Weekly Vulnerabilities Reports > February 10 to 16, 2020

Overview

543 new vulnerabilities reported during this period, including 45 critical vulnerabilities and 89 high severity vulnerabilities. This weekly summary report vulnerabilities in 1182 products from 202 vendors including Microsoft, Google, Adobe, Jenkins, and Opensuse. Vulnerabilities are notably categorized as "Improper Privilege Management", "Cross-site Scripting", "Out-of-bounds Write", "Improper Input Validation", and "Information Exposure".

  • 394 reported vulnerabilities are remotely exploitables.
  • 23 reported vulnerabilities have public exploit available.
  • 133 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 455 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 106 reported vulnerabilities.
  • Adobe has the most reported critical vulnerabilities, with 14 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

45 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-02-14 CVE-2019-4392 Hcltech USE of Hard-Coded Credentials vulnerability in Hcltech Appscan 9.0.3.13

HCL AppScan Standard Edition 9.0.3.13 and earlier uses hard-coded credentials which can be exploited by attackers to get unauthorized access to the system.

10.0
2020-02-13 CVE-2013-7287 Mobileiron Inadequate Encryption Strength vulnerability in Mobileiron Sentry and Virtual Smartphone Platform

MobileIron VSP < 5.9.1 and Sentry < 5.0 has an insecure encryption scheme.

10.0
2020-02-13 CVE-2013-7173 Belkin Classic Buffer Overflow vulnerability in Belkin N750 Firmware 1.10.16M

Belkin n750 routers have a buffer overflow.

10.0
2020-02-13 CVE-2020-3763 Adobe Improper Privilege Management vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a privilege escalation vulnerability.

10.0
2020-02-13 CVE-2020-3762 Adobe Improper Privilege Management vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a privilege escalation vulnerability.

10.0
2020-02-13 CVE-2020-3760 Adobe Injection vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.10 and below have a command injection vulnerability.

10.0
2020-02-13 CVE-2020-3754 Adobe Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a buffer error vulnerability.

10.0
2020-02-13 CVE-2020-3752 Adobe Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a buffer error vulnerability.

10.0
2020-02-13 CVE-2020-3751 Adobe USE After Free vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an use after free vulnerability.

10.0
2020-02-13 CVE-2020-3750 Adobe USE After Free vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an use after free vulnerability.

10.0
2020-02-13 CVE-2020-3749 Adobe USE After Free vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an use after free vulnerability.

10.0
2020-02-13 CVE-2020-3746 Adobe USE After Free vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an use after free vulnerability.

10.0
2020-02-13 CVE-2020-3745 Adobe USE After Free vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an use after free vulnerability.

10.0
2020-02-13 CVE-2020-3743 Adobe USE After Free vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an use after free vulnerability.

10.0
2020-02-13 CVE-2020-3742 Adobe Out-Of-Bounds Write vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions, 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a heap overflow vulnerability.

10.0
2020-02-13 CVE-2020-3740 Adobe Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have a memory corruption vulnerability.

10.0
2020-02-13 CVE-2020-8964 Timetoolsltd USE of Hard-Coded Credentials vulnerability in Timetoolsltd products

TimeTools SC7105 1.0.007, SC9205 1.0.007, SC9705 1.0.007, SR7110 1.0.007, SR9210 1.0.007, SR9750 1.0.007, SR9850 1.0.007, T100 1.0.003, T300 1.0.003, and T550 1.0.003 devices allow remote attackers to bypass authentication by placing t3axs=TiMEtOOlsj7G3xMm52wB in a t3.cgi request, aka a "hardcoded cookie."

10.0
2020-02-13 CVE-2020-8963 Timetoolsltd OS Command Injection vulnerability in Timetoolsltd products

TimeTools SC7105 1.0.007, SC9205 1.0.007, SC9705 1.0.007, SR7110 1.0.007, SR9210 1.0.007, SR9750 1.0.007, SR9850 1.0.007, T100 1.0.003, T300 1.0.003, and T550 1.0.003 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the t3.cgi srmodel or srtime parameter.

10.0
2020-02-12 CVE-2011-4908 Tiny Unrestricted Upload of File With Dangerous Type vulnerability in Tiny Tinybrowser

TinyBrowser plugin for Joomla! before 1.5.13 allows arbitrary file upload via upload.php.

10.0
2020-02-12 CVE-2013-6236 Izoncam USE of Hard-Coded Credentials vulnerability in Izoncam Izon IP Firmware 2.0.2

IZON IP 2.0.2: hard-coded password vulnerability

10.0
2020-02-11 CVE-2013-3684 Imagely Unrestricted Upload of File With Dangerous Type vulnerability in Imagely Nextgen Gallery

NextGEN Gallery plugin before 1.9.13 for WordPress: ngggallery.php file upload

10.0
2020-02-11 CVE-2013-1359 Sonicwall Improper Authentication vulnerability in Sonicwall products

An Authentication Bypass Vulnerability exists in DELL SonicWALL Analyzer 7.0, Global Management System (GMS) 4.1, 5.0, 5.1, 6.0, and 7.0; Universal Management Appliance (UMA) 5.1, 6.0, and 7.0 and ViewPoint 4.1, 5.0, 5.1, and 6.0 via the skipSessionCheck parameter to the UMA interface (/appliance/), which could let a remote malicious user obtain access to the root account.

10.0
2020-02-11 CVE-2013-1360 Sonicwall Improper Authentication vulnerability in Sonicwall products

An Authentication Bypass vulnerability exists in DELL SonicWALL Global Management System (GMS) 4.1, 5.0, 5.1, 6.0, and 7.0, Analyzer 7.0, Universal Management Appliance (UMA) 5.1, 6.0, and 7.0 and ViewPoint 4.1, 5.0, and 6.0 via a crafted request to the SGMS interface, which could let a remote malicious user obtain administrative access.

10.0
2020-02-11 CVE-2019-14514 Microvirt OS Command Injection vulnerability in Microvirt Memu

An issue was discovered in Microvirt MEmu all versions prior to 7.0.2.

10.0
2020-02-11 CVE-2013-5945 Dlink SQL Injection vulnerability in Dlink products

Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allow remote attackers to execute arbitrary SQL commands via the password to (1) the login.authenticate function in share/lua/5.1/teamf1lualib/login.lua or (2) captivePortal.lua.

10.0
2020-02-11 CVE-2013-4267 Pydio OS Command Injection vulnerability in Pydio

Ajaxeplorer before 5.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) archive_name parameter to the Power FS module (plugins/action.powerfs/class.PowerFSController.php), a (2) file name to the getTrustSizeOnFileSystem function in the File System (Standard) module (plugins/access.fs/class.fsAccessWrapper.php), or the (3) revision parameter to the Subversion Repository module (plugins/meta.svn/class.SvnManager.php).

10.0
2020-02-10 CVE-2019-20451 Prismview Unrestricted Upload of File With Dangerous Type vulnerability in Prismview Player 11 and System 9

The HTTP API in Prismview System 9 11.10.17.00 and Prismview Player 11 13.09.1100 allows remote code execution by uploading RebootSystem.lnk and requesting /REBOOTSYSTEM or /RESTARTVNC.

10.0
2020-02-10 CVE-2012-6611 Polycom USE of Hard-Coded Credentials vulnerability in Polycom HDX System Software

An issue was discovered in Polycom Web Management Interface G3/HDX 8000 HD with Durango 2.6.0 4740 software and embedded Polycom Linux Development Platform 2.14.g3.

10.0
2020-02-13 CVE-2020-3757 Adobe
Redhat
Type Confusion vulnerability in multiple products

Adobe Flash Player versions 32.0.0.321 and earlier, 32.0.0.314 and earlier, 32.0.0.321 and earlier, and 32.0.0.255 and earlier have a type confusion vulnerability.

9.3
2020-02-12 CVE-2013-3494 Umplayer Project Untrusted Search Path vulnerability in Umplayer Project Umplayer 0.98

A Code Execution Vulnerability exists in UMPlayer 0.98 in wintab32.dll due to insufficient path restrictions when loading external libraries.

9.3
2020-02-12 CVE-2013-2097 Zpanel Project Unspecified vulnerability in Zpanel Project Zpanel 10.1.0

ZPanel through 10.1.0 has Remote Command Execution

9.3
2020-02-11 CVE-2020-0759 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Excel and Office 365 Proplus

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'.

9.3
2020-02-11 CVE-2020-0738 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products

A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory, aka 'Media Foundation Memory Corruption Vulnerability'.

9.3
2020-02-11 CVE-2020-0734 Microsoft Improper Input Validation vulnerability in Microsoft products

A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server, aka 'Remote Desktop Client Remote Code Execution Vulnerability'.

9.3
2020-02-11 CVE-2020-6406 Google USE After Free vulnerability in Google Chrome

Use after free in audio in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

9.3
2020-02-10 CVE-2017-18641 Linuxcontainers Improper Authentication vulnerability in Linuxcontainers LXC 2.0.0

In LXC 2.0, many template scripts download code over cleartext HTTP, and omit a digital-signature check, before running it to bootstrap containers.

9.3
2020-02-14 CVE-2020-8858 Moxa OS Command Injection vulnerability in Moxa products

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Moxa MGate 5105-MB-EIP firmware version 4.1.

9.0
2020-02-12 CVE-2020-6192 SAP Improper Input Validation vulnerability in SAP Landscape Management 3.0

SAP Landscape Management, version 3.0, allows an attacker with admin privileges to execute malicious commands with root privileges in SAP Host Agent via SAP Landscape Management.

9.0
2020-02-12 CVE-2020-6191 SAP Improper Input Validation vulnerability in SAP Landscape Management 3.0

SAP Landscape Management, version 3.0, allows an attacker with admin privileges to execute malicious executables with root privileges in SAP Host Agent via SAP Landscape Management due to Missing Input Validation.

9.0
2020-02-12 CVE-2020-8949 Gocloud OS Command Injection vulnerability in Gocloud products

Gocloud S2A_WL 4.2.7.16471, S2A 4.2.7.17278, S2A 4.3.0.15815, S2A 4.3.0.17193, S3A K2P MTK 4.2.7.16528, S3A 4.3.0.16572, and ISP3000 4.3.0.17190 devices allows remote attackers to execute arbitrary OS commands via shell metacharacters in a ping operation, as demonstrated by the cgi-bin/webui/admin/tools/app_ping/diag_ping/; substring.

9.0
2020-02-12 CVE-2020-8947 Artica OS Command Injection vulnerability in Artica Pandora FMS 7.0

functions_netflow.php in Artica Pandora FMS 7.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the index.php?operation/netflow/nf_live_view ip_dst, dst_port, or src_port parameter, a different vulnerability than CVE-2019-20224.

9.0
2020-02-12 CVE-2020-8946 Netis Systems OS Command Injection vulnerability in Netis-Systems Wf2471 Firmware 1.2.30142

Netis WF2471 v1.2.30142 devices allow an authenticated attacker to execute arbitrary OS commands via shell metacharacters in the /cgi-bin-igd/sys_log_clean.cgi log_3g_type parameter.

9.0
2020-02-11 CVE-2020-0688 Microsoft Deserialization of Untrusted Data vulnerability in Microsoft Exchange Server

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.

9.0
2020-02-11 CVE-2020-0662 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products

A remote code execution vulnerability exists in the way that Windows handles objects in memory, aka 'Windows Remote Code Execution Vulnerability'.

9.0
2020-02-11 CVE-2020-8429 Kinetica Improper Input Validation vulnerability in Kinetica 7.0.9.2.20191118151947

The Admin web application in Kinetica 7.0.9.2.20191118151947 does not properly sanitise the input for the function getLogs.

9.0

89 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-02-11 CVE-2020-0655 Microsoft Improper Input Validation vulnerability in Microsoft products

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an authenticated attacker abuses clipboard redirection, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

8.5
2020-02-13 CVE-2020-0022 Google Out-Of-Bounds Write vulnerability in Google Android

In reassemble_and_dispatch of packet_fragmenter.cc, there is possible out of bounds write due to an incorrect bounds calculation.

8.3
2020-02-14 CVE-2019-20045 S3India Improper Input Validation vulnerability in S3India Husky RTU 6049-E70 Firmware 5.0

The Synergy Systems & Solutions PLC & RTU system has a vulnerability in HUSKY RTU 6049-E70 firmware versions 5.0 and prior.

7.8
2020-02-13 CVE-2013-1634 Intel Improper Initialization vulnerability in Intel 82574L Controller Firmware 20130206

A denial of service vulnerability exists in some motherboard implementations of Intel e1000e/82574L network controller devices through 2013-02-06 where the device can be brought into a non-processing state when parsing 32 hex, 33 hex, or 34 hex byte values at the 0x47f offset.

7.8
2020-02-12 CVE-2011-3336 PHP
Apple
Freebsd
Openbsd
Resource Exhaustion vulnerability in multiple products

regcomp in the BSD implementation of libc is vulnerable to denial of service due to stack exhaustion.

7.8
2020-02-12 CVE-2020-7046 Dovecot Infinite Loop vulnerability in Dovecot 2.3.9/2.3.9.1/2.3.9.2

lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrated by the unauthenticated triggering of a submission-login infinite loop.

7.8
2020-02-11 CVE-2019-13946 Siemens Resource Exhaustion vulnerability in Siemens products

A vulnerability has been identified in Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller (All versions), Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200 (All Versions < V4.5), Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P (All Versions < V4.6), PROFINET Driver for Controller (All Versions < V2.1), RUGGEDCOM RM1224 (All versions < V4.3), SCALANCE M-800 / S615 (All versions < V4.3), SCALANCE W700 IEEE 802.11n (All versions <= V6.0.1), SCALANCE X-200 switch family (incl.

7.8
2020-02-11 CVE-2019-13926 Siemens Resource Exhaustion vulnerability in Siemens products

A vulnerability has been identified in SCALANCE S602 (All versions >= V3.0), SCALANCE S612 (All versions >= V3.0), SCALANCE S623 (All versions >= V3.0), SCALANCE S627-2M (All versions >= V3.0).

7.8
2020-02-11 CVE-2020-0767 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2020-02-11 CVE-2020-0713 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2020-02-11 CVE-2020-0712 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2020-02-11 CVE-2020-0711 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2020-02-11 CVE-2020-0710 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Chakracore and Edge

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2020-02-11 CVE-2020-0681 Microsoft Improper Input Validation vulnerability in Microsoft products

A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server, aka 'Remote Desktop Client Remote Code Execution Vulnerability'.

7.6
2020-02-11 CVE-2020-0674 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Internet Explorer 10/11/9

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2020-02-11 CVE-2020-0673 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Internet Explorer 10/11/9

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'.

7.6
2020-02-14 CVE-2020-8129 Script Manager Project Code Injection vulnerability in Script-Manager Project Script-Manager 0.8.6

An unintended require vulnerability in script-manager npm package version 0.8.6 and earlier may allow attackers to execute arbitrary code.

7.5
2020-02-14 CVE-2020-8128 Jsreport Server-Side Request Forgery (SSRF) vulnerability in Jsreport

An unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code.

7.5
2020-02-14 CVE-2013-4211 Openx Code Injection vulnerability in Openx 2.8.10

A Code Execution Vulnerability exists in OpenX Ad Server 2.8.10 due to a backdoor in flowplayer-3.1.1.min.js library, which could let a remote malicious user execute arbitrary PHP code

7.5
2020-02-14 CVE-2019-20046 S3India Improper Authentication vulnerability in S3India Husky RTU 6049-E70 Firmware 5.0

The Synergy Systems & Solutions PLC & RTU system has a vulnerability in HUSKY RTU 6049-E70 firmware versions 5.0 and prior.

7.5
2020-02-13 CVE-2013-7098 Infradead Out-Of-Bounds Write vulnerability in Infradead Openconnect

OpenConnect VPN client with GnuTLS before 5.02 contains a heap overflow if MTU is increased on reconnection.

7.5
2020-02-13 CVE-2013-1401 Cardozatechnologies SQL Injection vulnerability in Cardozatechnologies Wordpress Poll 34.05

Multiple security bypass vulnerabilities in the editAnswer, deleteAnswer, addAnswer, and deletePoll functions in WordPress Poll Plugin 34.5 for WordPress allow a remote attacker to add, edit, and delete an answer and delete a poll.

7.5
2020-02-13 CVE-2013-1400 Cardozatechnologies SQL Injection vulnerability in Cardozatechnologies Wordpress Poll 34.05/34.06

Multiple SQL injection vulnerabilities in CWPPoll.js in WordPress Poll Plugin 34.5 for WordPress allow attackers to execute arbitrary SQL commands via the pollid or poll_id parameter in a viewPollResults or userlogs action.

7.5
2020-02-13 CVE-2014-4170 Freereprintables Improper Privilege Management vulnerability in Freereprintables Articlefr 3.0.4

A Privilege Escalation Vulnerability exists in Free Reprintables ArticleFR 11.06.2014 due to insufficient access restrictions in the data.php script, which could let a remote malicious user obtain access or modify or delete database information.

7.5
2020-02-13 CVE-2020-8803 Salesagility Path Traversal vulnerability in Salesagility Suitecrm

SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list.

7.5
2020-02-13 CVE-2020-8802 Salesagility SQL Injection vulnerability in Salesagility Suitecrm

SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation.

7.5
2020-02-13 CVE-2020-8614 Askey Improper Input Validation vulnerability in Askey Ap4000W Firmware Tdcv1.01.003

An issue was discovered on Askey AP4000W TDC_V1.01.003 devices.

7.5
2020-02-13 CVE-2020-8962 Dlink Out-Of-Bounds Write vulnerability in Dlink Dir-842 Firmware 3.13B09

A stack-based buffer overflow was found on the D-Link DIR-842 REVC with firmware v3.13B09 HOTFIX due to the use of strcpy for LOGINPASSWORD when handling a POST request to the /MTFWU endpoint.

7.5
2020-02-13 CVE-2020-8953 Openvpn Improper Authentication vulnerability in Openvpn Access Server 2.8.0

OpenVPN Access Server 2.8.x before 2.8.1 allows LDAP authentication bypass (except when a user is enrolled in two-factor authentication).

7.5
2020-02-13 CVE-2020-7209 HP Unspecified vulnerability in HP Linuxki

LinuxKI v6.0-1 and earlier is vulnerable to an remote code execution which is resolved in release 6.0-2.

7.5
2020-02-12 CVE-2020-8955 Weechat Classic Buffer Overflow vulnerability in Weechat

irc_mode_channel_update in plugins/irc/irc-mode.c in WeeChat through 2.7 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a malformed IRC message 324 (channel mode).

7.5
2020-02-12 CVE-2011-4906 Tiny Unrestricted Upload of File With Dangerous Type vulnerability in Tiny Tinybrowser

Tiny browser in TinyMCE 3.0 editor in Joomla! before 1.5.13 allows file upload and arbitrary PHP code execution.

7.5
2020-02-12 CVE-2013-3725 Invisioncommunity Unspecified vulnerability in Invisioncommunity Invision Power Board

Invision Power Board (IPB) through 3.x allows admin account takeover leading to code execution.

7.5
2020-02-12 CVE-2020-8595 Istio
Redhat
Improper Authentication vulnerability in multiple products

Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass.

7.5
2020-02-12 CVE-2015-5617 Enorth SQL Injection vulnerability in Enorth Webpublisher CMS

SQL injection vulnerability in pub/m_pending_news/delete_pending_news.jsp in Enorth Webpublisher CMS allows remote attackers to execute arbitrary SQL commands via the cbNewsId parameter.

7.5
2020-02-12 CVE-2013-7381 Libnotify Project Injection vulnerability in Libnotify Project Libnotify

libnotify before 1.0.4 for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in a call to libnotify.notify.

7.5
2020-02-12 CVE-2013-2010 Automattic
Boldgrid
Injection vulnerability in multiple products

WordPress W3 Total Cache Plugin 0.9.2.8 has a Remote PHP Code Execution Vulnerability

7.5
2020-02-12 CVE-2013-7378 Hubot Scripts Project Injection vulnerability in Hubot Scripts Project Hubot Scripts

scripts/email.coffee in the Hubot Scripts module before 2.4.4 for Node.js allows remote attackers to execute arbitrary commands.

7.5
2020-02-12 CVE-2014-9390 GIT SCM
Apple
Microsoft
Mercurial
Eclipse
Libgit2
Improper Input Validation vulnerability in multiple products

Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.

7.5
2020-02-12 CVE-2014-2595 Barracuda Insufficient Session Expiration vulnerability in Barracuda web Application Firewall 7.8.1.013

Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.

7.5
2020-02-12 CVE-2014-0234 Redhat Insecure Default Initialization of Resource vulnerability in Redhat Openshift

The default configuration of broker.conf in Red Hat OpenShift Enterprise 2.x before 2.1 has a password of "mooo" for a Mongo account, which allows remote attackers to hijack the broker by providing this password, related to the openshift.sh script in Openshift Extras before 20130920.

7.5
2020-02-11 CVE-2012-1124 Phxeventmanager Project SQL Injection vulnerability in Phxeventmanager Project Phxeventmanager 2.0

SQL injection vulnerability in search.php in phxEventManager 2.0 beta 5 allows remote attackers to execute arbitrary SQL commands via the search_terms parameter.

7.5
2020-02-11 CVE-2014-9753 Atutor Improper Authentication vulnerability in Atutor

confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter.

7.5
2020-02-11 CVE-2013-2057 Yabb Unrestricted Upload of File With Dangerous Type vulnerability in Yabb 2.5.2

YaBB through 2.5.2: 'guestlanguage' Cookie Parameter Local File Include Vulnerability

7.5
2020-02-11 CVE-2013-1607 Pdfkit Project Improper Input Validation vulnerability in Pdfkit Project Pdfkit

Ruby PDFKit gem prior to 0.5.3 has a Code Execution Vulnerability

7.5
2020-02-11 CVE-2013-0803 Polarbear CMS Project Unrestricted Upload of File With Dangerous Type vulnerability in Polarbear CMS Project Polarbear CMS 2.5

A PHP File Upload Vulnerability exists in PolarBear CMS 2.5 via upload.php, which could let a malicious user execute arbitrary code.

7.5
2020-02-11 CVE-2014-2052 Owncloud XXE vulnerability in Owncloud

Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.

7.5
2020-02-11 CVE-2020-3934 Secom SQL Injection vulnerability in Secom Dr.Id Access Control and Dr.Id Attendance System

TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, contains a vulnerability of Pre-auth SQL Injection, allowing attackers to inject a specific SQL command.

7.5
2020-02-10 CVE-2020-8840 Fasterxml Deserialization of Untrusted Data vulnerability in Fasterxml Jackson-Databind

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

7.5
2020-02-10 CVE-2019-17137 Netgear Improper Authentication vulnerability in Netgear Ac1200 R6220 Firmware 1.1.0.86

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR AC1200 R6220 Firmware version 1.1.0.86 Smart WiFi Router.

7.5
2020-02-13 CVE-2020-0027 Google Out-Of-Bounds Write vulnerability in Google Android

In HidRawSensor::batch of HidRawSensor.cpp, there is a possible out of bounds write due to an unexpected switch fallthrough.

7.2
2020-02-13 CVE-2020-0026 Google USE After Free vulnerability in Google Android

In Parcel::continueWrite of Parcel.cpp, there is possible memory corruption due to a use after free.

7.2
2020-02-13 CVE-2020-0005 Google Out-Of-Bounds Write vulnerability in Google Android

In btm_read_remote_ext_features_complete of btm_acl.cc, there is a possible out of bounds write due to a missing bounds check.

7.2
2020-02-12 CVE-2020-8950 AMD Link Following vulnerability in AMD User Experience Program 1.0.0.1

The AUEPLauncher service in Radeon AMD User Experience Program Launcher through 1.0.0.1 on Windows allows elevation of privilege by placing a crafted file in %PROGRAMDATA%\AMD\PPC\upload and then creating a symbolic link in %PROGRAMDATA%\AMD\PPC\temp that points to an arbitrary folder with an arbitrary file name.

7.2
2020-02-12 CVE-2011-4338 Shaman Project Improper Authentication vulnerability in Shaman Project Shaman 1.0.9

Shaman 1.0.9: Users can add the line askforpwd=false to his shaman.conf file, without entering the root password in shaman.

7.2
2020-02-11 CVE-2020-0792 Microsoft Improper Privilege Management vulnerability in Microsoft Windows 10 and Windows Server 2016

An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory, aka 'Windows Graphics Component Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0757 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists when Windows improperly handles Secure Socket Shell remote commands, aka 'Windows SSH Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0745 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory, aka 'Windows Graphics Component Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0732 Microsoft Improper Privilege Management vulnerability in Microsoft Windows 10 and Windows Server 2016

An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory, aka 'DirectX Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0731 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0726 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0725 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0724 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0723 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0722 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0721 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0720 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0719 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0715 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory, aka 'Windows Graphics Component Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0709 Microsoft Improper Privilege Management vulnerability in Microsoft Windows 10 and Windows Server 2016

An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory, aka 'DirectX Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0707 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows IME improperly handles memory.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows IME Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0704 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Wireless Network Manager improperly handles memory.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Wireless Network Manager Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0703 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Backup Service improperly handles file operations.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Backup Service Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0697 Microsoft Improper Privilege Management vulnerability in Microsoft Office 365 Proplus

An elevation of privilege vulnerability exists in Microsoft Office OLicenseHeartbeat task, where an attacker who successfully exploited this vulnerability could run this task as SYSTEM.To exploit the vulnerability, an authenticated attacker would need to place a specially crafted file in a specific location, thereby allowing arbitrary file corruption.The security update addresses the vulnerability by correcting how the process validates the log file., aka 'Microsoft Office Tampering Vulnerability'.

7.2
2020-02-11 CVE-2020-0691 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0686 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links, aka 'Windows Installer Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0685 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists when Windows improperly handles COM object creation, aka 'Windows COM Server Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0683 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links, aka 'Windows Installer Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0682 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory, aka 'Windows Function Discovery Service Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0678 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles hard links, aka 'Windows Error Reporting Manager Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0672 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0671 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2020-0670 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'.

7.2
2020-02-11 CVE-2009-4067 Linux
Redhat
Classic Buffer Overflow vulnerability in Linux Kernel

Buffer overflow in the auerswald_probe function in the Auerswald Linux USB driver for the Linux kernel before 2.6.27 allows physically proximate attackers to execute arbitrary code, cause a denial of service via a crafted USB device, or take full control of the system.

7.2
2020-02-11 CVE-2013-0517 IBM OS Command Injection vulnerability in IBM Sterling External Authentication Server

A Command Execution Vulnerability exists in IBM Sterling External Authentication Server 2.2.0, 2.3.01, 2.4.0, and 2.4.1 via an unspecified OS command, which could let a local malicious user execute arbitrary code.

7.2
2020-02-11 CVE-2013-4535 Qemu
Redhat
Improper Input Validation vulnerability in multiple products

The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read.

7.2
2020-02-13 CVE-2014-1617 Promotic Classic Buffer Overflow vulnerability in Promotic 8.2.13

Microsys PROMOTIC 8.2.13 contains an ActiveX Control Start Buffer Overflow vulnerability which can lead to denial of service.

7.1
2020-02-13 CVE-2020-0028 Google Information Exposure vulnerability in Google Android 9.0

In notifyNetworkTested and related functions of NetworkMonitor.java, there is a possible bypass of private DNS settings.

7.1
2020-02-12 CVE-2013-4602 Avira Resource Exhaustion vulnerability in Avira products

A Denial of Service (infinite loop) vulnerability exists in Avira AntiVir Engine before 8.2.12.58 via an unspecified function in the PDF Scanner Engine.

7.1

335 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-02-13 CVE-2020-0030 Google USE After Free vulnerability in Google Android

In binder_thread_release of binder.c, there is a possible use after free due to a race condition.

6.9
2020-02-13 CVE-2019-2200 Google Incorrect Default Permissions vulnerability in Google Android 10.0

In updatePermissions of PermissionManagerService.java, it may be possible for a malicious app to obtain a custom permission from another app due to a permission bypass.

6.9
2020-02-12 CVE-2013-3685 Spritesoftware
LG
Race Condition vulnerability in Spritesoftware Spritebackup and Spritebud

A Privilege Escalation Vulnerability exists in Sprite Software Spritebud 1.3.24 and 1.3.28 and Backup 2.5.4105 and 2.5.4108 on LG Android smartphones due to a race condition in the spritebud daemon, which could let a local malicious user obtain root privileges.

6.9
2020-02-14 CVE-2020-6068 Accusoft Out-Of-Bounds Write vulnerability in Accusoft Imagegear 19.5.0

An exploitable out-of-bounds write vulnerability exists in the igcore19d.dll PNG pngread parser of the Accusoft ImageGear 19.5.0 library.

6.8
2020-02-14 CVE-2019-5187 Accusoft Out-Of-Bounds Write vulnerability in Accusoft Imagegear 19.5.0

An exploitable out-of-bounds write vulnerability exists in the TIFreadstripdata function of the igcore19d.dll library of Accusoft ImageGear 19.5.0.

6.8
2020-02-14 CVE-2020-8857 Foxitsoftware USE After Free vulnerability in Foxitsoftware Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455.

6.8
2020-02-14 CVE-2020-8856 Foxitsoftware USE After Free vulnerability in Foxitsoftware Reader

This vulnerability allows remote atackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.6.0.25608.

6.8
2020-02-14 CVE-2020-8855 Foxitsoftware USE After Free vulnerability in Foxitsoftware Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.7.0.2947.

6.8
2020-02-14 CVE-2020-8854 Foxitsoftware Out-Of-Bounds Write vulnerability in Foxitsoftware Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.7.0.29478.

6.8
2020-02-14 CVE-2020-8853 Foxitsoftware Out-Of-Bounds Write vulnerability in Foxitsoftware Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.7.0.29478.

6.8
2020-02-14 CVE-2020-8851 Foxitsoftware Out-Of-Bounds Write vulnerability in Foxitsoftware Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455.

6.8
2020-02-14 CVE-2020-8850 Foxitsoftware Out-Of-Bounds Write vulnerability in Foxitsoftware Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455.

6.8
2020-02-14 CVE-2020-8849 Foxitsoftware Out-Of-Bounds Write vulnerability in Foxitsoftware Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455.

6.8
2020-02-14 CVE-2020-8848 Foxitsoftware Out-Of-Bounds Write vulnerability in Foxitsoftware Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455.

6.8
2020-02-14 CVE-2020-8847 Foxitsoftware Out-Of-Bounds Write vulnerability in Foxitsoftware Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455.

6.8
2020-02-14 CVE-2020-8846 Foxitsoftware USE After Free vulnerability in Foxitsoftware Reader

This vulnerability allows remote atackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.6.0.25114.

6.8
2020-02-14 CVE-2020-8845 Foxitsoftware USE After Free vulnerability in Foxitsoftware Reader

This vulnerability allows remote atackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.6.0.25114.

6.8
2020-02-14 CVE-2020-8844 Foxitsoftware Integer Overflow OR Wraparound vulnerability in Foxitsoftware Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.6.0.25114.

6.8
2020-02-14 CVE-2019-11215 Combodo Race Condition vulnerability in Combodo Itop

In Combodo iTop 2.2.0 through 2.6.0, if the configuration file is writable, then execution of arbitrary code can be accomplished by calling ajax.dataloader with a maliciously crafted payload.

6.8
2020-02-13 CVE-2020-3748 Adobe USE After Free vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an use after free vulnerability.

6.8
2020-02-13 CVE-2020-3739 Adobe Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have a memory corruption vulnerability.

6.8
2020-02-13 CVE-2020-3738 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability.

6.8
2020-02-13 CVE-2020-3737 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability.

6.8
2020-02-13 CVE-2020-3736 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability.

6.8
2020-02-13 CVE-2020-3735 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have a heap overflow vulnerability.

6.8
2020-02-13 CVE-2020-3734 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have a buffer error vulnerability.

6.8
2020-02-13 CVE-2020-3733 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability.

6.8
2020-02-13 CVE-2020-3732 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability.

6.8
2020-02-13 CVE-2020-3731 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have a heap overflow vulnerability.

6.8
2020-02-13 CVE-2020-3730 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability.

6.8
2020-02-13 CVE-2020-3729 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability.

6.8
2020-02-13 CVE-2020-3728 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability.

6.8
2020-02-13 CVE-2020-3727 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability.

6.8
2020-02-13 CVE-2020-3726 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability.

6.8
2020-02-13 CVE-2020-3725 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability.

6.8
2020-02-13 CVE-2020-3724 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability.

6.8
2020-02-13 CVE-2020-3723 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability.

6.8
2020-02-13 CVE-2020-3722 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability.

6.8
2020-02-13 CVE-2020-3721 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability.

6.8
2020-02-13 CVE-2020-3720 Adobe Out-Of-Bounds Write vulnerability in Adobe Framemaker

Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds write vulnerability.

6.8
2020-02-13 CVE-2020-0021 Google Null Pointer Dereference vulnerability in Google Android 10.0

In removeUnusedPackagesLPw of PackageManagerService.java, there is a possible permanent denial-of-service due to a missing package dependency test.

6.8
2020-02-12 CVE-2020-1977 Paloaltonetworks Cross-Site Request Forgery (CSRF) vulnerability in Paloaltonetworks Expedition Migration Tool

Insufficient Cross-Site Request Forgery (XSRF) protection on Expedition Migration Tool allows remote unauthenticated attackers to hijack the authentication of administrators and to perform actions on the Expedition Migration Tool.

6.8
2020-02-12 CVE-2013-5106 Python Mode Project Improper Input Validation vulnerability in Python-Mode Project Python-Mode 20121219

A Code Execution vulnerability exists in select.py when using python-mode 2012-12-19.

6.8
2020-02-12 CVE-2020-2116 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Pipeline Github Notify Step

A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

6.8
2020-02-12 CVE-2014-4607 Oberhumer Integer Overflow OR Wraparound vulnerability in Oberhumer Liblzo2 and Lzo2

Integer overflow in the LZO algorithm variant in Oberhumer liblzo2 and lzo-2 before 2.07 on 32-bit platforms might allow remote attackers to execute arbitrary code via a crafted Literal Run.

6.8
2020-02-12 CVE-2015-7508 Netsurf Browser Out-Of-Bounds Write vulnerability in Netsurf-Browser Libnsbmp 0.1.2

Heap-based buffer overflow in the bmp_decode_rle function in libnsbmp.c in Libnsbmp 0.1.2 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via the last row of RLE data in a crafted BMP file.

6.8
2020-02-12 CVE-2014-4968 Boatmob Remote Code Execution vulnerability in Boatmob Boat Browser 8.0/8.0.1

The WebView class and use of the WebView.addJavascriptInterface method in the Boat Browser application 8.0 and 8.0.1 for Android allow remote attackers to execute arbitrary code via a crafted web site, a related issue to CVE-2012-6636.

6.8
2020-02-12 CVE-2020-8892 Misp Unspecified vulnerability in Misp

An issue was discovered in MISP before 2.4.121.

6.8
2020-02-11 CVE-2020-0729 Microsoft Unspecified vulnerability in Microsoft products

A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed.An attacker who successfully exploited this vulnerability could gain the same user rights as the local user, aka 'LNK Remote Code Execution Vulnerability'.

6.8
2020-02-11 CVE-2020-0708 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products

A remote code execution vulnerability exists when the Windows Imaging Library improperly handles memory.To exploit this vulnerability, an attacker would first have to coerce a victim to open a specially crafted file.The security update addresses the vulnerability by correcting how the Windows Imaging Library handles memory., aka 'Windows Imaging Library Remote Code Execution Vulnerability'.

6.8
2020-02-11 CVE-2020-0692 Microsoft Improper Privilege Management vulnerability in Microsoft Exchange Server 2013/2016/2019

An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of Privilege Vulnerability'.

6.8
2020-02-11 CVE-2020-0665 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Active Directory Forest trusts due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest, aka 'Active Directory Elevation of Privilege Vulnerability'.

6.8
2020-02-11 CVE-2020-6069 Accusoft Out-Of-Bounds Write vulnerability in Accusoft Imagegear 19.5.0

An exploitable out-of-bounds write vulnerability exists in the igcore19d.dll JPEG jpegread precision parser of the Accusoft ImageGear 19.5.0 library.

6.8
2020-02-11 CVE-2020-6067 Accusoft Out-Of-Bounds Write vulnerability in Accusoft Imagegear 19.5.0

An exploitable out-of-bounds write vulnerability exists in the igcore19d.dll TIFF tifread parser of the Accusoft ImageGear 19.5.0 library.

6.8
2020-02-11 CVE-2020-6066 Accusoft Out-Of-Bounds Write vulnerability in Accusoft Imagegear 19.5.0

An exploitable out-of-bounds write vulnerability exists in the igcore19d.dll JPEG SOFx parser of the Accusoft ImageGear 19.5.0 library.

6.8
2020-02-11 CVE-2020-6065 Accusoft Out-Of-Bounds Write vulnerability in Accusoft Imagegear 19.5.0

An exploitable out-of-bounds write vulnerability exists in the bmp_parsing function of the igcore19d.dll library of Accusoft ImageGear, version 19.5.0.

6.8
2020-02-11 CVE-2020-6064 Accusoft Out-Of-Bounds Write vulnerability in Accusoft Imagegear 19.5.0

An exploitable out-of-bounds write vulnerability exists in the uncompress_scan_line function of the igcore19d.dll library of Accusoft ImageGear, version 19.5.0.

6.8
2020-02-11 CVE-2020-6063 Accusoft Out-Of-Bounds Write vulnerability in Accusoft Imagegear 19.5.0

An exploitable out-of-bounds write vulnerability exists in the uncompress_scan_line function of the igcore19d.dll library of Accusoft ImageGear, version 19.5.0.

6.8
2020-02-11 CVE-2013-4225 Restful WEB Services Project Code Injection vulnerability in Restful web Services Project Restful web Services

The RESTful Web Services (restws) module 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.1 for Drupal does not properly restrict access to entity write operations, which makes it easier for remote authenticated users with the "access resource node" and "create page content" permissions (or equivalents) to conduct cross-site scripting (XSS) or execute arbitrary PHP code via a crafted text field.

6.8
2020-02-11 CVE-2012-6721 Socialengine Cross-Site Request Forgery (CSRF) vulnerability in Socialengine 4.2.2

Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) Forum, (2) Event, and (3) Classifieds plugins in SocialEngine before 4.2.4.

6.8
2020-02-11 CVE-2013-5582 Ammyy Improper Authentication vulnerability in Ammyy Admin 3.2

Ammyy Admin 3.2 and earlier stores the client ID at a fixed memory location, which might make it easier for user-assisted remote attackers to bypass authentication by running a local program that extracts a field from the AA_v3.2.exe file.

6.8
2020-02-11 CVE-2013-3942 Daum Untrusted Search Path vulnerability in Daum Potplayer

Potplayer prior to 1.5.39659: DLL Loading Arbitrary Code Execution Vulnerability

6.8
2020-02-11 CVE-2014-9748 Libuv
Microsoft
Race Condition vulnerability in Libuv

The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads from releasing the locks of other threads, which allows attackers to cause a denial of service (deadlock) or possibly have unspecified other impact by leveraging a race condition.

6.8
2020-02-11 CVE-2020-6416 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Chrome

Insufficient data validation in streams in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2020-02-11 CVE-2020-6415 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Chrome

Inappropriate implementation in JavaScript in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2020-02-11 CVE-2020-6414 Google
Opensuse
Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
6.8
2020-02-11 CVE-2020-6413 Google
Opensuse
Inappropriate implementation in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass HTML validators via a crafted HTML page.
6.8
2020-02-11 CVE-2020-6410 Google Unspecified vulnerability in Google Chrome

Insufficient policy enforcement in navigation in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to confuse the user via a crafted domain name.

6.8
2020-02-11 CVE-2020-6409 Google Unspecified vulnerability in Google Chrome

Inappropriate implementation in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker who convinced the user to enter a URI to bypass navigation restrictions via a crafted domain name.

6.8
2020-02-11 CVE-2020-6402 Google
Opensuse
Improper Input Validation vulnerability in multiple products

Insufficient policy enforcement in downloads in Google Chrome on OS X prior to 80.0.3987.87 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension.

6.8
2020-02-11 CVE-2020-6398 Google
Opensuse
USE of Uninitialized Resource vulnerability in multiple products

Use of uninitialized data in PDFium in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

6.8
2020-02-11 CVE-2020-6390 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Chrome

Out of bounds memory access in streams in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2020-02-11 CVE-2020-6389 Google Out-Of-Bounds Write vulnerability in Google Chrome

Out of bounds write in WebRTC in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted video stream.

6.8
2020-02-11 CVE-2020-6388 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Chrome

Out of bounds access in WebAudio in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2020-02-11 CVE-2020-6387 Google Out-Of-Bounds Write vulnerability in Google Chrome

Out of bounds write in WebRTC in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted video stream.

6.8
2020-02-11 CVE-2020-6385 Google
Opensuse
Improper Input Validation vulnerability in multiple products

Insufficient policy enforcement in storage in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass site isolation via a crafted HTML page.

6.8
2020-02-11 CVE-2020-6382 Google Type Confusion vulnerability in Google Chrome

Type confusion in JavaScript in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2020-02-11 CVE-2020-6381 Google
Opensuse
Integer Overflow OR Wraparound vulnerability in multiple products

Integer overflow in JavaScript in Google Chrome on ChromeOS and Android prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2020-02-11 CVE-2020-6380 Google Improper Input Validation vulnerability in Google Chrome

Insufficient policy enforcement in extensions in Google Chrome prior to 79.0.3945.130 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted Chrome Extension.

6.8
2020-02-11 CVE-2020-6379 Google USE After Free vulnerability in Google Chrome

Use after free in V8 in Google Chrome prior to 79.0.3945.130 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2020-02-11 CVE-2020-6378 Google USE After Free vulnerability in Google Chrome

Use after free in speech in Google Chrome prior to 79.0.3945.130 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2020-02-11 CVE-2020-5529 Htmlunit Project Improper Initialization vulnerability in Htmlunit Project Htmlunit

HtmlUnit prior to 2.37.0 contains code execution vulnerabilities.

6.8
2020-02-10 CVE-2019-13322 MI Improper Input Validation vulnerability in MI Browser

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Xiaomi Browser Prior to 10.4.0.

6.8
2020-02-10 CVE-2013-2109 Undolog Cross-Site Request Forgery (CSRF) vulnerability in Undolog WP Cleanfix 1.4

WordPress plugin wp-cleanfix has Remote Code Execution

6.8
2020-02-10 CVE-2019-19659 Maxum Cross-Site Request Forgery (CSRF) vulnerability in Maxum Rumpus 8.2.9.1

A CSRF vulnerability exists in the Web File Manager's Edit Accounts functionality of Rumpus FTP Server 8.2.9.1.

6.8
2020-02-10 CVE-2019-20059 Mfscripts Cross-Site Request Forgery (CSRF) vulnerability in Mfscripts Yetishare

payment_manage.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.4 directly insert values from the sSortDir_0 parameter into a SQL string.

6.8
2020-02-14 CVE-2020-8611 Progess
Progress
SQL Injection vulnerability in multiple products

In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, multiple SQL Injection vulnerabilities have been found in the REST API that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer's database via the REST API.

6.5
2020-02-13 CVE-2015-6589 Kaseya Path Traversal vulnerability in Kaseya Virtual System Administrator

Directory traversal vulnerability in Kaseya Virtual System Administrator (VSA) 7.0.0.0 before 7.0.0.33, 8..0.0.0 before 8.0.0.23, 9.0.0.0 before 9.0.0.19, and 9.1.0.0 before 9.1.0.9 allows remote authenticated users to write to and execute arbitrary files due to insufficient restrictions in file paths to json.ashx.

6.5
2020-02-13 CVE-2020-8801 Salesagility Injection vulnerability in Salesagility Suitecrm

SuiteCRM through 7.11.11 allows PHAR Deserialization.

6.5
2020-02-13 CVE-2020-8800 Salesagility Injection vulnerability in Salesagility Suitecrm

SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection.

6.5
2020-02-13 CVE-2020-5239 Mailu Unspecified vulnerability in Mailu 1.5/1.6

In Mailu before version 1.7, an authenticated user can exploit a vulnerability in Mailu fetchmail script and gain full access to a Mailu instance.

6.5
2020-02-12 CVE-2020-1975 Paloaltonetworks XXE vulnerability in Paloaltonetworks Pan-Os

Missing XML validation vulnerability in the PAN-OS web interface on Palo Alto Networks PAN-OS software allows authenticated users to inject arbitrary XML that results in privilege escalation.

6.5
2020-02-12 CVE-2020-6188 SAP Missing Authorization vulnerability in SAP ERP and S/4 Hana

VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check.

6.5
2020-02-12 CVE-2020-2123 Jenkins Deserialization of Untrusted Data vulnerability in Jenkins Radargun

Jenkins RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

6.5
2020-02-12 CVE-2020-2121 Jenkins Unspecified vulnerability in Jenkins Google Kubernetes Engine

Jenkins Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

6.5
2020-02-12 CVE-2020-2120 Jenkins XXE vulnerability in Jenkins Fitnesse

Jenkins FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

6.5
2020-02-12 CVE-2020-2115 Jenkins XXE vulnerability in Jenkins Nunit

Jenkins NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

6.5
2020-02-12 CVE-2020-2110 Jenkins Improper Input Validation vulnerability in Jenkins Script Security

Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.

6.5
2020-02-12 CVE-2020-2109 Jenkins Improper Input Validation vulnerability in Jenkins Pipeline: Groovy

Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.

6.5
2020-02-11 CVE-2020-0618 Microsoft Improper Input Validation vulnerability in Microsoft SQL Server 2012/2014/2016

A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.

6.5
2020-02-10 CVE-2020-8841 Testlink SQL Injection vulnerability in Testlink 1.9.19

An issue was discovered in TestLink 1.9.19.

6.5
2020-02-10 CVE-2014-5086 Sphider
Sphider Plus
Sphiderpro
Injection vulnerability in Sphider Plus and Sphider PRO

A Command Execution vulnerability exists in Sphider Pro, and Sphider Plus 3.2 due to insufficient sanitization of fwrite to conf.php, which could let a remote malicious user execute arbitrary code.

6.5
2020-02-10 CVE-2014-5085 Sphider Plus Injection vulnerability in Sphider-Plus 3.2

A Command Execution vulnerability exists in Sphider Plus 3.2 due to insufficient sanitization of fwrite to conf.php, which could let a remote malicious user execute arbitrary code.

6.5
2020-02-10 CVE-2014-5084 Sphiderpro Injection vulnerability in Sphiderpro 3.2

A Command Execution vulnerability exists in Sphider Pro 3.2 due to insufficient sanitization of fwrite, which could let a remote malicious user execute arbitrary code.

6.5
2020-02-10 CVE-2014-5083 Sphider Injection vulnerability in Sphider

A Command Execution vulnerability exists in Sphider before 1.3.6 due to insufficient sanitization of fwrite to conf.php, which could let a remote malicious user execute arbitrary code.

6.5
2020-02-13 CVE-2014-4198 Bssys Improper Authentication vulnerability in Bssys RBS Bs-Client. Retail Client 2.4/2.5

A Two-Factor Authentication Bypass Vulnerability exists in BS-Client Private Client 2.4 and 2.5 via an XML request that neglects the use of ADPswID and AD parameters, which could let a malicious user access privileged function.

6.4
2020-02-12 CVE-2020-6183 SAP Missing Authorization vulnerability in SAP Host Agent 7.21

SAP Host Agent, version 7.21, allows an unprivileged user to read the shared memory or write to the shared memory by sending request to the main SAPOSCOL process and receive responses that may contain data read with user root privileges e.g.

6.4
2020-02-12 CVE-2020-8894 Misp Unspecified vulnerability in Misp

An issue was discovered in MISP before 2.4.121.

6.4
2020-02-10 CVE-2020-7060 PHP Out-Of-Bounds Read vulnerability in PHP

When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer.

6.4
2020-02-10 CVE-2020-7059 PHP Out-Of-Bounds Read vulnerability in PHP

When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer.

6.4
2020-02-13 CVE-2020-6973 Digi Cross-Site Scripting vulnerability in Digi products

Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 (82002228_K 08/09/2018), bios Version 1.2.

6.3
2020-02-10 CVE-2019-19195 Microchip Unspecified vulnerability in Microchip Atmsamb11 Blusdk Smart 6.2

The Bluetooth Low Energy implementation on Microchip Technology BluSDK Smart through 6.2 for ATSAMB11 devices does not properly restrict link-layer data length on reception, allowing attackers in radio range to cause a denial of service (crash) via a crafted packet.

6.1
2020-02-10 CVE-2019-19193 TI Unspecified vulnerability in TI Ble-Stack and Cc2640R2 Software Development KIT

The Bluetooth Low Energy peripheral implementation on Texas Instruments SIMPLELINK-CC2640R2-SDK through 3.30.00.20 and BLE-STACK through 1.5.0 before Q4 2019 for CC2640R2 and CC2540/1 devices does not properly restrict the advertisement connection request packet on reception, allowing attackers in radio range to cause a denial of service (crash) via a crafted packet.

6.1
2020-02-10 CVE-2019-17520 TI Classic Buffer Overflow vulnerability in TI Cc2640R2 Software Development KIT

The Bluetooth Low Energy implementation on Texas Instruments SDK through 3.30.00.20 for CC2640R2 devices does not properly restrict the SM Public Key packet on reception, allowing attackers in radio range to cause a denial of service (crash) via crafted packets.

6.1
2020-02-10 CVE-2019-17518 Dialog Semiconductor Classic Buffer Overflow vulnerability in Dialog-Semiconductor Software Development KIT 1.0.14.1081

The Bluetooth Low Energy implementation on Dialog Semiconductor SDK through 1.0.14.1081 for DA1468x devices responds to link layer packets with a payload length larger than expected, allowing attackers in radio range to cause a buffer overflow via a crafted packet.

6.1
2020-02-10 CVE-2019-17517 Dialog Semiconductor Classic Buffer Overflow vulnerability in Dialog-Semiconductor Software Development KIT 1.0.14.1081/5.0.4

The Bluetooth Low Energy implementation on Dialog Semiconductor SDK through 5.0.4 for DA14580/1/2/3 devices does not properly restrict the L2CAP payload length, allowing attackers in radio range to cause a buffer overflow via a crafted Link Layer packet.

6.1
2020-02-10 CVE-2019-17061 Cypress Classic Buffer Overflow vulnerability in Cypress Psoc 4 BLE 3.62

The Bluetooth Low Energy (BLE) stack implementation on Cypress PSoC 4 through 3.62 devices does not properly restrict the BLE Link Layer header and executes certain memory contents upon receiving a packet with a Link Layer ID (LLID) equal to zero.

6.1
2020-02-10 CVE-2019-17060 NXP Classic Buffer Overflow vulnerability in NXP Mcuxpresso Software Development KIT 2.2.1

The Bluetooth Low Energy (BLE) stack implementation on the NXP KW41Z (based on the MCUXpresso SDK with Bluetooth Low Energy Driver 2.2.1 and earlier) does not properly restrict the BLE Link Layer header and executes certain memory contents upon receiving a packet with a Link Layer ID (LLID) equal to zero.

6.1
2020-02-14 CVE-2020-8612 Progess
Progress
Cross-Site Scripting vulnerability in multiple products

In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, a REST API endpoint failed to adequately sanitize malicious input, which could allow an authenticated attacker to execute arbitrary code in a victim's browser, aka XSS.

6.0
2020-02-11 CVE-2020-1711 Qemu
Redhat
Debian
Opensuse
Out-Of-Bounds Write vulnerability in multiple products

An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine.

6.0
2020-02-11 CVE-2020-8596 Xnau SQL Injection vulnerability in Xnau Participants Database

participants-database.php in the Participants Database plugin 1.9.5.5 and previous versions for WordPress has a time-based SQL injection vulnerability via the ascdesc, list_filter_count, or sortBy parameters.

6.0
2020-02-16 CVE-2020-8997 Abbott Out-Of-Bounds Write vulnerability in Abbott Freestyle Libre Firmware

Older generation Abbott FreeStyle Libre sensors allow remote attackers within close proximity to enable write access to memory via a specific NFC unlock command.

5.8
2020-02-14 CVE-2020-8843 Istio Improper Input Validation vulnerability in Istio

An issue was discovered in Istio 1.3 through 1.3.6.

5.8
2020-02-14 CVE-2019-19758 Lenovo Open Redirect vulnerability in Lenovo products

A vulnerability in the web interface of Lenovo EZ Media & Backup Center, ix2 & ix2-dl version 4.1.406.34763 and prior could allow an unauthenticated, remote attacker to redirect a user to an untrusted web page.

5.8
2020-02-12 CVE-2020-5399 Cloudfoundry
Pivotal Software
Cleartext Transmission of Sensitive Information vulnerability in multiple products

Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL database without TLS even when configured to use TLS.

5.8
2020-02-12 CVE-2019-17519 NXP Classic Buffer Overflow vulnerability in NXP Kw41Z SDK 2.2.1

The Bluetooth Low Energy implementation on NXP SDK through 2.2.1 for KW41Z devices does not properly restrict the Link Layer payload length, allowing attackers in radio range to cause a buffer overflow via a crafted packet.

5.8
2020-02-12 CVE-2019-19194 Telink Semi Unspecified vulnerability in Telink-Semi products

The Bluetooth Low Energy Secure Manager Protocol (SMP) implementation on Telink Semiconductor BLE SDK versions before November 2019 for TLSR8x5x through 3.4.0, TLSR823x through 1.3.0, and TLSR826x through 3.3 devices installs a zero long term key (LTK) if an out-of-order link-layer encryption request is received during Secure Connections pairing.

5.8
2020-02-11 CVE-2020-0695 Microsoft Improper Input Validation vulnerability in Microsoft Office Online Server

A spoofing vulnerability exists when Office Online Server does not validate origin in cross-origin communications correctly, aka 'Microsoft Office Online Server Spoofing Vulnerability'.

5.8
2020-02-11 CVE-2020-1726 Libpod Project
Redhat
Files OR Directories Accessible TO External Parties vulnerability in multiple products

A flaw was discovered in Podman where it incorrectly allows containers when created to overwrite existing files in volumes, even if they are mounted as read-only.

5.8
2020-02-11 CVE-2014-6447 Juniper Cross-Site Scripting vulnerability in Juniper Junos

Multiple vulnerabilities exist in Juniper Junos J-Web error handling that may lead to cross site scripting (XSS) issues or crash the J-Web service (DoS).

5.8
2020-02-11 CVE-2020-6412 Google
Opensuse
Improper Input Validation vulnerability in multiple products

Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.

5.8
2020-02-11 CVE-2020-6411 Google Improper Input Validation vulnerability in Google Chrome

Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.

5.8
2020-02-11 CVE-2020-6394 Google
Opensuse
Improper Input Validation vulnerability in multiple products

Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass content security policy via a crafted HTML page.

5.8
2020-02-10 CVE-2019-19669 Maxum Cross-Site Request Forgery (CSRF) vulnerability in Maxum Rumpus FTP 8.2.9.1

A CSRF vulnerability exists in the Upload Center Forms Component of Web File Manager in Rumpus FTP 8.2.9.1.

5.8
2020-02-10 CVE-2019-19667 Maxum Cross-Site Request Forgery (CSRF) vulnerability in Maxum Rumpus FTP 8.2.9.1

A CSRF vulnerability exists in the Block Clients component of Web File Manager in Rumpus FTP 8.2.9.1 that could allow an attacker to whitelist or block any IP address via RAPR/BlockedClients.html.

5.8
2020-02-10 CVE-2019-19664 Maxum Cross-Site Request Forgery (CSRF) vulnerability in Maxum Rumpus FTP 8.2.9.1

A CSRF vulnerability exists in the Web Settings of Web File Manager in Rumpus FTP 8.2.9.1.

5.8
2020-02-10 CVE-2019-19663 Maxum Cross-Site Request Forgery (CSRF) vulnerability in Maxum Rumpus 8.2.9.1

A CSRF vulnerability exists in the Folder Sets Settings of Web File Manager in Rumpus FTP 8.2.9.1.

5.8
2020-02-11 CVE-2020-0661 Microsoft Improper Input Validation vulnerability in Microsoft products

A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system, aka 'Windows Hyper-V Denial of Service Vulnerability'.

5.5
2020-02-10 CVE-2019-13321 MI Incorrect Permission Assignment FOR Critical Resource vulnerability in MI Browser

This vulnerability allows network adjacent attackers to execute arbitrary code on affected installations of Xiaomi Browser Prior to 10.4.0.

5.4
2020-02-12 CVE-2020-8945 Gnupg
Redhat
Fedoraproject
USE After Free vulnerability in multiple products

The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O.

5.1
2020-02-14 CVE-2019-13967 Combodo Unspecified vulnerability in Combodo Itop

iTop 2.2.0 through 2.6.0 allows remote attackers to cause a denial of service (application outage) via many requests to launch a compile operation.

5.0
2020-02-14 CVE-2019-6193 Lenovo Information Exposure vulnerability in Lenovo Xclarity Administrator

An information disclosure vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.6.6 that could allow unauthenticated access to some configuration files which may contain usernames, license keys, IP addresses, and encrypted password hashes.

5.0
2020-02-14 CVE-2019-19879 Hashicorp Unspecified vulnerability in Hashicorp Sentinel

HashiCorp Sentinel up to 0.10.1 incorrectly parsed negation in certain policy expressions.

5.0
2020-02-14 CVE-2019-20454 Pcre Out-Of-Bounds Read vulnerability in Pcre Pcre2 10.31/10.32/10.33

An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode.

5.0
2020-02-14 CVE-2013-5687 Aicorporation Information Exposure vulnerability in Aicorporation Risknet Acquirer 6.0

RiskNet Acquirer before hotfix 6.0 b7+ADHOC-443 ApplicationServiceBean contains a service information disclosure.

5.0
2020-02-13 CVE-2013-6362 Xerox USE of Hard-Coded Credentials vulnerability in Xerox products

Xerox ColorCube and WorkCenter devices in 2013 had hardcoded FTP and shell user accounts.

5.0
2020-02-13 CVE-2013-6360 Trendnet Improper Authentication vulnerability in Trendnet Ts-S402 Firmware 2.00.11

TRENDnet TS-S402 has a backdoor to enable TELNET.

5.0
2020-02-13 CVE-2013-6277 Qnap USE of Hard-Coded Credentials vulnerability in Qnap Viocard 300 Firmware Rsb3722/Rsb4631

QNAP VioCard 300 has hardcoded RSA private keys.

5.0
2020-02-13 CVE-2020-8989 Voatz Information Exposure Through Discrepancy vulnerability in Voatz 20200101

In the Voatz application 2020-01-01 for Android, the amount of data transmitted during a single voter's vote depends on the different lengths of the metadata across the available voting choices, which makes it easier for remote attackers to discover this voter's choice by sniffing the network.

5.0
2020-02-13 CVE-2015-3309 Etherpad Path Traversal vulnerability in Etherpad

Directory traversal vulnerability in node/utils/Minify.js in Etherpad 1.1.2 through 1.5.4 allows remote attackers to read arbitrary files with permissions of the user running the service via a ..

5.0
2020-02-13 CVE-2014-3208 Askpop3D Project Buffer Errors vulnerability in Askpop3D Project Askpop3D 0.7.7

A Denial of Service vulnerability exists in askpop3d 0.7.7 in free (pszQuery),

5.0
2020-02-13 CVE-2012-6091 Magentocommerce Information Exposure vulnerability in Magentocommerce Magento

Zend_XmlRpc Class in Magento before 1.7.0.2 contains an information disclosure vulnerability.

5.0
2020-02-13 CVE-2012-5623 Squirrelmail USE of A Broken OR Risky Cryptographic Algorithm vulnerability in Squirrelmail Change Passwd 4.0

Squirrelmail 4.0 uses the outdated MD5 hash algorithm for passwords.

5.0
2020-02-13 CVE-2020-3759 Adobe Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.10 and below have a buffer errors vulnerability.

5.0
2020-02-13 CVE-2020-3756 Adobe Resource Exhaustion vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a stack exhaustion vulnerability.

5.0
2020-02-13 CVE-2020-3755 Adobe Out-Of-Bounds Read vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an out-of-bounds read vulnerability.

5.0
2020-02-13 CVE-2020-3753 Adobe Resource Exhaustion vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have a stack exhaustion vulnerability.

5.0
2020-02-13 CVE-2020-3747 Adobe Out-Of-Bounds Read vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an out-of-bounds read vulnerability.

5.0
2020-02-13 CVE-2020-3744 Adobe Out-Of-Bounds Read vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an out-of-bounds read vulnerability.

5.0
2020-02-13 CVE-2020-3741 Adobe Resource Exhaustion vulnerability in Adobe Experience Manager 6.4/6.5

Adobe Experience Manager versions 6.5, and 6.4 have an uncontrolled resource consumption vulnerability.

5.0
2020-02-13 CVE-2019-4592 IBM Unspecified vulnerability in IBM Tivoli Monitoring 6.3.0.7.10/6.3.0.7.3

IBM Tivoli Monitoring Service 6.3.0.7.3 through 6.3.0.7.10 could allow an unauthorized user to access and modify operation aspects of the ITM monitoring server possibly leading to an effective denial of service or disabling of the monitoring server.

5.0
2020-02-13 CVE-2019-5322 Arubanetworks Unspecified vulnerability in Arubanetworks products

A remotely exploitable information disclosure vulnerability is present in Aruba Intelligent Edge Switch models 5400, 3810, 2920, 2930, 2530 with GigT port, 2530 10/100 port, or 2540.

5.0
2020-02-12 CVE-2020-6190 SAP Information Exposure vulnerability in SAP Netweaver Application Server Java

Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system like hostname, server node and installation path that could be misused by an attacker leading to Information Disclosure.

5.0
2020-02-12 CVE-2020-6189 SAP Information Exposure vulnerability in SAP Businessobjects Business Intelligence Platform 4.2

Certain settings page(s) in SAP Business Objects Business Intelligence Platform (CMC), version 4.2, generates error messages that can give enterprise private-network related information which would otherwise be restricted leading to Information Disclosure.

5.0
2020-02-12 CVE-2020-6186 SAP Missing Authentication FOR Critical Function vulnerability in SAP Host Agent 7.21

SAP Host Agent, version 7.21, allows an attacker to cause a slowdown in processing of username/password-based authentication requests of the SAP Host Agent, leading to Denial of Service.

5.0
2020-02-12 CVE-2020-6181 SAP Unspecified vulnerability in SAP Abap Platform and Netweaver

Under some circumstances the SAML SSO implementation in the SAP NetWeaver (SAP_BASIS versions 702, 730, 731, 740 and SAP ABAP Platform (SAP_BASIS versions 750, 751, 752, 753, 754), allows an attacker to include invalidated data in the HTTP response header sent to a Web user, leading to HTTP Response Splitting vulnerability.

5.0
2020-02-12 CVE-2011-3901 Google Information Exposure vulnerability in Google Android 2.3.7

Android SQLite Journal before 4.0.1 has an information disclosure vulnerability.

5.0
2020-02-12 CVE-2013-7286 ATT
Apache
Insufficiently Protected Credentials vulnerability in multiple products

MobileIron VSP < 5.9.1 and Sentry < 5.0 has a weak password obfuscation algorithm

5.0
2020-02-12 CVE-2020-7957 Dovecot Improper Input Validation vulnerability in Dovecot 2.3.9/2.3.9.1/2.3.9.2

The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists.

5.0
2020-02-12 CVE-2019-4741 IBM
Linux
Microsoft
Server-Side Request Forgery (SSRF) vulnerability in IBM Content Navigator 3.0.0

IBM Content Navigator 3.0CD is vulnerable to Server Side Request Forgery (SSRF).

5.0
2020-02-12 CVE-2019-4427 IBM
Microsoft
USE of A Broken OR Risky Cryptographic Algorithm vulnerability in IBM Cloud CLI

IBM Cloud CLI 0.6.0 through 0.16.1 windows installers are signed using SHA1 certificate.

5.0
2020-02-12 CVE-2013-4090 Varnish Cache Unspecified vulnerability in Varnish-Cache Varnish

Varnish HTTP cache before 3.0.4: ACL bug

5.0
2020-02-12 CVE-2013-1924 Skill Unspecified vulnerability in Skill Commerce Skrill

Commerce Skrill (Formerly Moneybookers) has an Access bypass vulnerability in all versions prior to 7.x-1.2

5.0
2020-02-12 CVE-2020-8815 Iktm Improper Input Validation vulnerability in Iktm Bearftp

Improper connection handling in the base connection handler in IKTeam BearFTP before v0.3.1 allows a remote attacker to achieve denial of service via a Slowloris approach by sending a large volume of small packets.

5.0
2020-02-12 CVE-2020-2119 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Azure AD

Jenkins Azure AD Plugin 1.1.2 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

5.0
2020-02-12 CVE-2020-2114 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins S3 Publisher

Jenkins S3 publisher Plugin 0.11.4 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

5.0
2020-02-12 CVE-2014-6262 Zenoss USE of Externally-Controlled Format String vulnerability in Zenoss Core 4.2.4

Multiple format string vulnerabilities in the python module in RRDtool, as used in Zenoss Core before 4.2.5 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted third argument to the rrdtool.graph function, aka ZEN-15415, a related issue to CVE-2013-2131.

5.0
2020-02-12 CVE-2020-8893 Misp Unspecified vulnerability in Misp

An issue was discovered in MISP before 2.4.121.

5.0
2020-02-11 CVE-2020-0746 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists in the way that Microsoft Graphics Components handle objects in memory, aka 'Microsoft Graphics Components Information Disclosure Vulnerability'.

5.0
2020-02-11 CVE-2020-0660 Microsoft Improper Input Validation vulnerability in Microsoft products

A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests, aka 'Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability'.

5.0
2020-02-11 CVE-2020-1942 Apache Information Exposure vulnerability in Apache Nifi

In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values.

5.0
2020-02-11 CVE-2019-13941 Siemens Files OR Directories Accessible TO External Parties vulnerability in Siemens Ozw672 Firmware and Ozw772 Firmware

A vulnerability has been identified in OZW672 (All versions < V10.00), OZW772 (All versions < V10.00).

5.0
2020-02-11 CVE-2019-13940 Siemens Resource Exhaustion vulnerability in Siemens products

A vulnerability has been identified in SIMATIC S7-1200 CPU family (incl.

5.0
2020-02-11 CVE-2019-13925 Siemens Resource Exhaustion vulnerability in Siemens products

A vulnerability has been identified in SCALANCE S602 (All versions >= V3.0), SCALANCE S612 (All versions >= V3.0), SCALANCE S623 (All versions >= V3.0), SCALANCE S627-2M (All versions >= V3.0).

5.0
2020-02-11 CVE-2018-14553 Libgd Null Pointer Dereference vulnerability in Libgd

gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing attackers to crash an application via a specific function call sequence.

5.0
2020-02-11 CVE-2020-7217 Opensuse Missing Release of Resource After Effective Lifetime vulnerability in Opensuse Wicked

An ni_dhcp4_fsm_process_dhcp4_packet memory leak in openSUSE wicked 0.6.55 and earlier allows network attackers to cause a denial of service by sending DHCP4 packets with a different client-id.

5.0
2020-02-11 CVE-2020-3935 Secom Cleartext Storage of Sensitive Information vulnerability in Secom Dr.Id Access Control and Dr.Id Attendance System

TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, stores users’ information by cleartext in the cookie, which divulges password to attackers.

5.0
2020-02-11 CVE-2020-3933 Secom Information Exposure vulnerability in Secom Dr.Id Access Control and Dr.Id Attendance System

TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, allows attackers to enumerate and exam user account in the system.

5.0
2020-02-10 CVE-2019-20062 Mfscripts USE of Password Hash With Insufficient Computational Effort vulnerability in Mfscripts Yetishare

MFScripts YetiShare v3.5.2 through v4.5.4 might allow an attacker to reset a password by using a leaked hash (the hash never expires until used).

5.0
2020-02-10 CVE-2019-20061 Mfscripts Cleartext Transmission of Sensitive Information vulnerability in Mfscripts Yetishare

The user-introduction email in MFScripts YetiShare v3.5.2 through v4.5.4 may leak the (system-picked) password if this email is sent in cleartext.

5.0
2020-02-10 CVE-2019-20060 Mfscripts Insecure Storage of Sensitive Information vulnerability in Mfscripts Yetishare

MFScripts YetiShare v3.5.2 through v4.5.4 places sensitive information in the Referer header.

5.0
2020-02-14 CVE-2020-8992 Linux Resource Exhaustion vulnerability in Linux Kernel

ext4_protect_reserved_inode in fs/ext4/block_validity.c in the Linux kernel through 5.5.3 allows attackers to cause a denial of service (soft lockup) via a crafted journal size.

4.9
2020-02-13 CVE-2020-0020 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Android 10.0

In getAttributeRange of ExifInterface.java, there is a possible failure to redact location information from media files due to an incorrect bounds check.

4.9
2020-02-12 CVE-2020-1976 Paloaltonetworks Improper Input Validation vulnerability in Paloaltonetworks Globalprotect

A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect software running on Mac OS allows authenticated local users to cause the Mac OS kernel to hang or crash.

4.9
2020-02-12 CVE-2015-7890 Samsung Classic Buffer Overflow vulnerability in Samsung Galaxy S6 Edge Firmware

Multiple buffer overflows in the esa_write function in /dev/seirenin the Exynos Seiren Audio driver, as used in Samsung S6 Edge, allow local users to cause a denial of service (memory corruption) via a large (1) buffer or (2) size parameter.

4.9
2020-02-12 CVE-2012-0810 Linux Resource Exhaustion vulnerability in Linux Kernel

The int3 handler in the Linux kernel before 3.3 relies on a per-CPU debug stack, which allows local users to cause a denial of service (stack corruption and panic) via a crafted application that triggers certain lock contention.

4.9
2020-02-11 CVE-2020-0728 Microsoft Information Exposure vulnerability in Microsoft products

An information vulnerability exists when Windows Modules Installer Service improperly discloses file information, aka 'Windows Modules Installer Service Information Disclosure Vulnerability'.

4.9
2020-02-10 CVE-2012-2204 IBM Unspecified vulnerability in IBM Infosphere Guardium 8.0.0/8.2.0

InfoSphere Guardium aix_ktap module: DoS

4.9
2020-02-13 CVE-2020-0023 Google Incorrect Default Permissions vulnerability in Google Android 10.0

In setPhonebookAccessPermission of AdapterService.java, there is a possible disclosure of user contacts over bluetooth due to a missing permission check.

4.7
2020-02-13 CVE-2020-0564 Intel Incorrect Default Permissions vulnerability in Intel Raid web Console 3 4.186/7.009.011.000

Improper permissions in the installer for Intel(R) RWC3 for Windows before version 7.010.009.000 may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2020-02-13 CVE-2020-0563 Intel Improper Privilege Management vulnerability in Intel Manycore Platform Software Stack

Improper permissions in the installer for Intel(R) MPSS before version 3.8.6 may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2020-02-13 CVE-2020-0562 Intel Incorrect Default Permissions vulnerability in Intel Raid web Console 2

Improper permissions in the installer for Intel(R) RWC2, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2020-02-13 CVE-2020-0561 Intel Improper Initialization vulnerability in Intel Software Guard Extensions SDK

Improper initialization in the Intel(R) SGX SDK before v2.6.100.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2020-02-13 CVE-2019-14598 Intel Improper Authentication vulnerability in Intel Converged Security Management Engine Firmware

Improper Authentication in subsystem in Intel(R) CSME versions 12.0 through 12.0.48 (IOT only: 12.0.56), versions 13.0 through 13.0.20, versions 14.0 through 14.0.10 may allow a privileged user to potentially enable escalation of privilege, denial of service or information disclosure via local access.

4.6
2020-02-13 CVE-2020-0560 Intel Incorrect Default Permissions vulnerability in Intel Renesas Electronics USB 3.0 Driver

Improper permissions in the installer for the Intel(R) Renesas Electronics(R) USB 3.0 Driver, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access.

4.6
2020-02-13 CVE-2019-18915 HP Improper Input Validation vulnerability in HP System Event Utility 1.4.32

A potential security vulnerability has been identified with certain versions of HP System Event Utility prior to version 1.4.33.

4.6
2020-02-12 CVE-2012-0951 Nvidia Out-Of-Bounds Write vulnerability in Nvidia Display Driver 295.49/295.53

A Memory Corruption Vulnerability exists in NVIDIA Graphics Drivers 29549 due to an unknown function in the file proc/driver/nvidia/registry.

4.6
2020-02-11 CVE-2020-0754 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files, aka 'Windows Error Reporting Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0753 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files, aka 'Windows Error Reporting Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0752 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka 'Windows Search Indexer Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0750 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory, aka 'Connected Devices Platform Service Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0749 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory, aka 'Connected Devices Platform Service Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0747 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations, aka 'Windows Data Sharing Service Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0743 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory, aka 'Connected Devices Platform Service Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0742 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory, aka 'Connected Devices Platform Service Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0741 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory, aka 'Connected Devices Platform Service Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0740 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the Connected Devices Platform Service handles objects in memory, aka 'Connected Devices Platform Service Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0739 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the dssvc.dll handles file creation allowing for a file overwrite or creation in a secured location, aka 'Windows Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0737 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the tapisrv.dll handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0735 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka 'Windows Search Indexer Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0733 Microsoft Improper Privilege Management vulnerability in Microsoft Windows Malicious Software Removal Tool

An elevation of privilege vulnerability exists when the Windows Malicious Software Removal Tool (MSRT) improperly handles junctions.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Malicious Software Removal Tool Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0727 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Connected User Experiences and Telemetry Service improperly handles file operations, aka 'Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0702 Microsoft Incorrect Authorization vulnerability in Microsoft Surface HUB Firmware

A security feature bypass vulnerability exists in Surface Hub when prompting for credentials, aka 'Surface Hub Security Feature Bypass Vulnerability'.

4.6
2020-02-11 CVE-2020-0701 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the Windows Client License Service (ClipSVC) handles objects in memory, aka 'Windows Client License Service Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0689 Microsoft Improper Input Validation vulnerability in Microsoft products

A security feature bypass vulnerability exists in secure boot, aka 'Microsoft Secure Boot Security Feature Bypass Vulnerability'.

4.6
2020-02-11 CVE-2020-0680 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory, aka 'Windows Function Discovery Service Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0679 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory, aka 'Windows Function Discovery Service Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0669 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0668 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0667 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka 'Windows Search Indexer Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0666 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka 'Windows Search Indexer Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0659 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations, aka 'Windows Data Sharing Service Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-0657 Microsoft Improper Privilege Management vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory, aka 'Windows Common Log File System Driver Elevation of Privilege Vulnerability'.

4.6
2020-02-11 CVE-2020-5823 Symantec Improper Privilege Management vulnerability in Symantec Endpoint Protection

Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

4.6
2020-02-11 CVE-2020-5822 Symantec Improper Privilege Management vulnerability in Symantec Endpoint Protection

Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

4.6
2020-02-11 CVE-2020-5821 Symantec Injection vulnerability in Symantec Endpoint Protection

Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to a DLL injection vulnerability, which is a type of issue whereby an individual attempts to execute their own code in place of legitimate code as a means to perform an exploit.

4.6
2020-02-11 CVE-2020-5820 Symantec Improper Privilege Management vulnerability in Symantec Endpoint Protection

Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

4.6
2020-02-11 CVE-2020-6417 Google Unspecified vulnerability in Google Chrome

Inappropriate implementation in installer in Google Chrome prior to 80.0.3987.87 allowed a local attacker to execute arbitrary code via a crafted registry entry.

4.6
2020-02-11 CVE-2020-6404 Google
Opensuse
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Inappropriate implementation in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

4.6
2020-02-11 CVE-2014-8347 Claris Improper Authentication vulnerability in Claris Filemaker PRO and Filemaker PRO Advanced

An Authentication Bypass vulnerability exists in the MatchPasswordData function in DBEngine.dll in Filemaker Pro 13.03 and Filemaker Pro Advanced 12.04, which could let a malicious user obtain elevated privileges.

4.6
2020-02-16 CVE-2019-20456 Goverlan
Microsoft
Untrusted Search Path vulnerability in Goverlan Client Agent, Reach Console and Reach Server

Goverlan Reach Console before 9.50, Goverlan Reach Server before 3.50, and Goverlan Client Agent before 9.20.50 have an Untrusted Search Path that leads to Command Injection and Local Privilege Escalation via DLL hijacking.

4.4
2020-02-13 CVE-2020-0015 Google Improper Privilege Management vulnerability in Google Android

In onCreate of CertInstaller.java, there is a possible way to overlay the Certificate Installation dialog by a malicious application.

4.4
2020-02-12 CVE-2014-3860 Xilisoft Untrusted Search Path vulnerability in Xilisoft Video Converter 7.8.1

Xilisoft Video Converter Ultimate 7.8.1 build-20140505 has a DLL Hijacking vulnerability

4.4
2020-02-12 CVE-2019-19921 Linuxfoundation
Debian
Opensuse
USE of Incorrectly-Resolved Name OR Reference vulnerability in multiple products

runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go.

4.4
2020-02-16 CVE-2020-9012 Gluu Cross-Site Scripting vulnerability in Gluu Server 4.0

A cross-site scripting (XSS) vulnerability in the Import People functionality in Gluu Identity Configuration 4.0 allows remote attackers to inject arbitrary web script or HTML via the filename parameter.

4.3
2020-02-14 CVE-2019-13966 Combodo Cross-Site Scripting vulnerability in Combodo Itop

In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard.

4.3
2020-02-14 CVE-2019-13965 Combodo Cross-Site Scripting vulnerability in Combodo Itop

Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php.

4.3
2020-02-14 CVE-2020-8852 Foxitsoftware Out-Of-Bounds Read vulnerability in Foxitsoftware Reader

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 9.7.0.29455.

4.3
2020-02-14 CVE-2019-6194 Lenovo XXE vulnerability in Lenovo Xclarity Administrator

An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.6.6 that could allow information disclosure.

4.3
2020-02-14 CVE-2019-20455 Globalpayments Improper Certificate Validation vulnerability in Globalpayments PHP SDK

Gateways/Gateway.php in Heartland & Global Payments PHP SDK before 2.0.0 does not enforce SSL certificate validations.

4.3
2020-02-14 CVE-2013-5212 Easyxdm Cross-Site Scripting vulnerability in Easyxdm

Cross-site Scripting (XSS) in EasyXDM before 2.4.18 allows remote attackers to inject arbitrary web script or html via the easyxdm.swf file.

4.3
2020-02-13 CVE-2020-8988 Voatz Insufficiently Protected Credentials vulnerability in Voatz 20200101

The Voatz application 2020-01-01 for Android allows only 100 million different PINs, which makes it easier for attackers (after using root access to make a copy of the local database) to discover login credentials and voting history via an offline brute-force approach.

4.3
2020-02-13 CVE-2014-3919 Netgear Cross-Site Scripting vulnerability in Netgear Cg3100 Firmware

A vulnerability exists in Netgear CG3100 devices before 3.9.2421.13.mp3 V0027 via an embed malicious script in an unspecified page, which could let a malicious user obtain sensitive information.

4.3
2020-02-13 CVE-2020-8981 Mantisbt Cross-Site Scripting vulnerability in Mantisbt Source Integration

A cross-site scripting (XSS) vulnerability was discovered in the Source Integration plugin before 1.6.2 and 2.x before 2.3.1 for MantisBT.

4.3
2020-02-13 CVE-2019-10785 Linuxfoundation
Debian
Cross-Site Scripting vulnerability in multiple products

dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9.

4.3
2020-02-13 CVE-2020-7051 Codologic Cross-Site Scripting vulnerability in Codologic Codoforum 2.5.1/4.8.3/4.8.4

Codologic Codoforum through 4.8.4 allows stored XSS in the login area.

4.3
2020-02-13 CVE-2020-0014 Google Improper Restriction of Rendered UI Layers OR Frames vulnerability in Google Android

It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable.

4.3
2020-02-13 CVE-2019-14652 Amazon Cross-Site Scripting vulnerability in Amazon AWS Javascript S3 Explorer 1.0.0

explorer.js in Amazon AWS JavaScript S3 Explorer (aka aws-js-s3-explorer) v2 alpha before 2019-08-02 allows XSS in certain circumstances.

4.3
2020-02-13 CVE-2020-7208 HP Cross-Site Scripting vulnerability in HP Linuxki

LinuxKI v6.0-1 and earlier is vulnerable to an XSS which is resolved in release 6.0-2.

4.3
2020-02-12 CVE-2013-6022 Tiki Cross-Site Scripting vulnerability in Tiki Tikiwiki Cms/Groupware

A Cross-Site Scripting (XSS) vulnerability exists in Tiki Wiki CMG Groupware 11.0 via the id paraZeroClipboard.swf, which could let a remote malicious user execute arbitrary code.

4.3
2020-02-12 CVE-2020-6193 SAP Cross-Site Scripting vulnerability in SAP Netweaver Knowledge Management

SAP NetWeaver (Knowledge Management ICE Service), versions 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to execute malicious scripts leading to Reflected Cross-Site Scripting (XSS) vulnerability.

4.3
2020-02-12 CVE-2020-6184 SAP Cross-Site Scripting vulnerability in SAP Netweaver and S/4Hana

Under certain conditions, ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), does not sufficiently encode user-controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability.

4.3
2020-02-12 CVE-2011-2499 Mambo Foundation Cross-Site Scripting vulnerability in Mambo-Foundation Mambo CMS

Mambo CMS through 4.6.5 has multiple XSS.

4.3
2020-02-12 CVE-2013-2637 Otrs
Opensuse
Cross-Site Scripting vulnerability in multiple products

A Cross-Site Scripting (XSS) Vulnerability exists in OTRS ITSM prior to 3.2.4, 3.1.8, and 3.0.7 and FAQ prior to 2.1.4 and 2.0.8 via changes, workorder items, and FAQ articles, which could let a remote malicious user execute arbitrary code.

4.3
2020-02-12 CVE-2011-4661 Cisco Missing Release of Resource After Effective Lifetime vulnerability in Cisco IOS

A memory leak vulnerability exists in Cisco IOS before 15.2(1)T due to a memory leak in the HTTP PROXY Server process (aka CSCtu52820), when configured with Cisco ISR Web Security with Cisco ScanSafe and User Authenticaiton NTLM configured.

4.3
2020-02-12 CVE-2013-6681 Mapway Information Exposure vulnerability in Mapway Tube MAP

Tube Map Live Underground for Android before 3.0.22 has an Information Disclosure Vulnerability

4.3
2020-02-12 CVE-2013-4395 Simplemachines Cross-Site Scripting vulnerability in Simplemachines Simple Machines Forum

Simple Machines Forum (SMF) through 2.0.5 has XSS

4.3
2020-02-12 CVE-2013-1938 Zimbra Cross-Site Scripting vulnerability in Zimbra 2013

Zimbra 2013 has XSS in aspell.php

4.3
2020-02-12 CVE-2020-8839 Chiyu T Cross-Site Scripting vulnerability in Chiyu-T Bf-430 Firmware

Stored XSS was discovered on CHIYU BF-430 232/485 TCP/IP Converter devices before 1.16.00, as demonstrated by the /if.cgi TF_submask field.

4.3
2020-02-12 CVE-2013-1410 Perforce Cross-Site Scripting vulnerability in Perforce P4Web 2011.1/2012.1

Perforce P4web 2011.1 and 2012.1 has multiple XSS vulnerabilities

4.3
2020-02-12 CVE-2019-20100 Atlassian Cross-Site Request Forgery (CSRF) vulnerability in Atlassian Jira

The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF).

4.3
2020-02-12 CVE-2019-20099 Atlassian Cross-Site Request Forgery (CSRF) vulnerability in Atlassian Jira

The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF).

4.3
2020-02-12 CVE-2019-20098 Atlassian Cross-Site Request Forgery (CSRF) vulnerability in Atlassian Jira

The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF).

4.3
2020-02-12 CVE-2014-2560 Phoner USE of Password Hash With Insufficient Computational Effort vulnerability in Phoner Phonerlite

The PhonerLite phone before 2.15 provides hashed credentials in a response to an invalid authentication challenge, which makes it easier for remote attackers to obtain access via a brute-force attack, related to a "SIP Digest Leak" issue.

4.3
2020-02-12 CVE-2009-5140 Linksys Improper Restriction of Excessive Authentication Attempts vulnerability in Linksys Spa2102 Firmware

The SIP implementation on the Linksys SPA2102 phone adapter provides hashed credentials in a response to an invalid authentication challenge, which makes it easier for remote attackers to obtain access via a brute-force attack, related to a "SIP Digest Leak" issue.

4.3
2020-02-12 CVE-2009-5139 Google USE of Password Hash With Insufficient Computational Effort vulnerability in Google Gizmo5

The SIP implementation on the Gizmo5 software phone provides hashed credentials in a response to an invalid authentication challenge, which makes it easier for remote attackers to obtain access via a brute-force attack, related to a "SIP Digest Leak" issue.

4.3
2020-02-12 CVE-2014-8128 Libtiff
Apple
Out-Of-Bounds Write vulnerability in Libtiff

LibTIFF prior to 4.0.4, as used in Apple iOS before 8.4 and OS X before 10.10.4 and other products, allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image.

4.3
2020-02-12 CVE-2020-8891 Misp Unspecified vulnerability in Misp

An issue was discovered in MISP before 2.4.121.

4.3
2020-02-12 CVE-2020-8890 Misp Time-Of-Check Time-Of-Use (Toctou) Race Condition vulnerability in Misp

An issue was discovered in MISP before 2.4.121.

4.3
2020-02-11 CVE-2020-0706 Microsoft Information Exposure vulnerability in Microsoft Edge and Internet Explorer

An information disclosure vulnerability exists in the way that affected Microsoft browsers handle cross-origin requests, aka 'Microsoft Browser Information Disclosure Vulnerability'.

4.3
2020-02-11 CVE-2020-0696 Microsoft Unspecified vulnerability in Microsoft Office, Office 365 Proplus and Outlook

A security feature bypass vulnerability exists in Microsoft Outlook software when it improperly handles the parsing of URI formats, aka 'Microsoft Outlook Security Feature Bypass Vulnerability'.

4.3
2020-02-11 CVE-2011-4938 Muze Cross-Site Scripting vulnerability in Muze Ariadne 2.7.6

Multiple cross-site scripting (XSS) vulnerabilities in Ariadne 2.7.6 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO parameter to (1) index.php and (2) loader.php.

4.3
2020-02-11 CVE-2012-6720 Socialengine Cross-Site Scripting vulnerability in Socialengine 4.2.2

Multiple cross-site scripting (XSS) vulnerabilities in SocialEngine before 4.2.4 allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to music/create, (2) location parameter to events/create, or (3) search parameter to widget/index/content_id/*.

4.3
2020-02-11 CVE-2012-2517 Prestashop Cross-Site Scripting vulnerability in Prestashop

Cross-site scripting (XSS) vulnerability in PrestaShop before 1.4.9 allows remote attackers to inject arbitrary web script or HTML via the index of the product[] parameter to ajax.php.

4.3
2020-02-11 CVE-2012-2452 Pragmamx Cross-Site Scripting vulnerability in Pragmamx 1.0/1.12.1

Multiple cross-site scripting (XSS) vulnerabilities in pragmaMx 1.x before 1.12.2 allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter to modules.php or (2) img_url to includes/wysiwyg/spaw/editor/plugins/imgpopup/img_popup.php.

4.3
2020-02-11 CVE-2013-5988 Semperplugins Cross-Site Scripting vulnerability in Semperplugins ALL in ONE SEO Pack

A Cross-site Scripting (XSS) vulnerability exists in the All in One SEO Pack plugin before 2.0.3.1 for WordPress via the Search parameter.

4.3
2020-02-11 CVE-2013-1760 Thebuggenie Cross-Site Scripting vulnerability in Thebuggenie the BUG Genie

The Bug Genie before 3.2.6 has Multiple XSS and HTML Injection Vulnerabilities

4.3
2020-02-11 CVE-2012-4519 Zenphoto Cross-Site Scripting vulnerability in Zenphoto

Zenphoto before 1.4.3.4 admin-news-articles.php date parameter XSS.

4.3
2020-02-11 CVE-2019-13924 Siemens Improper Restriction of Rendered UI Layers OR Frames vulnerability in Siemens products

A vulnerability has been identified in SCALANCE X-200 switch family (incl.

4.3
2020-02-11 CVE-2020-6405 Google Out-Of-Bounds Read vulnerability in Google Chrome

Out of bounds read in SQLite in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

4.3
2020-02-11 CVE-2020-6403 Google
Opensuse
Improper Input Validation vulnerability in multiple products

Incorrect implementation in Omnibox in Google Chrome on iOS prior to 80.0.3987.87 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

4.3
2020-02-11 CVE-2020-6401 Google
Opensuse
Improper Input Validation vulnerability in multiple products

Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.

4.3
2020-02-11 CVE-2020-6400 Google
Opensuse
Information Exposure vulnerability in multiple products

Inappropriate implementation in CORS in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

4.3
2020-02-11 CVE-2020-6399 Google
Opensuse
Improper Input Validation vulnerability in multiple products

Insufficient policy enforcement in AppCache in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

4.3
2020-02-11 CVE-2020-6397 Google
Opensuse
Improper Input Validation vulnerability in multiple products

Inappropriate implementation in sharing in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to spoof security UI via a crafted HTML page.

4.3
2020-02-11 CVE-2020-6396 Google
Opensuse
Improper Input Validation vulnerability in multiple products

Inappropriate implementation in Skia in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

4.3
2020-02-11 CVE-2020-6395 Google Out-Of-Bounds Read vulnerability in Google Chrome

Out of bounds read in JavaScript in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

4.3
2020-02-11 CVE-2020-6393 Google
Opensuse
Improper Input Validation vulnerability in multiple products

Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

4.3
2020-02-11 CVE-2020-6392 Google
Opensuse
Improper Input Validation vulnerability in multiple products

Insufficient policy enforcement in extensions in Google Chrome prior to 80.0.3987.87 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.

4.3
2020-02-11 CVE-2020-6391 Google
Opensuse
Improper Input Validation vulnerability in multiple products

Insufficient validation of untrusted input in Blink in Google Chrome prior to 80.0.3987.87 allowed a local attacker to bypass content security policy via a crafted HTML page.

4.3
2020-02-10 CVE-2019-19668 Maxum Cross-Site Request Forgery (CSRF) vulnerability in Maxum Rumpus FTP 8.2.9.1

A CSRF vulnerability exists in the File Types component of Web File Manager in Rumpus FTP 8.2.9.1 that allows an attacker to add or delete the file types that are used on the server via RAPR/TriggerServerFunction.html.

4.3
2020-02-10 CVE-2019-19670 Maxum Unspecified vulnerability in Maxum Rumpus FTP 8.2.9.1

A HTTP Response Splitting vulnerability was identified in the Web Settings Component of Web File Manager in Rumpus FTP Server 8.2.9.1.

4.3
2020-02-10 CVE-2019-19666 Maxum Cross-Site Request Forgery (CSRF) vulnerability in Maxum Rumpus FTP 8.2.9.1

A CSRF vulnerability exists in the Event Notices Settings of Web File Manager in Rumpus FTP 8.2.9.1.

4.3
2020-02-10 CVE-2019-19661 Maxum Cross-Site Scripting vulnerability in Maxum Rumpus FTP 8.2.9.1

A Cookie based reflected XSS exists in the Web File Manager of Rumpus FTP Server 8.2.9.1, related to RumpusLoginUserName and snp.

4.3
2020-02-10 CVE-2019-19662 Maxum Cross-Site Request Forgery (CSRF) vulnerability in Maxum Rumpus FTP 8.2.9.1

A CSRF vulnerability exists in the Web File Manager's Create/Delete Accounts functionality of Rumpus FTP Server 8.2.9.1.

4.3
2020-02-10 CVE-2013-2108 Undolog Cross-Site Request Forgery (CSRF) vulnerability in Undolog Cleanfix 2.4.4

WordPress WP Cleanfix Plugin 2.4.4 has CSRF

4.3
2020-02-10 CVE-2019-19665 Maxum Cross-Site Request Forgery (CSRF) vulnerability in Maxum Rumpus 8.2.9.1

A CSRF vulnerability exists in the FTP Settings of Web File Manager in Rumpus FTP 8.2.9.1.

4.3
2020-02-10 CVE-2019-19660 Maxum Cross-Site Request Forgery (CSRF) vulnerability in Maxum Rumpus 8.2.9.1

A CSRF vulnerability exists in the Web File Manager's Network Setting functionality of Rumpus FTP Server 8.2.9.1.

4.3
2020-02-10 CVE-2012-5828 Blackberry Information Exposure vulnerability in Blackberry Playbook Firmware

BlackBerry PlayBook before 2.1 has an Information Disclosure Vulnerability via a Web browser component error

4.3
2020-02-10 CVE-2012-6666 Vbseo Cross-Site Scripting vulnerability in Vbseo 3.8.7

vBSeo before 3.6.0PL2 allows XSS via the member.php u parameter.

4.3
2020-02-10 CVE-2020-8823 Sockjs Project Cross-Site Scripting vulnerability in Sockjs Project Sockjs

htmlfile in lib/transport/htmlfile.js in SockJS before 0.3.0 is vulnerable to Reflected XSS via the /htmlfile c (aka callback) parameter.

4.3
2020-02-16 CVE-2020-9013 Arvato Improper Input Validation vulnerability in Arvato Skillpipe 3.0

Arvato Skillpipe 3.0 allows attackers to bypass intended print restrictions by deleting <div id="watermark"> from the HTML source code.

4.0
2020-02-16 CVE-2020-8996 Aishu Path Traversal vulnerability in Aishu Anyshare Cloud 6.0.9

AnyShare Cloud 6.0.9 allows authenticated directory traversal to read files, as demonstrated by the interface/downloadwithpath/downloadfile/?filepath=/etc/passwd URI.

4.0
2020-02-14 CVE-2019-15594 Gitlab Information Exposure vulnerability in Gitlab

GitLab 11.8 and later contains a security vulnerability that allows a user to obtain details of restricted pipelines via the merge request endpoint.

4.0
2020-02-14 CVE-2019-15592 Gitlab Information Exposure vulnerability in Gitlab

GitLab 12.2.2 and below contains a security vulnerability that allows a guest user in a private project to see the merge request ID associated to an issue via the activity timeline.

4.0
2020-02-14 CVE-2018-21033 Hitachi
Linux
Microsoft
Oracle
Improper Input Validation vulnerability in Hitachi products

A vulnerability in Hitachi Command Suite prior to 8.6.2-00, Hitachi Automation Director prior to 8.6.2-00 and Hitachi Infrastructure Analytics Advisor prior to 4.2.0-00 allow authenticated remote users to load an arbitrary Cascading Style Sheets (CSS) token sequence.

4.0
2020-02-14 CVE-2018-21032 Hitachi
Linux
Microsoft
Oracle
Information Exposure Through AN Error Message vulnerability in Hitachi products

A vulnerability in Hitachi Command Suite prior to 8.7.1-00 and Hitachi Automation Director prior to 8.5.0-00 allow authenticated remote users to expose technical information through error messages.

4.0
2020-02-14 CVE-2020-5532 Extrun Improper Authentication vulnerability in Extrun Ilbo

ilbo App (ilbo App for Android prior to version 1.1.8 and ilbo App for iOS prior to version 1.2.01) allows an attacker on the same network segment to bypass authentication and to view the images which were recorded by the other ilbo user's device via unspecified vectors.

4.0
2020-02-13 CVE-2020-8804 Salesagility SQL Injection vulnerability in Salesagility Suitecrm

SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module.

4.0
2020-02-12 CVE-2020-6975 Digi Unrestricted Upload of File With Dangerous Type vulnerability in Digi products

Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 (82002228_K 08/09/2018), bios Version 1.2.

4.0
2020-02-12 CVE-2020-6187 SAP XXE vulnerability in SAP Netweaver Guided Procedures

SAP NetWeaver (Guided Procedures), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document input from a compromised admin, leading to Denial of Service.

4.0
2020-02-12 CVE-2020-6177 SAP Improper Input Validation vulnerability in SAP Mobile Platform 3.0

SAP Mobile Platform, version 3.0, does not sufficiently validate an XML document accepted from an untrusted source which could lead to partial denial of service.

4.0
2020-02-12 CVE-2020-2133 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Applatix 1.1

Jenkins Applatix Plugin 1.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2020-02-12 CVE-2020-2132 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Parasoft Environment Manager

Jenkins Parasoft Environment Manager Plugin 2.14 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2020-02-12 CVE-2020-2131 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Harvest SCM

Jenkins Harvest SCM Plugin 0.5.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2020-02-12 CVE-2020-2130 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Harvest SCM

Jenkins Harvest SCM Plugin 0.5.1 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

4.0
2020-02-12 CVE-2020-2129 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Eagle Tester

Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

4.0
2020-02-12 CVE-2020-2128 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins ECX Copy Data Management

Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2020-02-12 CVE-2020-2127 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins BMC Release Package and Deployment 1.0/1.1

Jenkins BMC Release Package and Deployment Plugin 1.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

4.0
2020-02-12 CVE-2020-2126 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Digitalocean

Jenkins DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml file on the Jenkins master where it can be viewed by users with access to the master file system.

4.0
2020-02-12 CVE-2020-2125 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Debian Package Builder

Jenkins Debian Package Builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

4.0
2020-02-12 CVE-2020-2124 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Dynamic Extended Choice Parameter 1.0.0/1.0.1

Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

4.0
2020-02-12 CVE-2020-2118 Jenkins Incorrect Default Permissions vulnerability in Jenkins Pipeline Github Notify Step

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

4.0
2020-02-12 CVE-2020-2117 Jenkins Incorrect Default Permissions vulnerability in Jenkins Pipeline Github Notify Step

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

4.0
2020-02-11 CVE-2020-0663 Microsoft Improper Privilege Management vulnerability in Microsoft Edge

An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain.In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability, aka 'Microsoft Edge Elevation of Privilege Vulnerability'.

4.0

74 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-02-11 CVE-2020-0730 Microsoft Link Following vulnerability in Microsoft products

An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks, aka 'Windows User Profile Service Elevation of Privilege Vulnerability'.

3.6
2020-02-11 CVE-2020-5825 Symantec Improper Privilege Management vulnerability in Symantec Endpoint Protection

Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to an arbitrary file write vulnerability, which is a type of issue whereby an attacker is able to overwrite existing files on the resident system without proper privileges.

3.6
2020-02-16 CVE-2020-9016 Dolibarr Cross-Site Scripting vulnerability in Dolibarr 11.0.0

Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header.

3.5
2020-02-16 CVE-2020-9007 Codologic Cross-Site Scripting vulnerability in Codologic Codoforum 4.8.8

Codoforum 4.8.8 allows self-XSS via the title of a new topic.

3.5
2020-02-15 CVE-2020-7050 Codologic Cross-Site Scripting vulnerability in Codologic Codoforum 2.5.1/4.8.3/4.8.4

Codologic Codoforum through 4.8.4 allows a DOM-based XSS.

3.5
2020-02-14 CVE-2020-8594 Ninjaforms Cross-Site Scripting vulnerability in Ninjaforms Ninja Forms 3.4.22

The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_lang], or ninja_forms[date_format].

3.5
2020-02-14 CVE-2019-19757 Lenovo Cross-Site Scripting vulnerability in Lenovo Xclarity Administrator

An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered a Document Object Model (DOM) based cross-site scripting vulnerability in versions prior to 2.6.6 that could allow JavaScript code to be executed in the user's web browser if a specially crafted link is visited.

3.5
2020-02-14 CVE-2013-4792 Prestashop Cross-Site Request Forgery (CSRF) vulnerability in Prestashop

PrestaShop before 1.4.11 allows logout CSRF.

3.5
2020-02-14 CVE-2013-4791 Prestashop Cross-Site Scripting vulnerability in Prestashop

PrestaShop before 1.4.11 allows Logistician, translators and other low level profiles/accounts to inject a persistent XSS vector on TinyMCE.

3.5
2020-02-13 CVE-2012-1903 Telligent Cross-Site Scripting vulnerability in Telligent Community 5.6.583.20496

XSS in Telligent Community 5.6.583.20496 via a flash file and related to the allowScriptAccess parameter.

3.5
2020-02-13 CVE-2012-1500 Atlassian Cross-Site Scripting vulnerability in Atlassian Greenhopper and Jira

Stored XSS vulnerability in UpdateFieldJson.jspa in JIRA 4.4.3 and GreenHopper before 5.9.8 allows an attacker to inject arbitrary script code.

3.5
2020-02-13 CVE-2019-18791 Lexmark Cross-Site Scripting vulnerability in Lexmark products

Lexmark printer MS812 and multiple older generation Lexmark devices have a stored XSS vulnerability in the embedded web server.

3.5
2020-02-13 CVE-2020-5241 Matestack Cross-Site Scripting vulnerability in Matestack Ui-Core

matestack-ui-core (RubyGem) before 0.7.4 is vulnerable to XSS/Script injection.

3.5
2020-02-12 CVE-2020-6185 SAP Cross-Site Scripting vulnerability in SAP Netweaver and S/4Hana

Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), allows an authenticated attacker to store a malicious payload which results in Stored Cross Site Scripting vulnerability.

3.5
2020-02-12 CVE-2019-4431 IBM Cross-Site Scripting vulnerability in IBM Rational Publishing Engine 6.0.6/6.0.6.1

IBM Rational Publishing Engine 6.0.6 and 6.0.6.1 is vulnerable to cross-site scripting.

3.5
2020-02-12 CVE-2020-2122 Jenkins Cross-Site Scripting vulnerability in Jenkins Brakeman

Jenkins Brakeman Plugin 0.12 and earlier did not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability exploitable by users able to control the Brakeman post-build step input data.

3.5
2020-02-12 CVE-2020-2113 Jenkins Cross-Site Scripting vulnerability in Jenkins GIT Parameter

Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the default value shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.

3.5
2020-02-12 CVE-2020-2112 Jenkins Cross-Site Scripting vulnerability in Jenkins GIT Parameter

Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the parameter name shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.

3.5
2020-02-12 CVE-2020-2111 Jenkins Cross-Site Scripting vulnerability in Jenkins Subversion

Jenkins Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation, resulting in a stored cross-site scripting vulnerability.

3.5
2020-02-11 CVE-2020-0694 Microsoft Cross-Site Scripting vulnerability in Microsoft Sharepoint Enterprise Server 2013/2016/2019

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'.

3.5
2020-02-11 CVE-2020-0693 Microsoft Cross-Site Scripting vulnerability in Microsoft Sharepoint Enterprise Server 2013/2016/2019

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'.

3.5
2020-02-11 CVE-2014-3827 Mybb Cross-Site Scripting vulnerability in Mybb

Multiple cross-site scripting (XSS) vulnerabilities in the MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the title parameter in the (1) edit or (2) add action in the user-users module or the (3) finduser action or the name parameter in an (4) edit action in the user-user module or the (5) editprofile action to modcp.php.

3.5
2020-02-11 CVE-2014-3826 Mybb Cross-Site Scripting vulnerability in Mybb

Cross-site scripting (XSS) vulnerability in MyBB before 1.6.13 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter in the edit action of the config-profile_fields module.

3.5
2020-02-11 CVE-2019-18210 Moodle Cross-Site Scripting vulnerability in Moodle

Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows authenticated users (Teacher and above) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the introeditor[text] parameter.

3.5
2020-02-11 CVE-2016-5710 Netapp Improper Restriction of Rendered UI Layers OR Frames vulnerability in Netapp Snap Creator Framework

NetApp Snap Creator Framework before 4.3P1 allows remote authenticated users to conduct clickjacking attacks via unspecified vectors.

3.5
2020-02-10 CVE-2020-8089 Piwigo Cross-Site Scripting vulnerability in Piwigo 2.10.1

Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page.

3.5
2020-02-10 CVE-2020-1697 Redhat Cross-Site Scripting vulnerability in Redhat Keycloak

It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks.

3.5
2020-02-10 CVE-2012-6449 Cpanel Cross-Site Scripting vulnerability in Cpanel and WHM

The clientconf.html and detailbw.html pages in x3 in cPanel & WHM 11.34.0 (build 8) have a XSS vulnerability.

3.5
2020-02-10 CVE-2013-1353 Orangehrm Cross-Site Scripting vulnerability in Orangehrm 2.7.1

Orange HRM 2.7.1 allows XSS via the vacancy name.

3.5
2020-02-10 CVE-2020-8825 Vanillaforums Cross-Site Scripting vulnerability in Vanillaforums Vanilla 2.6.3

index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows stored XSS.

3.5
2020-02-10 CVE-2020-8822 Digi Cross-Site Scripting vulnerability in Digi Transport Wr21 Firmware and Transport Wr44 Firmware

Digi TransPort WR21 5.2.2.3, WR44 5.1.6.4, and WR44v2 5.1.6.9 devices allow stored XSS in the web application.

3.5
2020-02-13 CVE-2020-0017 Google Information Exposure vulnerability in Google Android

In multiple places, it was possible for the primary user’s dictionary to be visible to and modifiable by secondary users.

3.3
2020-02-12 CVE-2019-19192 ST Improper Input Validation vulnerability in ST Bluenrg-2 and Wb55

The Bluetooth Low Energy implementation on STMicroelectronics BLE Stack through 1.3.1 for STM32WB5x devices does not properly handle consecutive Attribute Protocol (ATT) requests on reception, allowing attackers in radio range to cause an event deadlock or crash via crafted packets.

3.3
2020-02-12 CVE-2019-16336 Cypress Classic Buffer Overflow vulnerability in Cypress Cybl11573 and Cyble-416045

The Bluetooth Low Energy implementation in Cypress PSoC 4 BLE component 3.61 and earlier processes data channel frames with a payload length larger than the configured link layer maximum RX payload size, which allows attackers (in radio range) to cause a denial of service (crash) via a crafted BLE Link Layer frame.

3.3
2020-02-12 CVE-2019-19196 Telink Semi Classic Buffer Overflow vulnerability in Telink-Semi products

The Bluetooth Low Energy Secure Manager Protocol (SMP) implementation on Telink Semiconductor BLE SDK versions before November 2019 for TLSR8x5x through 3.4.0, TLSR823x through 1.3.0, and TLSR826x through 3.3 devices accepts a pairing request with a key size greater than 16 bytes, allowing an attacker in radio range to cause a buffer overflow and denial of service (crash) via crafted packets.

3.3
2020-02-10 CVE-2017-18642 Syska Information Exposure vulnerability in Syska Smartlight Rainbow LED Smart Bulb Firmware 20170806

Syska Smart Bulb devices through 2017-08-06 receive RGB parameters over cleartext Bluetooth Low Energy (BLE), leading to sniffing, reverse engineering, and replay attacks.

3.3
2020-02-10 CVE-2012-1994 HP Information Exposure vulnerability in HP Systems Insight Manager

HP Systems Insight Manager before 7.0 allows a remote user on adjacent network to access information

2.7
2020-02-14 CVE-2019-6195 Lenovo Improper Privilege Management vulnerability in Lenovo Xclarity Controller 1.71Psi328N/3.01Tei392O

An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information if 1) “LDAP Authentication Only with Local Authorization” mode is configured and used by XCC, and 2) a lesser privileged user logs into XCC within 1 minute of a higher privileged user logging out.

2.1
2020-02-14 CVE-2019-6190 Lenovo Improper Initialization vulnerability in Lenovo products

Lenovo was notified of a potential denial of service vulnerability, affecting various versions of BIOS for Lenovo Desktop, Desktop - All in One, and ThinkStation, that could cause PCRs to be cleared intermittently after resuming from sleep (S3) on systems with Intel TXT enabled.

2.1
2020-02-14 CVE-2020-7251 Mcafee Incorrect Authorization vulnerability in Mcafee Endpoint Security

Improper access control vulnerability in Configuration Tool in McAfee Mcafee Endpoint Security (ENS) Prior to 10.6.1 February 2020 Update allows local users to disable security features via unauthorised use of the configuration tool from older versions of ENS.

2.1
2020-02-14 CVE-2020-8991 Redhat Missing Release of Resource After Effective Lifetime vulnerability in Redhat Lvm2 2.02.00

** DISPUTED ** vg_lookup in daemons/lvmetad/lvmetad-core.c in LVM2 2.02 mismanages memory, leading to an lvmetad memory leak, as demonstrated by running pvs.

2.1
2020-02-13 CVE-2013-6927 Triplc Local Security Bypass vulnerability in Internet TRiLOGI Server User Account Creation

Internet TRiLOGI Server (unknown versions) could allow a local user to bypass security and create a local user account.

2.1
2020-02-13 CVE-2019-4666 IBM Unspecified vulnerability in IBM Urbancode Build and Urbancode Deploy

IBM UrbanCode Deploy (UCD) 7.0.3 and IBM UrbanCode Build 6.1.5 could allow a local user to obtain sensitive information by unmasking certain secure values in documents.

2.1
2020-02-13 CVE-2020-0018 Google Information Exposure Through LOG Files vulnerability in Google Android

In MotionEntry::appendDescription of InputDispatcher.cpp, there is a possible log information disclosure.

2.1
2020-02-13 CVE-2018-3987 Rakuten Information Exposure vulnerability in Rakuten Viber 9.3.0.6

An exploitable information disclosure vulnerability exists in the 'Secret Chats' functionality of Rakuten Viber on Android 9.3.0.6.

2.1
2020-02-12 CVE-2011-2343 Google Information Exposure vulnerability in Google Android

The Bluetooth stack in Android before 2.3.6 allows a physically proximate attacker to obtain contact information via an AT phonebook transfer.

2.1
2020-02-12 CVE-2019-11867 Realtek Null Pointer Dereference vulnerability in Realtek Ndis 10.1.505.2015

Realtek NDIS driver rt640x64.sys, file version 10.1.505.2015, fails to do any size checking on an input buffer from user space, which the driver assumes has a size greater than zero bytes.

2.1
2020-02-11 CVE-2020-0756 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory.To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.The security update addresses the vulnerability by correcting how the service handles objects in memory., aka 'Windows Key Isolation Service Information Disclosure Vulnerability'.

2.1
2020-02-11 CVE-2020-0755 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory.To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.The security update addresses the vulnerability by correcting how the service handles objects in memory., aka 'Windows Key Isolation Service Information Disclosure Vulnerability'.

2.1
2020-02-11 CVE-2020-0751 Microsoft Improper Input Validation vulnerability in Microsoft Windows 10 and Windows Server 2016

A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate specific malicious data from a user on a guest operating system.To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application.The security update addresses the vulnerability by resolving the conditions where Hyper-V would fail to handle these requests., aka 'Windows Hyper-V Denial of Service Vulnerability'.

2.1
2020-02-11 CVE-2020-0748 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products

An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory.To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.The security update addresses the vulnerability by correcting how the service handles objects in memory., aka 'Windows Key Isolation Service Information Disclosure Vulnerability'.

2.1
2020-02-11 CVE-2020-0744 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products

An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system, aka 'Windows GDI Information Disclosure Vulnerability'.

2.1
2020-02-11 CVE-2020-0736 Microsoft Information Exposure vulnerability in Microsoft Windows 7 and Windows Server 2008

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka 'Windows Kernel Information Disclosure Vulnerability'.

2.1
2020-02-11 CVE-2020-0717 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the win32k component improperly provides kernel information, aka 'Win32k Information Disclosure Vulnerability'.

2.1
2020-02-11 CVE-2020-0716 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the win32k component improperly provides kernel information, aka 'Win32k Information Disclosure Vulnerability'.

2.1
2020-02-11 CVE-2020-0714 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when DirectX improperly handles objects in memory, aka 'DirectX Information Disclosure Vulnerability'.

2.1
2020-02-11 CVE-2020-0705 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Windows Network Driver Interface Specification (NDIS) improperly handles memory.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability'.

2.1
2020-02-11 CVE-2020-0698 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists when the Telephony Service improperly discloses the contents of its memory, aka 'Windows Information Disclosure Vulnerability'.

2.1
2020-02-11 CVE-2020-0677 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products

An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory.To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.The security update addresses the vulnerability by correcting how the service handles objects in memory., aka 'Windows Key Isolation Service Information Disclosure Vulnerability'.

2.1
2020-02-11 CVE-2020-0676 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products

An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory.To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.The security update addresses the vulnerability by correcting how the service handles objects in memory., aka 'Windows Key Isolation Service Information Disclosure Vulnerability'.

2.1
2020-02-11 CVE-2020-0675 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products

An information disclosure vulnerability exists in the Cryptography Next Generation (CNG) service when it fails to properly handle objects in memory.To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.The security update addresses the vulnerability by correcting how the service handles objects in memory., aka 'Windows Key Isolation Service Information Disclosure Vulnerability'.

2.1
2020-02-11 CVE-2020-0658 Microsoft Information Exposure vulnerability in Microsoft products

An information disclosure vulnerability exists in the Windows Common Log File System (CLFS) driver when it fails to properly handle objects in memory, aka 'Windows Common Log File System Driver Information Disclosure Vulnerability'.

2.1
2020-02-11 CVE-2013-2213 KDE USE of A Broken OR Risky Cryptographic Algorithm vulnerability in KDE Paste Applet

The KRandom::random function in KDE Paste Applet after 4.10.5 in kdeplasma-addons uses the GNU C Library rand function's linear congruential generator, which makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms by predicting the generator output.

2.1
2020-02-11 CVE-2013-2120 KDE Improper Authentication vulnerability in KDE Paste Applet

The %{password(...)} macro in pastemacroexpander.cpp in the KDE Paste Applet before 4.10.5 in kdeplasma-addons does not properly generate passwords, which allows context-dependent attackers to bypass authentication via a brute-force attack.

2.1
2020-02-11 CVE-2020-5831 Symantec Out-Of-Bounds Read vulnerability in Symantec Endpoint Protection Manager

Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 MP1, may be susceptible to an out of bounds vulnerability, which is a type of issue that results in an existing application reading memory outside of the bounds of the memory that had been allocated to the program.

2.1
2020-02-11 CVE-2020-5830 Symantec Out-Of-Bounds Read vulnerability in Symantec Endpoint Protection Manager

Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 MP1, may be susceptible to an out of bounds vulnerability, which is a type of issue that results in an existing application reading memory outside of the bounds of the memory that had been allocated to the program.

2.1
2020-02-11 CVE-2020-5829 Symantec Out-Of-Bounds Read vulnerability in Symantec Endpoint Protection Manager

Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 MP1, may be susceptible to an out of bounds vulnerability, which is a type of issue that results in an existing application reading memory outside of the bounds of the memory that had been allocated to the program.

2.1
2020-02-11 CVE-2020-5828 Symantec Out-Of-Bounds Read vulnerability in Symantec Endpoint Protection Manager

Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 MP1, may be susceptible to an out of bounds vulnerability, which is a type of issue that results in an existing application reading memory outside of the bounds of the memory that had been allocated to the program.

2.1
2020-02-11 CVE-2020-5827 Symantec Out-Of-Bounds Read vulnerability in Symantec Endpoint Protection Manager

Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 MP1, may be susceptible to an out of bounds vulnerability, which is a type of issue that results in an existing application reading memory outside of the bounds of the memory that had been allocated to the program.

2.1
2020-02-11 CVE-2020-5826 Symantec Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Symantec Endpoint Protection

Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to an out of bounds vulnerability, which is a type of issue that results in an existing application reading memory outside of the bounds of the memory that had been allocated to the program.

2.1
2020-02-11 CVE-2020-5824 Symantec Unspecified vulnerability in Symantec Endpoint Protection

Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Small Business Edition (SEP SBE), prior to 14.2 RU2 MP1 and prior to 14.2.5569.2100 respectively, may be susceptible to a denial of service vulnerability, which is a type of issue whereby a threat actor attempts to tie up the resources of a resident application, thereby making certain functions unavailable.

2.1
2020-02-11 CVE-2020-6408 Google
Opensuse
Information Exposure vulnerability in multiple products

Insufficient policy enforcement in CORS in Google Chrome prior to 80.0.3987.87 allowed a local attacker to obtain potentially sensitive information via a crafted HTML page.

2.1
2020-02-10 CVE-2019-6744 Samsung Improper Authentication vulnerability in Samsung Knox 1.2.02.39

This vulnerability allows local attackers to disclose sensitive information on affected installations of Samsung Knox 1.2.02.39 on Samsung Galaxy S9 build G9600ZHS3ARL1 Secure Folder.

2.1
2020-02-13 CVE-2019-3998 Simplisafe Improper Authentication vulnerability in Simplisafe SS3 Firmware 1.4

Authentication bypass using an alternate path or channel in SimpliSafe SS3 firmware 1.4 allows a local, unauthenticated attacker to modify the Wi-Fi network the base station connects to.

1.9