Weekly Vulnerabilities Reports > March 23 to 29, 2020

Overview

423 new vulnerabilities reported during this period, including 49 critical vulnerabilities and 116 high severity vulnerabilities. This weekly summary report vulnerabilities in 472 products from 118 vendors including Google, Adobe, Debian, Fedoraproject, and Opensuse. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Information Exposure", "Improper Input Validation", "Cross-site Scripting", and "Out-of-bounds Read".

  • 335 reported vulnerabilities are remotely exploitables.
  • 2 reported vulnerabilities have public exploit available.
  • 89 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 366 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 130 reported vulnerabilities.
  • Google has the most reported critical vulnerabilities, with 19 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

49 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-03-27 CVE-2015-5684 Lenovo Classic Buffer Overflow vulnerability in Lenovo products

MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA.

10.0
2020-03-26 CVE-2020-10826 Draytek Command Injection vulnerability in Draytek products

/cgi-bin/activate.cgi on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve command injection via a remote HTTP request in DEBUG mode.

10.0
2020-03-26 CVE-2020-10245 Codesys Out-of-bounds Write vulnerability in Codesys products

CODESYS V3 web server before 3.5.15.40, as used in CODESYS Control runtime systems, has a buffer overflow.

10.0
2020-03-25 CVE-2020-10881 TP Link Out-of-bounds Write vulnerability in Tp-Link Ac1750 Firmware 190726

This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers.

10.0
2020-03-25 CVE-2020-3794 Adobe Improper Input Validation vulnerability in Adobe Coldfusion 2016/2018

ColdFusion versions ColdFusion 2016, and ColdFusion 2018 have a file inclusion vulnerability.

10.0
2020-03-25 CVE-2020-3805 Adobe Use After Free vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a use-after-free vulnerability.

10.0
2020-03-25 CVE-2020-10789 IT Novum OS Command Injection vulnerability in It-Novum Openitcockpit

openITCOCKPIT before 3.7.3 has a web-based terminal that allows attackers to execute arbitrary OS commands via shell metacharacters that are mishandled on an su command line in app/Lib/SudoMessageInterface.php.

10.0
2020-03-25 CVE-2020-5561 Keijiban Tsumiki Project OS Command Injection vulnerability in Keijiban Tsumiki Project Keijiban Tsumiki 1.15

Keijiban Tsumiki v1.15 allows remote attackers to execute arbitrary OS commands via unspecified vectors.

10.0
2020-03-25 CVE-2020-5560 WL ENQ Project OS Command Injection vulnerability in Wl-Enq Project Wl-Enq 1.11/1.12

WL-Enq 1.11 and 1.12 allows remote attackers to execute arbitrary OS commands with the administrative privilege via unspecified vectors.

10.0
2020-03-25 CVE-2020-5556 Shihonkanri Plus Goout Project OS Command Injection vulnerability in Shihonkanri Plus Goout Project Shihonkanri Plus Goout 1.5.8/2.2.10

Shihonkanri Plus GOOUT Ver1.5.8 and Ver2.2.10 allows remote attackers to execute arbitrary OS commands via unspecified vectors.

10.0
2020-03-25 CVE-2020-5553 Mailform Code Injection vulnerability in Mailform 1.04

mailform version 1.04 allows remote attackers to execute arbitrary PHP code via unspecified vectors.

10.0
2020-03-24 CVE-2020-7007 Moxa Out-of-bounds Write vulnerability in Moxa Eds-510E Firmware and Eds-G516E Firmware

In Moxa EDS-G516E Series firmware, Version 5.2 or lower, the attacker may execute arbitrary codes or target the device, causing it to go out of service.

10.0
2020-03-24 CVE-2020-6981 Moxa Use of Hard-coded Credentials vulnerability in Moxa Eds-510E Firmware and Eds-G516E Firmware

In Moxa EDS-G516E Series firmware, Version 5.2 or lower, an attacker may gain access to the system without proper authentication.

10.0
2020-03-24 CVE-2020-6985 Moxa Use of Hard-coded Credentials vulnerability in Moxa products

In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, these devices use a hard-coded service code for access to the console.

10.0
2020-03-24 CVE-2019-20622 Google Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos chipsets) software.

10.0
2020-03-24 CVE-2019-20621 Google Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos chipsets) software.

10.0
2020-03-24 CVE-2019-20611 Google Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), Go(8.1), P(9.0), and Go(9.0) (Exynos chipsets) software.

10.0
2020-03-24 CVE-2019-20607 Google
Qualcomm
Samsung
Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (MSM8996, MSM8998, Exynos7420, Exynos7870, Exynos8890, and Exynos8895 chipsets) software.

10.0
2020-03-24 CVE-2019-20605 Google Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos chipsets) software.

10.0
2020-03-24 CVE-2019-20589 Google Type Confusion vulnerability in Google Android 8.0/8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (with TEEGRIS) software.

10.0
2020-03-24 CVE-2019-20588 Google Type Confusion vulnerability in Google Android 8.0/8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (with TEEGRIS) software.

10.0
2020-03-24 CVE-2019-20587 Google Type Confusion vulnerability in Google Android 8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.1) and P(9.0) (with TEEGRIS) software.

10.0
2020-03-24 CVE-2019-20586 Google Type Confusion vulnerability in Google Android 8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.1) and P(9.0) (with TEEGRIS) software.

10.0
2020-03-24 CVE-2019-20585 Google Type Confusion vulnerability in Google Android 8.0/8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (with TEEGRIS) software.

10.0
2020-03-24 CVE-2019-20584 Google Type Confusion vulnerability in Google Android 8.0/8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (with TEEGRIS) software.

10.0
2020-03-24 CVE-2019-20583 Google Type Confusion vulnerability in Google Android 8.0/8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (with TEEGRIS) software.

10.0
2020-03-24 CVE-2019-20567 Google Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos chipsets) software.

10.0
2020-03-24 CVE-2020-10850 Google Classic Buffer Overflow vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (Exynos chipsets) software.

10.0
2020-03-24 CVE-2020-10848 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (Exynos 9810 chipsets) software.

10.0
2020-03-24 CVE-2020-10837 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 10.0/9.0

An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (with TEEGRIS) software.

10.0
2020-03-24 CVE-2020-10835 Samsung Classic Buffer Overflow vulnerability in Samsung Exynos

An issue was discovered on Samsung mobile devices with any (before February 2020 for Exynos modem chipsets) software.

10.0
2020-03-24 CVE-2019-20545 Google Classic Buffer Overflow vulnerability in Google Android 8.0/8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (Exynos chipsets) software.

10.0
2020-03-24 CVE-2019-20537 Google Out-of-bounds Write vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) (TEEGRIS and Qualcomm chipsets).

10.0
2020-03-23 CVE-2020-8868 Quest Use of Hard-coded Credentials vulnerability in Quest Foglight Evolve 9.0.0

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest Foglight Evolve 9.0.0.

10.0
2020-03-23 CVE-2020-6967 Rockwellautomation Deserialization of Untrusted Data vulnerability in Rockwellautomation Factorytalk Services Platform

In Rockwell Automation all versions of FactoryTalk Diagnostics software, a subsystem of the FactoryTalk Services Platform, FactoryTalk Diagnostics exposes a .NET Remoting endpoint via RNADiagnosticsSrv.exe at TCPtcp/8082, which can insecurely deserialize untrusted data.

10.0
2020-03-23 CVE-2020-5722 Grandstream SQL Injection vulnerability in Grandstream Ucm6200 Firmware

The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request.

10.0
2020-03-27 CVE-2020-3936 Unisoon SQL Injection vulnerability in Unisoon Ultralog Express Firmware 1.4.0

UltraLog Express device management interface does not properly filter user inputted string in some specific parameters, attackers can inject arbitrary SQL command.

9.8
2020-03-25 CVE-2020-1957 Apache
Debian
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
9.8
2020-03-24 CVE-2020-1747 Pyyaml
Fedoraproject
Opensuse
Oracle
Improper Input Validation vulnerability in multiple products

A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader.

9.8
2020-03-23 CVE-2020-1944 Apache
Debian
HTTP Request Smuggling vulnerability in multiple products

There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and Transfer-Encoding and Content length headers.

9.8
2020-03-23 CVE-2019-17565 Apache
Debian
HTTP Request Smuggling vulnerability in multiple products

There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and chunked encoding.

9.8
2020-03-23 CVE-2019-17559 Apache
Debian
HTTP Request Smuggling vulnerability in multiple products

There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and scheme parsing.

9.8
2020-03-23 CVE-2019-20627 Rbsoft XXE vulnerability in Rbsoft Autoupdater.Net

AutoUpdater.cs in AutoUpdater.NET before 1.5.8 allows XXE.

9.8
2020-03-24 CVE-2019-20610 Google
Samsung
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.X) and O(8.X) (Exynos 7570, 7870, 7880, 7885, 8890, 8895, and 9810 chipsets) software.

9.3
2020-03-23 CVE-2020-9759 LG Download of Code Without Integrity Check vulnerability in LG Webos

A Vulnerability of LG Electronic web OS TV Emulator could allow an attacker to escalate privileges and overwrite certain files.

9.3
2020-03-25 CVE-2019-7245 Techpowerup Improper Initialization vulnerability in Techpowerup Gpu-Z

An issue was discovered in GPU-Z.sys in TechPowerUp GPU-Z before 2.23.0.

9.0
2020-03-25 CVE-2019-7244 Aida64 Improper Initialization vulnerability in Aida64

An issue was discovered in kerneld.sys in AIDA64 before 5.99.

9.0
2020-03-25 CVE-2019-7240 Moo0 Improper Initialization vulnerability in Moo0 System Monitor 1.83

An issue was discovered in WinRing0x64.sys in Moo0 System Monitor 1.83.

9.0
2020-03-25 CVE-2020-5558 Cutephp Injection vulnerability in Cutephp Cutenews 2.0.1

CuteNews 2.0.1 allows remote authenticated attackers to execute arbitrary PHP code via unspecified vectors.

9.0

116 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-03-26 CVE-2020-9521 Microfocus SQL Injection vulnerability in Microfocus Service Manager Automation

An SQL injection vulnerability was discovered in Micro Focus Service Manager Automation (SMA), affecting versions 2019.08, 2019.05, 2019.02, 2018.08, 2018.05, 2018.02.

8.8
2020-03-26 CVE-2020-10969 Fasterxml
Debian
Netapp
Oracle
Deserialization of Untrusted Data vulnerability in multiple products

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.

8.8
2020-03-26 CVE-2020-10968 Fasterxml
Debian
Netapp
Oracle
Deserialization of Untrusted Data vulnerability in multiple products

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

8.8
2020-03-25 CVE-2020-6807 Mozilla
Canonical
Use After Free vulnerability in multiple products

When a device was changed while a stream was about to be destroyed, the <code>stream-reinit</code> task may have been executed after the stream was destroyed, causing a use-after-free and a potentially exploitable crash.

8.8
2020-03-25 CVE-2020-6806 Mozilla
Canonical
Out-of-bounds Read vulnerability in multiple products

By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of an array resized during script execution.

8.8
2020-03-25 CVE-2020-6805 Mozilla
Canonical
Use After Free vulnerability in multiple products

When removing data about an origin whose tab was recently closed, a use-after-free could occur in the Quota manager, resulting in a potentially exploitable crash.

8.8
2020-03-25 CVE-2020-10884 TP Link Use of Hard-coded Credentials vulnerability in Tp-Link Ac1750 Firmware 190726

This vulnerability allows network-adjacent attackers execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers.

8.8
2020-03-25 CVE-2020-10882 TP Link OS Command Injection vulnerability in Tp-Link Ac1750 Firmware 190726

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers.

8.8
2020-03-25 CVE-2020-2171 Jenkins XXE vulnerability in Jenkins Rapiddeploy

Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

8.8
2020-03-25 CVE-2020-2168 Jenkins Improper Input Validation vulnerability in Jenkins Azure Container Service

Jenkins Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

8.8
2020-03-25 CVE-2020-2167 Jenkins Improper Input Validation vulnerability in Jenkins Openshift Pipeline

Jenkins OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

8.8
2020-03-25 CVE-2020-2166 Jenkins Improper Input Validation vulnerability in Jenkins Pipeline: AWS Steps

Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

8.8
2020-03-25 CVE-2020-2160 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.

8.8
2020-03-23 CVE-2020-6449 Google
Debian
Fedoraproject
Suse
Opensuse
Use After Free vulnerability in multiple products

Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2020-03-23 CVE-2020-6429 Google
Debian
Fedoraproject
Suse
Opensuse
Out-of-bounds Write vulnerability in multiple products

Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2020-03-23 CVE-2020-6428 Google
Suse
Opensuse
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2020-03-23 CVE-2020-6427 Google
Debian
Fedoraproject
Suse
Opensuse
Out-of-bounds Write vulnerability in multiple products

Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2020-03-23 CVE-2020-6424 Google
Debian
Fedoraproject
Suse
Opensuse
Use After Free vulnerability in multiple products

Use after free in media in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2020-03-23 CVE-2020-6422 Google
Fedoraproject
Debian
Suse
Opensuse
Out-of-bounds Write vulnerability in multiple products

Use after free in WebGL in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2020-03-23 CVE-2020-6420 Google
Debian
Fedoraproject
Insufficient policy enforcement in media in Google Chrome prior to 80.0.3987.132 allowed a remote attacker to bypass same origin policy via a crafted HTML page.
8.8
2020-03-23 CVE-2020-10793 Codeigniter Improper Privilege Management vulnerability in Codeigniter

CodeIgniter through 4.0.0 allows remote attackers to gain privileges via a modified Email ID to the "Select Role of the User" page.

8.8
2020-03-26 CVE-2020-1764 Kiali
Redhat
Use of Hard-coded Credentials vulnerability in multiple products

A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1.

8.6
2020-03-23 CVE-2020-8864 Dlink Incorrect Comparison vulnerability in Dlink products

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-867, DIR-878, and DIR-882 routers with firmware 1.10B04.

8.3
2020-03-23 CVE-2020-8863 Dlink Improper Authentication vulnerability in Dlink products

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-867, DIR-878, and DIR-882 routers with firmware 1.10B04.

8.3
2020-03-27 CVE-2020-1773 Otrs Insufficient Entropy vulnerability in Otrs

An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords.

8.1
2020-03-27 CVE-2020-3920 Unisoon Missing Authentication for Critical Function vulnerability in Unisoon Ultralog Express Firmware 1.4.0

UltraLog Express device management interface does not properly perform access authentication in some specific pages/functions.

8.1
2020-03-26 CVE-2020-7260 Mcafee Untrusted Search Path vulnerability in Mcafee Application and Change Control

DLL Side Loading vulnerability in the installer for McAfee Application and Change Control (MACC) prior to 8.3 allows local users to execute arbitrary code via execution from a compromised folder.

7.8
2020-03-25 CVE-2020-10883 TP Link Incorrect Permission Assignment for Critical Resource vulnerability in Tp-Link Ac1750 Firmware 190726

This vulnerability allows local attackers to escalate privileges on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers.

7.8
2020-03-25 CVE-2020-9375 TP Link Missing Release of Resource after Effective Lifetime vulnerability in Tp-Link Archer C50 Build170822/Build171227/Build200318

TP-Link Archer C50 V3 devices before Build 200318 Rel.

7.8
2020-03-24 CVE-2019-20577 Google Unspecified vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) (Exynos chipsets) software.

7.8
2020-03-23 CVE-2020-7479 Schneider Electric Missing Authentication for Critical Function vulnerability in Schneider-Electric Interactive Graphical Scada System 14.0/14.0.0.19120

A CWE-306: Missing Authentication for Critical Function vulnerability exists in IGSS (Versions 14 and prior using the service: IGSSupdate), which could allow a local user to execute processes that otherwise require escalation privileges when sending local network commands to the IGSS Update Service.

7.8
2020-03-23 CVE-2020-10364 Mikrotik Resource Exhaustion vulnerability in Mikrotik Routeros

The SSH daemon on MikroTik routers through v6.44.3 could allow remote attackers to generate CPU activity, trigger refusal of new authorized connections, and cause a reboot via connect and write system calls, because of uncontrolled resource management.

7.8
2020-03-23 CVE-2020-10592 Torproject
Opensuse
Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 allows remote attackers to cause a Denial of Service (CPU consumption), aka TROVE-2020-002.
7.8
2020-03-27 CVE-2020-10956 Gitlab Server-Side Request Forgery (SSRF) vulnerability in Gitlab

GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a project import note feature.

7.5
2020-03-27 CVE-2020-5863 F5
Netapp
In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts.
7.5
2020-03-27 CVE-2020-1772 Otrs
Opensuse
Debian
It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords.
7.5
2020-03-27 CVE-2020-3921 Unisoon Cleartext Storage of Sensitive Information vulnerability in Unisoon Ultralog Express Firmware 1.4.0

UltraLog Express device management software stores user’s information in cleartext.

7.5
2020-03-27 CVE-2020-10992 Azkaban Project XXE vulnerability in Azkaban Project Azkaban

Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorManager.java and user/XmlUserManager.java.

7.5
2020-03-27 CVE-2020-10991 Mulesoft XXE vulnerability in Mulesoft Aplkit

Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java

7.5
2020-03-27 CVE-2020-10990 Accenture XXE vulnerability in Accenture Mercury

An XXE issue exists in Accenture Mercury before 1.12.28 because of the platformlambda/core/serializers/SimpleXmlParser.java component.

7.5
2020-03-26 CVE-2020-10828 Draytek Out-of-bounds Write vulnerability in Draytek products

A stack-based buffer overflow in cvmd on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve code execution via a remote HTTP request.

7.5
2020-03-26 CVE-2020-10827 Draytek Out-of-bounds Write vulnerability in Draytek products

A stack-based buffer overflow in apmd on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve code execution via a remote HTTP request.

7.5
2020-03-26 CVE-2020-10825 Draytek Out-of-bounds Write vulnerability in Draytek products

A stack-based buffer overflow in /cgi-bin/activate.cgi while base64 decoding ticket parameter on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve code execution via a remote HTTP request (issue 3 of 3).

7.5
2020-03-26 CVE-2020-10824 Draytek Out-of-bounds Write vulnerability in Draytek products

A stack-based buffer overflow in /cgi-bin/activate.cgi through ticket parameter on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve code execution via a remote HTTP request (issue 2 of 3).

7.5
2020-03-26 CVE-2020-10823 Draytek Out-of-bounds Write vulnerability in Draytek products

A stack-based buffer overflow in /cgi-bin/activate.cgi through var parameter on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve code execution via a remote HTTP request (issue 1 of 3).

7.5
2020-03-25 CVE-2020-6815 Mozilla Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mozilla Firefox

Mozilla developers reported memory safety and script safety bugs present in Firefox 73.

7.5
2020-03-25 CVE-2020-6814 Mozilla
Canonical
Out-of-bounds Write vulnerability in multiple products

Mozilla developers reported memory safety bugs present in Firefox and Thunderbird 68.5.

7.5
2020-03-25 CVE-2020-10964 S9Y Unrestricted Upload of File with Dangerous Type vulnerability in S9Y Serendipity

Serendipity before 2.3.4 on Windows allows remote attackers to execute arbitrary code because the filename of a renamed file may end with a dot.

7.5
2020-03-25 CVE-2020-3789 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a memory corruption vulnerability.

7.5
2020-03-25 CVE-2020-3788 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a memory corruption vulnerability.

7.5
2020-03-25 CVE-2020-3787 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a memory corruption vulnerability.

7.5
2020-03-25 CVE-2020-3786 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a memory corruption vulnerability.

7.5
2020-03-25 CVE-2020-3785 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a memory corruption vulnerability.

7.5
2020-03-25 CVE-2020-3784 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a memory corruption vulnerability.

7.5
2020-03-25 CVE-2020-3783 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a heap corruption vulnerability.

7.5
2020-03-25 CVE-2020-3775 Adobe Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a buffer errors vulnerability.

7.5
2020-03-25 CVE-2020-10888 TP Link Improper Authentication vulnerability in Tp-Link Ac1750 Firmware 190726

This vulnerability allows remote attackers to bypass authentication on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers.

7.5
2020-03-25 CVE-2020-10887 TP Link Unspecified vulnerability in Tp-Link Ac1750 Firmware 190726

This vulnerability allows a firewall bypass on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers.

7.5
2020-03-25 CVE-2020-10886 TP Link OS Command Injection vulnerability in Tp-Link Ac1750 Firmware 190726

This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers.

7.5
2020-03-25 CVE-2020-10885 TP Link Improper Input Validation vulnerability in Tp-Link Ac1750 Firmware 190726

This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers.

7.5
2020-03-25 CVE-2020-5282 Nick Chan BOT Project OS Command Injection vulnerability in Nick Chan BOT Project Nick Chan BOT 1.0.0

In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in the `npm` command which is part of this software package.

7.5
2020-03-25 CVE-2020-3807 Adobe Classic Buffer Overflow vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a buffer overflow vulnerability.

7.5
2020-03-25 CVE-2020-3801 Adobe Use After Free vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a use-after-free vulnerability.

7.5
2020-03-25 CVE-2020-2165 Jfrog Insufficiently Protected Credentials vulnerability in Jfrog Artifactory

Jenkins Artifactory Plugin 3.6.0 and earlier transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

7.5
2020-03-25 CVE-2020-3799 Adobe Out-of-bounds Write vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a stack-based buffer overflow vulnerability.

7.5
2020-03-25 CVE-2020-3797 Adobe Out-of-bounds Write vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a memory corruption vulnerability.

7.5
2020-03-25 CVE-2020-3795 Adobe Out-of-bounds Write vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have an out-of-bounds write vulnerability.

7.5
2020-03-25 CVE-2020-3793 Adobe Use After Free vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a use-after-free vulnerability.

7.5
2020-03-25 CVE-2020-3792 Adobe Use After Free vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a use-after-free vulnerability.

7.5
2020-03-24 CVE-2020-8986 Zend Improper Check for Unusual or Exceptional Conditions vulnerability in Zend Zendto

lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta failed to properly check for equality when validating the session cookie, allowing an attacker to gain administrative access with a large number of requests.

7.5
2020-03-24 CVE-2020-6078 Videolabs
Debian
Unchecked Return Value vulnerability in multiple products

An exploitable denial-of-service vulnerability exists in the message-parsing functionality of Videolabs libmicrodns 0.1.0.

7.5
2020-03-24 CVE-2020-6072 Videolabs
Debian
Double Free vulnerability in multiple products

An exploitable code execution vulnerability exists in the label-parsing functionality of Videolabs libmicrodns 0.1.0.

7.5
2020-03-24 CVE-2020-6995 Moxa Weak Password Requirements vulnerability in Moxa products

In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, the application utilizes weak password requirements, which may allow an attacker to gain unauthorized access.

7.5
2020-03-24 CVE-2019-20590 Google
Qualcomm
Integer Underflow (Wrap or Wraparound) vulnerability in Google Android 8.0/8.1

An issue was discovered on Samsung mobile devices with O(8.x) (Qualcomm chipsets) software.

7.5
2020-03-24 CVE-2019-20576 Google SQL Injection vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) software.

7.5
2020-03-24 CVE-2020-6989 Moxa Out-of-bounds Write vulnerability in Moxa products

In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, a buffer overflow in the web server allows remote attackers to cause a denial-of-service condition or execute arbitrary code.

7.5
2020-03-24 CVE-2019-20582 Google
Samsung
Use After Free vulnerability in Google Android 8.0/8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) devices (Exynos9810 chipsets) software.

7.5
2020-03-24 CVE-2019-20581 Google Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos chipsets) software.

7.5
2020-03-24 CVE-2019-20578 Google
Samsung
Classic Buffer Overflow vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) (Exynos 9820 chipsets) software.

7.5
2020-03-24 CVE-2019-20572 Google
Samsung
Classic Buffer Overflow vulnerability in Google Android 8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.1) and P(9.0) (Exynos chipsets) software.

7.5
2020-03-24 CVE-2019-20571 Google Type Confusion vulnerability in Google Android 8.0/8.1

An issue was discovered on Samsung mobile devices with O(8.x) (with TEEGRIS) software.

7.5
2020-03-24 CVE-2019-20566 Samsung Out-of-bounds Write vulnerability in Samsung Exynos Smp1300

An issue was discovered on Samsung mobile devices with any (before September 2019 for SMP1300 Exynos modem chipsets) software.

7.5
2020-03-24 CVE-2019-20563 Google Out-of-bounds Write vulnerability in Google Android 8.0/8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (with TEEGRIS) software.

7.5
2020-03-24 CVE-2019-20562 Google Classic Buffer Overflow vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) (with TEEGRIS) software.

7.5
2020-03-24 CVE-2019-20561 Google Integer Overflow or Wraparound vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos chipsets) software.

7.5
2020-03-24 CVE-2019-20560 Google Out-of-bounds Write vulnerability in Google Android 8.0/8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (with TEEGRIS) software.

7.5
2020-03-24 CVE-2019-20558 Google
Samsung
Classic Buffer Overflow vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos chipsets) software.

7.5
2020-03-24 CVE-2019-20556 Google
Qualcomm
Samsung
Out-of-bounds Write vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) (SM6150, SM8150, SM8150_FUSION, exynos7885, exynos9610, and exynos9820 chipsets) software.

7.5
2020-03-24 CVE-2019-20553 Google
Qualcomm
Samsung
Unspecified vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) (SM6150, SM8150, SM8150_FUSION, exynos7885, exynos9610, and exynos9820 chipsets) software.

7.5
2020-03-24 CVE-2019-20549 Google
Broadcom
Out-of-bounds Read vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Broadcom chipsets) software.

7.5
2020-03-24 CVE-2019-20548 Google Classic Buffer Overflow vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) devices (Qualcomm chipsets) software.

7.5
2020-03-24 CVE-2020-10836 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (Exynos chipsets) software.

7.5
2020-03-24 CVE-2019-20544 Google Out-of-bounds Write vulnerability in Google Android 8.0/8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (Exynos chipsets) software.

7.5
2020-03-24 CVE-2019-20536 Google Incorrect Default Permissions vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), and P(9.0) (released in China) software.

7.5
2020-03-24 CVE-2019-20530 Google Code Injection vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), P(9.0), and Q(10.0) software.

7.5
2020-03-24 CVE-2020-10938 Graphicsmagick
Debian
Opensuse
Integer Overflow or Wraparound vulnerability in multiple products

GraphicsMagick before 1.3.35 has an integer overflow and resultant heap-based buffer overflow in HuffmanDecodeImage in magick/compress.c.

7.5
2020-03-23 CVE-2020-10879 Rconfig Injection vulnerability in Rconfig

rConfig before 3.9.5 allows command injection by sending a crafted GET request to lib/crud/search.crud.php since the nodeId parameter is passed directly to the exec function without being escaped.

7.5
2020-03-23 CVE-2020-7480 Schneider Electric Code Injection vulnerability in Schneider-Electric products

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists in Andover Continuum (All versions), which could cause files on the application server filesystem to be viewable when an attacker interferes with an application's processing of XML data.

7.5
2020-03-23 CVE-2020-7478 Schneider Electric Path Traversal vulnerability in Schneider-Electric Interactive Graphical Scada System 14.0/14.0.0.19120

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory exists in IGSS (Versions 14 and prior using the service: IGSSupdate), which could allow a remote unauthenticated attacker to read arbitrary files from the IGSS server PC on an unrestricted or shared network when the IGSS Update Service is enabled.

7.5
2020-03-23 CVE-2020-7475 Schneider Electric Injection vulnerability in Schneider-Electric products

A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), reflective DLL, vulnerability exists in EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20), Modicon M580 (all versions prior to V3.10), which, if exploited, could allow attackers to transfer malicious code to the controller.

7.5
2020-03-23 CVE-2020-9392 Supsystic Incorrect Default Permissions vulnerability in Supsystic Pricing Table BY Supsystic 1.8.0/1.8.1

An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress.

7.5
2020-03-23 CVE-2020-9760 Weechat
Debian
Classic Buffer Overflow vulnerability in multiple products

An issue was discovered in WeeChat before 2.7.1 (0.3.4 to 2.7 are affected).

7.5
2020-03-23 CVE-2020-10593 Torproject
Opensuse
Memory Leak vulnerability in multiple products

Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 allows remote attackers to cause a Denial of Service (memory leak), aka TROVE-2020-004.

7.5
2020-03-23 CVE-2020-9752 Naver Externally Controlled Reference to a Resource in Another Sphere vulnerability in Naver Cloud Explorer

Naver Cloud Explorer before 2.2.2.11 allows the attacker can move a local file in any path on the filesystem as a system privilege through its named pipe.

7.5
2020-03-27 CVE-2015-8535 Lenovo Path Traversal vulnerability in Lenovo Solution Center

MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA.

7.2
2020-03-27 CVE-2015-8534 Lenovo Improper Privilege Management vulnerability in Lenovo Solution Center

MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA.

7.2
2020-03-27 CVE-2015-7334 Lenovo Improper Privilege Management vulnerability in Lenovo System Update 5.06.0027/5.06.0043/5.07.0008

MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA.

7.2
2020-03-27 CVE-2015-7333 Lenovo Improper Privilege Management vulnerability in Lenovo System Update 5.06.0027/5.06.0043/5.07.0008

MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA.

7.2
2020-03-25 CVE-2020-10963 Frozennode Unrestricted Upload of File with Dangerous Type vulnerability in Frozennode Laravel-Administrator

FrozenNode Laravel-Administrator through 5.0.12 allows unrestricted file upload (and consequently Remote Code Execution) via admin/tips_image/image/file_upload image upload with PHP content within a GIF image that has the .php extension.

7.2
2020-03-25 CVE-2020-3766 Adobe Incorrect Default Permissions vulnerability in Adobe Genuine Integrity Service 6.4

Adobe Genuine Integrity Service versions Version 6.4 and earlier have an insecure file permissions vulnerability.

7.2
2020-03-25 CVE-2020-10649 Asus Improper Privilege Management vulnerability in Asus Device Activation

DevActSvc.exe in ASUS Device Activation before 1.0.7.0 for Windows 10 notebooks and PCs could lead to unsigned code execution with no additional restrictions when a user puts an application at a particular path with a particular file name.

7.2
2020-03-25 CVE-2019-7630 Gigabyte Improper Initialization vulnerability in Gigabyte APP Center 1.05.21

An issue was discovered in gdrv.sys in Gigabyte APP Center before 19.0227.1.

7.2
2020-03-24 CVE-2020-10934 Acyba Unrestricted Upload of File with Dangerous Type vulnerability in Acyba Acymailing

Acyba AcyMailing before 6.9.2 mishandles file uploads by admins.

7.2
2020-03-23 CVE-2020-8875 Parallels Out-of-bounds Write vulnerability in Parallels Desktop

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.2-47123.

7.2
2020-03-23 CVE-2019-19034 Zohocorp OS Command Injection vulnerability in Zohocorp Manageengine Assetexplorer 6.5

Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM.

7.2
2020-03-24 CVE-2020-10684 Redhat
Debian
Fedoraproject
Missing Authorization vulnerability in multiple products

A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean.

7.1

221 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-03-27 CVE-2015-7335 Lenovo Race Condition vulnerability in Lenovo System Update 5.06.0027/5.06.0043/5.07.0008

MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA.

6.9
2020-03-27 CVE-2020-5860 F5 Inadequate Encryption Strength vulnerability in F5 products

On BIG-IP 15.0.0-15.1.0.2, 14.1.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5.1, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, in a High Availability (HA) network failover in Device Service Cluster (DSC), the failover service does not require a strong form of authentication and HA network failover traffic is not encrypted by Transport Layer Security (TLS).

6.8
2020-03-27 CVE-2015-8536 Lenovo Cross-Site Request Forgery (CSRF) vulnerability in Lenovo Solution Center

MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA.

6.8
2020-03-26 CVE-2020-9066 Huawei Improper Authentication vulnerability in Huawei Oxfordp-An10B Firmware

Huawei smartphones OxfordP-AN10B with versions earlier than 10.0.1.169(C00E166R4P1) have an improper authentication vulnerability.

6.8
2020-03-26 CVE-2020-1800 Huawei Incorrect Authorization vulnerability in Huawei P30 Firmware

HUAWEI smartphones P30 with versions earlier than 10.0.0.185(C00E85R1P11) have an improper access control vulnerability.

6.8
2020-03-25 CVE-2020-10965 Teradici Insufficiently Protected Credentials vulnerability in Teradici Pcoip Management Console 19.11.1/20.01.0

Teradici PCoIP Management Console 20.01.0 and 19.11.1 is vulnerable to unauthenticated password resets via login/resetadminpassword of the default admin account.

6.8
2020-03-25 CVE-2020-6811 Mozilla
Canonical
Command Injection vulnerability in multiple products

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website.

6.8
2020-03-25 CVE-2020-3790 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a memory corruption vulnerability.

6.8
2020-03-25 CVE-2020-3780 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a buffer errors vulnerability.

6.8
2020-03-25 CVE-2020-3779 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have an out-of-bounds write vulnerability.

6.8
2020-03-25 CVE-2020-3776 Adobe Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a buffer errors vulnerability.

6.8
2020-03-25 CVE-2020-3774 Adobe Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a buffer errors vulnerability.

6.8
2020-03-25 CVE-2020-3773 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have an out-of-bounds write vulnerability.

6.8
2020-03-25 CVE-2020-3772 Adobe Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a buffer errors vulnerability.

6.8
2020-03-25 CVE-2020-3770 Adobe Out-of-bounds Write vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have a buffer errors vulnerability.

6.8
2020-03-25 CVE-2020-9552 Adobe Out-of-bounds Write vulnerability in Adobe Bridge 10.0

Adobe Bridge versions 10.0 have a heap-based buffer overflow vulnerability.

6.8
2020-03-25 CVE-2020-9551 Adobe Out-of-bounds Write vulnerability in Adobe Bridge 10.0

Adobe Bridge versions 10.0 have an out-of-bounds write vulnerability.

6.8
2020-03-25 CVE-2020-3802 Adobe Use After Free vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a use-after-free vulnerability.

6.8
2020-03-25 CVE-2019-19127 Tribalgroup Cleartext Transmission of Sensitive Information vulnerability in Tribalgroup Sits:Vision 9.7.0

An authentication bypass vulnerability is present in the standalone SITS:Vision 9.7.0 component of Tribal SITS in its default configuration, related to unencrypted communications sent by the client each time it is launched.

6.8
2020-03-24 CVE-2020-8985 Zend Cross-Site Request Forgery (CSRF) vulnerability in Zend Zendto

ZendTo prior to 5.22-2 Beta allowed reflected XSS and CSRF via the unlock.tpl unlock user functionality.

6.8
2020-03-24 CVE-2020-7005 Honeywell Cross-Site Request Forgery (CSRF) vulnerability in Honeywell Win-Pak 4.7.2

In Honeywell WIN-PAK 4.7.2, Web and prior versions, the affected product is vulnerable to a cross-site request forgery, which may allow an attacker to remotely execute arbitrary code.

6.8
2020-03-24 CVE-2019-20613 Google SQL Injection vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software.

6.8
2020-03-24 CVE-2019-20568 Google Use After Free vulnerability in Google Android 8.0/8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) devices (Exynos and Qualcomm chipsets) software.

6.8
2020-03-27 CVE-2020-10817 Custom Searchable Data Entry System Project SQL Injection vulnerability in Custom Searchable Data Entry System Project Custom Searchable Data Entry System

The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection.

6.5
2020-03-27 CVE-2020-8551 Kubernetes
Fedoraproject
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.

6.5
2020-03-27 CVE-2020-10607 Advantech Out-of-bounds Write vulnerability in Advantech Webaccess

In Advantech WebAccess, Versions 8.4.2 and prior.

6.5
2020-03-26 CVE-2020-8910 Google Unspecified vulnerability in Google Closure Library

A URL parsing issue in goog.uri of the Google Closure Library versions up to and including v20200224 allows an attacker to send malicious URLs to be parsed by the library and return the wrong authority.

6.5
2020-03-25 CVE-2020-2164 Jfrog Insufficiently Protected Credentials vulnerability in Jfrog Artifactory

Jenkins Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

6.5
2020-03-24 CVE-2020-4253 IBM Insufficient Session Expiration vulnerability in IBM Content Navigator 3.0.0

IBM Content Navigator 3.0CD does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.

6.5
2020-03-23 CVE-2020-8866 Horde
Debian
Unrestricted Upload of File with Dangerous Type vulnerability in multiple products

This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22.

6.5
2020-03-23 CVE-2019-20626 Honda Authentication Bypass by Capture-replay vulnerability in Honda Hr-V 2017 Firmware

The remote keyless system on Honda HR-V 2017 vehicles sends the same RF signal for each door-open request, which might allow a replay attack.

6.5
2020-03-23 CVE-2020-8511 Artica Unrestricted Upload of File with Dangerous Type vulnerability in Artica Pandora FMS

In Artica Pandora FMS through 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the File Repository component, a different issue than CVE-2020-7935 and CVE-2020-8500.

6.5
2020-03-23 CVE-2020-7935 Artica Unrestricted Upload of File with Dangerous Type vulnerability in Artica Pandora FMS

Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager.

6.5
2020-03-23 CVE-2020-6426 Google
Suse
Opensuse
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

Inappropriate implementation in V8 in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.5
2020-03-23 CVE-2016-11022 Netgear OS Command Injection vulnerability in Netgear products

NETGEAR Prosafe WC9500 5.1.0.17, WC7600 5.1.0.17, and WC7520 2.5.0.35 devices allow a remote attacker to execute code with root privileges via shell metacharacters in the reqMethod parameter to login_handler.php.

6.5
2020-03-27 CVE-2020-10993 Osmand XXE vulnerability in Osmand 2.0.0

Osmand through 2.0.0 allow XXE because of binary/BinaryMapIndexReader.java.

6.4
2020-03-25 CVE-2020-10788 IT Novum Use of a Broken or Risky Cryptographic Algorithm vulnerability in It-Novum Openitcockpit

openITCOCKPIT before 3.7.3 uses the 1fea123e07f730f76e661bced33a94152378611e API key rather than generating a random API Key for WebSocket connections.

6.4
2020-03-25 CVE-2020-5555 Shihonkanri Plus Goout Project Improper Input Validation vulnerability in Shihonkanri Plus Goout Project Shihonkanri Plus Goout 1.5.8/2.2.10

Shihonkanri Plus GOOUT Ver1.5.8 and Ver2.2.10 allows remote attackers to read and write data of the files placed in the same directory where it is placed via unspecified vector due to the improper input validation issue.

6.4
2020-03-25 CVE-2020-5554 Shihonkanri Plus Goout Project Path Traversal vulnerability in Shihonkanri Plus Goout Project Shihonkanri Plus Goout 1.5.8/2.2.10

Directory traversal vulnerability in Shihonkanri Plus GOOUT Ver1.5.8 and Ver2.2.10 allows remote attackers to read and write arbitrary files via unspecified vectors.

6.4
2020-03-24 CVE-2020-6978 Honeywell Unspecified vulnerability in Honeywell Win-Pak 4.7.2

In Honeywell WIN-PAK 4.7.2, Web and prior versions, the affected product is vulnerable due to the usage of old jQuery libraries.

6.4
2020-03-24 CVE-2019-20597 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), and P(9.0) software.

6.4
2020-03-24 CVE-2019-20596 Google
Samsung
Unspecified vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) (Exynos chipsets) software.

6.4
2020-03-24 CVE-2020-10844 Google Out-of-bounds Read vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.x), and Q(10.0) software.

6.4
2020-03-24 CVE-2020-6972 Honeywell Authentication Bypass by Capture-replay vulnerability in Honeywell Notifier Webserver 3.50

In Notifier Web Server (NWS) Version 3.50 and earlier, the Honeywell Fire Web Server’s authentication may be bypassed by a capture-replay attack from a web browser.

6.4
2020-03-23 CVE-2019-6560 Auto Maskin Weak Password Recovery Mechanism for Forgotten Password vulnerability in Auto-Maskin products

In Auto-Maskin RP210E Versions 3.7 and prior, DCU210E Versions 3.7 and prior and Marine Observer Pro (Android App), the software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

6.4
2020-03-23 CVE-2020-8838 Zohocorp Improper Validation of Integrity Check Value vulnerability in Zohocorp Manageengine Assetexplorer 6.5

An issue was discovered in Zoho ManageEngine AssetExplorer 6.5.

6.4
2020-03-23 CVE-2020-8865 Horde
Debian
Path Traversal vulnerability in multiple products

This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5.2.22.

6.3
2020-03-25 CVE-2020-2169 Jenkins Cross-site Scripting vulnerability in Jenkins Queue Cleanup 1.0/1.2/1.3

A form validation endpoint in Jenkins Queue cleanup Plugin 1.3 and earlier does not properly escape a query parameter displayed in an error message, resulting in a reflected XSS vulnerability.

6.1
2020-03-24 CVE-2020-6816 Mozilla
Fedoraproject
Cross-site Scripting vulnerability in multiple products

In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are whitelisted and the keyword argument strip=False.

6.1
2020-03-24 CVE-2020-6802 Mozilla
Fedoraproject
Cross-site Scripting vulnerability in multiple products

In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.

6.1
2020-03-23 CVE-2019-15510 Zohocorp Cross-site Scripting vulnerability in Zohocorp Manageengine Desktop Central 10.0

ManageEngine_DesktopCentral.exe in Zoho ManageEngine Desktop Central 10 allows HTML injection on the user administration page via the description of a role.

6.1
2020-03-26 CVE-2020-4276 IBM Improper Privilege Management vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector.

6.0
2020-03-24 CVE-2020-10941 ARM
Fedoraproject
Debian
Arm Mbed TLS before 2.16.5 allows attackers to obtain sensitive information (an RSA private key) by measuring cache usage during an import.
5.9
2020-03-27 CVE-2020-10952 Gitlab Incorrect Authorization vulnerability in Gitlab

GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.

5.8
2020-03-25 CVE-2020-3808 Adobe Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Adobe Creative Cloud

Creative Cloud Desktop Application versions 5.0 and earlier have a time-of-check to time-of-use (toctou) race condition vulnerability.

5.8
2020-03-24 CVE-2020-6982 Honeywell Injection vulnerability in Honeywell Win-Pak 4.7.2

In Honeywell WIN-PAK 4.7.2, Web and prior versions, the header injection vulnerability has been identified, which may allow remote code execution.

5.8
2020-03-24 CVE-2019-20606 Google Improper Input Validation vulnerability in Google Android

An issue was discovered on Samsung mobile devices with any (before May 2019) software.

5.8
2020-03-23 CVE-2020-6650 Eaton Code Injection vulnerability in Eaton UPS Companion

UPS companion software v1.05 & Prior is affected by ‘Eval Injection’ vulnerability.

5.8
2020-03-23 CVE-2020-10661 Hashicorp Unspecified vulnerability in Hashicorp Vault

HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact.

5.8
2020-03-24 CVE-2020-1744 Redhat Improper Handling of Exceptional Conditions vulnerability in Redhat Keycloak

A flaw was found in keycloak before version 9.0.1.

5.6
2020-03-27 CVE-2020-7918 Totemo Authorization Bypass Through User-Controlled Key vulnerability in Totemo Totemomail 7.0.0

An insecure direct object reference in webmail in totemo totemomail 7.0.0 allows an authenticated remote user to read and modify mail folder names of other users via enumeration.

5.5
2020-03-23 CVE-2020-1951 Apache
Oracle
Debian
Canonical
Infinite Loop vulnerability in multiple products

A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser in versions 1.0-1.23.

5.5
2020-03-23 CVE-2020-1950 Apache
Oracle
Debian
Canonical
Resource Exhaustion vulnerability in multiple products

A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser in versions 1.0-1.23.

5.5
2020-03-27 CVE-2020-1771 Otrs Cross-site Scripting vulnerability in Otrs

Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript).

5.4
2020-03-25 CVE-2020-9520 Microfocus Cross-site Scripting vulnerability in Microfocus Vibe 4.0.2

A stored XSS vulnerability was discovered in Micro Focus Vibe, affecting all Vibe version prior to 4.0.7.

5.4
2020-03-25 CVE-2020-2170 Jenkins Cross-site Scripting vulnerability in Jenkins Rapiddeploy

Jenkins RapidDeploy Plugin 4.2 and earlier does not escape package names in the table of packages obtained from a remote server, resulting in a stored XSS vulnerability.

5.4
2020-03-25 CVE-2020-2163 Jenkins Cross-site Scripting vulnerability in Jenkins

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers.

5.4
2020-03-25 CVE-2020-2162 Jenkins Cross-site Scripting vulnerability in Jenkins

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability.

5.4
2020-03-25 CVE-2020-2161 Jenkins Cross-site Scripting vulnerability in Jenkins

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.

5.4
2020-03-24 CVE-2020-10942 Linux
Opensuse
Debian
Canonical
Out-of-bounds Write vulnerability in multiple products

In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls.

5.4
2020-03-24 CVE-2020-10385 Wpforms Cross-site Scripting vulnerability in Wpforms Contact Form

A stored cross-site scripting (XSS) vulnerability exists in the WPForms Contact Form (aka wpforms-lite) plugin before 1.5.9 for WordPress.

5.4
2020-03-23 CVE-2020-6425 Google
Debian
Fedoraproject
Opensuse
Improper Input Validation vulnerability in multiple products

Insufficient policy enforcement in extensions in Google Chrome prior to 80.0.3987.149 allowed an attacker who convinced a user to install a malicious extension to bypass site isolation via a crafted Chrome Extension.

5.4
2020-03-25 CVE-2020-6812 Mozilla
Canonical
Information Exposure vulnerability in multiple products

The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g.

5.3
2020-03-24 CVE-2020-9359 KDE
Debian
Fedoraproject
KDE Okular before 1.10.0 allows code execution via an action link in a PDF document.
5.3
2020-03-23 CVE-2020-10871 Openwrt Information Exposure vulnerability in Openwrt Luci Git20.049.11521Bebfe20/Git20.078.229020Ed0D42

In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services.

5.3
2020-03-27 CVE-2020-6095 Gstreamer Project
Opensuse
NULL Pointer Dereference vulnerability in multiple products

An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5.

5.0
2020-03-27 CVE-2020-10954 Gitlab Resource Exhaustion vulnerability in Gitlab

GitLab through 12.9 is affected by a potential DoS in repository archive download.

5.0
2020-03-27 CVE-2020-10953 Gitlab Path Traversal vulnerability in Gitlab

In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a path traversal issue.

5.0
2020-03-27 CVE-2020-5862 F5 Improper Input Validation vulnerability in F5 products

On BIG-IP 15.1.0-15.1.0.1, 15.0.0-15.0.1.1, and 14.1.0-14.1.2.2, under certain conditions, TMM may crash or stop processing new traffic with the DPDK/ENA driver on AWS systems while sending traffic.

5.0
2020-03-27 CVE-2020-5861 F5 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in F5 products

On BIG-IP 12.1.0-12.1.5, the TMM process may produce a core file in some cases when Ram Cache incorrectly optimizes stored data resulting in memory errors.

5.0
2020-03-27 CVE-2020-5859 F5 Improper Input Validation vulnerability in F5 products

On BIG-IP 15.1.0.1, specially formatted HTTP/3 messages may cause TMM to produce a core file.

5.0
2020-03-27 CVE-2020-5857 F5 Improper Input Validation vulnerability in F5 products

On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.2, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, undisclosed HTTP behavior may lead to a denial of service.

5.0
2020-03-27 CVE-2015-7336 Lenovo Improper Verification of Cryptographic Signature vulnerability in Lenovo System Update 5.06.0027/5.06.0043/5.07.0008

MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA.

5.0
2020-03-27 CVE-2020-10508 SUN Information Exposure vulnerability in SUN Ehrd 8/9

Sunnet eHRD, a human training and development management system, improperly stores system files.

5.0
2020-03-26 CVE-2019-5105 Codesys Out-of-bounds Write vulnerability in Codesys 3.5.13.2

An exploitable memory corruption vulnerability exists in the Name Service Client functionality of 3S-Smart Software Solutions CODESYS GatewayService.

5.0
2020-03-26 CVE-2020-5129 Sonicwall HTTP Request Smuggling vulnerability in Sonicwall Sma1000 Firmware

A vulnerability in the SonicWall SMA1000 HTTP Extraweb server allows an unauthenticated remote attacker to cause HTTP server crash which leads to Denial of Service.

5.0
2020-03-25 CVE-2020-6813 Mozilla Unspecified vulnerability in Mozilla Firefox

When protecting CSS blocks with the nonce feature of Content Security Policy, the @import statement in the CSS block could allow an attacker to inject arbitrary styles, bypassing the intent of the Content Security Policy.

5.0
2020-03-25 CVE-2020-6809 Mozilla Information Exposure vulnerability in Mozilla Firefox

When a Web Extension had the all-urls permission and made a fetch request with a mode set to 'same-origin', it was possible for the Web Extension to read local files.

5.0
2020-03-25 CVE-2020-3777 Adobe Out-of-bounds Read vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have an out-of-bounds read vulnerability.

5.0
2020-03-25 CVE-2020-3769 Adobe Server-Side Request Forgery (SSRF) vulnerability in Adobe Experience Manager

Adobe Experience Manager versions 6.5 and earlier have a server-side request forgery (ssrf) vulnerability.

5.0
2020-03-25 CVE-2020-3761 Adobe Information Exposure vulnerability in Adobe Coldfusion 2016/2018

ColdFusion versions ColdFusion 2016, and ColdFusion 2018 have a remote file read vulnerability.

5.0
2020-03-25 CVE-2020-5281 Cesnet Incorrect Permission Assignment for Critical Resource vulnerability in Cesnet Perun

In Perun before version 3.9.1, VO or group manager can modify configuration of the LDAP extSource to retrieve all from Perun LDAP.

5.0
2020-03-25 CVE-2020-5280 Typelevel Path Traversal vulnerability in Typelevel Http4S

http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability.

5.0
2020-03-25 CVE-2020-3806 Adobe Out-of-bounds Read vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have an out-of-bounds read vulnerability.

5.0
2020-03-25 CVE-2020-3804 Adobe Out-of-bounds Read vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have an out-of-bounds read vulnerability.

5.0
2020-03-25 CVE-2020-3800 Adobe Information Exposure vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a memory address leak vulnerability.

5.0
2020-03-24 CVE-2020-8984 Zend Origin Validation Error vulnerability in Zend Zendto

lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta allowed IP address spoofing via the X-Forwarded-For header.

5.0
2020-03-24 CVE-2020-7001 Moxa Use of a Broken or Risky Cryptographic Algorithm vulnerability in Moxa Eds-510E Firmware and Eds-G516E Firmware

In Moxa EDS-G516E Series firmware, Version 5.2 or lower, the affected products use a weak cryptographic algorithm, which may allow confidential information to be disclosed.

5.0
2020-03-24 CVE-2020-6997 Moxa Cleartext Transmission of Sensitive Information vulnerability in Moxa Eds-510E Firmware and Eds-G516E Firmware

In Moxa EDS-G516E Series firmware, Version 5.2 or lower, sensitive information is transmitted over some web applications in cleartext.

5.0
2020-03-24 CVE-2020-6991 Moxa Weak Password Requirements vulnerability in Moxa Eds-510E Firmware and Eds-G516E Firmware

In Moxa EDS-G516E Series firmware, Version 5.2 or lower, weak password requirements may allow an attacker to gain access using brute force.

5.0
2020-03-24 CVE-2020-6979 Moxa Use of Hard-coded Credentials vulnerability in Moxa Eds-510E Firmware and Eds-G516E Firmware

In Moxa EDS-G516E Series firmware, Version 5.2 or lower, the affected products use a hard-coded cryptographic key, increasing the possibility that confidential data can be recovered.

5.0
2020-03-24 CVE-2020-6080 Videolabs
Debian
Memory Leak vulnerability in multiple products

An exploitable denial-of-service vulnerability exists in the resource allocation handling of Videolabs libmicrodns 0.1.0.

5.0
2020-03-24 CVE-2020-6079 Videolabs
Debian
Memory Leak vulnerability in multiple products

An exploitable denial-of-service vulnerability exists in the resource allocation handling of Videolabs libmicrodns 0.1.0.

5.0
2020-03-24 CVE-2020-6077 Videolabs
Debian
Out-of-bounds Read vulnerability in multiple products

An exploitable denial-of-service vulnerability exists in the message-parsing functionality of Videolabs libmicrodns 0.1.0.

5.0
2020-03-24 CVE-2020-6073 Videolabs
Debian
Integer Overflow or Wraparound vulnerability in multiple products

An exploitable denial-of-service vulnerability exists in the TXT record-parsing functionality of Videolabs libmicrodns 0.1.0.

5.0
2020-03-24 CVE-2020-6071 Videolabs
Debian
Uncontrolled Recursion vulnerability in multiple products

An exploitable denial-of-service vulnerability exists in the resource record-parsing functionality of Videolabs libmicrodns 0.1.0.

5.0
2020-03-24 CVE-2020-6993 Moxa Information Exposure vulnerability in Moxa products

In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, an attacker can gain access to sensitive information from the web service without authorization.

5.0
2020-03-24 CVE-2019-20624 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software.

5.0
2020-03-24 CVE-2019-20620 Google Improper Authentication vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) software.

5.0
2020-03-24 CVE-2019-20619 Google Information Exposure vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) software.

5.0
2020-03-24 CVE-2019-20618 Google Improper Authentication vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) software.

5.0
2020-03-24 CVE-2019-20617 Google Information Exposure vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) software.

5.0
2020-03-24 CVE-2019-20616 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software.

5.0
2020-03-24 CVE-2019-20614 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software.

5.0
2020-03-24 CVE-2019-20612 Google Unspecified vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) (Broadcom Wi-Fi, and SEC Wi-Fi chipsets) software.

5.0
2020-03-24 CVE-2019-20608 Google Unspecified vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software.

5.0
2020-03-24 CVE-2019-20604 Google Unspecified vulnerability in Google Android 8.0/8.1

An issue was discovered on Samsung mobile devices with O(8.x) software.

5.0
2020-03-24 CVE-2019-20603 Google NULL Pointer Dereference vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.0), and P(9.0) (Qualcomm chipsets) software.

5.0
2020-03-24 CVE-2019-20602 Google NULL Pointer Dereference vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.0), and P(9.0) (Qualcomm chipsets) software.

5.0
2020-03-24 CVE-2019-20601 Google
Samsung
Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos7570, 7580, 7870, 7880, and 8890 chipsets) software.

5.0
2020-03-24 CVE-2019-20599 Google Improper Input Validation vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software.

5.0
2020-03-24 CVE-2019-20593 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software.

5.0
2020-03-24 CVE-2020-6987 Moxa Use of a Broken or Risky Cryptographic Algorithm vulnerability in Moxa products

In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, the affected products use a weak cryptographic algorithm, which may allow confidential information to be disclosed.

5.0
2020-03-24 CVE-2020-6983 Moxa Use of Hard-coded Credentials vulnerability in Moxa products

In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, the affected products use a hard-coded cryptographic key, which increases the possibility that confidential data can be recovered.

5.0
2020-03-24 CVE-2019-20580 Google Information Exposure vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) software.

5.0
2020-03-24 CVE-2019-20570 Google Improper Input Validation vulnerability in Google Android 7.1/8.0/9.0

An issue was discovered on Samsung mobile devices with P(9.0), O(8.0), and N(7.1) software.

5.0
2020-03-24 CVE-2019-20565 Google Improper Authentication vulnerability in Google Android 8.0/8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) software.

5.0
2020-03-24 CVE-2019-20564 Samsung Improper Input Validation vulnerability in Samsung Note9 and S9

An issue was discovered on Samsung mobile devices with any (before October 2019 for S9 or Note9) software.

5.0
2020-03-24 CVE-2019-20555 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) software.

5.0
2020-03-24 CVE-2019-20552 Google Improper Input Validation vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) software.

5.0
2020-03-24 CVE-2019-20551 Google Improper Input Validation vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software.

5.0
2020-03-24 CVE-2019-20547 Google Information Exposure vulnerability in Google Android 8.0/8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) software.

5.0
2020-03-24 CVE-2020-7003 Moxa Cleartext Transmission of Sensitive Information vulnerability in Moxa products

In Moxa ioLogik 2500 series firmware, Version 3.0 or lower, and IOxpress configuration utility, Version 2.3.0 or lower, sensitive information is transmitted over some web applications in clear text.

5.0
2020-03-24 CVE-2020-10854 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software.

5.0
2020-03-24 CVE-2020-10853 Google Information Exposure vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) software.

5.0
2020-03-24 CVE-2020-10849 Google Improper Restriction of Excessive Authentication Attempts vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (Exynos7885, Exynos8895, and Exynos9810 chipsets) software.

5.0
2020-03-24 CVE-2020-10834 Google Information Exposure vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) software.

5.0
2020-03-24 CVE-2020-10833 Google Improper Authentication vulnerability in Google Android 10.0

An issue was discovered on Samsung mobile devices with Q(10.0) software.

5.0
2020-03-24 CVE-2020-10831 Google Insufficient Verification of Data Authenticity vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software.

5.0
2020-03-24 CVE-2019-20539 Google Out-of-bounds Read vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Broadcom chipsets) software.

5.0
2020-03-24 CVE-2019-20532 Google Missing Authentication for Critical Function vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software.

5.0
2020-03-24 CVE-2019-18242 Moxa Unspecified vulnerability in Moxa products

In Moxa ioLogik 2500 series firmware, Version 3.0 or lower, and IOxpress configuration utility, Version 2.3.0 or lower, frequent and multiple requests for short-term use may cause the web server to fail.

5.0
2020-03-24 CVE-2020-4309 IBM Information Exposure vulnerability in IBM Content Navigator 3.0.0

IBM Content Navigator 3.0CD could disclose sensitive information to an unauthenticated user which could be used to aid in further attacks against the system.

5.0
2020-03-24 CVE-2019-4553 IBM Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM API Connect

IBM API Connect V5.0.0.0 through 5.0.8.7iFix3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

5.0
2020-03-24 CVE-2020-10931 Memcached Classic Buffer Overflow vulnerability in Memcached 1.6.0/1.6.1

Memcached 1.6.x before 1.6.2 allows remote attackers to cause a denial of service (daemon crash) via a crafted binary protocol header to try_read_command_binary in memcached.c.

5.0
2020-03-23 CVE-2020-10875 Zebra Path Traversal vulnerability in Zebra Fx9500 Firmware

Motorola FX9500 devices allow remote attackers to conduct absolute path traversal attacks, as demonstrated by PL/SQL Server Pages files such as /include/viewtagdb.psp.

5.0
2020-03-23 CVE-2020-8859 PSI NULL Pointer Dereference vulnerability in PSI Electronic Logbook 3.1.4283534D

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of ELOG Electronic Logbook 3.1.4-283534d.

5.0
2020-03-23 CVE-2020-10874 Motorola Information Exposure vulnerability in Motorola products

Motorola FX9500 devices allow remote attackers to read database files.

5.0
2020-03-23 CVE-2019-6558 Auto Maskin Weak Password Requirements vulnerability in Auto-Maskin products

In Auto-Maskin RP210E Versions 3.7 and prior, DCU210E Versions 3.7 and prior and Marine Observer Pro (Android App), the software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

5.0
2020-03-23 CVE-2020-7477 Schneider Electric Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products

A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Quantum Ethernet Network module 140NOE771x1 (Versions 7.0 and prior), Quantum processors with integrated Ethernet – 140CPU65xxxxx (all Versions), and Premium processors with integrated Ethernet (all Versions), which could cause a Denial of Service when sending a specially crafted command over Modbus.

5.0
2020-03-23 CVE-2020-8497 Artica Information Exposure vulnerability in Artica Pandora FMS

In Artica Pandora FMS through 7.42, an unauthenticated attacker can read the chat history.

5.0
2020-03-25 CVE-2020-5261 Sustainsys Authentication Bypass by Capture-replay vulnerability in Sustainsys Saml2

Saml2 Authentication services for ASP.NET (NuGet package Sustainsys.Saml2) greater than 2.0.0, and less than version 2.5.0 has a faulty implementation of Token Replay Detection.

4.9
2020-03-26 CVE-2020-5340 EMC Cross-site Scripting vulnerability in EMC RSA Authentication Manager

RSA Authentication Manager versions prior to 8.4 P10 contain a stored cross-site scripting vulnerability in the Security Console.

4.8
2020-03-26 CVE-2020-5339 EMC Cross-site Scripting vulnerability in EMC RSA Authentication Manager

RSA Authentication Manager versions prior to 8.4 P10 contain a stored cross-site scripting vulnerability in the Security Console.

4.8
2020-03-24 CVE-2019-20575 Google Use of Password Hash With Insufficient Computational Effort vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) software.

4.8
2020-03-27 CVE-2020-10940 Phoenixcontact Improper Privilege Management vulnerability in Phoenixcontact products

Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.

4.6
2020-03-27 CVE-2020-10939 Phoenixcontact Improper Privilege Management vulnerability in Phoenixcontact PC Worx SRT

Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.

4.6
2020-03-27 CVE-2020-5858 F5 Improper Privilege Management vulnerability in F5 products

On BIG-IP 15.0.0-15.0.1.2, 14.1.0-14.1.2.2, 13.1.0-13.1.3.2, 12.1.0-12.1.5, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, users with non-administrator roles (for example, Guest or Resource Administrator) with tmsh shell access can execute arbitrary commands with elevated privilege via a crafted tmsh command.

4.6
2020-03-24 CVE-2019-4001 Druva Incorrect Default Permissions vulnerability in Druva Insync 6.5.0

Improper input validation in Druva inSync Client 6.5.0 allows a local, authenticated attacker to execute arbitrary NodeJS code.

4.6
2020-03-24 CVE-2019-20594 Google Out-of-bounds Write vulnerability in Google Android 8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.1) and P(9.0) (Exynos chipsets) software.

4.6
2020-03-24 CVE-2019-20592 Google SQL Injection vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software.

4.6
2020-03-24 CVE-2019-20591 Google SQL Injection vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software.

4.6
2020-03-24 CVE-2019-20574 Google SQL Injection vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software.

4.6
2020-03-24 CVE-2019-20573 Google SQL Injection vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software.

4.6
2020-03-24 CVE-2020-10852 Google Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software.

4.6
2020-03-24 CVE-2020-10851 Google Out-of-bounds Write vulnerability in Google Android 10.0/9.0

An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software.

4.6
2020-03-24 CVE-2020-10847 Google Improper Authentication vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) (Galaxy S8 and Note8) software.

4.6
2020-03-24 CVE-2020-10842 Google Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (S.LSI chipsets) software.

4.6
2020-03-24 CVE-2020-10841 Google Unspecified vulnerability in Google Android 10.0/9.0

An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (Exynos 9610 chipsets) software.

4.6
2020-03-24 CVE-2020-10839 Google Incorrect Authorization vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software.

4.6
2020-03-24 CVE-2020-10838 Google Use After Free vulnerability in Google Android 10.0/9.0

An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software.

4.6
2020-03-24 CVE-2020-10832 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) (Exynos chipsets) software.

4.6
2020-03-24 CVE-2020-10829 Google Out-of-bounds Write vulnerability in Google Android 10.0/8.0/9.0

An issue was discovered on Samsung mobile devices with O(8.0), P(9.0), and Q(10.0) (Broadcom chipsets) software.

4.6
2020-03-24 CVE-2019-20542 Google Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), and P(9.0) (Exynos chipsets) software.

4.6
2020-03-24 CVE-2019-20541 Google Out-of-bounds Write vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) (Exynos chipsets) software.

4.6
2020-03-24 CVE-2019-20538 Google Out-of-bounds Write vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) software.

4.6
2020-03-23 CVE-2020-8874 Parallels Integer Overflow or Wraparound vulnerability in Parallels Desktop

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.2-47123.

4.6
2020-03-23 CVE-2020-8873 Parallels Improper Privilege Management vulnerability in Parallels Desktop

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.2-47123.

4.6
2020-03-23 CVE-2020-8871 Parallels Out-of-bounds Write vulnerability in Parallels Desktop

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.0-47107 .

4.6
2020-03-23 CVE-2019-5184 Wago Double Free vulnerability in Wago Pfc200 Firmware 03.02.02(14)

An exploitable double free vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200.

4.6
2020-03-25 CVE-2020-3803 Adobe Uncontrolled Search Path Element vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have an insecure library loading (dll hijacking) vulnerability.

4.4
2020-03-24 CVE-2020-10845 Google Use After Free vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software.

4.4
2020-03-24 CVE-2020-10843 Google Race Condition vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (S.LSI chipsets) software.

4.4
2020-03-23 CVE-2020-7476 Schneider Electric Untrusted Search Path vulnerability in Schneider-Electric Ulti Zigbee Installation Toolkit

A CWE-426: Untrusted Search Path vulnerability exists in ZigBee Installation Kit (Versions prior to 1.0.1), which could cause execution of malicious code when a malicious file is put in the search path.

4.4
2020-03-23 CVE-2020-7474 Schneider Electric Uncontrolled Search Path Element vulnerability in Schneider-Electric Pmepxm0100 Prosoft Configurator 1.002

A CWE-427: Uncontrolled Search Path Element vulnerability exists in ProSoft Configurator (v1.002 and prior), for the PMEPXM0100 (H) module, which could cause the execution of untrusted code when using double click to open a project file which may trigger execution of a malicious DLL.

4.4
2020-03-23 CVE-2019-5186 Wago Classic Buffer Overflow vulnerability in Wago Pfc200 Firmware 03.02.02(14)

An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200.

4.4
2020-03-23 CVE-2019-5185 Wago Classic Buffer Overflow vulnerability in Wago Pfc200 Firmware 03.02.02(14)

An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200.

4.4
2020-03-27 CVE-2020-8552 Kubernetes
Fedoraproject
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests.

4.3
2020-03-27 CVE-2020-1770 Otrs
Opensuse
Debian
Information Exposure vulnerability in multiple products

Support bundle generated files could contain sensitive information that might be unwanted to be disclosed.

4.3
2020-03-27 CVE-2020-1769 Otrs
Opensuse
In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue.
4.3
2020-03-27 CVE-2020-10509 SUN Cross-site Scripting vulnerability in SUN Ehrd 8.0/9.0

Sunnet eHRD, a human training and development management system, contains vulnerability of Cross-Site Scripting (XSS), attackers can inject arbitrary command into the system and launch XSS attack.

4.3
2020-03-26 CVE-2020-8923 Dart Cross-site Scripting vulnerability in Dart Software Development KIT

An improper HTML sanitization in Dart versions up to and including 2.7.1 and dev versions 2.8.0-dev.16.0, allows an attacker leveraging DOM Clobbering techniques to skip the sanitization and inject custom html/javascript (XSS).

4.3
2020-03-25 CVE-2020-10966 Hestiacp
Vestacp
In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name.
4.3
2020-03-25 CVE-2020-6810 Mozilla Authentication Bypass by Spoofing vulnerability in Mozilla Firefox

After a website had entered fullscreen mode, it could have used a previously opened popup to obscure the notification that indicates the browser is in fullscreen mode.

4.3
2020-03-25 CVE-2020-6808 Mozilla Authentication Bypass by Spoofing vulnerability in Mozilla Firefox

When a JavaScript URL (javascript:) is evaluated and the result is a string, this string is parsed to create an HTML document, which is then presented.

4.3
2020-03-25 CVE-2020-3791 Adobe Out-of-bounds Read vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have an out-of-bounds read vulnerability.

4.3
2020-03-25 CVE-2020-3782 Adobe Out-of-bounds Read vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have an out-of-bounds read vulnerability.

4.3
2020-03-25 CVE-2020-3781 Adobe Out-of-bounds Read vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have an out-of-bounds read vulnerability.

4.3
2020-03-25 CVE-2020-3778 Adobe Out-of-bounds Read vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop versions Photoshop CC 2019, and Photoshop 2020 have an out-of-bounds read vulnerability.

4.3
2020-03-25 CVE-2020-3771 Adobe Out-of-bounds Read vulnerability in Adobe Photoshop 2020 and Photoshop CC

Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 2020 versions 21.1 and earlier have an out-of-bounds read vulnerability.

4.3
2020-03-25 CVE-2019-20633 GNU Double Free vulnerability in GNU Patch

GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file.

4.3
2020-03-25 CVE-2020-5559 WL ENQ Project Cross-site Scripting vulnerability in Wl-Enq Project Wl-Enq 1.11/1.12

Cross-site scripting vulnerability in WL-Enq 1.11 and 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2020-03-25 CVE-2020-5557 Cutephp Cross-site Scripting vulnerability in Cutephp Cutenews 2.0.1

Cross-site scripting vulnerability in CuteNews 2.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2020-03-25 CVE-2020-5552 Mailform Cross-site Scripting vulnerability in Mailform 1.04

Cross-site scripting vulnerability in mailform version 1.04 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2020-03-24 CVE-2019-20632 Gpac Release of Invalid Pointer or Reference vulnerability in Gpac

An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box.

4.3
2020-03-24 CVE-2019-20631 Gpac Release of Invalid Pointer or Reference vulnerability in Gpac

An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box.

4.3
2020-03-24 CVE-2019-20630 Gpac Out-of-bounds Read vulnerability in Gpac

An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box.

4.3
2020-03-24 CVE-2019-20629 Gpac Out-of-bounds Read vulnerability in Gpac

An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box.

4.3
2020-03-24 CVE-2019-20628 Gpac Use After Free vulnerability in Gpac

An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box.

4.3
2020-03-24 CVE-2019-4681 IBM
Linux
Microsoft
Oracle
Cross-site Scripting vulnerability in IBM Tivoli Netcool/Impact

IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 is vulnerable to cross-site scripting.

4.3
2020-03-23 CVE-2020-7482 Schneider Electric Cross-site Scripting vulnerability in Schneider-Electric products

A CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists Andover Continuum (All versions), which could cause a Reflective Cross-site Scripting (XSS attack) when using the products' web server.

4.3
2020-03-23 CVE-2020-7481 Schneider Electric Cross-site Scripting vulnerability in Schneider-Electric products

A CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists Andover Continuum (All versions), which could enable a successful Cross-site Scripting (XSS attack) when using the products' web server.

4.3
2020-03-23 CVE-2020-10660 Hashicorp Incorrect Default Permissions vulnerability in Hashicorp Vault

HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to.

4.3
2020-03-27 CVE-2020-10955 Gitlab
Debian
Missing Authorization vulnerability in multiple products

GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders.

4.0
2020-03-27 CVE-2020-10510 SUN Improper Input Validation vulnerability in SUN Ehrd 8/9

Sunnet eHRD, a human training and development management system, contains a vulnerability of Broken Access Control.

4.0
2020-03-26 CVE-2020-9468 Piwigo Improper Input Validation vulnerability in Piwigo 2.9.0

The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter.

4.0
2020-03-26 CVE-2020-7944 Puppet Information Exposure vulnerability in Puppet Continuous Delivery

In Continuous Delivery for Puppet Enterprise (CD4PE) before 3.4.0, changes to resources or classes containing Sensitive parameters can result in the Sensitive parameters ending up in the impact analysis report.

4.0
2020-03-26 CVE-2020-6999 Moxa Classic Buffer Overflow vulnerability in Moxa Mds-G516E Firmware 5.2

In Moxa EDS-G516E Series firmware, Version 5.2 or lower, some of the parameters in the setting pages do not ensure text is the correct size for its buffer.

4.0
2020-03-25 CVE-2019-18626 Harriscomputer Information Exposure vulnerability in Harriscomputer Ormed MIS

Harris Ormed Self Service before 2019.1.4 allows an authenticated user to view W-2 forms belonging to other users via an arbitrary empNo value to the ORMEDMIS/Data/PY/T4W2Service.svc/RetrieveW2EntriesForEmployee URI, thus exposing sensitive information including employee tax information, social security numbers, home addresses, and more.

4.0
2020-03-25 CVE-2020-10791 IT Novum Server-Side Request Forgery (SSRF) vulnerability in It-Novum Openitcockpit

app/Plugin/GrafanaModule/Controller/GrafanaConfigurationController.php in openITCOCKPIT before 3.7.3 allows remote authenticated users to trigger outbound TCP requests (aka SSRF) via the Test Connection feature (aka testGrafanaConnection) of the Grafana Module.

4.0
2020-03-23 CVE-2019-19964 Netgear Unspecified vulnerability in Netgear Gs728Tps Firmware

On NETGEAR GS728TPS devices through 5.3.0.35, a remote attacker having network connectivity to the web-administration panel can access part of the web panel, bypassing authentication.

4.0

37 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-03-24 CVE-2019-20600 Google
Samsung
Use After Free vulnerability in Google Android 8.0/9.0

An issue was discovered on Samsung mobile devices with O(8.0) and P(9.0) (Exynos8890 chipsets) software.

3.6
2020-03-24 CVE-2020-10840 Google Memory Leak vulnerability in Google Android 10.0/9.0

An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (Exynos 9610 chipsets) software.

3.6
2020-03-24 CVE-2019-20531 Google Out-of-bounds Read vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) (Exynos chipsets) software.

3.6
2020-03-24 CVE-2020-10570 Telegram Improper Authentication vulnerability in Telegram

The Telegram application through 5.12 for Android, when Show Popup is enabled, might allow physically proximate attackers to bypass intended restrictions on message reading and message replying.

3.6
2020-03-26 CVE-2020-9467 Piwigo Cross-site Scripting vulnerability in Piwigo 2.10.1

Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function.

3.5
2020-03-25 CVE-2020-5277 Prestashop Cross-site Scripting vulnerability in Prestashop Faceted Search Module

PrestaShop module ps_facetedsearch versions before 3.5.0 has a reflected XSS with `url_name` parameter.

3.5
2020-03-25 CVE-2020-10790 IT Novum Cross-site Scripting vulnerability in It-Novum Openitcockpit

openITCOCKPIT before 3.7.3 has unnecessary files (such as Lodash files) under the web root, which leads to XSS.

3.5
2020-03-24 CVE-2019-17276 Netapp Cross-site Scripting vulnerability in Netapp Oncommand System Manager 9.3/9.4

OnCommand System Manager versions 9.3 prior to 9.3P18 and 9.4 prior to 9.4P2 are susceptible to a cross site scripting vulnerability that could allow an authenticated attacker to inject arbitrary scripts into the SNMP Community Names label field.

3.5
2020-03-23 CVE-2019-4718 IBM Cross-site Scripting vulnerability in IBM Jazz for Service Management 1.1.3.0

IBM Jazz for Service Management 3.13 is vulnerable to cross-site scripting.

3.5
2020-03-24 CVE-2019-20609 Google Information Exposure vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) software.

3.3
2020-03-24 CVE-2019-20546 Google Improper Input Validation vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Broadcom Wi-Fi chipsets) software.

3.3
2020-03-26 CVE-2019-15796 Ubuntu
Canonical
Debian
Improper Verification of Cryptographic Signature vulnerability in multiple products

Python-apt doesn't check if hashes are signed in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py or in `_fetch_archives()` of apt/cache.py in version 1.9.3ubuntu2 and earlier.

2.6
2020-03-26 CVE-2019-15795 Ubuntu
Canonical
Debian
Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products

python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier.

2.6
2020-03-26 CVE-2020-9065 Huawei Use After Free vulnerability in Huawei Taurus-Al00B Firmware 10.0.0.133(C00E132R5P1)/10.0.0.41(Sp2C00E41R3P2)

Huawei smart phone Taurus-AL00B with versions earlier than 10.0.0.203(C00E201R7P2) have a use-after-free (UAF) vulnerability.

2.1
2020-03-24 CVE-2019-20625 Google Information Exposure vulnerability in Google Android 7.1/8.0/8.1

An issue was discovered on Samsung mobile devices with N(7.1) and O(8.x) (Exynos chipsets) software.

2.1
2020-03-24 CVE-2019-20615 Google Improper Input Validation vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software.

2.1
2020-03-24 CVE-2019-20598 Google Information Exposure vulnerability in Google Android 8.0/8.1

An issue was discovered on Samsung mobile devices with O(8.x) software.

2.1
2020-03-24 CVE-2019-20595 Google Missing Authentication for Critical Function vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) software.

2.1
2020-03-24 CVE-2019-20579 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software.

2.1
2020-03-24 CVE-2019-20569 Google Improper Input Validation vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) software.

2.1
2020-03-24 CVE-2019-20559 Google Information Exposure vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) software.

2.1
2020-03-24 CVE-2019-20557 Google Improper Input Validation vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software.

2.1
2020-03-24 CVE-2019-20554 Google Improper Input Validation vulnerability in Google Android 8.0/8.1

An issue was discovered on Samsung mobile devices with O(8.x) software.

2.1
2020-03-24 CVE-2019-20550 Google Information Exposure vulnerability in Google Android 8.0/8.1

An issue was discovered on Samsung mobile devices with O(8.x) (released in China and India) software.

2.1
2020-03-24 CVE-2020-10855 Google Improper Input Validation vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) software.

2.1
2020-03-24 CVE-2020-10830 Google Information Exposure vulnerability in Google Android 10.0/9.0

An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software.

2.1
2020-03-24 CVE-2019-20543 Google Unspecified vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) software.

2.1
2020-03-24 CVE-2019-20540 Google Out-of-bounds Read vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos chipsets) software.

2.1
2020-03-24 CVE-2019-20535 Google Unspecified vulnerability in Google Android 8.0/8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) software.

2.1
2020-03-24 CVE-2019-20534 Google Information Exposure vulnerability in Google Android 9.0

An issue was discovered on Samsung mobile devices with P(9.0) software.

2.1
2020-03-24 CVE-2019-20533 Google Improper Authentication vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (released in China or India) software.

2.1
2020-03-23 CVE-2020-10870 ZIM Wiki Improper Input Validation vulnerability in Zim-Wiki ZIM

Zim through 0.72.1 creates temporary directories with predictable names.

2.1
2020-03-23 CVE-2020-8876 Parallels Out-of-bounds Read vulnerability in Parallels Desktop

This vulnerability allows local attackers to disclose information on affected installations of Parallels Desktop 15.1.2-47123.

2.1
2020-03-23 CVE-2020-8872 Parallels Out-of-bounds Read vulnerability in Parallels Desktop

This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.1-47117.

2.1
2020-03-24 CVE-2019-20623 Google Use of Uninitialized Resource vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), and P(9.0) software.

1.9
2020-03-24 CVE-2020-10846 Google Improper Input Validation vulnerability in Google Android 10.0/9.0

An issue was discovered on Samsung mobile devices with P(9.x) and Q(10.x) software.

1.9
2020-03-23 CVE-2020-5252 Pyup Unspecified vulnerability in Pyup Safety

The command-line "safety" package for Python has a potential security issue.

1.9