Security Vulnerabilities - CVEs Published In July 2019
In Code42 for Enterprise through 6.8.4, an administrator without web restore permission but with the ability to manage users in an organization can impersonate a user with web restore permission. When requesting the token to do a web restore, an administrator with permission to manage a user could request the token of that user. If the administrator was not authorized to perform web restores but the user was authorized to perform web restores, this would allow the administrator to impersonate the user with greater permissions. In order to exploit this vulnerability, the user would have to be an administrator with access to manage an organization with a user with greater permissions than themselves.
CVSS Score
8.8
EPSS Score
0.002
Published
2019-07-19
Akeo Consulting Rufus 3.0 and earlier is affected by: DLL search order hijacking. The impact is: Arbitrary code execution WITH escalation of privilege. The component is: Executable installers, portable executables (ALL executables on the web site). The attack vector is: CAPEC-471, CWE-426, CWE-427.
CVSS Score
7.8
EPSS Score
0.004
Published
2019-07-19
Akeo Consulting Rufus 3.0 and earlier is affected by: Insecure Permissions. The impact is: arbitrary code execution with escalation of privilege. The component is: Executable installer, portable executable (ALL executables available). The attack vector is: CWE-29, CWE-377, CWE-379.
CVSS Score
9.8
EPSS Score
0.007
Published
2019-07-19
Premium Software CLEditor 1.4.5 and earlier is affected by: Cross Site Scripting (XSS). The impact is: An attacker might be able to inject arbitrary html and script code into the web site. The component is: jQuery plug-in. The attack vector is: the victim must open a crafted href attribute of a link (A) element.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-07-19
ChinaMobile GPN2.4P21-C-CN W2001EN-00 is affected by: Incorrect Access Control - Unauthenticated Remote Reboot. The impact is: PLC Wireless Router's are vulnerable to an unauthenticated remote reboot due. The component is: Reboot settings are available to unauthenticated users instead of only authenticaed users. The attack vector is: Remote.
CVSS Score
7.5
EPSS Score
0.012
Published
2019-07-19
scapy 2.4.0 is affected by: Denial of Service. The impact is: infinite loop, resource consumption and program unresponsive. The component is: _RADIUSAttrPacketListField.getfield(self..). The attack vector is: over the network or in a pcap. both work.
CVSS Score
7.5
EPSS Score
0.019
Published
2019-07-19
H3C H3Cloud OS all versions allows SQL injection via the ear/grid_event sidx parameter.
CVSS Score
9.8
EPSS Score
0.003
Published
2019-07-19
Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access.
CVSS Score
8.1
EPSS Score
0.006
Published
2019-07-19
ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed version is: 2.3.10.2.
CVSS Score
6.1
EPSS Score
0.004
Published
2019-07-19
In Directus 7 API before 2.2.1, uploading of PHP files is not blocked, leading to uploads/_/originals remote code execution.
CVSS Score
8.8
EPSS Score
0.011
Published
2019-07-19