Security Vulnerabilities - CVEs Published In April 2020
svg2png 4.1.1 allows XSS with resultant SSRF via JavaScript inside an SVG document.
CVSS Score
6.1
EPSS Score
0.003
Published
2020-04-17
WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploaded file.
CVSS Score
4.0
EPSS Score
0.004
Published
2020-04-17
OpenNMS Horizon and Meridian allows HQL Injection in element/nodeList.htm (aka the NodeListController) via snmpParm or snmpParmValue to addCriteriaForSnmpParm. This affects Horizon before 25.2.1, Meridian 2019 before 2019.1.4, Meridian 2018 before 2018.1.16, and Meridian 2017 before 2017.1.21.
CVSS Score
8.1
EPSS Score
0.004
Published
2020-04-17
In OpenMRS 2.9 and prior, he import functionality of the Data Exchange Module does not properly redirect to a login page when an unauthenticated user attempts to access it. This allows unauthenticated users to use a feature typically restricted to administrators.
CVSS Score
6.1
EPSS Score
0.01
Published
2020-04-17
In OpenMRS 2.9 and prior, the export functionality of the Data Exchange Module does not properly redirect to a login page when an unauthenticated user attempts to access it. This allows the export of potentially sensitive information.
CVSS Score
6.1
EPSS Score
0.01
Published
2020-04-17
Stored XSS in Tenable.Sc before 5.14.0 could allow an authenticated remote attacker to craft a request to execute arbitrary script code in a user's browser session. Updated input validation techniques have been implemented to correct this issue.
CVSS Score
5.4
EPSS Score
0.002
Published
2020-04-17
In Divante vue-storefront-api through 1.11.1 and storefront-api through 1.0-rc.1, as used in VueStorefront PWA, unexpected HTTP requests lead to an exception that discloses the error stack trace, with absolute file paths and Node.js module names.
CVSS Score
5.3
EPSS Score
0.027
Published
2020-04-17
An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.
CVSS Score
5.1
EPSS Score
0.002
Published
2020-04-17
OpenMRS 2.9 and prior copies "Referrer" header values into an html element named "redirectUrl" within many webpages (such as login.htm). There is insufficient validation for this parameter, which allows for the possibility of cross-site scripting.
CVSS Score
6.1
EPSS Score
0.003
Published
2020-04-17
In OpenMRS 2.9 and prior, the UI Framework Error Page reflects arbitrary, user-supplied input back to the browser, which can result in XSS. Any page that is able to trigger a UI Framework Error is susceptible to this issue.
CVSS Score
6.1
EPSS Score
0.003
Published
2020-04-17