Security Vulnerabilities - CVEs Published In August 2019
The 360-product-rotation plugin before 1.4.8 for WordPress has reflected XSS.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2019-08-20
The Live:Text Box macro in the Old Street Live Input Macros app before 2.11 for Confluence has XSS, leading to theft of the Administrator Session Cookie.
CVSS Score: 6.1 | EPSS Score: 0.01 | Published: 2019-08-20
An issue was discovered in the Linux kernel through 5.2.9. There is a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver.
CVSS Score: 4.6 | EPSS Score: 0.001 | Published: 2019-08-20
plugin/Audit/Objects/AuditTable.php in YouPHPTube through 7.2 allows SQL Injection.
CVSS Score: 5.3 | EPSS Score: 0.018 | Published: 2019-08-20
Fat Free CRM before 0.18.1 has XSS in the tags_helper in app/helpers/tags_helper.rb.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2019-08-20
OX App Suite 7.10.1 allows Content Spoofing.
CVSS Score: 8.1 | EPSS Score: 0.003 | Published: 2019-08-20
OX App Suite 7.10.0 to 7.10.2 allows XSS.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2019-08-20
OX App Suite 7.10.1 and earlier has Insecure Permissions.
CVSS Score: 3.3 | EPSS Score: 0.0 | Published: 2019-08-20
An unauthenticated privilege escalation exists in SailPoint Desktop Password Reset 7.2. A user with local access to only the Windows logon screen can escalate their privileges to NT AUTHORITY\System. An attacker would need local access to the machine for a successful exploit. The attacker must disconnect the computer from the local network / WAN and connect it to an internet-facing access point / network. At that point, the attacker can execute the password-reset functionality, which will expose a web browser. Browsing to a site that calls local Windows system functions (e.g., file upload) will expose the local file system. From there an attacker can launch a privileged command shell.
CVSS Score: 7.0 | EPSS Score: 0.003 | Published: 2019-08-20
In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was potentially more severe than the issue that was intended to be fixed by backporting. Specifically, by adding to a write queue between disconnection and re-connection, a local attacker can trigger multiple use-after-free conditions. This can result in a kernel crash, or potentially in privilege escalation. NOTE: this affects (for example) Linux distributions that use 4.9.x longterm kernels before 4.9.190 or 4.14.x longterm kernels before 4.14.139.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2019-08-20
Shodan ® - All rights reserved