Security Vulnerabilities - CVEs Published In March 2020
A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed arbitrary code to be loaded when starting the client with DYLD_INSERT_LIBRARIES set in the environment.
CVSS Score: 6.7 | EPSS Score: 0.004 | Published: 2020-03-20
Rock RMS before 1.8.6 mishandles vCard access control within the People/GetVCard/REST controller.
CVSS Score: 9.8 | EPSS Score: 0.037 | Published: 2020-03-20
Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi.
CVSS Score: 6.1 | EPSS Score: 0.018 | Published: 2020-03-20
An XSS vulnerability in qcopd-shortcode-generator.php in the Simple Link Directory plugin before 7.3.5 for WordPress allows remote attackers to inject arbitrary web script or HTML, because esc_html is not called for the "echo get_the_title()" or "echo $term->name" statement.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2020-03-20
An issue was discovered in LINBIT csync2 through 2.0. csync_daemon_session in daemon.c neglects to force a failure of a hello command when the configuration requires use of SSL.
CVSS Score: 9.8 | EPSS Score: 0.005 | Published: 2020-03-20
An issue was discovered in the AbuseFilter extension for MediaWiki. includes/special/SpecialAbuseLog.php allows attackers to obtain sensitive information, such as deleted/suppressed usernames and summaries, from AbuseLog revision data. This affects REL1_32 and REL1_33.
CVSS Score: 7.5 | EPSS Score: 0.005 | Published: 2020-03-20
Code injection vulnerability in blamer 1.0.0 and earlier may result in remote code execution when the input can be controlled by an attacker.
CVSS Score: 9.8 | EPSS Score: 0.047 | Published: 2020-03-20
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.916. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of PSD files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-9624.
CVSS Score: 3.3 | EPSS Score: 0.204 | Published: 2020-03-20
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.916. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of PSD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9625.
CVSS Score: 7.8 | EPSS Score: 0.024 | Published: 2020-03-20
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.916. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of PSD files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-9626.
CVSS Score: 3.3 | EPSS Score: 0.204 | Published: 2020-03-20

