Security Vulnerabilities - CVEs Published In April 2020
An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).
CVSS Score
5.5
EPSS Score
0.001
Published
2020-04-29
In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.
CVSS Score
5.5
EPSS Score
0.001
Published
2020-04-29
Pega Platform before version 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the comment tags.
CVSS Score
8.9
EPSS Score
0.005
Published
2020-04-29
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.40, prior to 6.0.20 and prior to 6.1.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
CVSS Score
7.5
EPSS Score
0.002
Published
2020-04-29
ActiveX Control(HShell.dll) in Handy Groupware 1.7.3.1 for Windows 7, 8, and 10 allows an attacker to execute arbitrary command via the ShellExec method.
CVSS Score
6.4
EPSS Score
0.005
Published
2020-04-29
The Richtext Editor in Pega Platform before 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability.
CVSS Score
8.9
EPSS Score
0.005
Published
2020-04-29
Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the "ActionStringID" function.
CVSS Score
8.8
EPSS Score
0.005
Published
2020-04-29
An issue was discovered in Gigamon GigaVUE 5.5.01.11. The upload functionality allows an arbitrary file upload for an authenticated user. If an executable file is uploaded into the www-root directory, then it could yield remote code execution via the filename parameter.
CVSS Score
6.2
EPSS Score
0.035
Published
2020-04-29
The ene.sys driver in G.SKILL Trident Z Lighting Control through 1.00.08 exposes mapping and un-mapping of physical memory, reading and writing to Model Specific Register (MSR) registers, and input from and output to I/O ports to local non-privileged users. This leads to privilege escalation to NT AUTHORITY\SYSTEM.
CVSS Score
7.8
EPSS Score
0.001
Published
2020-04-29
Cerner medico 26.00 has a Local Buffer Overflow (issue 1 of 3).
CVSS Score
8.8
EPSS Score
0.003
Published
2020-04-29