Security Vulnerabilities - CVEs Published In January 2020
SOPlanning 1.45 has SQL injection via the user_list.php "by" parameter.
CVSS Score
8.8
EPSS Score
0.003
Published
2020-01-09
The awesome-support plugin 5.8.0 for WordPress allows XSS via the post_title parameter.
CVSS Score
4.8
EPSS Score
0.003
Published
2020-01-09
The FooGallery plugin 1.8.12 for WordPress allows XSS via the post_title parameter.
CVSS Score
4.8
EPSS Score
0.003
Published
2020-01-09
uploadimage.php in Employee Records System 1.0 allows upload and execution of arbitrary PHP code because file-extension validation is only on the client side. The attacker can modify global.js to allow the .php extension.
CVSS Score
7.2
EPSS Score
0.604
Published
2020-01-09
KeePass 2.4.1 allows CSV injection in the title field of a CSV export.
CVSS Score
7.8
EPSS Score
0.003
Published
2020-01-09
In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.
CVSS Score
8.8
EPSS Score
0.139
Published
2020-01-09
Advisto PEEL Shopping 9.2.1 has CSRF via administrer/utilisateurs.php to delete a user.
CVSS Score
6.5
EPSS Score
0.002
Published
2020-01-09
Gateway Geomatics MapServer for Windows before 3.0.6 contains a Local File Include Vulnerability which allows remote attackers to execute local PHP code and obtain sensitive information.
CVSS Score
8.1
EPSS Score
0.054
Published
2020-01-09
Samsung Kies before 2.5.0.12094_27_11 contains a NULL pointer dereference vulnerability which could allow remote attackers to perform a denial of service.
CVSS Score
7.5
EPSS Score
0.024
Published
2020-01-09
Samsung Kies before 2.5.0.12094_27_11 has arbitrary file execution.
CVSS Score
9.8
EPSS Score
0.349
Published
2020-01-09

