Security Vulnerabilities - CVEs Published In October 2019
In FusionPBX up to 4.5.7, the file app\messages\messages_thread.php uses an unsanitized "contact_uuid" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-10-22
In FusionPBX up to 4.5.7, the file app\contacts\contact_addresses.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-10-22
In FusionPBX up to 4.5.7, the file app\contacts\contact_edit.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-10-22
The freshmail-newsletter plugin before 1.6 for WordPress has shortcode.php SQL Injection via the 'FM_form id=' substring.
CVSS Score
8.8
EPSS Score
0.008
Published
2019-10-22
The ad-inserter plugin before 1.5.3 for WordPress has CSRF with resultant XSS via wp-admin/options-general.php?page=ad-inserter.php.
CVSS Score
8.8
EPSS Score
0.004
Published
2019-10-22
The wps-hide-login plugin before 1.1 for WordPress has CSRF that affects saving an option value.
CVSS Score
8.8
EPSS Score
0.004
Published
2019-10-22
The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execution by uploading a .php file within a ZIP archive.
CVSS Score
9.8
EPSS Score
0.696
Published
2019-10-22
The Exquisite Ultimate Newspaper theme 1.3.3 for WordPress has XSS via the anchor identifier to assets/js/jquery.foundation.plugins.js.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-10-22
In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
CVSS Score
5.4
EPSS Score
0.019
Published
2019-10-22
Adobe Experience Manager Forms versions 6.3-6.5 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVSS Score
6.1
EPSS Score
0.016
Published
2019-10-22