Security Vulnerabilities - CVEs Published In October 2019
Mapserver 5.2, 5.4 and 5.6 before 5.6.5-2 improperly validates symbol index values during Mapfile parsing.
CVSS Score
7.5
EPSS Score
0.007
Published
2019-10-29
SugarCRM CE <= 6.3.1 contains scripts that use "unserialize()" with user controlled input which allows remote attackers to execute arbitrary PHP code.
CVSS Score
9.8
EPSS Score
0.837
Published
2019-10-29
ikiwiki before 3.20110608 allows remote attackers to hijack root's tty and run symlink attacks.
CVSS Score
8.2
EPSS Score
0.006
Published
2019-10-29
The Tightrope Media Carousel Seneca HDn Windows-based appliance 7.0.4.104 is shipped with a default local administrator username and password. This can be found by a limited user account in an "unattend.xml" file left over on the C: drive from the Sysprep process. An attacker with this username and password can leverage it to gain administrator-level access on the system.
CVSS Score
8.8
EPSS Score
0.003
Published
2019-10-29
The Tightrope Media Carousel digital signage product 7.0.4.104 contains an arbitrary file upload vulnerability in the Manage Bulletins/Upload feature, which can be leveraged to gain remote code execution. An authenticated attacker can upload a crafted ZIP file (based on an exported backup of existing "Bulletins") containing a malicious file. When uploaded, the system only checks for the presence of the needed files within the ZIP and, as long as the malicious file is named properly, will extract all contained files to a new directory on the system, named with a random GUID. The attacker can determine this GUID by previewing an image from the uploaded Bulletin within the web UI. Once the GUID is determined, the attacker can navigate to the malicious file and execute it. In testing, an ASPX web shell was uploaded, allowing for remote-code execution in the context of a restricted IIS user.
CVSS Score
8.8
EPSS Score
0.015
Published
2019-10-29
An issue was discovered in the Tightrope Media Carousel digital signage product 7.0.4.104. Due to insecure default permissions on the C:\TRMS\Services directory, an attacker who has gained access to the system can elevate their privileges from a restricted account to full SYSTEM by replacing the Carousel.Service.exe file with a custom malicious executable. This service is independent of the associated IIS web site, which means that this service can be manipulated by an attacker without losing access to vulnerabilities in the web interface (which would potentially be used in conjunction with this attack, to control the service). Once the attacker has replaced Carousel.Service.exe, the server can be restarted using the command "shutdown -r -t 0" from a web shell, causing the system to reboot and launching the malicious Carousel.Service.exe as SYSTEM on startup. If this malicious Carousel.Service.exe is configured to launch a reverse shell back to the attacker, then upon reboot the attacker will have a fully privileged remote command-line environment to manipulate the system further.
CVSS Score
8.8
EPSS Score
0.002
Published
2019-10-29
qtum through 0.16 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service. The attacker sends invalid headers/blocks. The attack requires no stake and can fill the victim's disk and RAM.
CVSS Score
7.5
EPSS Score
0.008
Published
2019-10-29
An issue was discovered in LabKey Server 19.1.0. It is possible to force a logged-in administrator to execute code through a /reports-viewScriptReport.view CSRF vulnerability.
CVSS Score
8.8
EPSS Score
0.019
Published
2019-10-29
A CWE-755: Improper Handling of Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service atack on the PLC when upgrading the controller with a firmware package containing an invalid web server image using FTP protocol.
CVSS Score
4.9
EPSS Score
0.004
Published
2019-10-29
A CWE-319: Cleartext Transmission of Sensitive Information vulnerability exists in Modicon M580, Modicon M340, Modicon Premium , Modicon Quantum (all firmware versions), which could cause the disclosure of information when transferring applications to the controller using Modbus TCP protocol.
CVSS Score
7.5
EPSS Score
0.002
Published
2019-10-29