Security Vulnerabilities - CVEs Published In November 2019
The TYPO3 Core wec_discussion extension before 2.1.1 is vulnerable to SQL Injection due to improper sanitation of user-supplied input.
CVSS Score
9.8
EPSS Score
0.005
Published
2019-11-26
Polipo before 1.0.4.1 suffers from a DoD vulnerability via specially-crafted HTTP POST / PUT request.
CVSS Score
7.5
EPSS Score
0.139
Published
2019-11-26
Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to tomcat’s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well.
CVSS Score
8.8
EPSS Score
0.005
Published
2019-11-26
A privilege escalation exists in UniFi Video Controller =<3.10.6 that would allow an attacker on the local machine to run arbitrary commands.
CVSS Score
8.8
EPSS Score
0.007
Published
2019-11-26
In Philips IntelliBridge EC40 and EC80, IntelliBridge EC40 Hub all versions, and IntelliBridge EC80 Hub all versions, the SSH server running on the affected products is configured to allow weak ciphers. This could enable an unauthorized attacker with access to the network to capture and replay the session and gain unauthorized access to the EC40/80 hub.
CVSS Score
6.5
EPSS Score
0.001
Published
2019-11-26
In all versions of ABB Power Generation Information Manager (PGIM) and Plant Connect, the affected product is vulnerable to authentication bypass, which may allow an attacker to remotely bypass authentication and extract credentials from the affected device.
CVSS Score
9.8
EPSS Score
0.001
Published
2019-11-26
In Omron CX-Supervisor, Versions 3.5 (12) and prior, Omron CX-Supervisor ships with Teamviewer Version 5.0.8703 QS. This version of Teamviewer is vulnerable to an obsolete function vulnerability requiring user interaction to exploit.
CVSS Score
8.8
EPSS Score
0.003
Published
2019-11-26
evolution-data-server3 3.0.3 through 3.2.1 used insecure (non-SSL) connection when attempting to store sent email messages into the Sent folder, when the Sent folder was located on the remote server. An attacker could use this flaw to obtain login credentials of the victim.
CVSS Score
7.3
EPSS Score
0.002
Published
2019-11-25
Drupal Views Builk Operations (VBO) module 6.x-1.0 through 6.x-1.10 does not properly escape the vocabulary help when the vocabulary has had user tagging enabled and the "Modify node taxonomy terms" action is used. A remote attacker could provide a specially-crafted URL that could lead to cross-site scripting (XSS) attack.
CVSS Score
6.1
EPSS Score
0.006
Published
2019-11-25
Characters in the GET url path are not properly escaped and can be reflected in the server response.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-11-25