Security Vulnerabilities - CVEs Published In October 2019
NETGEAR JNR1010 devices before 1.0.0.32 allow webproc?getpage= XSS.
CVSS Score: 6.1 | EPSS Score: 0.007 | Published: 2019-10-16
A reflected Cross-Site Scripting (XSS) vulnerability in MindPalette NateMail 3.0.15 allows an attacker to execute remote JavaScript in a victim's browser via a specially crafted POST request. The application will reflect the recipient value if it is not in the NateMail recipient array. Note that this array is keyed via integers by default, so any string input will be invalid.
CVSS Score: 6.1 | EPSS Score: 0.107 | Published: 2019-10-16
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
CVSS Score: 7.2 | EPSS Score: 0.003 | Published: 2019-10-15
qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in the content parameter.
CVSS Score: 9.8 | EPSS Score: 0.033 | Published: 2019-10-15
In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2019-10-15
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
CVSS Score: 9.8 | EPSS Score: 0.586 | Published: 2019-10-15
In the Seesaw Parent and Family application 6.2.5 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2019-10-15
In the PowerSchool Mobile application 1.1.8 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2019-10-15
In the Dark Horse Comics application 1.3.21 for Android, token information (equivalent to the username and password) is stored in the log during authentication, and may be available to attackers via logcat.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2019-10-15
In MiniShare 1.4.1, there is a stack-based buffer overflow via an HTTP CONNECT request, which allows an attacker to achieve arbitrary code execution, a similar issue to CVE-2018-19862 and CVE-2018-19861. NOTE: this product is discontinued.
CVSS Score: 9.8 | EPSS Score: 0.006 | Published: 2019-10-15