Security Vulnerabilities - CVEs Published In December 2019
Cross-site scripting (XSS) vulnerability in the Easy Career Openings plugin 0.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-12-27
Cross-site scripting (XSS) vulnerability in magpie/scripts/magpie_slashbox.php in the Ebay Feeds for WordPress plugin 1.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the rss_url parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-12-27
Multiple cross-site scripting (XSS) vulnerabilities in test-plugin.php in the Swipe Checkout for WP e-Commerce plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) api_key, (2) payment_page_url, (3) merchant_id, (4) api_url, or (5) currency parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-12-27
wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.
CVSS Score
9.8
EPSS Score
0.024
Published
2019-12-27
In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.
CVSS Score
6.1
EPSS Score
0.069
Published
2019-12-27
In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.
CVSS Score
4.3
EPSS Score
0.01
Published
2019-12-27
A heap-based buffer overflow was discovered in image_buffer_resize in fromsixel.c in libsixel before 1.8.4.
CVSS Score
6.5
EPSS Score
0.005
Published
2019-12-27
libmysofa before 2019-11-24 does not properly restrict recursive function calls, as demonstrated by reports of stack consumption in readOHDRHeaderMessageDatatype in dataobject.c and directblockRead in fractalhead.c. NOTE: a download of v0.9 after 2019-12-06 should fully remediate this issue.
CVSS Score
6.5
EPSS Score
0.005
Published
2019-12-27
A stack-based buffer over-read was discovered in Mat_VarReadNextInfo5 in mat5.c in matio 1.5.17.
CVSS Score
6.5
EPSS Score
0.004
Published
2019-12-27
A stack-based buffer over-read was discovered in ReadNextCell in mat5.c in matio 1.5.17.
CVSS Score
6.5
EPSS Score
0.004
Published
2019-12-27