Security Vulnerabilities - CVEs Published In February 2020
In Unitrends Backup before 10.4.1, an HTTP request parameter was not properly sanitized, allowing for SQL injection that resulted in an authentication bypass.
CVSS Score: 9.8
EPSS Score: 0.004
Published: 2020-02-17
Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution.
CVSS Score: 9.8
EPSS Score: 0.849
Published: 2020-02-17
In GitLab Enterprise Edition (EE) 12.5.0 through 12.7.5, sharing a group with a group could grant project access to unauthorized users.
CVSS Score: 7.5
EPSS Score: 0.001
Published: 2020-02-17
Unauthorized Access to the Container Registry of other groups was discovered in GitLab Enterprise 12.0.0-pre. In other words, authenticated remote attackers can read Docker registries of other groups. When a legitimate user changes the path of a group, Docker registries are not adapted, leaving them in the old namespace. They are not protected and are available to all other users with no previous access to the repo.
CVSS Score: 4.3
EPSS Score: 0.001
Published: 2020-02-17
meshsystem.dll in Valve Dota 2 through 2020-02-17 allows remote attackers to achieve code execution or denial of service by creating a gaming server with a crafted map, and inviting a victim to this server. A GetValue call is mishandled.
CVSS Score: 7.8
EPSS Score: 0.026
Published: 2020-02-17
Mitsubishi Electric MELSEC C Controller Module and MELIPC Series MI5000 MELSEC-Q Series C Controller Module (Q24DHCCPU-V, Q24DHCCPU-VG User Ethernet port (CH1, CH2): First 5 digits of serial number 21121 or before), MELSEC iQ-R Series C Controller Module / C Intelligent Function Module (R12CCPU-V Ethernet port (CH1, CH2): First 2 digits of serial number 11 or before, and RD55UP06-V Ethernet port: First 2 digits of serial number 08 or before), and MELIPC Series MI5000 (MI5122-VW Ethernet port (CH1): First 2 digits of serial number 03 or before, or the firmware version 03 or before) allow remote attackers to cause a denial of service and/or execute malware via unspecified vectors.
CVSS Score: 9.8
EPSS Score: 0.008
Published: 2020-02-17
Unquoted service executable path in DXL Broker in McAfee Data eXchange Layer (DXL) Framework 6.0.0 and earlier allows local users to cause a denial of service and malicious file execution via carefully crafted and named executable files.
CVSS Score: 4.2
EPSS Score: 0.001
Published: 2020-02-17
Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have world-writable permissions for the /root/cleardata.pl (executed as root by crond) and /root/loadperl.sh (executed as root at boot time) scripts.
CVSS Score: 9.8
EPSS Score: 0.002
Published: 2020-02-17
Iteris Vantage Velocity Field Unit 2.4.2 devices have multiple stored XSS issues in all parameters of the Start Data Viewer feature of the /cgi-bin/loaddata.py script.
CVSS Score: 6.1
EPSS Score: 0.003
Published: 2020-02-17
ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the PING field of the resource ping.cmd. The NTP-2 device is also affected.
CVSS Score: 9.8
EPSS Score: 0.032
Published: 2020-02-17

