Security Vulnerabilities - CVEs Published In November 2020
app\admin\controller\sys\Uploads.php in lemocms 1.8.x allows users to upload executable files.
CVSS Score: 7.3 | EPSS Score: 0.003 | Published: 2020-11-18
RSA Archer 6.8 through 6.8.0.3 and 6.9 contains a URL injection vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability by tricking a victim application user into executing malicious JavaScript code in the context of the web application.
CVSS Score: 6.1 | EPSS Score: 0.005 | Published: 2020-11-18
httpd on TP-Link TL-WPA4220 devices (hardware versions 2 through 4) allows remote authenticated users to trigger a buffer overflow (causing a denial of service) by sending a POST request to the /admin/syslog endpoint. Fixed version: TL-WPA4220(EU)_V4_201023.
CVSS Score: 6.5 | EPSS Score: 0.009 | Published: 2020-11-18
Valve's Game Networking Sockets prior to version v1.2.0 improperly handles unreliable segments with negative offsets in function SNP_ReceiveUnreliableSegment(), leading to a Heap-Based Buffer Underflow and a free() of memory not from the heap, resulting in a memory corruption and probably even a remote code execution.
CVSS Score: 9.8 | EPSS Score: 0.1 | Published: 2020-11-18
Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL.
CVSS Score: 6.1 | EPSS Score: 0.009 | Published: 2020-11-18
A CWE-787: Out-of-bounds Write vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause corruption of data, a crash, or code execution when uploading a specially crafted file on the controller over FTP.
CVSS Score: 8.8 | EPSS Score: 0.01 | Published: 2020-11-18
A CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause write access and the execution of commands when uploading a specially crafted file on the controller over FTP.
CVSS Score: 8.8 | EPSS Score: 0.012 | Published: 2020-11-18
Kamailio before 5.4.0, as used in Sip Express Router (SER) in Sippy Softswitch 4.5 through 5.2 and other products, allows a bypass of a header-removal protection mechanism via whitespace characters. This occurs in the remove_hf function in the Kamailio textops module. Particular use of remove_hf in Sippy Softswitch may allow a skilled attacker with a valid credential in the system to disrupt internal call start/duration accounting mechanisms, potentially leading to a loss of revenue.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2020-11-18
A CWE-125: Out-of-Bounds Read vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause a segmentation fault or a buffer overflow when uploading a specially crafted file on the controller over FTP.
CVSS Score: 8.1 | EPSS Score: 0.005 | Published: 2020-11-18
Cross Site Scripting (XSS) vulnerability in the Registration page of the admin panel in PHPGurukul User Registration & Login and User Management System With admin panel 2.1.
CVSS Score: 4.8 | EPSS Score: 0.004 | Published: 2020-11-18