| CVE ID | CVSS v3.0 Base Score | Severity | CVSS v3.0 Vector | Description |
| --- | --- | --- | --- | --- |
| CVE-2019-6835 | 5.4 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | A Cross-Site Scripting (XSS) CWE-79 vulnerability exists, which could allow an attacker to inject client-side script when a user visits a web page. |
| CVE-2019-6836 | 8.8 | High | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | An Improper Access Control: CWE-284 vulnerability exists, which could allow the file system to access the wrong file. |
| CVE-2019-6837 | 9.6 | Critical | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N | A Server-Side Request Forgery (SSRF): CWE-918 vulnerability exists, which could cause server configuration data to be exposed when an attacker modifies a URL. |
| CVE-2019-6838 | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N | An Improper Access Control: CWE-284 vulnerability exists, which could allow a user with low privileges to delete a critical file. |
| CVE-2019-6839 | 8.8 | High | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | An Improper Access Control: CWE-284 vulnerability exists, which could allow a user with low privileges to upload a rogue file. |
| CVE-2019-6840 | 8.8 | High | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | A Format String: CWE-134 vulnerability exists, which could allow an attacker to send a crafted message to the target server, thereby causing arbitrary commands to be executed. |

Solution: The vulnerabilities are fixed in version 1.3.7, which is available for download.