Security Vulnerabilities - CVEs Published In July 2019
An issue was discovered in Eventum 3.5.0. /htdocs/list.php has XSS via the show_notification_list_issues or show_authorized_issues parameter.
CVSS Score: 6.1; EPSS Score: 0.002; Published: 2019-07-10
An issue was discovered in Eventum 3.5.0. CSRF in htdocs/manage/users.php allows creating another user with admin privileges.
CVSS Score: 8.8; EPSS Score: 0.003; Published: 2019-07-10
An issue has been found in third-party PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png.
CVSS Score: 8.8; EPSS Score: 0.018; Published: 2019-07-10
The Yoast SEO plugin before 11.6-RC5 for WordPress does not properly restrict unfiltered HTML in term descriptions.
CVSS Score: 9.9; EPSS Score: 0.003; Published: 2019-07-09
PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the index.php file.
CVSS Score: 6.1; EPSS Score: 0.002; Published: 2019-07-09
In MobaXterm 11.1, the mobaxterm: URI handler has an argument injection vulnerability that allows remote attackers to execute arbitrary commands when the user visits a specially crafted URL. Based on the available command-line arguments of the software, one can simply inject -exec to execute arbitrary commands. The additional arguments -hideterm and -exitwhendone in the payload make the attack less visible.
CVSS Score: 8.8; EPSS Score: 0.009; Published: 2019-07-09
KEYNTO Team Password Manager 1.5.0 allows XSS because data saved from websites is mishandled in the online vault.
CVSS Score: 6.1; EPSS Score: 0.002; Published: 2019-07-09
MatrixSSL before 4.2.1 has an out-of-bounds read during ASN.1 handling.
CVSS Score: 9.8; EPSS Score: 0.004; Published: 2019-07-09
Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page. As the settings page is intended to be accessible from web applications, the browser's extension isolation mechanisms are disabled (web_accessible_resources). Mailvelope implements additional measures to prevent web applications from directly embedding the settings page, but this mechanism can be bypassed.
CVSS Score: 4.3; EPSS Score: 0.003; Published: 2019-07-09
Mailvelope prior to 3.3.0 accepts or operates with invalid PGP public keys: Mailvelope allows importing keys that contain users without a valid self-certification. Keys that are obviously invalid are not rejected during import. An attacker that is able to get a victim to import a manipulated key could claim to have signed a message that originates from another person.
CVSS Score: 4.3; EPSS Score: 0.003; Published: 2019-07-09

