Security Vulnerabilities - CVEs Published In September 2019
An issue was discovered in the LifterLMS plugin through 3.34.5 for WordPress. The upload_import function in the class.llms.admin.import.php script is prone to an unauthenticated options import vulnerability that could lead to privilege escalation (administrator account creation), website redirection, and stored XSS.
CVSS Score
9.8
EPSS Score
0.037
Published
2019-09-10
The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to change the password of any user via the recruitment_online/personalData/act_acounttab.cfm txtNewUserName and hdNP fields.
CVSS Score
7.5
EPSS Score
0.004
Published
2019-09-10
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.1 allows a remote, unauthenticated attacker to execute arbitrary code via a crafted IOCTL 70603 RPC message.
CVSS Score
9.8
EPSS Score
0.1
Published
2019-09-10
OnCommand Workflow Automation versions prior to 5.0 shipped without certain HTTP Security headers configured which could allow an attacker to obtain sensitive information via unspecified vectors.
CVSS Score
5.3
EPSS Score
0.005
Published
2019-09-10
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to remove a target user from phpMyAdmin via an attacker account.
CVSS Score
6.5
EPSS Score
0.006
Published
2019-09-10
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete an e-mail forwarding destination from a victim's account via an attacker account.
CVSS Score
4.3
EPSS Score
0.006
Published
2019-09-10
Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it’s update handler.?By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.
CVSS Score
7.5
EPSS Score
0.282
Published
2019-09-10
MISP before 2.4.115 allows privilege escalation in certain situations. After updating to 2.4.115, escalation attempts are blocked by the __checkLoggedActions function with a "This could be an indication of an attempted privilege escalation on older vulnerable versions of MISP (<2.4.115)" message.
CVSS Score
6.5
EPSS Score
0.002
Published
2019-09-10
The gravitate-qa-tracker plugin through 1.2.1 for WordPress has PHP Object Injection.
CVSS Score
9.8
EPSS Score
0.013
Published
2019-09-10
The avada theme before 5.1.5 for WordPress has stored XSS.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-09-10