Weekly Vulnerabilities Reports > April 6 to 12, 2020

Overview

373 new vulnerabilities reported during this period, including 24 critical vulnerabilities and 79 high severity vulnerabilities. This weekly summary report vulnerabilities in 262 products from 106 vendors including Google, Juniper, Samsung, IBM, and Cipplanner. Vulnerabilities are notably categorized as "Information Exposure", "Improper Input Validation", "Cross-site Scripting", "Out-of-bounds Write", and "Classic Buffer Overflow".

  • 296 reported vulnerabilities are remotely exploitables.
  • 81 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 318 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 147 reported vulnerabilities.
  • Google has the most reported critical vulnerabilities, with 13 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

24 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-04-10 CVE-2015-8546 Google
Samsung
Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with software through 2015-11-12, affecting the Galaxy S6/S6 Edge, Galaxy S6 Edge+, and Galaxy Note5 with the Shannon333 chipset.

10.0
2020-04-09 CVE-2020-10621 Advantech Unrestricted Upload of File with Dangerous Type vulnerability in Advantech Webaccess/Nms

Multiple issues exist that allow files to be uploaded and executed on the WebAccess/NMS (versions prior to 3.0.2).

10.0
2020-04-08 CVE-2020-1615 Juniper Use of Hard-coded Credentials vulnerability in Juniper Junos

The factory configuration for vMX installations, as shipped, includes default credentials for the root account.

10.0
2020-04-08 CVE-2018-21072 Google Out-of-bounds Read vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.0), N(7.x), and O(8.0) (Exynos chipsets) software.

10.0
2020-04-08 CVE-2018-21066 Google Classic Buffer Overflow vulnerability in Google Android 6.0

An issue was discovered on Samsung mobile devices with M(6.0) (Exynos or MediaTek chipsets) software.

10.0
2020-04-08 CVE-2018-21063 Google Unspecified vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.0), N(7.x), and O(8.x) (Exynos chipsets) software.

10.0
2020-04-08 CVE-2018-21057 Google Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) O(8.x, and P(9.0) (Exynos chipsets) software.

10.0
2020-04-08 CVE-2018-21055 Google
Qualcomm
Improper Input Validation vulnerability in Google Android 7.0

An issue was discovered on Samsung mobile devices with N(7.0) (Qualcomm models using MSM8996 chipsets) software.

10.0
2020-04-08 CVE-2018-21052 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.X) (Exynos chipsets) software.

10.0
2020-04-08 CVE-2018-21051 Google Injection vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) (Exynos chipsets) software.

10.0
2020-04-08 CVE-2018-21050 Google Classic Buffer Overflow vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.X) (Exynos chipsets) software.

10.0
2020-04-08 CVE-2018-21049 Google Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.X) (Exynos chipsets) software.

10.0
2020-04-08 CVE-2020-11600 Google Out-of-bounds Write vulnerability in Google Android 10.0

An issue was discovered on Samsung mobile devices with Q(10.0) software.

10.0
2020-04-08 CVE-2018-21090 Google Classic Buffer Overflow vulnerability in Google Android

An issue was discovered on Samsung mobile devices with software through 2017-11-03 (S.LSI modem chipsets).

10.0
2020-04-08 CVE-2018-21089 Google
Mediatek
Integer Overflow or Wraparound vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) (MT6755/MT6757 Mediatek models) software.

10.0
2020-04-08 CVE-2020-11543 Opsramp Use of Hard-coded Credentials vulnerability in Opsramp Gateway 3.0.0

OpsRamp Gateway before 7.0.0 has a backdoor account vadmin with the password [email protected] that allows root SSH access to the server.

10.0
2020-04-07 CVE-2017-18681 Samsung Classic Buffer Overflow vulnerability in Samsung Galaxy S5 Firmware 20161220

An issue was discovered on Samsung Galaxy S5 mobile devices with software through 2016-12-20 (Qualcomm AP chipsets).

10.0
2020-04-08 CVE-2020-1614 Juniper Use of Hard-coded Credentials vulnerability in Juniper Junos

A Use of Hard-coded Credentials vulnerability exists in the NFX250 Series for the vSRX Virtual Network Function (VNF) instance, which allows an attacker to take control of the vSRX VNF instance if they have the ability to access an administrative service (e.g.

9.3
2020-04-08 CVE-2020-1992 Paloaltonetworks Use of Externally-Controlled Format String vulnerability in Paloaltonetworks Pan-Os

A format string vulnerability in the Varrcvr daemon of PAN-OS on PA-7000 Series devices with a Log Forwarding Card (LFC) allows remote attackers to crash the daemon creating a denial of service condition or potentially execute code with root privileges.

9.3
2020-04-06 CVE-2020-11581 Pulsesecure OS Command Injection vulnerability in Pulsesecure Pulse Connect Secure 7.1/7.4

An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06.

9.3
2020-04-10 CVE-2020-11002 Dropwizard Injection vulnerability in Dropwizard Validation

dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability.

9.0
2020-04-08 CVE-2020-1990 Paloaltonetworks Out-of-bounds Write vulnerability in Paloaltonetworks Pan-Os

A stack-based buffer overflow vulnerability in the management server component of PAN-OS allows an authenticated user to upload a corrupted PAN-OS configuration and potentially execute code with root privileges.

9.0
2020-04-06 CVE-2019-19699 Centreon Improper Privilege Management vulnerability in Centreon

There is Authenticated remote code execution in Centreon Infrastructure Monitoring Software through 19.10 via Pollers misconfiguration, leading to system compromise via apache crontab misconfiguration, This allows the apache user to modify an executable file executed by root at 22:30 every day.

9.0
2020-04-06 CVE-2020-10265 Universal Robots Missing Authentication for Critical Function vulnerability in Universal-Robots UR Software

Universal Robots Robot Controllers Version CB2 SW Version 1.4 upwards, CB3 SW Version 3.0 and upwards, e-series SW Version 5.0 and upwards expose a service called DashBoard server at port 29999 that allows for control over core robot functions like starting/stopping programs, shutdown, reset safety and more.

9.0

79 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-04-06 CVE-2020-9473 Siedle Missing Authentication for Critical Function vulnerability in Siedle SG 150-0 Firmware 1.1.0

The S.

8.5
2020-04-08 CVE-2020-5735 Amcrest Out-of-bounds Write vulnerability in Amcrest products

Amcrest cameras and NVR are vulnerable to a stack-based buffer overflow over port 37777.

8.0
2020-04-10 CVE-2015-9547 Google Information Exposure vulnerability in Google Android 4.3/4.4.2

An issue was discovered on Samsung mobile devices with JBP(4.3) and KK(4.4.2) software.

7.8
2020-04-08 CVE-2020-1617 Juniper Improper Initialization vulnerability in Juniper Junos

This issue occurs on Juniper Networks Junos OS devices which do not support Advanced Forwarding Interface (AFI) / Advanced Forwarding Toolkit (AFT).

7.8
2020-04-08 CVE-2018-21088 Google Improper Handling of Exceptional Conditions vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) software.

7.8
2020-04-08 CVE-2018-21091 Google Improper Handling of Exceptional Conditions vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.x) and N(7.x) software.

7.8
2020-04-07 CVE-2017-18685 Google Improper Input Validation vulnerability in Google Android

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), and M(6.0) software.

7.8
2020-04-07 CVE-2017-18682 Google Improper Handling of Exceptional Conditions vulnerability in Google Android

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), M(6.0), and N(7.0) software.

7.8
2020-04-07 CVE-2017-18679 Google Improper Input Validation vulnerability in Google Android 6.0

An issue was discovered on Samsung mobile devices with M(6.0) software.

7.8
2020-04-07 CVE-2017-18674 Google Improper Input Validation vulnerability in Google Android 7.0

An issue was discovered on Samsung mobile devices with N(7.0) software.

7.8
2020-04-07 CVE-2016-11039 Google NULL Pointer Dereference vulnerability in Google Android

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), and M(6.0) (AP + CP MDM9x35, or Qualcomm Onechip) software.

7.8
2020-04-07 CVE-2016-11031 Google Improper Input Validation vulnerability in Google Android

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), and M(6.0) software.

7.8
2020-04-07 CVE-2016-11026 Google Improper Handling of Exceptional Conditions vulnerability in Google Android

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), and M(6.0) software.

7.8
2020-04-12 CVE-2020-11722 Dungeon Crawl Stone Soup Project Unrestricted Upload of File with Dangerous Type vulnerability in Dungeon Crawl Stone Soup Project Dungeon Crawl Stone Soup

Dungeon Crawl Stone Soup (aka DCSS or crawl) before 0.25 allows remote attackers to execute arbitrary code via Lua bytecode embedded in an uploaded .crawlrc file.

7.5
2020-04-12 CVE-2020-11710 Konghq Unspecified vulnerability in Konghq Docker-Kong

** DISPUTED ** An issue was discovered in docker-kong (for Kong) through 2.0.3.

7.5
2020-04-12 CVE-2020-11708 Provideserver Improper Privilege Management vulnerability in Provideserver Provide FTP Server 13.1

An issue was discovered in ProVide (formerly zFTPServer) through 13.1.

7.5
2020-04-12 CVE-2020-11705 Provideserver Path Traversal vulnerability in Provideserver Provide FTP Server 13.1

An issue was discovered in ProVide (formerly zFTPServer) through 13.1.

7.5
2020-04-10 CVE-2015-5524 Google Classic Buffer Overflow vulnerability in Google Android 4.4

An issue was discovered on Samsung mobile devices with KK(4.4) and later software through 2015-05-13.

7.5
2020-04-10 CVE-2019-7305 Extplorer Files or Directories Accessible to External Parties vulnerability in Extplorer 2.0.0/2.1.0

Information Exposure vulnerability in eXtplorer makes the /usr/ and /etc/extplorer/ system directories world-accessible over HTTP.

7.5
2020-04-09 CVE-2020-8961 Avira Code Injection vulnerability in Avira Free Antivirus

An issue was discovered in Avira Free-Antivirus before 15.0.2004.1825.

7.5
2020-04-09 CVE-2020-10631 Advantech Path Traversal vulnerability in Advantech Webaccess/Nms

An attacker could use a specially crafted URL to delete or read files outside the WebAccess/NMS's (versions prior to 3.0.2) control.

7.5
2020-04-09 CVE-2020-10625 Advantech Missing Authentication for Critical Function vulnerability in Advantech Webaccess/Nms

WebAccess/NMS (versions prior to 3.0.2) allows an unauthenticated remote user to create a new admin account.

7.5
2020-04-09 CVE-2020-11656 Sqlite
Netapp
Oracle
Use After Free vulnerability in multiple products

In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.

7.5
2020-04-08 CVE-2020-10980 Gitlab Server-Side Request Forgery (SSRF) vulnerability in Gitlab

GitLab EE/CE 8.0.rc1 to 12.9 is vulnerable to a blind SSRF in the FogBugz integration.

7.5
2020-04-08 CVE-2018-21075 Google Unspecified vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software.

7.5
2020-04-08 CVE-2018-21071 Google Information Exposure vulnerability in Google Android 6.0

An issue was discovered on Samsung mobile devices with M(6.0) software.

7.5
2020-04-08 CVE-2018-21065 Google Integer Underflow (Wrap or Wraparound) vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.0), N(7.x), and O(8.x) software.

7.5
2020-04-08 CVE-2018-21064 Google Classic Buffer Overflow vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software.

7.5
2020-04-08 CVE-2018-21058 Google
Samsung
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Google Android 7.0/8.0

An issue was discovered on Samsung mobile devices with N(7.0), O(8.0) (exynos7420 or Exynos 8890/8996 chipsets) software.

7.5
2020-04-08 CVE-2018-21054 Google
Samsung
Qualcomm
Unisoc
Mediatek
Integer Overflow or Wraparound vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.0), N(7.x) and O(8.x) except exynos9610/9820 in all Platforms, M(6.0) except MSM8909 SC77xx/9830 exynos3470/5420, N(7.0) except MSM8939, N(7.1) except MSM8996 SDM6xx/M6737T software.

7.5
2020-04-08 CVE-2018-21044 Google Classic Buffer Overflow vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.0) software.

7.5
2020-04-08 CVE-2018-21042 Google Missing Authorization vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software.

7.5
2020-04-08 CVE-2018-21038 Google Improper Authentication vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) software.

7.5
2020-04-08 CVE-2020-11603 Google Type Confusion vulnerability in Google Android 10.0/9.0

An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (incorporating TEEGRIS) software.

7.5
2020-04-08 CVE-2018-21087 Google Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with L(5.x), M(6.x), and N(7.x) software.

7.5
2020-04-08 CVE-2017-18645 Google Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.x) and N(7.x) (Qualcomm chipsets) software.

7.5
2020-04-08 CVE-2017-18644 Google Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with L(5.1), M(6.x), and N(7.x) software.

7.5
2020-04-08 CVE-2020-11630 Primekey Deserialization of Untrusted Data vulnerability in Primekey Ejbca 7.0.0

An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2.

7.5
2020-04-07 CVE-2020-6974 Honeywell Path Traversal vulnerability in Honeywell Notifier Webserver 3.50

Honeywell Notifier Web Server (NWS) Version 3.50 is vulnerable to a path traversal attack, which allows an attacker to bypass access to restricted directories.

7.5
2020-04-07 CVE-2020-11514 Rankmath Improper Privilege Management vulnerability in Rankmath

The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to update arbitrary WordPress metadata, including the ability to escalate or revoke administrative privileges for existing users via the unsecured rankmath/v1/updateMeta REST API endpoint.

7.5
2020-04-07 CVE-2017-18691 Google
Samsung
Classic Buffer Overflow vulnerability in Google Android 6.0/7.0

An issue was discovered on Samsung mobile devices with M(6.0) and N(7.0) (Exynos8890 chipsets) software.

7.5
2020-04-07 CVE-2017-18690 Google
Samsung
Classic Buffer Overflow vulnerability in Google Android

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), M(6.0), and N(7.0) (Exynos54xx, Exynos7420, Exynos8890, or Exynos8895 chipsets) software.

7.5
2020-04-07 CVE-2017-18684 Google Improper Input Validation vulnerability in Google Android 5.0/5.1/6.0

An issue was discovered on Samsung mobile devices with L(5.0/5.1) and M(6.0) software.

7.5
2020-04-07 CVE-2017-18683 Google Improper Input Validation vulnerability in Google Android 5.0/5.1/6.0

An issue was discovered on Samsung mobile devices with L(5.0/5.1) and M(6.0) software.

7.5
2020-04-07 CVE-2017-18661 Google Classic Buffer Overflow vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.0) and N(7.x) software.

7.5
2020-04-07 CVE-2017-18660 Google Classic Buffer Overflow vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.0) and N(7.x) software.

7.5
2020-04-07 CVE-2017-18655 Google Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.0) and N(7.x) software.

7.5
2020-04-07 CVE-2017-18652 Google Injection vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.0) and N(7.x) software.

7.5
2020-04-07 CVE-2020-7614 NPM Programmatic Project OS Command Injection vulnerability in Npm-Programmatic Project Npm-Programmatic 0.0.12

npm-programmatic through 0.0.12 is vulnerable to Command Injection.The packages and option properties are concatenated together without any validation and are used by the 'exec' function directly.

7.5
2020-04-07 CVE-2017-18696 Google
Qualcomm
Samsung
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 6.0/7.0

An issue was discovered on Samsung mobile devices with M(6.0) and N(7.0) (Exynos7420, Exynos8890, or MSM8996 chipsets) software.

7.5
2020-04-07 CVE-2017-18693 Google Classic Buffer Overflow vulnerability in Google Android

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), M(6.0), and N(7.0) software.

7.5
2020-04-07 CVE-2016-11038 Google
Samsung
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android

An issue was discovered on Samsung mobile devices with software through 2016-04-05 (incorporating the Samsung Professional Audio SDK).

7.5
2020-04-07 CVE-2016-11036 Google Missing Authorization vulnerability in Google Android 6.0

An issue was discovered on Samsung mobile devices with M(6.0) software.

7.5
2020-04-07 CVE-2016-11033 Google Out-of-bounds Write vulnerability in Google Android 6.0

An issue was discovered on Samsung mobile devices with M(6.0) software.

7.5
2020-04-07 CVE-2016-11028 Google
Samsung
Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with software through 2016-09-13 (Exynos AP chipsets).

7.5
2020-04-07 CVE-2016-11025 Google Out-of-bounds Write vulnerability in Google Android

An issue was discovered on Samsung mobile devices with software through 2016-09-13 (Exynos AP chipsets).

7.5
2020-04-07 CVE-2016-11051 Google Classic Buffer Overflow vulnerability in Google Android 4.2

An issue was discovered on Samsung mobile devices with J(4.2) (Qualcomm Wi-Fi chipsets) software.

7.5
2020-04-06 CVE-2020-11586 Cipplanner XXE vulnerability in Cipplanner Cipace 6.80

An XXE issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801.

7.5
2020-04-06 CVE-2020-11598 Cipplanner Improper Authentication vulnerability in Cipplanner Cipace 6.80

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801.

7.5
2020-04-06 CVE-2020-11597 Cipplanner SQL Injection vulnerability in Cipplanner Cipace 6.80

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801.

7.5
2020-04-06 CVE-2020-11545 Projectworlds SQL Injection vulnerability in Projectworlds Official CAR Rental System 1.0

Project Worlds Official Car Rental System 1 is vulnerable to multiple SQL injection issues, as demonstrated by the email and parameters (account.php), uname and pass parameters (login.php), and id parameter (book_car.php) This allows an attacker to dump the MySQL database and to bypass the login authentication prompt.

7.5
2020-04-06 CVE-2020-7622 Jooby Unspecified vulnerability in Jooby

This affects the package io.jooby:jooby-netty before 1.6.9, from 2.0.0 and before 2.2.1.

7.5
2020-04-06 CVE-2020-7636 ADB Driver Project Injection vulnerability in Adb-Driver Project Adb-Driver

adb-driver through 0.1.8 is vulnerable to Command Injection.It allows execution of arbitrary commands via the command function.

7.5
2020-04-06 CVE-2020-7635 Compass Compile Project Injection vulnerability in Compass-Compile Project Compass-Compile 0.0.1

compass-compile through 0.0.1 is vulnerable to Command Injection.It allows execution of arbitrary commands via tha options argument.

7.5
2020-04-06 CVE-2020-7634 Heroku Addonpool Project Injection vulnerability in Heroku-Addonpool Project Heroku-Addonpool

heroku-addonpool through 0.1.15 is vulnerable to Command Injection.

7.5
2020-04-06 CVE-2020-7633 Apiconnect CLI Plugins Project Injection vulnerability in Apiconnect-Cli-Plugins Project Apiconnect-Cli-Plugins

apiconnect-cli-plugins through 6.0.1 is vulnerable to Command Injection.It allows execution of arbitrary commands via the pluginUri argument.

7.5
2020-04-06 CVE-2020-7632 Node MPV Project Injection vulnerability in Node-Mpv Project Node-Mpv

node-mpv through 1.4.3 is vulnerable to Command Injection.

7.5
2020-04-06 CVE-2020-7631 Diskusage NG Project Injection vulnerability in Diskusage-Ng Project Diskusage-Ng 0.2.2/0.2.3/0.2.4

diskusage-ng through 0.2.4 is vulnerable to Command Injection.It allows execution of arbitrary commands via the path argument.

7.5
2020-04-09 CVE-2020-10551 Tencent Improper Privilege Management vulnerability in Tencent Qqbrowser

QQBrowser before 10.5.3870.400 installs a Windows service TsService.exe.

7.2
2020-04-08 CVE-2020-1989 Paloaltonetworks Improper Privilege Management vulnerability in Paloaltonetworks Globalprotect 5.0/5.0.4/5.1

An incorrect privilege assignment vulnerability when writing application-specific files in the Palo Alto Networks Global Protect Agent for Linux on ARM platform allows a local authenticated user to gain root privileges on the system.

7.2
2020-04-08 CVE-2020-1988 Paloaltonetworks Unquoted Search Path or Element vulnerability in Paloaltonetworks Globalprotect

An unquoted search path vulnerability in the Windows release of Global Protect Agent allows an authenticated local user with file creation privileges on the root of the OS disk (C:\) or to Program Files directory to gain system privileges.

7.2
2020-04-08 CVE-2020-1984 Paloaltonetworks Improper Input Validation vulnerability in Paloaltonetworks Secdo

Secdo tries to execute a script at a hardcoded path if present, which allows a local authenticated user with 'create folders or append data' access to the root of the OS disk (C:\) to gain system privileges if the path does not already exist or is writable.

7.2
2020-04-08 CVE-2020-10263 MI Improper Input Validation vulnerability in MI Xiaomi Xiaoai Speaker PRO Lx06 Firmware 1.52.4

An issue was discovered on XIAOMI XIAOAI speaker Pro LX06 1.52.4.

7.2
2020-04-08 CVE-2020-10262 MI Improper Input Validation vulnerability in MI Xiaomi Xiaoai Speaker PRO Lx06 Firmware 1.58.10

An issue was discovered on XIAOMI XIAOAI speaker Pro LX06 1.58.10.

7.2
2020-04-08 CVE-2018-21070 Google
Qualcomm
Improper Validation of Integrity Check Value vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.0) devices (MSM8998 or SDM845 chipsets) software.

7.2
2020-04-08 CVE-2019-20636 Linux Out-of-bounds Write vulnerability in Linux Kernel

In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7.

7.2
2020-04-08 CVE-2019-15789 Canonical Unspecified vulnerability in Canonical Microk8S

Privilege escalation vulnerability in MicroK8s allows a low privilege user with local access to obtain root access to the host by provisioning a privileged container.

7.2
2020-04-07 CVE-2019-13559 GE Use of Hard-coded Credentials vulnerability in GE Mark VIE Controll System

GE Mark VIe Controller is shipped with pre-configured hard-coded credentials that may allow root-user access to the controller.

7.2
2020-04-07 CVE-2016-11034 Google Improper Handling of Exceptional Conditions vulnerability in Google Android 5.0/5.1/6.0

An issue was discovered on Samsung mobile devices with L(5.0/5.1) and M(6.0) software.

7.1

208 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-04-08 CVE-2020-1618 Juniper Improper Authentication vulnerability in Juniper Junos 14.1X53/15.1/18.2

On Juniper Networks EX and QFX Series, an authentication bypass vulnerability may allow a user connected to the console port to login as root without any password.

6.9
2020-04-06 CVE-2020-11507 Malwarebytes Untrusted Search Path vulnerability in Malwarebytes Adwcleaner 8.0.3

An Untrusted Search Path vulnerability in Malwarebytes AdwCleaner 8.0.3 could cause arbitrary code execution with SYSTEM privileges when a malicious DLL library is loaded.

6.9
2020-04-12 CVE-2020-11706 Provideserver Cross-Site Request Forgery (CSRF) vulnerability in Provideserver Provide FTP Server 13.1

An issue was discovered in ProVide (formerly zFTPServer) through 13.1.

6.8
2020-04-12 CVE-2020-11701 Provideserver Cross-Site Request Forgery (CSRF) vulnerability in Provideserver Provide FTP Server 13.1

An issue was discovered in ProVide (formerly zFTPServer) through 13.1.

6.8
2020-04-10 CVE-2020-3952 Vmware Incorrect Authorization vulnerability in VMWare Vcenter Server 6.7

Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.

6.8
2020-04-09 CVE-2020-1895 Facebook Integer Overflow or Wraparound vulnerability in Facebook Instagram

A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions.

6.8
2020-04-09 CVE-2020-11553 Castlerock Cross-Site Request Forgery (CSRF) vulnerability in Castlerock Snmpc Online 12.10.10

An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28.

6.8
2020-04-08 CVE-2018-21040 Google
Samsung
Use After Free vulnerability in Google Android 8.0/8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (Exynos 9810 chipsets) software.

6.8
2020-04-08 CVE-2018-21086 Google Race Condition vulnerability in Google Android

An issue was discovered on Samsung mobile devices with L(5.x), M(6.0), and N(7.x) software.

6.8
2020-04-08 CVE-2018-21085 Google Use After Free vulnerability in Google Android

An issue was discovered on Samsung mobile devices with L(5.x), M(6.0), and N(7.x) software.

6.8
2020-04-08 CVE-2018-21084 Google Use After Free vulnerability in Google Android

An issue was discovered on Samsung mobile devices with L(5.1), M(6.0), and N(7.x) software.

6.8
2020-04-08 CVE-2020-5736 Amcrest NULL Pointer Dereference vulnerability in Amcrest products

Amcrest cameras and NVR are vulnerable to a null pointer dereference over port 37777.

6.8
2020-04-08 CVE-2020-5549 Plathome Cross-Site Request Forgery (CSRF) vulnerability in Plathome products

Cross-site request forgery (CSRF) vulnerability in EasyBlocks IPv6 Ver.

6.8
2020-04-08 CVE-2020-11627 Primekey Cross-Site Request Forgery (CSRF) vulnerability in Primekey Ejbca 7.0.0

An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2.

6.8
2020-04-07 CVE-2020-11620 Fasterxml
Debian
Netapp
Oracle
Deserialization of Untrusted Data vulnerability in multiple products

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

6.8
2020-04-07 CVE-2020-11619 Fasterxml
Debian
Netapp
Oracle
Deserialization of Untrusted Data vulnerability in multiple products

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

6.8
2020-04-07 CVE-2020-9286 Fortinet Incorrect Authorization vulnerability in Fortinet Fortiadc Firmware

An improper authorization vulnerability in FortiADC may allow a remote authenticated user with low privileges to perform certain actions such as rebooting the system.

6.8
2020-04-07 CVE-2020-11610 Cross Domain Local Storage Project Improper Input Validation vulnerability in Cross Domain Local Storage Project Cross Domain Local Storage

An issue was discovered in xdLocalStorage through 2.0.5.

6.8
2020-04-07 CVE-2017-18647 Google Race Condition vulnerability in Google Android 6.0/6.0.1/7.0

An issue was discovered on Samsung mobile devices with M(6,x) and N(7.0) software.

6.8
2020-04-07 CVE-2020-7613 Clamscan Project Injection vulnerability in Clamscan Project Clamscan

clamscan through 1.2.0 is vulnerable to Command Injection.

6.8
2020-04-07 CVE-2017-18692 Google
Qualcomm
Samsung
Race Condition vulnerability in Google Android 6.0/7.0

An issue was discovered on Samsung mobile devices with M(6.0) and N(7.0) (MSM8939, MSM8996, MSM8998, Exynos7580, Exynos8890, or Exynos8895 chipsets) software.

6.8
2020-04-07 CVE-2016-11030 Google Race Condition vulnerability in Google Android

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), and M(6.0) (with Hrm sensor support) software.

6.8
2020-04-07 CVE-2016-11052 Google Improper Input Validation vulnerability in Google Android 5.0/5.1

An issue was discovered on Samsung mobile devices with L(5.0/5.1) software.

6.8
2020-04-07 CVE-2016-11045 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 5.0/5.1

An issue was discovered on Samsung mobile devices with L(5.0/5.1) software.

6.8
2020-04-06 CVE-2020-11102 Qemu Out-of-bounds Write vulnerability in Qemu 4.2.0

hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length.

6.8
2020-04-06 CVE-2020-10266 Universal Robots Insufficient Verification of Data Authenticity vulnerability in Universal-Robots Ur+

UR+ (Universal Robots+) is a platform of hardware and software component sellers, for Universal Robots robots.

6.8
2020-04-12 CVE-2020-11707 Provideserver Improper Input Validation vulnerability in Provideserver Provide FTP Server 13.1

An issue was discovered in ProVide (formerly zFTPServer) through 13.1.

6.5
2020-04-10 CVE-2020-6765 Dlink OS Command Injection vulnerability in Dlink Dsl-Gs225 Firmware Au1.0.4

D-Link DSL-GS225 J1 AU_1.0.4 devices allow an admin to execute OS commands by placing shell metacharacters after a supported CLI command, as demonstrated by ping -c1 127.0.0.1; cat/etc/passwd.

6.5
2020-04-10 CVE-2020-4362 IBM Improper Privilege Management vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector.

6.5
2020-04-09 CVE-2020-9499 Dahuasecurity Classic Buffer Overflow vulnerability in Dahuasecurity products

Some Dahua products have buffer overflow vulnerabilities.

6.5
2020-04-09 CVE-2020-10603 Advantech OS Command Injection vulnerability in Advantech Webaccess/Nms

WebAccess/NMS (versions prior to 3.0.2) does not properly sanitize user input and may allow an attacker to inject system commands remotely.

6.5
2020-04-08 CVE-2020-8828 Linuxfoundation Improper Privilege Management vulnerability in Linuxfoundation Argo Continuous Delivery

As of v1.5.0, the default admin password is set to the argocd-server pod name.

6.5
2020-04-08 CVE-2020-11629 Primekey Unrestricted Upload of File with Dangerous Type vulnerability in Primekey Ejbca 7.0.0

An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2.

6.5
2020-04-07 CVE-2019-13554 GE Incorrect Authorization vulnerability in GE Mark VIE Control System

GE Mark VIe Controller has an unsecured Telnet protocol that may allow a user to create an authenticated session using generic default credentials.

6.5
2020-04-07 CVE-2020-11561 Nchsoftware Improper Privilege Management vulnerability in Nchsoftware Express Invoice 7.25

In NCH Express Invoice 7.25, an authenticated low-privilege user can enter a crafted URL to access higher-privileged functionalities such as the "Add New Item" screen.

6.5
2020-04-07 CVE-2017-18649 Google
Qualcomm
Improper Validation of Integrity Check Value vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) software.

6.5
2020-04-06 CVE-2020-11544 Projectworlds Unrestricted Upload of File with Dangerous Type vulnerability in Projectworlds Official CAR Rental System 1.0

An issue was discovered in Project Worlds Official Car Rental System 1.

6.5
2020-04-10 CVE-2019-18375 Broadcom Unspecified vulnerability in Broadcom Advanced Secure Gateway and Symantec Proxysg

The ASG and ProxySG management consoles are susceptible to a session hijacking vulnerability.

6.4
2020-04-09 CVE-2020-10619 Advantech Path Traversal vulnerability in Advantech Webaccess/Nms

An attacker could use a specially crafted URL to delete files outside the WebAccess/NMS's (versions prior to 3.0.2) control.

6.4
2020-04-08 CVE-2020-11604 Google Out-of-bounds Read vulnerability in Google Android 10.0/9.0

An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (incorporating TEEGRIS) software.

6.4
2020-04-08 CVE-2018-21081 Google Incorrect Permission Assignment for Critical Resource vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) software.

6.4
2020-04-07 CVE-2020-5302 MH Wikibot Project Improper Privilege Management vulnerability in Mh-Wikibot Project Mh-Wikibot

MH-WikiBot (an IRC Bot for interacting with the Miraheze API), had a bug that allowed any unprivileged user to access the steward commands on the IRC interface by impersonating the Nickname used by a privileged user as no check was made to see if they were logged in.

6.4
2020-04-07 CVE-2019-4391 Hcltech XXE vulnerability in Hcltech Appscan 9.0.3.13/9.0.3.14

HCL AppScan Standard is vulnerable to XML External Entity Injection (XXE) attack when processing XML data

6.4
2020-04-07 CVE-2017-18648 Google Improper Input Validation vulnerability in Google Android

An issue was discovered on Samsung mobile devices with KK(4.4.x), L(5.x), M(6.x), and N(7.x) software.

6.4
2020-04-07 CVE-2016-11049 Google Unspecified vulnerability in Google Android

An issue was discovered on Samsung mobile devices with software through 2016-01-16 (Shannon333/308/310 chipsets).

6.4
2020-04-06 CVE-2020-11580 Pulsesecure Improper Certificate Validation vulnerability in Pulsesecure Pulse Connect Secure 7.1/7.4

An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06.

6.4
2020-04-10 CVE-2015-9546 Google Path Traversal vulnerability in Google Android 4.4

An issue was discovered on Samsung mobile devices with KK(4.4) and later software through 2015-06-16.

5.8
2020-04-08 CVE-2020-1637 Juniper Improper Authentication vulnerability in Juniper Junos

A vulnerability in Juniper Networks SRX Series device configured as a Junos OS Enforcer device may allow a user to access network resources that are not permitted by a UAC policy.

5.8
2020-04-08 CVE-2020-5550 Plathome Session Fixation vulnerability in Plathome products

Session fixation vulnerability in EasyBlocks IPv6 Ver.

5.8
2020-04-07 CVE-2020-11611 Cross Domain Local Storage Project Open Redirect vulnerability in Cross Domain Local Storage Project Cross Domain Local Storage

An issue was discovered in xdLocalStorage through 2.0.5.

5.8
2020-04-07 CVE-2015-9545 Cross Domain Local Storage Project Improper Input Validation vulnerability in Cross Domain Local Storage Project Cross Domain Local Storage

An issue was discovered in xdLocalStorage through 2.0.5.

5.8
2020-04-07 CVE-2015-9544 Cross Domain Local Storage Project Improper Input Validation vulnerability in Cross Domain Local Storage Project Cross Domain Local Storage

An issue was discovered in xdLocalStorage through 2.0.5.

5.8
2020-04-07 CVE-2020-11515 Rankmath Open Redirect vulnerability in Rankmath

The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to create new URIs (that redirect to an external web site) via the unsecured rankmath/v1/updateRedirection REST API endpoint.

5.8
2020-04-07 CVE-2017-18665 Google NULL Pointer Dereference vulnerability in Google Android 6.0

An issue was discovered on Samsung mobile devices with M(6.0) software.

5.8
2020-04-06 CVE-2020-1728 Redhat
Quarkus
Improper Restriction of Rendered UI Layers or Frames vulnerability in multiple products

A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses.

5.8
2020-04-06 CVE-2020-10264 Universal Robots Missing Authentication for Critical Function vulnerability in Universal-Robots UR Software

CB3 SW Version 3.3 and upwards, e-series SW Version 5.0 and upwards allow authenticated access to the RTDE (Real-Time Data Exchange) interface on port 30004 which allows setting registers, the speed slider fraction as well as digital and analog Outputs.

5.8
2020-04-09 CVE-2020-11668 Linux NULL Pointer Dereference vulnerability in Linux Kernel

In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770.

5.6
2020-04-08 CVE-2020-4290 IBM Authentication Bypass by Spoofing vulnerability in IBM Security Information Queue

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow any authenticated user to spoof the configuration owner of any other user which disclose sensitive information or allow for unauthorized access.

5.5
2020-04-12 CVE-2020-11724 Openresty
Debian
HTTP Request Smuggling vulnerability in multiple products

An issue was discovered in OpenResty before 1.15.8.4.

5.0
2020-04-12 CVE-2020-11713 Wolfssl Use of a Broken or Risky Cryptographic Algorithm vulnerability in Wolfssl 4.3.0

wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks.

5.0
2020-04-12 CVE-2020-11709 CPP Httplib Project Injection vulnerability in Cpp-Httplib Project Cpp-Httplib

cpp-httplib through 0.5.8 does not filter \r\n in parameters passed into the set_redirect and set_header functions, which creates possibilities for CRLF injection and HTTP response splitting in some specific contexts.

5.0
2020-04-12 CVE-2020-11703 Provideserver Injection vulnerability in Provideserver Provide FTP Server 13.1

An issue was discovered in ProVide (formerly zFTPServer) through 13.1.

5.0
2020-04-10 CVE-2020-11694 Jetbrains Insufficiently Protected Credentials vulnerability in Jetbrains Pycharm 2019.2.5/2019.3

In JetBrains PyCharm 2019.2.5 and 2019.3 on Windows, Apple Notarization Service credentials were included.

5.0
2020-04-10 CVE-2020-11647 Wireshark
Debian
Opensuse
Injection vulnerability in multiple products

In Wireshark 3.2.0 to 3.2.2, 3.0.0 to 3.0.9, and 2.6.0 to 2.6.15, the BACapp dissector could crash.

5.0
2020-04-10 CVE-2020-5330 Dell Information Exposure vulnerability in Dell products

Dell EMC Networking X-Series firmware versions 3.0.1.2 and older, Dell EMC Networking PC5500 firmware versions 4.1.0.22 and older and Dell EMC PowerEdge VRTX Switch Modules firmware versions 2.0.0.77 and older contain an information disclosure vulnerability.

5.0
2020-04-09 CVE-2020-10629 Advantech XXE vulnerability in Advantech Webaccess/Nms

WebAccess/NMS (versions prior to 3.0.2) does not sanitize XML input.

5.0
2020-04-09 CVE-2020-10617 Advantech SQL Injection vulnerability in Advantech Webaccess/Nms

There are multiple ways an unauthenticated attacker could perform SQL injection on WebAccess/NMS (versions prior to 3.0.2) to gain access to sensitive information.

5.0
2020-04-09 CVE-2020-11557 Castlerock Insufficiently Protected Credentials vulnerability in Castlerock Snmpc Online 12.10.10

An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28.

5.0
2020-04-09 CVE-2020-11555 Castlerock Insufficiently Protected Credentials vulnerability in Castlerock Snmpc Online 12.10.10

An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28.

5.0
2020-04-09 CVE-2020-11554 Castlerock Information Exposure vulnerability in Castlerock Snmpc Online 12.10.10

An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28.

5.0
2020-04-09 CVE-2020-11655 Sqlite
Netapp
Debian
Canonical
Oracle
Improper Initialization vulnerability in multiple products

SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.

5.0
2020-04-08 CVE-2020-11653 Varnish Cache Improper Input Validation vulnerability in Varnish-Cache Varnish Cache

An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2.

5.0
2020-04-08 CVE-2020-11650 Ixsystems Improper Authentication vulnerability in Ixsystems Freenas Firmware and Truenas Firmware

An issue was discovered in iXsystems FreeNAS (and TrueNAS) 11.2 before 11.2-u8 and 11.3 before 11.3-U1.

5.0
2020-04-08 CVE-2019-20637 Varnish Cache Information Exposure vulnerability in Varnish-Cache Varnish Cache 6.0.2/6.0.3/6.0.4

An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1.

5.0
2020-04-08 CVE-2020-8827 Linuxfoundation Improper Authentication vulnerability in Linuxfoundation Argo Continuous Delivery

As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures.

5.0
2020-04-08 CVE-2020-8826 Linuxfoundation Session Fixation vulnerability in Linuxfoundation Argo Continuous Delivery

As of v1.5.0, the Argo web interface authentication system issued immutable tokens.

5.0
2020-04-08 CVE-2020-1639 Juniper Improper Handling of Exceptional Conditions vulnerability in Juniper Junos

When an attacker sends a specific crafted Ethernet Operation, Administration, and Maintenance (Ethernet OAM) packet to a target device, it may improperly handle the incoming malformed data and fail to sanitize this incoming data resulting in an overflow condition.

5.0
2020-04-08 CVE-2020-1638 Juniper Improper Input Validation vulnerability in Juniper Junos and Junos Evolved

The FPC (Flexible PIC Concentrator) of Juniper Networks Junos OS and Junos OS Evolved may restart after processing a specific IPv4 packet.

5.0
2020-04-08 CVE-2020-1628 Juniper Information Exposure vulnerability in Juniper Junos 14.1X53/15.1/18.2

Juniper Networks Junos OS uses the 128.0.0.0/2 subnet for internal communications between the RE and PFEs.

5.0
2020-04-08 CVE-2020-1627 Juniper Improper Input Validation vulnerability in Juniper Junos

A vulnerability in Juniper Networks Junos OS on vMX and MX150 devices may allow an attacker to cause a Denial of Service (DoS) by sending specific packets requiring special processing in microcode that the flow cache can't handle, causing the riot forwarding daemon to crash.

5.0
2020-04-08 CVE-2020-1626 Juniper Resource Exhaustion vulnerability in Juniper Junos OS Evolved 18.3

A vulnerability in Juniper Networks Junos OS Evolved may allow an attacker to cause a Denial of Service (DoS) by sending a high rate of specific packets to the device, resulting in a pfemand process crash.

5.0
2020-04-08 CVE-2020-1616 Juniper Improper Restriction of Excessive Authentication Attempts vulnerability in Juniper products

Due to insufficient server-side login attempt limit enforcement, a vulnerability in the SSH login service of Juniper Networks Juniper Advanced Threat Prevention (JATP) Series and Virtual JATP (vJATP) devices allows an unauthenticated, remote attacker to perform multiple login attempts in excess of the configured login attempt limit.

5.0
2020-04-08 CVE-2020-1613 Juniper Improper Input Validation vulnerability in Juniper Junos 12.3/15.1/16.1

A vulnerability in the BGP FlowSpec implementation may cause a Juniper Networks Junos OS device to terminate an established BGP session upon receiving a specific BGP FlowSpec advertisement.

5.0
2020-04-08 CVE-2020-10978 Gitlab Information Exposure vulnerability in Gitlab

GitLab EE/CE 8.11 to 12.9 is leaking information on Issues opened in a public project and then moved to a private project through Web-UI and GraphQL API.

5.0
2020-04-08 CVE-2020-10976 Gitlab Information Exposure vulnerability in Gitlab

GitLab EE/CE 8.17 to 12.9 is vulnerable to information leakage when querying a merge request widget.

5.0
2020-04-08 CVE-2020-11576 Cncf Information Exposure vulnerability in Cncf Argo Continuous Delivery

Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts because /api/v1/session returned 401 for an existing username and 404 otherwise.

5.0
2020-04-08 CVE-2018-21079 Google Memory Leak vulnerability in Google Android

An issue was discovered on Samsung mobile devices with L(5.x), M(6.0), N(7.x), and O(8.0) software.

5.0
2020-04-08 CVE-2018-21078 Google Improper Input Validation vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.0), N(7.x), and O(8.0) software.

5.0
2020-04-08 CVE-2018-21069 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) (MediaTek chipsets) software.

5.0
2020-04-08 CVE-2018-21067 Google Information Exposure vulnerability in Google Android 6.0

An issue was discovered on Samsung mobile devices with M(6.0) software.

5.0
2020-04-08 CVE-2018-21060 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software.

5.0
2020-04-08 CVE-2018-21059 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software.

5.0
2020-04-08 CVE-2018-21047 Google Missing Authorization vulnerability in Google Android 8.0/8.1

An issue was discovered on Samsung mobile devices with O(8.x) software.

5.0
2020-04-08 CVE-2018-21041 Google Missing Authentication for Critical Function vulnerability in Google Android 8.0/8.1

An issue was discovered on Samsung mobile devices with O(8.x) software.

5.0
2020-04-08 CVE-2018-21039 Google Incorrect Authorization vulnerability in Google Android 7.0

An issue was discovered on Samsung mobile devices with N(7.0) software.

5.0
2020-04-08 CVE-2020-11607 Google Information Exposure vulnerability in Google Android 10.0/9.0

An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software.

5.0
2020-04-08 CVE-2020-11605 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software.

5.0
2020-04-08 CVE-2018-21083 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.0), N(7.x), and O(8.0) (Exynos or Qualcomm chipsets) software.

5.0
2020-04-08 CVE-2020-4289 IBM Information Exposure vulnerability in IBM Security Information Queue

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag.

5.0
2020-04-08 CVE-2020-4284 IBM Information Exposure vulnerability in IBM Security Information Queue

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web UI.

5.0
2020-04-08 CVE-2017-18643 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.x) and N(7.x) software.

5.0
2020-04-08 CVE-2020-11628 Primekey Incorrect Authorization vulnerability in Primekey Ejbca 7.0.0

An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2.

5.0
2020-04-08 CVE-2020-10366 Logicaldoc Path Traversal vulnerability in Logicaldoc

LogicalDoc before 8.3.3 allows /servlet.gupld Directory Traversal, a different vulnerability than CVE-2020-9423 and CVE-2020-10365.

5.0
2020-04-07 CVE-2020-11612 Netty
Debian
Fedoraproject
Netapp
Resource Exhaustion vulnerability in multiple products

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream.

5.0
2020-04-07 CVE-2019-17657 Fortinet Resource Exhaustion vulnerability in Fortinet products

An Uncontrolled Resource Consumption vulnerability in Fortinet FortiSwitch below 3.6.11, 6.0.6 and 6.2.2, FortiAnalyzer below 6.2.3, FortiManager below 6.2.3 and FortiAP-S/W2 below 6.2.2 may allow an attacker to cause admin webUI denial of service (DoS) via handling special crafted HTTP requests/responses in pieces slowly, as demonstrated by Slow HTTP DoS Attacks.

5.0
2020-04-07 CVE-2013-7488 Convert Infinite Loop vulnerability in Convert::Asn1 Project Convert::Asn1

perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows remote attackers to cause an infinite loop via unexpected input.

5.0
2020-04-07 CVE-2019-4393 Hcltech Improper Restriction of Excessive Authentication Attempts vulnerability in Hcltech Appscan 10.0.0/9.0.3.13/9.0.3.14

HCL AppScan Standard is vulnerable to excessive authorization attempts

5.0
2020-04-07 CVE-2017-18688 Google Out-of-bounds Read vulnerability in Google Android 5.1/6.0/7.0

An issue was discovered on Samsung mobile devices with L(5.1), M(6.0), and N(7.0) software.

5.0
2020-04-07 CVE-2017-18687 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), M(6.0), and N(7.0) software.

5.0
2020-04-07 CVE-2017-18686 Google Information Exposure vulnerability in Google Android 6.0/7.0

An issue was discovered on Samsung mobile devices with M(6.0) and N(7.0) software.

5.0
2020-04-07 CVE-2017-18678 Google Improper Handling of Exceptional Conditions vulnerability in Google Android

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), M(6.0), and N(7.x) software.

5.0
2020-04-07 CVE-2017-18677 Google Missing Authorization vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.0) and N(7.x) software.

5.0
2020-04-07 CVE-2017-18676 Google Improper Input Validation vulnerability in Google Android 7.0

An issue was discovered on Samsung mobile devices with N(7.0) (Qualcomm chipsets) software.

5.0
2020-04-07 CVE-2017-18675 Google
Samsung
Missing Release of Resource after Effective Lifetime vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.0) and N(7.x) (Exynos7420 or Exynox8890 chipsets) software.

5.0
2020-04-07 CVE-2017-18671 Google Improper Handling of Exceptional Conditions vulnerability in Google Android

An issue was discovered on Samsung mobile devices with L(5.0/5.1), M(6.0), and N(7.x) software.

5.0
2020-04-07 CVE-2017-18670 Google Improper Handling of Exceptional Conditions vulnerability in Google Android

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), and M(6.0) software.

5.0
2020-04-07 CVE-2017-18669 Google Incorrect Default Permissions vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) software.

5.0
2020-04-07 CVE-2017-18668 Google Incorrect Default Permissions vulnerability in Google Android 6.0

An issue was discovered on Samsung mobile devices with M(6.0) software.

5.0
2020-04-07 CVE-2017-18667 Google Improper Input Validation vulnerability in Google Android

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), M(6.0), and N(7.x) software.

5.0
2020-04-07 CVE-2017-18666 Google Missing Authorization vulnerability in Google Android

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), M(6.0), and N(7.x) software.

5.0
2020-04-07 CVE-2017-18664 Google NULL Pointer Dereference vulnerability in Google Android

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), and M(6.0) software.

5.0
2020-04-07 CVE-2017-18663 Google Improper Handling of Exceptional Conditions vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) software.

5.0
2020-04-07 CVE-2017-18662 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.0) and N(7.x) software.

5.0
2020-04-07 CVE-2017-18659 Google Improper Handling of Exceptional Conditions vulnerability in Google Android

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), M(6.0), and N(7.x) software.

5.0
2020-04-07 CVE-2017-18658 Google NULL Pointer Dereference vulnerability in Google Android 6.0

An issue was discovered on Samsung mobile devices with M(6.0) software.

5.0
2020-04-07 CVE-2017-18657 Google Improper Check for Unusual or Exceptional Conditions vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.0) and N(7.x) software.

5.0
2020-04-07 CVE-2017-18656 Google Out-of-bounds Read vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.0) and N(7.x) software.

5.0
2020-04-07 CVE-2017-18654 Google Improper Authentication vulnerability in Google Android 6.0/7.0/7.1

An issue was discovered on Samsung mobile devices with M(6.0) and N(7.0, 7.1) software.

5.0
2020-04-07 CVE-2017-18651 Google Integer Overflow or Wraparound vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.x) and N(7.x) software.

5.0
2020-04-07 CVE-2017-18650 Google Improper Check for Unusual or Exceptional Conditions vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) software.

5.0
2020-04-07 CVE-2020-7618 SDS Project Improper Input Validation vulnerability in SDS Project SDS

sds through 3.2.0 is vulnerable to Prototype Pollution.The library could be tricked into adding or modifying properties of the 'Object.prototype' by abusing the 'set' function located in 'js/set.js'.

5.0
2020-04-07 CVE-2020-7616 Express Mock Middleware Project Improper Input Validation vulnerability in Express-Mock-Middleware Project Express-Mock-Middleware 0.0.6

express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution.

5.0
2020-04-07 CVE-2017-18694 Google
Samsung
Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with software through 2016-10-25 (Exynos5 chipsets).

5.0
2020-04-07 CVE-2016-11032 Google Improper Input Validation vulnerability in Google Android 6.0

An issue was discovered on Samsung mobile devices with M(6.0) software.

5.0
2020-04-07 CVE-2016-11029 Google Insufficiently Protected Credentials vulnerability in Google Android

An issue was discovered on Samsung mobile devices with L(5.0/5.1), M(6.0), and N(7.0) software.

5.0
2020-04-07 CVE-2016-11046 Google Improper Input Validation vulnerability in Google Android

An issue was discovered on Samsung mobile devices with JBP(4.3), KK(4.4), and L(5.0/5.1) software.

5.0
2020-04-07 CVE-2016-11043 Google Inadequate Encryption Strength vulnerability in Google Android 6.0

An issue was discovered on Samsung mobile devices with M(6.0) software.

5.0
2020-04-07 CVE-2016-11042 Google Improper Authentication vulnerability in Google Android 5.0/5.1/6.0

An issue was discovered on Samsung mobile devices with L(5.0/5.1) and M(6.0) software.

5.0
2020-04-06 CVE-2020-11587 Cipplanner Information Exposure vulnerability in Cipplanner Cipace 6.80

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801.

5.0
2020-04-06 CVE-2020-11599 Cipplanner Information Exposure vulnerability in Cipplanner Cipace 6.80

An issue was discovered in CIPPlanner CIPAce 6.80 Build 2016031401.

5.0
2020-04-06 CVE-2020-11596 Cipplanner Path Traversal vulnerability in Cipplanner Cipace 6.80

A Directory Traversal issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801.

5.0
2020-04-06 CVE-2020-11595 Cipplanner Information Exposure vulnerability in Cipplanner Cipace 6.80

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801.

5.0
2020-04-06 CVE-2020-11594 Cipplanner Information Exposure vulnerability in Cipplanner Cipace 6.80

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801.

5.0
2020-04-06 CVE-2020-11593 Cipplanner Injection vulnerability in Cipplanner Cipace 6.80

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801.

5.0
2020-04-06 CVE-2020-11592 Cipplanner Information Exposure vulnerability in Cipplanner Cipace 6.80

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801.

5.0
2020-04-06 CVE-2020-11591 Cipplanner Information Exposure vulnerability in Cipplanner Cipace 6.80

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801.

5.0
2020-04-06 CVE-2020-11590 Cipplanner Information Exposure vulnerability in Cipplanner Cipace 6.80

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801.

5.0
2020-04-06 CVE-2020-11589 Cipplanner Information Exposure vulnerability in Cipplanner Cipace 6.80

An Insecure Direct Object Reference issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801.

5.0
2020-04-06 CVE-2020-11588 Cipplanner Information Exposure vulnerability in Cipplanner Cipace 6.80

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801.

5.0
2020-04-06 CVE-2020-8004 ST Information Exposure vulnerability in ST Stm32F1 Firmware

STMicroelectronics STM32F1 devices have Incorrect Access Control.

5.0
2020-04-06 CVE-2020-7639 DOT Project Improper Input Validation vulnerability in DOT Project DOT 0.2.0/1.0.1/1.0.3

eivindfjeldstad-dot below 1.0.3 is vulnerable to Prototype Pollution.The function 'set' could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.

5.0
2020-04-06 CVE-2020-7638 Confinit Project Improper Input Validation vulnerability in Confinit Project Confinit 0.1.0/0.2.0/0.3.0

confinit through 0.3.0 is vulnerable to Prototype Pollution.The 'setDeepProperty' function could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.

5.0
2020-04-06 CVE-2020-7637 Class Transformer Project Improper Input Validation vulnerability in Class-Transformer Project Class-Transformer

class-transformer before 0.3.1 allow attackers to perform Prototype Pollution.

5.0
2020-04-06 CVE-2020-10267 Universal Robots Missing Encryption of Sensitive Data vulnerability in Universal-Robots UR Software

Universal Robots control box CB 3.1 across firmware versions (tested on 1.12.1, 1.12, 1.11 and 1.10) does not encrypt or protect in any way the intellectual property artifacts installed from the UR+ platform of hardware and software components (URCaps).

5.0
2020-04-09 CVE-2020-8834 Linux
Canonical
Race Condition vulnerability in multiple products

KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption.

4.9
2020-04-08 CVE-2020-1986 Paloaltonetworks Improper Input Validation vulnerability in Paloaltonetworks Secdo

Improper input validation vulnerability in Secdo allows an authenticated local user with 'create folders or append data' access to the root of the OS disk (C:\) to cause a system crash on every login.

4.9
2020-04-07 CVE-2020-11609 Linux
Canonical
NULL Pointer Dereference vulnerability in multiple products

An issue was discovered in the stv06xx subsystem in the Linux kernel before 5.6.1.

4.9
2020-04-07 CVE-2017-18672 Google Improper Handling of Exceptional Conditions vulnerability in Google Android

An issue was discovered on Samsung mobile devices with L(5.0/5.1), M(6.0), and N(7.x) software.

4.9
2020-04-07 CVE-2020-11608 Linux
Canonical
NULL Pointer Dereference vulnerability in multiple products

An issue was discovered in the Linux kernel before 5.6.1.

4.9
2020-04-07 CVE-2016-11035 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android

An issue was discovered on Samsung mobile devices with software through 2016-05-27 (Exynos AP chipsets).

4.9
2020-04-12 CVE-2020-11725 Linux Unspecified vulnerability in Linux Kernel

** DISPUTED ** snd_ctl_elem_add in sound/core/control.c in the Linux kernel through 5.6.3 has a count=info->owner line, which later affects a private_size*count multiplication for unspecified "interesting side effects." NOTE: kernel engineers dispute this finding, because it could be relevant only if new callers were added that were unfamiliar with the misuse of the info->owner field to represent data unrelated to the "owner" concept.

4.6
2020-04-08 CVE-2020-1885 Oculus Improper Privilege Management vulnerability in Oculus Desktop

Writing to an unprivileged file from a privileged OVRRedir.exe process in Oculus Desktop before 1.44.0.32849 on Windows allows local users to write to arbitrary files and consequently gain privileges via vectors involving a hard link to a log file.

4.6
2020-04-08 CVE-2020-1619 Juniper Improper Privilege Management vulnerability in Juniper Junos

A privilege escalation vulnerability in Juniper Networks QFX10K Series, EX9200 Series, MX Series, and PTX Series with Next-Generation Routing Engine (NG-RE), allows a local authenticated high privileged user to access the underlying WRL host.

4.6
2020-04-08 CVE-2020-1985 Paloaltonetworks Incorrect Default Permissions vulnerability in Paloaltonetworks Secdo

Incorrect Default Permissions on C:\Programdata\Secdo\Logs folder in Secdo allows local authenticated users to overwrite system files and gain escalated privileges.

4.6
2020-04-08 CVE-2018-21061 Google Incorrect Default Permissions vulnerability in Google Android 7.1/8.0/8.1

An issue was discovered on Samsung mobile devices with N(7.1) and O(8.x) software.

4.6
2020-04-08 CVE-2018-21082 Google Incorrect Authorization vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) software.

4.6
2020-04-07 CVE-2020-7615 FSA Project OS Command Injection vulnerability in FSA Project FSA 0.5.1

fsa through 0.5.1 is vulnerable to Command Injection.

4.6
2020-04-07 CVE-2016-11047 Google Out-of-bounds Write vulnerability in Google Android 4.2/4.4

An issue was discovered on Samsung mobile devices with JBP(4.2) and KK(4.4) (Marvell chipsets) software.

4.6
2020-04-07 CVE-2016-11044 Google Improper Verification of Cryptographic Signature vulnerability in Google Android 5.0/5.1/6.0

An issue was discovered on Samsung mobile devices with L(5.0/5.1) and M(6.0) (with Fingerprint support) software.

4.6
2020-04-07 CVE-2020-8096 Bitdefender Untrusted Search Path vulnerability in Bitdefender Antimalware Software Development KIT

Untrusted Search Path vulnerability in Bitdefender High-Level Antimalware SDK for Windows allows an attacker to load third party code from a DLL library in the search path.

4.6
2020-04-06 CVE-2020-5832 Symantec Improper Privilege Management vulnerability in Symantec Data Center Security 6.8.1

Symantec Data Center Security Manager Component, prior to 6.8.2 (aka 6.8 MP2), may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

4.6
2020-04-12 CVE-2020-11721 Libsixel Project Access of Uninitialized Pointer vulnerability in Libsixel Project Libsixel 1.8.6

load_png in loader.c in libsixel.a in libsixel 1.8.6 has an uninitialized pointer leading to an invalid call to free, which can cause a denial of service.

4.3
2020-04-12 CVE-2020-11712 Open Upload Project Cross-site Scripting vulnerability in Open Upload Project Open Upload

Open Upload through 0.4.3 allows XSS via index.php?action=u and the filename field.

4.3
2020-04-12 CVE-2020-11704 Provideserver Cross-site Scripting vulnerability in Provideserver Provide FTP Server 13.1

An issue was discovered in ProVide (formerly zFTPServer) through 13.1.

4.3
2020-04-12 CVE-2020-11702 Provideserver Cross-site Scripting vulnerability in Provideserver Provide FTP Server 13.1

An issue was discovered in ProVide (formerly zFTPServer) through 13.1.

4.3
2020-04-10 CVE-2020-5303 Tendermint Out-of-bounds Write vulnerability in Tendermint

Tendermint before versions 0.33.3, 0.32.10, and 0.31.12 has a denial-of-service vulnerability.

4.3
2020-04-10 CVE-2020-1801 Huawei Information Exposure vulnerability in Huawei Mate 30 Firmware and Mate 30 PRO Firmware

There is an improper authentication vulnerability in several smartphones.

4.3
2020-04-10 CVE-2019-18376 Symantec Missing Encryption of Sensitive Data vulnerability in Symantec Management Center 2.2/2.3/2.4

A CSRF token disclosure vulnerability allows a remote attacker, with access to an authenticated Management Center (MC) user's web browser history or a network device that intercepts/logs traffic to MC, to obtain CSRF tokens and use them to perform CSRF attacks against MC.

4.3
2020-04-08 CVE-2020-1634 Juniper Improper Input Validation vulnerability in Juniper Junos 12.3X48

On High-End SRX Series devices, in specific configurations and when specific networking events or operator actions occur, an SPC receiving genuine multicast traffic may core.

4.3
2020-04-08 CVE-2020-1629 Juniper Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Juniper Junos

A race condition vulnerability on Juniper Network Junos OS devices may cause the routing protocol daemon (RPD) process to crash and restart while processing a BGP NOTIFICATION message.

4.3
2020-04-08 CVE-2020-10814 Codeblocks Classic Buffer Overflow vulnerability in Codeblocks Code::Blocks 17.12

A buffer overflow vulnerability in Code::Blocks 17.12 allows an attacker to execute arbitrary code via a crafted project file.

4.3
2020-04-08 CVE-2020-11000 Greenbrowser Project Missing Authorization vulnerability in Greenbrowser Project Greenbrowser 1.1

GreenBrowser before version 1.2 has a vulnerability where apps that rely on URL Parsing to verify that a given URL is pointing to a trust server may be susceptible to many different ways to get URL parsing and verification wrong, which allows an attacker to circumvent the access control.

4.3
2020-04-08 CVE-2020-4291 IBM Session Fixation vulnerability in IBM Security Information Queue

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web UI.

4.3
2020-04-08 CVE-2020-10633 HMS Networks Cross-site Scripting vulnerability in Hms-Networks Ewon Cosy Firmware and Ewon Flexy Firmware

A non-persistent XSS (cross-site scripting) vulnerability exists in eWON Flexy and Cosy (all firmware versions prior to 14.1s0).

4.3
2020-04-08 CVE-2020-11626 Primekey Cross-site Scripting vulnerability in Primekey Ejbca 7.0.0

An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2.

4.3
2020-04-07 CVE-2020-11509 Wpleadplus Cross-site Scripting vulnerability in Wpleadplus WP Lead Plus X

An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows remote attackers to upload page templates containing arbitrary JavaScript via the c37_wpl_import_template admin-post action (which will execute in an administrator's browser if the template is used to create a page).

4.3
2020-04-07 CVE-2017-18689 Google
Samsung
Improper Validation of Integrity Check Value vulnerability in Google Android 6.0/7.0

An issue was discovered on Samsung mobile devices with M(6.0) and N(7.0) (Exynos5433, Exynos7420, or Exynos7870 chipsets) software.

4.3
2020-04-07 CVE-2020-5734 Solarwinds Classic Buffer Overflow vulnerability in Solarwinds Dameware 12.1

Classic buffer overflow in SolarWinds Dameware allows a remote, unauthenticated attacker to cause a denial of service by sending a large 'SigPubkeyLen' during ECDH key exchange.

4.3
2020-04-07 CVE-2020-6171 Communilink Cross-site Scripting vulnerability in Communilink Clink Office 2.0

A cross-site scripting (XSS) vulnerability in the index page of the CLink Office 2.0 management console allows remote attackers to inject arbitrary web script or HTML via the lang parameter.

4.3
2020-04-07 CVE-2020-2174 Jenkins Cross-site Scripting vulnerability in Jenkins Awseb Deployment

Jenkins AWSEB Deployment Plugin 0.3.19 and earlier does not escape various values printed as part of form validation output, resulting in a reflected cross-site scripting vulnerability.

4.3
2020-04-10 CVE-2020-5406 Vmware Insufficiently Protected Credentials vulnerability in VMWare Tanzu Application Service FOR VMS

VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.18, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, includes a version of PCF Autoscaling that writes database connection properties to its log, including database username and password.

4.0
2020-04-09 CVE-2020-7922 Mongodb Improper Certificate Validation vulnerability in Mongodb Enterprise Kubernetes Operator

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances.

4.0
2020-04-09 CVE-2018-21034 Linuxfoundation Information Exposure vulnerability in Linuxfoundation Argo Continuous Delivery

In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git.

4.0
2020-04-09 CVE-2020-5263 Auth0 Insufficiently Protected Credentials vulnerability in Auth0 Auth0.Js

auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability.

4.0
2020-04-09 CVE-2020-9500 Dahuasecurity Improper Input Validation vulnerability in Dahuasecurity products

Some products of Dahua have Denial of Service vulnerabilities.

4.0
2020-04-09 CVE-2020-10623 Advantech SQL Injection vulnerability in Advantech Webaccess/Nms

Multiple vulnerabilities could allow an attacker with low privileges to perform SQL injection on WebAccess/NMS (versions prior to 3.0.2) to gain access to sensitive information.

4.0
2020-04-08 CVE-2020-10981 Gitlab Improper Input Validation vulnerability in Gitlab

GitLab EE/CE 9.0 to 12.9 allows a maintainer to modify other maintainers' pipeline trigger descriptions within the same project.

4.0
2020-04-08 CVE-2020-10979 Gitlab Information Exposure vulnerability in Gitlab

GitLab EE/CE 11.10 to 12.9 is leaking information on restricted CI pipelines metrics to unauthorized users.

4.0
2020-04-08 CVE-2020-10975 Gitlab Information Exposure vulnerability in Gitlab

GitLab EE/CE 10.8 to 12.9 is leaking metadata and comments on vulnerabilities to unauthorized users on the vulnerability feedback page.

4.0
2020-04-08 CVE-2020-4282 IBM Improper Authentication vulnerability in IBM Security Information Queue

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow an authenticated user to perform unauthorized actions by bypassing illegal character restrictions.

4.0
2020-04-08 CVE-2020-4164 IBM Information Exposure vulnerability in IBM Security Information Queue

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could expose sensitive information from applicatino errors which could be used in further attacks against the system.

4.0
2020-04-08 CVE-2019-4603 IBM Incorrect Permission Assignment for Critical Resource vulnerability in IBM Rational Quality Manager 6.0.2/6.0.6/6.0.6.1

IBM Quality Manager (RQM) 6.02, 6.06, and 6.0.6.1 could allow an authenticated user to create keywords through the REST API and have them appear as if they were created by another user.

4.0
2020-04-08 CVE-2019-4601 IBM Information Exposure Through an Error Message vulnerability in IBM Rational Quality Manager 6.0.2/6.0.6/6.0.6.1

IBM Quality Manager (RQM) 6.02, 6.06, and 6.0.6.1 could allow an authenticated user to obtain sensitive information from a stack trace that could aid in further attacks against the system.

4.0
2020-04-08 CVE-2020-11631 Primekey Improper Input Validation vulnerability in Primekey Ejbca 7.0.0

An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2.

4.0
2020-04-07 CVE-2020-9514 Idxbroker Improper Authentication vulnerability in Idxbroker Impress for IDX Broker

An issue was discovered in the IMPress for IDX Broker plugin before 2.6.2 for WordPress.

4.0
2020-04-07 CVE-2017-18653 Google Unspecified vulnerability in Google Android

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), M(6.0), and N(7.x) software.

4.0
2020-04-07 CVE-2020-2172 Jenkins XML Entity Expansion vulnerability in Jenkins Code Coverage API

Jenkins Code Coverage API Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

4.0
2020-04-06 CVE-2020-11585 Dnnsoftware Information Exposure vulnerability in Dnnsoftware Dotnetnuke 9.5.0

There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module.

4.0

62 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-04-08 CVE-2020-1991 Paloaltonetworks Improper Privilege Management vulnerability in Paloaltonetworks Traps

An insecure temporary file vulnerability in Palo Alto Networks Traps allows a local authenticated Windows user to escalate privileges or overwrite system files.

3.6
2020-04-07 CVE-2017-18680 Google Improper Input Validation vulnerability in Google Android 5.0/5.1/6.0

An issue was discovered on Samsung mobile devices with L(5.0/5.1) and M(6.0) (tablets) software.

3.6
2020-04-06 CVE-2020-11565 Linux
Canonical
Out-of-bounds Write vulnerability in multiple products

** DISPUTED ** An issue was discovered in the Linux kernel through 5.6.2.

3.6
2020-04-12 CVE-2020-11714 Etentech Cross-site Scripting vulnerability in Etentech Psg-6528Vm Firmware 1.1

eten PSG-6528VM 1.1 devices allow XSS via System Contact or System Location.

3.5
2020-04-10 CVE-2020-9056 Periscopeholdings Cross-site Scripting vulnerability in Periscopeholdings Buyspeed 14.5

Periscope BuySpeed version 14.5 is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to store arbitrary JavaScript within the application.

3.5
2020-04-09 CVE-2020-11556 Castlerock Cross-site Scripting vulnerability in Castlerock Snmpc Online 12.10.10

An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28.

3.5
2020-04-08 CVE-2020-4252 IBM Cross-site Scripting vulnerability in IBM products

IBM DOORS Next Generation (DNG/RRC) 6.0.2.

3.5
2020-04-08 CVE-2019-4746 IBM Cross-site Scripting vulnerability in IBM products

IBM DOORS Next Generation (DNG/RRC) 6.0.2.

3.5
2020-04-08 CVE-2019-4740 IBM Cross-site Scripting vulnerability in IBM products

IBM DOORS Next Generation (DNG/RRC) 6.0.2.

3.5
2020-04-08 CVE-2019-4737 IBM Cross-site Scripting vulnerability in IBM products

IBM DOORS Next Generation (DNG/RRC) 6.0.2.

3.5
2020-04-08 CVE-2019-4602 IBM Cross-site Scripting vulnerability in IBM Rational Quality Manager 6.0.2/6.0.6/6.0.6.1

IBM Quality Manager (RQM) 6.02, 6.06, and 6.0.6.1 is vulnerable to cross-site scripting.

3.5
2020-04-07 CVE-2020-6647 Fortinet Cross-site Scripting vulnerability in Fortinet Fortiadc Firmware

An improper neutralization of input vulnerability in the dashboard of FortiADC may allow an authenticated attacker to perform a cross site scripting attack (XSS) via the name parameter.

3.5
2020-04-07 CVE-2020-11508 Wpleadplus Cross-site Scripting vulnerability in Wpleadplus WP Lead Plus X

An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows logged-in users with minimal permissions to create or replace existing pages with a malicious page containing arbitrary JavaScript via the wp_ajax_core37_lp_save_page (aka core37_lp_save_page) AJAX action.

3.5
2020-04-07 CVE-2020-11516 Contact Form 7 Datepicker Project Cross-site Scripting vulnerability in Contact-Form-7-Datepicker Project Contact-Form-7-Datepicker 2.6.0

Stored XSS in the Contact Form 7 Datepicker plugin through 2.6.0 for WordPress allows authenticated attackers with minimal permissions to save arbitrary JavaScript to the plugin's settings via the unprotected wp_ajax_cf7dp_save_settings AJAX action and the ui_theme parameter.

3.5
2020-04-07 CVE-2020-11512 Idxbroker Cross-site Scripting vulnerability in Idxbroker Impress FOR IDX Broker

Stored XSS in the IMPress for IDX Broker WordPress plugin before 2.6.2 allows authenticated attackers with minimal (subscriber-level) permissions to save arbitrary JavaScript in the plugin's settings panel via the idx_update_recaptcha_key AJAX action and a crafted idx_recaptcha_site_key parameter, which would then be executed in the browser of any administrator visiting the panel.

3.5
2020-04-07 CVE-2017-18695 Google Insufficiently Protected Credentials vulnerability in Google Android

An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), M(6.0), and N(7.0) software.

3.5
2020-04-07 CVE-2020-2176 Jenkins Cross-site Scripting vulnerability in Jenkins Usemango Runner

Multiple form validation endpoints in Jenkins useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned from the useMango service.

3.5
2020-04-07 CVE-2020-2175 Jenkins Cross-site Scripting vulnerability in Jenkins Fitnesse

Jenkins FitNesse Plugin 1.31 and earlier does not correctly escape report contents before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the XML input files processed by the plugin.

3.5
2020-04-07 CVE-2020-2173 Jenkins Cross-site Scripting vulnerability in Jenkins Gatling

Jenkins Gatling Plugin 1.2.7 and earlier prevents Content-Security-Policy headers from being set for Gatling reports served by the plugin, resulting in an XSS vulnerability exploitable by users able to change report content.

3.5
2020-04-06 CVE-2020-5300 ORY Authentication Bypass by Capture-replay vulnerability in ORY Hydra

In Hydra (an OAuth2 Server and OpenID Certified™ OpenID Connect Provider written in Go), before version 1.4.0+oryOS.17, when using client authentication method 'private_key_jwt' [1], OpenId specification says the following about assertion `jti`: "A unique identifier for the token, which can be used to prevent reuse of the token.

3.5
2020-04-09 CVE-2020-1633 Juniper Improper Input Validation vulnerability in Juniper Junos

Due to a new NDP proxy feature for EVPN leaf nodes introduced in Junos OS 17.4, crafted NDPv6 packets could transit a Junos device configured as a Broadband Network Gateway (BNG) and reach the EVPN leaf node, causing a stale MAC address entry.

3.3
2020-04-08 CVE-2020-1625 Juniper Memory Leak vulnerability in Juniper Junos

The kernel memory usage represented as "temp" via 'show system virtual-memory' may constantly increase when Integrated Routing and Bridging (IRB) is configured with multiple underlay physical interfaces, and one interface flaps.

3.3
2020-04-08 CVE-2018-21092 Google Improper Input Validation vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.x) and N(7.x) software.

3.3
2020-04-06 CVE-2020-11582 Pulsesecure Exposure of Resource to Wrong Sphere vulnerability in Pulsesecure Pulse Connect Secure 7.1/7.4

An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06.

3.3
2020-04-08 CVE-2020-2732 Redhat Information Exposure vulnerability in Redhat Enterprise Linux 7.0/8.0

A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled.

2.3
2020-04-10 CVE-2020-11669 Linux
Opensuse
Redhat
An issue was discovered in the Linux kernel before 5.2 on the powerpc platform.
2.1
2020-04-10 CVE-2020-1802 Huawei Improper Validation of Integrity Check Value vulnerability in Huawei products

There is an insufficient integrity validation vulnerability in several products.

2.1
2020-04-10 CVE-2020-8832 Canonical Information Exposure vulnerability in Canonical Ubuntu Linux 18.04

The fix for the Linux kernel in Ubuntu 18.04 LTS for CVE-2019-14615 ("The Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors.") was discovered to be incomplete, meaning that in versions of the kernel before 4.15.0-91.92, an attacker could use this vulnerability to expose sensitive information.

2.1
2020-04-08 CVE-2020-1630 Juniper Improper Privilege Management vulnerability in Juniper Junos

A privilege escalation vulnerability in Juniper Networks Junos OS devices configured with dual Routing Engines (RE), Virtual Chassis (VC) or high-availability cluster may allow a local authenticated low-privileged user with access to the shell to perform unauthorized configuration modification.

2.1
2020-04-08 CVE-2020-1624 Juniper Information Exposure Through Log Files vulnerability in Juniper Junos OS Evolved 18.3/19.1

A local, authenticated user with shell can obtain the hashed values of login passwords and shared secrets via raw objmon configuration files.

2.1
2020-04-08 CVE-2020-1623 Juniper Information Exposure Through Log Files vulnerability in Juniper Junos OS Evolved 18.3/19.1/19.2

A local, authenticated user with shell can view sensitive configuration information via the ev.ops configuration file.

2.1
2020-04-08 CVE-2020-1622 Juniper Information Exposure Through Log Files vulnerability in Juniper Junos OS Evolved 18.3/19.1

A local, authenticated user with shell can obtain the hashed values of login passwords and shared secrets via the EvoSharedObjStore.

2.1
2020-04-08 CVE-2020-1621 Juniper Information Exposure Through Log Files vulnerability in Juniper Junos OS Evolved

A local, authenticated user with shell can obtain the hashed values of login passwords via configd traces.

2.1
2020-04-08 CVE-2020-1620 Juniper Information Exposure Through Log Files vulnerability in Juniper Junos OS Evolved

A local, authenticated user with shell can obtain the hashed values of login passwords via configd streamer log.

2.1
2020-04-08 CVE-2020-1987 Paloaltonetworks Information Exposure Through Log Files vulnerability in Paloaltonetworks Globalprotect

An information exposure vulnerability in the logging component of Palo Alto Networks Global Protect Agent allows a local authenticated user to read VPN cookie information when the troubleshooting logging level is set to "Dump".

2.1
2020-04-08 CVE-2020-10977 Gitlab Path Traversal vulnerability in Gitlab

GitLab EE/CE 8.5 to 12.9 is vulnerable to a an path traversal when moving an issue between projects.

2.1
2020-04-08 CVE-2018-21080 Google Inadequate Encryption Strength vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) software.

2.1
2020-04-08 CVE-2018-21077 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.0), N(7.x), and O(8.x) software.

2.1
2020-04-08 CVE-2018-21076 Google
Samsung
Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) (Exynos8890/8895 chipsets) software.

2.1
2020-04-08 CVE-2018-21074 Google Information Exposure vulnerability in Google Android 6.0/6.0.1

An issue was discovered on Samsung mobile devices with M(6.x) (Exynos or Qualcomm chipsets) software.

2.1
2020-04-08 CVE-2018-21073 Google
Samsung
Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.0) (Galaxy S9+, Galaxy S9, Galaxy S8+, Galaxy S8, Note 8).

2.1
2020-04-08 CVE-2018-21068 Google Improper Input Validation vulnerability in Google Android 8.0

An issue was discovered on Samsung mobile devices with O(8.0) software.

2.1
2020-04-08 CVE-2018-21062 Google Improper Authentication vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software.

2.1
2020-04-08 CVE-2018-21056 Google Information Exposure vulnerability in Google Android 8.0/8.1

An issue was discovered on Samsung mobile devices with O(8.x) software.

2.1
2020-04-08 CVE-2018-21053 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software.

2.1
2020-04-08 CVE-2018-21048 Google Information Exposure vulnerability in Google Android 8.0/8.1

An issue was discovered on Samsung mobile devices with O(8.x) software.

2.1
2020-04-08 CVE-2018-21046 Google Missing Authorization vulnerability in Google Android 8.0/8.1

An issue was discovered on Samsung mobile devices with O(8.x) software.

2.1
2020-04-08 CVE-2018-21045 Google Information Exposure vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software.

2.1
2020-04-08 CVE-2018-21043 Google
Samsung
Information Exposure vulnerability in Google Android 8.0/8.1/9.0

An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (Exynos 9810 chipsets) software.

2.1
2020-04-08 CVE-2020-11606 Google Information Exposure vulnerability in Google Android 10.0

An issue was discovered on Samsung mobile devices with Q(10.0) software.

2.1
2020-04-08 CVE-2020-11602 Google Information Exposure vulnerability in Google Android 10.0/9.0

An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software.

2.1
2020-04-08 CVE-2020-11601 Google Missing Authorization vulnerability in Google Android 10.0/9.0

An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software.

2.1
2020-04-08 CVE-2017-18646 Google Improper Authentication vulnerability in Google Android

An issue was discovered on Samsung mobile devices with M(6.x) and N(7.x) software.

2.1
2020-04-07 CVE-2020-11560 Nchsoftware Insufficiently Protected Credentials vulnerability in Nchsoftware Express Invoice 7.25

NCH Express Invoice 7.25 allows local users to discover the cleartext password by reading the configuration file.

2.1
2020-04-07 CVE-2017-18673 Google Improper Input Validation vulnerability in Google Android

An issue was discovered on Samsung mobile devices with N(7.x) software.

2.1
2020-04-07 CVE-2016-11040 Google Improper Input Validation vulnerability in Google Android 5.0/5.1

An issue was discovered on Samsung mobile devices with L(5.0/5.1) (with USB OTG MyFile2014_L_ESS support) software.

2.1
2020-04-07 CVE-2016-11027 Google Information Exposure vulnerability in Google Android 6.0

An issue was discovered on Samsung mobile devices with M(6.0) software.

2.1
2020-04-07 CVE-2016-11053 Google Improper Input Validation vulnerability in Google Android

An issue was discovered on Samsung mobile devices with software through 2015-11-11 (supporting FRP/RL).

2.1
2020-04-07 CVE-2016-11050 Samsung Unspecified vulnerability in Samsung products

An issue was discovered on Samsung mobile devices with S3(KK), Note2(KK), S4(L), Note3(L), and S5(L) software.

2.1
2020-04-07 CVE-2016-11048 Google Improper Input Validation vulnerability in Google Android 5.0/5.1

An issue was discovered on Samsung mobile devices with L(5.0/5.1) (Spreadtrum or Marvell chipsets) software.

2.1
2020-04-07 CVE-2016-11041 Google Improper Authentication vulnerability in Google Android 4.4

An issue was discovered on Samsung mobile devices with KK(4.4) software.

2.1
2020-04-08 CVE-2020-1978 Paloaltonetworks Insufficiently Protected Credentials vulnerability in Paloaltonetworks Pan-Os and Vm-Series

TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials.

1.9