Security Vulnerabilities - CVEs Published In December 2019
This command injection vulnerability in Music Station allows attackers to execute commands on the affected device. To fix the vulnerability, QNAP recommends updating Music Station to the latest version.
CVSS Score
9.8
EPSS Score
0.042
Published
2019-12-04
This command injection vulnerability in File Station allows attackers to execute commands on the affected device. To fix the vulnerability, QNAP recommends updating QTS to the latest version.
CVSS Score
9.8
EPSS Score
0.012
Published
2019-12-04
In Mcrouter prior to v0.41.0, the deprecated ASCII parser would allocate a buffer to a user-specified length with no maximum length enforced, allowing for resource exhaustion or denial of service.
CVSS Score
7.5
EPSS Score
0.006
Published
2019-12-04
In Mcrouter prior to v0.41.0, a large struct input provided to the Carbon protocol reader could result in stack exhaustion and denial of service.
CVSS Score
7.5
EPSS Score
0.006
Published
2019-12-04
A vulnerability was found in Keycloak 7.x: when the user federation LDAP bind type is none (LDAP anonymous bind), any password, valid or invalid, will be accepted.
CVSS Score
9.3
EPSS Score
0.003
Published
2019-12-04
COPA-DATA zenone32 zenon Editor through 8.10 has an Uncontrolled Search Path Element.
CVSS Score
7.8
EPSS Score
0.001
Published
2019-12-04
TrevorC2 v1.1/v1.2 fails to prevent fingerprinting, primarily via a discrepancy between response headers when responding to different HTTP methods, and also via predictable responses when accessing and interacting with the "SITE_PATH_QUERY".
CVSS Score
7.5
EPSS Score
0.004
Published
2019-12-04
An issue exists in uscan in devscripts before 2.13.19, which could let a remote malicious user execute arbitrary code via a crafted tarball.
CVSS Score
8.8
EPSS Score
0.005
Published
2019-12-03
A vulnerability exists in libgwenhywfar through 4.12.0 due to the usage of outdated bundled CA certificates.
CVSS Score
5.3
EPSS Score
0.001
Published
2019-12-03
Exploitable SQL injection vulnerabilities exist in the authenticated portion of Forma LMS 2.2.1. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database and user credentials and, in certain configurations, access to the underlying operating system.
CVSS Score
7.4
EPSS Score
0.005
Published
2019-12-03

