Security Vulnerabilities - CVEs Published In February 2020
An issue was discovered in Gurux GXDLMS Director through 8.5.1905.1301. When downloading OBIS codes, it does not verify that the downloaded files are actual OBIS codes and doesn't check for path traversal. This allows the attacker exploiting CVE-2020-8809 to send executable files and place them in an autorun directory, or to place DLLs inside the existing GXDLMS Director installation (run on next execution of GXDLMS Director). This can be used to achieve code execution even if the user doesn't have any add-ins installed.
CVSS Score
8.1
EPSS Score
0.007
Published
2020-02-25
The Software Development Kit of the MiContact Center Business with Site Based Security 8.0 through 9.0.1.0 before KB496276 allows an authenticated user to access sensitive information. A successful exploit could allow unauthorized access to user conversations.
CVSS Score
6.5
EPSS Score
0.003
Published
2020-02-25
Kunena before 5.0.4 does not restrict avatar file extensions to gif, jpeg, jpg, and png. This can lead to XSS and remote code execution.
CVSS Score
9.8
EPSS Score
0.034
Published
2020-02-25
Stored Cross-site scripting (XSS) vulnerability in Blackboard Learn/PeopleTool v9.1 allows users to inject arbitrary web script via the Tile widget in the People Tool profile editor.
CVSS Score
5.4
EPSS Score
0.002
Published
2020-02-25
LiteCart through 2.2.1 allows admin/?app=users&doc=edit_user CSRF to add a user.
CVSS Score
5.3
EPSS Score
0.002
Published
2020-02-25
The WPJobBoard plugin 5.5.3 for WordPress allows Persistent XSS via the Add Job form, as demonstrated by title and Description.
CVSS Score
6.1
EPSS Score
0.002
Published
2020-02-25
An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 on the AArch64 architecture. It ignores the top byte in the address passed to the brk system call, potentially moving the memory break downwards when the application expects it to move upwards, aka CID-dcde237319e6. This has been observed to cause heap corruption with the GNU C Library malloc implementation.
CVSS Score
5.5
EPSS Score
0.002
Published
2020-02-25
OpenSMTPD before 6.6.4 allows local users to read arbitrary files (e.g., on some Linux distributions) because of a combination of an untrusted search path in makemap.c and race conditions in the offline functionality in smtpd.c.
CVSS Score
4.7
EPSS Score
0.008
Published
2020-02-25
OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this vulnerability affects the client side of OpenSMTPD, it is possible to attack a server because the server code launches the client code during bounce handling.
CVSS Score
9.8
EPSS Score
0.868
Published
2020-02-25
LiteCart through 2.2.1 allows CSV injection via a customer's profile.
CVSS Score
8.0
EPSS Score
0.004
Published
2020-02-25