Security Vulnerabilities - CVEs Published In May 2020
A flaw was found in OpenShift Container Platform where OAuth tokens are not encrypted when the encryption of data at rest is enabled. This flaw allows an attacker with access to a backup to obtain OAuth tokens and then use them to log into the cluster as any user who logged into the cluster via the WebUI or via the command line in the last 24 hours. Once the backup is older than 24 hours the OAuth tokens are no longer valid.
CVSS Score: 6.3 | EPSS Score: 0.0 | Published: 2020-05-12
An out-of-bounds buffer read flaw was found in the pluto daemon of libreswan in versions 3.27 through 3.31, where an unauthenticated attacker could use this flaw to crash libreswan by sending specially crafted IKEv1 Informational Exchange packets. The daemon respawns after the crash.
CVSS Score: 7.5 | EPSS Score: 0.048 | Published: 2020-05-12
IBM API Connect V2018.4.1.0 through 2018.4.1.10 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 174859.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2020-05-12
The IBM API Connect V2018.4.1.0 through 2018.4.1.10 management server has an unsecured API which can be exploited by an unauthenticated attacker to obtain sensitive information. IBM X-Force ID: 178322.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2020-05-12
An insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remotely wipe the devices of other users by sending a malicious request directly to the endpoint.
CVSS Score: 7.7 | EPSS Score: 0.008 | Published: 2020-05-12
An outdated third-party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a cross-site scripting vulnerability when opening a malicious PDF.
CVSS Score: 5.4 | EPSS Score: 0.006 | Published: 2020-05-12
A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man-in-the-middle attack.
CVSS Score: 7.0 | EPSS Score: 0.003 | Published: 2020-05-12
There is a vulnerability in actionpack_page-caching gem < v1.2.1 that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.
CVSS Score: 9.8 | EPSS Score: 0.054 | Published: 2020-05-12
There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2020-05-12
Improper access control in the Groupfolders app 4.0.3 allowed hidden directories to be deleted when renaming an accessible item to the same name.
CVSS Score: 8.1 | EPSS Score: 0.006 | Published: 2020-05-12