Security Vulnerabilities - CVEs Published In April 2020
UPS Adapter CS141 before 1.90 allows Directory Traversal. An attacker with Admin or Engineer login credentials could exploit the vulnerability by manipulating variables that reference files and by doing this achieve access to files and directories outside the web root folder. An attacker may access arbitrary files and directories stored in the file system, but integrity of the files are not jeopardized as attacker have read access rights only.
CVSS Score
6.5
EPSS Score
0.007
Published
2020-04-27
OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication results to provide false information about the domain that originated an e-mail message. This is caused by incorrect parsing and interpretation of SPF/DKIM authentication results, as demonstrated by the example.net(.example.com substring.
CVSS Score
5.3
EPSS Score
0.01
Published
2020-04-27
A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
CVSS Score
5.5
EPSS Score
0.004
Published
2020-04-27
ZOOM International Call Recording 6.3.1 suffers from multiple authenticated stored XSS vulnerabilities via the phoneNumber field in the (1) User Edit or (2) User Add form, (3) name field in the Role Add form, (4) name or number field in the Edit Group form, (5) tagKey or tagValue field in the Recording Rules Configuration, or (6) txt_69735:/VemailAddress/value or txt_75767:/VemailFrom/value field in callrec/config.
CVSS Score
5.4
EPSS Score
0.006
Published
2020-04-27
The IGMP component in VxWorks 6.8.3 IPNET CVE patches created in 2019 has a NULL Pointer Dereference.
CVSS Score
7.5
EPSS Score
0.004
Published
2020-04-27
An issue was discovered in Percona XtraDB Cluster before 5.7.28-31.41.2. A bundled script inadvertently sets a static transition_key for SST processes in place of the random key expected.
CVSS Score
8.1
EPSS Score
0.006
Published
2020-04-27
Percona XtraBackup before 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table.
CVSS Score
6.5
EPSS Score
0.007
Published
2020-04-27
Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
CVSS Score
6.1
EPSS Score
0.012
Published
2020-04-27
In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials.
CVSS Score
7.5
EPSS Score
0.002
Published
2020-04-27
In TestLink 1.9.20, the lib/cfields/cfieldsExport.php goback_url parameter causes a security risk because it depends on client input and is not constrained to lib/cfields/cfieldsView.php at the web site associated with the session.
CVSS Score
9.8
EPSS Score
0.004
Published
2020-04-27