{"vulnerability": "cve-2020-2689", "sightings": [{"uuid": "d6cf2ba0-336c-491e-96a9-23d963beeadf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-26890", "type": "seen", "source": "https://t.me/cibsecurity/16766", "content": "\u203c CVE-2020-26890 \u203c\n\nMatrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients. If such a malformed event is accepted into the room's state, the impact is long-lasting and is not fixed by an upgrade to a newer version, requiring the event to be manually redacted instead. Since events are replicated to servers of other room members, the impact is not constrained to the server of the event sender.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-11-24T07:46:24.000000Z"}, {"uuid": "aea86a38-e5cf-46fd-a3e7-197b7c6bdbc0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-26895", "type": "seen", "source": "https://t.me/cibsecurity/15432", "content": "\u203c CVE-2020-26895 \u203c\n\nPrior to 0.10.0-beta, LND (Lightning Network Daemon) would have accepted a counterparty high-S signature and broadcast tx-relay invalid local commitment/HTLC transactions. This can be exploited by any peer with an open channel regardless of the victim situation (e.g., routing node, payment-receiver, or payment-sender). The impact is a loss of funds in certain situations.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-10-21T07:50:34.000000Z"}, {"uuid": "93c964e2-9b4f-4c51-9958-1de214ccce51", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-26893", "type": "seen", "source": "https://t.me/cibsecurity/15321", "content": "\u203c CVE-2020-26893 \u203c\n\nAn issue was discovered in ClamXAV 3 before 3.1.1. A malicious actor could use a properly signed copy of ClamXAV 2 (running with an injected malicious dylib) to communicate with ClamXAV 3's helper tool and perform privileged operations. This occurs because of inadequate client verification in the helper tool.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-10-16T16:42:17.000000Z"}, {"uuid": "25b2dd37-a4ec-493b-951c-69e696160da0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-26891", "type": "seen", "source": "https://t.me/cibsecurity/15380", "content": "\u203c CVE-2020-26891 \u203c\n\nAuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS due to unsafe interpolation of the session GET parameter. This allows a remote attacker to execute an XSS attack on the domain Synapse is hosted on, by supplying the victim user with a malicious URL to the /_matrix/client/r0/auth/m.login.recaptcha or /_matrix/client/r0/auth/m.login.terms Synapse 974923.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-10-19T20:46:19.000000Z"}]}