Security Vulnerabilities - CVEs Published In May 2020
RSA Archer versions prior to 6.7 P1 (6.7.0.1) contain a URL redirection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking victim users into clicking on maliciously crafted links. The vulnerability could be used to conduct phishing attacks that cause users to unknowingly visit malicious sites.
CVSS Score: 4.6
EPSS Score: 0.002
Published: 2020-05-04
Dell Client platforms restored using a Dell OS recovery image downloaded before December 20, 2019, may contain an insecure inherited permissions vulnerability. A local authenticated malicious user with low privileges could exploit this vulnerability to gain unauthorized access to the root folder.
CVSS Score: 7.3
EPSS Score: 0.0
Published: 2020-05-04
LCDS LAquis SCADA Versions 4.3.1 and prior. The affected product is vulnerable to sensitive information exposure by unauthorized users.
CVSS Score: 5.5
EPSS Score: 0.002
Published: 2020-05-04
LCDS LAquis SCADA Versions 4.3.1 and prior. The affected product is vulnerable to arbitrary file creation by unauthorized users.
CVSS Score: 7.8
EPSS Score: 0.002
Published: 2020-05-04
A flaw was found in Soteria before 1.0.1: multiple requests occurring concurrently cause security identity corruption across concurrent threads when using EE Security with WildFly Elytron, which can lead to the possibility of a request being handled using the identity from another request.
CVSS Score: 4.2
EPSS Score: 0.001
Published: 2020-05-04
Certain TP-Link devices allow Command Injection. This affects NC200 2.1.9 build 200225, NC210 1.0.9 build 200304, NC220 1.3.0 build 200304, NC230 1.3.0 build 200304, NC250 1.3.0 build 200304, NC260 1.5.2 build 200304, and NC450 1.5.3 build 200304.
CVSS Score: 8.8
EPSS Score: 0.835
Published: 2020-05-04
An issue was discovered in service-api before 4.3.12 and 5.x before 5.1.1 for Report Portal. It allows XXE, with resultant secrets disclosure and SSRF, via JUnit XML launch import.
CVSS Score: 7.5
EPSS Score: 0.003
Published: 2020-05-04
Certain TP-Link devices allow Command Injection. This affects NC260 1.5.2 build 200304 and NC450 1.5.3 build 200304.
CVSS Score: 8.8
EPSS Score: 0.045
Published: 2020-05-04
Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.
CVSS Score: 9.8
EPSS Score: 0.227
Published: 2020-05-04
CVE-2020-12641
Known exploited
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
CVSS Score: 9.8
EPSS Score: 0.931
Published: 2020-05-04