Security Vulnerabilities - CVEs Published In 2019
The image thumbnailing handler in Zulip Server versions 1.9.0 to before 2.0.8 allowed an open redirect that was visible to logged-in users.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2019-12-18
In Joomla! before 3.9.14, a missing access check in framework files could lead to a path disclosure.
CVSS Score: 5.3 | EPSS Score: 0.0 | Published: 2019-12-18
In Joomla! before 3.9.14, the lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2019-12-18
The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a project via a missing authorisation check.
CVSS Score: 4.3 | EPSS Score: 0.003 | Published: 2019-12-18
A Cross-Site Request Forgery vulnerability in Micro Focus ArcSight Logger affects all product versions below version 7.0. The vulnerability could be exploited to perform a CSRF attack.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2019-12-17
In Advantech DiagAnywhere Server, Versions 3.07.11 and prior, multiple stack-based buffer overflow vulnerabilities exist in the file transfer service listening on the TCP port. Successful exploitation could allow an unauthenticated attacker to execute arbitrary code with the privileges of the user running DiagAnywhere Server.
CVSS Score: 9.8 | EPSS Score: 0.012 | Published: 2019-12-17
CVE-2019-7481 (Known exploited)
A vulnerability in SonicWall SMA100 allows an unauthenticated user to gain read-only access to unauthorized resources. This vulnerability impacted SMA100 version 9.0.0.3 and earlier.
CVSS Score: 7.5 | EPSS Score: 0.943 | Published: 2019-12-17
ELOG 3.1.4-57bea22 and below is affected by an information disclosure vulnerability. A remote unauthenticated attacker can access the server's configuration file by sending an HTTP GET request. Amongst the configuration data, the attacker may gain access to valid admin usernames and, in older versions of ELOG, passwords.
CVSS Score: 7.5 | EPSS Score: 0.04 | Published: 2019-12-17
ELOG 3.1.4-57bea22 and below is affected by an information disclosure vulnerability. A remote unauthenticated attacker can recover a user's password hash by sending a crafted HTTP POST request.
CVSS Score: 7.5 | EPSS Score: 0.116 | Published: 2019-12-17
ELOG 3.1.4-57bea22 and below is affected by a denial of service vulnerability due to a use after free. A remote unauthenticated attacker can crash the ELOG server by sending multiple HTTP POST requests which causes the ELOG function retrieve_url() to use a freed variable.
CVSS Score: 7.5 | EPSS Score: 0.028 | Published: 2019-12-17

Shodan ® - All rights reserved