Vulnerabilities
Vulnerable Software
Security Vulnerabilities - CVEs Published In December 2020
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to bypass a global authorization check for anonymous users by manipulating request paths.
CVSS Score
7.5
EPSS Score
0.059
Published
2020-12-17
Time-based SQL injection exists in Spotweb 1.4.9 via the query string.
CVSS Score
9.8
EPSS Score
0.038
Published
2020-12-17
Fleet is an open source osquery manager. In Fleet before version 3.5.1, due to issues in Go's standard library XML parsing, a valid SAML response may be mutated by an attacker to modify the trusted document. This can result in allowing unverified logins from a SAML IdP. Users that configure Fleet with SSO login may be vulnerable to this issue. This issue is patched in 3.5.1. The fix was made using https://github.com/mattermost/xml-roundtrip-validator If upgrade to 3.5.1 is not possible, users should disable SSO authentication in Fleet.
CVSS Score
10.0
EPSS Score
0.022
Published
2020-12-17
IBM Security Key Lifecycle Manager 3.0.1 and 4.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190289.
CVSS Score
5.4
EPSS Score
0.006
Published
2020-12-17
IBM Security Key Lifecycle Manager 3.0.1 and 4.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 190290.
CVSS Score
2.7
EPSS Score
0.01
Published
2020-12-17
The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
CVSS Score
10.0
EPSS Score
0.896
Published
2020-12-17
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
CVSS Score
8.1
EPSS Score
0.077
Published
2020-12-17
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
CVSS Score
8.1
EPSS Score
0.095
Published
2020-12-17
Lack of validation on data read from guest memory in IntPeGetDirectory, IntPeParseUnwindData, IntLogExceptionRecord, IntKsymExpandSymbol and IntLixTaskDumpTree may lead to out-of-bounds read or it could cause DoS due to integer-overflor (IntPeGetDirectory), TOCTOU (IntPeParseUnwindData) or insufficient validations.
CVSS Score
5.5
EPSS Score
0.003
Published
2020-12-17
Memory corruption in IntLixCrashDumpDmesg, IntLixTaskFetchCmdLine, IntLixFileReadDentry and IntLixFileGetPath due to insufficient guest-data input validation may lead to denial of service conditions.
CVSS Score
6.1
EPSS Score
0.003
Published
2020-12-17


Contact Us

Shodan ® - All rights reserved