Security Vulnerabilities - CVEs Published In November 2020
JetBrains ToolBox before version 1.18 is vulnerable to Remote Code Execution via a browser protocol handler.
CVSS Score
9.8
EPSS Score
0.0
Published
2020-11-16
In JetBrains YouTrack before 2020.3.6638, improper access control for some subresources leads to information disclosure via the REST API.
CVSS Score
7.5
EPSS Score
0.0
Published
2020-11-16
In JetBrains YouTrack before 2020.3.7955, an attacker could access workflow rules without appropriate access grants.
CVSS Score
5.3
EPSS Score
0.0
Published
2020-11-16
Chronoforeum 2.0.11 allows Stored XSS vulnerabilities when inserting a crafted payload into a post. If any user sees the post, the inserted XSS code is executed.
CVSS Score
6.1
EPSS Score
0.003
Published
2020-11-16
This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.
CVSS Score
5.6
EPSS Score
0.002
Published
2020-11-16
This affects the package markdown-it-highlightjs before 3.3.1. It is possible insert malicious JavaScript as a value of lang in the markdown-it-highlightjs Inline code highlighting feature. const markdownItHighlightjs = require("markdown-it-highlightjs"); const md = require('markdown-it'); const reuslt_xss = md() .use(markdownItHighlightjs, { inline: true }) .render('console.log(42){.">js}'); console.log(reuslt_xss);
CVSS Score
6.5
EPSS Score
0.004
Published
2020-11-16
A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later.
CVSS Score
4.8
EPSS Score
0.001
Published
2020-11-16
SQL injection vulnerability in the XooNIps 3.49 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors.
CVSS Score
8.8
EPSS Score
0.007
Published
2020-11-16
Reflected cross-site scripting vulnerability in XooNIps 3.49 and earlier allows remote authenticated attackers to inject arbitrary script via unspecified vectors.
CVSS Score
5.4
EPSS Score
0.002
Published
2020-11-16
Stored cross-site scripting vulnerability in XooNIps 3.49 and earlier allows remote authenticated attackers to inject arbitrary script via unspecified vectors.
CVSS Score
5.4
EPSS Score
0.002
Published
2020-11-16