Security Vulnerabilities - CVEs Published In August 2019
Several Ricoh printers have multiple buffer overflows parsing LPD packets, which allow an attacker to cause a denial of service or code execution via crafted requests to the LPD service. Affected firmware versions depend on the printer models. One affected configuration is cpe:2.3:o:ricoh:sp_c250dn_firmware:-:*:*:*:*:*:*:* up to (including) 1.06 running on cpe:2.3:o:ricoh:sp_c250dn:-:*:*:*:*:*:*:*, cpe:2.3:o:ricoh:sp_c252dn:-:*:*:*:*:*:*:*. Another affected configuration is cpe:2.3:o:ricoh:sp_c250sf_firmware:-:*:*:*:*:*:*:* up to (including) 1.12 running on cpe:2.3:o:ricoh:sp_c250sf:-:*:*:*:*:*:*:*, cpe:2.3:o:ricoh:sp_c252sf:-:*:*:*:*:*:*:*.
CVSS Score
9.8
EPSS Score
0.013
Published
2019-08-26
Status Board 1.1.81 has reflected XSS via dashboard.ts.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-08-26
Reflected cross site scripting (XSS) in L-Soft LISTSERV before 16.5-2018a exists via the /scripts/wa.exe OK parameter.
CVSS Score
6.1
EPSS Score
0.152
Published
2019-08-26
An issue was discovered in the tar crate before 0.4.16 for Rust. Arbitrary file overwrite can occur via a symlink or hardlink in a TAR archive.
CVSS Score
7.5
EPSS Score
0.003
Published
2019-08-26
An issue was discovered in the claxon crate before 0.4.1 for Rust. Uninitialized memory can be exposed because certain decode buffer sizes are mishandled.
CVSS Score
6.5
EPSS Score
0.003
Published
2019-08-26
An issue was discovered in the yaml-rust crate before 0.4.1 for Rust. There is uncontrolled recursion during deserialization.
CVSS Score
7.5
EPSS Score
0.004
Published
2019-08-26
An issue was discovered in the trust-dns-proto crate before 0.5.0-alpha.3 for Rust. There is infinite recursion because DNS message compression is mishandled.
CVSS Score
7.5
EPSS Score
0.003
Published
2019-08-26
Lierda Grill Temperature Monitor V1.00_50006 has a default password of admin for the admin account, which allows an attacker to cause a Denial of Service or Information Disclosure via the undocumented access-point configuration page located on the device. This wifi thermometer app requests and requires excessive permissions to operate such as Fine GPS location, camera, applists, Serial number, IMEI. In addition to the "backdoor" login access for "admin" purposes, this accompanying app also establishes connections with several china based URLs to include Alibaba cloud computing. NOTE: this device also ships with ProGrade branding.
CVSS Score
9.1
EPSS Score
0.018
Published
2019-08-26
Spoon Library through 2014-02-06, as used in Fork CMS before 1.4.1 and other products, allows PHP object injection via a cookie containing an object.
CVSS Score
9.8
EPSS Score
0.007
Published
2019-08-26
CSZ CMS 1.2.3 allows arbitrary file upload, as demonstrated by a .php file to admin/filemanager in the File Management Module, which leads to remote code execution by visiting a photo/upload/2019/ URI.
CVSS Score
9.8
EPSS Score
0.024
Published
2019-08-26