Security Vulnerabilities - CVEs Published In August 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to discover phpMyAdmin passwords (of any user in /etc/passwd) via an attacker account.
CVSS Score: 6.5 | EPSS Score: 0.007 | Published: 2019-08-21

pyraw in Zenoss 2.5.3 allows local privilege escalation by modifying environment variables to redirect execution before privileges are dropped, aka ZEN-31765.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2019-08-21

The XML-RPC subsystem in Zenoss 2.5.3 allows XXE attacks that lead to unauthenticated information disclosure via port 9988.
CVSS Score: 7.5 | EPSS Score: 0.006 | Published: 2019-08-21

AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality.
CVSS Score: 5.3 | EPSS Score: 0.025 | Published: 2019-08-21

The Timeline feature in my_view_page.php in MantisBT through 2.21.1 has a stored cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. The code is executed for any user having visibility to the issue, whenever My View Page is displayed.
CVSS Score: 9.6 | EPSS Score: 0.009 | Published: 2019-08-21

REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2019-08-21

The duplicate-post plugin before 2.6 for WordPress has XSS.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2019-08-21

The duplicate-post plugin before 2.6 for WordPress has SQL injection.
CVSS Score: 9.8 | EPSS Score: 0.005 | Published: 2019-08-21

The aryo-activity-log plugin before 2.3.2 for WordPress has XSS.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2019-08-21

The aryo-activity-log plugin before 2.3.3 for WordPress has XSS.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2019-08-21

