Security Vulnerabilities - CVEs Published In March 2020
GitLab 11.7 through 12.8.1 allows Information Disclosure. Under certain group conditions, group epic information was unintentionally being disclosed.
CVSS Score
5.3
EPSS Score
0.001
Published
2020-03-13
GitLab 9.3 through 12.8.1 allows XSS. A cross-site scripting vulnerability was found when viewing particular file types.
CVSS Score
6.1
EPSS Score
0.001
Published
2020-03-13
Directory Traversal in Safescan Timemoto and TA-8000 series version 1.0 allows unauthenticated remote attackers to execute code via the administrative API.
CVSS Score
9.8
EPSS Score
0.118
Published
2020-03-13
Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet.
CVSS Score
5.3
EPSS Score
0.069
Published
2020-03-13
GitLab 12.1 through 12.8.1 allows XSS. The merge request submission form was determined to have a stored cross-site scripting vulnerability.
CVSS Score
6.1
EPSS Score
0.001
Published
2020-03-13
GitLab 7.10 through 12.8.1 has Incorrect Access Control. Under certain conditions where users should have been required to configure two-factor authentication, it was not being required.
CVSS Score
5.3
EPSS Score
0.001
Published
2020-03-13
GitLab 8.3 through 12.8.1 allows Information Disclosure. It was possible for certain non-members to access the Contribution Analytics page of a private group.
CVSS Score
5.3
EPSS Score
0.001
Published
2020-03-13
GitLab before 12.8.2 has Incorrect Access Control. It was internally discovered that the LFS import process could potentially be used to incorrectly access LFS objects not owned by the user.
CVSS Score
6.5
EPSS Score
0.001
Published
2020-03-13
An improper neutralization of input vulnerability in Fortinet FortiADC 5.3.3 and earlier may allow an attacker to execute a stored Cross Site Scripting (XSS) via a field in the traffic group interface.
CVSS Score
5.4
EPSS Score
0.003
Published
2020-03-13
The popup-builder plugin before 3.64.1 for WordPress allows information disclosure and settings modification, leading to in-scope privilege escalation via admin-post actions to com/classes/Actions.php. By sending a POST request to wp-admin/admin-post.php, an authenticated attacker with minimal (subscriber-level) permissions can modify the plugin's settings to allow arbitrary roles (including subscribers) access to plugin functionality by setting the action parameter to sgpbSaveSettings, export a list of current newsletter subscribers by setting the action parameter to csv_file, or obtain system configuration information including webserver configuration and a list of installed plugins by setting the action parameter to sgpb_system_info.
CVSS Score
6.3
EPSS Score
0.005
Published
2020-03-13