Security Vulnerabilities - CVEs Published In December 2019
Trend Micro Security (Consumer) 2020 (v16.0.1221 and below) is affected by a DLL hijacking vulnerability that could allow an attacker to use a specific service as an execution and/or persistence mechanism which could execute a malicious program each time the service is started.
CVSS Score: 7.8 | EPSS Score: 0.002 | Published: 2019-12-02
Code injection in pluginconfig.php in Image Uploader and Browser for CKEditor before 4.1.9 allows remote authenticated users to execute arbitrary PHP code.
CVSS Score: 9.8 | EPSS Score: 0.009 | Published: 2019-12-02
Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2019-12-02
NAPC Xinet Elegant 6 Asset Library 6.1.655 allows Pre-Authentication SQL Injection via the /elegant6/login LoginForm[username] field when double quotes are used.
CVSS Score: 9.8 | EPSS Score: 0.097 | Published: 2019-12-02
Alfresco Enterprise before 5.2.5 allows stored XSS via an uploaded HTML document.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2019-12-02
An issue was discovered in the Chat functionality of the TeamViewer desktop application 14.3.4730 on Windows. (The vendor states that it was later fixed.) Upon login, every communication is saved within Windows main memory. When a user logs out or deletes conversation history (but does not exit the application), this data is not wiped from main memory, and therefore could be read by a local user with the same or greater privileges.
CVSS Score: 4.3 | EPSS Score: 0.002 | Published: 2019-12-02
Kentico before 12.0.50 allows file uploads in which the Content-Type header is inconsistent with the file extension, leading to XSS.
CVSS Score: 5.4 | EPSS Score: 0.007 | Published: 2019-12-02
SMPlayer 19.5.0 has a buffer overflow via a long .m3u file.
CVSS Score: 5.5 | EPSS Score: 0.003 | Published: 2019-12-02
LiteManager 4.5.0 has weak permissions (Everyone: Full Control) in the "LiteManagerFree - Server" folder, as demonstrated by ROMFUSClient.exe.
CVSS Score: 7.3 | EPSS Score: 0.001 | Published: 2019-12-02
TestLink 1.9.19 has XSS via the lib/testcases/archiveData.php edit parameter, the index.php reqURI parameter, or the URI in a lib/testcases/tcEdit.php?doAction=doDeleteStep request.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2019-12-02
Shodan ® - All rights reserved