Security Vulnerabilities - CVEs Published In September 2020
InstallBuilder for Qt Windows (versions prior to 20.7.0) installers look for plugins at a predictable location at initialization time, writable by non-admin users. While those plugins are not required, they are loaded if present, which could allow an attacker to plant a malicious library which could result in code execution with the security scope of the installer.
CVSS Score
7.8
EPSS Score
0.001
Published
2020-09-18
An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The ASP.net SMS module can be used to read and validate the source code of ASP files. By altering the path, it can be made to read any file on the Operating System, usually with NT AUTHORITY\SYSTEM privileges.
CVSS Score
4.9
EPSS Score
0.004
Published
2020-09-18
An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The RSS To SMS module processes XML files in an unsafe manner. This opens the application to an XML External Entity attack that can be used to perform SSRF or read arbitrary local files.
CVSS Score
7.5
EPSS Score
0.004
Published
2020-09-18
A flaw was found in the Linux kernel in versions before 5.9-rc6. When changing screen size, an out-of-bounds memory write can occur leading to memory corruption or a denial of service. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.
CVSS Score
5.6
EPSS Score
0.0
Published
2020-09-18
Philips Clinical Collaboration Platform, Versions 12.2.1 and prior. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties required to process the data safely and correctly.
CVSS Score
3.4
EPSS Score
0.001
Published
2020-09-18
Philips Clinical Collaboration Platform, Versions 12.2.1 and prior, does not neutralize or incorrectly neutralizes user-controllable input
before it is placed in output used as a webpage that is served to other
users.
CVSS Score
3.5
EPSS Score
0.001
Published
2020-09-18
The Alfresco Reset Password add-on before version 1.2.0 relies on untrusted inputs in a security decision. Intruders can get admin's access to the system using the vulnerability in the project. Impacts all servers where this add-on is installed. The problem is fixed in version 1.2.0
CVSS Score
9.3
EPSS Score
0.002
Published
2020-09-18
SOY CMS 3.0.2 and earlier is affected by Remote Code Execution (RCE) using Unrestricted File Upload. Cross-Site Scripting(XSS) vulnerability that was used in CVE-2020-15183 can be used to increase impact by redirecting the administrator to access a specially crafted page. This vulnerability is caused by insecure configuration in elFinder. This is fixed in version 3.0.2.328.
CVSS Score
6.8
EPSS Score
0.051
Published
2020-09-18
When an attacker claims to have a given identity,
Philips Clinical Collaboration Platform, Versions 12.2.1 and prior,
does not prove or insufficiently proves the claim is correct.
CVSS Score
5.0
EPSS Score
0.001
Published
2020-09-18
SOY CMS 3.0.2.327 and earlier is affected by Unauthenticated Remote Code Execution (RCE). The allows remote attackers to execute any arbitrary code when the inquiry form feature is enabled by the service. The vulnerability is caused by unserializing the form without any restrictions. This was fixed in 3.0.2.328.
CVSS Score
10.0
EPSS Score
0.055
Published
2020-09-18