Security Vulnerabilities - CVEs Published In December 2019
GoPro GPMF-parser 1.2.3 has a heap-based buffer over-read in GPMF_SeekToSamples in GPMF_parse.c for the size calculation.
CVSS Score
7.8
EPSS Score
0.003
Published
2019-12-30
CVE-2019-20085
Known exploited
TVT NVMS-1000 devices allow GET /.. Directory Traversal
CVSS Score
7.5
EPSS Score
0.94
Published
2019-12-30
The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.
CVSS Score
7.8
EPSS Score
0.002
Published
2019-12-30
On Netis DL4323 devices, XSS exists via the urlFQDN parameter to form2url.cgi (aka the Keyword field of the URL Blocking Configuration).
CVSS Score
6.1
EPSS Score
0.004
Published
2019-12-30
On Netis DL4323 devices, CSRF exists via form2logaction.cgi to delete all logs.
CVSS Score
6.5
EPSS Score
0.002
Published
2019-12-30
On Netis DL4323 devices, XSS exists via the form2Ddns.cgi hostname parameter (Dynamic DNS Configuration).
CVSS Score
6.1
EPSS Score
0.004
Published
2019-12-30
On Netis DL4323 devices, XSS exists via the form2userconfig.cgi username parameter (User Account Configuration).
CVSS Score
6.1
EPSS Score
0.004
Published
2019-12-30
On Netis DL4323 devices, any user role can view sensitive information, such as a user password or the FTP password, via the form2saveConf.cgi page.
CVSS Score
8.8
EPSS Score
0.003
Published
2019-12-30
On Netis DL4323 devices, pingrtt_v6.html has XSS (Ping6 Diagnostic).
CVSS Score
6.1
EPSS Score
0.004
Published
2019-12-30
On Netis DL4323 devices, XSS exists via the form2Ddns.cgi username parameter (DynDns settings of the Dynamic DNS Configuration).
CVSS Score
6.1
EPSS Score
0.004
Published
2019-12-30

