Security Vulnerabilities - CVEs Published In April 2020
Certain NETGEAR devices are affected by a stack-based buffer overflow by an unauthenticated attacker. This affects R6700 before 1.0.1.48, R7900 before 1.0.2.16, R6900 before 1.0.1.48, R7000P before 1.3.1.44, R6900P before 1.3.1.44, R6250 before 1.0.4.30, R6300v2 before 1.0.4.32, R6400 before 1.0.1.44, R6400v2 before 1.0.2.60, R7000 before 1.0.9.34, R7100LG before 1.0.0.48, R7300 before 1.0.0.68, R8000 before 1.0.4.18, R8000P before 1.4.1.24, R7900P before 1.4.1.24, R8500 before 1.0.2.122, R8300 before 1.0.2.122, WN2500RPv2 before 1.0.1.54, EX3700 before 1.0.0.72, EX3800 before 1.0.0.72, EX6000 before 1.0.0.32, EX6100 before 1.0.2.24, EX6120 before 1.0.0.42, EX6130 before 1.0.0.24, EX6150v1 before 1.0.0.42, EX6200 before 1.0.3.88, EX7000 before 1.0.0.66, D7000v2 before 1.0.0.51, D6220 before 1.0.0.46, D6400 before 1.0.0.82, and D8500 before 1.0.3.42.
CVSS Score
6.8
EPSS Score
0.005
Published
2020-04-23
In versions prior to 3.3.0, the NGINX Controller is configured to communicate with its Postgres database server over unencrypted channels, making the communicated data vulnerable to interception via man-in-the-middle (MiTM) attacks.
CVSS Score
4.8
EPSS Score
0.001
Published
2020-04-23
In versions of NGINX Controller prior to 3.3.0, the helper.sh script, which is used optionally in NGINX Controller to change settings, uses sensitive items as command-line arguments.
CVSS Score
5.5
EPSS Score
0.001
Published
2020-04-23
httpd in Juplink RX4-1500 v1.0.3-v1.0.5 allows remote attackers to change or access router settings by connecting to the unauthenticated setup3.htm endpoint from the local network.
CVSS Score
5.5
EPSS Score
0.002
Published
2020-04-23
NETGEAR R7800 devices before 1.0.2.60 are affected by command injection by an authenticated user.
CVSS Score
6.8
EPSS Score
0.001
Published
2020-04-23
NETGEAR R7800 devices before 1.0.2.60 are affected by command injection by an authenticated user.
CVSS Score
6.8
EPSS Score
0.001
Published
2020-04-23
NETGEAR R7800 devices before 1.0.2.60 are affected by command injection by an authenticated user.
CVSS Score
6.8
EPSS Score
0.001
Published
2020-04-23
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in firmware versions prior to x.xx of Netatmo Smart Indoor Camera allows an attacker to execute commands on the device. This issue affects: Netatmo Smart Indoor Camera version and prior versions.
CVSS Score
5.7
EPSS Score
0.006
Published
2020-04-23
libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCursorShape integer overflow and heap-based buffer overflow via a large height or width value. NOTE: this may overlap CVE-2019-15690.
CVSS Score
9.8
EPSS Score
0.008
Published
2020-04-23
In versions of NGINX Controller prior to 3.2.0, communication between NGINX Controller and NGINX Plus instances skip TLS verification by default.
CVSS Score
7.4
EPSS Score
0.004
Published
2020-04-23