Security Vulnerabilities - Known exploited
CVE-2020-36193
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
Known exploited
CVSS Score
7.5
EPSS Score
0.711
Published
2021-01-18
CVE-2020-6572
Use after free in Media in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to execute arbitrary code via a crafted HTML page.
Known exploited
CVSS Score
8.8
EPSS Score
0.191
Published
2021-01-14
CVE-2021-1647
Microsoft Defender Remote Code Execution Vulnerability
Known exploited
CVSS Score
7.8
EPSS Score
0.774
Published
2021-01-12
CVE-2021-3129
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
Known exploited
CVSS Score
9.8
EPSS Score
0.943
Published
2021-01-12
CVE-2020-16013
Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Known exploited
CVSS Score
8.8
EPSS Score
0.261
Published
2021-01-08
CVE-2020-16017
Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
Known exploited
CVSS Score
9.6
EPSS Score
0.214
Published
2021-01-08
CVE-2020-17519
A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.
Known exploited
CVSS Score
7.5
EPSS Score
0.943
Published
2021-01-05
CVE-2020-10148
The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.
Known exploited
CVSS Score
9.8
EPSS Score
0.943
Published
2020-12-29
CVE-2020-35730
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
Known exploited
CVSS Score
6.1
EPSS Score
0.648
Published
2020-12-28
CVE-2020-29583
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.
Known exploited
CVSS Score
9.8
EPSS Score
0.944
Published
2020-12-22