Ticket | Info |
---|---|
DE10503 | Fixed directory permission issue with BPS /resources/ clientcerts and clientkeys. |
DE10496 | Fix strike implementation for CVE-2019-2725 and CVE-2019-2729. |
CVSS | ID | References | Category | Info |
---|---|---|---|---|
10.0 | E19-0wr21 |
CVE-2019-7838 CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C) URL |
Exploits | This strike exploits a file upload vulnerability in Adobe Coldfusion. The vulnerability is due to the improper sanitization of requests sent to the application. An attacker could exploit this vulnerability by sending crafted HTTP traffic to the target server. Successful exploitation could lead to file upload and code execution on the target server. |
10.0 | E19-0s3x1 |
BID-108339 CVE-2019-1821 CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C) EXPLOITDB-47016 URL |
Exploits | This strike exploits a path traversal vulnerability found in Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system. |
10.0 | E19-7o2j1 |
CVE-2019-11707 CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C) GOOGLE-1820 |
Exploits | This strike exploits a vulnerability in Mozilla Firefox. Specifically, the vulnerability exists in the Javascript engine Spidermonkey. It is possible to craft Javascript in such a way that IonMonkey incorrectly predicts the return type of Array.Prototype.pop. This causes type confusion to occur which can result in remote code execution. |
9.3 | E19-0re01 |
CVE-2019-0888 CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C) URL |
Exploits | A code execution vulnerability has been reported in Microsoft Windows ActiveX Data Objects (ADO). The vulnerability is due to improper handling of an object. A remote attacker could exploit this vulnerability by enticing a user to open a specially crafted file. Successful exploitation could result in the execution of arbitrary code with the victim's privileges. |
9.0 | E19-7p341 |
CVE-2019-13024 CVSS-9.0 (AV:N/AC:L/AU:S/C:C/I:C/A:C) EXPLOITDB-47069 |
Exploits | An OS command injection exists in Centreon 19.04.0 due to lack of sanitization when the 'nagios' binary path is set. By exploiting this flaw, an authenticated remote attacker can run arbitrary OS commands on the target system. |
7.6 | E19-0ya01 |
CVE-2019-9816 CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C) GOOGLE-1808 |
Exploits | This strike exploits a vulnerability in Mozilla Firefox. Specifically, the vulnerability exists in the Javascript engine Spidermonkey. It is possible to craft Javascript in such a way that in IonMonkey an unexpected ObjectGroup in an ObjectGroupDispatch operation might allow for unsafe code to execute. This could cause type confusion to occur causing a denial of service condition in the browser or potentially allowing for remote code execution to occur. |
5.0 | E19-7oic1 |
CVE-2019-12276 CVSS-5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N) URL |
Exploits | This strike exploits a directory traversal vulnerability in GrandNode Ecommerce platform. The vulnerability is due to improper sanitization of parameters passed to the "LetsEncryptController" module. By successfully exploiting this vulnerability, a remote, unauthenticated attacker could retrieve arbitrary files from the target server. |
5.0 | E19-7pc01 |
CVE-2019-13344 CVSS-5.0 (AV:N/AC:L/AU:N/C:N/I:P/A:N) EXPLOITDB-47078 |
Exploits | This strike exploits an authentication bypass on the Wordpress Plugin Like Button. The vulnerability is due to not properly checking if the request is sent by an authorized user. A remote unauthorized attacker can exploit this vulnerability by sending a crafted HTTP POST request to the system. Successful exploitation results in changing the configuration of the plugin setting. |
4.3 | E19-0rhe1 |
CVE-2019-1010 CVSS-4.3 (AV:N/AC:M/AU:N/C:P/I:N/A:N) URL |
Exploits | This strike exploits an information disclosure vulnerability in Microsoft Windows GDI component. The flaw is located in 'bHandleCreateDIBPatternBrush' function and exists due to lack of checks when parsing an EMF file's 'BITMAPINFOHEADER' fields. In order to exploit this vulnerability an attacker must entice the victim to open a malicious 'emf' file. |
3.5 | E19-0y6t1 |
CVE-2019-9701 CVSS-3.5 (AV:N/AC:M/AU:S/C:N/I:P/A:N) EXPLOITDB-47071 |
Exploits | This strike simulates a stored XSS attack on Symantec DLP 15.5 MP1. The flaw exists in '/ProtectManager/enforce/admin/senderrecipientpatterns/list' endpoint due to lack of sanitization for the 'name' parameter. A successful authenticated attacker is thus able gain control of victim's browser. |