Security Vulnerabilities - CVEs Published In October 2019
A vulnerability was found in OpenShift builds, versions 4.1 up to 4.3. Builds that extract source from a container image bypass the TLS hostname verification. An attacker can take advantage of this flaw by launching a man-in-the-middle attack and injecting malicious content.
CVSS Score
5.7
EPSS Score
0.0
Published
2019-10-08
In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level, which led to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.
CVSS Score
7.3
EPSS Score
0.001
Published
2019-10-08
/var/WEB-GUI/cgi-bin/telnet.cgi on FiberHome HG2201T 1.00.M5007_JS_201804 devices allows pre-authentication remote code execution.
CVSS Score
8.8
EPSS Score
0.003
Published
2019-10-08
Bootstrap-3-Typeahead after version 4.0.2 is vulnerable to a cross-site scripting flaw in the highlighter() function. An attacker could exploit this via user interaction to execute code in the user's browser.
CVSS Score
6.1
EPSS Score
0.004
Published
2019-10-08
It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-10-08
Moxa EDR 810, all versions 5.1 and prior, allows an unauthenticated attacker to retrieve some log files from the device, which may allow sensitive information disclosure. Log files must have previously been exported by a legitimate user.
CVSS Score
4.3
EPSS Score
0.031
Published
2019-10-08
Moxa EDR 810, all versions 5.1 and prior, allows an authenticated attacker to abuse the ping feature to execute unauthorized commands on the router, which may allow an attacker to perform remote code execution.
CVSS Score
7.2
EPSS Score
0.052
Published
2019-10-08
Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allow anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.
CVSS Score
9.1
EPSS Score
0.008
Published
2019-10-08
The token generator in index.php in Centreon Web before 2.8.27 is predictable.
CVSS Score
5.3
EPSS Score
0.001
Published
2019-10-08
/var/WEB-GUI/cgi-bin/downloadfile.cgi on FiberHome HG2201T 1.00.M5007_JS_201804 devices allows pre-authentication Directory Traversal for reading arbitrary files.
CVSS Score
7.5
EPSS Score
0.0
Published
2019-10-08