Security Vulnerabilities - CVEs Published In September 2019
Multiple vulnerabilities in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands with elevated privileges on the affected device. For more information about these vulnerabilities, see the Details section of this advisory.
CVSS Score
7.6
EPSS Score
0.269
Published
2019-09-25
GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an arbitrary password for any user. This vulnerability can be exploited to take control of admin account. This vulnerability could be also abused to obtain other sensitive fields like API keys or password hashes.
CVSS Score
8.8
EPSS Score
0.03
Published
2019-09-25
SilverStripe through 4.3.3 allows session fixation in the "change password" form.
CVSS Score
6.3
EPSS Score
0.001
Published
2019-09-25
In SilverStripe through 4.3.3, a missing warning about leaving install.php in a public webroot can lead to unauthenticated admin access.
CVSS Score
9.8
EPSS Score
0.008
Published
2019-09-25
SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS.
CVSS Score
6.1
EPSS Score
0.004
Published
2019-09-25
SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.
CVSS Score
5.3
EPSS Score
0.003
Published
2019-09-25
An authentication bypass vulnerability discovered in Smart Battery A2-25DE, a multifunctional portable charger, firmware version ?<= SECFS-2013-10-16-13:42:58-629c30ee-60c68be6. An attacker can bypass authentication and gain privilege by modifying the login page.
CVSS Score
9.8
EPSS Score
0.004
Published
2019-09-25
A broken access control vulnerability in Smart Battery A4, a multifunctional portable charger, firmware version ?<= r1.7.9 allows an attacker to get/reset administrator’s password without any authentication.
CVSS Score
9.8
EPSS Score
0.003
Published
2019-09-25
An unsafe authentication interface was discovered in Smart Battery A4, a multifunctional portable charger, firmware version ?<= r1.7.9 . An attacker can bypass authentication without modifying device file and gain web page management privilege.
CVSS Score
9.8
EPSS Score
0.005
Published
2019-09-25
On versions 14.0.0-14.1.2, 13.0.0-13.1.3, 12.1.0-12.1.5, and 11.5.1-11.6.5, the BIG-IP system fails to perform Martian Address Filtering (As defined in RFC 1812 section 5.3.7) on the control plane (management interface). This may allow attackers on an adjacent system to force BIG-IP into processing packets with spoofed source addresses.
CVSS Score
4.3
EPSS Score
0.001
Published
2019-09-25