Security Vulnerabilities - CVEs Published In September 2020
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this information exposure vulnerability could disclose sensitive information. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
CVSS Score
4.3
EPSS Score
0.003
Published
2020-09-11
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
CVSS Score
2.0
EPSS Score
0.001
Published
2020-09-11
When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.
CVSS Score
7.5
EPSS Score
0.931
Published
2020-09-11
Memory overflow in Xiaomi AI speaker Rom version <1.59.6 can happen when the speaker verifying a malicious firmware during OTA process.
CVSS Score
9.8
EPSS Score
0.005
Published
2020-09-11
In Xiaomi router R3600 ROM version<1.0.66, filters in the set_WAN6 interface can be bypassed, causing remote code execution. The router administrator can gain root access from this vulnerability.
CVSS Score
9.8
EPSS Score
0.018
Published
2020-09-11
Devices supporting Bluetooth before 5.1 may allow man-in-the-middle attacks, aka BLURtooth. Cross Transport Key Derivation in Bluetooth Core Specification v4.2 and v5.0 may permit an unauthenticated user to establish a bonding with one transport, either LE or BR/EDR, and replace a bonding already established on the opposing transport, BR/EDR or LE, potentially overwriting an authenticated key with an unauthenticated key, or a key with greater entropy with one with less.
CVSS Score
5.9
EPSS Score
0.447
Published
2020-09-11
In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. The application on the surveillance station operates in kiosk mode, which is vulnerable to local breakouts that could allow an attacker with physical access to escape the restricted environment with limited privileges.
CVSS Score
6.8
EPSS Score
0.001
Published
2020-09-11
In IntelliVue patient monitors MX100, MX400-550, MX600, MX700, MX750,
MX800, MX850, MP2-MP90, and IntelliVue X2 and X3 Versions N and prior,
the product receives input or data but does not validate or incorrectly
validates that the input has the properties required to process the data
safely and correctly, which can induce a denial-of-service condition
through a system restart.
CVSS Score
6.5
EPSS Score
0.001
Published
2020-09-11
In Patient Information Center iX (PICiX) Versions C.02, C.03,
PerformanceBridge Focal Point Version A.01, the product receives input
that is expected to be well-formed (i.e., to comply with a certain
syntax) but it does not validate or incorrectly validates that the input
complies with the syntax, causing the certificate enrollment service to
crash. It does not impact monitoring but prevents new devices from
enrolling.
CVSS Score
4.3
EPSS Score
0.0
Published
2020-09-11
In Patient Information Center iX (PICiX) Versions C.02, C.03, the
software parses a formatted message or structure but does not handle or
incorrectly handles a length field that is inconsistent with the actual
length of the associated data, causing the application on the
surveillance station to restart.
CVSS Score
6.5
EPSS Score
0.001
Published
2020-09-11