Security Vulnerabilities - CVEs Published In December 2019
A vulnerability has been identified in XHQ (All versions < V6.0.0.2). The web application requests could be manipulated, causing the application to behave in unexpected ways for legitimate users. Successful exploitation does not require an attacker to be authenticated. A successful attack could allow the import of scripts or generation of malicious links. This could allow the attacker to read or modify contents of the web application. At the time of advisory publication no public exploitation of this security vulnerability was known.
CVSS Score
9.1
EPSS Score
0.004
Published
2019-12-12
A vulnerability has been identified in EN100 Ethernet module DNP3 variant (All versions), EN100 Ethernet module IEC 61850 variant (All versions < V4.37), EN100 Ethernet module IEC104 variant (All versions), EN100 Ethernet module Modbus TCP variant (All versions), EN100 Ethernet module PROFINET IO variant (All versions). An unauthorized user could exploit a buffer overflow vulnerability in the webserver. Specially crafted packets sent could cause a Denial-of-Service condition and if certain conditions are met, the affected devices must be restarted manually to fully recover. At the time of advisory publication no public exploitation of this security vulnerability was known.
CVSS Score
7.5
EPSS Score
0.002
Published
2019-12-12
minerstat msOS before 2019-10-23 does not have a unique SSH key for each instance of the product.
CVSS Score
9.8
EPSS Score
0.004
Published
2019-12-12
IBM DB2 High Performance Unload load for LUW 6.1 and 6.5 could allow a local attacker to execute arbitrary code on the system, caused by an untrusted search path vulnerability. By using an executable file, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 168298.
CVSS Score
7.4
EPSS Score
0.002
Published
2019-12-12
Intesync Solismed 3.3sp1 allows Local File Inclusion (LFI), a different vulnerability than CVE-2019-15931. This leads to unauthenticated code execution.
CVSS Score
9.8
EPSS Score
0.013
Published
2019-12-12
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module.
CVSS Score
8.1
EPSS Score
0.024
Published
2019-12-12
An issue was discovered in Intesync Solismed 3.3sp1. A flaw in the encryption implementation exists, allowing for all encrypted data stored within the database to be decrypted.
CVSS Score
5.9
EPSS Score
0.001
Published
2019-12-12
A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application.
CVSS Score
9.3
EPSS Score
0.011
Published
2019-12-12
The Scoutnet Kalender plugin 1.1.0 for WordPress allows XSS.
CVSS Score
5.4
EPSS Score
0.008
Published
2019-12-12
Electronic Arts Origin through 10.5.x allows Elevation of Privilege (issue 1 of 2).
CVSS Score
7.8
EPSS Score
0.001
Published
2019-12-12

