Security Vulnerabilities - CVEs Published In March 2020
IBM InfoSphere Information Server 11.5 and 11.7 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174342.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2020-03-10

In ImageMagick 7.0.9, an out-of-bounds read vulnerability exists within the ReadHEICImageByID function in coders\heic.c. It can be triggered via an image with a width or height value that exceeds the actual size of the image.
CVSS Score: 5.5 | EPSS Score: 0.004 | Published: 2020-03-10

The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing PHP functions to be executed by any user, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter.
CVSS Score: 9.8 | EPSS Score: 0.013 | Published: 2020-03-10

Dell Digital Delivery versions prior to 3.5.2015 contain an incorrect default permissions vulnerability. A locally authenticated low-privileged malicious user could exploit this vulnerability to run an arbitrary executable with administrative privileges on the affected system.
CVSS Score: 7.8 | EPSS Score: 0.002 | Published: 2020-03-09

An issue was discovered in MunkiReport before 5.3.0. An authenticated actor can send a custom XSS payload through the /module/comment/save endpoint. The payload will be executed by any authenticated user browsing the application. This concerns app/controllers/client.php:detail.
CVSS Score: 5.4 | EPSS Score: 0.006 | Published: 2020-03-09

An issue was discovered in MunkiReport before 5.3.0.3923. An unauthenticated actor can send a custom XSS payload through the /report/broken_client endpoint. The payload will be executed by any authenticated user browsing the application. This concerns app/views/listings/default.php.
CVSS Score: 6.1 | EPSS Score: 0.007 | Published: 2020-03-09

JPaseto before 0.3.0 generates weak hashes when using v2.local tokens.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2020-03-09

MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is related to app/View/Users/statistics_orgs.ctp.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2020-03-09

MISP 2.4.122 has persistent XSS in the sighting popover tool. This is related to app/View/Elements/Events/View/sighting_field.ctp.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2020-03-09

BWA DiREX-Pro 1.2181 devices allow remote attackers to discover passwords via a direct request to val_users.php3.
CVSS Score: 7.5 | EPSS Score: 0.005 | Published: 2020-03-09

Shodan ® - All rights reserved