Security Vulnerabilities - CVEs Published In November 2020
An authentication bypass in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with physical access to device hardware to obtain system information.
CVSS Score: 4.6 | EPSS Score: 0.001 | Published: 2020-11-16
A misconfiguration in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with direct physical access to device hardware to obtain cellular modem information.
CVSS Score: 2.4 | EPSS Score: 0.001 | Published: 2020-11-16
An authentication bypass in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with physical access to device hardware to obtain system information.
CVSS Score: 4.6 | EPSS Score: 0.001 | Published: 2020-11-16
A misconfiguration in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with direct physical access to device hardware to obtain cellular modem information.
CVSS Score: 2.4 | EPSS Score: 0.001 | Published: 2020-11-16
A prototype pollution vulnerability in 'controlled-merge' versions 1.0.0 through 1.2.0 allows an attacker to cause a denial of service and may lead to remote code execution.
CVSS Score: 7.5 | EPSS Score: 0.046 | Published: 2020-11-15
This affects the package doc-path before 2.1.2.
CVSS Score: 7.5 | EPSS Score: 0.008 | Published: 2020-11-15
An issue was discovered in PassMark BurnInTest v9.1 Build 1008, OSForensics v7.1 Build 1012, and PerformanceTest v10.0 Build 1008. The kernel driver exposes IOCTL functionality that allows low-privilege users to map arbitrary physical memory into the address space of the calling process. This could lead to arbitrary Ring-0 code execution and escalation of privileges. This affects DirectIo32.sys and DirectIo64.sys drivers. This issue is fixed in BurnInTest v9.2, PerformanceTest v10.0 Build 1009, OSForensics v8.0.
CVSS Score: 7.8 | EPSS Score: 0.002 | Published: 2020-11-13
ask_password in Tomb 2.0 through 2.7 returns a warning when pinentry-curses is used and $DISPLAY is non-empty, causing affected users' files to be encrypted with "tomb {W] Detected DISPLAY, but only pinentry-curses is found." as the encryption key.
CVSS Score: 9.8 | EPSS Score: 0.002 | Published: 2020-11-13
Improper preservation of permissions in Nagios XI 5.7.4 allows a local, low-privileged, authenticated user to weaken the permissions of files, resulting in low-privileged users being able to write to and execute arbitrary PHP code with root privileges.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2020-11-13
Opera Touch for iOS before version 2.4.5 is vulnerable to an address bar spoofing attack. The vulnerability allows a malicious page to trick the browser into showing an address of a different page. This may allow the malicious page to impersonate another page and trick a user into providing sensitive data.
CVSS Score: 4.3 | EPSS Score: 0.003 | Published: 2020-11-13

