Security Vulnerabilities - CVEs Published In February 2020
In Cloud Foundry UAA, versions prior to 74.14.0, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function when authenticating with external identity providers.
CVSS Score
8.8
EPSS Score
0.002
Published
2020-02-27
Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.
CVSS Score
6.1
EPSS Score
0.011
Published
2020-02-27
Incorrect Access Control in Hunesion i-oneNet 3.0.6042.1200 allows a local user to gain unauthorized access to other users' information via brute force.
CVSS Score
5.5
EPSS Score
0.001
Published
2020-02-27
An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL 1.0.2 or later. tunnel.c mishandles certificate validation because an X509_check_host negative error code is interpreted as a successful return value.
CVSS Score
5.3
EPSS Score
0.018
Published
2020-02-27
An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL 1.0.2 or later. tunnel.c mishandles certificate validation because the hostname check operates on uninitialized memory. The outcome is that a valid certificate is never accepted (only a malformed certificate may be accepted).
CVSS Score
5.3
EPSS Score
0.008
Published
2020-02-27
An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL before 1.0.2. tunnel.c mishandles certificate validation because hostname comparisons do not consider '\0' characters, as demonstrated by a good.example.com\x00evil.example.com attack.
CVSS Score
9.1
EPSS Score
0.006
Published
2020-02-27
There are command injection vulnerabilities present in the AirWave application. Certain input fields controlled by an administrative user are not properly sanitized before being parsed by AirWave. If conditions are met, an attacker can obtain command execution on the host.
CVSS Score
7.2
EPSS Score
0.011
Published
2020-02-27
An administrative application user of, or an application user with write access to, Aruba Airwave VisualRF is able to obtain code execution on the AMP platform. This is possible due to the ability to overwrite a file on disk which is subsequently deserialized by the Java application component.
CVSS Score
7.2
EPSS Score
0.025
Published
2020-02-27
ZTE E8820V3 router product is impacted by a permission and access control vulnerability. Attackers could use this vulnerability to tamper with DDNS parameters and send DoS attacks on the specified URL.
CVSS Score
6.5
EPSS Score
0.001
Published
2020-02-27
ZTE E8820V3 router product is impacted by an information leak vulnerability. Attackers could use this vulnerability to gain wireless passwords. After obtaining the wireless password, the attacker could collect information and attack the router.
CVSS Score
6.5
EPSS Score
0.001
Published
2020-02-27

