Security Vulnerabilities - CVEs Published In August 2019
In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.
CVSS Score
6.5
EPSS Score
0.002
Published
2019-08-12
In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file.
CVSS Score
6.5
EPSS Score
0.007
Published
2019-08-12
In Exiv2 before v0.27.2, there is an integer overflow vulnerability in the WebPImage::getHeaderOffset function in webpimage.cpp. It can lead to a buffer overflow vulnerability and a crash.
CVSS Score
6.5
EPSS Score
0.006
Published
2019-08-12
Search Guard versions before 24.0 had an issue that values of string arrays in documents are not properly anonymized.
CVSS Score
7.5
EPSS Score
0.002
Published
2019-08-12
iCMS 7.0.15 allows admincp.php?app=apps XSS via the keywords parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-08-12
Search Guard versions before 24.0 had an issue that field caps and mapping API leak field names (but not values) for fields which are not allowed for the user when field level security (FLS) is activated.
CVSS Score
5.3
EPSS Score
0.002
Published
2019-08-12
Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory\ and sub-folders. In addition, the service Netwrix.ADA.StorageAuditService (which writes to that directory) does not perform proper impersonation, and thus the target file will have the same permissions as the invoking process (in this case, granting Authenticated Users full access over the target file). This vulnerability can be triggered by a low-privileged user to perform DLL Hijacking/Binary Planting attacks and ultimately execute code as NT AUTHORITY\SYSTEM with the help of Symbolic Links.
CVSS Score
7.8
EPSS Score
0.0
Published
2019-08-12
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists.
CVSS Score
9.8
EPSS Score
0.018
Published
2019-08-12
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. There exists an authenticated SQL injection.
CVSS Score
8.8
EPSS Score
0.011
Published
2019-08-12
An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and 12. There exists an XSS vulnerability.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-08-12