Formatting a longtable to look the same as a template

I have a LaTeX longtable with the following code:

\documentclass{article}%
\usepackage[utf8]{inputenc}%
\usepackage{lmodern}%
\usepackage{textcomp}%
\usepackage{lastpage}%
\usepackage[a4paper,scale=1,hmargin=1cm,vmargin=0.5cm]{geometry}%
\usepackage[english]{babel}%
\usepackage{array}%
\usepackage[useregional]{datetime2}%
\usepackage{graphicx}%
\usepackage[final]{pdfpages}%
\usepackage[hyphenbreaks]{breakurl}%
\usepackage{caption}%
\usepackage{subcaption}%
\usepackage{booktabs}%
\usepackage{ltablex}%
\usepackage{longtable}%
\usepackage[protrusion=true,expansion=true]{microtype}%
\usepackage{amsmath,amsfonts,amsthm,amssymb}%
\usepackage{hyperref}%
\usepackage{lscape}%
\usepackage{xurl}%
\usepackage{seqsplit}%
\newcounter{inlineenum}%
\renewcommand{\theinlineenum}{\alph{inlineenum}}%
\newenvironment{inlineenum}%
{\unskip\ignorespaces\setcounter{inlineenum}{0}%%
\renewcommand{\item}{\refstepcounter{inlineenum}{\textit{\theinlineenum})~}}}%
{\ignorespacesafterend}%
\setcounter{tocdepth}{3}%
\makeatletter%
\g@addto@macro{\UrlBreaks}{\UrlOrds}%
\makeatother%
\hypersetup{%
colorlinks,%
citecolor=black,%
filecolor=black,%
linkcolor=blue,%
colorlinks=true,%
urlcolor=blue%
}%
\graphicspath{{img/}}%
\newcommand{\HRule}{\rule{\linewidth}{0.5mm}}%
\usepackage[sorting=none]{biblatex}%
\addbibresource{references.bib}%
%
\begin{document}%
\begin{longtable}{|p{1.5cm}|p{1cm}|p{1.5cm}|p{7.5cm}|p{5cm}|}%
\caption{US-CERT Weekly High Risk Vulnerabilities}%
\\%
\toprule%
\textbf{Date} & \textbf{CVSS} & \textbf{Vendor--Product}  & \textbf{Description}  & \textbf{Source and Patch Info} \\%
\hline%
\endfirsthead%
\multicolumn{3}{c}%
{{\bfseries \tablename\ \thetable{} -- continued}} \\%
\hline \textbf{Date} & \textbf{CVSS} & \textbf{Vendor--Product}  & \textbf{Description}  & \textbf{Source and Patch Info} \\ \hline%
\endhead%
\hline \multicolumn{5}{r}{{Continued \ldots}} \\%
\endfoot%
\endlastfoot%
2020-12-02 & \textcolor{red}{7.5} & \seqsplit{74cms {-}{-} 74cms} &PHP remote file inclusion in the assign\_resume\_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29279} \item \url{http://www.74cms.com/news/show-2497.html} \item \url{https://github.com/BigTiger2020/74CMS/blob/main/README.md} \end{enumerate} \\%
\hline%
2020-12-02 & \textcolor{red}{7.5} & \seqsplit{bloodx\_project {-}{-} bloodx} &SQL injection vulnerability in BloodX 1.0 allows attackers to bypass authentication. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29282} \item \url{https://github.com/BigTiger2020/BloodX-CMS/blob/main/README.md} \item \url{https://github.com/diveshlunker/BloodX} \item \url{https://www.exploit-db.com/exploits/48786} \end{enumerate} \\%
\hline%
2020-11-27 & \textcolor{red}{10.0} & \seqsplit{br{-}automation {-}{-} industrial\_automation\_aprol} &An issue was discovered in B\&R Industrial Automation APROL before R4.2 V7.08. Arbitrary commands could be injected (using Python scripts) via the AprolCluster script that is invoked via sudo and thus executes with root privileges, a different vulnerability than CVE{-}2019{-}16364. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2019-19875} \item \url{https://www.br-automation.com/downloads_br_productcatalogue/BRP44400000000000000585952/APROL_R42_A1_ReleaseNotes_001.pdf} \end{enumerate} \\%
\hline%
2020-11-27 & \textcolor{red}{7.5} & \seqsplit{br{-}automation {-}{-} industrial\_automation\_aprol} &An issue was discovered in B\&R Industrial Automation APROL before R4.2 V7.08. The AprolLoader could be used to inject and execute arbitrary unintended commands via an unspecified attack scenario, a different vulnerability than CVE{-}2019{-}16364. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2019-19872} \item \url{https://www.br-automation.com/downloads_br_productcatalogue/BRP44400000000000000585952/APROL_R42_A1_ReleaseNotes_001.pdf} \end{enumerate} \\%
\hline%
2020-11-27 & \textcolor{red}{7.5} & \seqsplit{br{-}automation {-}{-} industrial\_automation\_aprol} &An issue was discovered in B\&R Industrial Automation APROL before R4.2 V7.08. An EnMon PHP script was vulnerable to SQL injection, a different vulnerability than CVE{-}2019{-}10006. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2019-19876} \item \url{https://www.br-automation.com/downloads_br_productcatalogue/BRP44400000000000000585952/APROL_R42_A1_ReleaseNotes_001.pdf} \end{enumerate} \\%
\hline%
2020-11-27 & \textcolor{red}{7.5} & \seqsplit{br{-}automation {-}{-} industrial\_automation\_aprol} &An issue was discovered in B\&R Industrial Automation APROL before R4.2 V7.08. Some web scripts in the web interface allowed injection and execution of arbitrary unintended commands on the web server, a different vulnerability than CVE{-}2019{-}16364. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2019-19874} \item \url{https://www.br-automation.com/downloads_br_productcatalogue/BRP44400000000000000585952/APROL_R42_A1_ReleaseNotes_001.pdf} \end{enumerate} \\%
\hline%
2020-11-27 & \textcolor{red}{9.3} & \seqsplit{c{-}blosc2\_project {-}{-} c{-}blosc2} &blosc2.c in Blosc C{-}Blosc2 through 2.0.0.beta.5 has a heap{-}based buffer overflow when there is a lack of space to write compressed data. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29367} \item \url{https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26442} \item \url{https://github.com/Blosc/c-blosc2/commit/c4c6470e88210afc95262c8b9fcc27e30ca043ee} \end{enumerate} \\%
\hline%
2020-12-02 & \textcolor{red}{7.5} & \seqsplit{car\_rental\_management\_system\_project {-}{-} car\_rental\_management\_system} &An SQL injection vulnerability was discovered in Car Rental Management System v1.0 can be exploited via the id parameter in view\_car.php or the car\_id parameter in booking.php. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29287} \item \url{https://github.com/BigTiger2020/Car-Rental-Management-System/blob/main/README.md} \item \url{https://www.exploit-db.com/exploits/49056} \item \url{https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html} \end{enumerate} \\%
\hline%
2020-12-02 & \textcolor{red}{7.8} & \seqsplit{cloudfoundry {-}{-} capi{-}release} &CAPI (Cloud Controller) versions prior to 1.101.0 are vulnerable to a denial{-}of{-}service attack in which an unauthenticated malicious attacker can send specially{-}crafted YAML files to certain endpoints, causing the YAML parser to consume excessive CPU and RAM. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-5423} \item \url{https://www.cloudfoundry.org/blog/cve-2020-5423} \end{enumerate} \\%
\hline%
2020-12-02 & \textcolor{red}{10.0} & \seqsplit{crux {-}{-} crux} &The official Crux Linux Docker images 3.0 through 3.4 contain a blank password for a root user. System using the Crux Linux Docker container deployed by affected versions of the Docker image may allow an attacker to achieve root access with a blank password. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29389} \item \url{https://github.com/koharin/koharin2/blob/main/CVE-2020-29389} \end{enumerate} \\%
\hline%
2020-12-01 & \textcolor{red}{7.5} & \seqsplit{edimax {-}{-} ic{-}3116w\_firmware} &A stack{-}based buffer{-}overflow exists in Edimax IP{-}Camera IC{-}3116W (v3.06) and IC{-}3140W (v3.07), which allows an unauthenticated, unauthorized attacker to perform remote{-}code{-}execution due to a crafted GET{-}Request. The overflow occurs in binary ipcam\_cgi due to a missing type check in function doGetSysteminfo(). This has been fixed in version: IC{-}3116W v3.08. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-26762} \item \url{https://www.edimax.com/edimax/download/download/data/edimax/de/download/for_home/home_network_cameras/home_network_cameras_indoor_fixed/ic-3116w} \end{enumerate} \\%
\hline%
2020-11-30 & \textcolor{red}{10.0} & \seqsplit{fujitsu {-}{-} eternus\_storage\_dx200\_s4\_firmware} &An issue was discovered on Fujitsu Eternus Storage DX200 S4 devices through 2020{-}11{-}25. After logging into the portal as a root user (using any web browser), the portal can be accessed with root privileges when the URI cgi{-}bin/csp?cspid=\{XXXXXXXXXX\}\&csppage=cgi\_PgOverview\&csplang=en is visited from a different web browser. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29127} \item \url{http://packetstormsecurity.com/files/160255/Fujitsu-Eternus-Storage-DX200-S4-Broken-Authentication.html} \item \url{https://cxsecurity.com/issue/WLB-2020110215} \item \url{https://seccops.com/fujitsu-eternus-storage-dx200-s4-broken-authentication/} \item \url{https://www.first.org/members/teams/fujitsu_psirt} \end{enumerate} \\%
\hline%
2020-12-02 & \textcolor{red}{7.5} & \seqsplit{gym\_management\_system\_project {-}{-} gym\_management\_system} &An SQL injection vulnerability was discovered in Gym Management System In manage\_user.php file, GET parameter 'id' is vulnerable. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29288} \item \url{https://github.com/BigTiger2020/Gym-Management-System/blob/main/README.md} \item \url{https://www.exploit-db.com/exploits/48936} \item \url{https://www.sourcecodester.com/php/14541/gym-management-system-using-phpmysqli-source-code.html} \end{enumerate} \\%
\hline%
2020-12-02 & \textcolor{red}{10.0} & \seqsplit{hcltech {-}{-} domino} &HCL Domino is susceptible to a Buffer Overflow vulnerability in DXL due to improper validation of user input. A successful exploit could enable an attacker to crash Domino or execute attacker{-}controlled code on the server system. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-14260} \item \url{https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0085500} \end{enumerate} \\%
\hline%
2020-12-02 & \textcolor{red}{7.2} & \seqsplit{hcltech {-}{-} notes} &HCL Notes is susceptible to a Buffer Overflow vulnerability in DXL due to improper validation of user input. A successful exploit could enable an attacker to crash Notes or execute attacker{-}controlled code on the client system. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-4102} \item \url{https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0085499} \end{enumerate} \\%
\hline%
2020-12-02 & \textcolor{red}{10.0} & \seqsplit{hp {-}{-} edgeline\_infrastructure\_manager} &A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-7199} \item \url{https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04063en_us} \end{enumerate} \\%
\hline%
2020-12-01 & \textcolor{red}{7.2} & \seqsplit{huawei {-}{-} fusioncompute} &FusionCompute versions 6.3.0, 6.3.1, 6.5.0, 6.5.1 and 8.0.0 have a privilege escalation vulnerability. Due to improper privilege management, an attacker with common privilege may access some specific files and get the administrator privilege in the affected products. Successful exploit will cause privilege escalation. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-9114} \item \url{https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20201118-01-privilege-en} \end{enumerate} \\%
\hline%
2020-12-01 & \textcolor{red}{9.0} & \seqsplit{huawei {-}{-} manageone} &ManageOne versions 6.5.1.1.B010, 6.5.1.1.B020, 6.5.1.1.B030, 6.5.1.1.B040, ,6.5.1.1.B050, 8.0.0 and 8.0.1 have a command injection vulnerability. An attacker with high privileges may exploit this vulnerability through some operations on the plug{-}in component. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject commands to the target device. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-9115} \item \url{https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20201125-01-commandinjection-en} \end{enumerate} \\%
\hline%
2020-11-30 & \textcolor{red}{9.0} & \seqsplit{ibm {-}{-} cloud\_pak\_for\_security} &IBM Cloud Pak for Security 1.3.0.1(CP4S) potentially vulnerable to CVS Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X{-}Force ID: 185367. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-4627} \item \url{https://exchange.xforce.ibmcloud.com/vulnerabilities/185367} \item \url{https://www.ibm.com/support/pages/node/6372538} \end{enumerate} \\%
\hline%
2020-12-02 & \textcolor{red}{9.0} & \seqsplit{linux {-}{-} linux\_kernel} &An out{-}of{-}bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-14305} \item \url{https://bugs.openvz.org/browse/OVZ-7188} \item \url{https://bugzilla.redhat.com/show_bug.cgi?id=1850716} \item \url{https://patchwork.ozlabs.org/project/netfilter-devel/patch/[email protected]/} \end{enumerate} \\%
\hline%
2020-11-30 & \textcolor{red}{7.8} & \seqsplit{mitsubishielectric {-}{-} r00cpu\_firmware} &Mitsubishi MELSEC iQ{-}R Series PLCs with firmware 49 allow an unauthenticated attacker to halt the industrial process by sending a crafted packet over the network. This denial of service attack exposes Improper Input Validation. After halting, physical access to the PLC is required in order to restore production, and the device state is lost. This is related to R04CPU, RJ71GF11{-}T2, R04CPU, and RJ71GF11{-}T2. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-16850} \item \url{https://blog.scadafence.com/vulnerability-in-mitsubishi-electric-melsec-iq-r-series} \item \url{https://us-cert.cisa.gov/ics/advisories/icsa-20-282-02} \end{enumerate} \\%
\hline%
2020-12-04 & \textcolor{red}{7.5} & \seqsplit{moddable {-}{-} moddable} &Heap buffer overflow in the fxCheckArrowFunction function at moddable/xs/sources/xsSyntaxical.c:3562 in Moddable SDK before OS200903. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-25462} \item \url{https://github.com/Moddable-OpenSource/moddable/issues/432} \item \url{https://github.com/Moddable-OpenSource/moddable/releases/tag/OS200903} \end{enumerate} \\%
\hline%
2020-12-02 & \textcolor{red}{7.5} & \seqsplit{multi\_restaurant\_table\_reservation\_system\_project {-}{-} multi\_restaurant\_table\_reservation\_system} &The file view{-}chair{-}list.php in Multi Restaurant Table Reservation System 1.0 does not perform input validation on the table\_id parameter which allows unauthenticated SQL Injection. An attacker can send malicious input in the GET request to /dashboard/view{-}chair{-}list.php?table\_id= to trigger the vulnerability. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29284} \item \url{https://github.com/BigTiger2020/-Multi-Restaurant-Table-Reservation-System/blob/main/README.md} \item \url{https://www.exploit-db.com/exploits/48984} \item \url{https://www.sourcecodester.com/php/14568/multi-restaurant-table-reservation-system-php-full-source-code.html} \end{enumerate} \\%
\hline%
2020-12-02 & \textcolor{red}{7.5} & \seqsplit{online\_doctor\_appointment\_booking\_system\_php\_and\_mysql\_project {-}{-} online\_doctor\_appointment\_booking\_system\_php\_and\_mysql} &An SQL injection vulnerability was discovered in Online Doctor Appointment Booking System PHP and Mysql via the q parameter to getuser.php. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29283} \item \url{https://github.com/BigTiger2020/Online-Doctor-Appointment-Booking-System-PHP/blob/main/README.md} \item \url{https://projectworlds.in/free-projects/php-projects/online-doctor-appointment-booking-system-php-and-mysql} \end{enumerate} \\%
\hline%
2020-11-27 & \textcolor{red}{7.2} & \seqsplit{pcanalyser {-}{-} pc\_analyser} &An issue was discovered in Devid Espenschied PC Analyser through 4.10. The PCADRVX64.SYS kernel driver exposes IOCTL functionality that allows low{-}privilege users to read and write arbitrary physical memory. This could lead to arbitrary Ring{-}0 code execution and escalation of privileges. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-28922} \item \url{http://www.pcanalyser.de/index.php/historie/} \item \url{https://github.com/eset/vulnerability-disclosures} \item \url{https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-28922/CVE-2020-28922.md} \end{enumerate} \\%
\hline%
2020-11-27 & \textcolor{red}{7.2} & \seqsplit{pcanalyser {-}{-} pc\_analyser} &An issue was discovered in Devid Espenschied PC Analyser through 4.10. The PCADRVX64.SYS kernel driver exposes IOCTL functionality that allows low{-}privilege users to read and write to arbitrary Model Specific Registers (MSRs). This could lead to arbitrary Ring{-}0 code execution and escalation of privileges. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-28921} \item \url{http://www.pcanalyser.de/index.php/historie/} \item \url{https://github.com/eset/vulnerability-disclosures} \item \url{https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-28921/CVE-2020-28921.md} \end{enumerate} \\%
\hline%
2020-12-02 & \textcolor{red}{7.5} & \seqsplit{point\_of\_sales\_in\_php\textbackslash{}/pdo\_project {-}{-} point\_of\_sales\_in\_php\textbackslash{}/pdo} &SQL injection vulnerability was discovered in Point of Sales in PHP/PDO 1.0, which can be exploited via the id parameter to edit\_category.php. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29285} \item \url{https://github.com/BigTiger2020/Point-of-Sales/blob/main/README.md} \item \url{https://projectworlds.in/free-projects/php-projects/online-doctor-appointment-booking-system-php-and-mysql} \item \url{https://www.sourcecodester.com/php/14540/point-sales-phppdo-full-source-code-2020.html} \end{enumerate} \\%
\hline%
2020-11-30 & \textcolor{red}{7.5} & \seqsplit{readymedia\_project {-}{-} readymedia} &ReadyMedia (aka MiniDLNA) before versions 1.3.0 allows remote code execution. Sending a malicious UPnP HTTP request to the miniDLNA service using HTTP chunked encoding can lead to a signedness bug resulting in a buffer overflow in calls to memcpy/memmove. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-28926} \item \url{https://sourceforge.net/projects/minidlna/} \item \url{https://www.rootshellsecurity.net/remote-heap-corruption-bug-discovery-minidlna/} \end{enumerate} \\%
\hline%
2020-11-30 & \textcolor{red}{10.0} & \seqsplit{synology {-}{-} safeaccess} &SQL injection vulnerability in request.cgi in Synology SafeAccess before 1.2.3{-}0234 allows remote attackers to execute arbitrary SQL commands via the domain parameter. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-27660} \item \url{https://www.synology.com/security/advisory/Synology_SA_20_25} \end{enumerate} \\%
\hline%
2020-11-27 & \textcolor{red}{7.5} & \seqsplit{systeminformation {-}{-} systeminformation} &npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite(). &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-26245} \item \url{https://github.com/sebhildebrandt/systeminformation/commit/8113ff0e87b2f422a5756c48f1057575e73af016} \item \url{https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-4v2w-h9jm-mqjg} \end{enumerate} \\%
\hline%
2020-11-30 & \textcolor{red}{10.0} & \seqsplit{ucms\_project {-}{-} ucms} &File upload vulnerability exists in UCMS 1.5.0, and the attacker can take advantage of this vulnerability to obtain server management permission. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-25537} \item \url{https://github.com/BigTiger2020/UCMS/blob/main/UCMS%20v1.5.0%20Arbitrary%20file%20upload%20vulnerability%20get%20shell.md} \item \url{https://sunian19.github.io/2020/09/11/UCMS%20v1.5.0%20Arbitrary%20file%20upload%20vulnerability/} \end{enumerate} \\%
\hline%
2020-12-02 & \textcolor{red}{7.5} & \seqsplit{valvesoftware {-}{-} game\_networking\_sockets} &Valve's Game Networking Sockets prior to version v1.2.0 improperly handles long encrypted messages in function AES\_GCM\_DecryptContext::Decrypt() when compiled using libsodium, leading to a Stack{-}Based Buffer Overflow and resulting in a memory corruption and possibly even a remote code execution. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-6018} \item \url{https://github.com/ValveSoftware/GameNetworkingSockets/commit/bea84e2844b647532a9b7fbc3a6a8989d66e49e3} \end{enumerate} \\%
\hline%
2020-12-02 & \textcolor{red}{7.5} & \seqsplit{victor\_cms\_project {-}{-} victor\_cms} &The Victor CMS v1.0 application is vulnerable to SQL injection via the 'search' parameter on the search.php page. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29280} \item \url{https://github.com/BigTiger2020/Victor-CMS-/blob/main/README.md} \item \url{https://github.com/VictorAlagwu/CMSsite/issues/13} \item \url{https://www.exploit-db.com/exploits/48734} \end{enumerate} \\%
\hline%
2020-11-29 & \textcolor{red}{10.0} & \seqsplit{vsolcn {-}{-} v1600d\_firmware} &An issue was discovered on V{-}SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D{-}MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. Command injection can occur in "upload tftp syslog" and "upload tftp configuration" in the CLI via a crafted filename. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29381} \item \url{https://seclists.org/fulldisclosure/2020/Jul/14} \end{enumerate} \\%
\hline%
2020-11-29 & \textcolor{red}{9.0} & \seqsplit{vsolcn {-}{-} v1600d\_firmware} &An issue was discovered on V{-}SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D{-}MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. It is possible to elevate the privilege of a CLI user (to full administrative access) by using the password !j@l\#y\$z\%x6x7q8c9z) for the enable command. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29378} \item \url{https://seclists.org/fulldisclosure/2020/Jul/14} \end{enumerate} \\%
\hline%
2020-12-01 & \textcolor{red}{7.5} & \seqsplit{westerndigital {-}{-} my\_cloud\_os\_5} &An issue was discovered on Western Digital My Cloud OS 5 devices before 5.06.115. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to execute privileged commands on the device via a cookie, because of insufficient validation of URI paths. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-28971} \item \url{https://support.wdc.com/downloads.aspx?g=907&lang=en#downloads} \item \url{https://www.westerndigital.com/support/productsecurity/wdc-20009-os5-firmware-5-06-115} \end{enumerate} \\%
\hline%
2020-12-01 & \textcolor{red}{7.5} & \seqsplit{westerndigital {-}{-} my\_cloud\_os\_5} &An issue was discovered on Western Digital My Cloud OS 5 devices before 5.06.115. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to execute privileged commands on the device via a cookie. (In addition, an upload endpoint could then be used by an authenticated administrator to upload executable PHP scripts.) &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-28970} \item \url{https://support.wdc.com/downloads.aspx?g=907&lang=en#downloads} \item \url{https://www.westerndigital.com/support/productsecurity/wdc-20009-os5-firmware-5-06-115} \end{enumerate} \\%
\hline%
2020-12-01 & \textcolor{red}{7.5} & \seqsplit{westerndigital {-}{-} my\_cloud\_os\_5} &On Western Digital My Cloud OS 5 devices before 5.06.115, the NAS Admin dashboard has an authentication bypass vulnerability that could allow an unauthenticated user to execute privileged commands on the device. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-28940} \item \url{https://support.wdc.com/downloads.aspx?g=907&lang=en#downloads} \item \url{https://www.westerndigital.com/support/productsecurity/wdc-20009-os5-firmware-5-06-115} \end{enumerate} \\%
\hline%
2020-11-30 & \textcolor{red}{10.0} & \seqsplit{zeroshell {-}{-} zeroshell} &Zeroshell 3.9.3 contains a command injection vulnerability in the /cgi{-}bin/kerbynet StartSessionSubmit parameter that could allow an unauthenticated attacker to execute a system command by using shell metacharacters and the \%0a character. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29390} \item \url{https://blog.quake.so/post/zeroshell_linux_router_rce/} \end{enumerate} \\%
\hline%
2020-12-01 & \textcolor{red}{7.5} & \seqsplit{zte {-}{-} zxv10\_w908\_firmware} &A ZXELINK wireless controller has a SQL injection vulnerability. A remote attacker does not need to log in. By sending malicious SQL statements, because the device does not properly filter parameters, successful use can obtain management rights. This affects: ZXV10 W908 all versions before MIPS\_A\_1022IPV6R3T6P7Y20. &  \begin{enumerate} \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-6880} \item \url{http://www.zxelink.com.cn/website/html/CommonContent.html?classify=news&id=43&menuID=20201126153313319} \end{enumerate} \\%
\hline%
\bottomrule%
\end{longtable}%
\end{document}

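The resulting table looks like this:

[Screenshot: US bulletin table]

Now I want to change the code so that this longtable looks exactly like the table on the original website (https://us-cert.cisa.gov/ncas/bulletins/sb20-342):

[Screenshot: original US-Bulletins table]

Any idea how to change my code? Thanks.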

Answer 1

Like this?

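I suggest you use xltabular instead of longtable. With the enumitem package, it is easy to customize the enumerate environment in the last column.

The colour of the first two rows of the table is not clear. I guess these rows should be repeated on each page together with that part of the table.

To colour table rows, use \rowcolor{<color name>}: the first row is shown in red and the second in gray. Unfortunately, the content of the red row is unknown.

You may consider further changes to the table. For example, widen the second column (for example to 20 mm) and reduce the font size from \small to \footnotesize. Trying those changes I leave to you.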

\documentclass{article}
\usepackage[a4paper,
            hmargin=1cm,vmargin=0.5cm]{geometry}%
%\usepackage[utf8]{inputenc}%
\usepackage{textcomp}%
\usepackage[english]{babel}%
\usepackage{caption}%
\usepackage[protrusion=true,expansion=true]{microtype}%
\usepackage[column=O]{cellspace}
    \setlength\cellspacetoplimit{7pt}
    \setlength\cellspacebottomlimit{7pt}
\usepackage{makecell, xltabular}
\newcolumntype{L}{>{\RaggedRight\hspace{0pt}}X}
\newcolumntype{P}[1]{>{\RaggedRight\hspace{0pt}}p{#1}}
\addparagraphcolumntypes{L}
\addparagraphcolumntypes{P}

\usepackage{seqsplit}%
% new packages
\usepackage{siunitx}
\usepackage{ragged2e}
\usepackage[table]{xcolor}
\usepackage{enumitem}
\usepackage{etoolbox}
\AtBeginEnvironment{xltabular}{%
\small
\setlength\tabcolsep{4pt}
%
\setlist[enumerate]{nosep, 
                leftmargin=*,
                label=\arabic*.,
                before     = \vspace{-\baselineskip},
                after      = \vspace{-\baselineskip}
                  }% end of setlist
                        }
\usepackage[citecolor=black,%
            filecolor=black,%
            linkcolor=blue,%
            colorlinks=true,%
            urlcolor=blue]{hyperref}
\usepackage{xurl}%
            
\begin{document}%
    \begin{xltabular}{\linewidth}{|Oc| 
                     >{\color{red}}S[table-format=2.1]| 
                                   O{P{1.5cm}}| 
                                   O{L}| 
                                     L | }%
\caption{US-CERT Weekly High Risk Vulnerabilities}\\%
    \Xhline{1.2pt}
    \rowcolor{red!50}
\multicolumn{5}{Oc}{ red colored row }   \\
    \Xhline{0.8pt}%
    \rowcolor{gray!30}
\textbf{Date} 
    &   {\textbf{CVSS}}
        &   \textbf{Vendor--Product}  
            &   \textbf{Description}  
                &   \textbf{Source and Patch Info}  \\
    \Xhline{0.8pt}%
\endfirsthead%
\caption[]{US-CERT Weekly High Risk Vulnerabilities -- continued}  \\
    \Xhline{0.9pt}
    \rowcolor{red!50}
\multicolumn{5}{Oc}{ red colored row }   \\
    \Xhline{0.8pt}%
    \rowcolor{gray!30}
\textbf{Date}
    &   {\textbf{CVSS}}
        &   \textbf{Vendor--Product}
            &   \textbf{Description}
                &   \textbf{Source and Patch Info} \\
    \Xhline{0.8pt}
\endhead
    \multicolumn{5}{r}{\footnotesize\textit{Continued on the next page}}  \\
    \endfoot
    \Xhline{0.8pt}
\endlastfoot
2020-12-02 &  7.5   & \seqsplit{74cms {-}{-} 74cms} 
    &   PHP remote file inclusion in the assign\_resume\_tpl method in Application/Com\-mon/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution. 
        &   \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29279} 
        \item \url{http://www.74cms.com/news/show-2497.html} 
        \item \url{https://github.com/BigTiger2020/74CMS/blob/main/README.md} 
            \end{enumerate}      \\
    \hline
2020-12-02 & 7.5    & \seqsplit{bloodx\_project {-}{-} bloodx} 
    &   SQL injection vulnerability in BloodX 1.0 allows attackers to bypass authentication. 
        &     \begin{enumerate}
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29282} 
        \item \url{https://github.com/BigTiger2020/BloodX-CMS/blob/main/README.md} 
        \item \url{https://github.com/diveshlunker/BloodX} 
        \item \url{https://www.exploit-db.com/exploits/48786} \end{enumerate}  \\
    \hline
2020-11-27 & 10.0   & \seqsplit{br{-}automation {-}{-} industrial\_automation\_aprol} 
    &   An issue was discovered in B\&R Industrial Automation APROL before R4.2 V7.08. Arbitrary commands could be injected (using Python scripts) via the AprolCluster script that is invoked via sudo and thus executes with root privileges, a different vulnerability than CVE{-}2019{-}16364. 
        &   \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2019-19875} 
        \item  \url{https://www.br-automation.com/downloads_br_productcatalogue/BRP44400000000000000585952/APROL_R42_A1_ReleaseNotes_001.pdf} \end{enumerate}  \\
    \hline
2020-11-27 &  7.5 & \seqsplit{br{-}automation {-}{-} industrial\_automation\_aprol} 
    &   An issue was discovered in B\&R Industrial Automation APROL before R4.2 V7.08. The AprolLoader could be used to inject and execute arbitrary unintended commands via an unspecified attack scenario, a different vulnerability than CVE{-}2019{-}16364. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2019-19872} 
        \item \url{https://www.br-automation.com/downloads_br_productcatalogue/BRP44400000000000000585952/APROL_R42_A1_ReleaseNotes_001.pdf} \end{enumerate}  \\
    \hline
2020-11-27 & 7.5 & \seqsplit{br{-}automation {-}{-} industrial\_automation\_aprol} 
    &   An issue was discovered in B\&R Industrial Automation APROL before R4.2 V7.08. An EnMon PHP script was vulnerable to SQL injection, a different vulnerability than CVE{-}2019{-}10006.
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2019-19876} 
        \item \url{https://www.br-automation.com/downloads_br_productcatalogue/BRP44400000000000000585952/APROL_R42_A1_ReleaseNotes_001.pdf} \end{enumerate} \\
    \hline
2020-11-27 & 7.5    & \seqsplit{br{-}automation {-}{-} industrial\_automation\_aprol} 
    &   An issue was discovered in B\&R Industrial Automation APROL before R4.2 V7.08. Some web scripts in the web interface allowed injection and execution of arbitrary unintended commands on the web server, a different vulnerability than CVE{-}2019{-}16364. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2019-19874} 
        \item \url{https://www.br-automation.com/downloads_br_productcatalogue/BRP44400000000000000585952/APROL_R42_A1_ReleaseNotes_001.pdf} \end{enumerate} \\ 
    \hline
2020-11-27 & 9.3    & \seqsplit{c{-}blosc2\_project {-}{-} c{-}blosc2} 
    &   blosc2.c in Blosc C{-}Blosc2 through 2.0.0.beta.5 has a heap{-}based buffer overflow when there is a lack of space to write compressed data. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29367} 
        \item \url{https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26442} 
        \item \url{https://github.com/Blosc/c-blosc2/commit/c4c6470e88210afc95262c8b9fcc27e30ca043ee} \end{enumerate} \\ 
\hline
2020-12-02 & 7.5 & \seqsplit{car\_rental\_management\_system\_project {-}{-} car\_rental\_management\_system} 
    &   An SQL injection vulnerability was discovered in Car Rental Management System v1.0 can be exploited via the id parameter in view\_car.php or the car\_id parameter in booking.php. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29287} 
        \item \url{https://github.com/BigTiger2020/Car-Rental-Management-System/blob/main/README.md}
        \item \url{https://www.exploit-db.com/exploits/49056}
        \item \url{https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html} \end{enumerate} \\
    \hline
2020-12-02 & 7.8    & \seqsplit{cloudfoundry {-}{-} capi{-}release} 
    &   CAPI (Cloud Controller) versions prior to 1.101.0 are vulnerable to a denial{-}of{-}service attack in which an unauthenticated malicious attacker can send specially{-}crafted YAML files to certain endpoints, causing the YAML parser to consume excessive CPU and RAM. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-5423} 
        \item \url{https://www.cloudfoundry.org/blog/cve-2020-5423} 
            \end{enumerate}  \\
    \hline
2020-12-02 & 10.0   & \seqsplit{crux {-}{-} crux} 
    &   The official Crux Linux Docker images 3.0 through 3.4 contain a blank password for a root user. System using the Crux Linux Docker container deployed by affected versions of the Docker image may allow an attacker to achieve root access with a blank password. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29389} 
        \item \url{https://github.com/koharin/koharin2/blob/main/CVE-2020-29389} 
            \end{enumerate}  \\
    \hline
2020-12-01 & 7.5 & \seqsplit{edimax {-}{-} ic{-}3116w\_firmware} 
    &   A stack{-}based buffer{-}overflow exists in Edimax IP{-}Camera IC{-}3116W (v3.06) and IC{-}3140W (v3.07), which allows an unauthenticated, unauthorized attacker to perform remote{-}code{-}execution due to a crafted GET{-}Request. The overflow occurs in binary ipcam\_cgi due to a missing type check in function doGetSysteminfo(). This has been fixed in version: IC{-}3116W v3.08. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-26762} 
        \item \url{https://www.edimax.com/edimax/download/download/data/edimax/de/download/for_home/home_network_cameras/home_network_cameras_indoor_fixed/ic-3116w} \end{enumerate}  \\
    \hline
2020-11-30 & 10.0 & \seqsplit{fujitsu {-}{-} eternus\_storage\_dx200\_s4\_firmware} 
    &   An issue was discovered on Fujitsu Eternus Storage DX200 S4 devices through 2020{-}11{-}25. After logging into the portal as a root user (using any web browser), the portal can be accessed with root privileges when the URI cgi{-}bin/csp?cspid=\{XXXXXXXXXX\}\&csppage= cgi\_PgOverview\&csplang=en is visited from a different web browser. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29127} 
        \item \url{http://packetstormsecurity.com/files/160255/Fujitsu-Eternus-Storage-DX200-S4-Broken-Authentication.html}
        \item \url{https://cxsecurity.com/issue/WLB-2020110215} 
        \item \url{https://seccops.com/fujitsu-eternus-storage-dx200-s4-broken-authentication/} 
        \item \url{https://www.first.org/members/teams/fujitsu_psirt}
            \end{enumerate}  \\
    \hline
2020-12-02 & 7.5 & \seqsplit{gym\_management\_system\_project {-}{-} gym\_management\_system} 
    &   An SQL injection vulnerability was discovered in Gym Management System In manage\_user.php file, GET parameter 'id' is vulnerable. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29288} 
        \item \url{https://github.com/BigTiger2020/Gym-Management-System/blob/main/README.md} 
        \item \url{https://www.exploit-db.com/exploits/48936}
        \item \url{https://www.sourcecodester.com/php/14541/gym-management-system-using-phpmysqli-source-code.html} \end{enumerate}  \\
\hline
2020-12-02 & 10.0 & \seqsplit{hcltech {-}{-} domino} 
    &   HCL Domino is susceptible to a Buffer Overflow vulnerability in DXL due to improper validation of user input. A successful exploit could enable an attacker to crash Domino or execute attacker{-}controlled code on the server system. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-14260} 
        \item \url{https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0085500} \end{enumerate}  \\
    \hline
2020-12-02 & 7.2 & \seqsplit{hcltech {-}{-} notes} 
    &   HCL Notes is susceptible to a Buffer Overflow vulnerability in DXL due to improper validation of user input. A successful exploit could enable an attacker to crash Notes or execute attacker{-}controlled code on the client system. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-4102} 
        \item \url{https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0085499} \end{enumerate}  \\
    \hline
2020-12-02 & 10.0 & \seqsplit{hp {-}{-} edgeline\_infrastructure\_manager} 
    &   A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-7199} 
        \item \url{https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn04063en_us} \end{enumerate}  \\
    \hline
2020-12-01 & 7.2 & \seqsplit{huawei {-}{-} fusioncompute} 
    &   FusionCompute versions 6.3.0, 6.3.1, 6.5.0, 6.5.1 and 8.0.0 have a privilege escalation vulnerability. Due to improper privilege management, an attacker with common privilege may access some specific files and get the administrator privilege in the affected products. Successful exploit will cause privilege escalation.
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-9114} 
        \item \url{https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20201118-01-privilege-en} \end{enumerate}  \\
    \hline
2020-12-01 & 9.0 & \seqsplit{huawei {-}{-} manageone} 
    &   ManageOne versions 6.5.1.1.B010, 6.5.1.1.B020, 6.5.1.1.B030, 6.5.1.1.B040, ,6.5.1.1.B050, 8.0.0 and 8.0.1 have a command injection vulnerability. An attacker with high privileges may exploit this vulnerability through some operations on the plug{-}in component. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject commands to the target device. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-9115} 
        \item \url{https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20201125-01-commandinjection-en} \end{enumerate}  \\
    \hline
2020-11-30 & 9.0 & \seqsplit{ibm {-}{-} cloud\_pak\_for\_security} 
    &   IBM Cloud Pak for Security 1.3.0.1(CP4S) potentially vulnerable to CVS Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X{-}Force ID: 185367. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-4627} 
        \item \url{https://exchange.xforce.ibmcloud.com/vulnerabilities/185367}
        \item \url{https://www.ibm.com/support/pages/node/6372538}
            \end{enumerate}  \\
    \hline
2020-12-02 & 9.0 & \seqsplit{linux {-}{-} linux\_kernel} 
    &   An out{-}of{-}bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-14305} 
        \item \url{https://bugs.openvz.org/browse/OVZ-7188} 
        \item \url{https://bugzilla.redhat.com/show_bug.cgi?id=1850716} 
        \item \url{https://patchwork.ozlabs.org/project/netfilter-devel/patch/[email protected]/} \end{enumerate}  \\
    \hline
2020-11-30 & 7.8 & \seqsplit{mitsubishielectric {-}{-} r00cpu\_firmware} 
    &   Mitsubishi MELSEC iQ{-}R Series PLCs with firmware 49 allow an unauthenticated attacker to halt the industrial process by sending a crafted packet over the network. This denial of service attack exposes Improper Input Validation. After halting, physical access to the PLC is required in order to restore production, and the device state is lost. This is related to R04CPU, RJ71GF11{-}T2, R04CPU, and RJ71GF11{-}T2. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-16850} 
        \item \url{https://blog.scadafence.com/vulnerability-in-mitsubishi-electric-melsec-iq-r-series}
        \item \url{https://us-cert.cisa.gov/ics/advisories/icsa-20-282-02} 
            \end{enumerate}  \\
    \hline
2020-12-04 & 7.5 & \seqsplit{moddable {-}{-} moddable} 
    &   Heap buffer overflow in the fxCheckArrowFunction function at moddable/xs/sources/xsSyntaxical.c:3562 in Moddable SDK before OS200903. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-25462} 
        \item \url{https://github.com/Moddable-OpenSource/moddable/issues/432} 
        \item \url{https://github.com/Moddable-OpenSource/moddable/releases/tag/OS200903} 
            \end{enumerate}  \\
    \hline
2020-12-02 & 7.5 & \seqsplit{multi\_restaurant\_table\_reservation\_system\_project {-}{-} multi\_restaurant\_table\_reservation\_system} 
    &   The file view{-}chair{-}list.php in Multi Restaurant Table Reservation System 1.0 does not perform input validation on the table\_id parameter which allows unauthenticated SQL Injection. An attacker can send malicious input in the GET request to /dashboard/view{-}chair{-}list.php?table\_id= to trigger the vulnerability. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29284} 
        \item \url{https://github.com/BigTiger2020/-Multi-Restaurant-Table-Reservation-System/blob/main/README.md}
        \item \url{https://www.exploit-db.com/exploits/48984}
            \item \url{https://www.sourcecodester.com/php/14568/multi-restaurant-table-reservation-system-php-full-source-code.html}
                \end{enumerate}  \\
    \hline
2020-12-02 & 7.5 & \seqsplit{online\_doctor\_appointment\_booking\_system\_php\_and\_mysql\_project {-}{-} online\_doctor\_appointment\_booking\_system\_php\_and\_mysql} 
    &   An SQL injection vulnerability was discovered in Online Doctor Appointment Booking System PHP and Mysql via the q parameter to getuser.php.
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29283} 
        \item \url{https://github.com/BigTiger2020/Online-Doctor-Appointment-Booking-System-PHP/blob/main/README.md}
        \item \url{https://projectworlds.in/free-projects/php-projects/online-doctor-appointment-booking-system-php-and-mysql}
            \end{enumerate}  \\
    \hline
2020-11-27 & 7.2 & \seqsplit{pcanalyser {-}{-} pc\_analyser} 
    &   An issue was discovered in Devid Espenschied PC Analyser through 4.10. The PCADRVX64.SYS kernel driver exposes IOCTL functionality that allows low{-}privilege users to read and write arbitrary physical memory. This could lead to arbitrary Ring{-}0 code execution and escalation of privileges.
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-28922} 
        \item \url{http://www.pcanalyser.de/index.php/historie/} 
        \item \url{https://github.com/eset/vulnerability-disclosures} 
        \item \url{https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-28922/CVE-2020-28922.md}
            \end{enumerate}  \\
    \hline
2020-11-27 & 7.2 & \seqsplit{pcanalyser {-}{-} pc\_analyser} 
    &   An issue was discovered in Devid Espenschied PC Analyser through 4.10. The PCADRVX64.SYS kernel driver exposes IOCTL functionality that allows low{-}privilege users to read and write to arbitrary Model Specific Registers (MSRs). This could lead to arbitrary Ring{-}0 code execution and escalation of privileges. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-28921} 
        \item \url{http://www.pcanalyser.de/index.php/historie/} 
        \item \url{https://github.com/eset/vulnerability-disclosures} 
        \item \url{https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-28921/CVE-2020-28921.md}
            \end{enumerate}  \\
\hline
2020-12-02 & 7.5 & \seqsplit{point\_of\_sales\_in\_php\textbackslash{}/pdo\_project {-}{-} point\_of\_sales\_in\_php\textbackslash{}/pdo} 
    &   SQL injection vulnerability was discovered in Point of Sales in PHP/PDO 1.0, which can be exploited via the id parameter to edit\_category.php.
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29285} 
        \item \url{https://github.com/BigTiger2020/Point-of-Sales/blob/main/README.md} 
        \item \url{https://projectworlds.in/free-projects/php-projects/online-doctor-appointment-booking-system-php-and-mysql}
        \item \url{https://www.sourcecodester.com/php/14540/point-sales-phppdo-full-source-code-2020.html} 
            \end{enumerate}  \\
    \hline
2020-11-30 & 7.5 & \seqsplit{readymedia\_project {-}{-} readymedia} 
    &   ReadyMedia (aka MiniDLNA) before versions 1.3.0 allows remote code execution. Sending a malicious UPnP HTTP request to the miniDLNA service using HTTP chunked encoding can lead to a signedness bug resulting in a buffer overflow in calls to memcpy/memmove. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-28926} 
        \item \url{https://sourceforge.net/projects/minidlna/} 
        \item \url{https://www.rootshellsecurity.net/remote-heap-corruption-bug-discovery-minidlna/}
            \end{enumerate}  \\
    \hline
2020-11-30 & 10.0 & \seqsplit{synology {-}{-} safeaccess} 
    &   SQL injection vulnerability in request.cgi in Synology SafeAccess before 1.2.3{-}0234 allows remote attackers to execute arbitrary SQL commands via the domain parameter. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-27660} 
        \item \url{https://www.synology.com/security/advisory/Synology_SA_20_25}
            \end{enumerate}  \\
    \hline
2020-11-27 & 7.5 & \seqsplit{systeminformation {-}{-} systeminformation} 
    &   npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite(). 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-26245} 
        \item \url{https://github.com/sebhildebrandt/systeminformation/commit/8113ff0e87b2f422a5756c48f1057575e73af016}
        \item \url{https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-4v2w-h9jm-mqjg}
            \end{enumerate}  \\
    \hline
2020-11-30 & 10.0 & \seqsplit{ucms\_project {-}{-} ucms} 
    &   File upload vulnerability exists in UCMS 1.5.0, and the attacker can take advantage of this vulnerability to obtain server management permission.
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-25537} 
        \item \url{https://github.com/BigTiger2020/UCMS/blob/main/UCMS\%20v1.5.0\%20Arbitrary\%20file\%20upload\%20vulnerability\%20get\%20shell.md}
        \item \url{https://sunian19.github.io/2020/09/11/UCMS\%20v1.5.0\%20Arbitrary\%20file\%20upload\%20vulnerability/} \end{enumerate}  \\
    \hline
2020-12-02 & 7.5 & \seqsplit{valvesoftware {-}{-} game\_networking\_sockets} 
    &   Valve's Game Networking Sockets prior to version v1.2.0 improperly handles long encrypted messages in function AES\_GCM\_DecryptContext::Decrypt() when compiled using libsodium, leading to a Stack{-}Based Buffer Overflow and resulting in a memory corruption and possibly even a remote code execution. 
        &   \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-6018} 
        \item \url{https://github.com/ValveSoftware/GameNetworkingSockets/commit/bea84e2844b647532a9b7fbc3a6a8989d66e49e3}
            \end{enumerate}  \\
    \hline
2020-12-02 & 7.5 & \seqsplit{victor\_cms\_project {-}{-} victor\_cms} 
    &   The Victor CMS v1.0 application is vulnerable to SQL injection via the 'search' parameter on the search.php page. 
        &   \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29280} 
        \item \url{https://github.com/BigTiger2020/Victor-CMS-/blob/main/README.md} 
        \item \url{https://github.com/VictorAlagwu/CMSsite/issues/13} 
        \item \url{https://www.exploit-db.com/exploits/48734} 
            \end{enumerate}  \\
    \hline
2020-11-29 & 10.0 & \seqsplit{vsolcn {-}{-} v1600d\_firmware} 
    &   An issue was discovered on V{-}SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D{-}MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. Command injection can occur in "upload tftp syslog" and "upload tftp configuration" in the CLI via a crafted filename. 
        &  \begin{enumerate} 
            \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29381} 
            \item \url{https://seclists.org/fulldisclosure/2020/Jul/14} 
            \end{enumerate}  \\
    \hline
2020-11-29 & 9.0 & \seqsplit{vsolcn {-}{-} v1600d\_firmware} 
    &   An issue was discovered on V{-}SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D{-}MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. It is possible to elevate the privilege of a CLI user (to full administrative access) by using the password !j@l\#y\$z\%x6x7q8c9z) for the enable command.
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29378} 
        \item \url{https://seclists.org/fulldisclosure/2020/Jul/14} 
            \end{enumerate}  \\
\hline
2020-12-01 & 7.5 & \seqsplit{westerndigital {-}{-} my\_cloud\_os\_5} 
    &   An issue was discovered on Western Digital My Cloud OS 5 devices before 5.06.115. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to execute privileged commands on the device via a cookie, because of insufficient validation of URI paths.
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-28971} 
        \item \url{https://support.wdc.com/downloads.aspx?g=907&lang=en\#downloads} 
        \item \url{https://www.westerndigital.com/support/productsecurity/wdc-20009-os5-firmware-5-06-115}
            \end{enumerate}  
            \\
    \hline
2020-12-01 & 7.5 & \seqsplit{westerndigital {-}{-} my\_cloud\_os\_5}
    &   An issue was discovered on Western Digital My Cloud OS 5 devices before 5.06.115. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to execute privileged commands on the device via a cookie. (In addition, an upload endpoint could then be used by an authenticated administrator to upload executable PHP scripts.)
        &  \begin{enumerate}
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-28970}
        \item \url{https://support.wdc.com/downloads.aspx?g=907&lang=en\#downloads}
        \item \url{https://www.westerndigital.com/support/productsecurity/wdc-20009-os5-firmware-5-06-115}
            \end{enumerate}  \\
    \hline

2020-12-01 & 7.5 & \seqsplit{westerndigital {-}{-} my\_cloud\_os\_5} 
    &   On Western Digital My Cloud OS 5 devices before 5.06.115, the NAS Admin dashboard has an authentication bypass vulnerability that could allow an unauthenticated user to execute privileged commands on the device. 
        &  \begin{enumerate} 
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-28940}
        \item \url{https://support.wdc.com/downloads.aspx?g=907&lang=en\#downloads} 
        \item \url{https://www.westerndigital.com/support/productsecurity/wdc-20009-os5-firmware-5-06-115} \end{enumerate}  \\
    \hline

2020-11-30 & 10.0 & \seqsplit{zeroshell {-}{-} zeroshell} 
    &   Zeroshell 3.9.3 contains a command injection vulnerability in the /cgi{-}bin/kerbynet StartSessionSubmit parameter that could allow an unauthenticated attacker to execute a system command by using shell metacharacters and the \%0a character.
        &  \begin{enumerate}
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-29390}
        \item \url{https://blog.quake.so/post/zeroshell_linux_router_rce/}
        \end{enumerate}  \\
    \hline
2020-12-01 & 7.5 & \seqsplit{zte {-}{-} zxv10\_w908\_firmware}
    &   A ZXELINK wireless controller has a SQL injection vulnerability. A remote attacker does not need to log in. By sending malicious SQL statements, because the device does not properly filter parameters, successful use can obtain management rights. This affects: ZXV10 W908 all versions before MIPS\_A\_1022IPV6R3T6P7Y20.
        &  \begin{enumerate}
        \item \url{https://nvd.nist.gov/nvd.cfm?cvename=CVE-2020-6880}
        \item \url{http://www.zxelink.com.cn/website/html/CommonContent.html?classify=news&id=43&menuID=20201126153313319} \end{enumerate}
\end{xltabular}
\end{document}
