Security Vulnerabilities - CVEs Published In December 2019
piwigo has XSS in password.php
CVSS Score
6.1
EPSS Score
0.004
Published
2019-12-02
piwigo has XSS in password.php (incomplete fix for CVE-2012-4525)
CVSS Score
6.1
EPSS Score
0.004
Published
2019-12-02
An issue was discovered in TitanHQ WebTitan before 5.18. It contains a Remote Code Execution issue through which an attacker can execute arbitrary code as root. The issue stems from the hotfix download mechanism, which downloads a shell script via HTTP, and then executes it as root. This is analogous to CVE-2019-6800 but for a different product.
CVSS Score
7.5
EPSS Score
0.008
Published
2019-12-02
An issue was discovered in TitanHQ WebTitan before 5.18. In the administration web interface it is possible to upload a crafted backup file that enables an attacker to execute arbitrary code by overwriting existing files or adding new PHP files under the web root. This requires the attacker to have access to a valid web interface account.
CVSS Score
7.2
EPSS Score
0.01
Published
2019-12-02
An issue was discovered in TitanHQ WebTitan before 5.18. It has a hidden support account (with a hard-coded password) in the web administration interface, with administrator privileges. Anybody can log in with this account.
CVSS Score
9.8
EPSS Score
0.004
Published
2019-12-02
In jpv (aka Json Pattern Validator) before 2.1.1, compareCommon() can be bypassed because certain internal attributes can be overwritten via a conflicting name, as demonstrated by 'constructor': {'name':'Array'}. This affects validate(). Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
CVSS Score
5.3
EPSS Score
0.002
Published
2019-12-02
Anviz access control devices allow unverified password change which allows remote attackers to change the administrator password without prior authentication.
CVSS Score
9.8
EPSS Score
0.009
Published
2019-12-02
Due to unencrypted and unauthenticated data communication, the wireless barcode scanner Inateck BCST-60 is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device.
CVSS Score
9.8
EPSS Score
0.003
Published
2019-12-02
Anviz CrossChex access control management software 4.3.8.0 and 4.3.12 is vulnerable to a buffer overflow vulnerability.
CVSS Score
9.8
EPSS Score
0.748
Published
2019-12-02
An issue was discovered in TitanHQ WebTitan before 5.18. It has a sudoers file that enables low-privilege users to execute a vast number of commands as root, including mv, chown, and chmod. This can be trivially exploited to gain root privileges by an attacker with access.
CVSS Score
7.8
EPSS Score
0.001
Published
2019-12-02