Security Vulnerabilities - CVEs Published In October 2019
Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465.
CVSS Score: 5.3 | EPSS Score: 0.006 | Published: 2019-10-09
A programming error in the nxdomain-redirect feature can cause an assertion failure in query.c if the alternate namespace used by nxdomain-redirect is a descendant of a zone that is served locally. The most likely scenario where this might occur is if the server, in addition to performing NXDOMAIN redirection for recursive clients, is also serving a local copy of the root zone or using mirroring to provide the root zone, although other configurations are also possible. Versions affected: BIND 9.12.0 -> 9.12.4, 9.14.0. Also affects all releases in the 9.13 development branch.
CVSS Score: 5.9 | EPSS Score: 0.191 | Published: 2019-10-09
In BIND Supported Preview Edition, an error in the nxdomain-redirect feature can occur in versions which support EDNS Client Subnet (ECS) features. In those versions which have ECS support, enabling nxdomain-redirect is likely to lead to BIND exiting due to assertion failure. Versions affected: BIND Supported Preview Edition version 9.10.5-S1 -> 9.11.5-S5. ONLY BIND Supported Preview Edition releases are affected.
CVSS Score: 5.3 | EPSS Score: 0.011 | Published: 2019-10-09
Kramer VIAware 2.5.0719.1034 has Incorrect Access Control.
CVSS Score: 9.8 | EPSS Score: 0.238 | Published: 2019-10-09
Netreo OmniCenter through 12.1.1 allows unauthenticated SQL Injection (Boolean Based Blind) in the redirect parameters and parameter name of the login page through a GET request. The injection allows an attacker to read sensitive information from the database used by the application.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2019-10-09
cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517).
CVSS Score: 8.8 | EPSS Score: 0.003 | Published: 2019-10-09
cPanel before 82.0.15 allows self XSS in the SSL Certificate Upload interface (SEC-521).
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2019-10-09
cPanel before 82.0.15 allows self XSS in LiveAPI example scripts (SEC-524).
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2019-10-09
cPanel before 82.0.15 allows self XSS in the SSL Key Delete interface (SEC-526).
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2019-10-09
cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Manager interface (SEC-527).
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2019-10-09