Security Vulnerabilities - CVEs Published In November 2019
In the Bootloader, there is a possible kernel command injection due to missing command sanitization. This could lead to a local elevation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-80316910
CVSS Score
6.7
EPSS Score
0.001
Published
2019-11-13
An integer overflow condition in poppler before 0.16.3 can occur when parsing CharCodes for fonts.
CVSS Score
6.5
EPSS Score
0.008
Published
2019-11-13
poppler before 0.16.3 has malformed commands that may cause corruption of the internal stack.
CVSS Score
7.8
EPSS Score
0.005
Published
2019-11-13
NETGEAR WNR3500U and WNR3500L routers use form tokens based solely on the router's current date and time, which allows attackers to guess the CSRF tokens.
CVSS Score
6.5
EPSS Score
0.002
Published
2019-11-13
Parallels Plesk Panel 9.5 allows XSS in target/locales/tr-TR/help/index.htm? via the "fileName" parameter.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-11-13
An issue was discovered in crun before 0.10.5. With a crafted image, it doesn't correctly check whether a target is a symlink, resulting in access to files outside of the container. This occurs in libcrun/linux.c and libcrun/chroot_realpath.c.
CVSS Score
8.6
EPSS Score
0.006
Published
2019-11-13
An XSS issue was discovered in Enghouse Web Chat 6.1.300.31 and 6.2.284.34. The QueueName parameter of a GET request allows for insertion of user-supplied JavaScript.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-11-13
A remote file include (RFI) issue was discovered in Enghouse Web Chat 6.2.284.34. One can replace the localhost attribute with one's own domain name. When the product calls this domain after the POST request is sent, it retrieves an attacker's data and displays it. Also worth mentioning is the amount of information sent in the request from this product to the attacker: it reveals information the public should not have. This includes pathnames and internal IP addresses.
CVSS Score
5.3
EPSS Score
0.004
Published
2019-11-13
Cross-site scripting (XSS) vulnerability in NETGEAR WNR3500U and WNR3500L.
CVSS Score
5.4
EPSS Score
0.003
Published
2019-11-13
offlineimap before 6.3.4 added support for SSL server certificate validation but it is still possible to use SSL v2 protocol, which is a flawed protocol with multiple security deficiencies.
CVSS Score
9.8
EPSS Score
0.003
Published
2019-11-13