Security Vulnerabilities - CVEs Published In September 2020
Cleartext Storage of Sensitive Information in Memory vulnerability in Microsoft Windows client in McAfee True Key (TK) prior to 6.2.109.2 allows a local user logged in with administrative privileges to access another user’s passwords on the same machine via triggering a process dump in specific situations.
CVSS Score: 5.0; EPSS Score: 0.003; Published: 2020-09-04
Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.
CVSS Score: 7.8; EPSS Score: 0.002; Published: 2020-09-04
A vulnerability exists in the Aruba Analytics and Location Engine (ALE) web management interface 2.1.0.2 and earlier firmware that allows an already authenticated administrative user to arbitrarily modify files as an underlying privileged operating system user.
CVSS Score: 4.9; EPSS Score: 0.003; Published: 2020-09-04
The package bestzip before 2.1.7 is vulnerable to Command Injection via the options param.
CVSS Score: 9.8; EPSS Score: 0.08; Published: 2020-09-04
Insecure Service File Permissions in the bd service in Real Time Logic BarracudaDrive v6.5 allow local attackers to escalate privileges to admin by replacing the %SYSTEMDRIVE%\bd\bd.exe file. When the computer next starts, the new bd.exe will be run as LocalSystem.
CVSS Score: 8.8; EPSS Score: 0.0; Published: 2020-09-04
An issue was discovered in Noise-Java through 2020-08-27. ChaChaPolyCipherState.encryptWithAd() allows out-of-bounds access.
CVSS Score: 9.8; EPSS Score: 0.006; Published: 2020-09-04
An issue was discovered in Noise-Java through 2020-08-27. AESGCMFallbackCipherState.encryptWithAd() allows out-of-bounds access.
CVSS Score: 9.8; EPSS Score: 0.006; Published: 2020-09-04
An issue was discovered in Noise-Java through 2020-08-27. AESGCMOnCtrCipherState.encryptWithAd() allows out-of-bounds access.
CVSS Score: 9.8; EPSS Score: 0.006; Published: 2020-09-04
In Foxit Reader and PhantomPDF before 10.0.1, and PhantomPDF before 9.7.3, attackers can obtain sensitive information about an uninitialized object because of direct transformation from PDF Object to Stream without concern for a crafted XObject.
CVSS Score: 8.1; EPSS Score: 0.001; Published: 2020-09-04
In Foxit Reader and PhantomPDF before 10.0.1, and PhantomPDF before 9.7.3, attackers can obtain sensitive information from an out-of-bounds read because a text-string index continues to be used after splitting a string into two parts. A crash may also occur.
CVSS Score: 7.1; EPSS Score: 0.001; Published: 2020-09-04

