Two CVE’s (2020-9497 and 2020-9498) have been announced in the Apache Guacamole service. Successful exploitation of these vulnerabilities would allow an attacker to hijack a session on the host device or steal credentials.
These vulnerabilities have been highlighted in version 1.1.0 of Guacamole. This version of the software should be updated to the latest version at the time of writing this is version 1.2.0.
If this is not possible the protocol should be removed until a fix is released.
This vulnerability is still waiting for confirmation by the NVD and this post may be updates as new information is available.
Source: The Register