Security Vulnerabilities - CVEs Published In April 2020
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects R6700 before 1.0.1.26, R7000 before 1.0.9.10, R7100LG before 1.0.0.32, R7900 before 1.0.1.18, R8000 before 1.0.3.54, and R8500 before 1.0.2.100.
CVSS Score
6.2
EPSS Score
0.001
Published
2020-04-21
Certain NETGEAR devices are affected by CSRF. This affects R6050/JR6150 before 1.0.1.7, PR2000 before 1.0.0.17, R6220 before 1.1.0.50, WNDR3700v5 before 1.1.0.48, JNR1010v2 before 1.1.0.40, JWNR2010v5 before 1.1.0.40, WNR1000v4 before 1.1.0.40, WNR2020 before 1.1.0.40, WNR2050 before 1.1.0.40, WNR614 before 1.1.0.40, WNR618 before 1.1.0.40, and D7000 before 1.0.1.50.
CVSS Score
8.8
EPSS Score
0.002
Published
2020-04-21
NETGEAR D6100 devices before 1.0.0.50_0.0.50 are affected by command injection.
CVSS Score
8.4
EPSS Score
0.004
Published
2020-04-21
Certain NETGEAR devices are affected by command injection. This affects R6100 before 1.0.1.14, R7500 before 1.0.0.110, R7500v2 before 1.0.3.16, R7800 before 1.0.2.32, EX6200v2 before 1.0.1.50, and D7800 before 1.0.1.22.
CVSS Score
6.7
EPSS Score
0.002
Published
2020-04-21
NETGEAR R7800 devices before 1.0.2.30 are affected by incorrect configuration of security settings.
CVSS Score
6.2
EPSS Score
0.001
Published
2020-04-21
Certain NETGEAR devices are affected by command injection. This affects R7800 before 1.0.2.16 and R9000 before 1.0.2.4.
CVSS Score
6.7
EPSS Score
0.002
Published
2020-04-21
Certain NETGEAR devices are affected by command injection. This affects WAC510 before 1.3.0.10, WAC120 before 2.1.4, WNDAP620 before 2.1.3, WND930 before 2.1.2, WN604 before 3.3.7, WNDAP660 before 3.7.4.0, WNDAP350 before 3.7.4.0, WNAP320 before 3.7.4.0, WNAP210v2 before 3.7.4.0, and WNDAP360 before 3.7.4.0.
CVSS Score
6.7
EPSS Score
0.001
Published
2020-04-21
Untrusted Search Path vulnerability in the windows installer of Google Earth Pro versions prior to 7.3.3 allows an attacker to insert malicious local files to execute unauthenticated remote code on the targeted system.
CVSS Score
7.8
EPSS Score
0.0
Published
2020-04-21
In Saml2 Authentication Services for ASP.NET versions before 1.0.2, and between 2.0.0 and 2.6.0, there is a vulnerability in how tokens are validated in some cases. Saml2 tokens are usually used as bearer tokens - a caller that presents a token is assumed to be the subject of the token. There is also support in the Saml2 protocol for issuing tokens that is tied to a subject through other means, e.g. holder-of-key where possession of a private key must be proved. The Sustainsys.Saml2 library incorrectly treats all incoming tokens as bearer tokens, even though they have another subject confirmation method specified. This could be used by an attacker that could get access to Saml2 tokens with another subject confirmation method than bearer. The attacker could then use such a token to create a log in session. This vulnerability is patched in versions 1.0.2 and 2.7.0.
CVSS Score
6.5
EPSS Score
0.003
Published
2020-04-21
A remote command execution in Vesta Control Panel through 0.9.8-26 allows any authenticated user to execute arbitrary commands on the system via cron jobs.
CVSS Score
8.8
EPSS Score
0.033
Published
2020-04-21