Security Vulnerabilities - CVEs Published In July 2020
In SilverStripe through 4.5, malicious users with a valid Silverstripe CMS login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted login form URLs.
CVSS Score
5.4
EPSS Score
0.003
Published
2020-07-15
The authentication implementation on the xArm controller has very low entropy, making it vulnerable to a brute-force attack. There is no mechanism in place to mitigate or lockout automated attempts to gain access.
CVSS Score
9.4
EPSS Score
0.004
Published
2020-07-15
Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet.
CVSS Score
4.3
EPSS Score
0.007
Published
2020-07-15
A Blind SQL Injection vulnerability in Kronos WebTA 3.8.x and later before 4.0 (affecting the com.threeis.webta.H352premPayRequest servlet's SortBy parameter) allows an attacker with the Employee, Supervisor, or Timekeeper role to read sensitive data from the database.
CVSS Score
6.5
EPSS Score
0.003
Published
2020-07-15
An issue was discovered in Artica Proxy before 4.30.000000. Stored XSS exists via the Server Domain Name, Your Email Address, Group Name, MYSQL Server, Database, MYSQL Username, Group Name, and Task Description fields.
CVSS Score
6.1
EPSS Score
0.258
Published
2020-07-15
A Path Traversal issue was discovered in the socket.io-file package through 2.0.31 for Node.js. The socket.io-file::createFile message uses path.join with ../ in the name option, and the uploadDir and rename options determine the path.
CVSS Score
7.5
EPSS Score
0.005
Published
2020-07-15
XXE injection can occur in i-net Clear Reports 2019 19.0.287 (Designer), as used in i-net HelpDesk and other products, when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
CVSS Score
9.8
EPSS Score
0.004
Published
2020-07-15
A remote code execution vulnerability was identified in SecZetta NEProfile 3.3.11. Authenticated remote adversaries can invoke code execution upon uploading a carefully crafted JPEG file as part of the profile avatar.
CVSS Score
8.8
EPSS Score
0.028
Published
2020-07-15
IceWarp Email Server 12.3.0.1 has Incorrect Access Control for user accounts.
CVSS Score
6.5
EPSS Score
0.007
Published
2020-07-15
IceWarp Email Server 12.3.0.1 allows remote attackers to upload files and consume disk space.
CVSS Score
6.5
EPSS Score
0.023
Published
2020-07-15