Security Vulnerabilities - CVEs Published In March 2020
Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen).
CVSS Score: 9.8 | EPSS Score: 0.012 | Published: 2020-03-16
Post-authentication Stored XSS in Team Password Manager through 7.93.204 allows attackers to steal other users' credentials by creating a shared password with HTML code as the title.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2020-03-16
In JFrog Artifactory before 6.18, it is not possible to restrict either system or repository imports by any admin user in the enterprise, which can lead to "undesirable results."
CVSS Score: 7.2 | EPSS Score: 0.005 | Published: 2020-03-16
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
CVSS Score: 5.3 | EPSS Score: 0.001 | Published: 2020-03-16
Umbraco Cloud 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Packages functionality.
CVSS Score: 8.8 | EPSS Score: 0.029 | Published: 2020-03-16
A Remote Code Execution vulnerability exists in PRTG Network Monitor before 19.4.54.1506 that allows attackers to execute code due to insufficient sanitization when passing arguments to the HttpTransactionSensor.exe binary. In order to exploit the vulnerability, remote authenticated administrators need to create a new HTTP Transaction Sensor and set specific settings when the sensor is executed.
CVSS Score: 7.2 | EPSS Score: 0.127 | Published: 2020-03-16
configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents from providers before logging.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2020-03-16
be_teacher in class-lp-admin-ajax.php in the LearnPress plugin 3.2.6.5 and earlier for WordPress allows any registered user to assign itself the teacher role via the wp-admin/admin-ajax.php?action=learnpress_be_teacher URI without any additional permission checks. Therefore, any user can change its role to an instructor/teacher and gain access to otherwise restricted data.
CVSS Score: 6.5 | EPSS Score: 0.004 | Published: 2020-03-16
A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access and modify information with administrative privileges by not following the HTTP Location header in server responses. This is fixed in all iTop packages (community, essential, professional) in versions 2.5.4, 2.6.3, and 2.7.0.
CVSS Score: 8.1 | EPSS Score: 0.005 | Published: 2020-03-16
uhttpd in OpenWrt through 18.06.5 and 19.x through 19.07.0-rc2 has an integer signedness error. This leads to out-of-bounds access to a heap buffer and a subsequent crash. It can be triggered with an HTTP POST request to a CGI script, specifying both "Transfer-Encoding: chunked" and a large negative Content-Length value.
CVSS Score: 7.5 | EPSS Score: 0.011 | Published: 2020-03-16
Shodan ® - All rights reserved