Security Vulnerabilities - CVEs Published In September 2019
The bj-lazy-load plugin before 1.0 for WordPress has Remote File Inclusion.
CVSS Score: 7.5
EPSS Score: 0.003
Published: 2019-09-26
The sitepress-multilingual-cms (WPML) plugin 2.9.3 to 3.2.6 for WordPress has XSS via the Accept-Language HTTP header.
CVSS Score: 6.1
EPSS Score: 0.002
Published: 2019-09-26
The testimonial-slider plugin through 1.2.1 for WordPress has CSRF with resultant XSS.
CVSS Score: 6.5
EPSS Score: 0.002
Published: 2019-09-26
The Watu Pro plugin before 4.9.0.8 for WordPress has CSRF that allows an attacker to delete quizzes.
CVSS Score: 4.3
EPSS Score: 0.001
Published: 2019-09-26
The Text-to-speech Engine (aka SamsungTTS) application before 3.0.02.7 and 3.0.00.101 for Android allows a local attacker to escalate privileges, e.g., to system privileges. The Samsung case ID is 101755.
CVSS Score: 7.8
EPSS Score: 0.199
Published: 2019-09-25
An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.
CVSS Score: 6.1
EPSS Score: 0.048
Published: 2019-09-25
In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service (disk consumption).
CVSS Score: 5.5
EPSS Score: 0.002
Published: 2019-09-25
Halo 1.1.0 has XSS via a crafted authorUrl in JSON data to api/content/posts/comments.
CVSS Score: 5.4
EPSS Score: 0.002
Published: 2019-09-25
A vulnerability in the HTTP server code of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the HTTP server to crash. The vulnerability is due to a logical error in the logging mechanism. An attacker could exploit this vulnerability by generating a high amount of long-lived connections to the HTTP service on the device. A successful exploit could allow the attacker to cause the HTTP server to crash.
CVSS Score: 5.3
EPSS Score: 0.005
Published: 2019-09-25
A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to write values to the underlying memory of an affected device. The vulnerability is due to improper input validation and authorization of specific commands that a user can execute within the CLI. An attacker could exploit this vulnerability by authenticating to an affected device and issuing a specific set of commands. A successful exploit could allow the attacker to modify the configuration of the device to cause it to be non-secure and abnormally functioning.
CVSS Score: 5.5
EPSS Score: 0.001
Published: 2019-09-25

