Security Vulnerabilities - CVEs Published In November 2019
An exploitable integer underflow vulnerability exists in the CMP-parsing functionality of LEADTOOLS 20. A specially crafted CMP image file can cause an integer underflow, potentially resulting in code execution. An attacker can specially craft a CMP image to trigger this vulnerability.
CVSS Score: 8.8 | EPSS Score: 0.003 | Published: 2019-11-06
An exploitable integer overflow vulnerability exists in the BMP header parsing functionality of LEADTOOLS 20. A specially crafted BMP image file can cause an integer overflow, potentially resulting in code execution. An attacker can specially craft a BMP image to trigger this vulnerability.
CVSS Score: 8.8 | EPSS Score: 0.003 | Published: 2019-11-06
An exploitable heap overflow vulnerability exists in the JPEG2000 parsing functionality of LEADTOOLS 20. A specially crafted J2K image file can cause an out-of-bounds write of a heap buffer, potentially resulting in code execution. An attacker can specially craft a J2K image to trigger this vulnerability.
CVSS Score: 8.8 | EPSS Score: 0.005 | Published: 2019-11-06
Dump Servlet information leak in jetty before 6.1.22.
CVSS Score: 7.5 | EPSS Score: 0.026 | Published: 2019-11-06
JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22.
CVSS Score: 6.1 | EPSS Score: 0.01 | Published: 2019-11-06
In kernel/compat.c in the Linux kernel before 3.17, as used in Google Chrome OS and other products, there is a possible out-of-bounds read. restart_syscall uses uninitialized data when restarting compat_sys_nanosleep. NOTE: this is disputed because the code path is unreachable.
CVSS Score: 9.1 | EPSS Score: 0.002 | Published: 2019-11-06
An issue was discovered in the MailPoet Newsletters (aka wysija-newsletters) plugin before 2.8.2 for WordPress. The plugin is vulnerable to SPAM attacks.
CVSS Score: 5.3 | EPSS Score: 0.003 | Published: 2019-11-06
Computing For Good's Basic Laboratory Information System (also known as C4G BLIS) version 3.4 and earlier suffers from an instance of CWE-284, "Improper Access Control." As a result, an unauthenticated user may change the password of any administrator-level user.
CVSS Score: 10.0 | EPSS Score: 0.019 | Published: 2019-11-06
Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. This can allow other users of the same system where Metasploit Pro is installed to intercept otherwise private communications to the Metasploit Pro web interface.
CVSS Score: 3.3 | EPSS Score: 0.001 | Published: 2019-11-06
Computing For Good's Basic Laboratory Information System (also known as C4G BLIS) version 3.5 and earlier suffers from an instance of CWE-284, "Improper Access Control." As a result, an unauthenticated user may enumerate the user names and facility names in use on a particular installation.
CVSS Score: 5.3 | EPSS Score: 0.008 | Published: 2019-11-06

