1. CVE-2020-12720: vBulletin SQL Injection (OWASP 1: Injection)
vBulletin is a proprietary Internet forum software package used to build and manage online community websites. This module searches for a SQL injection vulnerability that would allow an attacker to launch an RCE attack via resetting the admin's password.
CVSS Base Score: 9.8

2. CVE-2020-5902: F5 BIG-IP RCE and LFI (OWASP 1: Injection)
The Traffic Management User Interface on F5 BIG-IP is vulnerable to arbitrary command execution and local file read. A path normalization issue affects the Java backend, allowing an unauthenticated attacker to perform a relative path traversal attack and access sensitive endpoints that will grant further access within the system. On successful exploitation, an attacker will be able to execute arbitrary code on the system.
CVSS Base Score: 9.8

3. CVE-2020-15506: MobileIron Core Authentication Bypass (OWASP 2: Broken Authentication)
An authentication bypass vulnerability exists in MobileIron Core and Connector versions 10.6 and earlier that allows remote attackers to bypass the authentication mechanism. This would allow attackers to access services and the admin panel.
CVSS Base Score: 9.8

4. CVE-2020-14882: Oracle WebLogic RCE (OWASP 1: Injection)
Unpatched Oracle WebLogic servers allow attackers to execute arbitrary commands to download files, log keystrokes, steal sensitive data, and move laterally across a network. The vulnerability can be exploited by simply sending one request to the server.
CVSS Base Score: 9.8

5. CVE-2020-14750: Oracle WebLogic RCE (OWASP 1: Injection)
This is a Remote Code Execution (RCE) vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. If vulnerable, an attacker will be able to execute arbitrary commands on the application. Similar to CVE-2020-14882 above, the vulnerability can be exploited by simply sending one request to the server.
CVSS Base Score: 9.8

6. CVE-2020-17530: Apache Struts 2 RCE (OWASP 1: Injection)
Apache Struts (2.5.25 or earlier) is prone to a remote code execution vulnerability. In some cases, some tag attributes could perform a double OGNL evaluation on untrusted user input, which could lead to a remote code execution condition. An attacker would be able to execute system commands on the server.
CVSS Base Score: 9.8

7. CVE-2020-2551: Oracle WebLogic RCE (OWASP 1: Injection)
This is another vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware, affecting versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0, that allows an unauthenticated attacker with network access via IIOP to compromise the Oracle WebLogic Server.
CVSS Base Score: 9.8

8. CVE-2020-13379: Grafana SSRF (OWASP 3: Broken Access Control)
The avatar feature in Grafana contained a Server-Side Request Forgery (SSRF) vulnerability that permitted any unauthenticated user or client to make Grafana send HTTP requests to any URL and then return the result to the user or client.
CVSS Base Score: 8.2

9. CVE-2020-1147: Microsoft SharePoint Server RCE (OWASP 1: Injection)
This RCE vulnerability affects .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content.
CVSS Base Score: 7.8

10. CVE-2020-8209: Citrix XenMobile Server Path Traversal (OWASP 3: Broken Access Control)
This is a path traversal vulnerability in Citrix XenMobile Server 10.12 before RP2, Citrix XenMobile Server 10.11 before RP4, Citrix XenMobile Server 10.10 before RP6, and Citrix XenMobile Server before 10.9 RP5. An attacker can download arbitrary files from the server and in some cases launch an RCE attack.

Honorable Mention: VMware vCenter Unauthenticated Arbitrary File (OWASP 3: Broken Access Control)
This last one was never assigned a CVE but is still noteworthy. VMware vCenter Server version 6.5.0 or earlier allows a remote attacker to arbitrarily read files on the host by accessing the open vCenter console. Attackers can read the vCenter configuration file to obtain the admin account password and then take over the vCenter platform and the virtual machine clusters it manages.

Source: https://blog.detectify.com/2020/12/30/top-10-critical-cves-added-in-2020/