Security Vulnerabilities - CVEs Published In November 2020
WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.
CVSS Score
9.8
EPSS Score
0.044
Published
2020-11-02
wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.
CVSS Score
9.8
EPSS Score
0.048
Published
2020-11-02
is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).
CVSS Score
9.8
EPSS Score
0.128
Published
2020-11-02
A vulnerability exists in the Origin Client that could allow a non-Administrative user to elevate their access to either Administrator or System. Once the user has obtained elevated access, they may be able to take control of the system and perform actions otherwise reserved for high privileged users or system Administrators.
CVSS Score
7.8
EPSS Score
0.0
Published
2020-11-02
IceWarp 11.4.5.0 allows XSS via the language parameter.
CVSS Score
6.1
EPSS Score
0.079
Published
2020-11-02
An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another's conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey&thread_id={THREAD_ID}.
CVSS Score
4.3
EPSS Score
0.034
Published
2020-11-02
A cross-site scripting (XSS) issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML in the Messenger feature. It was found that the filename of the image or file attached in a message could be used to perform this XSS attack. A user could craft a message and send it to anyone on the platform including admins. The XSS payload would execute on the other account without interaction from the user on several pages.
CVSS Score
5.4
EPSS Score
0.005
Published
2020-11-02
A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.
CVSS Score
5.3
EPSS Score
0.002
Published
2020-11-02
A cross-site scripting (XSS) vulnerability exists in the Origin Client for Mac and PC 10.5.86 or earlier that could allow a remote attacker to execute arbitrary Javascript in a target user’s Origin client. An attacker could use this vulnerability to access sensitive data related to the target user’s Origin account, or to control or monitor the Origin text chat window.
CVSS Score
5.4
EPSS Score
0.002
Published
2020-11-02
A command injection vulnerability exists in Moxa Inc VPort 461 Series Firmware Version 3.4 or lower that could allow a remote attacker to execute arbitrary commands in Moxa's VPort 461 Series Industrial Video Servers.
CVSS Score
9.8
EPSS Score
0.061
Published
2020-11-02