Security Vulnerabilities - CVEs Published In April 2020
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
CVSS Score
8.1
EPSS Score
0.028
Published
2020-04-07
An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows remote attackers to upload page templates containing arbitrary JavaScript via the c37_wpl_import_template admin-post action (which will execute in an administrator's browser if the template is used to create a page).
CVSS Score
6.1
EPSS Score
0.015
Published
2020-04-07
An improper neutralization of input vulnerability in the dashboard of FortiADC may allow an authenticated attacker to perform a cross site scripting attack (XSS) via the name parameter.
CVSS Score
5.4
EPSS Score
0.004
Published
2020-04-07
An improper authorization vulnerability in FortiADC may allow a remote authenticated user with low privileges to perform certain actions such as rebooting the system.
CVSS Score
6.5
EPSS Score
0.009
Published
2020-04-07
An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows logged-in users with minimal permissions to create or replace existing pages with a malicious page containing arbitrary JavaScript via the wp_ajax_core37_lp_save_page (aka core37_lp_save_page) AJAX action.
CVSS Score
5.4
EPSS Score
0.002
Published
2020-04-07
perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows remote attackers to cause an infinite loop via unexpected input.
CVSS Score
7.5
EPSS Score
0.01
Published
2020-04-07
An issue was discovered in xdLocalStorage through 2.0.5. The receiveMessage() function in xdLocalStoragePostMessageApi.js does not implement any validation of the origin of web messages. Remote attackers who can entice a user to load a malicious site can exploit this issue to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages.
CVSS Score
7.1
EPSS Score
0.004
Published
2020-04-07
An issue was discovered in xdLocalStorage through 2.0.5. The receiveMessage() function in xdLocalStorage.js does not implement any validation of the origin of web messages. Remote attackers who can entice a user to load a malicious site can exploit this issue to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages.
CVSS Score
7.1
EPSS Score
0.004
Published
2020-04-07
GE Mark VIe Controller has an unsecured Telnet protocol that may allow a user to create an authenticated session using generic default credentials. GE recommends that users disable the Telnet service.
CVSS Score
8.8
EPSS Score
0.002
Published
2020-04-07
GE Mark VIe Controller is shipped with pre-configured hard-coded credentials that may allow root-user access to the controller. A limited application of the affected product may ship without setup and configuration instructions immediately available to the end user. The bulk of controllers go into applications requiring the GE commissioning engineer to change default configurations during the installation process. GE recommends that users reset controller passwords during installation in the operating environment.
CVSS Score
7.8
EPSS Score
0.001
Published
2020-04-07