Security Vulnerabilities - CVEs Published In July 2019
Quest KACE, all versions prior to version 8.0.x, 8.1.x, and 9.0.x, allows unintentional access to the appliance leveraging functions of the troubleshooting tools located in the administrator user interface.
CVSS Score: 7.2 | EPSS Score: 0.006 | Published: 2019-07-08
hide.me before 2.4.4 on macOS suffers from a privilege escalation vulnerability in the connectWithExecutablePath:configFilePath:configFileName method of the me_hide_vpnhelper.Helper class in the me.hide.vpnhelper macOS privilege helper tool. This method takes user-supplied input and can be used to escalate privileges, as well as obtain the ability to run any application on the system in the root context.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2019-07-08
The strong_password gem 0.0.7 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 0.0.6.
CVSS Score: 9.8 | EPSS Score: 0.007 | Published: 2019-07-08
The Rencontre plugin before 3.1.3 for WordPress allows SQL Injection via inc/rencontre_widget.php.
CVSS Score: 9.8 | EPSS Score: 0.007 | Published: 2019-07-08
The Rencontre plugin before 3.1.3 for WordPress allows XSS via inc/rencontre_widget.php.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2019-07-08
An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through 6.0.7. A carefully constructed email could be used to inject and execute arbitrary stylesheet or JavaScript code in a logged-in customer's browser in the context of the OTRS customer panel application.
CVSS Score: 4.6 | EPSS Score: 0.003 | Published: 2019-07-08
Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 store cleartext credentials in memory upon successful login or new account creation. These are not securely freed in the running process.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2019-07-08
Dynacolor FCM-MB40 v1.2.0.0 uses /etc/appWeb/appweb.pass to store administrative web-interface credentials in cleartext. These credentials can be retrieved via cgi-bin/getuserinfo.cgi?mode=info.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2019-07-08
Dynacolor FCM-MB40 v1.2.0.0 devices have CSRF in all scripts under cgi-bin/.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2019-07-08
/usr/sbin/default.sh and /usr/apache/htdocs/cgi-bin/admin/hardfactorydefault.cgi on Dynacolor FCM-MB40 v1.2.0.0 devices implement an incomplete factory-reset process. A backdoor can persist because neither system accounts nor the set of services is reset.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2019-07-08

