AppSec News from the Web
- 2019 on track to be the worst year for breaches
- Fintechs and Banks suffer from OSS and web vulns at an alarming rate
- SC Magazine UK highlights the challenges around only using CVSS to prioritize patching
- AMZN will scan for misconfigs in WAFs after CapOne hackÂ
- AppSec vulns largely the same in the first half of 2019
- More scanning is not resulting in more vulnerability remediation
- The Cybersecurity 80/20 ruleÂ
- Research shows that banks may want to pay more attention to AppSec
- CISO Mag’s warning on AppSec threats
Waratek Alerts and Blog
- Customer alert for Apache Solr injection threat
- Article: Risks from the software supply chain
- Security Guy TV interview at BHUSA 2019
From Our Partners
Webinar: Traditional ERP Security, Why you may be at Risk
September 12, 2019 at 2pm ET/ 10am PT
REGISTERCustomer CVE Alert for 2019-August
Below is a list of CV’s that were announced last week which are protected by the Waratek ARMR Platform.
This list is not comprehensive of all of the CVEs issued and only represents application vulnerabilities. For customers that have questions, please contact your account manager or support@waratek.com. If you want more information on any of the CVE’s below, please visit the Mitre site here.
Notes:
Dates are dd/mm.
NVD Disclaimer: The date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
| CVE | CWE | Update Date | CVSS Score | RCE | Detail |
| CVE-2019-14313 | 89 | 7/30/19 | 10 | Remote | A SQL injection vulnerability exists in the 10Web Photo Gallery plugin before 1.5.31 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via filemanager/model.php. |
| CVE-2019-13573 | 89 | 7/17/19 | 10 | Remote | A SQL injection vulnerability exists in the FolioVision FV Flowplayer Video Player plugin before 7.3.19.727 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system. |
| CVE-2019-0193 | 287 | 8/1/19 | 9 | Remote | In Apache Solr |
| CVE-2017-18515 | 89 | 8/14/19 | 7.5 | Remote | The wp-statistics plugin before 12.0.8 for WordPress has SQL injection. |
| CVE-2017-18514 | 89 | 8/14/19 | 7.5 | Remote | The simple-login-log plugin before 1.1.2 for WordPress has SQL injection. |
| CVE-2016-10889 | 89 | 8/14/19 | 7.5 | Remote | The nextgen-gallery plugin before 2.1.57 for WordPress has SQL injection via a gallery name. |
| CVE-2016-10888 | 89 | 8/14/19 | 7.5 | Remote | The all-in-one-wp-security-and-firewall plugin before 4.0.7 for WordPress has multiple SQL injection issues. |
| CVE-2016-10887 | 89 | 8/14/19 | 7.5 | Remote | The all-in-one-wp-security-and-firewall plugin before 4.0.9 for WordPress has multiple SQL injection issues. |
| CVE-2015-9316 | 89 | 8/14/19 | 7.5 | Remote | The wp-fastest-cache plugin before 0.8.4.9 for WordPress has SQL injection in wp-admin/admin-ajax.php?action=wpfc_wppolls_ajax_request via the poll_id parameter. |
| CVE-2015-9315 | 89 | 8/14/19 | 7.5 | Remote | The newstatpress plugin before 1.0.1 for WordPress has SQL injection. |
| CVE-2015-9313 | 89 | 8/14/19 | 7.5 | Remote | The newstatpress plugin before 1.0.5 for WordPress has SQL injection related to an IMG element. |
| CVE-2015-9310 | 89 | 8/14/19 | 7.5 | Remote | The all-in-one-wp-security-and-firewall plugin before 3.9.1 for WordPress has multiple SQL injection issues. |
| CVE-2015-9301 | 89 | 8/13/19 | 7.5 | Remote | The liveforms plugin before 3.2.0 for WordPress has SQL injection. |
| CVE-2019-14968 | 89 | 8/12/19 | 7.5 | Remote | An issue was discovered in imcat 4.9. There is SQL Injection via the index.php order parameter in a mod=faqs action. |
| CVE-2019-14234 | 89 | 8/9/19 | 7.5 | Remote | An issue was discovered in Django 1.11.x before 1.11.23 |
| CVE-2019-2856 | 284 | 7/23/19 | 7.5 | Remote | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Application Container – JavaEE). Supported versions that are affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality |
| CVE-2019-2855 | 284 | 7/23/19 | 7.5 | Remote | Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). The supported version that is affected is 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized update |
| CVE-2019-2854 | 284 | 7/23/19 | 7.5 | Remote | Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). The supported version that is affected is 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized update |
| CVE-2019-2853 | 284 | 7/23/19 | 7.5 | Remote | Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). The supported version that is affected is 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized update |
| CVE-2019-2852 | 284 | 7/23/19 | 7.5 | Remote | Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). The supported version that is affected is 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized update |
| CVE-2019-2835 | 284 | 7/23/19 | 7.5 | Remote | Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). The supported version that is affected is 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized update |
| CVE-2019-2792 | 284 | 7/23/19 | 7.5 | Remote | Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). The supported version that is affected is 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized update |
| CVE-2019-2764 | 284 | 7/23/19 | 7.5 | Remote | Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). The supported version that is affected is 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized update |
| CVE-2019-2759 | 284 | 7/23/19 | 7.5 | Remote | Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). The supported version that is affected is 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized update |
| CVE-2019-2756 | 284 | 7/23/19 | 7.5 | Remote | Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). The supported version that is affected is 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized update |
| CVE-2019-11772 | 787 | 7/17/19 | 7.5 | Remote | In Eclipse OpenJ9 prior to 0.15 |
| CVE-2018-20968 | 352 | 8/14/19 | 6.8 | Remote | The wp-ultimate-exporter plugin before 1.4.2 for WordPress has CSRF. |
| CVE-2018-20967 | 352 | 8/14/19 | 6.8 | Remote | The wp-ultimate-csv-importer plugin before 5.6.1 for WordPress has CSRF. |
| CVE-2017-18513 | 352 | 8/14/19 | 6.8 | Remote | The responsive-menu plugin before 3.1.4 for WordPress has no CSRF protection mechanism for the admin interface. |
| CVE-2017-18512 | 352 | 8/14/19 | 6.8 | Remote | The newsletter-by-supsystic plugin before 1.1.8 for WordPress has CSRF. |
| CVE-2017-18511 | 352 | 8/14/19 | 6.8 | Remote | The custom-sidebars plugin before 3.0.8.1 for WordPress has CSRF. |
| CVE-2017-18510 | 352 | 8/14/19 | 6.8 | Remote | The custom-sidebars plugin before 3.1.0 for WordPress has CSRF related to set location |
| CVE-2016-10884 | 352 | 8/14/19 | 6.8 | Remote | The simple-membership plugin before 3.3.3 for WordPress has multiple CSRF issues. |
| CVE-2016-10882 | 352 | 8/14/19 | 6.8 | Remote | The google-document-embedder plugin before 2.6.2 for WordPress has CSRF. |
| CVE-2015-9309 | 352 | 8/14/19 | 6.8 | Remote | The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit category feature. |
| CVE-2015-9308 | 352 | 8/14/19 | 6.8 | Remote | The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit map feature. |
| CVE-2015-9307 | 352 | 8/14/19 | 6.8 | Remote | The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit location feature. |
| CVE-2018-20964 | 352 | 8/13/19 | 6.8 | Remote | The contact-form-to-email plugin before 1.2.66 for WordPress has CSRF. |
| CVE-2017-18504 | 352 | 8/12/19 | 6.8 | Remote | The twitter-cards-meta plugin before 2.5.0 for WordPress has CSRF. |
| CVE-2016-10876 | 352 | 8/12/19 | 6.8 | Remote | The wp-database-backup plugin before 4.3.1 for WordPress has CSRF. |
| CVE-2016-10874 | 352 | 8/12/19 | 6.8 | Remote | The wp-database-backup plugin before 4.3.3 for WordPress has CSRF. |
| CVE-2019-14681 | 352 | 8/8/19 | 6.8 | Remote | The Deny All Firewall plugin before 1.1.7 for WordPress allows wp-admin/options-general.php?page=daf_settings&daf_remove=true CSRF. |
| CVE-2019-10386 | 352 | 8/7/19 | 6.8 | Remote | A cross-site request forgery vulnerability in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method |
| CVE-2019-10368 | 352 | 8/7/19 | 6.8 | Remote | A cross-site request forgery vulnerability in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method |
| CVE-2018-10899 | 352 | 8/1/19 | 6.8 | Remote | A flaw was found in Jolokia versions from 1.2 to before 1.6.1. Affected versions are vulnerable to a system-wide CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. This could result in a Remote Code Execution attack. |
| CVE-2019-10359 | 352 | 7/31/19 | 6.8 | Remote | A cross-site request forgery vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier in the M2ReleaseAction#doSubmit method allowed attackers to perform releases with attacker-specified options. |
| CVE-2019-10181 | 345 | 7/31/19 | 6.8 | Remote | It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox. |
| CVE-2019-2828 | 284 | 7/23/19 | 6.8 | Remote | Vulnerability in the Oracle Field Service component of Oracle E-Business Suite (subcomponent: Wireless). Supported versions that are affected are 12.1.1 – 12.1.3 and 12.2.3 – 12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Field Service. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Field Service |
| CVE-2019-10340 | 352 | 7/11/19 | 6.8 | Remote | A cross-site request forgery vulnerability in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method |
| CVE-2019-14966 | 89 | 8/12/19 | 6.5 | Remote | An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. There exists an authenticated SQL injection. |
| CVE-2019-10380 | 254 | 8/7/19 | 6.5 | Remote | Jenkins Simple Travis Pipeline Runner Plugin 1.0 and earlier specifies unsafe values in its custom Script Security whitelist |
| CVE-2019-10356 | 254 | 7/31/19 | 6.5 | Remote | A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions allowed attackers to execute arbitrary code in sandboxed scripts. |
| CVE-2019-10355 | 254 | 7/31/19 | 6.5 | Remote | A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of type casts allowed attackers to execute arbitrary code in sandboxed scripts. |
| CVE-2019-0327 | 434 | 7/10/19 | 6.5 | Remote | SAP NetWeaver for Java Application Server – Web Container |
| CVE-2019-10185 | 22 | 7/31/19 | 6.4 | Remote | It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and |
| CVE-2019-13635 | 22 | 7/30/19 | 6.4 | Remote | The WP Fastest Cache plugin through 0.8.9.5 for WordPress allows wpFastestCache.php and inc/cache.php Directory Traversal. |
| CVE-2019-2775 | 284 | 7/23/19 | 6.4 | Remote | Vulnerability in the Oracle Payments component of Oracle E-Business Suite (subcomponent: File Transmission). Supported versions that are affected are 12.1.1 – 12.1.3 and 12.2.3 – 12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in unauthorized creation |
| CVE-2019-2767 | 284 | 7/23/19 | 6.4 | Remote | Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: BI Publisher Security). The supported version that is affected is 11.1.1.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher). While the vulnerability is in BI Publisher (formerly XML Publisher) |
| CVE-2019-2742 | 284 | 7/23/19 | 6.4 | Remote | Vulnerability in the Oracle BI Publisher component of Oracle Fusion Middleware (subcomponent: Web Service API). The supported version that is affected is 11.1.1.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. While the vulnerability is in Oracle BI Publisher |
| CVE-2019-2771 | 284 | 7/23/19 | 6 | Remote | Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: BI Publisher Security). Supported versions that are affected are 11.1.1.9.0 and 12.2.1.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher). Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in BI Publisher (formerly XML Publisher) |
| CVE-2016-10883 | 352 | 8/14/19 | 5.8 | Remote | The simple-add-pages-or-posts plugin before 1.7 for WordPress has CSRF for deleting users. |
| CVE-2019-10382 | 295 | 8/7/19 | 5.8 | Remote | Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM. |
| CVE-2019-10372 | 601 | 8/7/19 | 5.8 | Remote | An open redirect vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows attackers to redirect users to a URL outside Jenkins after successful login. |
| CVE-2019-10182 | 22 | 7/31/19 | 5.8 | Remote | It was found that icedtea-web though 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user. |
| CVE-2019-2837 | 284 | 7/23/19 | 5.8 | Remote | Vulnerability in the Oracle CRM Technical Foundation component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.3 and 12.2.3 – 12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle CRM Technical Foundation. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle CRM Technical Foundation |
| CVE-2019-2829 | 284 | 7/23/19 | 5.8 | Remote | Vulnerability in the Oracle iSupport component of Oracle E-Business Suite (subcomponent: Service Requests). Supported versions that are affected are 12.1.1 – 12.1.3 and 12.2.3 – 12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iSupport. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iSupport |
| CVE-2019-2816 | 284 | 7/23/19 | 5.8 | Remote | Vulnerability in the Java SE |
| CVE-2019-2672 | 284 | 7/23/19 | 5.8 | Remote | Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: Print Server). Supported versions that are affected are 12.1.1 – 12.1.3 and 12.2.3 – 12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle One-to-One Fulfillment |
| CVE-2019-2668 | 284 | 7/23/19 | 5.8 | Remote | Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: Print Server). Supported versions that are affected are 12.1.1 – 12.1.3 and 12.2.3 – 12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle One-to-One Fulfillment |
| CVE-2019-2666 | 284 | 7/23/19 | 5.8 | Remote | Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: Print Server). Supported versions that are affected are 12.1.1 – 12.1.3 and 12.2.3 – 12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle One-to-One Fulfillment |
| CVE-2019-7955 | 79 | 7/18/19 | 5.8 | Remote | Adobe Experience Manager version 6.4 and ealier have a Reflected Cross-site Scripting vulnerability. Successful exploitation could lead to Sensitive Information disclosure in the context of the current user. |
| CVE-2019-10362 | 20 | 7/31/19 | 5.5 | Remote | Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting |
| CVE-2019-4062 | 611 | 7/30/19 | 5.5 | Remote | IBM i2 Intelligent Analyis Platform 9.0.0 through 9.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 157007. |
| CVE-2019-2827 | 284 | 7/23/19 | 5.5 | Remote | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0.0 |
| CVE-2019-2825 | 284 | 7/23/19 | 5.5 | Remote | Vulnerability in the Oracle Applications Manager component of Oracle E-Business Suite (subcomponent: Oracle Diagnostics Interfaces). Supported versions that are affected are 12.1.3 and 12.2.3 – 12.2.8. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications Manager. Successful attacks of this vulnerability can result in unauthorized creation |
| CVE-2019-2824 | 284 | 7/23/19 | 5.5 | Remote | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0.0 |
| CVE-2019-10371 | 384 | 8/7/19 | 5 | Remote | A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to impersonate another user if they can control the pre-authentication session. |
| CVE-2019-7859 | 22 | 8/2/19 | 5 | Remote | A path traversal vulnerability in the WYSIWYG editor for Magento 2.1 prior to 2.1.18 |
| CVE-2019-4165 | 20 | 7/31/19 | 5 | Remote | IBM StoreIQ 7.6.0.0. through 7.6.0.18 could allow a remote attacker to cause a denial of service attack using repeated requests to the server. IBM X-Force ID: 158698. |
| CVE-2019-14439 | 200 | 7/30/19 | 5 | Remote | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. |
| CVE-2019-0202 | 532 | 7/25/19 | 5 | Remote | The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions 0.9.1-incubating to 1.2.2 |
| CVE-2019-2809 | 284 | 7/23/19 | 5 | Remote | Vulnerability in the Oracle iRecruitment component of Oracle E-Business Suite (subcomponent: Password Reset). Supported versions that are affected are 12.1.1 – 12.1.3 and 12.2.3 – 12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iRecruitment. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle iRecruitment. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). |
| CVE-2019-2783 | 284 | 7/23/19 | 5 | Remote | Vulnerability in the Oracle Payments component of Oracle E-Business Suite (subcomponent: File Transmission). Supported versions that are affected are 12.1.1 – 12.1.3 and 12.2.3 – 12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. While the vulnerability is in Oracle Payments |
| CVE-2019-2782 | 284 | 7/23/19 | 5 | Remote | Vulnerability in the Oracle Payments component of Oracle E-Business Suite (subcomponent: File Transmission). Supported versions that are affected are 12.1.1 – 12.1.3 and 12.2.3 – 12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Payments accessible data. CVSS 3.0 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). |
| CVE-2019-2773 | 284 | 7/23/19 | 5 | Remote | Vulnerability in the Oracle Payments component of Oracle E-Business Suite (subcomponent: File Transmission). Supported versions that are affected are 12.1.1 – 12.1.3 and 12.2.3 – 12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. While the vulnerability is in Oracle Payments |
| CVE-2019-2769 | 284 | 7/23/19 | 5 | Remote | Vulnerability in the Java SE |
| CVE-2019-2768 | 200 | 7/23/19 | 5 | Remote | Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: BI Publisher Security). The supported version that is affected is 11.1.1.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all BI Publisher (formerly XML Publisher) accessible data. CVSS 3.0 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). |
| CVE-2019-2762 | 284 | 7/23/19 | 5 | Remote | Vulnerability in the Java SE |
