Security Vulnerabilities - CVEs Published In October 2019
In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input. NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.
CVSS Score: 3.7 | EPSS Score: 0.001 | Published: 2019-10-24
Sourcecodester Restaurant Management System 1.0 is affected by an admin/staff-exec.php Cross Site Request Forgery vulnerability due to a lack of CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code or adding a staff entry via a crafted HTML page.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2019-10-24
Sourcecodester Restaurant Management System 1.0 allows XSS via the "send a message" screen.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2019-10-24
Sourcecodester Restaurant Management System 1.0 allows XSS via the Last Name field of a member.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2019-10-24
Sourcecodester Restaurant Management System 1.0 allows an authenticated attacker to upload arbitrary files that can result in code execution. The issue occurs because the application fails to adequately sanitize user-supplied input, e.g., "add a new food" allows .php files.
CVSS Score: 8.8 | EPSS Score: 0.01 | Published: 2019-10-24
Adobe Experience Manager versions 6.4, 6.3 and 6.2 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVSS Score: 6.1 | EPSS Score: 0.013 | Published: 2019-10-24
Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVSS Score: 6.1 | EPSS Score: 0.016 | Published: 2019-10-24
Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f&user_name= or admin/user.php?form=remove_f&user_name= or admin/config/diff.php?app= URI.
CVSS Score: 6.1 | EPSS Score: 0.01 | Published: 2019-10-24
Symantec Messaging Gateway (prior to 10.7.0) may be susceptible to an information disclosure issue, which is a type of vulnerability that could potentially allow unauthorized access to data.
CVSS Score: 4.5 | EPSS Score: 0.001 | Published: 2019-10-24
admin/app/mediamanager in Schlix CMS 2.1.8-7 allows Authenticated Unrestricted File Upload, leading to remote code execution. NOTE: "While inadvertently allowing a PHP file to be uploaded via Media Manager was an oversight, it still requires an admin permission. We think it's pretty rare for an administrator to exploit a bug on his/her own site to own his/her own site."
CVSS Score: 7.2 | EPSS Score: 0.033 | Published: 2019-10-24
Shodan ® - All rights reserved