Weekly Vulnerabilities Reports > March 16 to 22, 2020
Overview
358 new vulnerabilities were reported during this period, including 63 critical and 132 high severity vulnerabilities. This weekly summary reports vulnerabilities in 265 products from 153 vendors, including Onap, Redhat, Cpanel, Fedoraproject, and Debian. The most common weakness categories are "Cross-site Scripting", "Missing Authentication for Critical Function", "SQL Injection", "OS Command Injection", and "NULL Pointer Dereference".
- 303 reported vulnerabilities are remotely exploitable.
- 4 reported vulnerabilities have a public exploit available.
- 149 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 222 reported vulnerabilities are exploitable by an anonymous (unauthenticated) user.
- Onap has the most reported vulnerabilities, with 21.
- Onap also has the most reported critical vulnerabilities, with 17.
Vulnerability Details
The following tables list the vulnerabilities reported during the period covered by this report, grouped by severity:
63 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-03-22 | CVE-2020-10806 | EZ | Unrestricted Upload of File with Dangerous Type vulnerability in EZ Publish-Kernel and EZ Publish-Legacy eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution. | 9.8 |
2020-03-21 | CVE-2019-12767 | Dlink | OS Command Injection vulnerability in Dlink Dap-1650 Firmware An issue was discovered on D-Link DAP-1650 devices before 1.04B02_J65H Hot Fix. | 9.8 |
2020-03-21 | CVE-2013-7487 | Swann | Injection vulnerability in Swann products On Swann DVR04B, DVR08B, DVR-16CIF, and DVR16B devices, raysharpdvr application has a vulnerable call to “system”, which allows remote attackers to execute arbitrary code via TCP port 9000. | 9.8 |
2020-03-20 | CVE-2020-10799 | Svglib Project | XXE vulnerability in Svglib Project Svglib The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call. | 9.8 |
2020-03-20 | CVE-2019-11574 | Simplemachines | Server-Side Request Forgery (SSRF) vulnerability in Simplemachines Simple Machine Forum An issue was discovered in Simple Machines Forum (SMF) before release 2.0.17. | 9.8 |
2020-03-20 | CVE-2019-18641 | Sparkdevnetwork | Unspecified vulnerability in Sparkdevnetwork Rock RMS Rock RMS before 1.8.6 mishandles vCard access control within the People/GetVCard/REST controller. | 9.8 |
2020-03-20 | CVE-2019-15522 | Linbit | Unspecified vulnerability in Linbit Csync2 1.34/2.0 An issue was discovered in LINBIT csync2 through 2.0. | 9.8 |
2020-03-20 | CVE-2020-8137 | Blamer Project | Code Injection vulnerability in Blamer Project Blamer Code injection vulnerability in blamer 1.0.0 and earlier may result in remote code execution when the input can be controlled by an attacker. | 9.8 |
2020-03-20 | CVE-2020-8135 | Uppy | Server-Side Request Forgery (SSRF) vulnerability in Uppy 1.9.1/1.9.2 The uppy npm package < 1.9.3 is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan local or external network or otherwise interact with internal systems. | 9.8 |
2020-03-20 | CVE-2020-7961 | Liferay | Deserialization of Untrusted Data vulnerability in Liferay Portal Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS). | 9.8 |
2020-03-20 | CVE-2019-12498 | 3CX | Missing Authorization vulnerability in 3CX Live Chat The WP Live Chat Support plugin before 8.0.33 for WordPress accepts certain REST API calls without invoking the wplc_api_permission_check protection mechanism. | 9.8 |
2020-03-20 | CVE-2019-19148 | Tellabs | OS Command Injection vulnerability in Tellabs Optical Line Terminal 1150 Firmware Ont709.2.50.12 Tellabs Optical Line Terminal (OLT) 1150 devices allow Remote Command Execution via the -l option to TELNET or SSH. | 9.8 |
2020-03-20 | CVE-2018-20334 | Asus | OS Command Injection vulnerability in Asus Asuswrt 3.0.0.4.384.20308 An issue was discovered in ASUSWRT 3.0.0.4.384.20308. | 9.8 |
2020-03-20 | CVE-2019-16072 | Netsas | OS Command Injection vulnerability in Netsas Enigma Network Management Solution An OS command injection vulnerability in the discover_and_manage CGI script in NETSAS Enigma NMS 65.0.0 and prior allows an attacker to execute arbitrary code because of improper neutralization of shell metacharacters in the ip_address variable within an snmp_browser action. | 9.8 |
2020-03-19 | CVE-2019-12127 | Onap | Missing Authentication for Critical Function vulnerability in Onap Open Network Automation Platform In ONAP OOM through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. | 9.8 |
2020-03-19 | CVE-2019-12126 | Onap | Missing Authentication for Critical Function vulnerability in Onap Open Network Automation Platform In ONAP DCAE through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. | 9.8 |
2020-03-19 | CVE-2019-12125 | Onap | Missing Authentication for Critical Function vulnerability in Onap Open Network Automation Platform In ONAP Logging through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. | 9.8 |
2020-03-19 | CVE-2019-16382 | Ivanti | Unspecified vulnerability in Ivanti Workspace Control 10.3.110.0 An issue was discovered in Ivanti Workspace Control 10.3.110.0. | 9.8 |
2020-03-19 | CVE-2019-12130 | Onap | Missing Authentication for Critical Function vulnerability in Onap Open Network Automation Platform In ONAP CLI through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. | 9.8 |
2020-03-19 | CVE-2019-12129 | Onap | Missing Authentication for Critical Function vulnerability in Onap Open Network Automation Platform In ONAP MSB through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. | 9.8 |
2020-03-19 | CVE-2019-12128 | Onap | Missing Authentication for Critical Function vulnerability in Onap Open Network Automation Platform In ONAP SO through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. | 9.8 |
2020-03-18 | CVE-2020-9423 | Logicaldoc | Unrestricted Upload of File with Dangerous Type vulnerability in Logicaldoc LogicalDoc before 8.3.3 could allow an attacker to upload arbitrary files, leading to command execution or retrieval of data from the database. | 9.8 |
2020-03-18 | CVE-2020-10674 | Perlspeak Project | OS Command Injection vulnerability in Perlspeak Project Perlspeak PerlSpeak through 2.01 allows attackers to execute arbitrary OS commands, as demonstrated by use of system and 2-argument open. | 9.8 |
2020-03-18 | CVE-2019-12132 | Onap | OS Command Injection vulnerability in Onap Open Network Automation Platform An issue was discovered in ONAP SDNC before Dublin. | 9.8 |
2020-03-18 | CVE-2019-12120 | Onap | Missing Authentication for Critical Function vulnerability in Onap Open Network Automation Platform An issue was discovered in ONAP VNFSDK through Dublin. | 9.8 |
2020-03-18 | CVE-2019-12119 | Onap | Missing Authentication for Critical Function vulnerability in Onap Open Network Automation Platform An issue was discovered in ONAP SDC through Dublin. | 9.8 |
2020-03-18 | CVE-2019-12118 | Onap | Missing Authentication for Critical Function vulnerability in Onap Open Network Automation Platform An issue was discovered in ONAP SDC through Dublin. | 9.8 |
2020-03-18 | CVE-2019-12117 | Onap | Missing Authentication for Critical Function vulnerability in Onap Open Network Automation Platform An issue was discovered in ONAP SDC through Dublin. | 9.8 |
2020-03-18 | CVE-2019-12116 | Onap | Missing Authentication for Critical Function vulnerability in Onap Open Network Automation Platform An issue was discovered in ONAP SDC through Dublin. | 9.8 |
2020-03-18 | CVE-2019-12115 | Onap | Missing Authentication for Critical Function vulnerability in Onap Open Network Automation Platform An issue was discovered in ONAP SDC through Dublin. | 9.8 |
2020-03-18 | CVE-2019-12114 | Onap | Missing Authentication for Critical Function vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2 An issue was discovered in ONAP HOLMES before Dublin. | 9.8 |
2020-03-18 | CVE-2019-12112 | Onap | OS Command Injection vulnerability in Onap Open Network Automation Platform An issue was discovered in ONAP SDNC before Dublin. | 9.8 |
2020-03-18 | CVE-2020-3922 | Armorx | SQL Injection vulnerability in Armorx Lisomail 2.0 LisoMail, by ArmorX, allows SQL injection; attackers can access the database without authentication via URL parameter manipulation. | 9.8 |
2020-03-18 | CVE-2020-8600 | Trendmicro | Path Traversal vulnerability in Trendmicro Worry-Free Business Security 10.0/9.0/9.5 Trend Micro Worry-Free Business Security (9.0, 9.5, 10.0) is affected by a directory traversal vulnerability that could allow an attacker to manipulate a key file to bypass authentication. | 9.8 |
2020-03-18 | CVE-2020-8599 | Trendmicro | Unspecified vulnerability in Trendmicro Apex ONE and Officescan Trend Micro Apex One (2019) and OfficeScan XG server contain a vulnerable EXE file that could allow a remote attacker to write arbitrary data to an arbitrary path on affected installations and bypass ROOT login. | 9.8 |
2020-03-18 | CVE-2020-8598 | Trendmicro | Missing Authentication for Critical Function vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file that could allow a remote attacker to execute arbitrary code on affected installations with SYSTEM level privileges. | 9.8 |
2020-03-17 | CVE-2020-10121 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 84.0.20 allows a demo account to achieve code execution via PassengerApps APIs (SEC-546). | 9.8 |
2020-03-17 | CVE-2020-10119 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 84.0.20 allows a demo account to achieve remote code execution via a cpsrvd rsync shell (SEC-544). | 9.8 |
2020-03-17 | CVE-2019-20498 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 82.0.18 allows WebDAV authentication bypass because the connection-sharing logic is incorrect (SEC-534). | 9.8 |
2020-03-17 | CVE-2020-10380 | R Consortium | SQL Injection vulnerability in R-Consortium Rmysql RMySQL through 0.10.19 allows SQL Injection. | 9.8 |
2020-03-16 | CVE-2020-9347 | Zohocorp | Improper Neutralization of Formula Elements in a CSV File vulnerability in Zohocorp Manageengine Password Manager PRO Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. | 9.8 |
2020-03-16 | CVE-2020-8786 | Salesagility | SQL Injection vulnerability in Salesagility Suitecrm SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4). | 9.8 |
2020-03-16 | CVE-2020-8785 | Salesagility | SQL Injection vulnerability in Salesagility Suitecrm SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4). | 9.8 |
2020-03-16 | CVE-2020-8784 | Salesagility | SQL Injection vulnerability in Salesagility Suitecrm SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4). | 9.8 |
2020-03-16 | CVE-2020-8783 | Salesagility | SQL Injection vulnerability in Salesagility Suitecrm SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4). | 9.8 |
2020-03-16 | CVE-2019-19212 | Dolibarr | Cross-site Scripting vulnerability in Dolibarr Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen). | 9.8 |
2020-03-16 | CVE-2020-5847 | Unraid | Unspecified vulnerability in Unraid 6.8.0 Unraid through 6.8.0 allows Remote Code Execution. | 9.8 |
2020-03-16 | CVE-2020-6990 | Rockwellautomation | Use of Hard-coded Credentials vulnerability in Rockwellautomation products Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A (all versions), MicroLogix 1100 Controller (all versions), and RSLogix 500 Software v12.001 and prior: the cryptographic key utilized to help protect the account password is hard coded into the RSLogix 500 binary file. | 9.8 |
2020-03-16 | CVE-2020-10243 | Joomla | SQL Injection vulnerability in Joomla Joomla! An issue was discovered in Joomla! before 3.9.16. | 9.8 |
2020-03-16 | CVE-2020-10230 | Control Webpanel | SQL Injection vulnerability in Control-Webpanel Webpanel CentOS-WebPanel.com (aka CWP) CentOS Web Panel (for CentOS 6 and 7) allows SQL Injection via the /cwp_{SESSION_HASH}/admin/loader_ajax.php term parameter. | 9.8 |
2020-03-16 | CVE-2019-19208 | Codiad | Code Injection vulnerability in Codiad Codiad Web IDE through 2.8.4 allows PHP Code injection. | 9.8 |
2020-03-16 | CVE-2020-5547 | Mitsubishielectric | Unspecified vulnerability in Mitsubishielectric Iu1-1M20-D Firmware 1.0.7 Resource Management Errors vulnerability in TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows remote attackers to stop the network functions or execute malware via a specially crafted packet. | 9.8 |
2020-03-16 | CVE-2020-5545 | Mitsubishielectric | Unspecified vulnerability in Mitsubishielectric Iu1-1M20-D Firmware 1.0.7 TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows remote attackers to bypass access restriction and to stop the network functions or execute malware via a specially crafted packet. | 9.8 |
2020-03-16 | CVE-2020-5544 | Mitsubishielectric | NULL Pointer Dereference vulnerability in Mitsubishielectric Iu1-1M20-D Firmware 1.0.7 Null Pointer Dereference vulnerability in TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows remote attackers to stop the network functions or execute malware via a specially crafted packet. | 9.8 |
2020-03-16 | CVE-2020-5543 | Mitsubishielectric | Session Fixation vulnerability in Mitsubishielectric Iu1-1M20-D Firmware 1.0.7 TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier does not properly manage sessions, which allows remote attackers to stop the network functions or execute malware via a specially crafted packet. | 9.8 |
2020-03-16 | CVE-2020-5542 | Mitsubishielectric | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mitsubishielectric Iu1-1M20-D Firmware 1.0.7 Buffer error vulnerability in TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows remote attackers to stop the network functions or execute malware via a specially crafted packet. | 9.8 |
2020-03-19 | CVE-2019-16064 | Netsas | Path Traversal vulnerability in Netsas Enigma Network Management Solution NETSAS Enigma NMS 65.0.0 and prior suffers from a directory traversal vulnerability that can allow an authenticated user to access files and directories stored outside of the web root folder. | 9.6 |
2020-03-18 | CVE-2019-19676 | Arxes Tolina | Improper Neutralization of Formula Elements in a CSV File vulnerability in Arxes-Tolina 3.0.0 A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. | 9.6 |
2020-03-18 | CVE-2019-12131 | Onap | Authentication Bypass by Spoofing vulnerability in Onap Open Network Automation Platform An issue was detected in ONAP APPC through Dublin and SDC through Dublin. | 9.1 |
2020-03-18 | CVE-2019-12124 | Onap | Unspecified vulnerability in Onap Open Network Automation Platform An issue was discovered in ONAP APPC before Dublin. | 9.1 |
2020-03-17 | CVE-2020-10118 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 84.0.20 allows a demo account to modify files via Branding API calls (SEC-543). | 9.1 |
2020-03-17 | CVE-2020-10117 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 84.0.20 mishandles enforcement of demo checks in the Market UAPI namespace (SEC-542). | 9.1 |
2020-03-16 | CVE-2019-14887 | Redhat | Unspecified vulnerability in Redhat products A flaw was found in Wildfly: when an OpenSSL security provider is used, the 'enabled-protocols' value in the Wildfly configuration isn't honored. | 9.1 |
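Two of the critical entries above (CVE-2020-9347 in ManageEngine Password Manager Pro and CVE-2019-19676 in arxes-tolina) are CSV formula injection: an attacker-chosen field is written unescaped into an export, and the spreadsheet that opens the file evaluates the cell as a formula. The following Python is an added example written for this report, not code from either vendor. It shows the neutralization an exporter should apply, plus an audit function that scans an existing CSV for formula-like cells. The sample rows and the payload string are constructed for illustration.

```python
import csv
import io

# Leading characters that make Excel / LibreOffice evaluate an imported CSV cell
# as a formula instead of text (the basis of "CSV Excel Macro Injection").
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True if a spreadsheet would interpret this cell as a formula."""
    return isinstance(value, str) and value.startswith(FORMULA_PREFIXES)


def neutralize_cell(value):
    """Prefix formula-like cells with a single quote so they import as text.

    The quote is the conventional defense; the writer's QUOTE_ALL below then keeps
    embedded commas, quotes or newlines from breaking the row layout.
    """
    if is_formula_like(value):
        return "'" + value
    return value


def export_rows(rows, fieldnames):
    """Write rows to CSV text with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit an existing export: return (line, column, value) for suspect cells."""
    hits = []
    reader = csv.reader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=1):
        for col_no, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                hits.append((line_no, col_no, cell))
    return hits


# Constructed sample: a password-manager "name" field chosen by an attacker.
# The payload is the well-known DDE-style probe, not text taken from the advisory.
SAMPLE_ROWS = [
    {"name": "alice-db", "username": "alice", "url": "https://db.example"},
    {"name": "=cmd|' /C calc'!A0", "username": "mallory", "url": "https://x.example"},
    {"name": "@SUM(1+1)", "username": "bob", "url": "https://b.example"},
]
FIELDNAMES = ["name", "username", "url"]

if __name__ == "__main__":
    # A naive export that joins fields with commas and no neutralization.
    unsafe = "\n".join(",".join(r[k] for k in FIELDNAMES) for r in SAMPLE_ROWS)
    print("suspect cells in a naive export:", find_formula_cells(unsafe))
    print(export_rows(SAMPLE_ROWS, FIELDNAMES))
```

The caveat a practitioner will hit: the "-" prefix also matches negative numbers stored as strings, so exporters that emit numeric columns should apply `neutralize_cell` only to free-text fields, or convert numbers before writing. The audit function is the useful half for incident responders; run it over an export from the affected product to see whether stored names already carry formula payloads.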
132 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-03-22 | CVE-2020-10808 | Vestacp | OS Command Injection vulnerability in Vestacp Vesta Control Panel Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. | 8.8 |
2020-03-20 | CVE-2020-8882 | Foxitsoftware | Access of Uninitialized Pointer vulnerability in Foxitsoftware Foxit Studio Photo This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.916. | 8.8 |
2020-03-20 | CVE-2020-8881 | Foxitsoftware | Use After Free vulnerability in Foxitsoftware Foxit Studio Photo This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.916. | 8.8 |
2020-03-20 | CVE-2020-8880 | Foxitsoftware | Out-of-bounds Read vulnerability in Foxitsoftware Foxit Studio Photo This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.916. | 8.8 |
2020-03-20 | CVE-2020-8878 | Foxitsoftware | Out-of-bounds Write vulnerability in Foxitsoftware Foxit Studio Photo This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.916. | 8.8 |
2020-03-20 | CVE-2019-19487 | Centreon | OS Command Injection vulnerability in Centreon Command Injection in minPlayCommand.php in Centreon (19.04.4 and below) allows an attacker to achieve command injection via a plugin test. | 8.8 |
2020-03-20 | CVE-2019-19025 | Linuxfoundation Pivotal | Cross-Site Request Forgery (CSRF) vulnerability in multiple products Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform. | 8.8 |
2020-03-20 | CVE-2019-19023 | Linuxfoundation Pivotal | Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform. | 8.8 |
2020-03-20 | CVE-2019-16071 | Netsas | Improper Privilege Management vulnerability in Netsas Enigma NMS 65.0.0 Enigma NMS 65.0.0 and prior allows administrative users to create low-privileged accounts that do not have the ability to modify any settings in the system, only view the components. | 8.8 |
2020-03-19 | CVE-2019-16068 | Netsas | Cross-Site Request Forgery (CSRF) vulnerability in Netsas Enigma Network Management Solution A CSRF vulnerability exists in NETSAS ENIGMA NMS version 65.0.0 and prior that could allow an attacker to trick a victim into submitting a malicious manage_files.cgi request. | 8.8 |
2020-03-19 | CVE-2020-10671 | Canon | Cross-Site Request Forgery (CSRF) vulnerability in Canon OCE Colorwave 500 Firmware 4.0.0.0 The Canon Oce Colorwave 500 4.0.0.0 printer's web application is missing any form of CSRF protections. | 8.8 |
2020-03-19 | CVE-2019-16066 | Netsas | Unrestricted Upload of File with Dangerous Type vulnerability in Netsas Enigma Network Management Solution An unrestricted file upload vulnerability exists in user and system file upload functions in NETSAS Enigma NMS 65.0.0 and prior. | 8.8 |
2020-03-19 | CVE-2019-16065 | Netsas | SQL Injection vulnerability in Netsas Enigma Network Management Solution A remote SQL injection web vulnerability was discovered in the Enigma NMS 65.0.0 and prior web application that allows an attacker to execute SQL commands to expose and compromise the web server, expose database tables and values, and potentially execute system-based commands as the mysql user. | 8.8 |
2020-03-19 | CVE-2019-16061 | Netsas | Incorrect Default Permissions vulnerability in Netsas Enigma Network Management Solution A number of files on the NETSAS Enigma NMS server 65.0.0 and prior are granted weak world-readable and world-writable permissions, allowing any low privileged user with access to the system to read sensitive data (e.g., .htpasswd) and create/modify/delete content (e.g., under /var/www/html/docs) within the operating system. | 8.8 |
2020-03-19 | CVE-2019-11361 | Zohocorp | Incorrect Authorization vulnerability in Zohocorp Manageengine Remote Access Plus 10.0.258 Zoho ManageEngine Remote Access Plus 10.0.258 does not validate user permissions properly, allowing for privilege escalation and eventually a full application takeover. | 8.8 |
2020-03-19 | CVE-2014-2723 | Fortinet | Incorrect Default Permissions vulnerability in Fortinet products In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using SSH. | 8.8 |
2020-03-19 | CVE-2014-2722 | Fortinet | Incorrect Default Permissions vulnerability in Fortinet products In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using SSH. | 8.8 |
2020-03-19 | CVE-2014-2721 | Fortinet | Incorrect Default Permissions vulnerability in Fortinet products In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using SSH. | 8.8 |
2020-03-19 | CVE-2020-10678 | Octopus | Unspecified vulnerability in Octopus Deploy In Octopus Deploy before 2020.1.5, for customers running on-premises Active Directory linked to their Octopus server, an authenticated user can leverage a bug to escalate privileges. | 8.8 |
2020-03-18 | CVE-2020-10673 | Fasterxml Debian Netapp Oracle | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). | 8.8 |
2020-03-18 | CVE-2020-10672 | Fasterxml Debian Netapp Oracle | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). | 8.8 |
2020-03-18 | CVE-2019-12769 | Solarwinds | Cross-Site Request Forgery (CSRF) vulnerability in Solarwinds Serv-U Managed File Transfer 15.1.5/15.1.6 SolarWinds Serv-U Managed File Transfer (MFT) Web client before 15.1.6 Hotfix 2 is vulnerable to Cross-Site Request Forgery in the file upload functionality via ?Command=Upload with the Dir and File parameters. | 8.8 |
2020-03-18 | CVE-2019-12123 | Onap | OS Command Injection vulnerability in Onap Open Network Automation Platform An issue was discovered in ONAP SDNC before Dublin. | 8.8 |
2020-03-18 | CVE-2019-12113 | Onap | OS Command Injection vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2 An issue was discovered in ONAP SDNC before Dublin. | 8.8 |
2020-03-18 | CVE-2020-8468 | Trendmicro | Injection vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) agents are affected by a content validation escape vulnerability which could allow an attacker to manipulate certain agent client components. | 8.8 |
2020-03-18 | CVE-2020-8467 | Trendmicro | Unspecified vulnerability in Trendmicro Apex ONE and Officescan A migration tool component of Trend Micro Apex One (2019) and OfficeScan XG contains a vulnerability which could allow remote attackers to execute arbitrary code on affected installations (RCE). | 8.8 |
2020-03-17 | CVE-2019-20492 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 82.0.18 allows authentication bypass because of misparsing of the format of the password file (SEC-516). | 8.8 |
2020-03-17 | CVE-2019-20490 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 82.0.18 allows authentication bypass because webmail usernames are processed inconsistently (SEC-499). | 8.8 |
2020-03-17 | CVE-2018-21037 | Intelliants | Cross-Site Request Forgery (CSRF) vulnerability in Intelliants Subrion Subrion CMS 4.1.5 (and possibly earlier versions) allow CSRF to change the administrator password via the panel/members/edit/1 URI. | 8.8 |
2020-03-17 | CVE-2019-20453 | Pydio | Deserialization of Untrusted Data vulnerability in Pydio A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. | 8.8 |
2020-03-17 | CVE-2019-20452 | Pydio | Deserialization of Untrusted Data vulnerability in Pydio A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. | 8.8 |
2020-03-16 | CVE-2020-9346 | Zohocorp | Cross-Site Request Forgery (CSRF) vulnerability in Zohocorp Manageengine Password Manager PRO Zoho ManageEngine Password Manager Pro 10.4 and prior has no protection against Cross-site Request Forgery (CSRF) attacks, as demonstrated by changing a user's role. | 8.8 |
2020-03-16 | CVE-2020-9471 | Umbraco | Unrestricted Upload of File with Dangerous Type vulnerability in Umbraco CMS 8.5.3 Umbraco Cloud 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Packages functionality. | 8.8 |
2020-03-16 | CVE-2020-3947 | Vmware | Use After Free vulnerability in VMWare Fusion and Workstation VMware Workstation (15.x before 15.5.2) and Fusion (11.x before 11.5.2) contain a use-after-free vulnerability in vmnetdhcp. | 8.8 |
2020-03-16 | CVE-2020-6585 | Nagios | Cross-Site Request Forgery (CSRF) vulnerability in Nagios 2.1.3 Nagios Log Server 2.1.3 has CSRF. | 8.8 |
2020-03-16 | CVE-2020-10241 | Joomla | Cross-Site Request Forgery (CSRF) vulnerability in Joomla Joomla! An issue was discovered in Joomla! before 3.9.16. | 8.8 |
2020-03-16 | CVE-2020-10239 | Joomla | Incorrect Authorization vulnerability in Joomla Joomla! An issue was discovered in Joomla! before 3.9.16. | 8.8 |
2020-03-16 | CVE-2020-10557 | Atutor | Unrestricted Upload of File with Dangerous Type vulnerability in Atutor Acontent An issue was discovered in AContent through 1.4. | 8.8 |
2020-03-16 | CVE-2020-5546 | Mitsubishielectric | Argument Injection or Modification vulnerability in Mitsubishielectric Iu1-1M20-D Firmware 1.0.7 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows an attacker on the same network segment to stop the network functions or execute malware via a specially crafted packet. | 8.8 |
2020-03-19 | CVE-2020-7006 | Systech | Cross-site Scripting vulnerability in Systech Nds-5000 Firmware and Nds/5008Rm Firmware Systech Corporation NDS-5000 Terminal Server, NDS/5008 (8 Port, RJ45), firmware Version 02D.30. | 8.4 |
2020-03-21 | CVE-2020-10800 | LIX Project | Unspecified vulnerability in LIX Project LIX lix through 15.8.7 allows man-in-the-middle attackers to execute arbitrary code by modifying the HTTP client-server data stream so that the Location header is associated with attacker-controlled executable content in the postDownload field. | 8.1 |
2020-03-20 | CVE-2020-8134 | Ghost | Server-Side Request Forgery (SSRF) vulnerability in Ghost Server-side request forgery (SSRF) vulnerability in Ghost CMS < 3.10.0 allows an attacker to scan local or external network or otherwise interact with internal systems. | 8.1 |
2020-03-20 | CVE-2020-1864 | Huawei | Improper Authentication vulnerability in Huawei Secospace Antiddos8000 Firmware Some Huawei products have a security vulnerability due to improper authentication. | 8.1 |
2020-03-19 | CVE-2019-16012 | Cisco | SQL Injection vulnerability in Cisco Sd-Wan Firmware A vulnerability in the web UI of Cisco SD-WAN Solution vManage software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. | 8.1 |
2020-03-18 | CVE-2019-11689 | Asustor | OS Command Injection vulnerability in Asustor Exfat Driver 1.0.0 An issue was discovered in ASUSTOR exFAT Driver through 1.0.0.r20. | 8.1 |
2020-03-16 | CVE-2020-7982 | Openwrt | Improper Check for Unusual or Exceptional Conditions vulnerability in Openwrt Lede and Openwrt An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. | 8.1 |
2020-03-16 | CVE-2019-19821 | Combodo | Cross-site Scripting vulnerability in Combodo Itop A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access information and modify information with administrative privileges by not following the HTTP Location header in server responses. | 8.1 |
2020-03-22 | CVE-2020-10802 | Phpmyadmin Debian Fedoraproject Opensuse Suse | SQL Injection vulnerability in multiple products In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. | 8.0 |
2020-03-22 | CVE-2020-10804 | Phpmyadmin Fedoraproject Opensuse Suse | SQL Injection vulnerability in multiple products In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). | 8.0 |
2020-03-20 | CVE-2020-1709 | Redhat | Unspecified vulnerability in Redhat Openshift A vulnerability was found in all openshift/mediawiki 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the openshift/mediawiki. | 7.8 |
2020-03-20 | CVE-2019-19345 | Redhat | Unspecified vulnerability in Redhat Openshift A vulnerability was found in all openshift/mediawiki-apb 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the container openshift/mediawiki-apb. | 7.8 |
2020-03-20 | CVE-2020-10682 | Cmsmadesimple | Unrestricted Upload of File with Dangerous Type vulnerability in Cmsmadesimple CMS Made Simple 2.2.13 The Filemanager in CMS Made Simple 2.2.13 allows remote code execution via a .php.jpegd JPEG file, as demonstrated by m1_files[] to admin/moduleinterface.php. | 7.8 |
2020-03-19 | CVE-2019-16338 | Hancom | Use After Free vulnerability in Hancom Office NEO 9.6.1.7634 The tfo_common component in HwordApp.dll in Hancom Office 9.6.1.7634 allows a use-after-free via a crafted .docx file. | 7.8 |
2020-03-19 | CVE-2019-16337 | Hancom | Use After Free vulnerability in Hancom Office NEO 9.6.1.9403 The hncbd90 component in Hancom Office 9.6.1.9403 allows a use-after-free via an unknown object in a crafted .docx file. | 7.8 |
2020-03-19 | CVE-2020-3266 | Cisco | OS Command Injection vulnerability in Cisco Sd-Wan Firmware A vulnerability in the CLI of Cisco SD-WAN Solution software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. | 7.8 |
2020-03-19 | CVE-2020-3265 | Cisco | Improper Privilege Management vulnerability in Cisco Sd-Wan Firmware A vulnerability in Cisco SD-WAN Solution software could allow an authenticated, local attacker to elevate privileges to root on the underlying operating system. | 7.8 |
2020-03-19 | CVE-2020-10648 | Denx Opensuse | Improper Input Validation vulnerability in multiple products Das U-Boot through 2020.01 allows attackers to bypass verified boot restrictions and subsequently boot arbitrary images by providing a crafted FIT image to a system configured to boot the default configuration. | 7.8 |
2020-03-18 | CVE-2019-18979 | Claranova | Unspecified vulnerability in Claranova Adaware Antivirus 12.6.1005.11662/12.7.1055.0 Adaware antivirus 12.6.1005.11662 and 12.7.1055.0 has a quarantine flaw that allows privilege escalation. | 7.8 |
2020-03-18 | CVE-2020-7002 | Deltaww | Out-of-bounds Write vulnerability in Deltaww Cncsoft Screeneditor 1.00.88/1.00.96 Delta Industrial Automation CNCSoft ScreenEditor, v1.00.96 and prior. | 7.8 |
2020-03-17 | CVE-2020-3950 | Vmware | Improper Privilege Management vulnerability in VMWare Fusion, Horizon Client and Remote Console VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) contain a privilege escalation vulnerability due to improper use of setuid binaries. | 7.8 |
2020-03-16 | CVE-2019-20326 | Gnome Linuxmint Debian | Out-of-bounds Write vulnerability in multiple products A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg() in extensions/cairo_io/cairo-image-surface-jpeg.c in GNOME gThumb before 3.8.3 and Linux Mint Pix before 2.4.5 allows attackers to cause a crash and potentially execute arbitrary code via a crafted JPEG file. | 7.8 |
2020-03-16 | CVE-2020-3948 | Vmware | Incorrect Permission Assignment for Critical Resource vulnerability in VMWare Fusion and Workstation Linux Guest VMs running on VMware Workstation (15.x before 15.5.2) and Fusion (11.x before 11.5.2) contain a local privilege escalation vulnerability due to improper file permissions in Cortado Thinprint. | 7.8 |
2020-03-16 | CVE-2019-5543 | Vmware | Incorrect Permission Assignment for Critical Resource vulnerability in VMWare Horizon Client, Remote Console and Workstation For VMware Horizon Client for Windows (5.x and prior before 5.3.0), VMware Remote Console for Windows (10.x before 11.0.0), VMware Workstation for Windows (15.x before 15.5.2) the folder containing configuration files for the VMware USB arbitration service was found to be writable by all users. | 7.8 |
2020-03-21 | CVE-2019-18936 | Bloq | Uncontrolled Recursion vulnerability in Bloq Univalue UniValue::read() in UniValue before 1.0.5 allows attackers to cause a denial of service (the class internal data reaches an inconsistent state) via input data that triggers an error. | 7.5 |
2020-03-21 | CVE-2019-17185 | Freeradius Opensuse | Improper Synchronization vulnerability in multiple products In FreeRADIUS 3.0.x before 3.0.20, the EAP-pwd module used a global OpenSSL BN_CTX instance to handle all handshakes. | 7.5 |
2020-03-20 | CVE-2019-16528 | Mediawiki | Information Exposure Through Log Files vulnerability in Mediawiki Abusefilter 1.32/1.33 An issue was discovered in the AbuseFilter extension for MediaWiki. | 7.5 |
2020-03-20 | CVE-2020-8136 | Fastify | Resource Exhaustion vulnerability in Fastify Fastify-Multipart Prototype pollution vulnerability in fastify-multipart < 1.0.5 allows an attacker to crash fastify applications parsing multipart requests by sending a specially crafted request. | 7.5 |
2020-03-20 | CVE-2020-9425 | Rconfig | Always-Incorrect Control Flow Implementation vulnerability in Rconfig An issue was discovered in includes/head.inc.php in rConfig before 3.9.4. | 7.5 |
2020-03-20 | CVE-2020-10792 | IT Novum | Incorrect Default Permissions vulnerability in It-Novum Openitcockpit openITCOCKPIT through 3.7.2 allows remote attackers to configure the self::DEVELOPMENT or self::STAGING option by placing a hostname containing "dev" or "staging" in the HTTP Host header. | 7.5 |
2020-03-20 | CVE-2019-19324 | Xmidt | Always-Incorrect Control Flow Implementation vulnerability in Xmidt Cjwt 1.0.1 Xmidt cjwt through 1.0.1 before 2019-11-25 maps unsupported algorithms to alg=none, which sometimes leads to untrusted accidental JWT acceptance. | 7.5 |
2020-03-20 | CVE-2019-15075 | Inextrix | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Inextrix Astpp An issue was discovered in iNextrix ASTPP before 4.0.1. | 7.5 |
2020-03-20 | CVE-2019-14855 | Gnupg Fedoraproject Canonical | Inadequate Encryption Strength vulnerability in multiple products A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. | 7.5 |
2020-03-20 | CVE-2019-18785 | Suitecrm | Insufficiently Protected Credentials vulnerability in Suitecrm SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 mishandles API access tokens and credentials. | 7.5 |
2020-03-20 | CVE-2018-20335 | Asus | Improper Input Validation vulnerability in Asus Asuswrt 3.0.0.4.384.20308 An issue was discovered in ASUSWRT 3.0.0.4.384.20308. | 7.5 |
2020-03-20 | CVE-2018-20333 | Asus | Information Exposure vulnerability in Asus Asuswrt 3.0.0.4.384.20308 An issue was discovered in ASUSWRT 3.0.0.4.384.20308. | 7.5 |
2020-03-20 | CVE-2019-16108 | Phpbb | Code Injection vulnerability in PHPbb 3.2.7 phpBB 3.2.7 allows adding an arbitrary Cascading Style Sheets (CSS) token sequence to a page through BBCode. | 7.5 |
2020-03-19 | CVE-2020-10669 | Canon | Improper Authentication vulnerability in Canon OCE Colorwave 500 Firmware 4.0.0.0 The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to authentication bypass on the page /home.jsp. | 7.5 |
2020-03-19 | CVE-2019-16063 | Netsas | Cleartext Transmission of Sensitive Information vulnerability in Netsas Enigma Network Management Solution NETSAS Enigma NMS 65.0.0 and prior does not encrypt sensitive data rendered within web pages. | 7.5 |
2020-03-19 | CVE-2019-16067 | Netsas | Insufficiently Protected Credentials vulnerability in Netsas Enigma Network Management Solution NETSAS Enigma NMS 65.0.0 and prior utilises basic authentication over HTTP for enforcing access control to the web application. | 7.5 |
2020-03-19 | CVE-2019-15656 | Dlink | Insufficiently Protected Credentials vulnerability in Dlink Dsl-2875Al Firmware and Dsl-2877Al Firmware D-Link DSL-2875AL and DSL-2877AL devices through 1.00.05 are prone to information disclosure via a simple crafted request to index.asp on the web management server because of username_v and password_v variables. | 7.5 |
2020-03-19 | CVE-2019-15655 | Dlink | Insufficiently Protected Credentials vulnerability in Dlink Dsl-2875Al Firmware 1.00.05 D-Link DSL-2875AL devices through 1.00.05 are prone to password disclosure via a simple crafted /romfile.cfg request to the web management server. | 7.5 |
2020-03-19 | CVE-2019-15654 | Comba | Missing Authentication for Critical Function vulnerability in Comba Ac2400 Firmware Comba AC2400 devices are prone to password disclosure via a simple crafted /09/business/upgrade/upcfgAction.php?download=true request to the web management server. | 7.5 |
2020-03-19 | CVE-2019-15653 | Comba | Insufficiently Protected Credentials vulnerability in Comba Ap2600-I - A02 - 0202N00Pd2 Firmware Comba AP2600-I devices through A02,0202N00PD2 are prone to password disclosure via an insecure authentication mechanism. | 7.5 |
2020-03-19 | CVE-2020-10675 | Jsonparser Project Fedoraproject | Infinite Loop vulnerability in multiple products The Library API in buger jsonparser through 2019-12-04 allows attackers to cause a denial of service (infinite loop) via a Delete call. | 7.5 |
2020-03-18 | CVE-2019-3762 | Dell | Improper Certificate Validation vulnerability in Dell products Data Protection Central versions 1.0, 1.0.1, 18.1, 18.2, and 19.1 contains an Improper Certificate Chain of Trust Vulnerability. | 7.5 |
2020-03-18 | CVE-2019-20529 | Frappe | Files or Directories Accessible to External Parties vulnerability in Frappe 11.0.0/12.0.0 In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient) instead of private files. | 7.5 |
2020-03-18 | CVE-2019-12121 | Onap | Inadequate Encryption Strength vulnerability in Onap Open Network Automation Platform An issue was detected in ONAP Portal through Dublin. | 7.5 |
2020-03-18 | CVE-2020-9326 | Beyondtrust | Unspecified vulnerability in Beyondtrust Privilege Management for Windows and mac BeyondTrust Privilege Management for Windows and Mac (aka PMWM; formerly Avecto Defendpoint) 5.1 through 5.5 before 5.5 SR1 mishandles command-line arguments with PowerShell .ps1 file extensions present, leading to a DefendpointService.exe crash. | 7.5 |
2020-03-18 | CVE-2019-10682 | Django Nopassword Project | Cleartext Storage of Sensitive Information vulnerability in Django-Nopassword Project Django-Nopassword django-nopassword before 5.0.0 stores cleartext secrets in the database. | 7.5 |
2020-03-18 | CVE-2020-9325 | Aquaforest | Missing Authentication for Critical Function vulnerability in Aquaforest Tiff Server 4.0 Aquaforest TIFF Server 4.0 allows Unauthenticated Arbitrary File Download. | 7.5 |
2020-03-18 | CVE-2020-9324 | Aquaforest | Insufficiently Protected Credentials vulnerability in Aquaforest Tiff Server 4.0 Aquaforest TIFF Server 4.0 allows Unauthenticated SMB Hash Capture via UNC. | 7.5 |
2020-03-18 | CVE-2020-8470 | Trendmicro | Unspecified vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file that could allow an attacker to delete any file on the server with SYSTEM level privileges. | 7.5 |
2020-03-18 | CVE-2019-11939 | Facebook | Allocation of Resources Without Limits or Throttling vulnerability in Facebook Thrift Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. | 7.5 |
2020-03-16 | CVE-2020-8787 | Salesagility | Improper Input Validation vulnerability in Salesagility Suitecrm SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted. | 7.5 |
2020-03-16 | CVE-2019-20191 | Sync | XXE vulnerability in Sync Oxygen XML Editor Oxygen XML Editor 21.1.1 allows XXE to read any file. | 7.5 |
2020-03-16 | CVE-2020-7919 | Golang Debian Fedoraproject Netapp | Improper Certificate Validation vulnerability in multiple products Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate. | 7.5 |
2020-03-16 | CVE-2020-7248 | Openwrt | Out-of-bounds Write vulnerability in Openwrt libubox in OpenWrt before 18.06.7 and 19.x before 19.07.1 has a tagged binary data JSON serialization vulnerability that may cause a stack based buffer overflow. | 7.5 |
2020-03-16 | CVE-2017-12842 | Bitcoin | Improper Input Validation vulnerability in Bitcoin Core Bitcoin Core before 0.14 allows an attacker to create an ostensibly valid SPV proof for a payment to a victim who uses an SPV wallet, even if that payment did not actually occur. | 7.5 |
2020-03-16 | CVE-2020-9321 | Traefik | Improper Certificate Validation vulnerability in Traefik configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents from providers before logging. | 7.5 |
2020-03-16 | CVE-2020-6582 | Nagios Fedoraproject | Incorrect Conversion between Numeric Types vulnerability in multiple products Nagios NRPE 3.2.1 has a Heap-Based Buffer Overflow, as demonstrated by interpretation of a small negative number as a large positive number during a bzero call. | 7.5 |
2020-03-16 | CVE-2020-5849 | Unraid | Incorrect Comparison vulnerability in Unraid 6.8.0 Unraid 6.8.0 allows authentication bypass. | 7.5 |
2020-03-16 | CVE-2019-19945 | Openwrt | Incorrect Conversion between Numeric Types vulnerability in Openwrt uhttpd in OpenWrt through 18.06.5 and 19.x through 19.07.0-rc2 has an integer signedness error. | 7.5 |
2020-03-16 | CVE-2020-6988 | Rockwellautomation | Improper Authentication vulnerability in Rockwellautomation products Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior. A remote, unauthenticated attacker can send a request from the RSLogix 500 software to the victim’s MicroLogix controller. | 7.5 |
2020-03-16 | CVE-2020-6984 | Rockwellautomation | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Rockwellautomation products Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior. The cryptographic function utilized to protect the password in MicroLogix is discoverable. | 7.5 |
2020-03-16 | CVE-2020-10238 | Joomla | Exposure of Resource to Wrong Sphere vulnerability in Joomla Joomla! An issue was discovered in Joomla! before 3.9.16. | 7.5 |
2020-03-16 | CVE-2019-19942 | Swisscom | Improper Input Validation vulnerability in Swisscom Centro Business and Centro Grande Firmware Missing output sanitation in Swisscom Centro Grande Centro Grande before 6.16.12, Centro Business 1.0 (ADB) before 7.10.18, and Centro Business 2.0 before 8.02.04 allows a remote attacker to perform DNS spoofing against the web interface via crafted hostnames in DHCP requests. | 7.5 |
2020-03-16 | CVE-2019-19209 | Dolibarr | SQL Injection vulnerability in Dolibarr Dolibarr ERP/CRM before 10.0.3 allows SQL Injection. | 7.5 |
2020-03-16 | CVE-2018-13063 | Easyappointments | Missing Authorization vulnerability in Easyappointments Easy!Appointments Easy!Appointments 1.3.0 has a Missing Authorization issue allowing retrieval of hashed passwords and salts. | 7.5 |
2020-03-18 | CVE-2019-11688 | Asustor | Improper Certificate Validation vulnerability in Asustor Exfat Driver 1.0.0 An issue was discovered in ASUSTOR exFAT Driver through 1.0.0.r20. | 7.4 |
2020-03-16 | CVE-2019-19135 | Opcfoundation | Use of Insufficiently Random Values vulnerability in Opcfoundation Netstandard.Opc.Ua and Ua-.Netstandard In OPC Foundation OPC UA .NET Standard codebase 1.4.357.28, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua before 1.4.359.31, which allows man in the middle attackers to reuse encrypted user credentials sent over the network. | 7.4 |
2020-03-16 | CVE-2019-10091 | Apache | Improper Certificate Validation vulnerability in Apache Geode 1.9.0 When TLS is enabled with ssl-endpoint-identification-enabled set to true, Apache Geode fails to perform hostname verification of the entries in the certificate SAN during the SSL handshake. | 7.4 |
2020-03-16 | CVE-2020-6581 | Nagios Fedoraproject | Nagios NRPE 3.2.1 has Insufficient Filtering because, for example, nasty_metachars interprets \n as the character \ and the character n (not as the \n newline sequence). | 7.3 |
2020-03-22 | CVE-2020-10818 | Articatech | OS Command Injection vulnerability in Articatech Artica Proxy 4.26 Artica Proxy 4.26 allows remote command execution for an authenticated user via shell metacharacters in the "Modify the hostname" field. | 7.2 |
2020-03-20 | CVE-2019-15665 | Killernetworking | Out-of-bounds Write vulnerability in Killernetworking Killer Control Center An issue was discovered in Rivet Killer Control Center before 2.1.1352. | 7.2 |
2020-03-20 | CVE-2019-15661 | Killernetworking | Out-of-bounds Write vulnerability in Killernetworking Killer Control Center An issue was discovered in Rivet Killer Control Center before 2.1.1352. | 7.2 |
2020-03-20 | CVE-2019-19029 | Linuxfoundation Pivotal | SQL Injection vulnerability in multiple products Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform. | 7.2 |
2020-03-18 | CVE-2019-18582 | Dell | Code Injection vulnerability in Dell products Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server-side template injection vulnerability in the REST API. | 7.2 |
2020-03-18 | CVE-2019-18581 | Dell | Missing Authorization vulnerability in Dell products Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server missing authorization vulnerability in the REST API. | 7.2 |
2020-03-17 | CVE-2020-10120 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 84.0.20 allows resellers to achieve remote code execution as root via a cpsrvd rsync shell (SEC-545). | 7.2 |
2020-03-17 | CVE-2020-10115 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 84.0.20, when PowerDNS is used, allows arbitrary code execution as root via dnsadmin. | 7.2 |
2020-03-17 | CVE-2019-11074 | Paessler | Unrestricted Upload of File with Dangerous Type vulnerability in Paessler Prtg Network Monitor A Write to Arbitrary Location in Disk vulnerability exists in PRTG Network Monitor 19.1.49 and below that allows attackers to place files in arbitrary locations with SYSTEM privileges (although not controlling the contents of such files) due to insufficient sanitisation when passing arguments to the phantomjs.exe binary. | 7.2 |
2020-03-16 | CVE-2019-19538 | Sangoma | Unspecified vulnerability in Sangoma Freepbx Sangoma FreePBX 13 through 15 and the sysadmin (aka System Admin) module 13.0.92 through 15.0.13.6 have a Remote Command Execution vulnerability that results in Privilege Escalation. | 7.2 |
2020-03-16 | CVE-2019-19937 | Jfrog | Missing Authorization vulnerability in Jfrog Artifactory In JFrog Artifactory before 6.18, it is not possible to restrict either system or repository imports by any admin user in the enterprise, which can lead to "undesirable results." | 7.2 |
2020-03-16 | CVE-2019-11073 | Paessler | Injection vulnerability in Paessler Prtg Network Monitor A Remote Code Execution vulnerability exists in PRTG Network Monitor before 19.4.54.1506 that allows attackers to execute code due to insufficient sanitization when passing arguments to the HttpTransactionSensor.exe binary. | 7.2 |
2020-03-16 | CVE-2020-5844 | Artica | Unrestricted Upload of File with Dangerous Type vulnerability in Artica Pandora FMS 7.0Ng index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. | 7.2 |
2020-03-16 | CVE-2019-19940 | Swisscom | OS Command Injection vulnerability in Swisscom Centro Grande Firmware 6.12.02/6.14.00 Incorrect input sanitation in text-oriented user interfaces (telnet, ssh) in Swisscom Centro Grande before 6.16.12 allows remote authenticated users to execute arbitrary commands via command injection. | 7.2 |
2020-03-20 | CVE-2020-10597 | Deltaww | Out-of-bounds Read vulnerability in Deltaww Delta Industrial Automation Dopsoft Delta Industrial Automation DOPSoft, Version 4.00.08.15 and prior. | 7.1 |
2020-03-19 | CVE-2020-3264 | Cisco | Classic Buffer Overflow vulnerability in Cisco Sd-Wan Firmware A vulnerability in Cisco SD-WAN Solution software could allow an authenticated, local attacker to cause a buffer overflow on an affected device. | 7.1 |
2020-03-20 | CVE-2020-1707 | Redhat | Unspecified vulnerability in Redhat Openshift A vulnerability was found in all openshift/postgresql-apb 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the container openshift/postgresql-apb. | 7.0 |
2020-03-19 | CVE-2020-1705 | Redhat | Unspecified vulnerability in Redhat Template Service Broker Operator 4.0.0/4.2.0 A vulnerability was found in openshift/template-service-broker-operator in all 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the openshift/template-service-broker-operator. | 7.0 |
2020-03-18 | CVE-2019-19355 | Redhat | Unspecified vulnerability in Redhat Openshift 4.0 An insecure modification vulnerability in the /etc/passwd file was found in the openshift/ocp-release-operator-sdk. | 7.0 |
2020-03-18 | CVE-2019-19351 | Redhat | Unspecified vulnerability in Redhat Openshift 3.11/4.0 An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/jenkins. | 7.0 |
152 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-03-20 | CVE-2019-16258 | HOM EE | Missing Authentication for Critical Function vulnerability in Hom.Ee Brain Cube Core 2.23.0 The bootloader of the homee Brain Cube V2 through 2.23.0 allows attackers with physical access to gain root access by manipulating the U-Boot environment via the CLI after connecting to the internal UART interface. | 6.8 |
2020-03-20 | CVE-2020-8140 | Nextcloud | Code Injection vulnerability in Nextcloud Desktop A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the environment. | 6.7 |
2020-03-18 | CVE-2020-10665 | Docker | Link Following vulnerability in Docker Desktop Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTEM because it mishandles the collection of diagnostics with Administrator privileges, leading to arbitrary DACL permissions overwrites and arbitrary file writes. | 6.7 |
2020-03-20 | CVE-2020-1796 | Huawei | Incorrect Authorization vulnerability in Huawei Mate 20 Firmware and Mate 30 PRO Firmware There is an improper authorization vulnerability in several smartphones. | 6.6 |
2020-03-20 | CVE-2020-8139 | Nextcloud Fedoraproject | Missing Authorization vulnerability in multiple products A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL. | 6.5 |
2020-03-20 | CVE-2020-8138 | Nextcloud | Server-Side Request Forgery (SSRF) vulnerability in Nextcloud Server A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL. | 6.5 |
2020-03-20 | CVE-2020-10194 | Zimbra | Missing Authorization vulnerability in Zimbra Zm-Mailbox cs/service/account/AutoCompleteGal.java in Zimbra zm-mailbox before 8.8.15.p8 allows authenticated users to request any GAL account. | 6.5 |
2020-03-20 | CVE-2020-10558 | Tesla | Unspecified vulnerability in Tesla Model 3 web Interface The driving interface of Tesla Model 3 vehicles in any release before 2020.4.10 allows Denial of Service to occur due to improper process separation, which allows attackers to disable the speedometer, web browser, climate controls, turn signal visual and sounds, navigation, autopilot notifications, along with other miscellaneous functions from the main screen. | 6.5 |
2020-03-20 | CVE-2020-9345 | Signotec | Allocation of Resources Without Limits or Throttling vulnerability in Signotec Signopad-Api/Web An issue was discovered in signotec signoPAD-API/Web (formerly Websocket Pad Server) before 3.1.1 on Windows. | 6.5 |
2020-03-20 | CVE-2020-9343 | Signotec | Unspecified vulnerability in Signotec Signopad-Api/Web An issue was discovered in signotec signoPAD-API/Web (formerly Websocket Pad Server) before 3.1.1 on Windows. | 6.5 |
2020-03-20 | CVE-2019-19486 | Centreon | Path Traversal vulnerability in Centreon Local File Inclusion in minPlayCommand.php in Centreon (19.04.4 and below) allows an attacker to traverse paths via a plugin test. | 6.5 |
2020-03-19 | CVE-2019-16062 | Netsas | Cleartext Storage of Sensitive Information vulnerability in Netsas Enigma Network Management Solution NETSAS Enigma NMS 65.0.0 and prior does not encrypt sensitive data stored within the SQL database. | 6.5 |
2020-03-19 | CVE-2019-14878 | Newlib Project | NULL Pointer Dereference vulnerability in Newlib Project Newlib In the __d2b function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer; however, no check is performed to verify whether the allocation succeeded. | 6.5 |
2020-03-19 | CVE-2019-14877 | Newlib Project | NULL Pointer Dereference vulnerability in Newlib Project Newlib In the __mdiff function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate big integers; however, no check is performed to verify whether the allocation succeeded. | 6.5 |
2020-03-19 | CVE-2019-14876 | Newlib Project | NULL Pointer Dereference vulnerability in Newlib Project Newlib In the __lshift function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer; however, no check is performed to verify whether the allocation succeeded. | 6.5 |
2020-03-19 | CVE-2019-14875 | Newlib Project | NULL Pointer Dereference vulnerability in Newlib Project Newlib In the __multiply function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer; however, no check is performed to verify whether the allocation succeeded. | 6.5 |
2020-03-19 | CVE-2019-14874 | Newlib Project | NULL Pointer Dereference vulnerability in Newlib Project Newlib In the __i2b function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer; however, no check is performed to verify whether the allocation succeeded. | 6.5 |
2020-03-19 | CVE-2019-14873 | Newlib Project | NULL Pointer Dereference vulnerability in Newlib Project Newlib In the __multadd function of the newlib libc library, prior to version 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer; however, no check is performed to verify whether the allocation succeeded. | 6.5 |
2020-03-19 | CVE-2019-14872 | Newlib Project | NULL Pointer Dereference vulnerability in Newlib Project Newlib The _dtoa_r function of the newlib libc library, prior to version 3.3.0, performs multiple memory allocations without checking their return value. | 6.5 |
2020-03-18 | CVE-2020-10365 | Logicaldoc | SQL Injection vulnerability in Logicaldoc LogicalDoc before 8.3.3 allows SQL Injection. | 6.5 |
2020-03-18 | CVE-2019-12921 | Graphicsmagick Debian Opensuse | Command Injection vulnerability in multiple products In GraphicsMagick before 1.3.32, the text filename component allows remote attackers to read arbitrary files via a crafted image because of TranslateTextEx for SVG. | 6.5 |
2020-03-18 | CVE-2019-12122 | Onap | Cleartext Transmission of Sensitive Information vulnerability in Onap Open Network Automation Platform An issue was discovered in ONAP Portal through Dublin. | 6.5 |
2020-03-18 | CVE-2019-14871 | Newlib Project | NULL Pointer Dereference vulnerability in Newlib Project Newlib The REENT_CHECK macro (see newlib/libc/include/sys/reent.h) as used by REENT_CHECK_TM, REENT_CHECK_MISC, REENT_CHECK_MP and other newlib macros in versions prior to 3.3.0, does not check for memory allocation problems when the DEBUG flag is unset (as is the case in production firmware builds). | 6.5 |
2020-03-17 | CVE-2020-1720 | Postgresql Redhat | Missing Authorization vulnerability in multiple products A flaw was found in PostgreSQL's "ALTER ... | 6.5 |
2020-03-17 | CVE-2020-10122 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 84.0.20 allows a webmail or demo account to delete arbitrary files (SEC-547). | 6.5 |
2020-03-17 | CVE-2019-20495 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 82.0.18 allows attackers to read an arbitrary database via MySQL dump streaming (SEC-531). | 6.5 |
2020-03-16 | CVE-2020-9472 | Umbraco | Unrestricted Upload of File with Dangerous Type vulnerability in Umbraco CMS 8.5.3 Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package functionality. | 6.5 |
2020-03-16 | CVE-2019-18917 | HP | Improper Restriction of Excessive Authentication Attempts vulnerability in HP products A potential security vulnerability has been identified for certain HP Printers and All-in-Ones that would allow bypassing account lockout. | 6.5 |
2020-03-16 | CVE-2020-7916 | Thimpress | Improper Privilege Management vulnerability in Thimpress Learnpress be_teacher in class-lp-admin-ajax.php in the LearnPress plugin 3.2.6.5 and earlier for WordPress allows any registered user to assign itself the teacher role via the wp-admin/admin-ajax.php?action=learnpress_be_teacher URI without any additional permission checks. | 6.5 |
2020-03-16 | CVE-2019-19946 | Dradisframework | Authorization Bypass Through User-Controlled Key vulnerability in Dradisframework Dradis 3.4.1 The API in Dradis Pro 3.4.1 allows any user to extract the content of a project, even if this user is not part of the project team. | 6.5 |
2020-03-16 | CVE-2020-6584 | Nagios | Improper Privilege Management vulnerability in Nagios 2.1.3 Nagios Log Server 2.1.3 has Incorrect Access Control. | 6.5 |
2020-03-16 | CVE-2019-4656 | IBM | Unspecified vulnerability in IBM MQ, MQ Appliance and Websphere MQ IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD is vulnerable to a denial of service attack that would allow an authenticated user to crash the queue and require a restart due to an error processing error messages. | 6.5 |
2020-03-16 | CVE-2018-13060 | Easyappointments | Improper Authentication vulnerability in Easyappointments Easy!Appointments Easy!Appointments 1.3.0 has a Guessable CAPTCHA issue. | 6.5 |
2020-03-19 | CVE-2020-4205 | IBM | Improper Authentication vulnerability in IBM Datapower Gateway IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.8 could allow an authenticated user to bypass security restrictions, and continue to access the server even after authentication certificates have been revoked. | 6.3 |
2020-03-20 | CVE-2019-18860 | Squid Cache Debian Canonical Opensuse | Injection vulnerability in multiple products Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi. | 6.1 |
2020-03-20 | CVE-2019-13463 | Quantumcloud | Cross-site Scripting vulnerability in Quantumcloud Simple Link Directory An XSS vulnerability in qcopd-shortcode-generator.php in the Simple Link Directory plugin before 7.3.5 for WordPress allows remote attackers to inject arbitrary web script or HTML, because esc_html is not called for the "echo get_the_title()" or "echo $term->name" statement. | 6.1 |
2020-03-20 | CVE-2019-13389 | Rainloop | Cross-site Scripting vulnerability in Rainloop Webmail RainLoop Webmail before 1.13.0 lacks XSS protection mechanisms such as xlink:href validation, the X-XSS-Protection header, and the Content-Security-Policy header. | 6.1 |
2020-03-20 | CVE-2019-10221 | Redhat Dogtagpki | Cross-site Scripting vulnerability in multiple products A Reflected Cross Site Scripting vulnerability was found in all pki-core 10.x.x versions, where the pki-ca module from the pki-core server. | 6.1 |
2020-03-20 | CVE-2019-10179 | Redhat Dogtagpki | A vulnerability was found in all pki-core 10.x.x versions, where the Key Recovery Authority (KRA) Agent Service did not properly sanitize the recovery request search page, enabling a Reflected Cross Site Scripting (XSS) vulnerability. | 6.1 |
2020-03-20 | CVE-2020-9344 | Atlassian | Cross-site Scripting vulnerability in Atlassian Subversion Application Lifecycle Management Subversion ALM for the enterprise before 8.8.2 allows reflected XSS at multiple locations. | 6.1 |
2020-03-20 | CVE-2019-19484 | Centreon | Open Redirect vulnerability in Centreon Open redirect via parameter ‘p’ in login.php in Centreon (19.04.4 and below) allows an attacker to craft a payload and execute unintended behavior. | 6.1 |
2020-03-19 | CVE-2019-16069 | Netsas | Cross-site Scripting vulnerability in Netsas Enigma Network Management Solution A number of stored Cross-site Scripting (XSS) vulnerabilities were identified in NETSAS Enigma NMS 65.0.0 and prior that could allow a threat actor to inject malicious code directly into the application through the SNMP protocol. | 6.1 |
2020-03-19 | CVE-2020-10670 | Canon | Cross-site Scripting vulnerability in Canon OCE Colorwave 500 Firmware 4.0.0.0 The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to Reflected XSS in the parameter settingId of the settingDialogContent.jsp page. | 6.1 |
2020-03-19 | CVE-2020-10668 | Canon | Cross-site Scripting vulnerability in Canon OCE Colorwave 500 Firmware 4.0.0.0 The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to Reflected XSS in /home.jsp. | 6.1 |
2020-03-19 | CVE-2020-10667 | Canon | Cross-site Scripting vulnerability in Canon OCE Colorwave 500 Firmware 4.0.0.0 The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to Stored XSS in /TemplateManager/indexExternalLocation.jsp. | 6.1 |
2020-03-19 | CVE-2019-15539 | Mantisbt | Cross-site Scripting vulnerability in Mantisbt The proj_doc_edit_page.php Project Documentation feature in MantisBT before 2.21.3 has a stored cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. | 6.1 |
2020-03-19 | CVE-2019-15124 | Mediawiki | Cross-site Scripting vulnerability in Mediawiki Mobilefrontend 1.31.0/1.32.0/1.33.0 In the MobileFrontend extension for MediaWiki, XSS exists within the edit summary field of the watchlist feed. | 6.1 |
2020-03-19 | CVE-2019-20526 | Igniterealtime | Cross-site Scripting vulnerability in Igniterealtime Openfire 4.4.1 Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp password parameter. | 6.1 |
2020-03-19 | CVE-2019-20525 | Igniterealtime | Cross-site Scripting vulnerability in Igniterealtime Openfire 4.4.1 Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp driver parameter. | 6.1 |
2020-03-19 | CVE-2019-20521 | Frappe | Cross-site Scripting vulnerability in Frappe Erpnext 11.1.47 ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI. | 6.1 |
2020-03-19 | CVE-2019-20520 | Frappe | Cross-site Scripting vulnerability in Frappe Erpnext 11.1.47 ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI. | 6.1 |
2020-03-19 | CVE-2019-20519 | Frappe | Cross-site Scripting vulnerability in Frappe Erpnext 11.1.47 ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address. | 6.1 |
2020-03-19 | CVE-2019-20518 | Frappe | Cross-site Scripting vulnerability in Frappe Erpnext 11.1.47 ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI. | 6.1 |
2020-03-19 | CVE-2019-20517 | Frappe | Cross-site Scripting vulnerability in Frappe Erpnext 11.1.47 ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI. | 6.1 |
2020-03-19 | CVE-2019-20516 | Frappe | Cross-site Scripting vulnerability in Frappe Erpnext 11.1.47 ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI. | 6.1 |
2020-03-19 | CVE-2019-20515 | Frappe | Cross-site Scripting vulnerability in Frappe Erpnext 11.1.47 ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI. | 6.1 |
2020-03-19 | CVE-2019-20514 | Frappe | Cross-site Scripting vulnerability in Frappe Erpnext 11.1.47 ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI. | 6.1 |
2020-03-19 | CVE-2019-20513 | EDX | Cross-site Scripting vulnerability in EDX Open EDX 20190315 Open edX Ironwood.1 allows support/certificates?user= reflected XSS. | 6.1 |
2020-03-19 | CVE-2019-16070 | Netsas | Cross-site Scripting vulnerability in Netsas Enigma Network Management Solution A number of stored Cross-site Scripting (XSS) vulnerabilities were identified in NETSAS Enigma NMS 65.0.0 and prior that could allow a threat actor to inject malicious code directly into the application through web application form inputs. | 6.1 |
2020-03-19 | CVE-2019-12416 | Apache | Injection vulnerability in Apache Deltaspike We got reports for 2 injection attacks against the DeltaSpike windowhandler.js. | 6.1 |
2020-03-19 | CVE-2019-20527 | Igniterealtime | Cross-site Scripting vulnerability in Igniterealtime Openfire 4.4.1 Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp serverURL parameter. | 6.1 |
2020-03-19 | CVE-2019-20524 | Ilch | Cross-site Scripting vulnerability in Ilch CMS 2.1.23 ilchCMS 2.1.23 allows XSS via the index.php/partner/index Banner parameter. | 6.1 |
2020-03-19 | CVE-2019-20523 | Ilch | Cross-site Scripting vulnerability in Ilch CMS 2.1.23 ilchCMS 2.1.23 allows XSS via the index.php/partner/index Name parameter. | 6.1 |
2020-03-19 | CVE-2019-20522 | Ilch | Cross-site Scripting vulnerability in Ilch CMS 2.1.23 ilchCMS 2.1.23 allows XSS via the index.php/partner/index Link parameter. | 6.1 |
2020-03-19 | CVE-2019-19336 | Ovirt Redhat | Cross-site Scripting vulnerability in multiple products A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4.3.8. | 6.1 |
2020-03-18 | CVE-2019-20528 | Igniterealtime | Cross-site Scripting vulnerability in Igniterealtime Openfire 4.4.1 Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp username parameter. | 6.1 |
2020-03-18 | CVE-2019-20512 | Open EDX | Cross-site Scripting vulnerability in Open.Edx Ironwood.1 Open edX Ironwood.1 allows support/certificates?course_id= reflected XSS. | 6.1 |
2020-03-18 | CVE-2019-20511 | Frappe | Cross-site Scripting vulnerability in Frappe Erpnext 11.1.47 ERPNext 11.1.47 allows blog?blog_category= Frame Injection. | 6.1 |
2020-03-18 | CVE-2019-12370 | Readdle | Cross-site Scripting vulnerability in Readdle Spark 2.0.2 The Spark application through 2.0.2 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. | 6.1 |
2020-03-18 | CVE-2019-12369 | Typeapp | Cross-site Scripting vulnerability in Typeapp 1.9.5.35 The TypeApp application through 1.9.5.35 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. | 6.1 |
2020-03-18 | CVE-2019-12368 | Edison | Cross-site Scripting vulnerability in Edison Mail 1.7.1 The Edison Mail application through 1.7.1 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. | 6.1 |
2020-03-18 | CVE-2019-12367 | Blixhq | Cross-site Scripting vulnerability in Blixhq Bluemail 1.9.5.36 The BlueMail application through 1.9.5.36 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. | 6.1 |
2020-03-18 | CVE-2019-12366 | 9Folders | Cross-site Scripting vulnerability in 9Folders Nine The Nine application through 4.5.3a for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. | 6.1 |
2020-03-18 | CVE-2019-12365 | Cloudmagic | Cross-site Scripting vulnerability in Cloudmagic Newton 10.0.23 The Newton application through 10.0.23 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. | 6.1 |
2020-03-18 | CVE-2019-10178 | Dogtagpki | Unspecified vulnerability in Dogtagpki It was found that the Token Processing Service (TPS) did not properly sanitize the Token IDs from the "Activity" page, enabling a Stored Cross Site Scripting (XSS) vulnerability. | 6.1 |
2020-03-18 | CVE-2020-9443 | Zulipchat | Cross-site Scripting vulnerability in Zulipchat Zulip Desktop Zulip Desktop before 4.0.3 loaded untrusted content in an Electron webview with web security disabled, which can be exploited for XSS in a number of ways. | 6.1 |
2020-03-18 | CVE-2019-14884 | Moodle | Cross-site Scripting vulnerability in Moodle A vulnerability was found in Moodle 3.7 before 3.7.3, 3.6 before 3.6.7 and 3.5 before 3.5.9, where a reflected XSS was possible from some fatal error messages. | 6.1 |
2020-03-18 | CVE-2019-14882 | Moodle | Open Redirect vulnerability in Moodle A vulnerability was found in Moodle 3.7 to 3.7.3, 3.6 to 3.6.7, 3.5 to 3.5.9 and earlier where an open redirect existed in the Lesson edit page. | 6.1 |
2020-03-18 | CVE-2019-14881 | Moodle | Cross-site Scripting vulnerability in Moodle 3.7.0/3.7.1/3.7.2 A vulnerability was found in Moodle 3.7 before 3.7.3, where there is blind XSS reflected in some locations where the user email is displayed. | 6.1 |
2020-03-17 | CVE-2020-10114 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 84.0.20 allows stored self-XSS via the HTML file editor (SEC-535). | 6.1 |
2020-03-17 | CVE-2020-10113 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 84.0.20 allows self XSS via a temporary character-set specification (SEC-515). | 6.1 |
2020-03-17 | CVE-2019-20493 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 82.0.18 allows self-XSS because JSON string escaping is mishandled (SEC-520). | 6.1 |
2020-03-16 | CVE-2020-10242 | Joomla | Cross-site Scripting vulnerability in Joomla Joomla! An issue was discovered in Joomla! before 3.9.16. | 6.1 |
2020-03-16 | CVE-2019-19211 | Dolibarr | Cross-site Scripting vulnerability in Dolibarr Dolibarr ERP/CRM before 10.0.3 has an Insufficient Filtering issue that can lead to user/card.php XSS. | 6.1 |
2020-03-16 | CVE-2019-14512 | Limesurvey | Cross-site Scripting vulnerability in Limesurvey 3.17.7+190627 LimeSurvey 3.17.7+190627 has XSS via Boxes in application/extensions/PanelBoxWidget/views/box.php or a label title in application/views/admin/labels/labelview_view.php. | 6.1 |
2020-03-16 | CVE-2018-10125 | Contao | Cross-site Scripting vulnerability in Contao Contao before 4.5.7 has XSS in the system log. | 6.1 |
2020-03-16 | CVE-2020-6175 | Citrix | Improper Certificate Validation vulnerability in Citrix Sd-Wan Center and Netscaler Sd-Wan Center Citrix SD-WAN 10.2.x before 10.2.6 and 11.0.x before 11.0.3 has Missing SSL Certificate Validation. | 5.9 |
2020-03-19 | CVE-2019-20485 | Redhat Debian Fedoraproject | Improper Input Validation vulnerability in multiple products qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a monitor job during a query to a guest agent, which allows attackers to cause a denial of service (API blockage). | 5.7 |
2020-03-22 | CVE-2020-10812 | Hdfgroup | NULL Pointer Dereference vulnerability in Hdfgroup Hdf5 An issue was discovered in HDF5 through 1.12.0. | 5.5 |
2020-03-22 | CVE-2020-10811 | Hdfgroup | Out-of-bounds Read vulnerability in Hdfgroup Hdf5 An issue was discovered in HDF5 through 1.12.0. | 5.5 |
2020-03-22 | CVE-2020-10810 | Hdfgroup | NULL Pointer Dereference vulnerability in Hdfgroup Hdf5 An issue was discovered in HDF5 through 1.12.0. | 5.5 |
2020-03-22 | CVE-2020-10809 | Hdfgroup | Out-of-bounds Write vulnerability in Hdfgroup Hdf5 An issue was discovered in HDF5 through 1.12.0. | 5.5 |
2020-03-20 | CVE-2020-1878 | Huawei | Improper Authentication vulnerability in Huawei Oxfords-An00A Firmware Huawei smartphone OxfordS-AN00A with versions earlier than 10.0.1.152D(C735E152R3P3), versions earlier than 10.0.1.160(C00E160R4P1) have an improper authentication vulnerability. | 5.5 |
2020-03-19 | CVE-2020-5262 | Easybuild Project | Insecure Storage of Sensitive Information vulnerability in Easybuild Project Easybuild In EasyBuild before version 4.1.2, the GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like `--new-pr`, `--from-pr`, etc.) is shown in plain text in EasyBuild debug log files. | 5.5 |
2020-03-18 | CVE-2020-6976 | Deltaww | Out-of-bounds Read vulnerability in Deltaww Cncsoft Screeneditor 1.00.88/1.00.96 Delta Industrial Automation CNCSoft ScreenEditor, v1.00.96 and prior. | 5.5 |
2020-03-17 | CVE-2019-20496 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 82.0.18 allows attackers to conduct arbitrary chown operations as root during log processing (SEC-532). | 5.5 |
2020-03-16 | CVE-2019-4719 | IBM | Unspecified vulnerability in IBM MQ and MQ Appliance IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD could allow a local attacker to obtain sensitive information by inclusion of sensitive data within runmqras data. | 5.5 |
2020-03-16 | CVE-2019-4619 | IBM | Information Exposure Through an Error Message vulnerability in IBM MQ and MQ Appliance IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD could allow a local attacker to obtain sensitive information by inclusion of sensitive data within trace. | 5.5 |
2020-03-16 | CVE-2020-1753 | Redhat Debian Fedoraproject | A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. | 5.5 |
2020-03-22 | CVE-2020-10803 | Phpmyadmin Debian Fedoraproject Opensuse Suse | SQL Injection vulnerability in multiple products In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). | 5.4 |
2020-03-20 | CVE-2020-1696 | Redhat Dogtagpki | A flaw was found in all pki-core 10.x.x versions, where the Token Processing Service (TPS) did not properly sanitize Profile IDs, enabling a Stored Cross-Site Scripting (XSS) vulnerability when the profile ID is printed. | 5.4 |
2020-03-20 | CVE-2020-10681 | Cmsmadesimple | Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.13 The Filemanager in CMS Made Simple 2.2.13 has stored XSS via a .pxd file, as demonstrated by m1_files[] to admin/moduleinterface.php. | 5.4 |
2020-03-19 | CVE-2019-16375 | Otrs | Cross-site Scripting vulnerability in Otrs An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. | 5.4 |
2020-03-17 | CVE-2020-10596 | Opencart | Cross-site Scripting vulnerability in Opencart 3.0.3.2 OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section. | 5.4 |
2020-03-17 | CVE-2019-20497 | Cpanel | Cross-site Scripting vulnerability in Cpanel cPanel before 82.0.18 allows stored XSS via WHM Backup Restoration (SEC-533). | 5.4 |
2020-03-17 | CVE-2020-6646 | Fortinet | Cross-site Scripting vulnerability in Fortinet Fortiweb An improper neutralization of input vulnerability in FortiWeb allows a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Disclaimer Description of a Replacement Message. | 5.4 |
2020-03-16 | CVE-2019-20491 | Cpanel | Unspecified vulnerability in Cpanel cPanel before 82.0.18 allows attackers to leverage virtual mail accounts in order to bypass account suspensions (SEC-508). | 5.4 |
2020-03-16 | CVE-2019-19612 | Halvotec | Cross-site Scripting vulnerability in Halvotec Raquest 10.23.10801.0 An issue was discovered in Halvotec RaQuest 10.23.10801.0. | 5.4 |
2020-03-16 | CVE-2019-19610 | Halvotec | Session Fixation vulnerability in Halvotec Raquest 10.23.10801.0 An issue was discovered in Halvotec RaQuest 10.23.10801.0. | 5.4 |
2020-03-16 | CVE-2019-19461 | Teampasswordmanager | Cross-site Scripting vulnerability in Teampasswordmanager Team Password Manager Post-authentication Stored XSS in Team Password Manager through 7.93.204 allows attackers to steal other users' credentials by creating a shared password with HTML code as the title. | 5.4 |
2020-03-16 | CVE-2020-6586 | Nagios | Cross-site Scripting vulnerability in Nagios 2.1.3 Nagios Log Server 2.1.3 allows XSS by visiting /profile and entering a crafted name field that is mishandled on the /admin/users page. | 5.4 |
2020-03-16 | CVE-2019-19941 | Swisscom | Cross-site Scripting vulnerability in Swisscom Centro Grande Firmware 6.12.02/6.14.00 Missing hostname validation in Swisscom Centro Grande before 6.16.12 allows a remote attacker to inject its local IP address as a domain entry in the DNS service of the router via crafted hostnames in DHCP requests, causing XSS. | 5.4 |
2020-03-16 | CVE-2019-19210 | Dolibarr | Cross-site Scripting vulnerability in Dolibarr Dolibarr ERP/CRM before 10.0.3 allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files. | 5.4 |
2020-03-22 | CVE-2020-10807 | Mitre | Authentication Bypass by Spoofing vulnerability in Mitre Caldera auth_svc in Caldera before 2.6.5 allows authentication bypass (for REST API requests) via a forged "localhost" string in the HTTP Host header. | 5.3 |
2020-03-20 | CVE-2019-18782 | Salesagility | Unspecified vulnerability in Salesagility Suitecrm SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 does not correctly implement the .htaccess protection mechanism. | 5.3 |
2020-03-19 | CVE-2019-16529 | Mediawiki | Unspecified vulnerability in Mediawiki Checkuser An issue was discovered in the CheckUser extension through 1.35.0 for MediaWiki. | 5.3 |
2020-03-18 | CVE-2020-9323 | Aquaforest | Path Traversal vulnerability in Aquaforest Tiff Server 4.0 Aquaforest TIFF Server 4.0 allows Unauthenticated File and Directory Enumeration via tiffserver/tssp.aspx. | 5.3 |
2020-03-18 | CVE-2019-14883 | Moodle | Missing Authorization vulnerability in Moodle A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active. | 5.3 |
2020-03-17 | CVE-2020-10116 | Cpanel | Missing Authorization vulnerability in Cpanel cPanel before 84.0.20 allows attackers to bypass intended restrictions on features and demo accounts via WebDisk UAPI calls (SEC-541). | 5.3 |
2020-03-17 | CVE-2018-18576 | Incsub | Path Traversal vulnerability in Incsub Hustle The Hustle (aka wordpress-popup) plugin through 6.0.5 for WordPress allows Directory Traversal to obtain a directory listing via the views/admin/dashboard/ URI. | 5.3 |
2020-03-16 | CVE-2020-7608 | Yargs | Unspecified vulnerability in Yargs Yargs-Parser yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload. | 5.3 |
2020-03-16 | CVE-2020-10240 | Joomla | Improper Input Validation vulnerability in Joomla Joomla! An issue was discovered in Joomla! before 3.9.16. | 5.3 |
2020-03-16 | CVE-2020-9518 | Microfocus | Unspecified vulnerability in Microfocus Service Manager Login filter can access configuration files vulnerability in Micro Focus Service Manager (Web Tier), affecting versions 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. | 5.3 |
2020-03-16 | CVE-2020-9519 | Microfocus | Unspecified vulnerability in Microfocus Service Manager HTTP methods revealed in Web services vulnerability in Micro Focus Service Manager (server), affecting versions 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62, 9.63. | 5.3 |
2020-03-16 | CVE-2019-19613 | Halvotec | Open Redirect vulnerability in Halvotec Raquest 10.23.10801.0 An issue was discovered in Halvotec RaQuest 10.23.10801.0. | 5.2 |
2020-03-20 | CVE-2019-19026 | Linuxfoundation Pivotal | SQL Injection vulnerability in multiple products Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform. | 4.9 |
2020-03-19 | CVE-2020-4203 | IBM | Unspecified vulnerability in IBM Datapower Gateway IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.8 could potentially disclose highly sensitive information to a privileged user due to improper access controls. | 4.9 |
2020-03-17 | CVE-2019-20105 | Atlassian | Missing Authentication for Critical Function vulnerability in Atlassian Application Links The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to an administrator's session to access the EditApplinkServlet resource without needing to re-authenticate to pass "WebSudo" in products that support "WebSudo", through an improper access control vulnerability. | 4.9 |
2020-03-22 | CVE-2020-10821 | Nagios | Cross-site Scripting vulnerability in Nagios XI 5.6.11 Nagios XI 5.6.11 allows XSS via the account/main.php theme parameter. | 4.8 |
2020-03-22 | CVE-2020-10820 | Nagios | Cross-site Scripting vulnerability in Nagios XI 5.6.11 Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ password parameter. | 4.8 |
2020-03-22 | CVE-2020-10819 | Nagios | Cross-site Scripting vulnerability in Nagios XI 5.6.11 Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ username parameter. | 4.8 |
2020-03-19 | CVE-2020-5267 | Rubyonrails Debian Fedoraproject Opensuse | In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. | 4.8 |
2020-03-19 | CVE-2019-16010 | Cisco | Cross-site Scripting vulnerability in Cisco Sd-Wan Firmware A vulnerability in the web UI of the Cisco SD-WAN vManage software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the vManage software. | 4.8 |
2020-03-18 | CVE-2020-7258 | Mcafee | Cross-site Scripting vulnerability in Mcafee Network Security Manager Cross site scripting vulnerability in McAfee Network Security Management (NSM) prior to 9.1 update 6 (Mar 2020 Update) allows attackers to have an unspecified impact via unspecified vectors. | 4.8 |
2020-03-18 | CVE-2020-7256 | Mcafee | Cross-site Scripting vulnerability in Mcafee Network Security Manager Cross site scripting vulnerability in McAfee Network Security Management (NSM) prior to 9.1 update 6 (Mar 2020 Update) allows attackers to have an unspecified impact via unspecified vectors. | 4.8 |
2020-03-16 | CVE-2019-19852 | Sangoma | Cross-site Scripting vulnerability in Sangoma Freepbx An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Call Event Logging report screen in the cel module at the admin/config.php?display=cel URI via date fields. | 4.8 |
2020-03-16 | CVE-2019-19615 | Sangoma | Cross-site Scripting vulnerability in Sangoma Freepbx Multiple XSS vulnerabilities exist in the Backup & Restore module v14.0.10.2 through v14.0.10.7 for FreePBX, as shown at /admin/config.php?display=backup on the FreePBX Administrator web site. | 4.8 |
2020-03-16 | CVE-2019-19851 | Sangoma | Cross-site Scripting vulnerability in Sangoma Freepbx An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Debug/Test page of the Superfecta module at the admin/config.php?display=superfecta URI. | 4.8 |
2020-03-18 | CVE-2019-10146 | Redhat Dogtagpki | A Reflected Cross Site Scripting flaw was found in all pki-core 10.x.x versions, in a module from the pki-core server, due to the CA Agent Service not properly sanitizing the certificate request page. | 4.7 |
2020-03-16 | CVE-2020-1740 | Redhat Debian Fedoraproject | A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. | 4.7 |
2020-03-20 | CVE-2020-1794 | Huawei | Improper Authentication vulnerability in Huawei Mate 20 Firmware and Mate 30 PRO Firmware There is an improper authentication vulnerability in several smartphones. | 4.6 |
2020-03-20 | CVE-2020-1793 | Huawei | Improper Authentication vulnerability in Huawei Mate 20 Firmware and Mate 30 PRO Firmware There is an improper authentication vulnerability in several smartphones. | 4.6 |
2020-03-16 | CVE-2020-1735 | Redhat Debian Fedoraproject | A flaw was found in the Ansible Engine when the fetch module is used. | 4.6 |
2020-03-18 | CVE-2019-19335 | Redhat | Unspecified vulnerability in Redhat Openshift 4.0/4.2 During installation of an OpenShift 4 cluster, the `openshift-install` command line tool creates an `auth` directory, with `kubeconfig` and `kubeadmin-password` files. | 4.4 |
2020-03-16 | CVE-2019-4617 | IBM | Session Fixation vulnerability in IBM Cloud Automation Manager 3.2.1.0 IBM Cloud Automation Manager 3.2.1.0 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. | 4.4 |
2020-03-20 | CVE-2020-8883 | Foxitsoftware | Out-of-bounds Read vulnerability in Foxitsoftware Foxit Studio Photo This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.916. | 4.3 |
2020-03-20 | CVE-2020-8879 | Foxitsoftware | Out-of-bounds Read vulnerability in Foxitsoftware Foxit Studio Photo This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.916. | 4.3 |
2020-03-20 | CVE-2020-8877 | Foxitsoftware | Out-of-bounds Read vulnerability in Foxitsoftware Foxit Studio Photo This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.916. | 4.3 |
2020-03-18 | CVE-2019-19677 | Arxes Tolina | Information Exposure vulnerability in Arxes-Tolina 3.0.0 arxes-tolina 3.0.0 allows User Enumeration. | 4.3 |
2020-03-18 | CVE-2020-4199 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Tivoli Netcool/Omnibus 8.1.0 IBM Tivoli Netcool/OMNIbus 8.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | 4.3 |
2020-03-18 | CVE-2020-10659 | Entrustdatacard | Improper Certificate Validation vulnerability in Entrustdatacard Entelligence Security Provider Entrust Entelligence Security Provider (ESP) before 10.0.60 on Windows mishandles errors during SSL Certificate Validation, leading to situations where (for example) a user continues to interact with a web site that has an invalid certificate chain. | 4.3 |
2020-03-17 | CVE-2019-20407 | Atlassian | Missing Authorization vulnerability in Atlassian Jira Data Center and Jira Server The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to, through a missing authorisation check. | 4.3 |
11 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-03-20 | CVE-2020-1879 | Huawei | Improper Validation of Integrity Check Value vulnerability in Huawei products There is an improper integrity checking vulnerability on some Huawei products. | 3.9 |
2020-03-16 | CVE-2020-1738 | Redhat | Argument Injection or Modification vulnerability in Redhat products A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. | 3.9 |
2020-03-17 | CVE-2020-3951 | Vmware | Out-of-bounds Write vulnerability in VMWare Horizon Client and Workstation VMware Workstation (15.x before 15.5.2) and Horizon Client for Windows (5.x and prior before 5.4.0) contain a denial-of-service vulnerability due to a heap-overflow issue in Cortado Thinprint. | 3.8 |
2020-03-20 | CVE-2020-1862 | Huawei | Double Free vulnerability in Huawei Campusinsight and Manageone There is a double free vulnerability in some Huawei products. | 3.3 |
2020-03-17 | CVE-2019-20494 | Cpanel | Use of Insufficiently Random Values vulnerability in Cpanel In cPanel before 82.0.18, Cpanel::Rand::Get can produce a predictable series of numbers (SEC-525). | 3.3 |
2020-03-16 | CVE-2020-6980 | Rockwellautomation | Cleartext Storage of Sensitive Information vulnerability in Rockwellautomation products Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior. If Simple Mail Transfer Protocol (SMTP) account data is saved in RSLogix 500, a local attacker with access to a victim's project may be able to gather SMTP server authentication data as it is written to the project file in cleartext. | 3.3 |
2020-03-16 | CVE-2020-1736 | Redhat Fedoraproject | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. | 3.3 |
2020-03-20 | CVE-2019-15664 | Killernetworking | Out-of-bounds Read vulnerability in Killernetworking Killer Control Center An issue was discovered in Rivet Killer Control Center before 2.1.1352. | 2.7 |
2020-03-20 | CVE-2019-15663 | Killernetworking | Out-of-bounds Read vulnerability in Killernetworking Killer Control Center An issue was discovered in Rivet Killer Control Center before 2.1.1352. | 2.7 |
2020-03-20 | CVE-2019-15662 | Killernetworking | Out-of-bounds Read vulnerability in Killernetworking Killer Control Center An issue was discovered in Rivet Killer Control Center before 2.1.1352. | 2.7 |
2020-03-20 | CVE-2020-1795 | Huawei | Unspecified vulnerability in Huawei Mate 20 Firmware and Mate 30 PRO Firmware There is a logic error vulnerability in several smartphones. | 2.4 |