Security Vulnerabilities - CVEs Published In August 2019
An issue was discovered in the crossbeam crate before 0.4.1 for Rust. There is a double free because of destructor mishandling.
CVSS Score
9.8
EPSS Score
0.004
Published
2019-08-26
An issue was discovered in the openssl crate before 0.10.9 for Rust. A use-after-free occurs in CMS Signing.
CVSS Score
9.8
EPSS Score
0.005
Published
2019-08-26
An issue was discovered in the arrayfire crate before 3.6.0 for Rust. Addition of the repr() attribute to an enum is mishandled, leading to memory corruption.
CVSS Score
9.8
EPSS Score
0.004
Published
2019-08-26
Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access. This is a software vulnerability, not a firmware issue. Affected tools include: H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23 and 200.00.00.01~200.00.00.05, H2OOAE before version 200.00.00.02, H2OSDE before version 200.00.00.07, H2OUVE before version 200.00.02.02, H2OPCM before version 100.00.06.00, H2OELV before version 100.00.02.08.
CVSS Score
7.8
EPSS Score
0.001
Published
2019-08-26
The fetch API in Tightrope Media Carousel before 7.1.3 has CarouselAPI/v0/fetch?url= SSRF. This has two potential areas for abuse. First, a specially crafted URL could be used in a phishing attack to hijack the trust the user and the browser have with the website and could serve malicious content from a third-party attacker-controlled system. Second, arguably more severe, is the potential for an attacker to circumvent firewall controls, by proxying traffic, unauthenticated, into the internal network from the internet.
CVSS Score
10.0
EPSS Score
0.004
Published
2019-08-26
An issue was discovered in the asn1_der crate before 0.6.2 for Rust. Attackers can trigger memory exhaustion by supplying a large value in a length field.
CVSS Score
7.5
EPSS Score
0.003
Published
2019-08-26
FredReinink Wellness-app before 2019-06-19 allows SQL injection, related to dietTrack.php, exerciseGenerator.php, fitnessTrack.php, and server.php.
CVSS Score
9.8
EPSS Score
0.003
Published
2019-08-26
XM^online 2 User Account and Authentication server 1.0.0 allows SQL injection via a tenant key.
CVSS Score
9.8
EPSS Score
0.01
Published
2019-08-26
XM^online 2 Common Utils and Endpoints 0.2.1 allows SQL injection, related to Constants.java, DropSchemaResolver.java, and SchemaChangeResolver.java.
CVSS Score
9.8
EPSS Score
0.003
Published
2019-08-26
Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS. This affects Tableau Server, Tableau Desktop, Tableau Reader, and Tableau Public Desktop.
CVSS Score
7.1
EPSS Score
0.084
Published
2019-08-26