Security Vulnerabilities - CVEs Published In July 2019
Cross-site scripting vulnerability in Palo Alto Networks MineMeld version 0.9.60 and earlier may allow a remote attacker who is able to convince an authenticated MineMeld admin to type malicious input in the MineMeld UI to execute arbitrary JavaScript code in the admin’s browser.
CVSS Score: 6.1
EPSS Score: 0.002
Published: 2019-07-01
Optergy Proton/Enterprise devices have Hard-coded Credentials.
CVSS Score: 7.3
EPSS Score: 0.003
Published: 2019-07-01
Prima Systems FlexAir, Versions 2.3.38 and prior. The session-ID is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session and bypass authentication.
CVSS Score: 8.8
EPSS Score: 0.014
Published: 2019-07-01
Prima Systems FlexAir, Versions 2.3.38 and prior. An unauthenticated user can send unverified HTTP requests, which may allow the attacker to perform certain actions with administrative privileges if a logged-in user visits a malicious website.
CVSS Score: 8.8
EPSS Score: 0.004
Published: 2019-07-01
Prima Systems FlexAir, Versions 2.3.38 and prior. The application allows improper authentication using the MD5 hash value of the password, which may allow an attacker with access to the database to log in as admin without decrypting the password.
CVSS Score: 8.8
EPSS Score: 0.124
Published: 2019-07-01
Prima Systems FlexAir, Versions 2.3.38 and prior. The application generates database backup files with a predictable name, and an attacker can use brute force to identify the database backup file name. A malicious actor can exploit this issue to download the database file and disclose login information, which can allow the attacker to bypass authentication and have full access to the system.
CVSS Score: 9.8
EPSS Score: 0.037
Published: 2019-07-01
Prima Systems FlexAir devices have Default Credentials.
CVSS Score: 9.8
EPSS Score: 0.003
Published: 2019-07-01
Prima Systems FlexAir, Versions 2.3.38 and prior. Improper validation of file extensions when uploading files could allow a remote authenticated attacker to upload and execute malicious applications within the application’s web root with root privileges.
CVSS Score: 8.8
EPSS Score: 0.125
Published: 2019-07-01
Prima Systems FlexAir, Versions 2.3.38 and prior. The application incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component, which could allow attackers to execute commands directly on the operating system.
CVSS Score: 7.2
EPSS Score: 0.272
Published: 2019-07-01
A Cross-Site-Request-Forgery (CSRF) vulnerability in widget_logic.php in the 2by2host Widget Logic plugin before 5.10.2 for WordPress allows remote attackers to execute PHP code via snippets (that are attached to widgets and then eval'd to dynamically determine their visibility) by crafting a malicious POST request that tricks administrators into adding the code.
CVSS Score: 8.8
EPSS Score: 0.003
Published: 2019-07-01

