Security Vulnerabilities - CVEs Published In May 2019
NUUO Network Video Recorder Firmware 1.7.x through 3.3.x allows unauthenticated attackers to execute arbitrary commands via shell metacharacters to handle_load_config.php.
CVSS Score: 9.8 | EPSS Score: 0.876 | Published: 2019-05-31
In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk.
CVSS Score: 9.8 | EPSS Score: 0.019 | Published: 2019-05-31
Evernote 7.9 on macOS allows attackers to execute arbitrary programs by embedding a reference to a local executable file such as the /Applications/Calculator.app/Contents/MacOS/Calculator file.
CVSS Score: 7.8 | EPSS Score: 0.027 | Published: 2019-05-31
The "action" get_sess_id in the web application of Pydio through 8.2.2 discloses the session cookie value in the response body, enabling scripts to get access to its value. This identifier can be reused by an attacker to impersonate a user and perform actions on that user's behalf (if the session is still active).
CVSS Score: 6.5 | EPSS Score: 0.002 | Published: 2019-05-31
CVE-2019-9874
Known exploited
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
CVSS Score: 9.8 | EPSS Score: 0.184 | Published: 2019-05-31
CVE-2019-9875
Known exploited
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.
CVSS Score: 8.8 | EPSS Score: 0.119 | Published: 2019-05-31
The function getopt_simple as described in Advanced Bash Scripting Guide (ISBN 978-1435752184) allows privilege escalation and execution of commands when used in a shell script called, for example, via sudo.
CVSS Score: 9.8 | EPSS Score: 0.007 | Published: 2019-05-31
In Vijeo Citect 7.30 and 7.40, and CitectSCADA 7.30 and 7.40, a vulnerability has been identified that may allow an authenticated local user access to Citect user credentials.
CVSS Score: 7.8 | EPSS Score: 0.002 | Published: 2019-05-31
Jector Smart TV FM-K75 devices allow remote code execution because there is an adb open port with root permission.
CVSS Score: 9.8 | EPSS Score: 0.069 | Published: 2019-05-31
A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ArtifactoryBuilder.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVSS Score: 4.3 | EPSS Score: 0.001 | Published: 2019-05-31

