Security Vulnerabilities - CVEs Published In July 2019
A TLS certificate validation flaw was found in the Elastic APM agent for Ruby in versions before 2.9.0. When a trusted server CA certificate was specified via the 'server_ca_cert' setting, the Ruby agent did not properly verify the certificate presented by the APM server. This allowed a man-in-the-middle attack against the Ruby agent.
CVSS Score: 7.4
EPSS Score: 0.001
Published: 2019-07-30
Kibana versions before 6.8.2 and 7.2.1 contain a server-side request forgery (SSRF) flaw in the Graphite integration of the Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could allow the attacker to reach URL resources as the Kibana process on the host system.
CVSS Score: 4.9
EPSS Score: 0.095
Published: 2019-07-30
The UniFi Controller in versions <= 5.10.21 is exposed to an SMTP man-in-the-middle (MITM) attack: a malicious actor who places an SMTP proxy server between the controller and its configured SMTP server can record the controller's SMTP credentials for later malicious use.
CVSS Score: 8.1
EPSS Score: 0.004
Published: 2019-07-30
A cross-site scripting (XSS) vulnerability in min-http-server (all versions) allows an attacker with access to the server's file system to execute arbitrary JavaScript in a victim's browser.
CVSS Score: 5.4
EPSS Score: 0.001
Published: 2019-07-30
A cross-site scripting (XSS) vulnerability in http-file-server (all versions) allows an attacker with access to the server's file system to execute arbitrary JavaScript in a victim's browser.
CVSS Score: 5.4
EPSS Score: 0.001
Published: 2019-07-30
An integer underflow in VLC Media Player versions < 3.0.7 leads to an out-of-bounds read.
CVSS Score: 7.1
EPSS Score: 0.009
Published: 2019-07-30
A double free in VLC versions <= 3.0.6 leads to a crash.
CVSS Score: 5.5
EPSS Score: 0.007
Published: 2019-07-30
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data: HTTP URLs in the lockfile cause authentication data to be sent over the network unencrypted.
CVSS Score: 8.1
EPSS Score: 0.001
Published: 2019-07-30
A missing check in Nextcloud Server prior to version 15.0.1 leaks calendar event names when adding or modifying confidential or private events.
CVSS Score: 4.3
EPSS Score: 0.003
Published: 2019-07-30
Improper sanitization of HTML in directory names in the Nextcloud Android app prior to version 3.7.0 allowed the directory name shown in the header bar to be styled with basic HTML.
CVSS Score: 6.8
EPSS Score: 0.001
Published: 2019-07-30
Shodan ® - All rights reserved