Security Vulnerabilities - CVEs Published In August 2019
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by command injection vulnerability. Due to insufficient parameter validation check, an authorized user can exploit this vulnerability to take control of user router system.
CVSS Score
8.1
EPSS Score
0.015
Published
2019-08-15
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by cross-site scripting vulnerability (XSS). Due to incomplete input validation, an authorized user can exploit this vulnerability to execute malicious scripts.
CVSS Score
5.7
EPSS Score
0.004
Published
2019-08-15
The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows guests to obtain the email subscription list in CSV format via the wp-admin/admin-post.php?page=fvplayer&fv-email-export=1 URI.
CVSS Score
5.3
EPSS Score
0.002
Published
2019-08-15
OpenCart 3.x, when the attacker has login access to the admin panel, allows stored XSS within the Source/HTML editing feature of the Categories, Product, and Information pages.
CVSS Score
4.8
EPSS Score
0.002
Published
2019-08-15
The profile photo upload feature in Leaf Admin 61.9.0212.10 f allows Unrestricted Upload of a File with a Dangerous Type.
CVSS Score
8.8
EPSS Score
0.007
Published
2019-08-15
The limb-gallery (aka Limb Gallery) plugin 1.4.0 for WordPress has XSS via the wp-admin/admin-ajax.php?action=grsGalleryAjax&grsAction=shortcode task parameter,
CVSS Score
6.1
EPSS Score
0.002
Published
2019-08-15
The toggle-the-title (aka Toggle The Title) plugin 1.4 for WordPress has XSS via the wp-admin/admin-ajax.php?action=update_title_options isAutoSaveValveChecked or isDisableAllPagesValveChecked parameter.
CVSS Score
4.8
EPSS Score
0.003
Published
2019-08-15
An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)
CVSS Score
8.0
EPSS Score
0.001
Published
2019-08-14
XSS exists in WEB STUDIO Ultimate Loan Manager 2.0 by adding a branch under the Branches button that sets the notes parameter with crafted JavaScript code.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-08-14
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.
To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system.
The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
CVSS Score
5.5
EPSS Score
0.009
Published
2019-08-14