Security Vulnerabilities - CVEs Published In March 2020
Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server missing authorization vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to alter the application’s allowable list of OS commands. This may lead to arbitrary OS command execution as the regular user runs the DPA service on the affected system.
CVSS Score
9.1
EPSS Score
0.022
Published
2020-03-18
Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server-side template injection vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to inject malicious report generation scripts in the server. This may lead to OS command execution as the regular user runs the DPA service on the affected system.
CVSS Score
9.1
EPSS Score
0.024
Published
2020-03-18
An issue was discovered in ONAP SDNC before Dublin. By executing sla/dgUpload with a crafted filename parameter, an unauthenticated attacker can execute an arbitrary command. All SDC setups that include admportal are affected.
CVSS Score
9.8
EPSS Score
0.017
Published
2020-03-18
The Newton application through 10.0.23 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.
CVSS Score
6.1
EPSS Score
0.003
Published
2020-03-18
The Nine application through 4.5.3a for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.
CVSS Score
6.1
EPSS Score
0.005
Published
2020-03-18
The BlueMail application through 1.9.5.36 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.
CVSS Score
6.1
EPSS Score
0.003
Published
2020-03-18
The Edison Mail application through 1.7.1 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.
CVSS Score
6.1
EPSS Score
0.003
Published
2020-03-18
The TypeApp application through 1.9.5.35 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.
CVSS Score
6.1
EPSS Score
0.003
Published
2020-03-18
The Spark application through 2.0.2 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.
CVSS Score
6.1
EPSS Score
0.005
Published
2020-03-18
SolarWinds Serv-U Managed File Transfer (MFT) Web client before 15.1.6 Hotfix 2 is vulnerable to Cross-Site Request Forgery in the file upload functionality via ?Command=Upload with the Dir and File parameters.
CVSS Score
8.8
EPSS Score
0.006
Published
2020-03-18