Security Vulnerabilities - CVEs Published In December 2020
SolarWinds Database Performance Analyzer (DPA) 11.1.468 and 12.0.3074 have several persistent XSS vulnerabilities, related to logViewer.iwc, centralManage.cen, userAdministration.iwc, database.iwc, alertManagement.iwc, eventAnnotations.iwc, and central.cen.
CVSS Score: 5.4
EPSS Score: 0.035
Published: 2020-12-15
Icinga 2 v2.8.0 through v2.11.7 and v2.12.2 have an issue where revoked certificates that are due for renewal are automatically renewed, ignoring the CRL. This issue is fixed in Icinga 2 v2.11.8 and v2.12.3.
CVSS Score: 9.1
EPSS Score: 0.002
Published: 2020-12-15
An issue was discovered in the Keysight Database Connector plugin before 1.5.0 for Confluence. A malicious user could insert arbitrary JavaScript into saved macro parameters that would execute when a user viewed a page with that instance of the macro.
CVSS Score: 8.8
EPSS Score: 0.004
Published: 2020-12-15
An issue was discovered in the Keysight Database Connector plugin before 1.5.0 for Confluence. A malicious user could bypass the access controls for using a saved database connection profile to submit arbitrary SQL against a saved database connection.
CVSS Score: 7.5
EPSS Score: 0.002
Published: 2020-12-15
Version 3.16.0 of the CoScale agent Docker image contains a blank password for the root user. Systems deployed using affected versions of the CoScale agent container may allow a remote attacker to achieve root access with a blank password.
CVSS Score: 9.8
EPSS Score: 0.02
Published: 2020-12-15
Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by a pyActivity=Data-TRACERSettings.pzStartTracerSession request to a PRAuth URI.
CVSS Score: 6.1
EPSS Score: 0.002
Published: 2020-12-15
A Remote Code Execution vulnerability exists in SourceCodester Alumni Management System 1.0. An authenticated attacker can upload an arbitrary file via the gallery.php page and then execute it on the server, achieving RCE.
CVSS Score: 7.2
EPSS Score: 0.026
Published: 2020-12-15
GJSON before 1.6.4 allows attackers to cause a denial of service via crafted JSON.
CVSS Score: 7.5
EPSS Score: 0.005
Published: 2020-12-15
jsonparser 1.0.0 allows attackers to cause a denial of service (panic: runtime error: slice bounds out of range) via a GET call.
CVSS Score: 7.5
EPSS Score: 0.004
Published: 2020-12-15
Multiple cross-site scripting (XSS) vulnerabilities exist in PHPJabbers Appointment Scheduler 2.3 in the index.php admin login webpage (via different request parameters), allowing remote attackers to inject arbitrary web script or HTML.
CVSS Score: 6.1
EPSS Score: 0.022
Published: 2020-12-15
Shodan ® - All rights reserved