Security Vulnerabilities - CVEs Published In January 2020
A Command Injection vulnerability exists in the ap parameter to the /cgi-bin/mft/wireless_mft.cgi file in TP-Link IP Cameras TL-SC 3130, TL-SC 3130G, 3171G. and 4171G 1.6.18P12s, which could let a malicious user execute arbitrary code.
CVSS Score
9.8
EPSS Score
0.224
Published
2020-01-29
An Access vulnerability exists in FOSCAM IP Camera FI8620 due to insufficient access restrictions in the /tmpfs/ and /log/ directories, which could let a malicious user obtain sensitive information.
CVSS Score
7.5
EPSS Score
0.305
Published
2020-01-29
vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function.
CVSS Score
9.8
EPSS Score
0.737
Published
2020-01-29
In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.
CVSS Score
7.8
EPSS Score
0.873
Published
2020-01-29
A Command Injection vulnerability exists in Zavio IP Cameras through 1.6.3 via the ap parameter to /cgi-bin/mft/wireless_mft.cgi, which could let a remote malicious user execute arbitrary code.
CVSS Score
9.8
EPSS Score
0.575
Published
2020-01-29
A Security Bypass vulnerability exists in Zavio IP Cameras through 1.6.3 because the RTSP protocol authentication is disabled by default, which could let a malicious user obtain unauthorized access to the live video stream.
CVSS Score
7.5
EPSS Score
0.68
Published
2020-01-29
A Command Injection vulnerability exists in Zavio IP Cameras through 1.6.3 in the General.Time.NTP.Server parameter to the sub_C8C8 function of the binary /opt/cgi/view/param, which could let a remove malicious user execute arbitrary code.
CVSS Score
9.8
EPSS Score
0.628
Published
2020-01-29
IKTeam BearFTP before 0.2.0 allows remote attackers to achieve denial of service via a large volume of connections to the PASV mode port.
CVSS Score
7.5
EPSS Score
0.402
Published
2020-01-29
An Authentication Bypass vulnerability exists in the web interface in Zavio IP Cameras through 1.6.03 due to a hardcoded admin account found in boa.conf, which lets a remote malicious user obtain sensitive information.
CVSS Score
7.5
EPSS Score
0.527
Published
2020-01-29
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents.
CVSS Score
8.6
EPSS Score
0.006
Published
2020-01-29