Security Vulnerabilities - CVEs Published In January 2020
A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users to obtain a shell on the server ("getshell").
CVSS Score: 8.8 | EPSS Score: 0.385 | Published: 2020-01-06
A file upload issue exists in the specid parameter in Thomson Reuters FATCH before 5.2, which allows malicious users to upload arbitrary PHP files to the web root and execute system commands.
CVSS Score: 9.9 | EPSS Score: 0.031 | Published: 2020-01-06
DTEN D5 and D7 devices before 1.3.2 allow remote attackers to read saved whiteboard image PDF documents via storage/emulated/0/Notes/PDF on TCP port 8080 without authentication.
CVSS Score: 5.3 | EPSS Score: 0.003 | Published: 2020-01-06
An issue was discovered in Suricata 5.0.0. It was possible to bypass/evade any TCP-based signature by faking a closed TCP session using an attacker-controlled ("evil") server. After the TCP SYN packet, it is possible to inject a RST ACK and a FIN ACK packet with a bad TCP Timestamp option. The client ignores the RST ACK and the FIN ACK packets because of the bad TCP Timestamp option, while the session appears closed to Suricata; both Linux and Windows clients ignore the injected packets.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2020-01-06
A cross-site scripting (XSS) vulnerability in the configuration web interface of the Jinan USR IOT USR-WIFI232-S/T/G2/H Low Power WiFi Module with web version 1.2.2 allows attackers to leak credentials of the Wi-Fi access point the module is logged into, and the web interface login credentials, by opening a Wi-Fi access point nearby with a malicious SSID.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2020-01-06
OKER G232V1 v1.03.02.20161129 devices provide a root terminal on a UART serial interface without proper access control. This allows attackers with physical access to interrupt the boot sequence in order to execute arbitrary commands with root privileges and conduct further attacks.
CVSS Score: 6.8 | EPSS Score: 0.001 | Published: 2020-01-06
An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.3.0.30 via a "PUT /obs/obm7/file/upload" request with the base64-encoded pathname in the X-RSW-custom-encode-path HTTP header, and the content in the HTTP request body. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full system access as the configured user (e.g., Administrator) when starting from any authenticated session (e.g., a trial account). This is fixed in the 83/830122/cbs-*-hotfix-task26000 builds.
CVSS Score: 8.8 | EPSS Score: 0.008 | Published: 2020-01-06
DTEN D5 before 1.3 and D7 before 1.3 devices transfer customer data files via unencrypted HTTP.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2020-01-06
OX App Suite through 7.10.2 has Incorrect Access Control.
CVSS Score: 6.6 | EPSS Score: 0.004 | Published: 2020-01-06
OX App Suite through 7.10.2 has XSS.
CVSS Score: 6.1 | EPSS Score: 0.004 | Published: 2020-01-06


Shodan ® - All rights reserved