Security Vulnerabilities - CVEs Published In October 2019
Milesight IP security cameras through 2016-11-14 have a hardcoded SSL private key under the /etc/config directory.
CVSS Score: 9.8
EPSS Score: 0.008
Published: 2019-10-25
Milesight IP security cameras through 2016-11-14 have a default set of 10 privileged accounts with hardcoded credentials. They are accessible if the customer has not configured 10 actual user accounts.
CVSS Score: 9.8
EPSS Score: 0.008
Published: 2019-10-25
Milesight IP security cameras through 2016-11-14 allow remote attackers to bypass authentication and access a protected resource by simultaneously making a request for the unprotected vb.htm resource.
CVSS Score: 9.8
EPSS Score: 0.006
Published: 2019-10-25
Milesight IP security cameras through 2016-11-14 have a default root password in /etc/shadow that is the same across different customers' installations.
CVSS Score: 9.8
EPSS Score: 0.008
Published: 2019-10-25
browser/extensions/api/dial/dial_registry.cc in Google Chrome before 54.0.2840.98 on macOS, before 54.0.2840.99 on Windows, and before 54.0.2840.100 on Linux neglects to copy a device ID before an erase() call, which causes the erase operation to access data that that erase operation will destroy.
CVSS Score: 9.1
EPSS Score: 0.001
Published: 2019-10-25
Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.
CVSS Score: 7.5
EPSS Score: 0.041
Published: 2019-10-24
clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests because there is no session management.
CVSS Score: 9.8
EPSS Score: 0.106
Published: 2019-10-24
A cross-site scripting (XSS) vulnerability in index.php in ClonOS WEB control panel 19.09 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
CVSS Score: 6.1
EPSS Score: 0.003
Published: 2019-10-24
Adobe Experience Manager versions 6.4 and 6.3 have a stored cross-site scripting vulnerability. Successful exploitation could lead to privilege escalation.
CVSS Score: 6.1
EPSS Score: 0.01
Published: 2019-10-24
Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: treanBookmarkTags could, for example, be a stored XSS payload.
CVSS Score: 8.8
EPSS Score: 0.005
Published: 2019-10-24