Weekly Vulnerabilities Reports > April 27 to May 3, 2020
Overview
333 new vulnerabilities were reported during this period, including 48 critical vulnerabilities and 152 high severity vulnerabilities. This weekly summary reports vulnerabilities in 680 products from 130 vendors including Netgear, Debian, F5, ABB, and Huawei. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Cross-site Scripting", "Classic Buffer Overflow", "OS Command Injection", and "Path Traversal".
- 199 reported vulnerabilities are remotely exploitable.
- 4 reported vulnerabilities have a public exploit available.
- 98 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 182 reported vulnerabilities are exploitable by an anonymous user.
- Netgear has the most reported vulnerabilities, with 95 reported vulnerabilities.
- Debian has the most reported critical vulnerabilities, with 6 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported for the period covered by this report:
48 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-05-02 | CVE-2020-7645 | | OS Command Injection vulnerability in Google Chrome-Launcher All versions of chrome-launcher allow execution of arbitrary commands, by controlling the $HOME environment variable in Linux operating systems. | 9.8 |
2020-05-01 | CVE-2020-10683 | Dom4J Project Oracle Opensuse Netapp Canonical | XXE vulnerability in multiple products dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. | 9.8 |
2020-04-30 | CVE-2020-7136 | HPE | Unspecified vulnerability in HPE Smart Update Manager A security vulnerability in HPE Smart Update Manager (SUM) prior to version 8.5.6 could allow remote unauthorized access. | 9.8 |
2020-04-30 | CVE-2020-11651 | Saltstack Opensuse Debian Canonical Vmware | An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. | 9.8 |
2020-04-29 | CVE-2019-5623 | Accellion | OS Command Injection vulnerability in Accellion File Transfer Appliance 80540 Accellion File Transfer Appliance version FTA_8_0_540 suffers from an instance of CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'). | 9.8 |
2020-04-29 | CVE-2019-5622 | Accellion | Use of Hard-coded Credentials vulnerability in Accellion File Transfer Appliance 80540 Accellion File Transfer Appliance version FTA_8_0_540 suffers from an instance of CWE-798: Use of Hard-coded Credentials. | 9.8 |
2020-04-29 | CVE-2019-5620 | Hitachienergy | Missing Authentication for Critical Function vulnerability in Hitachienergy Microscada PRO Sys600 9.3 ABB MicroSCADA Pro SYS600 version 9.3 suffers from an instance of CWE-306: Missing Authentication for Critical Function. | 9.8 |
2020-04-29 | CVE-2019-5619 | Aasync | Out-of-bounds Write vulnerability in Aasync 2.2.1.0 AASync.com AASync version 2.2.1.0 suffers from an instance of CWE-121: Stack-based Buffer Overflow. | 9.8 |
2020-04-29 | CVE-2020-11942 | Opmantek | SQL Injection vulnerability in Opmantek Open-Audit 3.2.2 An issue was discovered in Open-AudIT 3.2.2. | 9.8 |
2020-04-29 | CVE-2016-11061 | Xerox | OS Command Injection vulnerability in Xerox products Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, and 7970i devices before 073.xxx.086.15410 do not properly escape parameters in the support/remoteUI/configrui.php script, which can allow an unauthenticated attacker to execute OS commands on the device. | 9.8 |
2020-04-29 | CVE-2020-12471 | Mono | Deserialization of Untrusted Data vulnerability in Mono Monox 5.1.40.5152 MonoX through 5.1.40.5152 allows remote code execution via HTML5Upload.ashx or Pages/SocialNetworking/lng/en-US/PhotoGallery.aspx because of deserialization in ModuleGallery.HTML5Upload, ModuleGallery.SilverLightUploadModule, HTML5Upload, and SilverLightUploadHandler. | 9.8 |
2020-04-29 | CVE-2020-11020 | Faye Project | Improper Authentication vulnerability in Faye Project Faye Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5, has the potential for authentication bypass in the extension system. | 9.8 |
2020-04-29 | CVE-2020-8481 | ABB | Insecure Storage of Sensitive Information vulnerability in ABB 800Xa System 5.1 For ABB products ABB Ability™ System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability™ System 800xA/ Advant® OCS Control Builder A 1.3 and 1.4, Advant® OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, confidential data is written in an unprotected file. | 9.8 |
2020-04-29 | CVE-2020-8479 | ABB | XML Injection (aka Blind XPath Injection) vulnerability in ABB 800Xa System, Compact HMI and Control Builder Safe For the Central Licensing Server component used in ABB products ABB Ability™ System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability™ System 800xA/ Advant® OCS Control Builder A 1.3 and 1.4, Advant® OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, ABB AbilityTM SCADAvantage versions 5.1 to 5.6.5. | 9.8 |
2020-04-29 | CVE-2020-12443 | Bigbluebutton | Path Traversal vulnerability in Bigbluebutton BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. | 9.8 |
2020-04-29 | CVE-2019-5614 | Freebsd Netapp | Improper Input Validation vulnerability in multiple products In FreeBSD 12.1-STABLE before r356035, 12.1-RELEASE before 12.1-RELEASE-p4, 11.3-STABLE before r356036, and 11.3-RELEASE before 11.3-RELEASE-p8, incomplete packet data validation may result in accessing out-of-bounds memory leading to a kernel panic or other unpredictable results. | 9.8 |
2020-04-29 | CVE-2019-15874 | Freebsd Netapp | Use After Free vulnerability in multiple products In FreeBSD 12.1-STABLE before r356035, 12.1-RELEASE before 12.1-RELEASE-p4, 11.3-STABLE before r356036, and 11.3-RELEASE before 11.3-RELEASE-p8, incomplete packet data validation may result in memory access after it has been freed leading to a kernel panic or other unpredictable results. | 9.8 |
2020-04-28 | CVE-2020-12442 | Ivanti | SQL Injection vulnerability in Ivanti Avalanche 6.3 Ivanti Avalanche 6.3 allows a SQL injection that is vaguely associated with the Apache HTTP Server, aka Bug 683250. | 9.8 |
2020-04-28 | CVE-2020-12429 | Phpgurukul | SQL Injection vulnerability in PHPgurukul Online Course Registration 2.0 Online Course Registration 2.0 has multiple SQL injections that can lead to a complete database compromise and authentication bypass in the login pages: admin/change-password.php, admin/check_availability.php, admin/index.php, change-password.php, check_availability.php, includes/header.php, index.php, and pincode-verification.php. | 9.8 |
2020-04-28 | CVE-2019-20791 | | Out-of-bounds Write vulnerability in Google Openthread OpenThread before 2019-12-13 has a stack-based buffer overflow in MeshCoP::Commissioner::GeneratePskc. | 9.8 |
2020-04-28 | CVE-2017-18858 | Netgear | OS Command Injection vulnerability in Netgear products Certain NETGEAR devices are affected by command execution. | 9.8 |
2020-04-28 | CVE-2017-18857 | Netgear | Weak Password Requirements vulnerability in Netgear Insight The NETGEAR Insight application before 2.42 for Android and iOS is affected by password mismanagement. | 9.8 |
2020-04-28 | CVE-2020-1745 | Redhat | Unspecified vulnerability in Redhat Undertow A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. | 9.8 |
2020-04-28 | CVE-2020-12284 | Ffmpeg Canonical Debian | Out-of-bounds Write vulnerability in multiple products cbs_jpeg_split_fragment in libavcodec/cbs_jpeg.c in FFmpeg 4.1 and 4.2.2 has a heap-based buffer overflow during JPEG_MARKER_SOS handling because of a missing length check. | 9.8 |
2020-04-27 | CVE-2020-7640 | Pixlcore | OS Command Injection vulnerability in Pixlcore Pixl-Class 1.0.0/1.0.1/1.0.2 pixl-class prior to 1.0.3 allows execution of arbitrary commands. | 9.8 |
2020-04-27 | CVE-2020-7609 | Node Rules Project | Code Injection vulnerability in Node-Rules Project Node-Rules 3.0.0/4.0.2 node-rules including 3.0.0 and prior to 5.0.0 allows injection of arbitrary commands. | 9.8 |
2020-04-27 | CVE-2018-21153 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 9.8 |
2020-04-27 | CVE-2020-9294 | Fortinet | Improper Authentication vulnerability in Fortinet Fortimail An improper authentication vulnerability in FortiMail 5.4.10, 6.0.7, 6.2.2 and earlier and FortiVoiceEntreprise 6.0.0 and 6.0.1 may allow a remote unauthenticated attacker to access the system as a legitimate user by requesting a password change via the user interface. | 9.8 |
2020-04-27 | CVE-2020-1952 | Apache | Improper Certificate Validation vulnerability in Apache Iotdb An issue was found in Apache IoTDB .9.0 to 0.9.1 and 0.8.0 to 0.8.2. | 9.8 |
2020-04-27 | CVE-2020-12279 | Libgit2 Debian | Use of Incorrectly-Resolved Name or Reference vulnerability in multiple products An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. | 9.8 |
2020-04-27 | CVE-2020-12278 | Libgit2 Debian | Use of Incorrectly-Resolved Name or Reference vulnerability in multiple products An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. | 9.8 |
2020-04-27 | CVE-2020-9068 | Huawei | Improper Authentication vulnerability in Huawei Ar3200 Firmware Huawei AR3200 products with versions of V200R007C00SPC900, V200R007C00SPCa00, V200R007C00SPCb00, V200R007C00SPCc00, V200R009C00SPC500 have an improper authentication vulnerability. | 9.8 |
2020-04-27 | CVE-2018-21097 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an unauthenticated attacker. | 9.8 |
2020-04-27 | CVE-2020-12133 | Farukawa | Deserialization of Untrusted Data vulnerability in Farukawa Electric Consciousmap The Apros Evolution, ConsciusMap, and Furukawa provisioning systems through 2.8.1 allow remote code execution because of javax.faces.ViewState Java deserialization. | 9.8 |
2020-04-27 | CVE-2020-11817 | Rukovoditel | Unrestricted Upload of File with Dangerous Type vulnerability in Rukovoditel 2.5.2 In Rukovoditel V2.5.2, attackers can upload an arbitrary file to the server just by changing the content-type value. | 9.8 |
2020-04-27 | CVE-2019-18823 | Wisc Fedoraproject Debian | Improper Authentication vulnerability in multiple products HTCondor up to and including stable series 8.8.6 and development series 8.9.4 has Incorrect Access Control. | 9.8 |
2020-04-27 | CVE-2019-20790 | Trusteddomain Pypolicyd SPF Project Fedoraproject | Authentication Bypass by Spoofing vulnerability in multiple products OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field. | 9.8 |
2020-04-27 | CVE-2020-12274 | Testlink | Unspecified vulnerability in Testlink 1.9.20 In TestLink 1.9.20, the lib/cfields/cfieldsExport.php goback_url parameter causes a security risk because it depends on client input and is not constrained to lib/cfields/cfieldsView.php at the web site associated with the session. | 9.8 |
2020-04-27 | CVE-2020-12271 | Sophos | SQL Injection vulnerability in Sophos Sfos A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. | 9.8 |
2020-04-27 | CVE-2020-12268 | Artifex Debian Opensuse | Out-of-bounds Write vulnerability in multiple products jbig2_image_compose in jbig2_image.c in Artifex jbig2dec before 0.18 has a heap-based buffer overflow. | 9.8 |
2020-04-27 | CVE-2020-12267 | QT | Use After Free vulnerability in QT 5.14.1 setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock. | 9.8 |
2020-04-29 | CVE-2020-3955 | Vmware | Cross-site Scripting vulnerability in VMWare Esxi 6.5/6.7 ESXi 6.5 without patch ESXi650-201912104-SG and ESXi 6.7 without patch ESXi670-202004103-SG do not properly neutralize script-related HTML when viewing virtual machines attributes. | 9.3 |
2020-04-30 | CVE-2020-5887 | F5 | Exposure of Resource to Wrong Sphere vulnerability in F5 products On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, BIG-IP Virtual Edition (VE) may expose a mechanism for remote attackers to access local daemons and bypass port lockdown settings. | 9.1 |
2020-04-30 | CVE-2020-5886 | F5 | Cleartext Transmission of Sensitive Information vulnerability in F5 products On versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, and 12.1.0-12.1.5.1, BIG-IP systems setup for connection mirroring in a High Availability (HA) pair transfers sensitive cryptographic objects over an insecure communications channel. | 9.1 |
2020-04-30 | CVE-2020-5885 | F5 | Cleartext Transmission of Sensitive Information vulnerability in F5 products On versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, and 12.1.0-12.1.5.1, BIG-IP systems set up for connection mirroring in a high availability (HA) pair transfer sensitive cryptographic objects over an insecure communications channel. | 9.1 |
2020-04-30 | CVE-2020-5884 | F5 | Unspecified vulnerability in F5 products On versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.4, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the default deployment mode for BIG-IP high availability (HA) pair mirroring is insecure. | 9.1 |
2020-04-30 | CVE-2020-11015 | Thinx Device API Project | Unspecified vulnerability in Thinx-Device-Api Project Thinx-Device-Api A vulnerability has been disclosed in thinx-device-api IoT Device Management Server before version 2.5.0. | 9.1 |
2020-04-29 | CVE-2020-7452 | Freebsd | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Freebsd 11.3/12.1 In FreeBSD 12.1-STABLE before r357490, 12.1-RELEASE before 12.1-RELEASE-p3, 11.3-STABLE before r357489, and 11.3-RELEASE before 11.3-RELEASE-p7, incorrect use of a user-controlled pointer in the epair virtual network module allowed vnet jailed privileged users to panic the host system and potentially execute arbitrary code in the kernel. | 9.1 |
152 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-04-29 | CVE-2020-8775 | Pega | Cross-site Scripting vulnerability in Pega Platform Pega Platform before version 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the comment tags. | 8.9 |
2020-04-29 | CVE-2020-8773 | Pega | Cross-site Scripting vulnerability in Pega Platform The Richtext Editor in Pega Platform before 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability. | 8.9 |
2020-05-01 | CVE-2020-7351 | Netfortris | OS Command Injection vulnerability in Netfortris Trixbox 1.2.0/2.8.0.4 An OS Command Injection vulnerability in the endpoint_devicemap.php component of Fonality Trixbox Community Edition allows an attacker to execute commands on the underlying operating system as the "asterisk" user. | 8.8 |
2020-04-30 | CVE-2020-11016 | Intelmq Manager Project | OS Command Injection vulnerability in Intelmq Manager Project Intelmq Manager 1.1.0/2.0.0/2.1.0 IntelMQ Manager from version 1.1.0 and before version 2.1.1 has a vulnerability where the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. | 8.8 |
2020-04-30 | CVE-2019-0235 | Apache | Cross-Site Request Forgery (CSRF) vulnerability in Apache Ofbiz 17.12.01 Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks. | 8.8 |
2020-04-30 | CVE-2020-6010 | Thimpress | SQL Injection vulnerability in Thimpress Learnpress LearnPress Wordpress plugin version prior and including 3.2.6.7 is vulnerable to SQL Injection | 8.8 |
2020-04-30 | CVE-2019-19220 | Bmcsoftware | OS Command Injection vulnerability in Bmcsoftware Control-M/Agent 7.0.00.000 BMC Control-M/Agent 7.0.00.000 allows OS Command Injection (issue 2 of 2). | 8.8 |
2020-04-30 | CVE-2019-19217 | Bmcsoftware | OS Command Injection vulnerability in Bmcsoftware Control-M/Agent 7.0.00.000 BMC Control-M/Agent 7.0.00.000 allows OS Command Injection. | 8.8 |
2020-04-30 | CVE-2019-19216 | Bmcsoftware | Improper Privilege Management vulnerability in Bmcsoftware Control-M/Agent 7.0.00.000 BMC Control-M/Agent 7.0.00.000 has an Insecure File Copy. | 8.8 |
2020-04-30 | CVE-2019-19215 | Bmcsoftware | Classic Buffer Overflow vulnerability in Bmcsoftware Control-M/Agent 7.0.00.000 A buffer overflow vulnerability in BMC Control-M/Agent 7.0.00.000 when the On-Do action destination is Mail and the Control-M/Agent is configured to send the email, allows remote attackers to have unspecified impact via vectors related to the configured IP address or SMTP server. | 8.8 |
2020-04-29 | CVE-2020-12479 | Teampass | Path Traversal vulnerability in Teampass 2.1.27.36 TeamPass 2.1.27.36 allows any authenticated TeamPass user to trigger a PHP file include vulnerability via a crafted HTTP request with sources/users.queries.php newValue directory traversal. | 8.8 |
2020-04-29 | CVE-2020-11943 | Opmantek | Unrestricted Upload of File with Dangerous Type vulnerability in Opmantek Open-Audit 3.2.2 An issue was discovered in Open-AudIT 3.2.2. | 8.8 |
2020-04-29 | CVE-2020-12461 | PHP Fusion | SQL Injection vulnerability in PHP-Fusion 9.03.50 PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. | 8.8 |
2020-04-29 | CVE-2020-8774 | Pega | Cross-site Scripting vulnerability in Pega Platform Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the "ActionStringID" function. | 8.8 |
2020-04-29 | CVE-2020-11677 | Cerner | Classic Buffer Overflow vulnerability in Cerner Medico 26.00 Cerner medico 26.00 has a Local Buffer Overflow (issue 3 of 3). | 8.8 |
2020-04-29 | CVE-2020-11676 | Cerner | Classic Buffer Overflow vulnerability in Cerner Medico 26.00 Cerner medico 26.00 has a Local Buffer Overflow (issue 2 of 3). | 8.8 |
2020-04-29 | CVE-2020-11675 | Cerner | Classic Buffer Overflow vulnerability in Cerner Medico 26.00 Cerner medico 26.00 has a Local Buffer Overflow (issue 1 of 3). | 8.8 |
2020-04-29 | CVE-2020-11674 | Cerner | Unspecified vulnerability in Cerner Medico 26.00 Cerner medico 26.00 allows variable reuse, possibly causing data corruption. | 8.8 |
2020-04-29 | CVE-2019-16653 | Geniusbytes | Unspecified vulnerability in Geniusbytes Genius Server 3.2.2 An application plugin in Genius Bytes Genius Server (Genius CDDS) 3.2.2 allows remote authenticated users to gain admin privileges. | 8.8 |
2020-04-29 | CVE-2017-18855 | Netgear | Injection vulnerability in Netgear Wnr854T Firmware NETGEAR WNR854T devices before 1.5.2 are affected by command execution. | 8.8 |
2020-04-29 | CVE-2020-12246 | Beeline | OS Command Injection vulnerability in Beeline Smart BOX Firmware 2.0.38 Beeline Smart Box 2.0.38 routers allow "Advanced settings > Other > Diagnostics" OS command injection via the Ping ping_ipaddr parameter, the Nslookup nslookup_ipaddr parameter, or the Traceroute traceroute_ipaddr parameter. | 8.8 |
2020-04-28 | CVE-2018-21226 | Netgear | Improper Privilege Management vulnerability in Netgear products Certain NETGEAR devices are affected by authentication bypass. | 8.8 |
2020-04-28 | CVE-2018-21224 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21223 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21222 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21221 | Netgear | Classic Buffer Overflow vulnerability in Netgear D3600 Firmware, D6000 Firmware and R9000 Firmware Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21220 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21219 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21218 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21217 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21216 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21215 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21214 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21213 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21212 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21211 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21210 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21208 | Netgear | Injection vulnerability in Netgear products Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21207 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21206 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21205 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21204 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21203 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2018-21202 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2016-11056 | Netgear | Unspecified vulnerability in Netgear Readynas Surveillance 1.1.1/1.1.13/1.4.13 Certain NETGEAR devices are affected by anonymous root access. | 8.8 |
2020-04-28 | CVE-2020-12078 | Opmantek | OS Command Injection vulnerability in Opmantek Open-Audit 3.3.1 An issue was discovered in Open-AudIT 3.3.1. | 8.8 |
2020-04-27 | CVE-2018-21170 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-27 | CVE-2018-21169 | Netgear | Unspecified vulnerability in Netgear products Certain NETGEAR devices are affected by incorrect configuration of security settings. | 8.8 |
2020-04-27 | CVE-2018-21158 | Netgear | Unspecified vulnerability in Netgear R7800 Firmware NETGEAR R7800 devices before 1.0.2.46 are affected by incorrect configuration of security settings. | 8.8 |
2020-04-27 | CVE-2020-11941 | Opmantek | OS Command Injection vulnerability in Opmantek Open-Audit 3.2.2 An issue was discovered in Open-AudIT 3.2.2. | 8.8 |
2020-04-27 | CVE-2020-12138 | AMD | Missing Authorization vulnerability in AMD Atillk64 5.11.9.0 AMD ATI atillk64.sys 5.11.9.0 allows low-privileged users to interact directly with physical memory by calling one of several driver routines that map physical memory into the virtual address space of the calling process. | 8.8 |
2020-04-27 | CVE-2018-21093 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an unauthenticated attacker. | 8.8 |
2020-04-28 | CVE-2020-11014 | Simpleledger | Unspecified vulnerability in Simpleledger Electron-Cash-Slp Electron-Cash-SLP before version 3.6.2 has a vulnerability. | 8.6 |
2020-04-27 | CVE-2020-1762 | Kiali Redhat | Session Fixation vulnerability in multiple products An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration. | 8.6 |
2020-04-29 | CVE-2020-11024 | Moonlight Stream | Information Exposure vulnerability in Moonlight-Stream Moonlight In Moonlight iOS/tvOS before 4.0.1, the pairing process is vulnerable to a man-in-the-middle attack. | 8.2 |
2020-04-30 | CVE-2020-11027 | Debian Wordpress | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. | 8.1 |
2020-04-30 | CVE-2020-5888 | F5 | Unspecified vulnerability in F5 products On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, BIG-IP Virtual Edition (VE) may expose a mechanism for adjacent network (layer 2) attackers to access local daemons and bypass port lockdown settings. | 8.1 |
2020-04-30 | CVE-2020-5876 | F5 | Cleartext Transmission of Sensitive Information vulnerability in F5 products On BIG-IP 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, a race condition exists where mcpd and other processes may make unencrypted connection attempts to a new configuration sync peer. | 8.1 |
2020-04-28 | CVE-2020-7644 | FUN MAP Project | Unspecified vulnerability in Fun-Map Project Fun-Map fun-map through 3.3.1 is vulnerable to Prototype Pollution. | 8.1 |
2020-04-27 | CVE-2020-10996 | Percona | Inappropriate Encoding for Output Context vulnerability in Percona Xtradb Cluster An issue was discovered in Percona XtraDB Cluster before 5.7.28-31.41.2. | 8.1 |
2020-04-28 | CVE-2017-18861 | Netgear | Cross-Site Request Forgery (CSRF) vulnerability in Netgear Readynas Surveillance 1.1.45/1.4.315 Certain NETGEAR devices are affected by CSRF. | 8.0 |
2020-04-27 | CVE-2018-21100 | Netgear | OS Command Injection vulnerability in Netgear R7800 Firmware NETGEAR R7800 devices before 1.0.2.60 are affected by command injection by an authenticated user. | 8.0 |
2020-04-27 | CVE-2018-21099 | Netgear | OS Command Injection vulnerability in Netgear R7800 Firmware NETGEAR R7800 devices before 1.0.2.60 are affected by command injection by an authenticated user. | 8.0 |
2020-04-30 | CVE-2020-1817 | Huawei | Unspecified vulnerability in Huawei Pcmanager 9.0.1.50/9.1.3.1 Huawei PCManager with versions earlier than 10.0.1.36 has a privilege escalation vulnerability. | 7.8 |
2020-04-29 | CVE-2019-5621 | Abbs Software Audio Media Player Project | Out-of-bounds Write vulnerability in Abbs Software Audio Media Player Project Abbs Software Audio Media Player 3.1 ABBS Software Audio Media Player version 3.1 suffers from an instance of CWE-121: Stack-based Buffer Overflow. | 7.8 |
2020-04-29 | CVE-2019-5618 | A PDF | Out-of-bounds Write vulnerability in A-Pdf WAV to MP3 1.0.0 A-PDF WAV to MP3 version 1.0.0 suffers from an instance of CWE-121: Stack-based Buffer Overflow. | 7.8 |
2020-04-29 | CVE-2020-12468 | Intelliants | Unspecified vulnerability in Intelliants Subrion 4.2.1 Subrion CMS 4.2.1 allows CSV injection via a phrase value within a language. | 7.8 |
2020-04-29 | CVE-2019-16011 | Cisco | Improper Input Validation vulnerability in Cisco IOS XE A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. | 7.8 |
2020-04-29 | CVE-2020-12446 | Gskill | Unspecified vulnerability in Gskill Trident Z Lighting Control The ene.sys driver in G.SKILL Trident Z Lighting Control through 1.00.08 exposes mapping and un-mapping of physical memory, reading and writing to Model Specific Register (MSR) registers, and input from and output to I/O ports to local non-privileged users. | 7.8 |
2020-04-29 | CVE-2020-11446 | Eset | Link Following vulnerability in Eset products ESET Antivirus and Antispyware Module module 1553 through 1560 allows a user with limited access rights to create hard links in some ESET directories and then force the product to write through these links into files that would normally not be write-able by the user, thus achieving privilege escalation. | 7.8 |
2020-04-29 | CVE-2019-20781 | LG | Uncontrolled Search Path Element vulnerability in LG Bridge An issue was discovered in LG Bridge before April 2019 on Windows. | 7.8 |
2020-04-29 | CVE-2020-8489 | ABB | Unspecified vulnerability in ABB 800Xa Information Management Insufficient protection of the inter-process communication functions in ABB System 800xA Information Management (all published versions) enables an attacker authenticated on the local system to inject data, affecting the runtime values to be stored in the archive, or making Information Management history services unavailable. | 7.8 |
2020-04-29 | CVE-2020-8488 | ABB | Unspecified vulnerability in ABB 800Xa Batch Management Insufficient protection of the inter-process communication functions in ABB System 800xA Batch Management (all published versions) enables an attacker authenticated on the local system to inject data, affecting User Interface update during batch execution and/or compare/printing functionalities. | 7.8 |
2020-04-29 | CVE-2020-8487 | ABB | Unspecified vulnerability in ABB 800Xa Base System Insufficient protection of the inter-process communication functions in ABB System 800xA Base (all published versions) enables an attacker authenticated on the local system to inject data, affecting node redundancy handling. | 7.8 |
2020-04-29 | CVE-2020-8486 | ABB | Unspecified vulnerability in ABB 800Xa Rnrp Insufficient protection of the inter-process communication functions in ABB System 800xA RNRP (all published versions) enables an attacker authenticated on the local system to inject data, affecting node redundancy handling. | 7.8 |
2020-04-29 | CVE-2020-8485 | ABB | Unspecified vulnerability in ABB 800Xa Insufficient protection of the inter-process communication functions in ABB System 800xA for MOD 300 (all published versions) enables an attacker authenticated on the local system to inject data, allowing reads and writes to the controllers or causing Windows processes to crash. | 7.8 |
2020-04-29 | CVE-2020-8484 | ABB | Unspecified vulnerability in ABB 800Xa Insufficient protection of the inter-process communication functions in ABB System 800xA for DCI (all published versions) enables an attacker authenticated on the local system to inject data, allowing reads and writes to the controllers or causing Windows processes to crash. | 7.8 |
2020-04-29 | CVE-2020-8471 | ABB | Incorrect Default Permissions vulnerability in ABB 800Xa System, Compact HMI and Control Builder Safe For the Central Licensing Server component used in ABB products ABB Ability™ System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability™ System 800xA/ Advant® OCS Control Builder A 1.3 and 1.4, Advant® OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, weak file permissions allow an authenticated attacker to block the license handling, escalate his/her privileges and execute arbitrary code. | 7.8 |
2020-04-29 | CVE-2020-8473 | ABB | Incorrect Permission Assignment for Critical Resource vulnerability in ABB 800Xa Base System Insufficient folder permissions used by system functions in ABB System 800xA Base (version 6.1 and earlier) allow low privileged users to read, modify, add and delete system and application files. | 7.8 |
2020-04-29 | CVE-2020-8472 | ABB | Incorrect Permission Assignment for Critical Resource vulnerability in ABB products Insufficient folder permissions used by system functions in ABB System 800xA products OPCServer for AC800M (versions 6.0 and earlier) and Control Builder M Professional, MMSServer for AC800M, Base Software for SoftControl (version 6.1 and earlier) allow low privileged users to read, modify, add and delete system and application files. | 7.8 |
2020-04-27 | CVE-2020-7135 | HP | Unspecified vulnerability in HP Service Pack for Proliant A potential security vulnerability has been identified in the disk drive firmware installers named Supplemental Update / Online ROM Flash Component on HPE servers running Linux. | 7.8 |
2020-04-27 | CVE-2020-12242 | Valvesoftware | OS Command Injection vulnerability in Valvesoftware Source Valve Source allows local users to gain privileges by writing to the /tmp/hl2_relaunch file, which is later executed in the context of a different user account. | 7.8 |
2020-04-27 | CVE-2019-20002 | Solarwinds | Improper Neutralization of Formula Elements in a CSV File vulnerability in Solarwinds Webhelpdesk 12.7.1 Formula Injection exists in the export feature in SolarWinds WebHelpDesk 12.7.1 via a value (provided by a low-privileged user in the Subject field of a help request form) that is mishandled in a TicketActions/view?tab=group TSV export by an admin user. | 7.8 |
2020-04-29 | CVE-2017-18860 | Netgear | Injection vulnerability in Netgear products Certain NETGEAR devices are affected by debugging command execution. | 7.7 |
2020-04-28 | CVE-2020-12103 | Tiny File Manager Project | Path Traversal vulnerability in Tiny File Manager Project Tiny File Manager 2.4.1 In Tiny File Manager 2.4.1 there is a vulnerability in the ajax file backup copy functionality which allows authenticated users to create backup copies of files (with .bak extension) outside the scope in the same directory in which they are stored. | 7.7 |
2020-04-28 | CVE-2020-12102 | Tiny File Manager Project | Path Traversal vulnerability in Tiny File Manager Project Tiny File Manager 2.4.1 In Tiny File Manager 2.4.1, there is a Path Traversal vulnerability in the ajax recursive directory listing functionality. | 7.7 |
2020-04-30 | CVE-2020-11028 | Wordpress Debian | Missing Authentication for Critical Function vulnerability in multiple products In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. | 7.5 |
2020-04-30 | CVE-2020-9098 | Huawei | Release of Invalid Pointer or Reference vulnerability in Huawei Oceanstor 5310 Firmware V500R007C60Spc100 Huawei OceanStor 5310 product with version of V500R007C60SPC100 has an invalid pointer access vulnerability. | 7.5 |
2020-04-30 | CVE-2020-5891 | F5 | Unspecified vulnerability in F5 products On BIG-IP 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, undisclosed HTTP/2 requests can lead to a denial of service when sent to a virtual server configured with the Fallback Host setting and a server-side HTTP/2 profile. | 7.5 |
2020-04-30 | CVE-2020-5883 | F5 | Memory Leak vulnerability in F5 products On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.3, 14.0.0-14.0.1, and 13.1.0-13.1.3.1, when a virtual server is configured with HTTP explicit proxy and has an attached HTTP_PROXY_REQUEST iRule, POST requests sent to the virtual server cause an xdata memory leak. | 7.5 |
2020-04-30 | CVE-2020-5882 | F5 | Unspecified vulnerability in F5 products On BIG-IP 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5, and 11.6.1-11.6.5.1, under certain conditions, the Intel QuickAssist Technology (QAT) cryptography driver may produce a Traffic Management Microkernel (TMM) core file. | 7.5 |
2020-04-30 | CVE-2020-5881 | F5 | Unspecified vulnerability in F5 products On versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, and 13.1.0-13.1.3.3, when the BIG-IP Virtual Edition (VE) is configured with VLAN groups and there are devices configured with OSPF connected to it, the Network Device Abstraction Layer (NDAL) Interfaces can lock up, in turn disrupting the communication between the mcpd and tmm processes. | 7.5 |
2020-04-30 | CVE-2020-5879 | F5 | Cleartext Transmission of Sensitive Information vulnerability in F5 Big-Ip Application Security Manager On BIG-IP ASM 11.6.1-11.6.5.1, under certain configurations, the BIG-IP system sends data plane traffic to back-end servers unencrypted, even when a Server SSL profile is applied. | 7.5 |
2020-04-30 | CVE-2020-5878 | F5 | Unspecified vulnerability in F5 products On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.1, and 14.1.0-14.1.2.3, Traffic Management Microkernel (TMM) may restart on BIG-IP Virtual Edition (VE) while processing unusual IP traffic. | 7.5 |
2020-04-30 | CVE-2020-5877 | F5 | Unspecified vulnerability in F5 products On BIG-IP 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, malformed input to the DATAGRAM::tcp iRules command within a FLOW_INIT event may lead to a denial of service. | 7.5 |
2020-04-30 | CVE-2020-5875 | F5 | Unspecified vulnerability in F5 products On BIG-IP 15.0.0-15.0.1 and 14.1.0-14.1.2.3, under certain conditions, the Traffic Management Microkernel (TMM) may generate a core file and restart while processing SSL traffic with an HTTP/2 full proxy. | 7.5 |
2020-04-30 | CVE-2020-5874 | F5 | Unspecified vulnerability in F5 Big-Ip Access Policy Manager On BIG-IP APM 15.0.0-15.0.1.2, 14.1.0-14.1.2.3, and 14.0.0-14.0.1, in certain circumstances, an attacker sending specifically crafted requests to a BIG-IP APM virtual server may cause a disruption of service provided by the Traffic Management Microkernel (TMM). | 7.5 |
2020-04-30 | CVE-2020-5872 | F5 | Unspecified vulnerability in F5 products On BIG-IP 14.1.0-14.1.2.3, 14.0.0-14.0.1, 13.1.0-13.1.3.1, and 12.1.0-12.1.4.1, when processing TLS traffic with hardware cryptographic acceleration enabled on platforms with Intel QAT hardware, the Traffic Management Microkernel (TMM) may stop responding and cause a failover event. | 7.5 |
2020-04-30 | CVE-2020-5871 | F5 | Unspecified vulnerability in F5 products On BIG-IP 14.1.0-14.1.2.3, undisclosed requests can lead to a denial of service (DoS) when sent to BIG-IP HTTP/2 virtual servers. | 7.5 |
2020-04-30 | CVE-2019-12425 | Apache | Injection vulnerability in Apache Ofbiz 17.12.01 Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting arbitrary host | 7.5 |
2020-04-30 | CVE-2019-19219 | Bmcsoftware | Unspecified vulnerability in Bmcsoftware Control-M/Agent 7.0.00.000 BMC Control-M/Agent 7.0.00.000 allows Arbitrary File Download. | 7.5 |
2020-04-30 | CVE-2019-19218 | Bmcsoftware | Incorrect Permission Assignment for Critical Resource vulnerability in Bmcsoftware Control-M/Agent 7.0.00.000 BMC Control-M/Agent 7.0.00.000 has Insecure Password Storage. | 7.5 |
2020-04-29 | CVE-2020-12478 | Teampass | Missing Authentication for Critical Function vulnerability in Teampass 2.1.27.36 TeamPass 2.1.27.36 allows an unauthenticated attacker to retrieve files from the TeamPass web root. | 7.5 |
2020-04-29 | CVE-2020-12477 | Teampass | Incorrect Authorization vulnerability in Teampass 2.1.27.36 The REST API functions in TeamPass 2.1.27.36 allow any user with a valid API token to bypass IP address whitelist restrictions via an X-Forwarded-For client HTTP header to the getIp function. | 7.5 |
2020-04-29 | CVE-2020-11021 | Http Client Project | Unspecified vulnerability in Http-Client Project Http-Client 0.0.1/1.0.0 Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to incorrect domain in certain redirect scenarios. | 7.5 |
2020-04-29 | CVE-2020-2575 | Oracle | Use of Uninitialized Resource vulnerability in Oracle VM Virtualbox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). | 7.5 |
2020-04-29 | CVE-2020-12447 | Onkyo | Path Traversal vulnerability in Onkyo Tx-Nr585 Firmware 1000000000000080000 A Local File Inclusion (LFI) issue on Onkyo TX-NR585 1000-0000-000-0008-0000 devices allows remote unauthenticated users on the network to read sensitive files via %2e%2e%2f directory traversal, as demonstrated by reading /etc/shadow. | 7.5 |
2020-04-29 | CVE-2019-19102 | BR Automation | Path Traversal vulnerability in Br-Automation Automation Studio A directory traversal vulnerability in SharpZipLib used in the upgrade service in B&R Automation Studio versions 4.0.x, 4.1.x and 4.2.x allows unauthenticated users to write to certain local directories. | 7.5 |
2020-04-29 | CVE-2020-8476 | ABB | Improper Input Validation vulnerability in ABB 800Xa System, Compact HMI and Control Builder Safe For the Central Licensing Server component used in ABB products ABB Ability™ System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability™ System 800xA/ Advant® OCS Control Builder A 1.3 and 1.4, Advant® OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, ABB Ability™ SCADAvantage versions 5.1 to 5.6.5, a weakness in validation of input exists that allows an attacker to alter licenses assigned to the system nodes by sending specially crafted messages to the CLS web service. | 7.5 |
2020-04-29 | CVE-2020-8475 | ABB | Improper Input Validation vulnerability in ABB 800Xa System, Compact HMI and Control Builder Safe For the Central Licensing Server component used in ABB products ABB Ability™ System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability™ System 800xA/ Advant® OCS Control Builder A 1.3 and 1.4, Advant® OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, ABB Ability™ SCADAvantage versions 5.1 to 5.6.5, a weakness in validation of input exists that allows an attacker to block license handling by sending specially crafted messages to the CLS web service. | 7.5 |
2020-04-28 | CVE-2020-10663 | Json Project Fedoraproject Opensuse Debian Apple | Improper Input Validation vulnerability in multiple products The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. | 7.5 |
2020-04-28 | CVE-2020-12243 | Openldap Debian Opensuse Canonical Netapp Broadcom Apple Oracle | Uncontrolled Recursion vulnerability in multiple products In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash). | 7.5 |
2020-04-28 | CVE-2020-10641 | Inductiveautomation | Missing Authentication for Critical Function vulnerability in Inductiveautomation Ignition Gateway An unprotected logging route may allow an attacker to write endless log statements into the database without space limits or authentication. | 7.5 |
2020-04-28 | CVE-2017-18859 | Netgear | Unspecified vulnerability in Netgear products Certain NETGEAR devices are affected by slowdown/stoppage. | 7.5 |
2020-04-28 | CVE-2016-11060 | Netgear | Unspecified vulnerability in Netgear products Certain NETGEAR devices are affected by insecure renegotiation. | 7.5 |
2020-04-28 | CVE-2016-11059 | Netgear | Information Exposure vulnerability in Netgear products Certain NETGEAR devices are affected by password exposure. | 7.5 |
2020-04-28 | CVE-2016-11058 | Netgear | Insufficient Session Expiration vulnerability in Netgear Genie The NETGEAR genie application before 2.4.34 for Android is affected by mishandling of hard-coded API keys and session IDs. | 7.5 |
2020-04-28 | CVE-2016-11057 | Netgear | Improper Authentication vulnerability in Netgear products Certain NETGEAR devices are affected by mishandling of repeated URL calls. | 7.5 |
2020-04-28 | CVE-2020-5567 | Cybozu | Improper Authentication vulnerability in Cybozu Garoon Improper authentication vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 allows remote attackers to obtain data in Application Menu. | 7.5 |
2020-04-27 | CVE-2020-9481 | Apache Debian | Resource Exhaustion vulnerability in multiple products Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to an HTTP/2 slow read attack. | 7.5 |
2020-04-27 | CVE-2020-7067 | PHP Tenable Oracle Debian | Out-of-bounds Read vulnerability in multiple products In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes. | 7.5 |
2020-04-27 | CVE-2018-21168 | Netgear | Information Exposure vulnerability in Netgear products Certain NETGEAR devices are affected by disclosure of sensitive information. | 7.5 |
2020-04-27 | CVE-2019-15234 | Ushareit | Allocation of Resources Without Limits or Throttling vulnerability in Ushareit Shareit 4.0.5.171/4.0.5.177/4.0.6.177 SHAREit through 4.0.6.177 does not check the full message length from the received packet header (which is used to allocate memory for the next set of data). | 7.5 |
2020-04-27 | CVE-2019-14941 | Ushareit | Allocation of Resources Without Limits or Throttling vulnerability in Ushareit Shareit 4.0.5.171/4.0.5.177/4.0.6.177 SHAREit through 4.0.6.177 does not check the body length from the received packet header (which is used to allocate memory for the next set of data). | 7.5 |
2020-04-27 | CVE-2020-12266 | Wavlink | Missing Authentication for Critical Function vulnerability in Wavlink products An issue was discovered where there are multiple externally accessible pages that do not require any sort of authentication, and store system information for internal usage. | 7.5 |
2020-04-27 | CVE-2020-12120 | Prestashop | Incorrect Permission Assignment for Critical Resource vulnerability in Prestashop Correos Express 1.6/1.6.0.4/1.7 The Correos Express addon for PrestaShop 1.6 through 1.7 allows remote attackers to obtain sensitive information, such as a service's owner password that can be used to modify orders via SOAP. | 7.5 |
2020-04-27 | CVE-2020-12273 | Testlink | Insufficiently Protected Credentials vulnerability in Testlink 1.9.20 In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials. | 7.5 |
2020-04-27 | CVE-2020-10664 | Windriver | NULL Pointer Dereference vulnerability in Windriver Vxworks 6.8.3 The IGMP component in VxWorks 6.8.3 IPNET CVE patches created in 2019 has a NULL Pointer Dereference. | 7.5 |
2020-04-27 | CVE-2018-21096 | Netgear | Cross-Site Request Forgery (CSRF) vulnerability in Netgear products Certain NETGEAR devices are affected by CSRF. | 7.4 |
2020-04-27 | CVE-2018-21094 | Netgear | Unspecified vulnerability in Netgear products Certain NETGEAR devices are affected by incorrect configuration of security settings. | 7.3 |
2020-04-30 | CVE-2020-5873 | F5 | Unspecified vulnerability in F5 products On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.6.1-11.6.5 and BIG-IQ 5.2.0-7.1.0, a user associated with the Resource Administrator role who has access to the secure copy (scp) utility but does not have access to Advanced Shell (bash) can execute arbitrary commands using a maliciously crafted scp request. | 7.2 |
2020-04-29 | CVE-2020-12470 | Mono | Files or Directories Accessible to External Parties vulnerability in Mono Monox 5.1.40.5152 MonoX through 5.1.40.5152 allows administrators to execute arbitrary code by modifying an ASPX template. | 7.2 |
2020-04-29 | CVE-2020-12473 | Mono | Unspecified vulnerability in Mono Monox 5.1.40.5152 MonoX through 5.1.40.5152 allows admins to execute arbitrary programs by reconfiguring the Converter Executable setting from ffmpeg.exe to a different program. | 7.2 |
2020-04-29 | CVE-2019-19165 | Inogard | Download of Code Without Integrity Check vulnerability in Inogard Activex AxECM.cab(ActiveX Control) in Inogard Ebiz4u contains a vulnerability that could allow remote files to be downloaded and executed by setting arguments to the activeX method. | 7.2 |
2020-04-29 | CVE-2020-7804 | Handysoft | OS Command Injection vulnerability in Handysoft Groupware 1.7.3.1 ActiveX Control(HShell.dll) in Handy Groupware 1.7.3.1 for Windows 7, 8, and 10 allows an attacker to execute arbitrary command via the ShellExec method. | 7.2 |
2020-04-29 | CVE-2019-16652 | Geniusbytes | Unspecified vulnerability in Geniusbytes Genius Server 3.2.2 The BPM component in Genius Bytes Genius Server (Genius CDDS) 3.2.2 allows remote authenticated users to execute arbitrary commands. | 7.2 |
2020-04-28 | CVE-2016-11054 | Netgear | OS Command Injection vulnerability in Netgear Dgn2200 Firmware NETGEAR DGN2200v4 devices before 2017-01-06 are affected by command execution and an FTP insecure root directory. | 7.2 |
2020-04-28 | CVE-2018-21181 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 7.2 |
2020-04-27 | CVE-2018-21177 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 7.2 |
2020-04-27 | CVE-2018-21176 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 7.2 |
2020-04-27 | CVE-2018-21175 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 7.2 |
2020-04-27 | CVE-2018-21174 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 7.2 |
2020-04-27 | CVE-2018-21156 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an authenticated user. | 7.2 |
2020-04-30 | CVE-2020-5880 | F5 | Unrestricted Upload of File with Dangerous Type vulnerability in F5 products On BIG-IP 15.0.0-15.0.1.3 and 14.1.0-14.1.2.3, the restjavad process may expose a way for attackers to upload arbitrary files on the BIG-IP system, bypassing the authorization system. | 7.1 |
2020-04-29 | CVE-2019-19100 | BR Automation | Unspecified vulnerability in Br-Automation Automation Studio A privilege escalation vulnerability in the upgrade service in B&R Automation Studio versions 4.0.x, 4.1.x, 4.2.x, < 4.3.11SP, < 4.4.9SP, < 4.5.4SP, <. | 7.1 |
2020-04-28 | CVE-2017-18863 | Netgear | Injection vulnerability in Netgear products Certain NETGEAR devices are affected by command execution via a PHP form. | 7.1 |
2020-04-27 | CVE-2020-1806 | Huawei | Out-of-bounds Read vulnerability in Huawei Honor V10 Firmware Huawei Honor V10 smartphones with versions earlier than 10.0.0.156(C00E156R2P4) have three out of bounds vulnerabilities. | 7.1 |
2020-04-27 | CVE-2020-1805 | Huawei | Out-of-bounds Read vulnerability in Huawei Honor V10 Firmware Huawei Honor V10 smartphones with versions earlier than 10.0.0.156(C00E156R2P4) have three out of bounds vulnerabilities. | 7.1 |
2020-04-27 | CVE-2020-1804 | Huawei | Out-of-bounds Read vulnerability in Huawei Honor V10 Firmware Huawei Honor V10 smartphones with versions earlier than 10.0.0.156(C00E156R2P4) have three out of bounds vulnerabilities. | 7.1 |
2020-04-30 | CVE-2020-1752 | GNU Canonical Netapp Debian | A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. | 7.0 |
2020-04-30 | CVE-2020-12050 | Fedoraproject Opensuse Sqliteodbc Project | Race Condition vulnerability in multiple products SQLiteODBC 0.9996, as packaged for certain Linux distributions as 0.9996-4, has a race condition leading to root privilege escalation because any user can replace a /tmp/sqliteodbc$$ file with new contents that cause loading of an arbitrary library. | 7.0 |
2020-04-29 | CVE-2020-11884 | Linux Canonical Debian Fedoraproject Netapp | Race Condition vulnerability in multiple products In the Linux kernel 4.19 through 5.6.7 on the s390 platform, code execution may occur because of a race condition, as demonstrated by code in enable_sacf_uaccess in arch/s390/lib/uaccess.c that fails to protect against a concurrent page table upgrade, aka CID-3f777e19d171. | 7.0 |
125 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-05-02 | CVE-2020-8157 | UI | Unspecified vulnerability in UI products UniFi Cloud Key firmware <= v1.1.10 for Cloud Key gen2 and Cloud Key gen2 Plus contains a vulnerability that allows unrestricted root access through the serial interface (UART). | 6.8 |
2020-04-29 | CVE-2019-20792 | Opensc Project | Double Free vulnerability in Opensc Project Opensc OpenSC before 0.20.0 has a double free in coolkey_free_private_data because coolkey_add_object in libopensc/card-coolkey.c lacks a uniqueness check. | 6.8 |
2020-04-28 | CVE-2018-21225 | Netgear | OS Command Injection vulnerability in Netgear products Certain NETGEAR devices are affected by command injection by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21201 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21200 | Netgear | Out-of-bounds Write vulnerability in Netgear R7800 Firmware and R9000 Firmware Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21199 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21198 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21197 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21196 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21195 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21194 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21193 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21192 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21191 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21190 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21189 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21188 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21187 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21186 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21185 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21184 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21183 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-28 | CVE-2018-21182 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-27 | CVE-2018-21180 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-27 | CVE-2018-21179 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-27 | CVE-2018-21178 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-27 | CVE-2018-21173 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-27 | CVE-2018-21172 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-27 | CVE-2018-21171 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-27 | CVE-2018-21157 | Netgear | OS Command Injection vulnerability in Netgear products Certain NETGEAR devices are affected by command injection by an authenticated user. | 6.8 |
2020-04-27 | CVE-2018-21154 | Netgear | OS Command Injection vulnerability in Netgear products Certain NETGEAR devices are affected by command injection by an authenticated user. | 6.8 |
2020-04-27 | CVE-2018-21152 | Netgear | OS Command Injection vulnerability in Netgear products Certain NETGEAR devices are affected by command injection by an authenticated user. | 6.8 |
2020-04-27 | CVE-2018-21149 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-04-27 | CVE-2018-21098 | Netgear | OS Command Injection vulnerability in Netgear R7800 Firmware NETGEAR R7800 devices before 1.0.2.60 are affected by command injection by an authenticated user. | 6.8 |
2020-04-30 | CVE-2020-5892 | F5 | Unspecified vulnerability in F5 Big-Ip Access Policy Manager In versions 7.1.5-7.1.8, the BIG-IP Edge Client components in BIG-IP APM, Edge Gateway, and FirePass legacy allow attackers to obtain the full session ID from process memory. | 6.7 |
2020-04-29 | CVE-2020-12465 | Linux Netapp | Classic Buffer Overflow vulnerability in multiple products An array overflow was discovered in mt76_add_fragment in drivers/net/wireless/mediatek/mt76/dma.c in the Linux kernel before 5.5.10, aka CID-b102f0c522cf. | 6.7 |
2020-04-29 | CVE-2020-12464 | Linux Netapp | Use After Free vulnerability in multiple products usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925. | 6.7 |
2020-04-29 | CVE-2017-18856 | Netgear | Injection vulnerability in Netgear Readynas OS Firmware NETGEAR ReadyNAS devices before 6.6.1 are affected by command injection. | 6.7 |
2020-04-29 | CVE-2017-18854 | Netgear | Injection vulnerability in Netgear Readynas OS Firmware NETGEAR ReadyNAS 6.6.1 and earlier is affected by command injection. | 6.7 |
2020-04-27 | CVE-2020-9072 | Huawei | Unspecified vulnerability in Huawei OSD Firmware Huawei OSD product with versions earlier than OSD_uwp_9.0.32.0 has a local privilege escalation vulnerability. | 6.7 |
2020-04-27 | CVE-2020-1845 | Huawei | Unspecified vulnerability in Huawei Pcmanager Huawei PCManager product with versions earlier than 10.0.5.53 has a local privilege escalation vulnerability. | 6.7 |
2020-05-03 | CVE-2020-12624 | Theleague | Incomplete Cleanup vulnerability in Theleague the League The League application before 2020-05-02 on Android sends a bearer token in an HTTP Authorization header to an arbitrary web site that hosts an external image because an OkHttp object is reused, which allows remote attackers to hijack sessions. | 6.5 |
2020-05-01 | CVE-2020-12474 | Telegram | Unspecified vulnerability in Telegram and Telegram Desktop Telegram Desktop through 2.0.1, Telegram through 6.0.1 for Android, and Telegram through 6.0.1 for iOS allow an IDN Homograph attack via Punycode in a public URL or a group chat invitation URL. | 6.5 |
2020-04-30 | CVE-2020-6865 | ZTE | Information Exposure vulnerability in ZTE Oscp 16.19.10/16.19.20 ZTE SDN controller platform is impacted by an information leakage vulnerability. | 6.5 |
2020-04-30 | CVE-2020-11652 | Saltstack Opensuse Debian Canonical Blackberry Vmware | Path Traversal vulnerability in multiple products An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. | 6.5 |
2020-04-29 | CVE-2020-12469 | Intelliants | Deserialization of Untrusted Data vulnerability in Intelliants Subrion admin/blocks.php in Subrion CMS through 4.2.1 allows PHP Object Injection (with resultant file deletion) via serialized data in the subpages value within a block to blocks/edit. | 6.5 |
2020-04-29 | CVE-2020-12467 | Intelliants | Session Fixation vulnerability in Intelliants Subrion 4.2.1 Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie. | 6.5 |
2020-04-29 | CVE-2020-11009 | Pagerduty | Authorization Bypass Through User-Controlled Key vulnerability in Pagerduty Rundeck In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and logs and Job details that they are not authorized to see. | 6.5 |
2020-04-29 | CVE-2017-18853 | Netgear | Information Exposure vulnerability in Netgear products Certain NETGEAR devices are affected by password recovery and file access. | 6.5 |
2020-04-28 | CVE-2020-12430 | Redhat | Memory Leak vulnerability in Redhat Enterprise Linux and Libvirt An issue was discovered in qemuDomainGetStatsIOThread in qemu/qemu_driver.c in libvirt 4.10.0 through 6.x before 6.1.0. | 6.5 |
2020-04-28 | CVE-2020-9482 | Apache | Insufficient Session Expiration vulnerability in Apache Nifi Registry 0.1.0/0.5.0 If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. | 6.5 |
2020-04-28 | CVE-2017-18862 | Netgear | Improper Authentication vulnerability in Netgear products Certain NETGEAR devices are affected by authentication bypass. | 6.5 |
2020-04-27 | CVE-2020-11420 | ABB Generex | Path Traversal vulnerability in multiple products UPS Adapter CS141 before 1.90 allows Directory Traversal. | 6.5 |
2020-04-27 | CVE-2020-10997 | Percona | Information Exposure vulnerability in Percona Xtrabackup Percona XtraBackup before 2.4.20 unintentionally writes the command line to any resulting backup file output. | 6.5 |
2020-04-27 | CVE-2020-12270 | Bluezone | Use of Insufficiently Random Values vulnerability in Bluezone 1.0.0 React Native Bluetooth Scan in Bluezone 1.0.0 uses six-character alphanumeric IDs, which might make it easier for remote attackers to interfere with COVID-19 contact tracing by using many IDs. | 6.5 |
2020-04-29 | CVE-2020-12252 | Gigamon | Unrestricted Upload of File with Dangerous Type vulnerability in Gigamon Gigavue An issue was discovered in Gigamon GigaVUE 5.5.01.11. | 6.2 |
2020-05-01 | CVE-2019-4209 | Hcltech | Open Redirect vulnerability in Hcltech Connections 5.5/6.0/6.5 HCL Connections v5.5, v6.0, and v6.5 contain an open redirect vulnerability which could be exploited by an attacker to conduct phishing attacks. | 6.1 |
2020-04-30 | CVE-2020-11029 | Debian Wordpress | Cross-site Scripting vulnerability in multiple products In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. | 6.1 |
2020-04-30 | CVE-2020-6579 | Mailbeez | Cross-site Scripting vulnerability in Mailbeez Cross-site scripting (XSS) vulnerability in mailhive/cloudbeez/cloudloader.php and mailhive/cloudbeez/cloudloader_core.php in the MailBeez plugin for ZenCart before 3.9.22 allows remote attackers to inject arbitrary web script or HTML via the cloudloader_mode parameter. | 6.1 |
2020-04-30 | CVE-2020-12283 | Sourcegraph | Open Redirect vulnerability in Sourcegraph Sourcegraph before 3.15.1 has a vulnerable authentication workflow because of improper validation in the SafeRedirectURL method in cmd/frontend/auth/redirect.go, such as for the //foo//example.com substring. | 6.1 |
2020-04-29 | CVE-2020-11022 | Jquery Drupal Debian Fedoraproject Oracle Netapp Opensuse Tenable | In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. | 6.1 |
2020-04-29 | CVE-2020-11023 | Jquery Debian Fedoraproject Drupal Oracle Netapp Tenable | In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. | 6.1 |
2020-04-29 | CVE-2020-12462 | Ninjaforms | Cross-Site Request Forgery (CSRF) vulnerability in Ninjaforms Ninja Forms The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS. | 6.1 |
2020-04-29 | CVE-2020-10797 | Netgate | Cross-site Scripting vulnerability in Netgate Pfsense An XSS vulnerability resides in the hostname field of the diag_ping.php page in pfsense before 2.4.5 version. | 6.1 |
2020-04-28 | CVE-2020-5568 | Cybozu | Cross-site Scripting vulnerability in Cybozu Garoon Cross-site scripting vulnerability in Cybozu Garoon 4.6.0 to 5.0.0 allows remote attackers to inject arbitrary web script or HTML via the applications 'Messages' and 'Bulletin Board'. | 6.1 |
2020-04-28 | CVE-2020-5564 | Cybozu | Cross-site Scripting vulnerability in Cybozu Garoon Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 allows remote attackers to inject arbitrary web script or HTML via the application 'E-mail'. | 6.1 |
2020-04-27 | CVE-2018-21155 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 6.1 |
2020-04-27 | CVE-2020-11822 | Rukovoditel | Cross-site Scripting vulnerability in Rukovoditel 2.5.2 In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the application structure --> user access groups page. | 6.1 |
2020-04-27 | CVE-2020-12052 | Grafana | Cross-site Scripting vulnerability in Grafana Grafana version < 6.7.3 is vulnerable to annotation popup XSS. | 6.1 |
2020-04-29 | CVE-2020-7453 | Freebsd | Improper Check for Unusual or Exceptional Conditions vulnerability in Freebsd 11.3/12.1 In FreeBSD 12.1-STABLE before r359021, 12.1-RELEASE before 12.1-RELEASE-p3, 11.3-STABLE before r359020, and 11.3-RELEASE before 11.3-RELEASE-p7, a missing null termination check in the jail_set configuration option "osrelease" may return more bytes with a subsequent jail_get system call allowing a malicious jail superuser with permission to create nested jails to read kernel memory. | 6.0 |
2020-04-29 | CVE-2019-19101 | BR Automation | Improper Certificate Validation vulnerability in Br-Automation Automation Studio A missing secure communication definition and an incomplete TLS validation in the upgrade service in B&R Automation Studio versions 4.0.x, 4.1.x, 4.2.x, < 4.3.11SP, < 4.4.9SP, < 4.5.5SP, < 4.6.4 and < 4.7.2 enable unauthenticated users to perform MITM attacks via the B&R upgrade server. | 5.9 |
2020-04-30 | CVE-2020-6867 | ZTE | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in ZTE Zenic ONE R22B 16.19.10P02Sp002/6.19.10P02Sp005 ZTE's SDON controller is impacted by the resource management error vulnerability. | 5.5 |
2020-04-30 | CVE-2020-5890 | F5 | Information Exposure vulnerability in F5 products On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, and 12.1.0-12.1.5.1 and BIG-IQ 5.2.0-7.1.0, when creating a QKView, credentials for binding to LDAP servers used for remote authentication of the BIG-IP administrative interface will not fully obfuscate if they contain whitespace. | 5.5 |
2020-04-29 | CVE-2020-12459 | Grafana Fedoraproject | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable. | 5.5 |
2020-04-29 | CVE-2020-12458 | Grafana Redhat Fedoraproject | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products An information-disclosure flaw was found in Grafana through 6.7.3. | 5.5 |
2020-04-29 | CVE-2018-21232 | Re2C | Uncontrolled Recursion vulnerability in Re2C 1.3 re2c before 2.0 has uncontrolled recursion that causes stack consumption in find_fixed_tags. | 5.5 |
2020-04-28 | CVE-2019-15877 | Freebsd | Missing Authorization vulnerability in Freebsd 12.1 In FreeBSD 12.1-STABLE before r356606 and 12.1-RELEASE before 12.1-RELEASE-p3, driver specific ioctl command handlers in the ixl network driver failed to check whether the caller has sufficient privileges allowing unprivileged users to trigger updates to the device's non-volatile memory. | 5.5 |
2020-04-28 | CVE-2019-15876 | Freebsd | Missing Authorization vulnerability in Freebsd 11.3/12.1 In FreeBSD 12.1-STABLE before r356089, 12.1-RELEASE before 12.1-RELEASE-p3, 11.3-STABLE before r356090, and 11.3-RELEASE before 11.3-RELEASE-p7, driver specific ioctl command handlers in the oce network driver failed to check whether the caller has sufficient privileges allowing unprivileged users to send passthrough commands to the device firmware. | 5.5 |
2020-04-27 | CVE-2018-21167 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 5.5 |
2020-04-27 | CVE-2020-1880 | Huawei | Improper Input Validation vulnerability in Huawei Lion-Al00C Firmware Huawei smartphone Lion-AL00C with versions earlier than 10.0.0.205(C00E202R7P2) has a denial of service vulnerability. | 5.5 |
2020-04-27 | CVE-2020-9489 | Apache Oracle | Infinite Loop vulnerability in multiple products A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. | 5.5 |
2020-04-30 | CVE-2020-11030 | Wordpress Debian | Cross-site Scripting vulnerability in multiple products In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. | 5.4 |
2020-04-30 | CVE-2020-11026 | Wordpress Debian | Cross-site Scripting vulnerability in multiple products In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. | 5.4 |
2020-04-30 | CVE-2020-11025 | Wordpress Debian | Cross-site Scripting vulnerability in multiple products In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. | 5.4 |
2020-04-30 | CVE-2020-5889 | F5 | Cross-site Scripting vulnerability in F5 Big-Ip Access Policy Manager On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, in BIG-IP APM portal access, a specially crafted HTTP request can lead to reflected XSS after the BIG-IP APM system rewrites the HTTP response from the untrusted backend server and sends it to the client. | 5.4 |
2020-04-29 | CVE-2020-12472 | Mono | Cross-site Scripting vulnerability in Mono Monox 5.1.40.5152 MonoX through 5.1.40.5152 allows stored XSS via User Status, Blog Comments, or Blog Description. | 5.4 |
2020-04-29 | CVE-2019-7634 | Ifrn | Cross-site Scripting vulnerability in Ifrn Sistema Unificado DE Administracao Publica 2.0 SUAP V2 allows XSS during the update of user information. | 5.4 |
2020-04-28 | CVE-2020-12261 | Opmantek | Cross-site Scripting vulnerability in Opmantek Open-Audit 3.3.0 Open-AudIT 3.3.0 allows an XSS attack after login. | 5.4 |
2020-04-28 | CVE-2020-12438 | PHP Fusion | Cross-site Scripting vulnerability in PHP-Fusion 9.03.50 An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. | 5.4 |
2020-04-28 | CVE-2020-10944 | Hashicorp | Cross-site Scripting vulnerability in Hashicorp Nomad HashiCorp Nomad and Nomad Enterprise up to 0.10.4 contained a cross-site scripting vulnerability such that files from a malicious workload could cause arbitrary JavaScript to execute in the web UI. | 5.4 |
2020-04-28 | CVE-2020-10094 | Lexmark | Cross-site Scripting vulnerability in Lexmark products A cross-site scripting (XSS) vulnerability in Lexmark CS31x before LW74.VYL.P273; CS41x before LW74.VY2.P273; CS51x before LW74.VY4.P273; CX310 before LW74.GM2.P273; CX410 & XC2130 before LW74.GM4.P273; CX510 & XC2132 before LW74.GM7.P273; MS310, MS312, MS317 before LW74.PRL.P273; MS410, M1140 before LW74.PRL.P273; MS315, MS415, MS417 before LW74.TL2.P273; MS51x, MS610dn, MS617 before LW74.PR2.P273; M1145, M3150dn before LW74.PR2.P273; MS610de, M3150 before LW74.PR4.P273; MS71x, M5163dn before LW74.DN2.P273; MS810, MS811, MS812, MS817, MS818 before LW74.DN2.P273; MS810de, M5155, M5163 before LW74.DN4.P273; MS812de, M5170 before LW74.DN7.P273; MS91x before LW74.SA.P273; MX31x, XM1135 before LW74.SB2.P273; MX410, MX510 & MX511 before LW74.SB4.P273; XM1140, XM1145 before LW74.SB4.P273; MX610 & MX611 before LW74.SB7.P273; XM3150 before LW74.SB7.P273; MX71x, MX81x before LW74.TU.P273; XM51xx & XM71xx before LW74.TU.P273; MX91x & XM91x before LW74.MG.P273; MX6500e before LW74.JD.P273; C746 before LHS60.CM2.P738; C748, CS748 before LHS60.CM4.P738; C792, CS796 before LHS60.HC.P738; C925 before LHS60.HV.P738; C950 before LHS60.TP.P738; X548 & XS548 before LHS60.VK.P738; X74x & XS748 before LHS60.NY.P738; X792 & XS79x before LHS60.MR.P738; X925 & XS925 before LHS60.HK.P738; X95x & XS95x before LHS60.TQ.P738; 6500e before LHS60.JR.P738; C734 LR.SK.P824 and earlier; C736 LR.SKE.P824 and earlier; E46x LR.LBH.P824 and earlier; T65x LR.JP.P824 and earlier; X46x LR.BS.P824 and earlier; X65x LR.MN.P824 and earlier; X73x LR.FL.P824 and earlier; W850 LP.JB.P823 and earlier; and X86x LP.SP.P823 and earlier. | 5.4 |
2020-04-28 | CVE-2020-10093 | Lexmark | Cross-site Scripting vulnerability in Lexmark products A cross-site scripting (XSS) vulnerability in Lexmark Pro910 series inkjet and other discontinued products. | 5.4 |
2020-04-28 | CVE-2020-5570 | NI Consul | Cross-site Scripting vulnerability in Ni-Consul Sales Force Assistant 11.2.48 Cross-site scripting vulnerability in Sales Force Assistant version 11.2.48 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. | 5.4 |
2020-04-27 | CVE-2019-18223 | Eleveo | Cross-site Scripting vulnerability in Eleveo Call Recording 6.3.1 ZOOM International Call Recording 6.3.1 suffers from multiple authenticated stored XSS vulnerabilities via the phoneNumber field in the (1) User Edit or (2) User Add form, (3) name field in the Role Add form, (4) name or number field in the Edit Group form, (5) tagKey or tagValue field in the Recording Rules Configuration, or (6) txt_69735:/VemailAddress/value or txt_75767:/VemailFrom/value field in callrec/config. | 5.4 |
2020-05-01 | CVE-2020-12117 | Moxa | Missing Authentication for Critical Function vulnerability in Moxa Nport 5100A Firmware 1.5 Moxa Service in Moxa NPort 5150A firmware version 1.5 and earlier allows attackers to obtain sensitive configuration values via a crafted packet to UDP port 4800. | 5.3 |
2020-04-29 | CVE-2020-12277 | Gitlab | Incorrect Default Permissions vulnerability in Gitlab GitLab 10.8 through 12.9 has a vulnerability that allows someone to mirror a repository even if the feature is not activated. | 5.3 |
2020-04-29 | CVE-2020-12275 | Gitlab | Unspecified vulnerability in Gitlab GitLab 12.6 through 12.9 is vulnerable to a privilege escalation that allows an external user to create a personal snippet through the API. | 5.3 |
2020-04-28 | CVE-2020-7451 | Freebsd | Use of Uninitialized Resource vulnerability in Freebsd 11.3/12.1 In FreeBSD 12.1-STABLE before r358739, 12.1-RELEASE before 12.1-RELEASE-p3, 11.3-STABLE before r358740, and 11.3-RELEASE before 11.3-RELEASE-p7, a TCP SYN-ACK or challenge TCP-ACK segment over IPv6 that is transmitted or retransmitted does not properly initialize the Traffic Class field disclosing one byte of kernel memory over the network. | 5.3 |
2020-04-28 | CVE-2020-5563 | Cybozu | Improper Authentication vulnerability in Cybozu Garoon Improper authentication vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 allows remote attackers to obtain data in the affected product via the API. | 5.3 |
2020-04-27 | CVE-2020-1722 | Freeipa Redhat | A flaw was found in all ipa versions 4.x.x through 4.8.0. | 5.3 |
2020-04-27 | CVE-2019-5303 | Huawei | Improper Input Validation vulnerability in Huawei products There are two denial of service vulnerabilities on some Huawei smartphones. | 5.3 |
2020-04-27 | CVE-2019-5302 | Huawei | Improper Input Validation vulnerability in Huawei products There are two denial of service vulnerabilities on some Huawei smartphones. | 5.3 |
2020-04-27 | CVE-2020-11821 | Rukovoditel | Insufficiently Protected Credentials vulnerability in Rukovoditel 2.5.2 In Rukovoditel 2.5.2, users' passwords and usernames are stored in a cookie with URL encoding, base64 encoding, and hashing. | 5.3 |
2020-04-27 | CVE-2020-12272 | Trusteddomain Fedoraproject | Authentication Bypass by Spoofing vulnerability in multiple products OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication results to provide false information about the domain that originated an e-mail message. | 5.3 |
2020-04-30 | CVE-2020-10691 | Redhat | Path Traversal vulnerability in Redhat Ansible Engine and Ansible Tower An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. | 5.2 |
2020-04-30 | CVE-2020-6866 | ZTE | Unspecified vulnerability in ZTE Zxctn 6500 Firmware 2.10.00R3B87 A ZTE product is impacted by a resource management error vulnerability. | 4.9 |
2020-04-28 | CVE-2020-1774 | Otrs Debian | When a user downloads PGP or S/MIME keys/certificates, the exported file has the same name for private and public keys. | 4.9 |
2020-04-28 | CVE-2020-5562 | Cybozu | Server-Side Request Forgery (SSRF) vulnerability in Cybozu Garoon Server-side request forgery (SSRF) vulnerability in Cybozu Garoon 4.6.0 to 4.6.3 allows a remote attacker with an administrative privilege to issue arbitrary HTTP requests to other web servers via V-CUBE Meeting function. | 4.9 |
2020-04-27 | CVE-2018-21159 | Netgear | Unspecified vulnerability in Netgear Readynas OS NETGEAR ReadyNAS devices before 6.9.3 are affected by incorrect configuration of security settings. | 4.9 |
2020-04-27 | CVE-2020-11415 | Sonatype | Cleartext Storage of Sensitive Information vulnerability in Sonatype Nexus Repository Manager An issue was discovered in Sonatype Nexus Repository Manager 2.x before 2.14.17 and 3.x before 3.22.1. | 4.9 |
2020-04-29 | CVE-2020-12276 | Gitlab | Cross-site Scripting vulnerability in Gitlab GitLab 9.5.9 through 12.9 is vulnerable to stored XSS in an admin notification feature. | 4.8 |
2020-04-28 | CVE-2018-21209 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by reflected XSS. | 4.8 |
2020-04-30 | CVE-2020-11037 | Torchbox | Race Condition vulnerability in Torchbox Wagtail 2.8/2.8.1 In Wagtail before versions 2.7.3 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. | 4.7 |
2020-05-02 | CVE-2020-5727 | Simplisafe | Improper Authentication vulnerability in Simplisafe SS3 Firmware 1.0/1.3 Authentication bypass using an alternate path or channel in SimpliSafe SS3 firmware 1.4 allows a local, unauthenticated attacker to pair a rogue keypad to an armed system. | 4.6 |
2020-04-30 | CVE-2020-12101 | XT Commerce | Incorrect Default Permissions vulnerability in Xt-Commerce The address-management feature in xt:Commerce 5.1 to 6.2.2 allows remote authenticated users to zero out other users' stored addresses by manipulating an id field in the POST request for altering an address. | 4.3 |
2020-04-30 | CVE-2020-9387 | Mahara | Information Exposure vulnerability in Mahara In Mahara 19.04 before 19.04.5 and 19.10 before 19.10.3, account details are shared in the Elasticsearch results for accounts that are not accessible when the config setting 'Isolated institutions' is turned on. | 4.3 |
2020-04-29 | CVE-2019-4288 | IBM | Unspecified vulnerability in IBM Maximo Anywhere IBM Maximo Anywhere 7.6.2.0, 7.6.2.1, 7.6.3.0, and 7.6.3.1 could disclose highly sensitive user information to an authenticated user with physical access to the device. | 4.3 |
2020-04-29 | CVE-2019-4286 | IBM | Information Exposure Through Log Files vulnerability in IBM Maximo Anywhere IBM Maximo Anywhere 7.6.2.0, 7.6.2.1, 7.6.3.0, and 7.6.3.1 could disclose highly sensitive user information to an authenticated user with physical access to the device. | 4.3 |
2020-04-28 | CVE-2016-11055 | Netgear | Cross-Site Request Forgery (CSRF) vulnerability in Netgear products Certain NETGEAR devices are affected by CSRF. | 4.3 |
2020-04-28 | CVE-2020-4329 | IBM | Unspecified vulnerability in IBM Websphere Application Server IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. | 4.3 |
2020-04-28 | CVE-2020-12286 | Octopus | Unspecified vulnerability in Octopus Deploy In Octopus Deploy before 2019.12.9 and 2020 before 2020.1.12, the TaskView permission is not scoped to any dimension. | 4.3 |
2020-04-28 | CVE-2020-5566 | Cybozu | Unspecified vulnerability in Cybozu Garoon Improper authorization vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 allows remote authenticated attackers to alter the application's data via the applications 'E-mail' and 'Messages'. | 4.3 |
2020-04-28 | CVE-2020-5565 | Cybozu | Improper Input Validation vulnerability in Cybozu Garoon Improper input validation vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 allows a remote authenticated attacker to alter the application's data via the applications 'Workflow' and 'MultiReport'. | 4.3 |
2020-04-27 | CVE-2018-21095 | Netgear | Cross-site Scripting vulnerability in Netgear Srr60 Firmware and Srs60 Firmware Certain NETGEAR devices are affected by stored XSS. | 4.3 |
2020-04-27 | CVE-2019-4729 | IBM Netapp | Information Exposure Through an Error Message vulnerability in multiple products IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 4.3 |
8 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-04-30 | CVE-2020-5893 | F5 | Cleartext Transmission of Sensitive Information vulnerability in F5 Big-Ip Access Policy Manager In versions 7.1.5-7.1.8, when a user connects to a VPN using BIG-IP Edge Client over an unsecure network, BIG-IP Edge Client responds to authentication requests over HTTP while sending probes for captive portal detection. | 3.7 |
2020-04-27 | CVE-2020-9488 | Apache Oracle Debian QOS | Improper Certificate Validation vulnerability in multiple products Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. | 3.7 |
2020-04-27 | CVE-2020-11810 | Openvpn Debian Fedoraproject | Race Condition vulnerability in multiple products An issue was discovered in OpenVPN 2.4.x before 2.4.9. | 3.7 |
2020-04-27 | CVE-2020-1807 | Huawei | Unspecified vulnerability in Huawei Mate 20 Firmware HUAWEI Mate 20 smartphones with versions earlier than 10.0.0.188(C00E74R3P8) have an improper authorization vulnerability. | 3.5 |
2020-04-29 | CVE-2020-8478 | ABB | Injection vulnerability in ABB Base Software, MMS Server and OPC Server Insufficient protection of the inter-process communication functions in ABB System 800xA products OPC Server for AC 800M, MMS Server for AC 800M and Base Software for SoftControl (all published versions) enables an attacker authenticated on the local system to inject data, affecting the online view of runtime data shown in Control Builder. | 3.3 |
2020-04-28 | CVE-2019-15790 | Apport Project Canonical | Improper Privilege Management vulnerability in multiple products Apport reads and writes information on a crashed process to /proc/pid with elevated privileges. | 3.3 |
2020-04-27 | CVE-2020-11869 | Qemu | Integer Overflow or Wraparound vulnerability in Qemu An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. | 3.3 |
2020-04-29 | CVE-2020-12251 | Gigamon | Path Traversal vulnerability in Gigamon Gigavue An issue was discovered in Gigamon GigaVUE 5.5.01.11. | 2.2 |