Weekly Vulnerabilities Reports > March 23 to 29, 2020
Overview
423 new vulnerabilities reported during this period, including 49 critical vulnerabilities and 116 high severity vulnerabilities. This weekly summary report vulnerabilities in 472 products from 118 vendors including Google, Adobe, Debian, Fedoraproject, and Opensuse. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Information Exposure", "Improper Input Validation", "Cross-site Scripting", and "Out-of-bounds Read".
- 335 reported vulnerabilities are remotely exploitables.
- 2 reported vulnerabilities have public exploit available.
- 89 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 366 reported vulnerabilities are exploitable by an anonymous user.
- Google has the most reported vulnerabilities, with 130 reported vulnerabilities.
- Google has the most reported critical vulnerabilities, with 19 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
49 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-03-27 | CVE-2015-5684 | Lenovo | Classic Buffer Overflow vulnerability in Lenovo products MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. | 10.0 |
2020-03-26 | CVE-2020-10826 | Draytek | Command Injection vulnerability in Draytek products /cgi-bin/activate.cgi on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve command injection via a remote HTTP request in DEBUG mode. | 10.0 |
2020-03-26 | CVE-2020-10245 | Codesys | Out-of-bounds Write vulnerability in Codesys products CODESYS V3 web server before 3.5.15.40, as used in CODESYS Control runtime systems, has a buffer overflow. | 10.0 |
2020-03-25 | CVE-2020-10881 | TP Link | Out-of-bounds Write vulnerability in Tp-Link Ac1750 Firmware 190726 This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. | 10.0 |
2020-03-25 | CVE-2020-3794 | Adobe | Improper Input Validation vulnerability in Adobe Coldfusion 2016/2018 ColdFusion versions ColdFusion 2016, and ColdFusion 2018 have a file inclusion vulnerability. | 10.0 |
2020-03-25 | CVE-2020-3805 | Adobe | Use After Free vulnerability in Adobe Acrobat DC Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a use-after-free vulnerability. | 10.0 |
2020-03-25 | CVE-2020-10789 | IT Novum | OS Command Injection vulnerability in It-Novum Openitcockpit openITCOCKPIT before 3.7.3 has a web-based terminal that allows attackers to execute arbitrary OS commands via shell metacharacters that are mishandled on an su command line in app/Lib/SudoMessageInterface.php. | 10.0 |
2020-03-25 | CVE-2020-5561 | Keijiban Tsumiki Project | OS Command Injection vulnerability in Keijiban Tsumiki Project Keijiban Tsumiki 1.15 Keijiban Tsumiki v1.15 allows remote attackers to execute arbitrary OS commands via unspecified vectors. | 10.0 |
2020-03-25 | CVE-2020-5560 | WL ENQ Project | OS Command Injection vulnerability in Wl-Enq Project Wl-Enq 1.11/1.12 WL-Enq 1.11 and 1.12 allows remote attackers to execute arbitrary OS commands with the administrative privilege via unspecified vectors. | 10.0 |
2020-03-25 | CVE-2020-5556 | Shihonkanri Plus Goout Project | OS Command Injection vulnerability in Shihonkanri Plus Goout Project Shihonkanri Plus Goout 1.5.8/2.2.10 Shihonkanri Plus GOOUT Ver1.5.8 and Ver2.2.10 allows remote attackers to execute arbitrary OS commands via unspecified vectors. | 10.0 |
2020-03-25 | CVE-2020-5553 | Mailform | Code Injection vulnerability in Mailform 1.04 mailform version 1.04 allows remote attackers to execute arbitrary PHP code via unspecified vectors. | 10.0 |
2020-03-24 | CVE-2020-7007 | Moxa | Out-of-bounds Write vulnerability in Moxa Eds-510E Firmware and Eds-G516E Firmware In Moxa EDS-G516E Series firmware, Version 5.2 or lower, the attacker may execute arbitrary codes or target the device, causing it to go out of service. | 10.0 |
2020-03-24 | CVE-2020-6981 | Moxa | Use of Hard-coded Credentials vulnerability in Moxa Eds-510E Firmware and Eds-G516E Firmware In Moxa EDS-G516E Series firmware, Version 5.2 or lower, an attacker may gain access to the system without proper authentication. | 10.0 |
2020-03-24 | CVE-2020-6985 | Moxa | Use of Hard-coded Credentials vulnerability in Moxa products In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, these devices use a hard-coded service code for access to the console. | 10.0 |
2020-03-24 | CVE-2019-20622 | Out-of-bounds Write vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos chipsets) software. | 10.0 | |
2020-03-24 | CVE-2019-20621 | Out-of-bounds Write vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos chipsets) software. | 10.0 | |
2020-03-24 | CVE-2019-20611 | Out-of-bounds Write vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), Go(8.1), P(9.0), and Go(9.0) (Exynos chipsets) software. | 10.0 | |
2020-03-24 | CVE-2019-20607 | Google Qualcomm Samsung | Out-of-bounds Write vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (MSM8996, MSM8998, Exynos7420, Exynos7870, Exynos8890, and Exynos8895 chipsets) software. | 10.0 |
2020-03-24 | CVE-2019-20605 | Out-of-bounds Write vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos chipsets) software. | 10.0 | |
2020-03-24 | CVE-2019-20589 | Type Confusion vulnerability in Google Android 8.0/8.1/9.0 An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (with TEEGRIS) software. | 10.0 | |
2020-03-24 | CVE-2019-20588 | Type Confusion vulnerability in Google Android 8.0/8.1/9.0 An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (with TEEGRIS) software. | 10.0 | |
2020-03-24 | CVE-2019-20587 | Type Confusion vulnerability in Google Android 8.1/9.0 An issue was discovered on Samsung mobile devices with O(8.1) and P(9.0) (with TEEGRIS) software. | 10.0 | |
2020-03-24 | CVE-2019-20586 | Type Confusion vulnerability in Google Android 8.1/9.0 An issue was discovered on Samsung mobile devices with O(8.1) and P(9.0) (with TEEGRIS) software. | 10.0 | |
2020-03-24 | CVE-2019-20585 | Type Confusion vulnerability in Google Android 8.0/8.1/9.0 An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (with TEEGRIS) software. | 10.0 | |
2020-03-24 | CVE-2019-20584 | Type Confusion vulnerability in Google Android 8.0/8.1/9.0 An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (with TEEGRIS) software. | 10.0 | |
2020-03-24 | CVE-2019-20583 | Type Confusion vulnerability in Google Android 8.0/8.1/9.0 An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (with TEEGRIS) software. | 10.0 | |
2020-03-24 | CVE-2019-20567 | Out-of-bounds Write vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos chipsets) software. | 10.0 | |
2020-03-24 | CVE-2020-10850 | Classic Buffer Overflow vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (Exynos chipsets) software. | 10.0 | |
2020-03-24 | CVE-2020-10848 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (Exynos 9810 chipsets) software. | 10.0 | |
2020-03-24 | CVE-2020-10837 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 10.0/9.0 An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (with TEEGRIS) software. | 10.0 | |
2020-03-24 | CVE-2020-10835 | Samsung | Classic Buffer Overflow vulnerability in Samsung Exynos An issue was discovered on Samsung mobile devices with any (before February 2020 for Exynos modem chipsets) software. | 10.0 |
2020-03-24 | CVE-2019-20545 | Classic Buffer Overflow vulnerability in Google Android 8.0/8.1/9.0 An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (Exynos chipsets) software. | 10.0 | |
2020-03-24 | CVE-2019-20537 | Out-of-bounds Write vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) (TEEGRIS and Qualcomm chipsets). | 10.0 | |
2020-03-23 | CVE-2020-8868 | Quest | Use of Hard-coded Credentials vulnerability in Quest Foglight Evolve 9.0.0 This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest Foglight Evolve 9.0.0. | 10.0 |
2020-03-23 | CVE-2020-6967 | Rockwellautomation | Deserialization of Untrusted Data vulnerability in Rockwellautomation Factorytalk Services Platform In Rockwell Automation all versions of FactoryTalk Diagnostics software, a subsystem of the FactoryTalk Services Platform, FactoryTalk Diagnostics exposes a .NET Remoting endpoint via RNADiagnosticsSrv.exe at TCPtcp/8082, which can insecurely deserialize untrusted data. | 10.0 |
2020-03-23 | CVE-2020-5722 | Grandstream | SQL Injection vulnerability in Grandstream Ucm6200 Firmware The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. | 10.0 |
2020-03-27 | CVE-2020-3936 | Unisoon | SQL Injection vulnerability in Unisoon Ultralog Express Firmware 1.4.0 UltraLog Express device management interface does not properly filter user inputted string in some specific parameters, attackers can inject arbitrary SQL command. | 9.8 |
2020-03-25 | CVE-2020-1957 | Apache Debian | Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. | 9.8 |
2020-03-24 | CVE-2020-1747 | Pyyaml Fedoraproject Opensuse Oracle | Improper Input Validation vulnerability in multiple products A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. | 9.8 |
2020-03-23 | CVE-2020-1944 | Apache Debian | HTTP Request Smuggling vulnerability in multiple products There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and Transfer-Encoding and Content length headers. | 9.8 |
2020-03-23 | CVE-2019-17565 | Apache Debian | HTTP Request Smuggling vulnerability in multiple products There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and chunked encoding. | 9.8 |
2020-03-23 | CVE-2019-17559 | Apache Debian | HTTP Request Smuggling vulnerability in multiple products There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and scheme parsing. | 9.8 |
2020-03-23 | CVE-2019-20627 | Rbsoft | XXE vulnerability in Rbsoft Autoupdater.Net AutoUpdater.cs in AutoUpdater.NET before 1.5.8 allows XXE. | 9.8 |
2020-03-24 | CVE-2019-20610 | Google Samsung | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.X) and O(8.X) (Exynos 7570, 7870, 7880, 7885, 8890, 8895, and 9810 chipsets) software. | 9.3 |
2020-03-23 | CVE-2020-9759 | LG | Download of Code Without Integrity Check vulnerability in LG Webos A Vulnerability of LG Electronic web OS TV Emulator could allow an attacker to escalate privileges and overwrite certain files. | 9.3 |
2020-03-25 | CVE-2019-7245 | Techpowerup | Improper Initialization vulnerability in Techpowerup Gpu-Z An issue was discovered in GPU-Z.sys in TechPowerUp GPU-Z before 2.23.0. | 9.0 |
2020-03-25 | CVE-2019-7244 | Aida64 | Improper Initialization vulnerability in Aida64 An issue was discovered in kerneld.sys in AIDA64 before 5.99. | 9.0 |
2020-03-25 | CVE-2019-7240 | Moo0 | Improper Initialization vulnerability in Moo0 System Monitor 1.83 An issue was discovered in WinRing0x64.sys in Moo0 System Monitor 1.83. | 9.0 |
2020-03-25 | CVE-2020-5558 | Cutephp | Injection vulnerability in Cutephp Cutenews 2.0.1 CuteNews 2.0.1 allows remote authenticated attackers to execute arbitrary PHP code via unspecified vectors. | 9.0 |
116 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-03-26 | CVE-2020-9521 | Microfocus | SQL Injection vulnerability in Microfocus Service Manager Automation An SQL injection vulnerability was discovered in Micro Focus Service Manager Automation (SMA), affecting versions 2019.08, 2019.05, 2019.02, 2018.08, 2018.05, 2018.02. | 8.8 |
2020-03-26 | CVE-2020-10969 | Fasterxml Debian Netapp Oracle | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. | 8.8 |
2020-03-26 | CVE-2020-10968 | Fasterxml Debian Netapp Oracle | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). | 8.8 |
2020-03-25 | CVE-2020-6807 | Mozilla Canonical | Use After Free vulnerability in multiple products When a device was changed while a stream was about to be destroyed, the <code>stream-reinit</code> task may have been executed after the stream was destroyed, causing a use-after-free and a potentially exploitable crash. | 8.8 |
2020-03-25 | CVE-2020-6806 | Mozilla Canonical | Out-of-bounds Read vulnerability in multiple products By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of an array resized during script execution. | 8.8 |
2020-03-25 | CVE-2020-6805 | Mozilla Canonical | Use After Free vulnerability in multiple products When removing data about an origin whose tab was recently closed, a use-after-free could occur in the Quota manager, resulting in a potentially exploitable crash. | 8.8 |
2020-03-25 | CVE-2020-10884 | TP Link | Use of Hard-coded Credentials vulnerability in Tp-Link Ac1750 Firmware 190726 This vulnerability allows network-adjacent attackers execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. | 8.8 |
2020-03-25 | CVE-2020-10882 | TP Link | OS Command Injection vulnerability in Tp-Link Ac1750 Firmware 190726 This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. | 8.8 |
2020-03-25 | CVE-2020-2171 | Jenkins | XXE vulnerability in Jenkins Rapiddeploy Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 8.8 |
2020-03-25 | CVE-2020-2168 | Jenkins | Improper Input Validation vulnerability in Jenkins Azure Container Service Jenkins Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. | 8.8 |
2020-03-25 | CVE-2020-2167 | Jenkins | Improper Input Validation vulnerability in Jenkins Openshift Pipeline Jenkins OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. | 8.8 |
2020-03-25 | CVE-2020-2166 | Jenkins | Improper Input Validation vulnerability in Jenkins Pipeline: AWS Steps Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. | 8.8 |
2020-03-25 | CVE-2020-2160 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL. | 8.8 |
2020-03-23 | CVE-2020-6449 | Google Debian Fedoraproject Suse Opensuse | Use After Free vulnerability in multiple products Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2020-03-23 | CVE-2020-6429 | Google Debian Fedoraproject Suse Opensuse | Out-of-bounds Write vulnerability in multiple products Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2020-03-23 | CVE-2020-6428 | Google Suse Opensuse Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2020-03-23 | CVE-2020-6427 | Google Debian Fedoraproject Suse Opensuse | Out-of-bounds Write vulnerability in multiple products Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2020-03-23 | CVE-2020-6424 | Google Debian Fedoraproject Suse Opensuse | Use After Free vulnerability in multiple products Use after free in media in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2020-03-23 | CVE-2020-6422 | Google Fedoraproject Debian Suse Opensuse | Out-of-bounds Write vulnerability in multiple products Use after free in WebGL in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2020-03-23 | CVE-2020-6420 | Google Debian Fedoraproject | Insufficient policy enforcement in media in Google Chrome prior to 80.0.3987.132 allowed a remote attacker to bypass same origin policy via a crafted HTML page. | 8.8 |
2020-03-23 | CVE-2020-10793 | Codeigniter | Improper Privilege Management vulnerability in Codeigniter CodeIgniter through 4.0.0 allows remote attackers to gain privileges via a modified Email ID to the "Select Role of the User" page. | 8.8 |
2020-03-26 | CVE-2020-1764 | Kiali Redhat | Use of Hard-coded Credentials vulnerability in multiple products A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. | 8.6 |
2020-03-23 | CVE-2020-8864 | Dlink | Incorrect Comparison vulnerability in Dlink products This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-867, DIR-878, and DIR-882 routers with firmware 1.10B04. | 8.3 |
2020-03-23 | CVE-2020-8863 | Dlink | Improper Authentication vulnerability in Dlink products This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-867, DIR-878, and DIR-882 routers with firmware 1.10B04. | 8.3 |
2020-03-27 | CVE-2020-1773 | Otrs | Insufficient Entropy vulnerability in Otrs An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. | 8.1 |
2020-03-27 | CVE-2020-3920 | Unisoon | Missing Authentication for Critical Function vulnerability in Unisoon Ultralog Express Firmware 1.4.0 UltraLog Express device management interface does not properly perform access authentication in some specific pages/functions. | 8.1 |
2020-03-26 | CVE-2020-7260 | Mcafee | Untrusted Search Path vulnerability in Mcafee Application and Change Control DLL Side Loading vulnerability in the installer for McAfee Application and Change Control (MACC) prior to 8.3 allows local users to execute arbitrary code via execution from a compromised folder. | 7.8 |
2020-03-25 | CVE-2020-10883 | TP Link | Incorrect Permission Assignment for Critical Resource vulnerability in Tp-Link Ac1750 Firmware 190726 This vulnerability allows local attackers to escalate privileges on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. | 7.8 |
2020-03-25 | CVE-2020-9375 | TP Link | Missing Release of Resource after Effective Lifetime vulnerability in Tp-Link Archer C50 Build170822/Build171227/Build200318 TP-Link Archer C50 V3 devices before Build 200318 Rel. | 7.8 |
2020-03-24 | CVE-2019-20577 | Unspecified vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) (Exynos chipsets) software. | 7.8 | |
2020-03-23 | CVE-2020-7479 | Schneider Electric | Missing Authentication for Critical Function vulnerability in Schneider-Electric Interactive Graphical Scada System 14.0/14.0.0.19120 A CWE-306: Missing Authentication for Critical Function vulnerability exists in IGSS (Versions 14 and prior using the service: IGSSupdate), which could allow a local user to execute processes that otherwise require escalation privileges when sending local network commands to the IGSS Update Service. | 7.8 |
2020-03-23 | CVE-2020-10364 | Mikrotik | Resource Exhaustion vulnerability in Mikrotik Routeros The SSH daemon on MikroTik routers through v6.44.3 could allow remote attackers to generate CPU activity, trigger refusal of new authorized connections, and cause a reboot via connect and write system calls, because of uncontrolled resource management. | 7.8 |
2020-03-23 | CVE-2020-10592 | Torproject Opensuse | Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 allows remote attackers to cause a Denial of Service (CPU consumption), aka TROVE-2020-002. | 7.8 |
2020-03-27 | CVE-2020-10956 | Gitlab | Server-Side Request Forgery (SSRF) vulnerability in Gitlab GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a project import note feature. | 7.5 |
2020-03-27 | CVE-2020-5863 | F5 Netapp | In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. | 7.5 |
2020-03-27 | CVE-2020-1772 | Otrs Opensuse Debian | It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. | 7.5 |
2020-03-27 | CVE-2020-3921 | Unisoon | Cleartext Storage of Sensitive Information vulnerability in Unisoon Ultralog Express Firmware 1.4.0 UltraLog Express device management software stores user’s information in cleartext. | 7.5 |
2020-03-27 | CVE-2020-10992 | Azkaban Project | XXE vulnerability in Azkaban Project Azkaban Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorManager.java and user/XmlUserManager.java. | 7.5 |
2020-03-27 | CVE-2020-10991 | Mulesoft | XXE vulnerability in Mulesoft Aplkit Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java | 7.5 |
2020-03-27 | CVE-2020-10990 | Accenture | XXE vulnerability in Accenture Mercury An XXE issue exists in Accenture Mercury before 1.12.28 because of the platformlambda/core/serializers/SimpleXmlParser.java component. | 7.5 |
2020-03-26 | CVE-2020-10828 | Draytek | Out-of-bounds Write vulnerability in Draytek products A stack-based buffer overflow in cvmd on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve code execution via a remote HTTP request. | 7.5 |
2020-03-26 | CVE-2020-10827 | Draytek | Out-of-bounds Write vulnerability in Draytek products A stack-based buffer overflow in apmd on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve code execution via a remote HTTP request. | 7.5 |
2020-03-26 | CVE-2020-10825 | Draytek | Out-of-bounds Write vulnerability in Draytek products A stack-based buffer overflow in /cgi-bin/activate.cgi while base64 decoding ticket parameter on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve code execution via a remote HTTP request (issue 3 of 3). | 7.5 |
2020-03-26 | CVE-2020-10824 | Draytek | Out-of-bounds Write vulnerability in Draytek products A stack-based buffer overflow in /cgi-bin/activate.cgi through ticket parameter on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve code execution via a remote HTTP request (issue 2 of 3). | 7.5 |
2020-03-26 | CVE-2020-10823 | Draytek | Out-of-bounds Write vulnerability in Draytek products A stack-based buffer overflow in /cgi-bin/activate.cgi through var parameter on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve code execution via a remote HTTP request (issue 1 of 3). | 7.5 |
2020-03-25 | CVE-2020-6815 | Mozilla | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mozilla Firefox Mozilla developers reported memory safety and script safety bugs present in Firefox 73. | 7.5 |
2020-03-25 | CVE-2020-6814 | Mozilla Canonical | Out-of-bounds Write vulnerability in multiple products Mozilla developers reported memory safety bugs present in Firefox and Thunderbird 68.5. | 7.5 |
2020-03-25 | CVE-2020-10964 | S9Y | Unrestricted Upload of File with Dangerous Type vulnerability in S9Y Serendipity Serendipity before 2.3.4 on Windows allows remote attackers to execute arbitrary code because the filename of a renamed file may end with a dot. | 7.5 |
2020-03-25 | CVE-2020-3789 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a memory corruption vulnerability. | 7.5 |
2020-03-25 | CVE-2020-3788 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a memory corruption vulnerability. | 7.5 |
2020-03-25 | CVE-2020-3787 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a memory corruption vulnerability. | 7.5 |
2020-03-25 | CVE-2020-3786 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a memory corruption vulnerability. | 7.5 |
2020-03-25 | CVE-2020-3785 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a memory corruption vulnerability. | 7.5 |
2020-03-25 | CVE-2020-3784 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a memory corruption vulnerability. | 7.5 |
2020-03-25 | CVE-2020-3783 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a heap corruption vulnerability. | 7.5 |
2020-03-25 | CVE-2020-3775 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a buffer errors vulnerability. | 7.5 |
2020-03-25 | CVE-2020-10888 | TP Link | Improper Authentication vulnerability in Tp-Link Ac1750 Firmware 190726 This vulnerability allows remote attackers to bypass authentication on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. | 7.5 |
2020-03-25 | CVE-2020-10887 | TP Link | Unspecified vulnerability in Tp-Link Ac1750 Firmware 190726 This vulnerability allows a firewall bypass on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. | 7.5 |
2020-03-25 | CVE-2020-10886 | TP Link | OS Command Injection vulnerability in Tp-Link Ac1750 Firmware 190726 This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. | 7.5 |
2020-03-25 | CVE-2020-10885 | TP Link | Improper Input Validation vulnerability in Tp-Link Ac1750 Firmware 190726 This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. | 7.5 |
2020-03-25 | CVE-2020-5282 | Nick Chan BOT Project | OS Command Injection vulnerability in Nick Chan BOT Project Nick Chan BOT 1.0.0 In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in the `npm` command which is part of this software package. | 7.5 |
2020-03-25 | CVE-2020-3807 | Adobe | Classic Buffer Overflow vulnerability in Adobe Acrobat DC Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a buffer overflow vulnerability. | 7.5 |
2020-03-25 | CVE-2020-3801 | Adobe | Use After Free vulnerability in Adobe Acrobat DC Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a use-after-free vulnerability. | 7.5 |
2020-03-25 | CVE-2020-2165 | Jfrog | Insufficiently Protected Credentials vulnerability in Jfrog Artifactory Jenkins Artifactory Plugin 3.6.0 and earlier transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure. | 7.5 |
2020-03-25 | CVE-2020-3799 | Adobe | Out-of-bounds Write vulnerability in Adobe Acrobat DC Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a stack-based buffer overflow vulnerability. | 7.5 |
2020-03-25 | CVE-2020-3797 | Adobe | Out-of-bounds Write vulnerability in Adobe Acrobat DC Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a memory corruption vulnerability. | 7.5 |
2020-03-25 | CVE-2020-3795 | Adobe | Out-of-bounds Write vulnerability in Adobe Acrobat DC Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have an out-of-bounds write vulnerability. | 7.5 |
2020-03-25 | CVE-2020-3793 | Adobe | Use After Free vulnerability in Adobe Acrobat DC Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a use-after-free vulnerability. | 7.5 |
2020-03-25 | CVE-2020-3792 | Adobe | Use After Free vulnerability in Adobe Acrobat DC Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a use-after-free vulnerability. | 7.5 |
2020-03-24 | CVE-2020-8986 | Zend | Improper Check for Unusual or Exceptional Conditions vulnerability in Zend Zendto lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta failed to properly check for equality when validating the session cookie, allowing an attacker to gain administrative access with a large number of requests. | 7.5 |
2020-03-24 | CVE-2020-6078 | Videolabs Debian | Unchecked Return Value vulnerability in multiple products An exploitable denial-of-service vulnerability exists in the message-parsing functionality of Videolabs libmicrodns 0.1.0. | 7.5 |
2020-03-24 | CVE-2020-6072 | Videolabs Debian | Double Free vulnerability in multiple products An exploitable code execution vulnerability exists in the label-parsing functionality of Videolabs libmicrodns 0.1.0. | 7.5 |
2020-03-24 | CVE-2020-6995 | Moxa | Weak Password Requirements vulnerability in Moxa products In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, the application utilizes weak password requirements, which may allow an attacker to gain unauthorized access. | 7.5 |
2020-03-24 | CVE-2019-20590 | Google Qualcomm | Integer Underflow (Wrap or Wraparound) vulnerability in Google Android 8.0/8.1 An issue was discovered on Samsung mobile devices with O(8.x) (Qualcomm chipsets) software. | 7.5 |
2020-03-24 | CVE-2019-20576 | SQL Injection vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) software. | 7.5 | |
2020-03-24 | CVE-2020-6989 | Moxa | Out-of-bounds Write vulnerability in Moxa products In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, a buffer overflow in the web server allows remote attackers to cause a denial-of-service condition or execute arbitrary code. | 7.5 |
2020-03-24 | CVE-2019-20582 | Google Samsung | Use After Free vulnerability in Google Android 8.0/8.1/9.0 An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) devices (Exynos9810 chipsets) software. | 7.5 |
2020-03-24 | CVE-2019-20581 | Out-of-bounds Write vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos chipsets) software. | 7.5 | |
2020-03-24 | CVE-2019-20578 | Google Samsung | Classic Buffer Overflow vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) (Exynos 9820 chipsets) software. | 7.5 |
2020-03-24 | CVE-2019-20572 | Google Samsung | Classic Buffer Overflow vulnerability in Google Android 8.1/9.0 An issue was discovered on Samsung mobile devices with O(8.1) and P(9.0) (Exynos chipsets) software. | 7.5 |
2020-03-24 | CVE-2019-20571 | Type Confusion vulnerability in Google Android 8.0/8.1 An issue was discovered on Samsung mobile devices with O(8.x) (with TEEGRIS) software. | 7.5 | |
2020-03-24 | CVE-2019-20566 | Samsung | Out-of-bounds Write vulnerability in Samsung Exynos Smp1300 An issue was discovered on Samsung mobile devices with any (before September 2019 for SMP1300 Exynos modem chipsets) software. | 7.5 |
2020-03-24 | CVE-2019-20563 | Out-of-bounds Write vulnerability in Google Android 8.0/8.1/9.0 An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (with TEEGRIS) software. | 7.5 | |
2020-03-24 | CVE-2019-20562 | Classic Buffer Overflow vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) (with TEEGRIS) software. | 7.5 | |
2020-03-24 | CVE-2019-20561 | Integer Overflow or Wraparound vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos chipsets) software. | 7.5 | |
2020-03-24 | CVE-2019-20560 | Out-of-bounds Write vulnerability in Google Android 8.0/8.1/9.0 An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (with TEEGRIS) software. | 7.5 | |
2020-03-24 | CVE-2019-20558 | Google Samsung | Classic Buffer Overflow vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos chipsets) software. | 7.5 |
2020-03-24 | CVE-2019-20556 | Google Qualcomm Samsung | Out-of-bounds Write vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) (SM6150, SM8150, SM8150_FUSION, exynos7885, exynos9610, and exynos9820 chipsets) software. | 7.5 |
2020-03-24 | CVE-2019-20553 | Google Qualcomm Samsung | Unspecified vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) (SM6150, SM8150, SM8150_FUSION, exynos7885, exynos9610, and exynos9820 chipsets) software. | 7.5 |
2020-03-24 | CVE-2019-20549 | Google Broadcom | Out-of-bounds Read vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Broadcom chipsets) software. | 7.5 |
2020-03-24 | CVE-2019-20548 | Classic Buffer Overflow vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) devices (Qualcomm chipsets) software. | 7.5 | |
2020-03-24 | CVE-2020-10836 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (Exynos chipsets) software. | 7.5 | |
2020-03-24 | CVE-2019-20544 | Out-of-bounds Write vulnerability in Google Android 8.0/8.1/9.0 An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (Exynos chipsets) software. | 7.5 | |
2020-03-24 | CVE-2019-20536 | Incorrect Default Permissions vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), and P(9.0) (released in China) software. | 7.5 | |
2020-03-24 | CVE-2019-20530 | Code Injection vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), P(9.0), and Q(10.0) software. | 7.5 | |
2020-03-24 | CVE-2020-10938 | Graphicsmagick Debian Opensuse | Integer Overflow or Wraparound vulnerability in multiple products GraphicsMagick before 1.3.35 has an integer overflow and resultant heap-based buffer overflow in HuffmanDecodeImage in magick/compress.c. | 7.5 |
2020-03-23 | CVE-2020-10879 | Rconfig | Injection vulnerability in Rconfig rConfig before 3.9.5 allows command injection by sending a crafted GET request to lib/crud/search.crud.php since the nodeId parameter is passed directly to the exec function without being escaped. | 7.5 |
2020-03-23 | CVE-2020-7480 | Schneider Electric | Code Injection vulnerability in Schneider-Electric products A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists in Andover Continuum (All versions), which could cause files on the application server filesystem to be viewable when an attacker interferes with an application's processing of XML data. | 7.5 |
2020-03-23 | CVE-2020-7478 | Schneider Electric | Path Traversal vulnerability in Schneider-Electric Interactive Graphical Scada System 14.0/14.0.0.19120 A CWE-22: Improper Limitation of a Pathname to a Restricted Directory exists in IGSS (Versions 14 and prior using the service: IGSSupdate), which could allow a remote unauthenticated attacker to read arbitrary files from the IGSS server PC on an unrestricted or shared network when the IGSS Update Service is enabled. | 7.5 |
2020-03-23 | CVE-2020-7475 | Schneider Electric | Injection vulnerability in Schneider-Electric products A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), reflective DLL, vulnerability exists in EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20), Modicon M580 (all versions prior to V3.10), which, if exploited, could allow attackers to transfer malicious code to the controller. | 7.5 |
2020-03-23 | CVE-2020-9392 | Supsystic | Incorrect Default Permissions vulnerability in Supsystic Pricing Table BY Supsystic 1.8.0/1.8.1 An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. | 7.5 |
2020-03-23 | CVE-2020-9760 | Weechat Debian | Classic Buffer Overflow vulnerability in multiple products An issue was discovered in WeeChat before 2.7.1 (0.3.4 to 2.7 are affected). | 7.5 |
2020-03-23 | CVE-2020-10593 | Torproject Opensuse | Memory Leak vulnerability in multiple products Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 allows remote attackers to cause a Denial of Service (memory leak), aka TROVE-2020-004. | 7.5 |
2020-03-23 | CVE-2020-9752 | Naver | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Naver Cloud Explorer Naver Cloud Explorer before 2.2.2.11 allows the attacker can move a local file in any path on the filesystem as a system privilege through its named pipe. | 7.5 |
2020-03-27 | CVE-2015-8535 | Lenovo | Path Traversal vulnerability in Lenovo Solution Center MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. | 7.2 |
2020-03-27 | CVE-2015-8534 | Lenovo | Improper Privilege Management vulnerability in Lenovo Solution Center MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. | 7.2 |
2020-03-27 | CVE-2015-7334 | Lenovo | Improper Privilege Management vulnerability in Lenovo System Update 5.06.0027/5.06.0043/5.07.0008 MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. | 7.2 |
2020-03-27 | CVE-2015-7333 | Lenovo | Improper Privilege Management vulnerability in Lenovo System Update 5.06.0027/5.06.0043/5.07.0008 MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. | 7.2 |
2020-03-25 | CVE-2020-10963 | Frozennode | Unrestricted Upload of File with Dangerous Type vulnerability in Frozennode Laravel-Administrator FrozenNode Laravel-Administrator through 5.0.12 allows unrestricted file upload (and consequently Remote Code Execution) via admin/tips_image/image/file_upload image upload with PHP content within a GIF image that has the .php extension. | 7.2 |
2020-03-25 | CVE-2020-3766 | Adobe | Incorrect Default Permissions vulnerability in Adobe Genuine Integrity Service 6.4 Adobe Genuine Integrity Service versions Version 6.4 and earlier have an insecure file permissions vulnerability. | 7.2 |
2020-03-25 | CVE-2020-10649 | Asus | Improper Privilege Management vulnerability in Asus Device Activation DevActSvc.exe in ASUS Device Activation before 1.0.7.0 for Windows 10 notebooks and PCs could lead to unsigned code execution with no additional restrictions when a user puts an application at a particular path with a particular file name. | 7.2 |
2020-03-25 | CVE-2019-7630 | Gigabyte | Improper Initialization vulnerability in Gigabyte APP Center 1.05.21 An issue was discovered in gdrv.sys in Gigabyte APP Center before 19.0227.1. | 7.2 |
2020-03-24 | CVE-2020-10934 | Acyba | Unrestricted Upload of File with Dangerous Type vulnerability in Acyba Acymailing Acyba AcyMailing before 6.9.2 mishandles file uploads by admins. | 7.2 |
2020-03-23 | CVE-2020-8875 | Parallels | Out-of-bounds Write vulnerability in Parallels Desktop This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.2-47123. | 7.2 |
2020-03-23 | CVE-2019-19034 | Zohocorp | OS Command Injection vulnerability in Zohocorp Manageengine Assetexplorer 6.5 Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. | 7.2 |
2020-03-24 | CVE-2020-10684 | Redhat Debian Fedoraproject | Missing Authorization vulnerability in multiple products A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. | 7.1 |
221 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-03-27 | CVE-2015-7335 | Lenovo | Race Condition vulnerability in Lenovo System Update 5.06.0027/5.06.0043/5.07.0008 MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. | 6.9 |
2020-03-27 | CVE-2020-5860 | F5 | Inadequate Encryption Strength vulnerability in F5 products On BIG-IP 15.0.0-15.1.0.2, 14.1.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5.1, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, in a High Availability (HA) network failover in Device Service Cluster (DSC), the failover service does not require a strong form of authentication and HA network failover traffic is not encrypted by Transport Layer Security (TLS). | 6.8 |
2020-03-27 | CVE-2015-8536 | Lenovo | Cross-Site Request Forgery (CSRF) vulnerability in Lenovo Solution Center MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. | 6.8 |
2020-03-26 | CVE-2020-9066 | Huawei | Improper Authentication vulnerability in Huawei Oxfordp-An10B Firmware Huawei smartphones OxfordP-AN10B with versions earlier than 10.0.1.169(C00E166R4P1) have an improper authentication vulnerability. | 6.8 |
2020-03-26 | CVE-2020-1800 | Huawei | Incorrect Authorization vulnerability in Huawei P30 Firmware HUAWEI smartphones P30 with versions earlier than 10.0.0.185(C00E85R1P11) have an improper access control vulnerability. | 6.8 |
2020-03-25 | CVE-2020-10965 | Teradici | Insufficiently Protected Credentials vulnerability in Teradici Pcoip Management Console 19.11.1/20.01.0 Teradici PCoIP Management Console 20.01.0 and 19.11.1 is vulnerable to unauthenticated password resets via login/resetadminpassword of the default admin account. | 6.8 |
2020-03-25 | CVE-2020-6811 | Mozilla Canonical | Command Injection vulnerability in multiple products The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. | 6.8 |
2020-03-25 | CVE-2020-3790 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a memory corruption vulnerability. | 6.8 |
2020-03-25 | CVE-2020-3780 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a buffer errors vulnerability. | 6.8 |
2020-03-25 | CVE-2020-3779 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have an out-of-bounds write vulnerability. | 6.8 |
2020-03-25 | CVE-2020-3776 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a buffer errors vulnerability. | 6.8 |
2020-03-25 | CVE-2020-3774 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a buffer errors vulnerability. | 6.8 |
2020-03-25 | CVE-2020-3773 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have an out-of-bounds write vulnerability. | 6.8 |
2020-03-25 | CVE-2020-3772 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a buffer errors vulnerability. | 6.8 |
2020-03-25 | CVE-2020-3770 | Adobe | Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a buffer errors vulnerability. | 6.8 |
2020-03-25 | CVE-2020-9552 | Adobe | Out-of-bounds Write vulnerability in Adobe Bridge 10.0 Adobe Bridge versions 10.0 have a heap-based buffer overflow vulnerability. | 6.8 |
2020-03-25 | CVE-2020-9551 | Adobe | Out-of-bounds Write vulnerability in Adobe Bridge 10.0 Adobe Bridge versions 10.0 have an out-of-bounds write vulnerability. | 6.8 |
2020-03-25 | CVE-2020-3802 | Adobe | Use After Free vulnerability in Adobe Acrobat DC Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a use-after-free vulnerability. | 6.8 |
2020-03-25 | CVE-2019-19127 | Tribalgroup | Cleartext Transmission of Sensitive Information vulnerability in Tribalgroup Sits:Vision 9.7.0 An authentication bypass vulnerability is present in the standalone SITS:Vision 9.7.0 component of Tribal SITS in its default configuration, related to unencrypted communications sent by the client each time it is launched. | 6.8 |
2020-03-24 | CVE-2020-8985 | Zend | Cross-Site Request Forgery (CSRF) vulnerability in Zend Zendto ZendTo prior to 5.22-2 Beta allowed reflected XSS and CSRF via the unlock.tpl unlock user functionality. | 6.8 |
2020-03-24 | CVE-2020-7005 | Honeywell | Cross-Site Request Forgery (CSRF) vulnerability in Honeywell Win-Pak 4.7.2 In Honeywell WIN-PAK 4.7.2, Web and prior versions, the affected product is vulnerable to a cross-site request forgery, which may allow an attacker to remotely execute arbitrary code. | 6.8 |
2020-03-24 | CVE-2019-20613 | SQL Injection vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software. | 6.8 | |
2020-03-24 | CVE-2019-20568 | Use After Free vulnerability in Google Android 8.0/8.1/9.0 An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) devices (Exynos and Qualcomm chipsets) software. | 6.8 | |
2020-03-27 | CVE-2020-10817 | Custom Searchable Data Entry System Project | SQL Injection vulnerability in Custom Searchable Data Entry System Project Custom Searchable Data Entry System The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. | 6.5 |
2020-03-27 | CVE-2020-8551 | Kubernetes Fedoraproject | Allocation of Resources Without Limits or Throttling vulnerability in multiple products The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250. | 6.5 |
2020-03-27 | CVE-2020-10607 | Advantech | Out-of-bounds Write vulnerability in Advantech Webaccess In Advantech WebAccess, Versions 8.4.2 and prior. | 6.5 |
2020-03-26 | CVE-2020-8910 | Unspecified vulnerability in Google Closure Library A URL parsing issue in goog.uri of the Google Closure Library versions up to and including v20200224 allows an attacker to send malicious URLs to be parsed by the library and return the wrong authority. | 6.5 | |
2020-03-25 | CVE-2020-2164 | Jfrog | Insufficiently Protected Credentials vulnerability in Jfrog Artifactory Jenkins Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system. | 6.5 |
2020-03-24 | CVE-2020-4253 | IBM | Insufficient Session Expiration vulnerability in IBM Content Navigator 3.0.0 IBM Content Navigator 3.0CD does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. | 6.5 |
2020-03-23 | CVE-2020-8866 | Horde Debian | Unrestricted Upload of File with Dangerous Type vulnerability in multiple products This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. | 6.5 |
2020-03-23 | CVE-2019-20626 | Honda | Authentication Bypass by Capture-replay vulnerability in Honda Hr-V 2017 Firmware The remote keyless system on Honda HR-V 2017 vehicles sends the same RF signal for each door-open request, which might allow a replay attack. | 6.5 |
2020-03-23 | CVE-2020-8511 | Artica | Unrestricted Upload of File with Dangerous Type vulnerability in Artica Pandora FMS In Artica Pandora FMS through 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the File Repository component, a different issue than CVE-2020-7935 and CVE-2020-8500. | 6.5 |
2020-03-23 | CVE-2020-7935 | Artica | Unrestricted Upload of File with Dangerous Type vulnerability in Artica Pandora FMS Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager. | 6.5 |
2020-03-23 | CVE-2020-6426 | Google Suse Opensuse Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products Inappropriate implementation in V8 in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 6.5 |
2020-03-23 | CVE-2016-11022 | Netgear | OS Command Injection vulnerability in Netgear products NETGEAR Prosafe WC9500 5.1.0.17, WC7600 5.1.0.17, and WC7520 2.5.0.35 devices allow a remote attacker to execute code with root privileges via shell metacharacters in the reqMethod parameter to login_handler.php. | 6.5 |
2020-03-27 | CVE-2020-10993 | Osmand | XXE vulnerability in Osmand 2.0.0 Osmand through 2.0.0 allow XXE because of binary/BinaryMapIndexReader.java. | 6.4 |
2020-03-25 | CVE-2020-10788 | IT Novum | Use of a Broken or Risky Cryptographic Algorithm vulnerability in It-Novum Openitcockpit openITCOCKPIT before 3.7.3 uses the 1fea123e07f730f76e661bced33a94152378611e API key rather than generating a random API Key for WebSocket connections. | 6.4 |
2020-03-25 | CVE-2020-5555 | Shihonkanri Plus Goout Project | Improper Input Validation vulnerability in Shihonkanri Plus Goout Project Shihonkanri Plus Goout 1.5.8/2.2.10 Shihonkanri Plus GOOUT Ver1.5.8 and Ver2.2.10 allows remote attackers to read and write data of the files placed in the same directory where it is placed via unspecified vector due to the improper input validation issue. | 6.4 |
2020-03-25 | CVE-2020-5554 | Shihonkanri Plus Goout Project | Path Traversal vulnerability in Shihonkanri Plus Goout Project Shihonkanri Plus Goout 1.5.8/2.2.10 Directory traversal vulnerability in Shihonkanri Plus GOOUT Ver1.5.8 and Ver2.2.10 allows remote attackers to read and write arbitrary files via unspecified vectors. | 6.4 |
2020-03-24 | CVE-2020-6978 | Honeywell | Unspecified vulnerability in Honeywell Win-Pak 4.7.2 In Honeywell WIN-PAK 4.7.2, Web and prior versions, the affected product is vulnerable due to the usage of old jQuery libraries. | 6.4 |
2020-03-24 | CVE-2019-20597 | Information Exposure vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), and P(9.0) software. | 6.4 | |
2020-03-24 | CVE-2019-20596 | Google Samsung | Unspecified vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) (Exynos chipsets) software. | 6.4 |
2020-03-24 | CVE-2020-10844 | Out-of-bounds Read vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.x), and Q(10.0) software. | 6.4 | |
2020-03-24 | CVE-2020-6972 | Honeywell | Authentication Bypass by Capture-replay vulnerability in Honeywell Notifier Webserver 3.50 In Notifier Web Server (NWS) Version 3.50 and earlier, the Honeywell Fire Web Server’s authentication may be bypassed by a capture-replay attack from a web browser. | 6.4 |
2020-03-23 | CVE-2019-6560 | Auto Maskin | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Auto-Maskin products In Auto-Maskin RP210E Versions 3.7 and prior, DCU210E Versions 3.7 and prior and Marine Observer Pro (Android App), the software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. | 6.4 |
2020-03-23 | CVE-2020-8838 | Zohocorp | Improper Validation of Integrity Check Value vulnerability in Zohocorp Manageengine Assetexplorer 6.5 An issue was discovered in Zoho ManageEngine AssetExplorer 6.5. | 6.4 |
2020-03-23 | CVE-2020-8865 | Horde Debian | Path Traversal vulnerability in multiple products This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5.2.22. | 6.3 |
2020-03-25 | CVE-2020-2169 | Jenkins | Cross-site Scripting vulnerability in Jenkins Queue Cleanup 1.0/1.2/1.3 A form validation endpoint in Jenkins Queue cleanup Plugin 1.3 and earlier does not properly escape a query parameter displayed in an error message, resulting in a reflected XSS vulnerability. | 6.1 |
2020-03-24 | CVE-2020-6816 | Mozilla Fedoraproject | Cross-site Scripting vulnerability in multiple products In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False. | 6.1 |
2020-03-24 | CVE-2020-6802 | Mozilla Fedoraproject | Cross-site Scripting vulnerability in multiple products In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option. | 6.1 |
2020-03-23 | CVE-2019-15510 | Zohocorp | Cross-site Scripting vulnerability in Zohocorp Manageengine Desktop Central 10.0 ManageEngine_DesktopCentral.exe in Zoho ManageEngine Desktop Central 10 allows HTML injection on the user administration page via the description of a role. | 6.1 |
2020-03-26 | CVE-2020-4276 | IBM | Improper Privilege Management vulnerability in IBM Websphere Application Server IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. | 6.0 |
2020-03-24 | CVE-2020-10941 | ARM Fedoraproject Debian | Arm Mbed TLS before 2.16.5 allows attackers to obtain sensitive information (an RSA private key) by measuring cache usage during an import. | 5.9 |
2020-03-27 | CVE-2020-10952 | Gitlab | Incorrect Authorization vulnerability in Gitlab GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images. | 5.8 |
2020-03-25 | CVE-2020-3808 | Adobe | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Adobe Creative Cloud Creative Cloud Desktop Application versions 5.0 and earlier have a time-of-check to time-of-use (toctou) race condition vulnerability. | 5.8 |
2020-03-24 | CVE-2020-6982 | Honeywell | Injection vulnerability in Honeywell Win-Pak 4.7.2 In Honeywell WIN-PAK 4.7.2, Web and prior versions, the header injection vulnerability has been identified, which may allow remote code execution. | 5.8 |
2020-03-24 | CVE-2019-20606 | Improper Input Validation vulnerability in Google Android An issue was discovered on Samsung mobile devices with any (before May 2019) software. | 5.8 | |
2020-03-23 | CVE-2020-6650 | Eaton | Code Injection vulnerability in Eaton UPS Companion UPS companion software v1.05 & Prior is affected by ‘Eval Injection’ vulnerability. | 5.8 |
2020-03-23 | CVE-2020-10661 | Hashicorp | Unspecified vulnerability in Hashicorp Vault HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. | 5.8 |
2020-03-24 | CVE-2020-1744 | Redhat | Improper Handling of Exceptional Conditions vulnerability in Redhat Keycloak A flaw was found in keycloak before version 9.0.1. | 5.6 |
2020-03-27 | CVE-2020-7918 | Totemo | Authorization Bypass Through User-Controlled Key vulnerability in Totemo Totemomail 7.0.0 An insecure direct object reference in webmail in totemo totemomail 7.0.0 allows an authenticated remote user to read and modify mail folder names of other users via enumeration. | 5.5 |
2020-03-23 | CVE-2020-1951 | Apache Oracle Debian Canonical | Infinite Loop vulnerability in multiple products A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser in versions 1.0-1.23. | 5.5 |
2020-03-23 | CVE-2020-1950 | Apache Oracle Debian Canonical | Resource Exhaustion vulnerability in multiple products A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser in versions 1.0-1.23. | 5.5 |
2020-03-27 | CVE-2020-1771 | Otrs | Cross-site Scripting vulnerability in Otrs Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). | 5.4 |
2020-03-25 | CVE-2020-9520 | Microfocus | Cross-site Scripting vulnerability in Microfocus Vibe 4.0.2 A stored XSS vulnerability was discovered in Micro Focus Vibe, affecting all Vibe version prior to 4.0.7. | 5.4 |
2020-03-25 | CVE-2020-2170 | Jenkins | Cross-site Scripting vulnerability in Jenkins Rapiddeploy Jenkins RapidDeploy Plugin 4.2 and earlier does not escape package names in the table of packages obtained from a remote server, resulting in a stored XSS vulnerability. | 5.4 |
2020-03-25 | CVE-2020-2163 | Jenkins | Cross-site Scripting vulnerability in Jenkins Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers. | 5.4 |
2020-03-25 | CVE-2020-2162 | Jenkins | Cross-site Scripting vulnerability in Jenkins Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability. | 5.4 |
2020-03-25 | CVE-2020-2161 | Jenkins | Cross-site Scripting vulnerability in Jenkins Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels. | 5.4 |
2020-03-24 | CVE-2020-10942 | Linux Opensuse Debian Canonical | Out-of-bounds Write vulnerability in multiple products In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls. | 5.4 |
2020-03-24 | CVE-2020-10385 | Wpforms | Cross-site Scripting vulnerability in Wpforms Contact Form A stored cross-site scripting (XSS) vulnerability exists in the WPForms Contact Form (aka wpforms-lite) plugin before 1.5.9 for WordPress. | 5.4 |
2020-03-23 | CVE-2020-6425 | Google Debian Fedoraproject Opensuse | Improper Input Validation vulnerability in multiple products Insufficient policy enforcement in extensions in Google Chrome prior to 80.0.3987.149 allowed an attacker who convinced a user to install a malicious extension to bypass site isolation via a crafted Chrome Extension. | 5.4 |
2020-03-25 | CVE-2020-6812 | Mozilla Canonical | Information Exposure vulnerability in multiple products The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g. | 5.3 |
2020-03-24 | CVE-2020-9359 | KDE Debian Fedoraproject | KDE Okular before 1.10.0 allows code execution via an action link in a PDF document. | 5.3 |
2020-03-23 | CVE-2020-10871 | Openwrt | Information Exposure vulnerability in Openwrt Luci Git20.049.11521Bebfe20/Git20.078.229020Ed0D42 In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. | 5.3 |
2020-03-27 | CVE-2020-6095 | Gstreamer Project Opensuse | NULL Pointer Dereference vulnerability in multiple products An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. | 5.0 |
2020-03-27 | CVE-2020-10954 | Gitlab | Resource Exhaustion vulnerability in Gitlab GitLab through 12.9 is affected by a potential DoS in repository archive download. | 5.0 |
2020-03-27 | CVE-2020-10953 | Gitlab | Path Traversal vulnerability in Gitlab In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a path traversal issue. | 5.0 |
2020-03-27 | CVE-2020-5862 | F5 | Improper Input Validation vulnerability in F5 products On BIG-IP 15.1.0-15.1.0.1, 15.0.0-15.0.1.1, and 14.1.0-14.1.2.2, under certain conditions, TMM may crash or stop processing new traffic with the DPDK/ENA driver on AWS systems while sending traffic. | 5.0 |
2020-03-27 | CVE-2020-5861 | F5 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in F5 products On BIG-IP 12.1.0-12.1.5, the TMM process may produce a core file in some cases when Ram Cache incorrectly optimizes stored data resulting in memory errors. | 5.0 |
2020-03-27 | CVE-2020-5859 | F5 | Improper Input Validation vulnerability in F5 products On BIG-IP 15.1.0.1, specially formatted HTTP/3 messages may cause TMM to produce a core file. | 5.0 |
2020-03-27 | CVE-2020-5857 | F5 | Improper Input Validation vulnerability in F5 products On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.2, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, undisclosed HTTP behavior may lead to a denial of service. | 5.0 |
2020-03-27 | CVE-2015-7336 | Lenovo | Improper Verification of Cryptographic Signature vulnerability in Lenovo System Update 5.06.0027/5.06.0043/5.07.0008 MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. | 5.0 |
2020-03-27 | CVE-2020-10508 | SUN | Information Exposure vulnerability in SUN Ehrd 8/9 Sunnet eHRD, a human training and development management system, improperly stores system files. | 5.0 |
2020-03-26 | CVE-2019-5105 | Codesys | Out-of-bounds Write vulnerability in Codesys 3.5.13.2 An exploitable memory corruption vulnerability exists in the Name Service Client functionality of 3S-Smart Software Solutions CODESYS GatewayService. | 5.0 |
2020-03-26 | CVE-2020-5129 | Sonicwall | HTTP Request Smuggling vulnerability in Sonicwall Sma1000 Firmware A vulnerability in the SonicWall SMA1000 HTTP Extraweb server allows an unauthenticated remote attacker to cause HTTP server crash which leads to Denial of Service. | 5.0 |
2020-03-25 | CVE-2020-6813 | Mozilla | Unspecified vulnerability in Mozilla Firefox When protecting CSS blocks with the nonce feature of Content Security Policy, the @import statement in the CSS block could allow an attacker to inject arbitrary styles, bypassing the intent of the Content Security Policy. | 5.0 |
2020-03-25 | CVE-2020-6809 | Mozilla | Information Exposure vulnerability in Mozilla Firefox When a Web Extension had the all-urls permission and made a fetch request with a mode set to 'same-origin', it was possible for the Web Extension to read local files. | 5.0 |
2020-03-25 | CVE-2020-3777 | Adobe | Out-of-bounds Read vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have an out-of-bounds read vulnerability. | 5.0 |
2020-03-25 | CVE-2020-3769 | Adobe | Server-Side Request Forgery (SSRF) vulnerability in Adobe Experience Manager Adobe Experience Manager versions 6.5 and earlier have a server-side request forgery (ssrf) vulnerability. | 5.0 |
2020-03-25 | CVE-2020-3761 | Adobe | Information Exposure vulnerability in Adobe Coldfusion 2016/2018 ColdFusion versions ColdFusion 2016, and ColdFusion 2018 have a remote file read vulnerability. | 5.0 |
2020-03-25 | CVE-2020-5281 | Cesnet | Incorrect Permission Assignment for Critical Resource vulnerability in Cesnet Perun In Perun before version 3.9.1, VO or group manager can modify configuration of the LDAP extSource to retrieve all from Perun LDAP. | 5.0 |
2020-03-25 | CVE-2020-5280 | Typelevel | Path Traversal vulnerability in Typelevel Http4S http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. | 5.0 |
2020-03-25 | CVE-2020-3806 | Adobe | Out-of-bounds Read vulnerability in Adobe Acrobat DC Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have an out-of-bounds read vulnerability. | 5.0 |
2020-03-25 | CVE-2020-3804 | Adobe | Out-of-bounds Read vulnerability in Adobe Acrobat DC Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have an out-of-bounds read vulnerability. | 5.0 |
2020-03-25 | CVE-2020-3800 | Adobe | Information Exposure vulnerability in Adobe Acrobat DC Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a memory address leak vulnerability. | 5.0 |
2020-03-24 | CVE-2020-8984 | Zend | Origin Validation Error vulnerability in Zend Zendto lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta allowed IP address spoofing via the X-Forwarded-For header. | 5.0 |
2020-03-24 | CVE-2020-7001 | Moxa | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Moxa Eds-510E Firmware and Eds-G516E Firmware In Moxa EDS-G516E Series firmware, Version 5.2 or lower, the affected products use a weak cryptographic algorithm, which may allow confidential information to be disclosed. | 5.0 |
2020-03-24 | CVE-2020-6997 | Moxa | Cleartext Transmission of Sensitive Information vulnerability in Moxa Eds-510E Firmware and Eds-G516E Firmware In Moxa EDS-G516E Series firmware, Version 5.2 or lower, sensitive information is transmitted over some web applications in cleartext. | 5.0 |
2020-03-24 | CVE-2020-6991 | Moxa | Weak Password Requirements vulnerability in Moxa Eds-510E Firmware and Eds-G516E Firmware In Moxa EDS-G516E Series firmware, Version 5.2 or lower, weak password requirements may allow an attacker to gain access using brute force. | 5.0 |
2020-03-24 | CVE-2020-6979 | Moxa | Use of Hard-coded Credentials vulnerability in Moxa Eds-510E Firmware and Eds-G516E Firmware In Moxa EDS-G516E Series firmware, Version 5.2 or lower, the affected products use a hard-coded cryptographic key, increasing the possibility that confidential data can be recovered. | 5.0 |
2020-03-24 | CVE-2020-6080 | Videolabs Debian | Memory Leak vulnerability in multiple products An exploitable denial-of-service vulnerability exists in the resource allocation handling of Videolabs libmicrodns 0.1.0. | 5.0 |
2020-03-24 | CVE-2020-6079 | Videolabs Debian | Memory Leak vulnerability in multiple products An exploitable denial-of-service vulnerability exists in the resource allocation handling of Videolabs libmicrodns 0.1.0. | 5.0 |
2020-03-24 | CVE-2020-6077 | Videolabs Debian | Out-of-bounds Read vulnerability in multiple products An exploitable denial-of-service vulnerability exists in the message-parsing functionality of Videolabs libmicrodns 0.1.0. | 5.0 |
2020-03-24 | CVE-2020-6073 | Videolabs Debian | Integer Overflow or Wraparound vulnerability in multiple products An exploitable denial-of-service vulnerability exists in the TXT record-parsing functionality of Videolabs libmicrodns 0.1.0. | 5.0 |
2020-03-24 | CVE-2020-6071 | Videolabs Debian | Uncontrolled Recursion vulnerability in multiple products An exploitable denial-of-service vulnerability exists in the resource record-parsing functionality of Videolabs libmicrodns 0.1.0. | 5.0 |
2020-03-24 | CVE-2020-6993 | Moxa | Information Exposure vulnerability in Moxa products In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, an attacker can gain access to sensitive information from the web service without authorization. | 5.0 |
2020-03-24 | CVE-2019-20624 | Information Exposure vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software. | 5.0 | |
2020-03-24 | CVE-2019-20620 | Improper Authentication vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) software. | 5.0 | |
2020-03-24 | CVE-2019-20619 | Information Exposure vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) software. | 5.0 | |
2020-03-24 | CVE-2019-20618 | Improper Authentication vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) software. | 5.0 | |
2020-03-24 | CVE-2019-20617 | Information Exposure vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) software. | 5.0 | |
2020-03-24 | CVE-2019-20616 | Information Exposure vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software. | 5.0 | |
2020-03-24 | CVE-2019-20614 | Information Exposure vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. | 5.0 | |
2020-03-24 | CVE-2019-20612 | Unspecified vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) (Broadcom Wi-Fi, and SEC Wi-Fi chipsets) software. | 5.0 | |
2020-03-24 | CVE-2019-20608 | Unspecified vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. | 5.0 | |
2020-03-24 | CVE-2019-20604 | Unspecified vulnerability in Google Android 8.0/8.1 An issue was discovered on Samsung mobile devices with O(8.x) software. | 5.0 | |
2020-03-24 | CVE-2019-20603 | NULL Pointer Dereference vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.0), and P(9.0) (Qualcomm chipsets) software. | 5.0 | |
2020-03-24 | CVE-2019-20602 | NULL Pointer Dereference vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.0), and P(9.0) (Qualcomm chipsets) software. | 5.0 | |
2020-03-24 | CVE-2019-20601 | Google Samsung | Out-of-bounds Write vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos7570, 7580, 7870, 7880, and 8890 chipsets) software. | 5.0 |
2020-03-24 | CVE-2019-20599 | Improper Input Validation vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. | 5.0 | |
2020-03-24 | CVE-2019-20593 | Information Exposure vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software. | 5.0 | |
2020-03-24 | CVE-2020-6987 | Moxa | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Moxa products In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, the affected products use a weak cryptographic algorithm, which may allow confidential information to be disclosed. | 5.0 |
2020-03-24 | CVE-2020-6983 | Moxa | Use of Hard-coded Credentials vulnerability in Moxa products In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, the affected products use a hard-coded cryptographic key, which increases the possibility that confidential data can be recovered. | 5.0 |
2020-03-24 | CVE-2019-20580 | Information Exposure vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) software. | 5.0 | |
2020-03-24 | CVE-2019-20570 | Improper Input Validation vulnerability in Google Android 7.1/8.0/9.0 An issue was discovered on Samsung mobile devices with P(9.0), O(8.0), and N(7.1) software. | 5.0 | |
2020-03-24 | CVE-2019-20565 | Improper Authentication vulnerability in Google Android 8.0/8.1/9.0 An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) software. | 5.0 | |
2020-03-24 | CVE-2019-20564 | Samsung | Improper Input Validation vulnerability in Samsung Note9 and S9 An issue was discovered on Samsung mobile devices with any (before October 2019 for S9 or Note9) software. | 5.0 |
2020-03-24 | CVE-2019-20555 | Information Exposure vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x) software. | 5.0 | |
2020-03-24 | CVE-2019-20552 | Improper Input Validation vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) software. | 5.0 | |
2020-03-24 | CVE-2019-20551 | Improper Input Validation vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. | 5.0 | |
2020-03-24 | CVE-2019-20547 | Information Exposure vulnerability in Google Android 8.0/8.1/9.0 An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) software. | 5.0 | |
2020-03-24 | CVE-2020-7003 | Moxa | Cleartext Transmission of Sensitive Information vulnerability in Moxa products In Moxa ioLogik 2500 series firmware, Version 3.0 or lower, and IOxpress configuration utility, Version 2.3.0 or lower, sensitive information is transmitted over some web applications in clear text. | 5.0 |
2020-03-24 | CVE-2020-10854 | Information Exposure vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. | 5.0 | |
2020-03-24 | CVE-2020-10853 | Information Exposure vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) software. | 5.0 | |
2020-03-24 | CVE-2020-10849 | Improper Restriction of Excessive Authentication Attempts vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (Exynos7885, Exynos8895, and Exynos9810 chipsets) software. | 5.0 | |
2020-03-24 | CVE-2020-10834 | Information Exposure vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) software. | 5.0 | |
2020-03-24 | CVE-2020-10833 | Improper Authentication vulnerability in Google Android 10.0 An issue was discovered on Samsung mobile devices with Q(10.0) software. | 5.0 | |
2020-03-24 | CVE-2020-10831 | Insufficient Verification of Data Authenticity vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. | 5.0 | |
2020-03-24 | CVE-2019-20539 | Out-of-bounds Read vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Broadcom chipsets) software. | 5.0 | |
2020-03-24 | CVE-2019-20532 | Missing Authentication for Critical Function vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. | 5.0 | |
2020-03-24 | CVE-2019-18242 | Moxa | Unspecified vulnerability in Moxa products In Moxa ioLogik 2500 series firmware, Version 3.0 or lower, and IOxpress configuration utility, Version 2.3.0 or lower, frequent and multiple requests for short-term use may cause the web server to fail. | 5.0 |
2020-03-24 | CVE-2020-4309 | IBM | Information Exposure vulnerability in IBM Content Navigator 3.0.0 IBM Content Navigator 3.0CD could disclose sensitive information to an unauthenticated user which could be used to aid in further attacks against the system. | 5.0 |
2020-03-24 | CVE-2019-4553 | IBM | Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM API Connect IBM API Connect V5.0.0.0 through 5.0.8.7iFix3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 5.0 |
2020-03-24 | CVE-2020-10931 | Memcached | Classic Buffer Overflow vulnerability in Memcached 1.6.0/1.6.1 Memcached 1.6.x before 1.6.2 allows remote attackers to cause a denial of service (daemon crash) via a crafted binary protocol header to try_read_command_binary in memcached.c. | 5.0 |
2020-03-23 | CVE-2020-10875 | Zebra | Path Traversal vulnerability in Zebra Fx9500 Firmware Motorola FX9500 devices allow remote attackers to conduct absolute path traversal attacks, as demonstrated by PL/SQL Server Pages files such as /include/viewtagdb.psp. | 5.0 |
2020-03-23 | CVE-2020-8859 | PSI | NULL Pointer Dereference vulnerability in PSI Electronic Logbook 3.1.4283534D This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of ELOG Electronic Logbook 3.1.4-283534d. | 5.0 |
2020-03-23 | CVE-2020-10874 | Motorola | Information Exposure vulnerability in Motorola products Motorola FX9500 devices allow remote attackers to read database files. | 5.0 |
2020-03-23 | CVE-2019-6558 | Auto Maskin | Weak Password Requirements vulnerability in Auto-Maskin products In Auto-Maskin RP210E Versions 3.7 and prior, DCU210E Versions 3.7 and prior and Marine Observer Pro (Android App), the software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. | 5.0 |
2020-03-23 | CVE-2020-7477 | Schneider Electric | Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Quantum Ethernet Network module 140NOE771x1 (Versions 7.0 and prior), Quantum processors with integrated Ethernet – 140CPU65xxxxx (all Versions), and Premium processors with integrated Ethernet (all Versions), which could cause a Denial of Service when sending a specially crafted command over Modbus. | 5.0 |
2020-03-23 | CVE-2020-8497 | Artica | Information Exposure vulnerability in Artica Pandora FMS In Artica Pandora FMS through 7.42, an unauthenticated attacker can read the chat history. | 5.0 |
2020-03-25 | CVE-2020-5261 | Sustainsys | Authentication Bypass by Capture-replay vulnerability in Sustainsys Saml2 Saml2 Authentication services for ASP.NET (NuGet package Sustainsys.Saml2) greater than 2.0.0, and less than version 2.5.0 has a faulty implementation of Token Replay Detection. | 4.9 |
2020-03-26 | CVE-2020-5340 | EMC | Cross-site Scripting vulnerability in EMC RSA Authentication Manager RSA Authentication Manager versions prior to 8.4 P10 contain a stored cross-site scripting vulnerability in the Security Console. | 4.8 |
2020-03-26 | CVE-2020-5339 | EMC | Cross-site Scripting vulnerability in EMC RSA Authentication Manager RSA Authentication Manager versions prior to 8.4 P10 contain a stored cross-site scripting vulnerability in the Security Console. | 4.8 |
2020-03-24 | CVE-2019-20575 | Use of Password Hash With Insufficient Computational Effort vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) software. | 4.8 | |
2020-03-27 | CVE-2020-10940 | Phoenixcontact | Improper Privilege Management vulnerability in Phoenixcontact products Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service. | 4.6 |
2020-03-27 | CVE-2020-10939 | Phoenixcontact | Improper Privilege Management vulnerability in Phoenixcontact PC Worx SRT Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation. | 4.6 |
2020-03-27 | CVE-2020-5858 | F5 | Improper Privilege Management vulnerability in F5 products On BIG-IP 15.0.0-15.0.1.2, 14.1.0-14.1.2.2, 13.1.0-13.1.3.2, 12.1.0-12.1.5, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, users with non-administrator roles (for example, Guest or Resource Administrator) with tmsh shell access can execute arbitrary commands with elevated privilege via a crafted tmsh command. | 4.6 |
2020-03-24 | CVE-2019-4001 | Druva | Incorrect Default Permissions vulnerability in Druva Insync 6.5.0 Improper input validation in Druva inSync Client 6.5.0 allows a local, authenticated attacker to execute arbitrary NodeJS code. | 4.6 |
2020-03-24 | CVE-2019-20594 | Out-of-bounds Write vulnerability in Google Android 8.1/9.0 An issue was discovered on Samsung mobile devices with O(8.1) and P(9.0) (Exynos chipsets) software. | 4.6 | |
2020-03-24 | CVE-2019-20592 | SQL Injection vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. | 4.6 | |
2020-03-24 | CVE-2019-20591 | SQL Injection vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. | 4.6 | |
2020-03-24 | CVE-2019-20574 | SQL Injection vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. | 4.6 | |
2020-03-24 | CVE-2019-20573 | SQL Injection vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. | 4.6 | |
2020-03-24 | CVE-2020-10852 | Out-of-bounds Write vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. | 4.6 | |
2020-03-24 | CVE-2020-10851 | Out-of-bounds Write vulnerability in Google Android 10.0/9.0 An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. | 4.6 | |
2020-03-24 | CVE-2020-10847 | Improper Authentication vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) (Galaxy S8 and Note8) software. | 4.6 | |
2020-03-24 | CVE-2020-10842 | Out-of-bounds Write vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (S.LSI chipsets) software. | 4.6 | |
2020-03-24 | CVE-2020-10841 | Unspecified vulnerability in Google Android 10.0/9.0 An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (Exynos 9610 chipsets) software. | 4.6 | |
2020-03-24 | CVE-2020-10839 | Incorrect Authorization vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. | 4.6 | |
2020-03-24 | CVE-2020-10838 | Use After Free vulnerability in Google Android 10.0/9.0 An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. | 4.6 | |
2020-03-24 | CVE-2020-10832 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) (Exynos chipsets) software. | 4.6 | |
2020-03-24 | CVE-2020-10829 | Out-of-bounds Write vulnerability in Google Android 10.0/8.0/9.0 An issue was discovered on Samsung mobile devices with O(8.0), P(9.0), and Q(10.0) (Broadcom chipsets) software. | 4.6 | |
2020-03-24 | CVE-2019-20542 | Out-of-bounds Write vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), and P(9.0) (Exynos chipsets) software. | 4.6 | |
2020-03-24 | CVE-2019-20541 | Out-of-bounds Write vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) (Exynos chipsets) software. | 4.6 | |
2020-03-24 | CVE-2019-20538 | Out-of-bounds Write vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) software. | 4.6 | |
2020-03-23 | CVE-2020-8874 | Parallels | Integer Overflow or Wraparound vulnerability in Parallels Desktop This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.2-47123. | 4.6 |
2020-03-23 | CVE-2020-8873 | Parallels | Improper Privilege Management vulnerability in Parallels Desktop This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.2-47123. | 4.6 |
2020-03-23 | CVE-2020-8871 | Parallels | Out-of-bounds Write vulnerability in Parallels Desktop This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.0-47107 . | 4.6 |
2020-03-23 | CVE-2019-5184 | Wago | Double Free vulnerability in Wago Pfc200 Firmware 03.02.02(14) An exploitable double free vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. | 4.6 |
2020-03-25 | CVE-2020-3803 | Adobe | Uncontrolled Search Path Element vulnerability in Adobe Acrobat DC Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have an insecure library loading (dll hijacking) vulnerability. | 4.4 |
2020-03-24 | CVE-2020-10845 | Use After Free vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. | 4.4 | |
2020-03-24 | CVE-2020-10843 | Race Condition vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (S.LSI chipsets) software. | 4.4 | |
2020-03-23 | CVE-2020-7476 | Schneider Electric | Untrusted Search Path vulnerability in Schneider-Electric Ulti Zigbee Installation Toolkit A CWE-426: Untrusted Search Path vulnerability exists in ZigBee Installation Kit (Versions prior to 1.0.1), which could cause execution of malicious code when a malicious file is put in the search path. | 4.4 |
2020-03-23 | CVE-2020-7474 | Schneider Electric | Uncontrolled Search Path Element vulnerability in Schneider-Electric Pmepxm0100 Prosoft Configurator 1.002 A CWE-427: Uncontrolled Search Path Element vulnerability exists in ProSoft Configurator (v1.002 and prior), for the PMEPXM0100 (H) module, which could cause the execution of untrusted code when using double click to open a project file which may trigger execution of a malicious DLL. | 4.4 |
2020-03-23 | CVE-2019-5186 | Wago | Classic Buffer Overflow vulnerability in Wago Pfc200 Firmware 03.02.02(14) An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. | 4.4 |
2020-03-23 | CVE-2019-5185 | Wago | Classic Buffer Overflow vulnerability in Wago Pfc200 Firmware 03.02.02(14) An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. | 4.4 |
2020-03-27 | CVE-2020-8552 | Kubernetes Fedoraproject | Allocation of Resources Without Limits or Throttling vulnerability in multiple products The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests. | 4.3 |
2020-03-27 | CVE-2020-1770 | Otrs Opensuse Debian | Information Exposure vulnerability in multiple products Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. | 4.3 |
2020-03-27 | CVE-2020-1769 | Otrs Opensuse | In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. | 4.3 |
2020-03-27 | CVE-2020-10509 | SUN | Cross-site Scripting vulnerability in SUN Ehrd 8.0/9.0 Sunnet eHRD, a human training and development management system, contains vulnerability of Cross-Site Scripting (XSS), attackers can inject arbitrary command into the system and launch XSS attack. | 4.3 |
2020-03-26 | CVE-2020-8923 | Dart | Cross-site Scripting vulnerability in Dart Software Development KIT An improper HTML sanitization in Dart versions up to and including 2.7.1 and dev versions 2.8.0-dev.16.0, allows an attacker leveraging DOM Clobbering techniques to skip the sanitization and inject custom html/javascript (XSS). | 4.3 |
2020-03-25 | CVE-2020-10966 | Hestiacp Vestacp | In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name. | 4.3 |
2020-03-25 | CVE-2020-6810 | Mozilla | Authentication Bypass by Spoofing vulnerability in Mozilla Firefox After a website had entered fullscreen mode, it could have used a previously opened popup to obscure the notification that indicates the browser is in fullscreen mode. | 4.3 |
2020-03-25 | CVE-2020-6808 | Mozilla | Authentication Bypass by Spoofing vulnerability in Mozilla Firefox When a JavaScript URL (javascript:) is evaluated and the result is a string, this string is parsed to create an HTML document, which is then presented. | 4.3 |
2020-03-25 | CVE-2020-3791 | Adobe | Out-of-bounds Read vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have an out-of-bounds read vulnerability. | 4.3 |
2020-03-25 | CVE-2020-3782 | Adobe | Out-of-bounds Read vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have an out-of-bounds read vulnerability. | 4.3 |
2020-03-25 | CVE-2020-3781 | Adobe | Out-of-bounds Read vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have an out-of-bounds read vulnerability. | 4.3 |
2020-03-25 | CVE-2020-3778 | Adobe | Out-of-bounds Read vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop versions Photoshop CC 2019, and Photoshop 2020 have an out-of-bounds read vulnerability. | 4.3 |
2020-03-25 | CVE-2020-3771 | Adobe | Out-of-bounds Read vulnerability in Adobe Photoshop 2020 and Photoshop CC Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have an out-of-bounds read vulnerability. | 4.3 |
2020-03-25 | CVE-2019-20633 | GNU | Double Free vulnerability in GNU Patch GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. | 4.3 |
2020-03-25 | CVE-2020-5559 | WL ENQ Project | Cross-site Scripting vulnerability in Wl-Enq Project Wl-Enq 1.11/1.12 Cross-site scripting vulnerability in WL-Enq 1.11 and 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2020-03-25 | CVE-2020-5557 | Cutephp | Cross-site Scripting vulnerability in Cutephp Cutenews 2.0.1 Cross-site scripting vulnerability in CuteNews 2.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2020-03-25 | CVE-2020-5552 | Mailform | Cross-site Scripting vulnerability in Mailform 1.04 Cross-site scripting vulnerability in mailform version 1.04 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2020-03-24 | CVE-2019-20632 | Gpac | Release of Invalid Pointer or Reference vulnerability in Gpac An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. | 4.3 |
2020-03-24 | CVE-2019-20631 | Gpac | Release of Invalid Pointer or Reference vulnerability in Gpac An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. | 4.3 |
2020-03-24 | CVE-2019-20630 | Gpac | Out-of-bounds Read vulnerability in Gpac An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. | 4.3 |
2020-03-24 | CVE-2019-20629 | Gpac | Out-of-bounds Read vulnerability in Gpac An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. | 4.3 |
2020-03-24 | CVE-2019-20628 | Gpac | Use After Free vulnerability in Gpac An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. | 4.3 |
2020-03-24 | CVE-2019-4681 | IBM Linux Microsoft Oracle | Cross-site Scripting vulnerability in IBM Tivoli Netcool/Impact IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 is vulnerable to cross-site scripting. | 4.3 |
2020-03-23 | CVE-2020-7482 | Schneider Electric | Cross-site Scripting vulnerability in Schneider-Electric products A CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists Andover Continuum (All versions), which could cause a Reflective Cross-site Scripting (XSS attack) when using the products' web server. | 4.3 |
2020-03-23 | CVE-2020-7481 | Schneider Electric | Cross-site Scripting vulnerability in Schneider-Electric products A CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists Andover Continuum (All versions), which could enable a successful Cross-site Scripting (XSS attack) when using the products' web server. | 4.3 |
2020-03-23 | CVE-2020-10660 | Hashicorp | Incorrect Default Permissions vulnerability in Hashicorp Vault HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. | 4.3 |
2020-03-27 | CVE-2020-10955 | Gitlab Debian | Missing Authorization vulnerability in multiple products GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders. | 4.0 |
2020-03-27 | CVE-2020-10510 | SUN | Improper Input Validation vulnerability in SUN Ehrd 8/9 Sunnet eHRD, a human training and development management system, contains a vulnerability of Broken Access Control. | 4.0 |
2020-03-26 | CVE-2020-9468 | Piwigo | Improper Input Validation vulnerability in Piwigo 2.9.0 The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter. | 4.0 |
2020-03-26 | CVE-2020-7944 | Puppet | Information Exposure vulnerability in Puppet Continuous Delivery In Continuous Delivery for Puppet Enterprise (CD4PE) before 3.4.0, changes to resources or classes containing Sensitive parameters can result in the Sensitive parameters ending up in the impact analysis report. | 4.0 |
2020-03-26 | CVE-2020-6999 | Moxa | Classic Buffer Overflow vulnerability in Moxa Mds-G516E Firmware 5.2 In Moxa EDS-G516E Series firmware, Version 5.2 or lower, some of the parameters in the setting pages do not ensure text is the correct size for its buffer. | 4.0 |
2020-03-25 | CVE-2019-18626 | Harriscomputer | Information Exposure vulnerability in Harriscomputer Ormed MIS Harris Ormed Self Service before 2019.1.4 allows an authenticated user to view W-2 forms belonging to other users via an arbitrary empNo value to the ORMEDMIS/Data/PY/T4W2Service.svc/RetrieveW2EntriesForEmployee URI, thus exposing sensitive information including employee tax information, social security numbers, home addresses, and more. | 4.0 |
2020-03-25 | CVE-2020-10791 | IT Novum | Server-Side Request Forgery (SSRF) vulnerability in It-Novum Openitcockpit app/Plugin/GrafanaModule/Controller/GrafanaConfigurationController.php in openITCOCKPIT before 3.7.3 allows remote authenticated users to trigger outbound TCP requests (aka SSRF) via the Test Connection feature (aka testGrafanaConnection) of the Grafana Module. | 4.0 |
2020-03-23 | CVE-2019-19964 | Netgear | Unspecified vulnerability in Netgear Gs728Tps Firmware On NETGEAR GS728TPS devices through 5.3.0.35, a remote attacker having network connectivity to the web-administration panel can access part of the web panel, bypassing authentication. | 4.0 |
37 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-03-24 | CVE-2019-20600 | Google Samsung | Use After Free vulnerability in Google Android 8.0/9.0 An issue was discovered on Samsung mobile devices with O(8.0) and P(9.0) (Exynos8890 chipsets) software. | 3.6 |
2020-03-24 | CVE-2020-10840 | Memory Leak vulnerability in Google Android 10.0/9.0 An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (Exynos 9610 chipsets) software. | 3.6 | |
2020-03-24 | CVE-2019-20531 | Out-of-bounds Read vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) (Exynos chipsets) software. | 3.6 | |
2020-03-24 | CVE-2020-10570 | Telegram | Improper Authentication vulnerability in Telegram The Telegram application through 5.12 for Android, when Show Popup is enabled, might allow physically proximate attackers to bypass intended restrictions on message reading and message replying. | 3.6 |
2020-03-26 | CVE-2020-9467 | Piwigo | Cross-site Scripting vulnerability in Piwigo 2.10.1 Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function. | 3.5 |
2020-03-25 | CVE-2020-5277 | Prestashop | Cross-site Scripting vulnerability in Prestashop Faceted Search Module PrestaShop module ps_facetedsearch versions before 3.5.0 has a reflected XSS with `url_name` parameter. | 3.5 |
2020-03-25 | CVE-2020-10790 | IT Novum | Cross-site Scripting vulnerability in It-Novum Openitcockpit openITCOCKPIT before 3.7.3 has unnecessary files (such as Lodash files) under the web root, which leads to XSS. | 3.5 |
2020-03-24 | CVE-2019-17276 | Netapp | Cross-site Scripting vulnerability in Netapp Oncommand System Manager 9.3/9.4 OnCommand System Manager versions 9.3 prior to 9.3P18 and 9.4 prior to 9.4P2 are susceptible to a cross site scripting vulnerability that could allow an authenticated attacker to inject arbitrary scripts into the SNMP Community Names label field. | 3.5 |
2020-03-23 | CVE-2019-4718 | IBM | Cross-site Scripting vulnerability in IBM Jazz for Service Management 1.1.3.0 IBM Jazz for Service Management 3.13 is vulnerable to cross-site scripting. | 3.5 |
2020-03-24 | CVE-2019-20609 | Information Exposure vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) software. | 3.3 | |
2020-03-24 | CVE-2019-20546 | Improper Input Validation vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Broadcom Wi-Fi chipsets) software. | 3.3 | |
2020-03-26 | CVE-2019-15796 | Ubuntu Canonical Debian | Improper Verification of Cryptographic Signature vulnerability in multiple products Python-apt doesn't check if hashes are signed in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py or in `_fetch_archives()` of apt/cache.py in version 1.9.3ubuntu2 and earlier. | 2.6 |
2020-03-26 | CVE-2019-15795 | Ubuntu Canonical Debian | Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier. | 2.6 |
2020-03-26 | CVE-2020-9065 | Huawei | Use After Free vulnerability in Huawei Taurus-Al00B Firmware 10.0.0.133(C00E132R5P1)/10.0.0.41(Sp2C00E41R3P2) Huawei smart phone Taurus-AL00B with versions earlier than 10.0.0.203(C00E201R7P2) have a use-after-free (UAF) vulnerability. | 2.1 |
2020-03-24 | CVE-2019-20625 | Information Exposure vulnerability in Google Android 7.1/8.0/8.1 An issue was discovered on Samsung mobile devices with N(7.1) and O(8.x) (Exynos chipsets) software. | 2.1 | |
2020-03-24 | CVE-2019-20615 | Improper Input Validation vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software. | 2.1 | |
2020-03-24 | CVE-2019-20598 | Information Exposure vulnerability in Google Android 8.0/8.1 An issue was discovered on Samsung mobile devices with O(8.x) software. | 2.1 | |
2020-03-24 | CVE-2019-20595 | Missing Authentication for Critical Function vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) software. | 2.1 | |
2020-03-24 | CVE-2019-20579 | Information Exposure vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. | 2.1 | |
2020-03-24 | CVE-2019-20569 | Improper Input Validation vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) software. | 2.1 | |
2020-03-24 | CVE-2019-20559 | Information Exposure vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) software. | 2.1 | |
2020-03-24 | CVE-2019-20557 | Improper Input Validation vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. | 2.1 | |
2020-03-24 | CVE-2019-20554 | Improper Input Validation vulnerability in Google Android 8.0/8.1 An issue was discovered on Samsung mobile devices with O(8.x) software. | 2.1 | |
2020-03-24 | CVE-2019-20550 | Information Exposure vulnerability in Google Android 8.0/8.1 An issue was discovered on Samsung mobile devices with O(8.x) (released in China and India) software. | 2.1 | |
2020-03-24 | CVE-2020-10855 | Improper Input Validation vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) software. | 2.1 | |
2020-03-24 | CVE-2020-10830 | Information Exposure vulnerability in Google Android 10.0/9.0 An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. | 2.1 | |
2020-03-24 | CVE-2019-20543 | Unspecified vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) software. | 2.1 | |
2020-03-24 | CVE-2019-20540 | Out-of-bounds Read vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos chipsets) software. | 2.1 | |
2020-03-24 | CVE-2019-20535 | Unspecified vulnerability in Google Android 8.0/8.1/9.0 An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) software. | 2.1 | |
2020-03-24 | CVE-2019-20534 | Information Exposure vulnerability in Google Android 9.0 An issue was discovered on Samsung mobile devices with P(9.0) software. | 2.1 | |
2020-03-24 | CVE-2019-20533 | Improper Authentication vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (released in China or India) software. | 2.1 | |
2020-03-23 | CVE-2020-10870 | ZIM Wiki | Improper Input Validation vulnerability in Zim-Wiki ZIM Zim through 0.72.1 creates temporary directories with predictable names. | 2.1 |
2020-03-23 | CVE-2020-8876 | Parallels | Out-of-bounds Read vulnerability in Parallels Desktop This vulnerability allows local attackers to disclose information on affected installations of Parallels Desktop 15.1.2-47123. | 2.1 |
2020-03-23 | CVE-2020-8872 | Parallels | Out-of-bounds Read vulnerability in Parallels Desktop This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.1-47117. | 2.1 |
2020-03-24 | CVE-2019-20623 | Use of Uninitialized Resource vulnerability in Google Android An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), and P(9.0) software. | 1.9 | |
2020-03-24 | CVE-2020-10846 | Improper Input Validation vulnerability in Google Android 10.0/9.0 An issue was discovered on Samsung mobile devices with P(9.x) and Q(10.x) software. | 1.9 | |
2020-03-23 | CVE-2020-5252 | Pyup | Unspecified vulnerability in Pyup Safety The command-line "safety" package for Python has a potential security issue. | 1.9 |