Security Vulnerabilities - CVEs Published In February 2020
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML element in the _transaction parameter. NOTE: the documentation states "These tools are, by default, available to anyone ... so they should only be deployed into a trusted environment. Alternately, the tools can easily be restricted to administrators or end users by protecting the tools path with normal authentication and authorization mechanisms on the web server."
CVSS Score: 7.5 | EPSS Score: 0.008 | Published: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. path traversal.
CVSS Score: 7.5 | EPSS Score: 0.008 | Published: 2020-02-23
danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalation because extra options are mishandled.
CVSS Score: 9.8 | EPSS Score: 0.005 | Published: 2020-02-23
Graph Builder in SAS Visual Analytics 8.5 allows XSS via a graph template that is accessed directly.
CVSS Score: 5.4 | EPSS Score: 0.004 | Published: 2020-02-23
The F-Secure AV parsing engine before 2020-02-05 allows virus-detection bypass via crafted Compression Method data in a GZIP archive. This affects versions before 17.0.605.474 (on Linux) of Cloud Protection For Salesforce, Email and Server Security, and Internet GateKeeper.
CVSS Score: 5.5 | EPSS Score: 0.003 | Published: 2020-02-22
SOPlanning 1.45 allows XSS via the "Your SoPlanning url" field.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2020-02-22
SOPlanning 1.45 allows XSS via the Name or Comment to status.php.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2020-02-22
fauzantrif eLection 2.0 has SQL Injection via the admin/ajax/op_kandidat.php id parameter.
CVSS Score: 7.2 | EPSS Score: 0.003 | Published: 2020-02-22
CandidATS 2.1.0 is vulnerable to CSRF that allows for an administrator account to be added via the index.php?m=settings&a=addUser URI.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2020-02-22
fauzantrif eLection 2.0 has XSS via the Admin Dashboard -> Settings -> Election -> "message if election is closed" field.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2020-02-22
Shodan ® - All rights reserved