Security Vulnerabilities - CVEs Published In November 2019
udisks before 1.0.3 allows a local user to load arbitrary Linux kernel modules.
CVSS Score
7.8
EPSS Score
0.002
Published
2019-11-13
hook_file_download in the CKEditor module 7.x-1.4 for Drupal does not properly restrict access to private files, which allows remote attackers to read private files via a direct request.
CVSS Score
7.5
EPSS Score
0.009
Published
2019-11-13
Multiple cross-site scripting (XSS) vulnerabilities in Bitweaver 2.8.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) stats/index.php or (2) newsletters/edition.php or the (3) username parameter to users/remind_password.php, (4) days parameter to stats/index.php, (5) login parameter to users/register.php, or (6) highlight parameter.
CVSS Score
6.1
EPSS Score
0.008
Published
2019-11-13
Undocumented TELNET service in TRENDnet TEW-691GR and TEW-692GR when a web page named backdoor contains an HTML parameter of password and a value of j78G¬DFdg_24Mhw3.
CVSS Score
9.8
EPSS Score
0.005
Published
2019-11-13
Cross-site scripting (XSS) vulnerability in the zen_breadcrumb function in template.php in the Zen theme 6.x-1.x, 7.x-3.x before 7.x-3.2, and 7.x-5.x before 7.x-5.4 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via the breadcrumb separator field.
CVSS Score
5.4
EPSS Score
0.004
Published
2019-11-13
views/upload.php in the ProJoom Smart Flash Header (NovaSFH) component 3.0.2 and earlier for Joomla! allows remote attackers to upload and execute arbitrary files via a crafted (1) dest parameter and (2) arbitrary extension in the Filename parameter.
CVSS Score
8.8
EPSS Score
0.041
Published
2019-11-13
The Device Model in ACRN before 2019w25.5-140000p relies on assert calls in devicemodel/hw/pci/core.c and devicemodel/include/pci_core.h (instead of other mechanisms for propagating error information or diagnostic information), which might allow attackers to cause a denial of service (assertion failure) within pci core. This is fixed in 1.2. 6199e653418e is a mitigation for pre-1.1 versions, whereas 2b3dedfb9ba1 is a mitigation for 1.1.
CVSS Score
7.5
EPSS Score
0.005
Published
2019-11-13
XSS exists in Lavalite CMS 5.7 via the admin/profile name or designation field.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-11-13
index.php/team_members/add_team_member in RISE Ultimate Project Manager 2.3 has CSRF for adding authorized users.
CVSS Score
8.8
EPSS Score
0.002
Published
2019-11-13
In load_logging_config of qmi_vs_service.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9 Android-10. Android ID: A-139148442
CVSS Score
7.8
EPSS Score
0.0
Published
2019-11-13