Security Vulnerabilities - CVEs Published In June 2020
Lexiglot through 2014-11-20 allows XSS (Reflected) via the username, or XSS (Stored) via the admin.php?page=config install_name, intro_message, or new_file_content parameter.
CVSS Score: 5.4
EPSS Score: 0.002
Published: 2020-06-01
admin.php?page=projects in Lexiglot through 2014-11-20 allows command injection via username and password fields.
CVSS Score: 9.8
EPSS Score: 0.178
Published: 2020-06-01
system/classes/DbPDO.php in Cmfive through 2015-03-15, when database connectivity malfunctions, allows remote attackers to obtain sensitive information (username and password) via any request, such as a password reset request.
CVSS Score: 7.5
EPSS Score: 0.003
Published: 2020-06-01
FarLinX X25 Gateway through 2014-09-25 allows command injection via shell metacharacters to sysSaveMonitorData.php, fsx25MonProxy.php, syseditdate.php, iframeupload.php, or sysRestoreX25Cplt.php.
CVSS Score: 9.8
EPSS Score: 0.131
Published: 2020-06-01
FarLinX X25 Gateway through 2014-09-25 allows directory traversal via the log-handling feature.
CVSS Score: 5.3
EPSS Score: 0.001
Published: 2020-06-01
FarLinX X25 Gateway through 2014-09-25 allows attackers to write arbitrary data to fsUI.xyz via fsSaveUIPersistence.php.
CVSS Score: 9.8
EPSS Score: 0.004
Published: 2020-06-01
The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that "this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol" and "utimes does not fail under normal circumstances."
CVSS Score: 7.5
EPSS Score: 0.005
Published: 2020-06-01
QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8 allows an authenticated remote attacker to execute code on the server via command injection in the servicestart parameter.
CVSS Score: 8.8
EPSS Score: 0.402
Published: 2020-06-01
In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user can execute sudo mysql without a password, which means that the www-data user can execute arbitrary OS commands via the mysql -e option.
CVSS Score: 8.8
EPSS Score: 0.004
Published: 2020-06-01
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
CVSS Score: 8.1
EPSS Score: 0.024
Published: 2020-06-01
Shodan ® - All rights reserved