Security Vulnerabilities - CVEs Published In November 2020
AudimexEE before 14.1.1 is vulnerable to reflected XSS (cross-site scripting). If the recommended security configuration parameter "unique_error_numbers" is not set, remote attackers can inject arbitrary web script or HTML via the 'action', 'cargo', and 'panel' parameters, which can lead to data leakage.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2020-11-05
Git LFS 2.12.0 allows Remote Code Execution.
CVSS Score: 9.8 | EPSS Score: 0.926 | Published: 2020-11-05
RVToolsPasswordEncryption.exe in RVTools 4.0.6 allows users to encrypt passwords to be used in the configuration files. This encryption used a static IV and key, and thus using the Decrypt() method from VISKD.cs from the RVTools.exe executable allows for decrypting the encrypted passwords. The accounts used in the configuration files have access to vSphere instances.
CVSS Score: 7.5 | EPSS Score: 0.08 | Published: 2020-11-05
The HK1 Box S905X3 TV Box contains a vulnerability that allows a local unprivileged user to escalate to root using the /system/xbin/su binary via a serial port (UART) connection or using adb.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2020-11-05
A remote code execution vulnerability is identified in FruityWifi through 2.4. Due to improperly escaped shell metacharacters obtained from the POST request at the page_config_adv.php page, it is possible to perform remote code execution by an authenticated attacker. This is similar to CVE-2018-17317.
CVSS Score: 8.8 | EPSS Score: 0.049 | Published: 2020-11-05
Immuta v2.8.2 is affected by stored XSS that allows a low-privileged user to escalate privileges to administrative permissions. Additionally, unauthenticated attackers can phish unauthenticated Immuta users to steal credentials or force actions on authenticated users through reflected, DOM-based XSS.
CVSS Score: 9.0 | EPSS Score: 0.01 | Published: 2020-11-05
Immuta v2.8.2 accepts user-supplied project names without properly sanitizing the input, allowing attackers to inject arbitrary HTML content that is rendered as part of the application. An attacker could leverage this to redirect application users to a phishing website in an attempt to steal credentials.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2020-11-05
Immuta v2.8.2 is affected by improper session management: user sessions are not revoked upon logout.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2020-11-05
Immuta v2.8.2 is affected by one instance of insecure permissions that can lead to user account takeover.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2020-11-05
This affects the package phantom-html-to-pdf before 0.6.1.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2020-11-05



Shodan ® - All rights reserved