Security Vulnerabilities - CVEs Published In January 2020
In mruby 2.1.0, there is a use-after-free in hash_values_at in mrbgems/mruby-hash-ext/src/hash-ext.c.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2020-01-11
grammar-parser.jison in the hot-formula-parser package before 3.0.1 for Node.js is vulnerable to arbitrary code injection. The package fails to sanitize values passed to the parse function and concatenates them in an eval call. If a value of the formula is taken from user-controlled input, it may allow attackers to run arbitrary commands on the server.
CVSS Score: 9.8 | EPSS Score: 0.01 | Published: 2020-01-11
Use after free in audio in Google Chrome prior to 79.0.3945.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVSS Score: 8.8 | EPSS Score: 0.029 | Published: 2020-01-10
Use after free in media picker in Google Chrome prior to 79.0.3945.88 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
CVSS Score: 8.8 | EPSS Score: 0.074 | Published: 2020-01-10
An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. The integrated PostgreSQL that is built into Applications Manager is prone to attack due to a lack of file permission security. Malicious users in the “Authenticated Users” group can modify the PostgreSQL configuration to execute arbitrary commands, escalating privileges to gain full system privilege user access and rights over the system.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2020-01-10
An issue was discovered in Bftpd before 5.4. There is a heap-based off-by-one error during file-transfer error checking.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2020-01-10
Citrix XenApp Online Plug-in for Windows 12.1 and earlier, and Citrix Receiver for Windows 3.2 and earlier could allow remote attackers to execute arbitrary code by convincing a target to open a specially crafted file from an SMB or WebDAV fileserver.
CVSS Score: 7.8 | EPSS Score: 0.058 | Published: 2020-01-10
A Security Bypass vulnerability exists in the activate.asp page in Arial Software Campaign Enterprise 11.0.551, which could let a remote malicious user modify the SerialNumber field.
CVSS Score: 4.3 | EPSS Score: 0.004 | Published: 2020-01-10
A Privilege Escalation vulnerability exists in Viscosity 1.4.1 on Mac OS X due to a path name validation issue in the setuid-set ViscosityHelper binary, which could let a remote malicious user execute arbitrary code.
CVSS Score: 9.8 | EPSS Score: 0.494 | Published: 2020-01-10
An SQL Injection vulnerability exists in the ID parameter in Online TV Database 2011.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2020-01-10

