Malware in PyPI Code Shows Supply Chain Risks

A code backdoor in a package on the Python Package Index demonstrates the importance of verifying code brought in from code repositories.
Source: DarkReading
Malware in PyPI Code Shows Supply Chain Risks

CVE-2019-12945

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Source: NIST
CVE-2019-12945

CVE-2019-12453

In MicroStrategy Web before 10.1 patch 10, stored XSS is possible in the FLTB parameter due to missing input validation.
Source: NIST
CVE-2019-12453

CVE-2018-17792

MDaemon Webmail (formerly WorldClient) has CSRF.
Source: NIST
CVE-2018-17792

CVE-2019-1010238

Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize.
Source: NIST
CVE-2019-1010238

CVE-2019-11553

Code42 for Enterprise through 6.8.4 has Incorrect Access Control.
Source: NIST
CVE-2019-11553

CVE-2019-1010239

DaveGamble/cJSON cJSON 1.7.8 is affected by: Improper Check for Unusual or Exceptional Conditions. The impact is: Null dereference, so attack can cause denial of service. The component is: cJSON_GetObjectItemCaseSensitive() function. The attack vector is: crafted json file. The fixed version is: 1.7.9 and later.
Source: NIST
CVE-2019-1010239

CVE-2019-1010241

Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: Attacker creates and executes a Jenkins job.
Source: NIST
CVE-2019-1010241

CVE-2019-1010113

Premium Software CLEditor 1.4.5 and earlier is affected by: Cross Site Scripting (XSS). The impact is: An attacker might be able to inject arbitrary html and script code into the web site. The component is: jQuery plug-in. The attack vector is: the victim must open a crafted href attribute of a link (A) element.
Source: NIST
CVE-2019-1010113

CVE-2019-12193

H3C H3Cloud OS all versions allows SQL injection via the ear/grid_event sidx parameter.
Source: NIST
CVE-2019-12193