Security Vulnerabilities - CVEs Published In June 2019
Cross-site scripting (XSS) vulnerability in Chart in Synology Office before 3.1.4-2771 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVSS Score: 5.5
EPSS Score: 0.001
Published: 2019-06-30
OS command injection vulnerability in drivers_syno_import_user.php in Synology Calendar before 2.3.1-0617 allows remote attackers to execute arbitrary commands via a crafted 'X-Real-IP' header.
CVSS Score: 7.3
EPSS Score: 0.041
Published: 2019-06-30
Tor Browser through 8.5.3 has an information exposure vulnerability. It allows remote attackers to detect the browser's language via vectors involving an IFRAME element, because text in that language is included in the title attribute of a LINK element for a non-HTML page. This is related to a behavior of Firefox before 68.
CVSS Score: 5.3
EPSS Score: 0.001
Published: 2019-06-30
Stored XSS in the Filters page (Name field) in ZoneMinder 1.32.3 allows a malicious user to embed and execute JavaScript code in the browser of any user who navigates to this page.
CVSS Score: 5.4
EPSS Score: 0.003
Published: 2019-06-30
njs through 0.3.3, used in NGINX, has a buffer over-read in nxt_utf8_decode in nxt/nxt_utf8.c. This issue occurs after the fix for CVE-2019-12207 is in place.
CVSS Score: 9.8
EPSS Score: 0.004
Published: 2019-06-30
public/app/features/panel/panel_ctrl.ts in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field).
CVSS Score: 5.4
EPSS Score: 0.066
Published: 2019-06-30
Logitech Unifying devices before 2016-02-26 allow keystroke injection, bypassing encryption, aka MouseJack.
CVSS Score: 6.5
EPSS Score: 0.0
Published: 2019-06-29
Logitech Unifying devices allow live decryption if the pairing of a keyboard to a receiver is sniffed.
CVSS Score: 6.5
EPSS Score: 0.001
Published: 2019-06-29
Logitech Unifying devices allow keystroke injection, bypassing encryption. The attacker must press a "magic" key combination while sniffing cryptographic data from a Radio Frequency transmission. NOTE: this issue exists because of an incomplete fix for CVE-2016-10761.
CVSS Score: 6.5
EPSS Score: 0.0
Published: 2019-06-29
The Logitech R500 presentation clicker allows attackers to determine the AES key, leading to keystroke injection. On Windows, any text may be injected by using ALT+NUMPAD input to bypass the restriction on the characters A through Z.
CVSS Score: 6.5
EPSS Score: 0.001
Published: 2019-06-29

