Security Vulnerabilities - CVEs Published In February 2020
A Cross-origin vulnerability exists in WebKit in Apple Safari before 10.0.1 when processing location attributes, which could let a remote malicious user obtain sensitive information.
CVSS Score: 7.5
EPSS Score: 0.018
Published: 2020-02-03
Bromium client version 4.0.3.2060 and prior to 4.1.7 Update 1 has an out-of-bounds read that results in a race condition, causing kernel memory leaks or denial of service.
CVSS Score: 6.1
EPSS Score: 0.003
Published: 2020-02-03
Brother MFC-9970CDW 1.10 firmware L devices contain a security bypass vulnerability which allows physically proximate attackers to gain unauthorized access.
CVSS Score: 6.8
EPSS Score: 0.001
Published: 2020-02-03
Stored XSS in the Strong Testimonials plugin before 2.40.1 for WordPress can result in an attacker performing malicious actions such as stealing session tokens.
CVSS Score: 6.1
EPSS Score: 0.006
Published: 2020-02-03
massCode 1.0.0-alpha.6 allows XSS via crafted Markdown text, with resultant remote code execution (because nodeIntegration in webPreferences is true).
CVSS Score: 6.1
EPSS Score: 0.008
Published: 2020-02-03
IBM StoredIQ 7.6.0.17 through 7.6.0.20 could disclose sensitive information to a local user due to data in certain directories not being encrypted when it contained symbolic links. IBM X-Force ID: 175133.
CVSS Score: 2.9
EPSS Score: 0.0
Published: 2020-02-03
The J-BusinessDirectory extension before 5.2.9 for Joomla! allows Reverse Tabnabbing. In some configurations, the link to the business website can be entered by any user. If it doesn't contain rel="noopener" (or similar attributes such as noreferrer), the tabnabbing may occur. To reproduce the bug, create a business with a website link that contains JavaScript to exploit the window.opener property (for example, by setting window.opener.location).
CVSS Score: 6.5
EPSS Score: 0.003
Published: 2020-02-03
IBM SDK, Java Technology Edition Version 7.0.0.0 through 7.0.10.55, 7.1.0.0 through 7.1.4.55, and 8.0.0.0 through 8.0.6.0 could allow a local authenticated attacker to execute arbitrary code on the system, caused by a DLL search order hijacking vulnerability in the Microsoft Windows client. By placing a specially crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 172618.
CVSS Score: 7.2
EPSS Score: 0.002
Published: 2020-02-03
Brother MFC-9970CDW devices with firmware 0D allow cleartext submission of passwords.
CVSS Score: 7.5
EPSS Score: 0.007
Published: 2020-02-03
The Web Management of TP-Link TP-SG105E V4 1.0.0 Build 20181120 devices allows an unauthenticated attacker to reboot the device via a reboot.cgi request.
CVSS Score: 7.5
EPSS Score: 0.295
Published: 2020-02-03

