Security Vulnerabilities - CVEs Published In 2019
NETGEAR WNR3500U and WNR3500L routers use form tokens based solely on the router's current date and time, which allows attackers to guess the CSRF tokens.
CVSS Score
6.5
EPSS Score
0.002
Published
2019-11-13
Parallels Plesk Panel 9.5 allows XSS in target/locales/tr-TR/help/index.htm? via the "fileName" parameter.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-11-13
An issue was discovered in crun before 0.10.5. With a crafted image, it doesn't correctly check whether a target is a symlink, resulting in access to files outside of the container. This occurs in libcrun/linux.c and libcrun/chroot_realpath.c.
CVSS Score
8.6
EPSS Score
0.006
Published
2019-11-13
An XSS issue was discovered in Enghouse Web Chat 6.1.300.31 and 6.2.284.34. The QueueName parameter of a GET request allows for insertion of user-supplied JavaScript.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-11-13
A remote file include (RFI) issue was discovered in Enghouse Web Chat 6.2.284.34. One can replace the localhost attribute with one's own domain name. When the product calls this domain after the POST request is sent, it retrieves an attacker's data and displays it. Also worth mentioning is the amount of information sent in the request from this product to the attacker: it reveals information the public should not have. This includes pathnames and internal IP addresses.
CVSS Score
5.3
EPSS Score
0.004
Published
2019-11-13
Cross-site scripting (XSS) vulnerability in NETGEAR WNR3500U and WNR3500L.
CVSS Score
5.4
EPSS Score
0.003
Published
2019-11-13
offlineimap before 6.3.4 added support for SSL server certificate validation but it is still possible to use SSL v2 protocol, which is a flawed protocol with multiple security deficiencies.
CVSS Score
9.8
EPSS Score
0.003
Published
2019-11-13
In BTA_DmPinReply of bta_dm_api.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-139287605
CVSS Score
5.5
EPSS Score
0.0
Published
2019-11-13
In createProjectionMapForQuery of TvProvider.java, there is possible SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-135269669
CVSS Score
7.5
EPSS Score
0.002
Published
2019-11-13
In poisson_distribution of random, there is an out of bounds read. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-139690488
CVSS Score
5.5
EPSS Score
0.0
Published
2019-11-13



Shodan ® - All rights reserved