Security Vulnerabilities - CVEs Published In July 2019

graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3 mishandles the audience check while verifying JWT.
CVSS Score: 7.5
EPSS Score: 0.002
Published: 2019-07-29

ASH-AIO before 2.0.0.3 allows an open redirect.
CVSS Score: 6.1
EPSS Score: 0.002
Published: 2019-07-29

Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via a user-api OTP.
CVSS Score: 5.3
EPSS Score: 0.003
Published: 2019-07-29

yard before 0.9.20 allows path traversal.
CVSS Score: 7.5
EPSS Score: 0.002
Published: 2019-07-29

Misskey before 10.102.4 allows hijacking a user's token.
CVSS Score: 6.1
EPSS Score: 0.004
Published: 2019-07-29

SmokeDetector intentionally does automatic deployments of updated copies of SmokeDetector without server operator authority.
CVSS Score: 9.0
EPSS Score: 0.005
Published: 2019-07-29

parse-server before 3.4.1 allows DoS after any POST to a volatile class.
CVSS Score: 7.5
EPSS Score: 0.003
Published: 2019-07-29

parse-server before 3.6.0 allows account enumeration.
CVSS Score: 5.3
EPSS Score: 0.002
Published: 2019-07-29

docker-credential-helpers before 0.6.3 has a double free in the List functions.
CVSS Score: 5.5
EPSS Score: 0.002
Published: 2019-07-29

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
CVSS Score: 9.8
EPSS Score: 0.015
Published: 2019-07-29

