Kia Denies Ransomware Attack as IT Outage Continues

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database CVE-2020-28248
PUBLISHED: 2021-02-20

An integer overflow in the PngImg::InitStorage_() function of png-img before 3.1.0 leads to an under-allocation of heap memory and subsequently an exploitable heap-based buffer overflow when loading a crafted PNG file.

CVE-2020-12668
PUBLISHED: 2021-02-19

Jinjava before 2.5.4 allow access to arbitrary classes by calling Java methods on objects passed into a Jinjava context. This could allow for abuse of the application class loader, including Arbitrary File Disclosure.

CVE-2020-12873
PUBLISHED: 2021-02-19

An issue was discovered in Alfresco Enterprise Content Management (ECM) before 6.2.1. A user with privileges to edit a FreeMarker template (e.g., a webscript) may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Alfresco.

CVE-2020-24392
PUBLISHED: 2021-02-19

In voloko twitter-stream 0.1.10, missing TLS hostname validation allows an attacker to perform a man-in-the-middle attack against users of the library (because eventmachine is misused).

CVE-2020-24393
PUBLISHED: 2021-02-19

TweetStream 2.6.1 uses the library eventmachine in an insecure way that does not have TLS hostname validation. This allows an attacker to perform a man-in-the-middle attack.

Read More HERE

Leave a Reply