Security Vulnerabilities - CVEs Published In August 2019
eQ-3 Homematic CCU2 and CCU3 allow obtaining session IDs without login. This allows a Denial of Service and is a starting point for other attacks. Affected versions for CCU2: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15. Affected versions for CCU3: 3.41.11, 3.43.16, 3.45.5, 3.45.7, 3.47.10, 3.47.15.
CVSS Score: 8.2
EPSS Score: 0.002
Published: 2019-08-14
It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain.
CVSS Score: 4.6
EPSS Score: 0.001
Published: 2019-08-14
It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.
CVSS Score: 8.1
EPSS Score: 0.001
Published: 2019-08-14
The "HTML Include and replace macro" plugin before 1.5.0 for Confluence Server allows a bypass of the includeScripts=false XSS protection mechanism via vectors involving an IFRAME element.
CVSS Score: 6.8
EPSS Score: 0.018
Published: 2019-08-14
Exfiltration of Data in McAfee Web Gateway (MWG) 7.8.2.x prior to 7.8.2.12 allows attackers to obtain sensitive data via a crafted complex web page that triggers the Web Gateway to block the user's access to an iframe.
CVSS Score: 4.3
EPSS Score: 0.003
Published: 2019-08-14
Privilege Escalation vulnerability in McAfee FRP 5.x prior to 5.1.0.209 allows local users to gain elevated privileges via running McAfee Tray with elevated privileges.
CVSS Score: 4.1
EPSS Score: 0.0
Published: 2019-08-14
Clickjacking vulnerability in the Administrator web console in McAfee Web Gateway (MWG) 7.8.2.x prior to 7.8.2.12 allows remote attackers to conduct clickjacking attacks via a crafted web page that contains an iframe, because the console does not send an X-Frame-Options HTTP header.
CVSS Score: 7.1
EPSS Score: 0.003
Published: 2019-08-14
The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka "KNOB") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.
CVSS Score: 7.6
EPSS Score: 0.029
Published: 2019-08-14
The all-in-one-wp-security-and-firewall plugin before 4.0.7 for WordPress has multiple SQL injection issues.
CVSS Score: 9.8
EPSS Score: 0.005
Published: 2019-08-14
The custom-sidebars plugin before 3.1.0 for WordPress has CSRF related to set location, import actions, and export actions.
CVSS Score: 8.8
EPSS Score: 0.001
Published: 2019-08-14