Security Vulnerabilities - CVEs Published In September 2020
MediaKind (formerly Ericsson) RX8200 5.13.3 devices are vulnerable to multiple reflected and stored XSS. An attacker has to inject JavaScript code directly in the "path" or "Services+ID" parameters and send the URL to a user in order to exploit reflected XSS. In the case of stored XSS, an attacker must modify the "name" parameter with the malicious code.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2020-09-14

WordPress Plugin Store / SoftradeWeb SNC WP SMART CRM V1.8.7 is affected by: Cross Site Scripting via the Business Name field, Tax Code field, First Name field, Address field, Town field, Phone field, Mobile field, Place of Birth field, Web Site field, VAT Number field, Last Name field, Fax field, Email field, and Skype field.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2020-09-14

WordPress Plugin Store / AccessPress Themes WP Floating Menu V1.3.0 is affected by: Cross Site Scripting (XSS) via the id GET parameter.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2020-09-14

WordPress Plugin Store / Mike Rooijackers Recall Products V0.8 fails to sanitize input from the 'Manufacturer[]' parameter, which allows an authenticated attacker to inject a malicious SQL query.
CVSS Score: 8.8 | EPSS Score: 0.024 | Published: 2020-09-14

WordPress Plugin Store / Mike Rooijackers Recall Products V0.8 is affected by: Cross Site Scripting (XSS) via the 'Recall Settings' field in admin.php. An attacker can inject JavaScript code that will be stored and executed.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2020-09-14

Dataiku DSS before 6.0.5 allows attackers with write access to the project to modify the "Created by" metadata.
CVSS Score: 8.1 | EPSS Score: 0.003 | Published: 2020-09-14

D-Link COVR-2600R and COVR-3902 Kit before 1.01b05Beta01 use hardcoded credentials for telnet connection, which allows unauthenticated attackers to gain privileged access to the router, and to extract sensitive data or modify the configuration.
CVSS Score: 9.8 | EPSS Score: 0.165 | Published: 2020-09-14

A timing side channel was discovered in AT91bootstrap before 3.9.2. It can be exploited by attackers with physical access to forge CMAC values and subsequently boot arbitrary code on an affected system.
CVSS Score: 6.8 | EPSS Score: 0.001 | Published: 2020-09-14

AT91bootstrap before 3.9.2 does not properly wipe encryption and authentication keys from memory before passing control to a less privileged software component. This can be exploited to disclose these keys and subsequently encrypt and sign the next boot stage (such as the bootloader).
CVSS Score: 9.1 | EPSS Score: 0.002 | Published: 2020-09-14

Microchip Atmel ATSAMA5 products in Secure Mode allow an attacker to bypass existing security mechanisms related to applet handling.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2020-09-14

