Security Vulnerabilities - CVEs Published In June 2020
Adobe Experience Manager versions 6.5 and earlier have a server-side request forgery (SSRF) vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVSS Score: 7.5 | EPSS Score: 0.011 | Published: 2020-06-12
Adobe Experience Manager versions 6.5 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to arbitrary JavaScript execution in the browser.
CVSS Score: 5.4 | EPSS Score: 0.028 | Published: 2020-06-12
Adobe Experience Manager versions 6.5 and earlier have a blind server-side request forgery (SSRF) vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVSS Score: 7.5 | EPSS Score: 0.011 | Published: 2020-06-12
Adobe Experience Manager versions 6.5 and earlier have a DOM-based cross-site scripting vulnerability. Successful exploitation could lead to arbitrary JavaScript execution in the browser.
CVSS Score: 6.1 | EPSS Score: 0.037 | Published: 2020-06-12
IBM API Connect 5.0.0.0 through 5.0.8.8 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 175489.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2020-06-12
The GeoVision Door Access Control device family has a hardcoded root password, and the same password is used on all devices.
CVSS Score: 6.2 | EPSS Score: 0.001 | Published: 2020-06-12
The GeoVision Door Access Control device family employs shared cryptographic private keys for SSH and HTTPS. Attackers may conduct MITM attacks with the derived keys and recover the plaintext of encrypted messages.
CVSS Score: 5.9 | EPSS Score: 0.001 | Published: 2020-06-12
The GeoVision Door Access Control device family improperly stores and controls access to system logs; any user can read these logs.
CVSS Score: 4.0 | EPSS Score: 0.001 | Published: 2020-06-12
Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents.
CVSS Score: 7.5 | EPSS Score: 0.25 | Published: 2020-06-12
SSB-DB version 20.0.0 has an information disclosure vulnerability. The get() method is supposed to only decrypt messages when you explicitly ask it to, but there is a bug where it's decrypting any message that it can. This means that it is returning the decrypted content of private messages, which a malicious peer could use to get access to private data. This only affects peers running SSB-DB@20.0.0 who also have private messages, and is only known to be exploitable if you're also running SSB-OOO (default in SSB-Server), which exposes a thin wrapper around get() to anonymous peers. This is fixed in version 20.0.1. Note that users of SSB-Server version 16.0.0 should upgrade to 16.0.1 to get the fixed version of SSB-DB.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2020-06-11

