Security Vulnerabilities - CVEs Published In February 2020
Microsys PROMOTIC 8.2.13 contains an ActiveX Control Start Buffer Overflow vulnerability which can lead to denial of service.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2020-02-13
Authentication bypass using an alternate path or channel in SimpliSafe SS3 firmware 1.4 allows a local, unauthenticated attacker to modify the Wi-Fi network the base station connects to.
CVSS Score: 5.5 | EPSS Score: 0.001 | Published: 2020-02-13
The Voatz application 2020-01-01 for Android allows only 100 million different PINs, which makes it easier for attackers (after using root access to make a copy of the local database) to discover login credentials and voting history via an offline brute-force approach.
CVSS Score: 5.9 | EPSS Score: 0.003 | Published: 2020-02-13
In the Voatz application 2020-01-01 for Android, the amount of data transmitted during a single voter's vote depends on the different lengths of the metadata across the available voting choices, which makes it easier for remote attackers to discover this voter's choice by sniffing the network. For example, a small amount of sniffed data may indicate that a vote was cast for the candidate with the least metadata. An active man-in-the-middle attacker can leverage this behavior to disrupt voters' abilities to vote for a candidate opposed by the attacker.
CVSS Score: 5.3 | EPSS Score: 0.005 | Published: 2020-02-13
Multiple SQL injection vulnerabilities in CWPPoll.js in WordPress Poll Plugin 34.5 for WordPress allow attackers to execute arbitrary SQL commands via the pollid or poll_id parameter in a viewPollResults or userlogs action.
CVSS Score: 9.8 | EPSS Score: 0.023 | Published: 2020-02-13
Multiple security bypass vulnerabilities in the editAnswer, deleteAnswer, addAnswer, and deletePoll functions in WordPress Poll Plugin 34.5 for WordPress allow a remote attacker to add, edit, and delete an answer and delete a poll.
CVSS Score: 9.8 | EPSS Score: 0.046 | Published: 2020-02-13
Directory traversal vulnerability in Kaseya Virtual System Administrator (VSA) 7.0.0.0 before 7.0.0.33, 8.0.0.0 before 8.0.0.23, 9.0.0.0 before 9.0.0.19, and 9.1.0.0 before 9.1.0.9 allows remote authenticated users to write to and execute arbitrary files due to insufficient restrictions in file paths to json.ashx.
CVSS Score: 8.8 | EPSS Score: 0.156 | Published: 2020-02-13
A Denial of Service vulnerability exists in askpop3d 0.7.7 in free (pszQuery),
CVSS Score: 7.5 | EPSS Score: 0.006 | Published: 2020-02-13
Directory traversal vulnerability in node/utils/Minify.js in Etherpad 1.1.2 through 1.5.4 allows remote attackers to read arbitrary files with permissions of the user running the service via a .. (dot dot) in the path parameter of HTTP API requests. NOTE: This vulnerability is due to an incomplete fix to CVE-2015-3297.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2020-02-13
Zend_XmlRpc Class in Magento before 1.7.0.2 contains an information disclosure vulnerability.
CVSS Score: 7.5 | EPSS Score: 0.016 | Published: 2020-02-13

