Security Vulnerabilities - CVEs Published In January 2020
XML external entity (XXE) vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev11 and 7.6.x before 7.6.0-rev9 allows remote attackers to read arbitrary files and possibly other unspecified impact via a crafted OpenDocument Text document.
CVSS Score
7.8
EPSS Score
0.009
Published
2020-01-14
Array index error in smal_decode_segment function in LibRaw before 0.17.1 allows context-dependent attackers to cause memory errors and possibly execute arbitrary code via vectors related to indexes.
CVSS Score
9.8
EPSS Score
0.013
Published
2020-01-14
The phase_one_correct function in Libraw before 0.17.1 allows attackers to cause memory errors and possibly execute arbitrary code, related to memory object initialization.
CVSS Score
9.8
EPSS Score
0.016
Published
2020-01-14
On impacted versions and platforms the Trusted Platform Module (TPM) system integrity check cannot detect modifications to specific system components. This issue only impacts specific engineering hotfixes and platforms. NOTE: This vulnerability does not affect any of the BIG-IP major, minor or maintenance releases you obtained from downloads.f5.com. The affected Engineering Hotfix builds are as follows: Hotfix-BIGIP-14.1.0.2.0.45.4-ENG Hotfix-BIGIP-14.1.0.2.0.62.4-ENG
CVSS Score
4.6
EPSS Score
0.002
Published
2020-01-14
Nitro PDF 8.5.0.26: A specially crafted DLL file can facilitate Arbitrary Code Execution
CVSS Score
7.8
EPSS Score
0.0
Published
2020-01-14
PotPlayer 1.5.40688: .avi File Memory Corruption
CVSS Score
7.8
EPSS Score
0.016
Published
2020-01-14
A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview using a specially crafted gap-iab: URI.
CVSS Score
9.8
EPSS Score
0.107
Published
2020-01-14
When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables.
CVSS Score
7.5
EPSS Score
0.032
Published
2020-01-14
ClickDesk version 4.3 and below has persistent cross site scripting
CVSS Score
6.1
EPSS Score
0.003
Published
2020-01-14
The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists.
CVSS Score
5.4
EPSS Score
0.002
Published
2020-01-14