Security Vulnerabilities - CVEs Published In September 2019
CVE-2019-1367
Known exploited
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.
CVSS Score: 7.5
EPSS Score: 0.897
Published: 2019-09-23
Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection. A remote authenticated malicious space developer can potentially inject LDAP filters via service instance creation, enabling the malicious space developer to deny service or perform a dictionary attack.
CVSS Score: 8.4
EPSS Score: 0.009
Published: 2019-09-23
An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, the password for the data source is revealed and sent to the server. From a browser, a prompt to save the credentials is generated, and the password can be revealed by simply checking the "Show password" box.
CVSS Score: 4.9
EPSS Score: 0.002
Published: 2019-09-23
The makandra consul gem through 1.0.2 for Ruby has Incorrect Access Control.
CVSS Score: 9.8
EPSS Score: 0.013
Published: 2019-09-23
Home Assistant before 0.67.0 was vulnerable to an information disclosure that allowed an unauthenticated attacker to read the application's error log via components/api.py.
CVSS Score: 7.5
EPSS Score: 0.013
Published: 2019-09-23
On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability related to the plain editor, which could allow the attacker to execute JavaScript in the victim's browser and get some sensitive information about the victim.
CVSS Score: 6.1
EPSS Score: 0.052
Published: 2019-09-23
Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, allows multiple vulnerabilities to be exploited when a valid user opens a specially crafted, malicious input file that operates outside of the designated memory area.
CVSS Score: 7.8
EPSS Score: 0.002
Published: 2019-09-23
Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, allows multiple vulnerabilities to be exploited when a valid user opens a specially crafted, malicious input file that causes the program to mishandle pointers.
CVSS Score: 7.8
EPSS Score: 0.002
Published: 2019-09-23
Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, uses a hard-coded password to encrypt protected files in transit and at rest, which may allow an attacker to access configuration files.
CVSS Score: 6.5
EPSS Score: 0.002
Published: 2019-09-23
Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, allows multiple vulnerabilities to be exploited when a valid user opens a specially crafted, malicious input file that can reference memory after it has been freed.
CVSS Score: 7.8
EPSS Score: 0.002
Published: 2019-09-23


Shodan ® - All rights reserved