Cyber Security

Trump Signs IoT Security Bill into Law


Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database

CVE-2020-13945
PUBLISHED: 2020-12-07

In Apache APISIX, if the user enabled the Admin API and deleted the Admin API access IP restriction rules, the default token is then allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5.

CVE-2020-17521
PUBLISHED: 2020-12-07

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy’s implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the ex…

CVE-2020-29597
PUBLISHED: 2020-12-07

IncomCMS 2.0 has an insecure file upload vulnerability in modules/uploader/showcase/script.php. This vulnerability allows unauthenticated attackers to upload files to the server.

CVE-2020-29599
PUBLISHED: 2020-12-07

ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pd…

CVE-2020-29600
PUBLISHED: 2020-12-07

In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501.



 
