Security Vulnerabilities - CVEs Published In August 2020
The resolveRepositoryPath function doesn't properly validate user input and a malicious user may traverse to any valid Git repository outside the repoRoot. This issue may lead to unauthorized access of private Git repositories as long as the malicious user knows or brute-forces the location of the repository.
CVSS Score
5.9
EPSS Score
0.021
Published
2020-08-14
In openapi-python-client before version 0.5.3, there is a path traversal vulnerability. If a user generated a client using a maliciously crafted OpenAPI document, it is possible for generated files to be placed in arbitrary locations on disk.
CVSS Score
3.0
EPSS Score
0.004
Published
2020-08-14
A File Upload Vulnerability in PNotes - Andrey Gruber PNotes.NET v3.8.1.2 allows a local attacker to execute arbitrary code via the Miscellaneous " External Programs by uploading the malicious .exe file to the external program.
CVSS Score
7.8
EPSS Score
0.001
Published
2020-08-14
Rapid Software LLC Rapid SCADA 5.8.0 is affected by a local privilege escalation vulnerability in the ScadaAgentSvc.exe executable file. An attacker can obtain admin privileges by placing a malicious .exe file in the application and renaming it ScadaAgentSvc.exe, which would result in executing the binary as NT AUTHORITY\SYSTEM in a Windows operating system. For example, an attacker can plant a reverse shell from a low privileged user account and by restarting the computer, the malicious service will be started as NT AUTHORITY\SYSTEM by giving the attacker full system access to the remote PC.
CVSS Score
7.8
EPSS Score
0.0
Published
2020-08-14
A vulnerability has been identified in Automation License Manager 5 (All versions), Automation License Manager 6 (All versions < V6.0.8). The application does not properly validate the users' privileges when executing some operations, which could allow a user with low permissions to arbitrary modify files that should be protected against writing.
CVSS Score
7.8
EPSS Score
0.0
Published
2020-08-14
CVE-2019-5591
A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
Known exploited
CVSS Score
6.5
EPSS Score
0.035
Published
2020-08-14
A vulnerability has been identified in Desigo CC (V4.x), Desigo CC (V3.x), Desigo CC Compact (V4.x), Desigo CC Compact (V3.x). Affected applications are delivered with a 3rd party component (BIRT) that contains a remote code execution vulnerability if the Advanced Reporting Engine is enabled. The vulnerability could allow a remote unauthenticated attacker to execute arbitrary commands on the server with SYSTEM privileges.
CVSS Score
9.8
EPSS Score
0.027
Published
2020-08-14
A vulnerability has been identified in SICAM WEB firmware for SICAM A8000 RTUs (All versions < V05.30). The login screen does not sufficiently sanitize input, which enables an attacker to generate specially crafted log messages. If an unsuspecting victim views the log messages via the web browser, these log messages might be interpreted and executed as code by the web application. This Cross-Site-Scripting (XSS) vulnerability might compromize the confidentiality, integrity and availability of the web application.
CVSS Score
9.6
EPSS Score
0.005
Published
2020-08-14
All versions of phpjs are vulnerable to Prototype Pollution via parse_str.
CVSS Score
9.8
EPSS Score
0.004
Published
2020-08-14
madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue.
CVSS Score
9.8
EPSS Score
0.011
Published
2020-08-14