Security Vulnerabilities - CVEs Published In July 2019
A stack-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By corrupting a hyperloglog using the SETRANGE command, an attacker could cause Redis to perform controlled increments of up to 12 bytes past the end of a stack-allocated buffer.
CVSS Score
7.2
EPSS Score
0.335
Published
2019-07-11
Sensitive passwords used in the deployment and configuration of oVirt Metrics, all versions, were found to be insufficiently protected. Passwords could be disclosed in log files (if playbooks are run with -v) or in playbooks stored on Metrics or Bastion hosts.
CVSS Score
5.9
EPSS Score
0.001
Published
2019-07-11
The SUNNET WMPro v5.0 and v5.1 for eLearning system has OS Command Injection via "/teach/course/doajaxfileupload.php". The target server can be exploited without authentication.
CVSS Score
9.8
EPSS Score
0.056
Published
2019-07-11
An issue was discovered in the Core Server in Ivanti Endpoint Manager (EPM) 2017.3 before SU7 and 2018.x before 2018.3 SU3, with remote code execution. In other words, the issue affects 2017.3, 2018.1, and 2018.3 installations that lack the April 2019 update.
CVSS Score
9.8
EPSS Score
0.233
Published
2019-07-11
Cloud Foundry UAA versions prior to 73.3.0 contain endpoints with improper escaping. An authenticated malicious user with basic read privileges for one identity zone can extend those read privileges to all other identity zones and obtain private information on users, clients, and groups in all other identity zones.
CVSS Score
6.5
EPSS Score
0.004
Published
2019-07-11
XSS exists in Ping Identity Agentless Integration Kit before 1.5.
CVSS Score
6.1
EPSS Score
0.005
Published
2019-07-11
D-Link DIR-655 C devices before 3.02B05 BETA03 allow remote attackers to force a blank password via the apply_sec.cgi setup_wizard parameter.
CVSS Score
9.8
EPSS Score
0.021
Published
2019-07-11
D-Link DIR-655 C devices before 3.02B05 BETA03 allow remote attackers to execute arbitrary commands via shell metacharacters in the online_firmware_check.cgi check_fw_url parameter.
CVSS Score
9.8
EPSS Score
0.218
Published
2019-07-11
D-Link DIR-655 C devices before 3.02B05 BETA03 allow XSS, as demonstrated by the /www/ping_response.cgi ping_ipaddr parameter, the /www/ping6_response.cgi ping6_ipaddr parameter, and the /www/apply_sec.cgi html_response_return_page parameter.
CVSS Score
6.1
EPSS Score
0.008
Published
2019-07-11
D-Link DIR-655 C devices before 3.02B05 BETA03 allow CSRF for the entire management console.
CVSS Score
8.8
EPSS Score
0.002
Published
2019-07-11
Shodan ® - All rights reserved