Security Vulnerabilities - CVEs Published In October 2019
licenseUpload.php in Centreon Web before 2.8.27 allows attackers to upload arbitrary files via a POST request.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2019-10-08
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.
CVSS Score: 7.5 | EPSS Score: 0.076 | Published: 2019-10-08
The dbell Wi-Fi Smart Video Doorbell DB01-S Gen 1 allows remote attackers to launch commands with no authentication verification via TCP port 81, because the loginuse and loginpass parameters to openlock.cgi can have arbitrary values. NOTE: the vendor's position is that this product reached end of life in 2016.
CVSS Score: 9.8 | EPSS Score: 0.012 | Published: 2019-10-08
Yealink phones through 2019-08-04 do not properly check user roles in POST requests. Consequently, the default User account (with a password of user) can make admin requests via HTTP.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2019-10-08
Yealink phones through 2019-08-04 have an issue with OpenVPN file upload. They execute tar as root to extract files, but do not validate the extraction directory. Creating a tar file with ../../../../ allows replacement of almost any file on a phone. This leads to password replacement and arbitrary code execution as root.
CVSS Score: 8.8 | EPSS Score: 0.019 | Published: 2019-10-08
HRworks 3.36.9 allows XSS via the purpose of a travel-expense report.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2019-10-08
HRworks FLOW 3.36.9 allows XSS via the purpose of a travel-expense report.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2019-10-08
Auth0 auth0.net before 6.5.4 has Incorrect Access Control because IdentityTokenValidator can be accidentally used to validate untrusted ID tokens.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2019-10-08
In Centreon VM through 19.04.3, the cookie configuration within the Apache HTTP Server does not protect against theft because the HTTPOnly flag is not set.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2019-10-08
In Centreon Web through 2.8.29, disclosure of external components' passwords allows authenticated attackers to move laterally to external components.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2019-10-08
Shodan ® - All rights reserved