Security Vulnerabilities - CVEs Published In August 2019
admin/includes/class.actions.snippet.php in the "Woody ad snippets" plugin through 2.2.5 for WordPress allows wp-admin/admin-post.php?action=close&post= deletion.
CVSS Score: 7.5
EPSS Score: 0.003
Published: 2019-08-08

The woo-variation-swatches (aka Variation Swatches for WooCommerce) plugin 1.0.61 for WordPress allows XSS via the wp-admin/admin.php?page=woo-variation-swatches-settings tab parameter.
CVSS Score: 6.1
EPSS Score: 0.002
Published: 2019-08-08

The Backpack\CRUD Backpack component before 3.4.9 for Laravel allows XSS via the select field type.
CVSS Score: 6.1
EPSS Score: 0.003
Published: 2019-08-08

core/views/arprice_import_export.php in the ARPrice Lite plugin 2.2 for WordPress allows wp-admin/admin.php?page=arplite_import_export CSRF.
CVSS Score: 6.5
EPSS Score: 0.001
Published: 2019-08-08

The admin-renamer-extended (aka Admin renamer extended) plugin 3.2.1 for WordPress allows wp-admin/plugins.php?page=admin-renamer-extended/admin.php CSRF.
CVSS Score: 5.7
EPSS Score: 0.001
Published: 2019-08-08

The Deny All Firewall plugin before 1.1.7 for WordPress allows wp-admin/options-general.php?page=daf_settings&daf_remove=true CSRF.
CVSS Score: 8.8
EPSS Score: 0.002
Published: 2019-08-08

On Trezor One devices before 1.8.2, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN and BIP39 mnemonic. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data. NOTE: this CVE applies exclusively to the Trezor One, and does not refer to any issues with OLED displays on other devices.
CVSS Score: 4.2
EPSS Score: 0.001
Published: 2019-08-08

Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix.
CVSS Score: 6.1
EPSS Score: 0.021
Published: 2019-08-08

Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer 6.2.0 and before for the ClientUtilServlet servlet via a URL in a parameter.
CVSS Score: 8.8
EPSS Score: 0.004
Published: 2019-08-08

Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer version 6.2.0 for the AJaxServlet servlet via a parameter in a URL.
CVSS Score: 9.1
EPSS Score: 0.036
Published: 2019-08-08

