Read the original article: Vulnerability Summary for the Week of January 4, 2021
Original release date: January 11, 2021
The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
High Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| 1234n — minicms | Directory traversal vulnerability in post-edit.php in MiniCMS V1.10 allows remote attackers to include and execute arbitrary files via the state parameter. | 2021-01-05 | 7.5 | CVE-2020-36052 MISC |
| asciitable.js_project — asciitable.js | The package asciitable.js before 1.0.3 are vulnerable to Prototype Pollution via the main function. | 2021-01-04 | 7.5 | CVE-2020-7771 MISC MISC |
| asus — dsl-n17u_firmware | The ASUS DSL-N17U modem with firmware 1.1.0.2 allows attackers to access the admin interface by changing the admin password without authentication via a POST request to Advanced_System_Content.asp with the uiViewTools_username=admin&uiViewTools_Password= and uiViewTools_PasswordConfirm= substrings. | 2021-01-04 | 10 | CVE-2020-35219 MISC MISC |
| chatter-social — creeper | Creeper is an experimental dynamic, interpreted language. The binary release of Creeper Interpreter 1.1.3 contains potential malware. The compromised binary release was available for a few hours between December 26, 2020 at 3:22 PM EST to December 26, 2020 at 11:00 PM EST. If you used the source code, you are **NOT** affected. This only affects the binary releases. The binary of unknown quality has been removed from the release. If you have downloaded the binary, please delete it and run a reputable antivirus scanner to ensure that your computer is clean. | 2021-01-04 | 7.5 | CVE-2020-26292 CONFIRM |
| clickhouse-driver_project — clickhouse-driver | clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, due to a buffer overflow. | 2021-01-06 | 7.5 | CVE-2020-26759 MISC MISC |
| cse_bookstore_project — cse_bookstore | CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php and in cart.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database on which the web application is running. | 2021-01-04 | 7.5 | CVE-2020-36112 MISC |
| dell — emc_isilon_onefs | Dell EMC Isilon OneFS versions 8.1 and later and Dell EMC PowerScale OneFS version 9.0.0 contain a privilege escalation vulnerability on a SmartLock Compliance mode cluster. The compadmin user connecting using ISI PRIV LOGIN SSH or ISI PRIV LOGIN CONSOLE can elevate privileges to the root user if they have ISI PRIV HARDENING privileges. | 2021-01-05 | 7.2 | CVE-2020-26181 MISC |
| djv_project — djv | This affects the package djv before 2.1.4. By controlling the schema file, an attacker can run arbitrary JavaScript code on the victim machine. | 2021-01-04 | 10 | CVE-2020-28464 MISC MISC MISC |
| drivergenius — drivergenius_firmware | MyDrivers64.sys in DriverGenius 9.61.3708.3054 allows attackers to cause a system crash via the ioctl command 0x9c402000 to \\.\MyDrivers0_0_1. | 2021-01-03 | 7.1 | CVE-2020-28841 MISC MISC |
| fasterxml — jackson-databind | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. | 2021-01-06 | 7.5 | CVE-2020-36185 MISC MISC |
| fasterxml — jackson-databind | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. | 2021-01-06 | 7.5 | CVE-2020-36181 MISC MISC |
| fasterxml — jackson-databind | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. | 2021-01-07 | 7.5 | CVE-2020-36182 MISC MISC |
| fasterxml — jackson-databind | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. | 2021-01-07 | 7.5 | CVE-2020-36183 MISC MISC |
| fasterxml — jackson-databind | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. | 2021-01-06 | 7.5 | CVE-2020-36184 MISC MISC |
| fasterxml — jackson-databind | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. | 2021-01-07 | 7.5 | CVE-2020-36179 MISC MISC |
| fasterxml — jackson-databind | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. | 2021-01-06 | 7.5 | CVE-2020-36186 Become a supporter of IT Security News and help us remove the ads. Read the original article: Vulnerability Summary for the Week of January 4, 2021
Post navigation |