Security Vulnerabilities - CVEs Published In June 2019
core/MY_Security.php in CSZ CMS 1.2.2 before 2019-06-20 has member/login/check SQL injection by sending a crafted HTTP User-Agent header and omitting the csrf_csz parameter.
CVSS Score: 9.8; EPSS Score: 0.508; Published: 2019-06-30
Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. It extracts a ZIP archive before checking its content, and once it has been extracted, does not check files in a recursive way. This means that by putting a .php file in a folder and then this folder in a ZIP archive, the server will accept this file without any checks. Because one can access this file from the website, it is remote code execution. This is related to a scorm imsmanifest.xml file, the import_package function, and extraction in $courseSysDir.$newDir.
CVSS Score: 9.8; EPSS Score: 0.035; Published: 2019-06-30
XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000000000384e2a.
CVSS Score: 7.8; EPSS Score: 0.002; Published: 2019-06-30
XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x000000000026b739.
CVSS Score: 7.8; EPSS Score: 0.002; Published: 2019-06-30
XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x000000000030ecfa.
CVSS Score: 7.8; EPSS Score: 0.002; Published: 2019-06-30
SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL commands via the type parameter.
CVSS Score: 7.3; EPSS Score: 0.004; Published: 2019-06-30
Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter.
CVSS Score: 4.3; EPSS Score: 0.002; Published: 2019-06-30
Cross-site scripting (XSS) vulnerability in Event Editor in Synology Calendar before 2.3.0-0615 allows remote attackers to inject arbitrary web script or HTML via the title parameter.
CVSS Score: 6.5; EPSS Score: 0.001; Published: 2019-06-30
Relative path traversal vulnerability in SYNO.PhotoTeam.Upload.Item in Synology Moments before 1.3.0-0691 allows remote authenticated users to upload arbitrary files via the name parameter.
CVSS Score: 8.0; EPSS Score: 0.009; Published: 2019-06-30
Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Shard in Synology Note Station before 2.5.3-0863 allows remote attackers to inject arbitrary web script or HTML via the object_id parameter.
CVSS Score: 6.5; EPSS Score: 0.001; Published: 2019-06-30

