Security Vulnerabilities - CVEs Published In January 2020
Zimbra Collaboration 8.7.x - 8.8.11P2 contains non-persistent XSS.
CVSS Score: 6.1 | EPSS Score: 0.012 | Published: 2020-01-27
Synacor Zimbra Collaboration before 8.0.8 has XSS.
CVSS Score: 6.1 | EPSS Score: 0.007 | Published: 2020-01-27
Synacor Zimbra Collaboration before 8.0.9 allows plaintext command injection during STARTTLS.
CVSS Score: 9.8 | EPSS Score: 0.053 | Published: 2020-01-27
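The STARTTLS entry above describes the classic plaintext command injection: a server that keeps processing bytes it buffered before the TLS handshake will execute attacker-appended plaintext commands as if they had arrived inside the encrypted session. The following added example (not Zimbra code; the server, tags and commands are constructed for illustration) models that command loop in Python and shows the fix of discarding the pre-handshake buffer:

```python
"""Toy IMAP-style command loop demonstrating STARTTLS plaintext command
injection and its fix. Constructed example; not Zimbra's implementation."""
from dataclasses import dataclass, field


@dataclass
class StarttlsServer:
    flush_on_starttls: bool            # True = hardened, False = vulnerable
    buffer: bytes = b""                # bytes received but not yet parsed
    tls_active: bool = False
    executed: list = field(default_factory=list)  # (tag, command, ran_under_tls)

    def feed(self, segment: bytes) -> None:
        """Model one recv(): append the segment, then run every complete line."""
        self.buffer += segment
        while b"\r\n" in self.buffer:
            line, _, self.buffer = self.buffer.partition(b"\r\n")
            self._dispatch(line.decode("ascii", "replace"))

    def _dispatch(self, line: str) -> None:
        tag, _, command = line.partition(" ")
        if command.upper() == "STARTTLS" and not self.tls_active:
            self.executed.append((tag, "STARTTLS", False))
            # A real server replies "OK Begin TLS" and runs the handshake here.
            self.tls_active = True
            if self.flush_on_starttls:
                # Fix: anything already buffered arrived before the handshake
                # and is attacker-controllable plaintext. Drop it and read only
                # what the TLS layer hands up from now on.
                self.buffer = b""
            return
        # Every other command runs in the current security context.
        self.executed.append((tag, command, self.tls_active))


def simulate(flush_on_starttls: bool) -> list:
    """Replay one constructed session and return the commands the server ran."""
    srv = StarttlsServer(flush_on_starttls)
    # Constructed segment: the victim's STARTTLS with an attacker-appended
    # plaintext command in the same TCP segment. An on-path attacker can do
    # this because nothing before the handshake is authenticated.
    srv.feed(b"a001 STARTTLS\r\na002 LOGIN mitm hunter2\r\n")
    # After the handshake the legitimate client speaks over TLS; these are the
    # decrypted bytes as delivered by the TLS layer.
    srv.feed(b"a003 LOGIN victim s3cret\r\n")
    return srv.executed


if __name__ == "__main__":
    print("vulnerable:", simulate(False))
    print("hardened:  ", simulate(True))
```

In the vulnerable run the injected `a002 LOGIN` is executed with `ran_under_tls` set, so its response goes back encrypted to the victim, who has no way to tell it did not originate from their own client. The hardened server runs only the commands that actually came through the TLS layer.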
Zimbra Collaboration before 8.6.0 patch5 has XSS.
CVSS Score: 5.4 | EPSS Score: 0.007 | Published: 2020-01-27
An issue was discovered in Neato Botvac Connected 2.2.0. The GenerateRobotPassword function of the NeatoCrypto library generates insufficiently random numbers for the robot secret_key values used for local and cloud authentication/authorization. If an attacker knows the serial number and can estimate the time of first provisioning of a robot, they can brute force the robot's generated secret_key, because the entropy of the secret_key relies exclusively on these two values: the random generator is never seeded and the other inputs to the secret_key computation are constants. Serial numbers are printed on the packaging and equal the MAC address of the robot.
CVSS Score: 4.7 | EPSS Score: 0.001 | Published: 2020-01-27
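The Neato entry above is an entropy-collapse bug: a secret derived only from a public serial number and an estimable timestamp is searchable, however long the output is. The added example below (not NeatoCrypto code; the derivation, constant inputs, serial and timestamps are hypothetical stand-ins) models such a derivation, the brute force it permits, and the CSPRNG-based replacement:

```python
"""Hypothetical secret_key derivation whose only variable inputs are the
serial number and provisioning time, plus the brute force that permits.
Constructed example; not the NeatoCrypto algorithm."""
import hashlib
import hmac
import math
import os

# Stand-ins for the "several constant inputs" the CVE text mentions (hypothetical).
CONSTANT_INPUTS = b"robot-model-constant" + b"firmware-constant"


def weak_secret_key(serial: str, provisioned_at: int) -> bytes:
    """No CSPRNG and no seed: the 32-byte output carries only as much entropy
    as the (serial, provisioning time) pair, which is what the attacker knows."""
    material = CONSTANT_INPUTS + serial.encode("ascii") + provisioned_at.to_bytes(4, "big")
    return hashlib.sha256(material).digest()


def strong_secret_key() -> bytes:
    """The fix: draw the secret from the OS CSPRNG; serial and time play no role."""
    return os.urandom(32)


class Robot:
    """Authentication oracle: local or cloud auth succeeds iff the key matches."""

    def __init__(self, secret_key: bytes) -> None:
        self._secret = secret_key

    def authenticate(self, presented_key: bytes) -> bool:
        return hmac.compare_digest(self._secret, presented_key)


def brute_force(serial: str, estimate: int, slack: int, oracle):
    """Try every provisioning second within +/- slack of the estimate.
    Returns (key, provisioning_time, attempts), or (None, None, attempts)."""
    attempts = 0
    for t in range(estimate - slack, estimate + slack + 1):
        attempts += 1
        candidate = weak_secret_key(serial, t)
        if oracle(candidate):
            return candidate, t, attempts
    return None, None, attempts


def effective_entropy_bits(slack_seconds: int) -> float:
    """Attacker work once the serial is known: log2 of the time window."""
    return math.log2(2 * slack_seconds + 1)


def demo():
    serial = "00:1E:C0:12:34:56"      # constructed; equals the MAC printed on the box
    provisioned_at = 1_580_000_000    # constructed first-provisioning time
    robot = Robot(weak_secret_key(serial, provisioned_at))
    # The attacker's estimate is three hours off; a +/- 12 h window still covers it.
    key, found_at, attempts = brute_force(serial, provisioned_at + 10_800, 43_200,
                                          robot.authenticate)
    return key is not None and found_at == provisioned_at, attempts


if __name__ == "__main__":
    recovered, attempts = demo()
    print(f"recovered={recovered} after {attempts} attempts "
          f"({effective_entropy_bits(43_200):.1f} bits of work)")
```

A one-day window is about 2^16.4 candidates, so the 256-bit-looking key falls in well under a second of hashing; against `strong_secret_key()` the same search returns nothing, because no function of serial and time reproduces a value drawn from `os.urandom`. In practice the auth oracle would be rate-limited by the robot or cloud, which slows but does not fix a 17-bit search.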
In Pivotal tc Server, 3.x versions prior to 3.2.19 and 4.x versions prior to 4.0.10, and Pivotal tc Runtimes, 7.x versions prior to 7.0.99.B, 8.x versions prior to 8.5.47.A, and 9.x versions prior to 9.0.27.A, when a tc Runtime instance is configured with the JMX Socket Listener, a local attacker without access to the tc Runtime process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the tc Runtime instance.
CVSS Score: 7.3 | EPSS Score: 0.001 | Published: 2020-01-27
Zimbra Collaboration before 8.8.12 Patch 1 has persistent XSS.
CVSS Score: 5.4 | EPSS Score: 0.009 | Published: 2020-01-27
Zimbra Collaboration before 8.8.15 Patch 1 is vulnerable to a non-persistent XSS via the Admin Console.
CVSS Score: 4.8 | EPSS Score: 0.007 | Published: 2020-01-27
A Stack-based Buffer Overflow vulnerability in libbelkin_api.so component of Belkin WeMo Insight Switch firmware allows a local attacker to obtain code execution on the device. This issue affects: Belkin WeMo Insight Switch firmware version 2.00.11396 and prior versions.
CVSS Score: 8.3 | EPSS Score: 0.002 | Published: 2020-01-27
A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method `/api/download_image` unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. To exploit this, an unauthenticated attacker must impersonate the infrastructure server that supplies the URL.
CVSS Score: 8.1 | EPSS Score: 0.044 | Published: 2020-01-27
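The Bitdefender BOX entry above is a shell command injection through a URL the device trusts because it came from what looks like its own infrastructure. The added example below (not Bitdefender code; the handler, allowlisted host, output path and sample URLs are hypothetical) shows how a shell-built command line tokenizes when the URL carries a `;`, and a hardened handler that validates the URL and invokes the downloader with an argv list so that no shell ever sees it:

```python
"""Vulnerable vs. hardened handling of a server-supplied firmware URL.
Constructed example; not the BOX 2 bootstrap code."""
import re
import shlex
from urllib.parse import urlsplit

FIRMWARE_HOSTS = {"updates.box.example"}   # hypothetical allowlist
IMAGE_PATH = "/tmp/firmware.img"           # hypothetical download target
PATH_RE = re.compile(r"/[A-Za-z0-9._/-]+\.img")


def vulnerable_command(url: str) -> str:
    """Vulnerable pattern: the remote URL is pasted into a shell command line
    (think os.system / subprocess with shell=True). Anything the shell treats
    specially becomes a second command."""
    return f"wget -q -O {IMAGE_PATH} {url}"


def shell_tokens(command: str) -> list:
    """Tokenize the way a POSIX shell would, keeping ; | & ( ) as their own
    tokens so the injected command boundary is visible without running it."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def safe_download_argv(url: str) -> list:
    """Hardened handler: parse the URL, enforce scheme/host/path policy, and
    return an argv list for subprocess.run(..., shell=False). Raises ValueError
    on anything outside policy. urlsplit (not urlparse) is used so a ';' in the
    last path segment is not silently split off as 'params'."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("firmware URL must use https")
    if parts.hostname not in FIRMWARE_HOSTS:
        raise ValueError("firmware host not allowlisted")
    if parts.username or parts.password or parts.port not in (None, 443):
        raise ValueError("unexpected userinfo or port")
    if parts.query or parts.fragment or ".." in parts.path:
        raise ValueError("unexpected query, fragment or traversal")
    if not PATH_RE.fullmatch(parts.path):
        raise ValueError("firmware path outside policy")
    return ["wget", "-q", "-O", IMAGE_PATH, url]


def is_rejected(url: str) -> bool:
    try:
        safe_download_argv(url)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    hostile = "https://updates.box.example/fw.img;reboot"   # constructed
    print(shell_tokens(vulnerable_command(hostile)))
    print(is_rejected(hostile), safe_download_argv("https://updates.box.example/box2/firmware.img"))
```

The argv list is the real fix: even a URL the validator would pass, such as one containing `$(...)`, reaches `wget` as a literal argument rather than being interpreted. The allowlist and path policy are defense in depth, and they do not replace authenticating the server that supplied the URL (TLS with pinning) and verifying a signature on the downloaded image before it is flashed, which is what actually stops an attacker impersonating the infrastructure server.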
Shodan ® - All rights reserved