Security Vulnerabilities - CVEs Published In February 2020
A File Inclusion vulnerability exists in Railo 4.2.1 and earlier via a specially-crafted URL request to the thumbnail.cfm to specify a malicious PNG file, which could let a remote malicious user obtain sensitive information or execute arbitrary code.
CVSS Score: 8.8 | EPSS Score: 0.653 | Published: 2020-02-07
A CSRF Vulnerability exists in Kemp Load Master before 7.0-18a via unspecified vectors in administrative pages.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2020-02-07
The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity so the SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2020-02-07
CVE-2019-18988 (Known exploited)
TeamViewer Desktop through 14.7.1965 allows a bypass of remote-login access control because the same key is used for different customers' installations. It used a shared AES key for all installations since at least as far back as v7.0.43148, and used it for at least OptionsPasswordAES in the current version of the product. If an attacker were to know this key, they could decrypt protected information stored in the registry or configuration files of TeamViewer. With versions before v9.x, this allowed for attackers to decrypt the Unattended Access password to the system (which allows for remote login to the system as well as headless file browsing). The latest version still uses the same key for OptionPasswordAES but appears to have changed how the Unattended Access password is stored. While in most cases an attacker requires an existing session on a system, if the registry/configuration keys were stored off of the machine (such as in a file share or online), an attacker could then decrypt the required password to login to the system.
CVSS Score: 7.0 | EPSS Score: 0.132 | Published: 2020-02-07
StatusNet through 2010 allows attackers to spoof syslog messages via newline injection attacks.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2020-02-07
A Cross-site Scripting (XSS) vulnerability exists in WatchGuard XTM 11.8.3 via the poll_name parameter in the firewall/policy script.
CVSS Score: 6.1 | EPSS Score: 0.004 | Published: 2020-02-07
A Code Execution vulnerability exists in Android prior to 4.4.0 related to the addJavascriptInterface method and the accessibility and accessibilityTraversal objects, which could let a remote malicious user execute arbitrary code.
CVSS Score: 8.8 | EPSS Score: 0.022 | Published: 2020-02-07
A vulnerability exists in nw.js before 0.11.3 when calling nw methods from normal frames, which has an unspecified impact.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2020-02-07
Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate.
CVSS Score: 7.5 | EPSS Score: 0.047 | Published: 2020-02-07
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed.
CVSS Score: 9.8 | EPSS Score: 0.323 | Published: 2020-02-07
Shodan ® - All rights reserved