Security Vulnerabilities - CVEs Published In October 2019
An issue was discovered in Mooltipass Moolticute through v0.42.1 and v0.42.x-testing through v0.42.5-testing. There is a NULL pointer dereference in MPDevice_win.cpp.
CVSS Score
7.5
EPSS Score
0.004
Published
2019-10-30
The init script in autokey before 0.61.3-2 allows local attackers to write to arbitrary files via a symlink attack.
CVSS Score
6.5
EPSS Score
0.004
Published
2019-10-30
systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. Server Name Indication (SNI) is not sent, and there is no hostname validation with the GnuTLS backend. NOTE: This has been disputed by the developer as not a vulnerability since hostname validation does not have anything to do with this issue (i.e. there is no hostname to be sent)
CVSS Score
9.8
EPSS Score
0.016
Published
2019-10-30
columnQuote in medoo before 1.7.5 allows remote attackers to perform a SQL Injection due to improper escaping.
CVSS Score
9.8
EPSS Score
0.006
Published
2019-10-30
A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process.
CVSS Score
4.8
EPSS Score
0.007
Published
2019-10-30
European Commission eIDAS-Node Integration Package before 2.3.1 allows Certificate Faking because an attacker can sign a manipulated SAML response with a forged certificate.
CVSS Score
9.8
EPSS Score
0.002
Published
2019-10-30
European Commission eIDAS-Node Integration Package before 2.3.1 has Missing Certificate Validation because a certain ExplicitKeyTrustEvaluator return value is not checked. NOTE: only 2.1 is confirmed to be affected.
CVSS Score
9.8
EPSS Score
0.002
Published
2019-10-30
ClipSoft REXPERT 1.0.0.527 and earlier version allows directory traversal by issuing a special HTTP POST request with ../ characters. This could lead to create malicious HTML file, because they can inject a content with crafted template. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page.
CVSS Score
6.5
EPSS Score
0.006
Published
2019-10-30
ClipSoft REXPERT 1.0.0.527 and earlier version allows remote attacker to upload arbitrary local file via the ActiveX method in RexViewerCtrl30.ocx. That could lead to disclosure of sensitive information. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page.
CVSS Score
6.5
EPSS Score
0.005
Published
2019-10-30
ClipSoft REXPERT 1.0.0.527 and earlier version allows remote attacker to arbitrary file deletion by issuing a HTTP GET request with a specially crafted parameter. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page.
CVSS Score
6.5
EPSS Score
0.005
Published
2019-10-30