CVE-2019-13954
Published: 2019-07-26

Priority: P336 · Severity: medium · CVSS 3.0 base score: 6.5
CVSS 3.0 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 4.26% (89.8th percentile)
Mikrotik RouterOS before 6.44.5 (long-term release tree) is vulnerable to memory exhaustion. By sending a crafted HTTP request, an authenticated remote attacker can crash the HTTP server and in some circumstances reboot the system. Malicious code cannot be injected.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mikrotik | routeros | < 6.44.5 | 6.44.5 |
| mikrotik | routeros | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:C |
| ghsa | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
GHSA
GHSA-79mg-j8gj-jwc2 (ghsa_unreviewed · 2022-05-24): CVE-2019-13954 [MEDIUM] CWE-770
Title: Mikrotik RouterOS before 6
Mikrotik RouterOS before 6.44.5 (long-term release tree) is vulnerable to memory exhaustion. By sending a crafted HTTP request, an authenticated remote attacker can crash the HTTP server and in some circumstances reboot the system. Malicious code cannot be injected.
GHSA
Cross-site scripting in Apache CXF (ghsa · 2021-04-22 · CVSS 6.1): CVE-2020-13954 [MEDIUM] CWE-79
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.
Red Hat
cxf: XSS via the styleSheetPath (vendor_redhat · 2020-11-12 · CVSS 6.1): CVE-2020-13954 [MEDIUM] CWE-79
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.
Mitigation: Users can disable the service listing altogether by setting the "hide-service-list-page" servlet parameter to "true".

Package status:
- cxf (Red Hat BPM Suite 6): Out of support scope
- cxf-core (Red Hat BPM Suite 6): Out of support scope
- cxf-core (Red Hat Decision Manager 7): Affected
- cxf-core (Red Ha
No detection rules found.
No public exploits indexed.