Security Vulnerabilities - CVEs Published In April 2020
An issue was discovered in Project Worlds Official Car Rental System 1. It allows the admin user to run commands on the server with their account because the upload section on the file-manager page contains an arbitrary file upload vulnerability via add_cars.php. There are no upload restrictions for executable files.
CVSS Score: 7.2
EPSS Score: 0.004
Published: 2020-04-06
Project Worlds Official Car Rental System 1 is vulnerable to multiple SQL injection issues, as demonstrated by the email and parameters (account.php), uname and pass parameters (login.php), and id parameter (book_car.php). This allows an attacker to dump the MySQL database and to bypass the login authentication prompt.
CVSS Score: 9.8
EPSS Score: 0.001
Published: 2020-04-06
This affects the package io.jooby:jooby-netty before 1.6.9, and from 2.0.0 before 2.2.1. DefaultHttpHeaders validation is set to false, which means it does not validate that the header isn't being abused for HTTP Response Splitting.
CVSS Score: 6.5
EPSS Score: 0.005
Published: 2020-04-06
The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 has a passwordless ftp ssh user. By using an exploit chain, an attacker with access to the network can get root access on the gateway.
CVSS Score: 6.6
EPSS Score: 0.005
Published: 2020-04-06
A vulnerability was found in all versions of Keycloak where the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.
CVSS Score: 4.8
EPSS Score: 0.001
Published: 2020-04-06
STMicroelectronics STM32F1 devices have Incorrect Access Control.
CVSS Score: 7.5
EPSS Score: 0.036
Published: 2020-04-06
diskusage-ng through 0.2.4 is vulnerable to Command Injection. It allows execution of arbitrary commands via the path argument.
CVSS Score: 9.8
EPSS Score: 0.012
Published: 2020-04-06
node-mpv through 1.4.3 is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument.
CVSS Score: 9.8
EPSS Score: 0.012
Published: 2020-04-06
apiconnect-cli-plugins through 6.0.1 is vulnerable to Command Injection. It allows execution of arbitrary commands via the pluginUri argument.
CVSS Score: 9.8
EPSS Score: 0.012
Published: 2020-04-06
heroku-addonpool through 0.1.15 is vulnerable to Command Injection.
CVSS Score: 9.8
EPSS Score: 0.033
Published: 2020-04-06
Shodan ® - All rights reserved