Security Vulnerabilities - CVEs Published In October 2020
This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.
CVSS Score
9.6
EPSS Score
0.07
Published
2020-10-21
SQL injection vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to execute arbitrary SQL commands via a specially crafted URL.
CVSS Score
8.8
EPSS Score
0.007
Published
2020-10-21
Cross-site scripting vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.
CVSS Score
6.1
EPSS Score
0.003
Published
2020-10-21
BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
CVSS Score
9.8
EPSS Score
0.004
Published
2020-10-21
BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
CVSS Score
5.3
EPSS Score
0.002
Published
2020-10-21
In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or transmit it to one or more meeting participants or other third parties.
CVSS Score
6.5
EPSS Score
0.002
Published
2020-10-21
In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
CVSS Score
6.1
EPSS Score
0.003
Published
2020-10-21
BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.
CVSS Score
5.3
EPSS Score
0.002
Published
2020-10-21
The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access.
CVSS Score
7.5
EPSS Score
0.003
Published
2020-10-21
BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint.
CVSS Score
7.3
EPSS Score
0.001
Published
2020-10-21