Security Vulnerabilities - CVEs Published In October 2019
z-song laravel-admin 1.7.3 has XSS via the Slug or Name on the Roles screen, because of mishandling on the "Operation log" screen.
CVSS Score
4.8
EPSS Score
0.002
Published
2019-10-10
LavaLite through 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-10-10
Adhouma CMS through 2019-10-09 has SQL Injection via the post.php p_id parameter.
CVSS Score
9.8
EPSS Score
0.003
Published
2019-10-10
EyouCms through 2019-07-11 has XSS related to the login.php web_recordnum parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-10-10
The liquid-speech-balloon (aka LIQUID SPEECH BALLOON) plugin before 1.0.7 for WordPress allows XSS with Internet Explorer.
CVSS Score
6.1
EPSS Score
0.004
Published
2019-10-10
The client-dash (aka Client Dash) plugin 2.1.4 for WordPress allows XSS.
CVSS Score
6.1
EPSS Score
0.004
Published
2019-10-10
The new-contact-form-widget (aka Contact Form Widget - Contact Query, Form Maker) plugin 1.0.9 for WordPress has SQL Injection via all-query-page.php.
CVSS Score
9.8
EPSS Score
0.009
Published
2019-10-10
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).
CVSS Score
9.1
EPSS Score
0.002
Published
2019-10-10
In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors.
CVSS Score
6.1
EPSS Score
0.022
Published
2019-10-10
PbootCMS 2.0.2 allows XSS via vectors involving the Pboot/admin.php?p=/Single/index/mcode/1 and Pboot/?contact/ URIs.
CVSS Score
4.8
EPSS Score
0.002
Published
2019-10-10