Security Vulnerabilities - CVEs Published In January 2020
Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev27 and 7.4.x before 7.4.0-rev20 allows remote attackers to inject arbitrary web script or HTML via the body of an email. NOTE: this vulnerability was SPLIT from CVE-2013-6242 because it affects different sets of versions.
CVSS Score
6.1
EPSS Score
0.009
Published
2020-01-02
Cross-site Scripting (XSS) in the spreadshirt-rss-3d-cube-flash-gallery plugin 2014 for WordPress allows remote attackers to execute arbitrary web script or HTML via unspecified parameters.
CVSS Score
6.1
EPSS Score
0.002
Published
2020-01-02
obs-server before 1.7.7 allows logins by 'unconfirmed' accounts due to a bug in the REST api implementation.
CVSS Score
8.8
EPSS Score
0.003
Published
2020-01-02
Stack-based buffer overflow in the MrSID plugin (MrSID.dll) before 4.37 for IrfanView allows remote attackers to execute arbitrary code via an IMAGE tag.
CVSS Score
7.8
EPSS Score
0.108
Published
2020-01-02
The MrSID plugin (MrSID.dll) before 4.37 for IrfanView allows remote attackers to execute arbitrary code via a nband tag.
CVSS Score
7.8
EPSS Score
0.018
Published
2020-01-02
Heap-based buffer overflow in the MrSID plugin (MrSID.dll) before 4.37 for IrfanView allows remote attackers to execute arbitrary code via a levels header.
CVSS Score
7.8
EPSS Score
0.049
Published
2020-01-02
Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite 6.22.3 before 6.22.3-rev5 and 6.22.4 before 6.22.4-rev12 allows remote attackers to inject arbitrary web script or HTML via the subject of an email. NOTE: the vulnerabilities related to the body of the email and the publication name were SPLIT from this CVE ID because they affect different sets of versions.
CVSS Score
6.1
EPSS Score
0.007
Published
2020-01-02
Intelligent Platform Management Interface (IPMI) with firmware for Supermicro X9 generation motherboards before SMT_X9_317 and firmware for Supermicro X8 generation motherboards before SMT X8 312 contain harcoded private encryption keys for the (1) Lighttpd web server SSL interface and the (2) Dropbear SSH daemon.
CVSS Score
8.1
EPSS Score
0.095
Published
2020-01-02
Hardcoded WSMan credentials in Intelligent Platform Management Interface (IPMI) with firmware for Supermicro X9 generation motherboards before 3.15 (SMT_X9_315) and firmware for Supermicro X8 generation motherboards before SMT X8 312.
CVSS Score
7.5
EPSS Score
0.017
Published
2020-01-02
ovirt-engine-sdk-python before 3.4.0.7 and 3.5.0.4 does not verify that the hostname of the remote endpoint matches the Common Name (CN) or subjectAltName as specified by its x.509 certificate in a TLS/SSL session. This could allow man-in-the-middle attackers to spoof remote endpoints via an arbitrary valid certificate.
CVSS Score
5.9
EPSS Score
0.001
Published
2020-01-02