Security Vulnerabilities - CVEs Published In October 2019
Advantech WISE-PaaS/RMM, versions 3.3.29 and prior: path traversal vulnerabilities are caused by a lack of proper validation of a user-supplied path prior to use in file operations. An attacker can leverage these vulnerabilities to remotely execute code while posing as an administrator.
CVSS Score: 9.8 | EPSS Score: 0.01 | Published: 2019-10-31
IcedTea6 before 1.7.4 does not properly check property access, which allows unsigned apps to read and write arbitrary files.
CVSS Score: 9.1 | EPSS Score: 0.003 | Published: 2019-10-31
IcedTea6 before 1.7.4 allows unsigned apps to read and write arbitrary files, related to Extended JNLP Services.
CVSS Score: 9.1 | EPSS Score: 0.004 | Published: 2019-10-31
Buffer overflow in the thread scheduler in Chicken before 4.8.0.1 allows attackers to cause a denial of service (crash) by opening a file descriptor with a large integer value.
CVSS Score: 7.5 | EPSS Score: 0.021 | Published: 2019-10-31
Chicken before 4.8.0 does not properly handle NUL bytes in certain strings, which allows an attacker to conduct a "poisoned NUL byte attack."
CVSS Score: 6.5 | EPSS Score: 0.004 | Published: 2019-10-31
A casting error in Chicken before 4.8.0 on 64-bit platforms caused the random number generator to return a constant value. NOTE: the vendor states "This function wasn't used for security purposes (and is advertised as being unsuitable)."
CVSS Score: 5.3 | EPSS Score: 0.004 | Published: 2019-10-31
Chicken before 4.8.0 is susceptible to algorithmic complexity attacks related to hash table collisions.
CVSS Score: 9.8 | EPSS Score: 0.006 | Published: 2019-10-31
An OS command injection vulnerability in FortiExtender 4.1.0 to 4.1.1, 4.0.0 and below under CLI admin console may allow unauthorized administrators to run arbitrary system level commands via specially crafted "execute date" commands.
CVSS Score: 7.2 | EPSS Score: 0.027 | Published: 2019-10-31
An issue was discovered in certain Oi third-party firmware that may be installed on Technicolor TD5130v2 devices. A Command Injection in the Ping module in the Web Interface in OI_Fw_V20 allows remote attackers to execute arbitrary OS commands in the pingAddr parameter to mnt_ping.cgi. NOTE: This may overlap CVE-2017-14127.
CVSS Score: 7.2 | EPSS Score: 0.526 | Published: 2019-10-31
An exploitable memory corruption vulnerability exists in AMD ATIDXX64.DLL driver, versions 25.20.15031.5004 and 25.20.15031.9002. A specially crafted pixel shader can cause an out-of-bounds memory write. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from VMware guest, affecting VMware host.
CVSS Score: 10.0 | EPSS Score: 0.004 | Published: 2019-10-31

