Security Vulnerabilities - CVEs Published In May 2020
We have recently released a new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior TI, XW and XM boards, according to the description below: Multiple end-points with parameters vulnerable to reflected cross site scripting (XSS), allowing attackers to abuse the user's session information and/or account takeover of the admin user. Mitigation: Update to the latest AirMax AirOS firmware version available at the AirMax download page.
CVSS Score
6.1
EPSS Score
0.004
Published
2020-05-26
We have recently released a new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior TI, XW and XM boards, according to the description below: There are certain end-points containing functionalities that are vulnerable to command injection. It is possible to craft an input string that passes the filter check but still contains commands, resulting in remote code execution. Mitigation: Update to the latest AirMax AirOS firmware version available at the AirMax download page.
CVSS Score
9.8
EPSS Score
0.069
Published
2020-05-26
A flaw was found in the Linux kernel's SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
CVSS Score
6.1
EPSS Score
0.001
Published
2020-05-26
The bbPress plugin through 2.6.4 for WordPress has stored XSS in the Forum creation section, resulting in JavaScript execution at wp-admin/edit.php?post_type=forum (aka the Forum listing page) for all users. An administrator can exploit this at the wp-admin/post.php?action=edit URI.
CVSS Score
4.8
EPSS Score
0.006
Published
2020-05-26
qmail-verify as used in netqmail 1.06 is prone to a mail-address verification bypass vulnerability.
CVSS Score
7.5
EPSS Score
0.003
Published
2020-05-26
qmail-verify as used in netqmail 1.06 is prone to an information disclosure vulnerability. A local attacker can test for the existence of files and directories anywhere in the filesystem because qmail-verify runs as root and tests for the existence of files in the attacker's home directory, without dropping its privileges first.
CVSS Score
5.5
EPSS Score
0.0
Published
2020-05-26
The Knock Knock plugin before 1.2.8 for Craft CMS allows IP Whitelist bypass via an X-Forwarded-For HTTP header.
CVSS Score
9.1
EPSS Score
0.003
Published
2020-05-25
The Knock Knock plugin before 1.2.8 for Craft CMS allows malicious redirection.
CVSS Score
6.1
EPSS Score
0.002
Published
2020-05-25
EM-HTTP-Request 1.1.5 uses the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.
CVSS Score
7.4
EPSS Score
0.001
Published
2020-05-25
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There are CSRF issues with the log-clear controller action.
CVSS Score
8.8
EPSS Score
0.001
Published
2020-05-25


Shodan ® - All rights reserved