Security Vulnerabilities - CVEs Published In October 2019
WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer.
CVSS Score: 5.4 | EPSS Score: 0.018 | Published: 2019-10-17
WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.
CVSS Score: 8.8 | EPSS Score: 0.042 | Published: 2019-10-17
app/system/admin/admin/index.class.php in MetInfo 7.0.0beta allows a CSRF attack to add a user account via a doSaveSetup action to admin/index.php, as demonstrated by an admin/?n=admin&c=index&a=doSaveSetup URI.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2019-10-17
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.
CVSS Score: 9.8 | EPSS Score: 0.111 | Published: 2019-10-17
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.
CVSS Score: 9.8 | EPSS Score: 0.048 | Published: 2019-10-17
In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.
CVSS Score: 5.3 | EPSS Score: 0.729 | Published: 2019-10-17
Samsung Galaxy S10 and Note10 devices allow unlock operations via unregistered fingerprints in certain situations involving a third-party screen protector.
CVSS Score: 6.8 | EPSS Score: 0.002 | Published: 2019-10-17
Comtech H8 Heights Remote Gateway 2.5.1 devices allow XSS and HTML injection via the Site Name (aka SiteName) field.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2019-10-17
rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.
CVSS Score: 8.8 | EPSS Score: 0.003 | Published: 2019-10-17
HongCMS 3.0.0 has XSS via the install/index.php servername parameter.
CVSS Score: 6.1 | EPSS Score: 0.004 | Published: 2019-10-16

Shodan ® - All rights reserved