Security Vulnerabilities - CVEs Published In July 2019
The MSI installer for Python through 2.7.16 on Windows defaults to the C:\Python27 directory, which makes it easier for local users to deploy Trojan horse code. (This also affects old 3.x releases before 3.5.) NOTE: the vendor's position is that it is the user's responsibility to ensure C:\Python27 access control or choose a different directory, because backwards compatibility requires that C:\Python27 remain the default for 2.7.x
CVSS Score
7.8
EPSS Score
0.002
Published
2019-07-08
Dynacolor FCM-MB40 v1.2.0.0 devices allow remote attackers to execute arbitrary commands via a crafted parameter to a CGI script, as demonstrated by sed injection in cgi-bin/camctrl_save_profile.cgi (save parameter) and cgi-bin/ddns.cgi.
CVSS Score
7.2
EPSS Score
0.032
Published
2019-07-08
Dynacolor FCM-MB40 v1.2.0.0 devices have a hard-coded SSL/TLS key that is used during an administrator's SSL conversation.
CVSS Score
5.9
EPSS Score
0.004
Published
2019-07-08
In FFmpeg 4.1.3, there is a division by zero at adx_write_trailer in libavformat/rawenc.c.
CVSS Score
6.5
EPSS Score
0.004
Published
2019-07-07
In ImageMagick 7.0.8-50 Q16, ComplexImages in MagickCore/fourier.c has a heap-based buffer over-read because of incorrect calls to GetCacheViewVirtualPixels.
CVSS Score
8.8
EPSS Score
0.006
Published
2019-07-07
On AVTECH Room Alert 3E devices before 2.2.5, an attacker with access to the device's web interface may escalate privileges from an unauthenticated user to administrator by performing a cmd.cgi?action=ResetDefaults&src=RA reset and using the default credentials to get in.
CVSS Score
8.8
EPSS Score
0.084
Published
2019-07-07
Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings.
CVSS Score
8.8
EPSS Score
0.002
Published
2019-07-07
/web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication.
CVSS Score
9.8
EPSS Score
0.931
Published
2019-07-06
An issue was discovered in the D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6. Input does not get validated and arbitrary SQL statements can be executed in the database via the /web/Public/Conn.php parameter dbSQL.
CVSS Score
9.8
EPSS Score
0.901
Published
2019-07-06
A cross-site scripting (XSS) vulnerability in resource view in PayAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to inject arbitrary web script or HTML via the index.php/Pay/passcodeAuth passcode parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-07-06