Security Vulnerabilities - CVEs Published In September 2020
An issue was discovered in Hoosk CMS v1.8.0. There is a SQL injection vulnerability in install/index.php
CVSS Score
9.8
EPSS Score
0.003
Published
2020-09-30
An issue was discovered in Hoosk CMS v1.8.0. There is a XSS vulnerability in install/index.php
CVSS Score
6.1
EPSS Score
0.002
Published
2020-09-30
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
CVSS Score
6.5
EPSS Score
0.002
Published
2020-09-30
md_push_block_bytes in md4c.c in md4c 0.4.5 allows attackers to trigger use of uninitialized memory, and cause a denial of service (e.g., assertion failure) via a malformed Markdown document.
CVSS Score
7.5
EPSS Score
0.004
Published
2020-09-30
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a blind SQL injection in the knximport component via an advanced attack vector, allowing logged in attackers to discover arbitrary information.
CVSS Score
4.3
EPSS Score
0.003
Published
2020-09-30
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a CSRF issue (with resultant SSRF) in the com_mb24proxy module, allowing attackers to steal session information from logged-in users with a crafted link.
CVSS Score
6.5
EPSS Score
0.001
Published
2020-09-30
An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position where he or she can be coerced into proving or disproving an exposure notification, because of the persistent state of a private framework.
CVSS Score
5.7
EPSS Score
0.001
Published
2020-09-30
Projectworlds Visitor Management System in PHP 1.0 allows SQL Injection. The file front.php does not perform input validation on the 'rid' parameter. An attacker can append SQL queries to the input to extract sensitive information from the database.
CVSS Score
8.8
EPSS Score
0.004
Published
2020-09-30
Projectworlds Visitor Management System in PHP 1.0 allows XSS. The file myform.php does not perform input validation on the request parameters. An attacker can inject javascript payloads in the parameters to perform various attacks such as stealing of cookies,sensitive information etc.
CVSS Score
6.1
EPSS Score
0.004
Published
2020-09-30
An issue was discovered in SourceCodester Seat Reservation System 1.0. The file admin_class.php does not perform input validation on the username and password parameters. An attacker can send malicious input in the post request to /admin/ajax.php?action=login and bypass authentication, extract sensitive information etc.
CVSS Score
9.1
EPSS Score
0.124
Published
2020-09-30