Vulnerability Summary for the Week of May 25, 2020
Original release date: June 1, 2020
High Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| adminpanel — adminplanel | Jason2605 AdminPanel 4.0 allows SQL Injection via the editPlayer.php hidden parameter. | 2020-05-24 | 7.5 | CVE-2020-13433 MISC MISC |
| apache — kylin | Kylin has some RESTful APIs which concatenate an OS command with the user input string; a user is likely to be able to execute any OS command without any protection or validation. | 2020-05-22 | 9 | CVE-2020-1956 MISC |
| aviatrix — vpn_client | An Elevation of Privilege issue was discovered in Aviatrix VPN Client before 2.10.7, because of an incomplete fix for CVE-2020-7224. This affects Linux, macOS, and Windows installations for certain OpenSSL parameters. | 2020-05-22 | 7.5 | CVE-2020-13417 MISC |
| bosch — recording_station | Improper Access Control in the Kiosk Mode functionality of Bosch Recording Station allows a local unauthenticated attacker to escape from the Kiosk Mode and access the underlying operating system. | 2020-05-27 | 7.2 | CVE-2020-6774 MISC |
| cisco — prime_network_registrar | A vulnerability in the DHCP server of Cisco Prime Network Registrar could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to insufficient input validation of incoming DHCP traffic. An attacker could exploit this vulnerability by sending a crafted DHCP request to an affected device. A successful exploit could allow the attacker to cause a restart of the DHCP server process, causing a DoS condition. | 2020-05-22 | 7.8 | CVE-2020-3272 CISCO |
| cisco — unified_contact_center_express | A vulnerability in the Java Remote Management Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary code as the root user on an affected device. | 2020-05-22 | 10 | CVE-2020-3280 CISCO |
| cybozu — cybozu_desktop_for_windows | Cybozu Desktop for Windows 2.0.23 to 2.2.40 allows remote code execution via unspecified vectors. | 2020-05-25 | 7.5 | CVE-2020-5537 JVN MISC MISC |
| dext5 — dext5_upload | A remote code execution vulnerability exists in DEXT5Upload in DEXT5 through 2.7.1402870. An attacker can upload a PHP file via the dext5handler.jsp handler because the uploaded file is stored under dext5uploadeddata/. | 2020-05-25 | 7.5 | CVE-2020-13442 MISC |
| dns-sync — dns-sync | node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of arbitrary commands. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This has been fixed in 0.2.1. | 2020-05-28 | 7.5 | CVE-2020-11079 MISC CONFIRM |
| kaoni — ezhttptrans | The Ezhttptrans.ocx ActiveX Control in Kaoni ezHTTPTrans 1.0.0.70 and prior versions contains a vulnerability that could allow a remote attacker to download and execute an arbitrary file by setting the arguments to the ActiveX method. This can be leveraged for code execution. | 2020-05-22 | 7.5 | CVE-2020-7813 MISC MISC |
| kaoni — ezhttptrans | The Ezhttptrans.ocx ActiveX Control in Kaoni ezHTTPTrans 1.0.0.70 and prior versions contains a vulnerability that could allow a remote attacker to download an arbitrary file by setting the arguments to the ActiveX method. This can be leveraged for code execution by rebooting the victim’s PC. | 2020-05-28 | 7.5 | CVE-2020-7812 MISC MISC |
| lenovo — lj4010dn_devices | A denial of service vulnerability was reported in the firmware prior to version 1.01 used in Lenovo Printer LJ4010DN that could be triggered by a remote user sending a crafted packet to the device, preventing subsequent print jobs until the printer is rebooted. | 2020-05-28 | 7.8 | CVE-2020-8330 CONFIRM |
| lenovo — lj4010dn_devices | A denial of service vulnerability was reported in the firmware prior to version 1.01 used in Lenovo Printer LJ4010DN that could be triggered by a remote user sending a crafted packet to the device, causing an error to be displayed and preventing the printer from functioning until the printer is rebooted. | 2020-05-28 | 7.8 | CVE-2020-8329 CONFIRM |
| mozilla — firefox | Incorrect origin serialization of URLs with IPv6 addresses could lead to incorrect security checks. This vulnerability affects Firefox < 76. | 2020-05-26 | 7.5 | CVE-2020-12390 MISC MISC |
| mozilla — firefox | Mozilla developers and community members reported memory safety bugs present in Firefox 75. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 76. | 2020-05-26 | 7.5 | CVE-2020-12396 MISC MISC |
| mozilla — firefox_and_firefox_esr | The Firefox content processes did not sufficiently lock down access control, which could result in a sandbox escape. *Note: this issue only affects Firefox on Windows operating systems.* This vulnerability affects Firefox ESR < 68.8 and Firefox < 76. | 2020-05-26 | 7.5 | CVE-2020-12389 MISC MISC MISC |