Security Vulnerabilities - CVEs Published In September 2019
The slick-popup plugin before 1.7.2 for WordPress has a hardcoded OmakPass13# password for the slickpopupteam account, after a Subscriber calls a certain AJAX action.
CVSS Score: 8.8; EPSS Score: 0.011; Published: 2019-09-03
The affiliates-manager plugin before 2.6.6 for WordPress has CSRF.
CVSS Score: 8.8; EPSS Score: 0.002; Published: 2019-09-03
The JobCareer theme before 2.5.1 for WordPress has stored XSS.
CVSS Score: 5.4; EPSS Score: 0.002; Published: 2019-09-03
The CarSpot theme before 2.1.7 for WordPress has stored XSS via the Phone Number field.
CVSS Score: 5.4; EPSS Score: 0.002; Published: 2019-09-03
In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
CVSS Score: 7.5; EPSS Score: 0.905; Published: 2019-09-03
admin/includes/class.import.snippet.php in the "Woody ad snippets" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution.
CVSS Score: 8.8; EPSS Score: 0.596; Published: 2019-09-03
Xpdf 2.00 allows a SIGSEGV in XRef::constructXRef in XRef.cc. NOTE: 2.00 is a version from November 2002.
CVSS Score: 5.5; EPSS Score: 0.002; Published: 2019-09-03
FreeType before 2.6.1 has a heap-based buffer over-read in T1_Get_Private_Dict in type1/t1parse.c.
CVSS Score: 8.8; EPSS Score: 0.007; Published: 2019-09-03
FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation.
CVSS Score: 6.5; EPSS Score: 0.008; Published: 2019-09-03
FreeType before 2.6.2 has a heap-based buffer over-read in tt_cmap14_validate in sfnt/ttcmap.c.
CVSS Score: 6.5; EPSS Score: 0.03; Published: 2019-09-03



Shodan ® - All rights reserved