Security Vulnerabilities - CVEs Published In 2020
Nifty-PM CPE 2.3 is affected by stored HTML injection. The impact is remote arbitrary code execution.
CVSS Score
6.1
EPSS Score
0.005
Published
2020-12-21
EgavilanMedia User Registration & Login System with Admin Panel 1.0 is affected by Cross Site Request Forgery (CSRF) to remotely gain privileges in the User Profile panel. An attacker can update any user's account.
CVSS Score
8.0
EPSS Score
0.002
Published
2020-12-21
DotCMS Add Template with admin panel 20.11 is affected by cross-site Scripting (XSS) to gain remote privileges. An attacker could compromise the security of a website or web application through a stored XSS attack and stealing cookies using XSS.
CVSS Score
4.8
EPSS Score
0.002
Published
2020-12-21
Coastercms v5.8.18 is affected by cross-site Scripting (XSS). A user can steal a cookie and make the user redirect to any malicious website because it is trigged on the main home page of the product/application.
CVSS Score
5.4
EPSS Score
0.004
Published
2020-12-21
EgavilanMedia ECM Address Book 1.0 is affected by SQL injection. An attacker can bypass the Admin Login panel through SQLi and get Admin access and add or remove any user.
CVSS Score
9.8
EPSS Score
0.003
Published
2020-12-21
LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does not ever reach the maximum allowed retries.
CVSS Score
9.8
EPSS Score
0.428
Published
2020-12-21
The limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows wp-admin/options-general.php?page=limit-login-attempts&tab= XSS. A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims.
CVSS Score
5.4
EPSS Score
0.002
Published
2020-12-21
Affected versions of Atlassian Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the file upload request feature of code reviews. The affected versions are before version 4.7.4, and from version 4.8.0 before 4.8.5.
CVSS Score
4.3
EPSS Score
0.004
Published
2020-12-21
tindy2013 subconverter 0.6.4 has a /sub?target=%TARGET%&url=%URL%&config=%CONFIG% API endpoint that accepts an arbitrary %URL% value and launches a GET request for it, but does not consider that the external request target may indirectly redirect back to this original /sub endpoint. Thus, a request loop and a denial of service may occur.
CVSS Score
7.5
EPSS Score
0.004
Published
2020-12-20
srs2.c in PostSRSd before 1.10 allows remote attackers to cause a denial of service (CPU consumption) via a long timestamp tag in an SRS address.
CVSS Score
7.5
EPSS Score
0.017
Published
2020-12-20