Security Vulnerabilities - CVEs Published In November 2020
This affects the package jsreport-chrome-pdf before 1.10.0.
CVSS Score: 6.5, EPSS Score: 0.003, Published: 2020-11-05
This affects the package @absolunet/kafe before 3.2.10. It allows a denial of service when validating crafted invalid emails.
CVSS Score: 5.3, EPSS Score: 0.004, Published: 2020-11-05
An unrestricted file upload issue in HorizontCMS through 1.0.0-beta allows an authenticated remote attacker (with access to the FileManager) to upload and execute arbitrary PHP code by uploading a PHP payload, and then using the FileManager's rename function to provide the payload (which will receive a random name on the server) with the PHP extension, and finally executing the PHP file via an HTTP GET request to /storage/<php_file_name>. NOTE: the vendor has patched this while leaving the version number at 1.0.0-beta.
CVSS Score: 8.8, EPSS Score: 0.737, Published: 2020-11-05
HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Fixed in 1.7.9 and 1.8.5.
CVSS Score: 7.5, EPSS Score: 0.025, Published: 2020-11-04
DatabaseSchemaViewer before version 2.7.4.3 is vulnerable to arbitrary code execution if a user is tricked into opening a specially crafted `.dbschema` file. The patch was released in v2.7.4.3. As a workaround, ensure `.dbschema` files from untrusted sources are not opened.
CVSS Score: 8.0, EPSS Score: 0.007, Published: 2020-11-04
The Relish (Verve Connect) VH510 device with firmware before 1.0.1.6L0516 contains a buffer overflow within its web management portal. When a POST request is sent to /boaform/admin/formDOMAINBLK with a large blkDomain value, the Boa server crashes.
CVSS Score: 5.5, EPSS Score: 0.001, Published: 2020-11-04
The Relish (Verve Connect) VH510 device with firmware before 1.0.1.6L0516 allows XSS via URLBlocking Settings, SNMP Settings, and System Log Settings.
CVSS Score: 6.1, EPSS Score: 0.003, Published: 2020-11-04
The Relish (Verve Connect) VH510 device with firmware before 1.0.1.6L0516 contains multiple CSRF vulnerabilities within its web management portal. Attackers can, for example, use this to update the TR-069 configuration server settings (responsible for managing devices remotely). This makes it possible to remotely reboot the device or upload malicious firmware.
CVSS Score: 8.8, EPSS Score: 0.001, Published: 2020-11-04
Subrion CMS v4.2.1 allows XSS via the panel/phrases/ VALUE parameter.
CVSS Score: 5.4, EPSS Score: 0.003, Published: 2020-11-04
The Relish (Verve Connect) VH510 device with firmware before 1.0.1.6L0516 contains undocumented default admin credentials for the web management interface. A remote attacker could exploit this vulnerability to log in and execute commands on the device, as well as upgrade the firmware image to a malicious version.
CVSS Score: 9.8, EPSS Score: 0.016, Published: 2020-11-04

