Security Vulnerabilities - CVEs Published In 2019
An issue was discovered in GNU LibreDWG before 0.93. There is a double-free in dwg_free in free.c.
CVSS Score
8.8
EPSS Score
0.005
Published
2019-12-27
An issue was discovered in GNU LibreDWG 0.92. Crafted input will lead to an attempted excessive memory allocation in dwg_decode_LWPOLYLINE_private in dwg.spec.
CVSS Score
6.5
EPSS Score
0.006
Published
2019-12-27
An authentication bypass exists in the web management interface in Belkin F5D8236-4 v2.
CVSS Score
9.8
EPSS Score
0.001
Published
2019-12-26
Belkin N900 router (F9K1104v1) contains an Authentication Bypass using "Javascript debugging".
CVSS Score
9.8
EPSS Score
0.002
Published
2019-12-26
In Archery before 1.3, inserting an XSS payload into a project name (either by creating a new project or editing an existing one) will result in stored XSS on the vulnerability-scan scheduling page.
CVSS Score
5.4
EPSS Score
0.004
Published
2019-12-26
An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_decode, while parsing a crafted XML file, performs incorrect memory handling, leading to a heap-based buffer over-read while running strchr() starting with a pointer after a '\0' character (where the processing of a string was finished).
CVSS Score
6.5
EPSS Score
0.007
Published
2019-12-26
An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_char_content puts a pointer to the internal address of a larger block as xml->txt. This is later deallocated (using free), leading to a segmentation fault.
CVSS Score
7.5
EPSS Score
0.004
Published
2019-12-26
An issue was discovered in ezXML 0.8.2 through 0.8.6. The function ezxml_str2utf8, while parsing a crafted XML file, performs zero-length reallocation in ezxml.c, leading to returning a NULL pointer (in some compilers). After this, the function ezxml_parse_str does not check whether the s variable is not NULL in ezxml.c, leading to a NULL pointer dereference and crash (segmentation fault).
CVSS Score
6.5
EPSS Score
0.009
Published
2019-12-26
An information disclosure flaw was found in the way the Java Virtual Machine (JVM) implementation of Java SE 7 as provided by OpenJDK 7 incorrectly initialized integer arrays after memory allocation (in certain circumstances they had nonzero elements right after the allocation). A remote attacker could use this flaw to obtain potentially sensitive information.
CVSS Score
7.5
EPSS Score
0.011
Published
2019-12-26
WordPress W3 Super Cache Plugin before 1.3.2 contains a PHP code-execution vulnerability which could allow remote attackers to inject arbitrary code. This issue exists because of an incomplete fix for CVE-2013-2009.
CVSS Score
8.8
EPSS Score
0.059
Published
2019-12-26