Security Vulnerabilities - CVEs Published In November 2019
An issue was discovered in signmgr.dll 6.5.0.819 in Comodo Internet Security through 12.0. A DLL Preloading vulnerability allows an attacker to implant an unsigned DLL named iLog.dll in a partially unprotected product directory. This DLL is then loaded into a high-privileged service before the binary signature validation logic is loaded, and might bypass some of the self-defense mechanisms.
CVSS Score
7.8
EPSS Score
0.001
Published
2019-11-18
permission and access control vulnerability, which exists in V2.1.14 and below versions of C520V21 smart camera devices. An attacker can construct a URL for directory traversal and access to other unauthorized files or resources.
CVSS Score
5.3
EPSS Score
0.001
Published
2019-11-18
authentication issues vulnerability, which exists in V2.1.14 and below versions of C520V21 smart camera devices. An attacker can automatically obtain access to web services from the authorized browser of the same computer and perform operations.
CVSS Score
8.2
EPSS Score
0.003
Published
2019-11-18
An XML external entity (XXE) vulnerability in CommandCenterWebServices/.*?wsdl in Raritan CommandCenter Secure Gateway before 8.0.0 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
CVSS Score
9.8
EPSS Score
0.016
Published
2019-11-18
Sandline Centraleyezer (On Premises) allows unrestricted File Upload with a dangerous type, because the feature of adding ".jpg" to any uploaded filename is not enforced on the server side.
CVSS Score
9.8
EPSS Score
0.004
Published
2019-11-18
Sandline Centraleyezer (On Premises) allows Stored XSS using HTML entities in the name field of the Category section.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-11-18
Sandline Centraleyezer (On Premises) allows Unrestricted File Upload leading to Stored XSS. An HTML page running a script could be uploaded to the server. When a victim tries to download a CISO Report template, the script is loaded.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-11-18
An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1. When connecting to a remote server, the server's SSL certificate is checked but no action is taken when the certificate is invalid. An attacker could exploit this behavior by performing a man-in-the-middle attack, providing any certificate, leading to the theft of all the data sent by the client during the first request.An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1. When connecting to a remote server, the server's SSL certificate is checked but no action is taken when the certificate is invalid. An attacker could exploit this behavior by performing a man-in-the-middle attack, providing any certificate, leading to the theft of all the data sent by the client during the first request.
CVSS Score
4.0
EPSS Score
0.002
Published
2019-11-18
NVIDIA NVFlash, NVUFlash Tool prior to v5.588.0 and GPUModeSwitch Tool prior to 2019-11, NVIDIA kernel mode driver (nvflash.sys, nvflsh32.sys, and nvflsh64.sys) contains a vulnerability in which authenticated users with administrative privileges can gain access to device memory and registers of other devices not managed by NVIDIA, which may lead to escalation of privileges, information disclosure, or denial of service.
CVSS Score
6.7
EPSS Score
0.001
Published
2019-11-18
Distributed Ruby (aka DRuby) 1.8 mishandles the sending of syscalls.
CVSS Score
9.8
EPSS Score
0.004
Published
2019-11-18