Security Vulnerabilities - CVEs Published In September 2020
In cPanel before 88.0.3, an insecure auth policy API key is used by Dovecot on a templated VM (SEC-550).
CVSS Score
7.5
EPSS Score
0.006
Published
2020-09-25
QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.
CVSS Score
3.2
EPSS Score
0.0
Published
2020-09-25
QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case.
CVSS Score
5.0
EPSS Score
0.0
Published
2020-09-25
hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop.
CVSS Score
5.3
EPSS Score
0.0
Published
2020-09-25
The Telnet service of Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) can allow a remote attacker to gain access to RTSP and ONFIV services without authentication. Thus, the attacker can watch live streams from the camera, rotate the camera, change some settings (brightness, clarity, time), restart the camera, or reset it to factory settings.
CVSS Score
9.4
EPSS Score
0.022
Published
2020-09-25
A Cleartext Transmission issue was discovered on Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339). Someone in the middle can intercept and modify the video data from the camera, which is transmitted in an unencrypted form. One can also modify responses from NTP and RTSP servers and force the camera to use the changed values.
CVSS Score
8.1
EPSS Score
0.002
Published
2020-09-25
The Telnet service of Rubetek cameras RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) could allow an remote attacker to take full control of the device with a high-privileged account. The vulnerability exists because a system account has a default and static password. The Telnet service cannot be disabled and this password cannot be changed via standard functionality.
CVSS Score
9.8
EPSS Score
0.039
Published
2020-09-25
Mitel MiCloud Management Portal before 6.1 SP5 could allow an attacker, by sending a crafted request, to view system information due to insufficient output sanitization.
CVSS Score
5.3
EPSS Score
0.002
Published
2020-09-25
Mitel MiCloud Management Portal before 6.1 SP5 could allow a remote attacker to conduct a SQL Injection attack and access user credentials due to improper input validation.
CVSS Score
7.2
EPSS Score
0.004
Published
2020-09-25
Mitel MiCloud Management Portal before 6.1 SP5 could allow an unauthenticated attacker to execute arbitrary scripts due to insufficient input validation, aka XSS. A successful exploit could allow an attacker to gain access to a user session.
CVSS Score
9.6
EPSS Score
0.007
Published
2020-09-25