Security Vulnerabilities - CVEs Published In November 2020
Airleader Master and Easy <= 6.21 devices have default credentials that can be used for a denial of service.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2020-11-16
Airleader Master <= 6.21 devices have default credentials that can be used to access the exposed Tomcat Manager for deployment of a new .war file, with resultant remote code execution.
CVSS Score: 9.8 | EPSS Score: 0.011 | Published: 2020-11-16
The import.json.php file before 8.9 for Avideo is vulnerable to a File Deletion vulnerability. This allows the deletion of configuration.php, which leads to certain privilege checks not being in place, and therefore a user can escalate privileges to admin.
CVSS Score: 8.8 | EPSS Score: 0.071 | Published: 2020-11-16
There was a local file disclosure vulnerability in AVideo < 8.9 via the proxy streaming. An unauthenticated attacker can exploit this issue to read an arbitrary file on the server, which could leak database credentials or other sensitive information such as the /etc/passwd file.
CVSS Score: 7.5 | EPSS Score: 0.167 | Published: 2020-11-16
In Gila CMS 1.16.0, an attacker can upload a shell to the tmp directory and abuse .htaccess through the logs function to execute PHP files.
CVSS Score: 7.2 | EPSS Score: 0.005 | Published: 2020-11-16
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.2 and 5.2.0.0 through 5.2.6.5 could allow an authenticated user belonging to a specific user group to create a user or group with administrative privileges. IBM X-Force ID: 187077.
CVSS Score: 7.5 | EPSS Score: 0.006 | Published: 2020-11-16
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.2 and 5.2.0.0 through 5.2.6.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 187190.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2020-11-16
IBM Sterling File Gateway 6.0.0.0 through 6.0.3.2 and 2.2.0.0 through 2.2.6.5 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 188897.
CVSS Score: 4.3 | EPSS Score: 0.002 | Published: 2020-11-16
Nagios XI before 5.7.5 is vulnerable to XSS in the Deployment tool (add agent).
CVSS Score: 5.4 | EPSS Score: 0.177 | Published: 2020-11-16
Nagios XI before 5.7.5 is vulnerable to XSS in Account Information (Email field).
CVSS Score: 5.4 | EPSS Score: 0.177 | Published: 2020-11-16

