Weekly Vulnerabilities Reports > May 4 to 10, 2020
Overview
289 new vulnerabilities were reported during this period, including 41 critical vulnerabilities and 110 high severity vulnerabilities. This weekly summary reports vulnerabilities in 290 products from 121 vendors, including Cisco, Debian, Canonical, Linux, and Opensuse. Vulnerabilities are notably categorized as "Cross-site Scripting", "Path Traversal", "Out-of-bounds Write", "Improper Privilege Management", and "OS Command Injection".
- 226 reported vulnerabilities are remotely exploitable.
- 4 reported vulnerabilities have a public exploit available.
- 108 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 161 reported vulnerabilities are exploitable by an anonymous user.
- Cisco has the most reported vulnerabilities, with 35 reported vulnerabilities.
- Advantech has the most reported critical vulnerabilities, with 4 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported for the period covered by this report:
41 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-05-09 | CVE-2020-12766 | Solis | SQL Injection vulnerability in Solis Gnuteca 3.8 Gnuteca 3.8 allows action=main:search:simpleSearch SQL Injection via the exemplaryStatusId parameter. | 9.8 |
2020-05-09 | CVE-2020-12637 | Zulipchat | Improper Certificate Validation vulnerability in Zulipchat Zulip Desktop Zulip Desktop before 5.2.0 has Missing SSL Certificate Validation because all validation was inadvertently disabled during an attempt to recognize the ignoreCerts option. | 9.8 |
2020-05-08 | CVE-2020-11532 | Zohocorp | Insecure Default Initialization of Resource vulnerability in Zohocorp products Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. | 9.8 |
2020-05-08 | CVE-2020-11530 | Idangero | SQL Injection vulnerability in Idangero Chop Slider 3.0 A blind SQL injection vulnerability is present in Chop Slider 3, a WordPress plugin. | 9.8 |
2020-05-08 | CVE-2020-12022 | Advantech | Improper Validation of Array Index vulnerability in Advantech Webaccess Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. | 9.8 |
2020-05-08 | CVE-2020-12006 | Advantech | Path Traversal vulnerability in Advantech Webaccess Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. | 9.8 |
2020-05-08 | CVE-2020-12002 | Advantech | Out-of-bounds Write vulnerability in Advantech Webaccess Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. | 9.8 |
2020-05-08 | CVE-2020-10638 | Advantech | Out-of-bounds Write vulnerability in Advantech Webaccess Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. | 9.8 |
2020-05-08 | CVE-2020-12735 | Domainmod | Insufficient Entropy vulnerability in Domainmod 4.13.0 reset.php in DomainMOD 4.13.0 uses insufficient entropy for password reset requests, leading to account takeover. | 9.8 |
2020-05-08 | CVE-2020-12720 | Vbulletin | Missing Authentication for Critical Function vulnerability in Vbulletin vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control. | 9.8 |
2020-05-07 | CVE-2020-11052 | Sorcery Project | Improper Restriction of Excessive Authentication Attempts vulnerability in Sorcery Project Sorcery In Sorcery before 0.15.0, there is a brute force vulnerability when using password authentication via Sorcery. | 9.8 |
2020-05-07 | CVE-2020-10794 | Gira | Path Traversal vulnerability in Gira Tks-Ip-Gateway Firmware 4.0.7.7 Gira TKS-IP-Gateway 4.0.7.7 is vulnerable to unauthenticated path traversal that allows an attacker to download the application database. | 9.8 |
2020-05-07 | CVE-2020-10176 | Assaabloy | Code Injection vulnerability in Assaabloy Yale Wipc-301W Firmware 2.X.2.29/2.X.2.43 ASSA ABLOY Yale WIPC-301W 2.x.2.29 through 2.x.2.43_p1 devices allow Eval Injection of commands. | 9.8 |
2020-05-07 | CVE-2020-4429 | IBM | Use of Hard-coded Credentials vulnerability in IBM Data Risk Manager IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 contains a default password for an IDRM administrative account. | 9.8 |
2020-05-07 | CVE-2020-4427 | IBM | Unspecified vulnerability in IBM Data Risk Manager IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. | 9.8 |
2020-05-07 | CVE-2020-7805 | Infomark | OS Command Injection vulnerability in Infomark Iml500 Firmware and Iml520 Firmware An issue was discovered on KT Slim egg IML500 (R7283, R8112, R8424) and IML520 (R8112, R8368, R8411) wifi device. | 9.8 |
2020-05-07 | CVE-2020-7646 | Curlrequest Project | OS Command Injection vulnerability in Curlrequest Project Curlrequest curlrequest through 1.0.1 allows reading any file by populating the file parameter with user input. | 9.8 |
2020-05-07 | CVE-2019-18869 | Blaauwproducts | Unspecified vulnerability in Blaauwproducts Remote Kiln Control 3.0.0 Leftover Debug Code in Blaauw Remote Kiln Control through v3.00r4 allows a user to execute arbitrary php code via /default.php?idx=17. | 9.8 |
2020-05-07 | CVE-2019-18868 | Blaauwproducts | Insufficiently Protected Credentials vulnerability in Blaauwproducts Remote Kiln Control 3.0.0 Blaauw Remote Kiln Control through v3.00r4 allows an unauthenticated attacker to access MySQL credentials in cleartext in /engine/db.inc, /lang/nl.bak, or /lang/en.bak. | 9.8 |
2020-05-06 | CVE-2020-8899 | | Out-of-bounds Write vulnerability in Google Android There is a buffer overwrite vulnerability in the Quram qmg library of Samsung's Android OS versions O(8.x), P(9.0) and Q(10.0). | 9.8 |
2020-05-06 | CVE-2020-3318 | Cisco | Use of Hard-coded Credentials vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in Cisco Firepower Management Center (FMC) Software and Cisco Firepower User Agent Software could allow an attacker to access a sensitive part of an affected system with a high-privileged account. | 9.8 |
2020-05-06 | CVE-2020-3125 | Cisco | Improper Authentication vulnerability in Cisco products A vulnerability in the Kerberos authentication feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) and bypass authentication on an affected device that is configured to perform Kerberos authentication for VPN or local device access. | 9.8 |
2020-05-06 | CVE-2020-7806 | Tobesoft | Download of Code Without Integrity Check vulnerability in Tobesoft Xplatform Tobesoft Xplatform 9.2.2.250 and earlier version have an arbitrary code execution vulnerability by using method supported by Xplatform ActiveX Control. | 9.8 |
2020-05-06 | CVE-2019-19169 | Raonwiz | Unspecified vulnerability in Raonwiz Dext5 2.7 Dext5.ocx ActiveX 5.0.0.116 and earlier versions contain a vulnerability, which could allow remote attacker to download arbitrary file by setting the arguments to the activex method. | 9.8 |
2020-05-06 | CVE-2019-19168 | Raonwiz | Unspecified vulnerability in Raonwiz Dext5 2.7 Dext5.ocx ActiveX 5.0.0.116 and earlier versions contain a vulnerability, which could allow remote attacker to download and execute remote arbitrary file by setting the arguments to the activex method. | 9.8 |
2020-05-06 | CVE-2019-19167 | Tobesoft | Unspecified vulnerability in Tobesoft Nexacro Tobesoft Nexacro v2019.9.25.1 and earlier version have an arbitrary code execution vulnerability by using method supported by Nexacro14 ActiveX Control. | 9.8 |
2020-05-04 | CVE-2020-12641 | Roundcube Opensuse | OS Command Injection vulnerability in multiple products rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. | 9.8 |
2020-05-04 | CVE-2020-12640 | Roundcube Opensuse | Path Traversal vulnerability in multiple products Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php. | 9.8 |
2020-05-04 | CVE-2020-8790 | Oklok Project | Weak Password Requirements vulnerability in Oklok Project Oklok 3.1.1 The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) has weak password requirements combined with improper restriction of excessive authentication attempts, which could allow a remote attacker to discover user credentials and obtain access via a brute force attack. | 9.8 |
2020-05-04 | CVE-2020-12110 | TP Link | Use of Hard-coded Credentials vulnerability in Tp-Link products Certain TP-Link devices have a Hardcoded Encryption Key. | 9.8 |
2020-05-04 | CVE-2020-1961 | Apache | Injection vulnerability in Apache Syncope Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered. | 9.8 |
2020-05-04 | CVE-2020-1959 | Apache | Expression Language Injection vulnerability in Apache Syncope A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. | 9.8 |
2020-05-04 | CVE-2020-1631 | Juniper | Path Traversal vulnerability in Juniper Junos A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file inclusion (LFI) or path traversal. | 9.8 |
2020-05-04 | CVE-2020-12627 | Janeczku | Use of Hard-coded Credentials vulnerability in Janeczku Calibre-Web 0.6.6 Calibre-Web 0.6.6 allows authentication bypass because of the 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT' hardcoded secret key. | 9.8 |
2020-05-05 | CVE-2020-11035 | Glpi Project Fedoraproject | Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. | 9.3 |
2020-05-09 | CVE-2020-12761 | Enlightenment | Integer Overflow or Wraparound vulnerability in Enlightenment Imlib2 1.6.0 modules/loaders/loader_ico.c in imlib2 1.6.0 has an integer overflow (with resultant invalid memory allocations and out-of-bounds reads) via an icon with many colors in its color map. | 9.1 |
2020-05-08 | CVE-2020-12740 | Broadcom Fedoraproject | Out-of-bounds Read vulnerability in multiple products tcprewrite in Tcpreplay through 4.3.2 has a heap-based buffer over-read during a get_c operation. | 9.1 |
2020-05-07 | CVE-2020-4428 | IBM | OS Command Injection vulnerability in IBM Data Risk Manager IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. | 9.1 |
2020-05-07 | CVE-2020-11431 | Inetsoftware | Path Traversal vulnerability in Inetsoftware Clear Reports, Helpdesk and Pdfc The documentation component in i-net Clear Reports 16.0 to 19.2, HelpDesk 8.0 to 8.3, and PDFC 4.3 to 6.2 allows a remote unauthenticated attacker to read arbitrary system files and directories on the target server via Directory Traversal. | 9.1 |
2020-05-06 | CVE-2020-3187 | Cisco | Path Traversal vulnerability in Cisco products A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted system. | 9.1 |
2020-05-05 | CVE-2020-10634 | SAE IT | Path Traversal vulnerability in Sae-It Net-Line Fw-50 Firmware SAE IT-systems FW-50 Remote Telemetry Unit (RTU). | 9.1 |
110 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-05-08 | CVE-2020-11531 | Zohocorp | Path Traversal vulnerability in Zohocorp products The DataEngine Xnode Server application in Zoho ManageEngine DataSecurity Plus prior to 6.0.1 does not validate the database schema name when handling a DR-SCHEMA-SYNC request. | 8.8 |
2020-05-08 | CVE-2020-12026 | Advantech | Path Traversal vulnerability in Advantech Webaccess Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. | 8.8 |
2020-05-07 | CVE-2020-9474 | Siedle | Download of Code Without Integrity Check vulnerability in Siedle SG 150-0 Firmware 1.1.0 The S. | 8.8 |
2020-05-07 | CVE-2020-7803 | Imgtech | Unspecified vulnerability in Imgtech Zoneplayer 2.0.1.3/2.0.1.4 IMGTech Co,Ltd ZInsX.ocx ActiveX Control in Zoneplayer 2.0.1.3, version 2.0.1.4 and prior versions on Windows. | 8.8 |
2020-05-07 | CVE-2020-10971 | Wavlink | Improper Input Validation vulnerability in Wavlink products An issue was discovered on Wavlink Jetstream devices where a crafted POST request can be sent to adm.cgi that will result in the execution of the supplied command if there is an active session at the same time. | 8.8 |
2020-05-07 | CVE-2019-19164 | Raonwiz | Unspecified vulnerability in Raonwiz Dext5 2.7 dext5.ocx ActiveX Control in Dext5 Upload 5.0.0.112 and earlier versions contains a vulnerability that could allow remote files to be executed by setting the arguments to the activex method. | 8.8 |
2020-05-07 | CVE-2019-18871 | Blaauwproducts | Path Traversal vulnerability in Blaauwproducts Remote Kiln Control 3.0.0 A path traversal in debug.php accessed via default.php in Blaauw Remote Kiln Control through v3.00r4 allows an authenticated attacker to upload arbitrary files, leading to arbitrary remote code execution. | 8.8 |
2020-05-07 | CVE-2020-6081 | Codesys | Insufficient Verification of Data Authenticity vulnerability in Codesys Runtime 3.5.14.30 An exploitable code execution vulnerability exists in the PLC_Task functionality of 3S-Smart Software Solutions GmbH CODESYS Runtime 3.5.14.30. | 8.8 |
2020-05-07 | CVE-2020-12691 | Openstack Canonical | Incorrect Authorization vulnerability in multiple products An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. | 8.8 |
2020-05-07 | CVE-2020-12690 | Openstack | Insufficient Session Expiration vulnerability in Openstack Keystone An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. | 8.8 |
2020-05-07 | CVE-2020-12689 | Openstack Canonical | Improper Privilege Management vulnerability in multiple products An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. | 8.8 |
2020-05-06 | CVE-2020-12669 | Dolibarr | Improper Input Validation vulnerability in Dolibarr core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter. | 8.8 |
2020-05-06 | CVE-2020-6094 | Accusoft | Integer Overflow or Wraparound vulnerability in Accusoft Imagegear 19.4.0/19.5.0/19.6.0 An exploitable code execution vulnerability exists in the TIFF fillinraster function of the igcore19d.dll library of Accusoft ImageGear 19.4, 19.5 and 19.6. | 8.8 |
2020-05-06 | CVE-2020-6082 | Accusoft | Out-of-bounds Write vulnerability in Accusoft Imagegear 19.4.0/19.5.0/19.6.0 An exploitable out-of-bounds write vulnerability exists in the ico_read function of the igcore19d.dll library of Accusoft ImageGear 19.6.0. | 8.8 |
2020-05-06 | CVE-2020-6076 | Accusoft | Out-of-bounds Write vulnerability in Accusoft Imagegear 19.5.0 An exploitable out-of-bounds write vulnerability exists in the igcore19d.dll ICO icoread parser of the Accusoft ImageGear 19.5.0 library. | 8.8 |
2020-05-06 | CVE-2020-6075 | Accusoft | Out-of-bounds Write vulnerability in Accusoft Imagegear 19.5.0 An exploitable out-of-bounds write vulnerability exists in the store_data_buffer function of the igcore19d.dll library of Accusoft ImageGear 19.5.0. | 8.8 |
2020-05-06 | CVE-2020-2189 | Jenkins | Deserialization of Untrusted Data vulnerability in Jenkins Source Code Management Filter Jervis 0.1/0.2/0.2.1 Jenkins SCM Filter Jervis Plugin 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. | 8.8 |
2020-05-05 | CVE-2020-8830 | Commscope | Server-Side Request Forgery (SSRF) vulnerability in Commscope Ruckus Zoneflex R500 Firmware CSRF in login.asp on Ruckus devices allows an attacker to access the panel, and use SSRF to perform scraping or other analysis via the SUBCA-1 field on the Wireless Admin screen. | 8.8 |
2020-05-05 | CVE-2020-8829 | Intelbras | Cross-Site Request Forgery (CSRF) vulnerability in Intelbras CIP 92200 Firmware CSRF on Intelbras CIP 92200 devices allows an attacker to access the panel and perform scraping or other analysis. | 8.8 |
2020-05-05 | CVE-2019-19517 | Intelbras | Cross-Site Request Forgery (CSRF) vulnerability in Intelbras Action RF 1200 Firmware 1.1.3 Intelbras RF1200 1.1.3 devices allow CSRF to bypass the login.html form, as demonstrated by launching a scrapy process. | 8.8 |
2020-05-05 | CVE-2020-12104 | Internet Formation | SQL Injection vulnerability in Internet-Formation Wp-Advanced-Search The Import feature in the wp-advanced-search plugin 3.3.6 for WordPress is vulnerable to authenticated SQL injection via an uploaded .sql file. | 8.8 |
2020-05-05 | CVE-2017-18864 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 8.8 |
2020-05-04 | CVE-2020-5335 | RSA | Cross-Site Request Forgery (CSRF) vulnerability in RSA Archer RSA Archer, versions prior to 6.7 P2 (6.7.0.2), contain a cross-site request forgery vulnerability. | 8.8 |
2020-05-04 | CVE-2020-12109 | TP Link | OS Command Injection vulnerability in Tp-Link products Certain TP-Link devices allow Command Injection. | 8.8 |
2020-05-04 | CVE-2020-12111 | TP Link | OS Command Injection vulnerability in Tp-Link Nc260 Firmware and Nc450 Firmware Certain TP-Link devices allow Command Injection. | 8.8 |
2020-05-06 | CVE-2020-3283 | Cisco | Out-of-bounds Write vulnerability in Cisco products A vulnerability in the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) handler of Cisco Firepower Threat Defense (FTD) Software when running on the Cisco Firepower 1000 Series platform could allow an unauthenticated, remote attacker to trigger a denial of service (DoS) condition on an affected device. | 8.6 |
2020-05-06 | CVE-2020-3196 | Cisco | Resource Exhaustion vulnerability in Cisco products A vulnerability in the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) handler of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust memory resources on the affected device, leading to a denial of service (DoS) condition. | 8.6 |
2020-05-06 | CVE-2020-3191 | Cisco | Improper Input Validation vulnerability in Cisco products A vulnerability in DNS over IPv6 packet processing for Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to unexpectedly reload, resulting in a denial of service (DoS) condition. | 8.6 |
2020-05-06 | CVE-2020-3189 | Cisco | Memory Leak vulnerability in Cisco products A vulnerability in the VPN System Logging functionality for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a memory leak that can deplete system memory over time, which can cause unexpected system behaviors or device crashes. | 8.6 |
2020-05-08 | CVE-2020-7267 | Mcafee | Improper Privilege Management vulnerability in Mcafee Virusscan Enterprise 8.8 Privilege Escalation vulnerability in McAfee VirusScan Enterprise (VSE) for Linux prior to 2.0.3 Hotfix 2635000 allows local users to delete files the user would otherwise not have access to via manipulating symbolic links to redirect a McAfee delete action to an unintended file. | 8.4 |
2020-05-08 | CVE-2020-7266 | Mcafee | Improper Privilege Management vulnerability in Mcafee Virusscan Enterprise 1.9.0/1.9.1/2.0.0 Privilege Escalation vulnerability in McAfee VirusScan Enterprise (VSE) for Windows prior to 8.8 Patch 14 Hotfix 116778 allows local users to delete files the user would otherwise not have access to via manipulating symbolic links to redirect a McAfee delete action to an unintended file. | 8.4 |
2020-05-08 | CVE-2020-7265 | Mcafee | Improper Privilege Management vulnerability in Mcafee Endpoint Security Privilege Escalation vulnerability in McAfee Endpoint Security (ENS) for Mac prior to 10.6.9 allows local users to delete files the user would otherwise not have access to via manipulating symbolic links to redirect a McAfee delete action to an unintended file. | 8.4 |
2020-05-08 | CVE-2020-7264 | Mcafee | Improper Privilege Management vulnerability in Mcafee Endpoint Security Privilege Escalation vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 Hotfix 199847 allows local users to delete files the user would otherwise not have access to via manipulating symbolic links to redirect a McAfee delete action to an unintended file. | 8.4 |
2020-05-07 | CVE-2020-11050 | Java Websocket Project | Improper Certificate Validation vulnerability in Java-Websocket Project Java-Websocket In Java-WebSocket less than or equal to 1.4.1, there is an Improper Validation of Certificate with Host Mismatch where WebSocketClient does not perform SSL hostname validation. | 8.1 |
2020-05-07 | CVE-2020-5894 | F5 | Session Fixation vulnerability in F5 Nginx Controller On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out. | 8.1 |
2020-05-06 | CVE-2020-3302 | Cisco | Improper Input Validation vulnerability in Cisco Secure Firewall Management Center A vulnerability in the web UI of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to overwrite files on the file system of an affected device. | 8.1 |
2020-05-05 | CVE-2020-7983 | Commscope | Cross-Site Request Forgery (CSRF) vulnerability in Commscope Ruckus Zoneflex R500 Firmware 3.4.2.0.384 A CSRF issue in login.asp on Ruckus R500 3.4.2.0.384 devices allows remote attackers to access the panel or conduct SSRF attacks. | 8.1 |
2020-05-04 | CVE-2020-11671 | Teampass | Missing Authorization vulnerability in Teampass Lack of authorization controls in REST API functions in TeamPass through 2.1.27.36 allows any TeamPass user with a valid API token to become a TeamPass administrator and read/modify all passwords via authenticated api/index.php REST API calls. | 8.1 |
2020-05-04 | CVE-2020-11443 | Zoom | Incorrect Permission Assignment for Critical Resource vulnerability in Zoom IT Installer The Zoom IT installer for Windows (ZoomInstallerFull.msi) prior to version 4.6.10 deletes files located in %APPDATA%\Zoom before installing an updated version of the client. | 8.1 |
2020-05-07 | CVE-2020-10916 | TP Link | Improper Authentication vulnerability in Tp-Link Tl-Wa855Re Firmware 190408/191213 This vulnerability allows network-adjacent attackers to escalate privileges on affected installations of TP-Link TL-WA855RE Firmware Ver: 855rev4-up-ver1-0-1-P1[20191213-rel60361] Wi-Fi extenders. | 8.0 |
2020-05-09 | CVE-2020-12762 | Json C Fedoraproject Debian Canonical Siemens | Integer Overflow or Wraparound vulnerability in multiple products json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend. | 7.8 |
2020-05-08 | CVE-2018-20225 | Pypa | Improper Input Validation vulnerability in Pypa PIP An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. | 7.8 |
2020-05-08 | CVE-2020-7291 | Mcafee | Improper Privilege Management vulnerability in Mcafee Active Response Privilege Escalation vulnerability in McAfee Active Response (MAR) for Mac prior to 2.4.3 Hotfix 1 allows a malicious script or program to perform functions that the local executing user has not been granted access to. | 7.8 |
2020-05-08 | CVE-2020-7290 | Mcafee | Improper Privilege Management vulnerability in Mcafee Active Response Privilege Escalation vulnerability in McAfee Active Response (MAR) for Linux prior to 2.4.3 Hotfix 1 allows a malicious script or program to perform functions that the local executing user has not been granted access to. | 7.8 |
2020-05-08 | CVE-2020-7289 | Mcafee | Improper Privilege Management vulnerability in Mcafee Active Response Privilege Escalation vulnerability in McAfee Active Response (MAR) for Windows prior to 2.4.3 Hotfix 1 allows a malicious script or program to perform functions that the local executing user has not been granted access to. | 7.8 |
2020-05-08 | CVE-2020-7288 | Mcafee | Improper Privilege Management vulnerability in Mcafee Endpoint Detection and Response 3.1.0 Privilege Escalation vulnerability in McAfee Exploit Detection and Response (EDR) for Mac prior to 3.1.0 Hotfix 1 allows a malicious script or program to perform functions that the local executing user has not been granted access to. | 7.8 |
2020-05-08 | CVE-2020-7287 | Mcafee | Improper Privilege Management vulnerability in Mcafee Endpoint Detection and Response 3.1.0 Privilege Escalation vulnerability in McAfee Exploit Detection and Response (EDR) for Linux prior to 3.1.0 Hotfix 1 allows a malicious script or program to perform functions that the local executing user has not been granted access to. | 7.8 |
2020-05-08 | CVE-2020-7286 | Mcafee | Improper Privilege Management vulnerability in Mcafee Endpoint Detection and Response Privilege Escalation vulnerability in McAfee Exploit Detection and Response (EDR) for Windows prior to 3.1.0 Hotfix 1 allows a malicious script or program to perform functions that the local executing user has not been granted access to. | 7.8 |
2020-05-08 | CVE-2020-7285 | Mcafee | Improper Privilege Management vulnerability in Mcafee Mvision Endpoint 18.11.31.62 Privilege Escalation vulnerability in McAfee MVISION Endpoint prior to 20.5.0.94 allows a malicious script or program to perform functions that the local executing user has not been granted access to. | 7.8 |
2020-05-07 | CVE-2020-12608 | Solarwinds | Incorrect Default Permissions vulnerability in Solarwinds Managed Service Provider Patch Management Engine An issue was discovered in SolarWinds MSP PME (Patch Management Engine) Cache Service before 1.1.15 in the Advanced Monitoring Agent. | 7.8 |
2020-05-07 | CVE-2020-6652 | Eaton | Improper Privilege Management vulnerability in Eaton Intelligent Power Manager 1.6/1.67 Incorrect Privilege Assignment vulnerability in Eaton's Intelligent Power Manager (IPM) v1.67 & prior allow non-admin users to upload the system configuration files by sending specially crafted requests. | 7.8 |
2020-05-07 | CVE-2020-5895 | F5 | Incorrect Permission Assignment for Critical Resource vulnerability in F5 Nginx Controller 3.1.0/3.2.0/3.3.0 On NGINX Controller versions 3.1.0-3.3.0, AVRD uses world-readable and world-writable permissions on its socket, which allows processes or users on the local system to write arbitrary data into the socket. | 7.8 |
2020-05-06 | CVE-2019-19166 | Tobesoft | Unspecified vulnerability in Tobesoft Xplatform Tobesoft XPlatform v9.1, 9.2.0, 9.2.1 and 9.2.2 have a vulnerability that can load unauthorized DLL files. | 7.8 |
2020-05-05 | CVE-2020-12463 | Avira | Unspecified vulnerability in Avira Software Updater An elevation of privilege vulnerability exists in Avira Software Updater before 2.0.6.27476 due to improperly handling file hard links. | 7.8 |
2020-05-05 | CVE-2020-12657 | Linux | Use After Free vulnerability in Linux Kernel An issue was discovered in the Linux kernel before 5.6.5. | 7.8 |
2020-05-05 | CVE-2020-12653 | Linux Opensuse Debian Netapp | Out-of-bounds Write vulnerability in multiple products An issue was found in Linux kernel before 5.5.4. | 7.8 |
2020-05-04 | CVE-2020-5343 | Dell | Incorrect Authorization vulnerability in Dell OS Recovery Image for Microsoft Windows 10 Dell Client platforms restored using a Dell OS recovery image downloaded before December 20, 2019, may contain an insecure inherited permissions vulnerability. | 7.8 |
2020-05-04 | CVE-2020-10622 | Lcds | Unspecified vulnerability in Lcds Laquis Scada LCDS LAquis SCADA Versions 4.3.1 and prior. | 7.8 |
2020-05-04 | CVE-2020-8018 | Suse | Incorrect Default Permissions vulnerability in Suse Linux Enterprise Desktop 15 An Incorrect Default Permissions vulnerability in the SLES15-SP1-CHOST-BYOS and SLES15-SP1-CAP-Deployment-BYOS images of SUSE Linux Enterprise Server 15 SP1 allows local attackers with the UID 1000 to escalate to root due to a /etc directory owned by the user. This issue affects: SUSE Linux Enterprise Server 15 SP1 SLES15-SP1-CAP-Deployment-BYOS version 1.0.1 and prior versions; SLES15-SP1-CHOST-BYOS versions prior to 1.0.3 and prior versions. | 7.8 |
2020-05-10 | CVE-2020-9315 | Oracle | Missing Authentication for Critical Function vulnerability in Oracle Iplanet web Server 7.0/7.0.27 ** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7.0.x has Incorrect Access Control for admingui/version URIs in the Administration console, as demonstrated by unauthenticated read access to encryption keys. | 7.5 |
2020-05-08 | CVE-2020-12018 | Advantech | Out-of-bounds Read vulnerability in Advantech Webaccess Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. | 7.5 |
2020-05-08 | CVE-2020-12014 | Advantech | SQL Injection vulnerability in Advantech Webaccess Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. | 7.5 |
2020-05-07 | CVE-2020-12116 | Zohocorp | Path Traversal vulnerability in Zohocorp Manageengine Opmanager Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request. | 7.5 |
2020-05-07 | CVE-2020-10974 | Wavlink | Missing Authentication for Critical Function vulnerability in Wavlink products An issue was discovered affecting a backup feature where a crafted POST request returns the current configuration of the device in cleartext, including the administrator password. | 7.5 |
2020-05-07 | CVE-2020-10973 | Wavlink | Missing Authentication for Critical Function vulnerability in Wavlink products An issue was discovered in Wavlink WN530HG4, Wavlink WN531G3, Wavlink WN533A8, and Wavlink WN551K1 affecting /cgi-bin/ExportAllSettings.sh where a crafted POST request returns the current configuration of the device, including the administrator password. | 7.5 |
2020-05-07 | CVE-2020-10972 | Wavlink | Insufficiently Protected Credentials vulnerability in Wavlink products An issue was discovered where a page is exposed that has the current administrator password in cleartext in the source code of the page. | 7.5 |
2020-05-07 | CVE-2020-8983 | Citrix | Path Traversal vulnerability in Citrix Sharefile Storagezones Controller An arbitrary file write issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020, which allows remote code execution. | 7.5 |
2020-05-07 | CVE-2020-8982 | Citrix | Path Traversal vulnerability in Citrix Sharefile Storagezones Controller An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020. | 7.5 |
2020-05-07 | CVE-2020-7473 | Citrix | Path Traversal vulnerability in Citrix Sharefile Storagezones Controller In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020, allow unauthenticated attackers to access the documents and folders of ShareFile users. | 7.5 |
2020-05-07 | CVE-2019-18872 | Blaauwproducts | Weak Password Requirements vulnerability in Blaauwproducts Remote Kiln Control 3.0.0 Weak password requirements in Blaauw Remote Kiln Control through v3.00r4 allow a user to set short or guessable passwords (e.g., 1 or 1234). | 7.5 |
2020-05-07 | CVE-2019-18866 | Blaauwproducts | SQL Injection vulnerability in Blaauwproducts Remote Kiln Control 3.0.0 Unauthenticated SQL injection via the username in the login mechanism in Blaauw Remote Kiln Control through v3.00r4 allows a user to extract arbitrary data from the rkc database. | 7.5 |
2020-05-07 | CVE-2019-18864 | Blaauwproducts | Unspecified vulnerability in Blaauwproducts Remote Kiln Control 3.0.0 /server-info and /server-status in Blaauw Remote Kiln Control through v3.00r4 allow an unauthenticated attacker to gain sensitive information about the host machine. | 7.5 |
2020-05-07 | CVE-2019-18867 | Blaauwproducts | Information Exposure vulnerability in Blaauwproducts Remote Kiln Control 3.0.0 Browsable directories in Blaauw Remote Kiln Control through v3.00r4 allow an attacker to enumerate sensitive filenames and locations, including source code. | 7.5 |
2020-05-07 | CVE-2018-5493 | Atto | Unspecified vulnerability in Atto Fibrebridge 7500N Firmware ATTO FibreBridge 7500N firmware versions prior to 2.90 are susceptible to a vulnerability which allows an unauthenticated remote attacker to cause Denial of Service (DoS). | 7.5 |
2020-05-06 | CVE-2020-3312 | Cisco | Incorrect Permission Assignment for Critical Resource vulnerability in Cisco Secure Firewall Management Center A vulnerability in the application policy configuration of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data on an affected device. | 7.5 |
2020-05-06 | CVE-2020-3306 | Cisco | Resource Exhaustion vulnerability in Cisco Adaptive Security Appliance A vulnerability in the DHCP module of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device. | 7.5 |
2020-05-06 | CVE-2020-3305 | Cisco | Resource Exhaustion vulnerability in Cisco Adaptive Security Appliance A vulnerability in the implementation of the Border Gateway Protocol (BGP) module in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. | 7.5 |
2020-05-06 | CVE-2020-3303 | Cisco | Resource Exhaustion vulnerability in Cisco Adaptive Security Appliance A vulnerability in the Internet Key Exchange version 1 (IKEv1) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. | 7.5 |
2020-05-06 | CVE-2020-3298 | Cisco | Out-of-bounds Read vulnerability in Cisco Firepower Threat Defense A vulnerability in the Open Shortest Path First (OSPF) implementation of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the reload of an affected device, resulting in a denial of service (DoS) condition. | 7.5 |
2020-05-06 | CVE-2020-3259 | Cisco | Unspecified vulnerability in Cisco products A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information. | 7.5 |
2020-05-06 | CVE-2020-3255 | Cisco | Resource Exhaustion vulnerability in Cisco products A vulnerability in the packet processing functionality of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 7.5 |
2020-05-06 | CVE-2020-3254 | Cisco | Resource Exhaustion vulnerability in Cisco products Multiple vulnerabilities in the Media Gateway Control Protocol (MGCP) inspection feature of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 7.5 |
2020-05-06 | CVE-2020-3195 | Cisco | Memory Leak vulnerability in Cisco products A vulnerability in the Open Shortest Path First (OSPF) implementation in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a memory leak on an affected device. | 7.5 |
2020-05-06 | CVE-2020-3179 | Cisco | Double Free vulnerability in Cisco products A vulnerability in the generic routing encapsulation (GRE) tunnel decapsulation feature of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 7.5 |
2020-05-06 | CVE-2020-10704 | Samba Fedoraproject Opensuse Debian | Uncontrolled Recursion vulnerability in multiple products A flaw was found when using samba as an Active Directory Domain Controller. | 7.5 |
2020-05-06 | CVE-2020-12672 | Graphicsmagick Debian Opensuse | Out-of-bounds Write vulnerability in multiple products GraphicsMagick through 1.3.35 has a heap-based buffer overflow in ReadMNGImage in coders/png.c. | 7.5 |
2020-05-05 | CVE-2020-12649 | Gurbalib Project | Path Traversal vulnerability in Gurbalib Project Gurbalib 20200430 Gurbalib through 2020-04-30 allows lib/cmds/player/help.c directory traversal for reading administrative paths. | 7.5 |
2020-05-04 | CVE-2020-12642 | Reportportal | XXE vulnerability in Reportportal Service-Api An issue was discovered in service-api before 4.3.12 and 5.x before 5.1.1 for Report Portal. | 7.5 |
2020-05-04 | CVE-2020-11462 | Openvpn | XML Entity Expansion vulnerability in Openvpn Access Server An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. | 7.5 |
2020-05-04 | CVE-2020-10876 | Oklok Project | Improper Restriction of Excessive Authentication Attempts vulnerability in Oklok Project Oklok 3.1.1 The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) does not correctly implement its timeout on the four-digit verification code that is required for resetting passwords, nor does it properly restrict excessive verification attempts. | 7.5 |
2020-05-04 | CVE-2020-10187 | Doorkeeper Project | Missing Authorization vulnerability in Doorkeeper Project Doorkeeper Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. | 7.5 |
2020-05-04 | CVE-2019-13285 | Cososys | Injection vulnerability in Cososys Endpoint Protector 5.1.0.2 CoSoSys Endpoint Protector 5.1.0.2 allows Host Header Injection. | 7.5 |
2020-05-04 | CVE-2020-11842 | Microfocus | Unspecified vulnerability in Microfocus Verastream Host Integrator Information disclosure vulnerability in Micro Focus Verastream Host Integrator (VHI) product, affecting versions earlier than 7.8 Update 1 (7.8.49 or 7.8.0.49). | 7.5 |
2020-05-04 | CVE-2019-11823 | Synology | Out-of-bounds Read vulnerability in Synology Router Manager CRLF injection vulnerability in Network Center in Synology Router Manager (SRM) before 1.2.3-8017-2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic. | 7.5 |
2020-05-07 | CVE-2020-5745 | Tecnick | Cross-Site Request Forgery (CSRF) vulnerability in Tecnick Tcexam 14.2.2 Cross-site request forgery in TCExam 14.2.2 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link. | 7.4 |
2020-05-06 | CVE-2020-3334 | Cisco | Resource Exhaustion vulnerability in Cisco products A vulnerability in the ARP packet processing of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 2100 Series Security Appliances could allow an unauthenticated, adjacent attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition on an affected device. | 7.4 |
2020-05-07 | CVE-2020-6651 | Eaton | OS Command Injection vulnerability in Eaton Intelligent Power Manager 1.6/1.67 Improper Input Validation in Eaton's Intelligent Power Manager (IPM) v 1.67 & prior on file name during configuration file import functionality allows attackers to perform command injection or code execution via specially crafted file names while uploading the configuration file in the application. | 7.3 |
2020-05-08 | CVE-2019-10170 | Redhat | Unspecified vulnerability in Redhat Keycloak A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. | 7.2 |
2020-05-08 | CVE-2019-10169 | Redhat | Unspecified vulnerability in Redhat Keycloak A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. | 7.2 |
2020-05-08 | CVE-2020-5741 | Plex | Deserialization of Untrusted Data vulnerability in Plex Media Server Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code. | 7.2 |
2020-05-08 | CVE-2020-12719 | Wso2 | XXE vulnerability in Wso2 products XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier. | 7.2 |
2020-05-07 | CVE-2020-10795 | Gira | OS Command Injection vulnerability in Gira Tks-Ip-Gateway Firmware 4.0.7.7 Gira TKS-IP-Gateway 4.0.7.7 is vulnerable to authenticated remote code execution via the backup functionality of the web frontend. | 7.2 |
2020-05-06 | CVE-2020-3309 | Cisco | Out-of-bounds Write vulnerability in Cisco Firepower Device Manager On-Box A vulnerability in Cisco Firepower Device Manager (FDM) On-Box software could allow an authenticated, remote attacker to overwrite arbitrary files on the underlying operating system of an affected device. | 7.2 |
2020-05-05 | CVE-2020-11033 | Glpi Project Fedoraproject | Information Exposure vulnerability in multiple products In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. | 7.2 |
2020-05-05 | CVE-2020-11032 | Glpi Project | SQL Injection vulnerability in Glpi-Project Glpi 9.4.5 In GLPI before version 9.4.6, there is a SQL injection vulnerability for all helpdesk instances. | 7.2 |
2020-05-04 | CVE-2020-5332 | RSA | OS Command Injection vulnerability in RSA Archer RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain a command injection vulnerability. | 7.2 |
2020-05-08 | CVE-2020-12010 | Advantech | Path Traversal vulnerability in Advantech Webaccess Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. | 7.1 |
2020-05-05 | CVE-2020-12654 | Linux | Out-of-bounds Write vulnerability in Linux Kernel An issue was found in Linux kernel before 5.5.4. | 7.1 |
2020-05-08 | CVE-2019-14898 | Linux Redhat | The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10, was not complete. | 7.0 |
2020-05-07 | CVE-2020-9475 | Siedle | Race Condition vulnerability in Siedle SG 150-0 Firmware 1.1.0 The S. | 7.0 |
130 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-05-05 | CVE-2017-18867 | Netgear | Improper Input Validation vulnerability in Netgear products Certain NETGEAR devices are affected by incorrect configuration of security settings. | 6.8 |
2020-05-05 | CVE-2017-18865 | Netgear | Out-of-bounds Write vulnerability in Netgear R8300 Firmware and R8500 Firmware Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. | 6.8 |
2020-05-09 | CVE-2020-12770 | Linux Fedoraproject Canonical Debian Netapp | An issue was discovered in the Linux kernel through 5.6.11. | 6.7 |
2020-05-06 | CVE-2020-3253 | Cisco | Unspecified vulnerability in Cisco Firepower Threat Defense A vulnerability in the support tunnel feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to access the shell of an affected device even though expert mode is disabled. | 6.7 |
2020-05-05 | CVE-2020-12659 | Linux Netapp | Out-of-bounds Write vulnerability in multiple products An issue was discovered in the Linux kernel before 5.6.7. | 6.7 |
2020-05-08 | CVE-2020-6616 | Google Apple | Some Broadcom chips mishandle Bluetooth random-number generation because a low-entropy Pseudo Random Number Generator (PRNG) is used in situations where a Hardware Random Number Generator (HRNG) should have been used to prevent spoofing. | 6.5 |
2020-05-08 | CVE-2020-12737 | Maxum | Path Traversal vulnerability in Maxum Rumpus An issue was discovered in Maxum Rumpus before 8.2.12 on macOS. | 6.5 |
2020-05-07 | CVE-2020-12687 | Serpico Project | Exposure of Resource to Wrong Sphere vulnerability in Serpico Project Serpico 1.3.0 An issue was discovered in Serpico before 1.3.3. | 6.5 |
2020-05-07 | CVE-2019-18870 | Blaauwproducts | Path Traversal vulnerability in Blaauwproducts Remote Kiln Control 3.0.0 A path traversal via the iniFile parameter in excel.php in Blaauw Remote Kiln Control through v3.00r4 allows an authenticated attacker to download arbitrary files from the host machine. | 6.5 |
2020-05-06 | CVE-2020-12108 | GNU Debian Fedoraproject Opensuse Canonical | Injection vulnerability in multiple products /options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection. | 6.5 |
2020-05-06 | CVE-2020-2183 | Jenkins | Incorrect Default Permissions vulnerability in Jenkins Copy Artifact Jenkins Copy Artifact Plugin 1.43.1 and earlier performs improper permission checks, allowing attackers to copy artifacts from jobs they have no permission to access. | 6.5 |
2020-05-06 | CVE-2020-2181 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Credentials Binding Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps. | 6.5 |
2020-05-05 | CVE-2020-10859 | Zohocorp | Path Traversal vulnerability in Zohocorp Manageengine Desktop Central Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated arbitrary file writes during ZIP archive extraction via Directory Traversal in a crafted AppDependency API request. | 6.5 |
2020-05-05 | CVE-2020-5517 | Blueonyx | Cross-Site Request Forgery (CSRF) vulnerability in Blueonyx 5209R Firmware CSRF in the /login URI in BlueOnyx 5209R allows an attacker to access the dashboard and perform scraping or other analysis. | 6.5 |
2020-05-04 | CVE-2020-10717 | Qemu | Allocation of Resources Without Limits or Throttling vulnerability in Qemu 5.0/5.0.0 A potential DoS flaw was found in the virtio-fs shared file system daemon (virtiofsd) implementation of the QEMU version >= v5.0. | 6.5 |
2020-05-04 | CVE-2018-21233 | Google | Out-of-bounds Read vulnerability in Google Tensorflow TensorFlow before 1.7.0 has an integer overflow that causes an out-of-bounds read, possibly causing disclosure of the contents of process memory. | 6.5 |
2020-05-04 | CVE-2020-8791 | Oklok Project | Authorization Bypass Through User-Controlled Key vulnerability in Oklok Project Oklok 3.1.1 The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) allows remote attackers to submit API requests using authenticated but unauthorized tokens, resulting in IDOR issues. | 6.5 |
2020-05-04 | CVE-2020-12626 | Roundcube Debian | Cross-Site Request Forgery (CSRF) vulnerability in multiple products An issue was discovered in Roundcube Webmail before 1.4.4. | 6.5 |
2020-05-08 | CVE-2020-10690 | Linux Redhat Debian Canonical Opensuse Netapp | Use After Free vulnerability in multiple products There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of ptp_clock and cdev during resource deallocation. | 6.4 |
2020-05-07 | CVE-2020-11056 | Barrelstrengthdesign | Injection vulnerability in Barrelstrengthdesign Sprout Forms In Sprout Forms before 3.9.0, there is a potential Server-Side Template Injection vulnerability when using custom fields in Notification Emails which could lead to the execution of Twig code. | 6.3 |
2020-05-07 | CVE-2020-11053 | Oauth2 Proxy Project | Open Redirect vulnerability in Oauth2 Proxy Project Oauth2 Proxy In OAuth2 Proxy before 5.1.1, there is an open redirect vulnerability. | 6.1 |
2020-05-07 | CVE-2020-12708 | PHP Fusion | Cross-site Scripting vulnerability in PHP-Fusion 9.03.50 Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. | 6.1 |
2020-05-07 | CVE-2020-12707 | Lepton CMS | Cross-site Scripting vulnerability in Lepton-Cms Lepton CMS 4.5.0 An XSS vulnerability exists in modules/wysiwyg/save.php of LeptonCMS 4.5.0. | 6.1 |
2020-05-07 | CVE-2020-12705 | Lepton CMS | Cross-site Scripting vulnerability in Lepton-Cms Leptoncms Multiple cross-site scripting (XSS) vulnerabilities exist in LeptonCMS before 4.6.0. | 6.1 |
2020-05-07 | CVE-2020-12704 | Ulicms | Cross-site Scripting vulnerability in Ulicms 2019.1/2019.2 UliCMS before 2020.2 has PageController stored XSS. | 6.1 |
2020-05-07 | CVE-2020-12703 | Ulicms | Cross-site Scripting vulnerability in Ulicms 2019.1/2019.2 UliCMS before 2020.2 has XSS during PackageController uninstall. | 6.1 |
2020-05-07 | CVE-2020-5750 | Tecnick | Cross-site Scripting vulnerability in Tecnick Tcexam 14.2.2 Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature. | 6.1 |
2020-05-07 | CVE-2020-5748 | Tecnick | Cross-site Scripting vulnerability in Tecnick Tcexam 14.2.2 Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature. | 6.1 |
2020-05-07 | CVE-2020-12679 | Mitel | Cross-site Scripting vulnerability in Mitel Mivoice Connect and Shoretel Conference web A reflected cross-site scripting (XSS) vulnerability in the Mitel ShoreTel Conference Web Application 19.50.1000.0 before MiVoice Connect 18.7 SP2 allows remote attackers to inject arbitrary JavaScript and HTML via the PATH_INFO to home.php. | 6.1 |
2020-05-07 | CVE-2020-12696 | Iframe Project | Cross-site Scripting vulnerability in Iframe Project Iframe The iframe plugin before 4.5 for WordPress does not sanitize a URL. | 6.1 |
2020-05-06 | CVE-2020-11727 | Algolplus | Cross-site Scripting vulnerability in Algolplus Advanced Order Export for Woocommerce 3.1.3 A cross-site scripting (XSS) vulnerability in the AlgolPlus Advanced Order Export For WooCommerce plugin 3.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the view/settings-form.php woe_post_type parameter. | 6.1 |
2020-05-06 | CVE-2020-3313 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center A vulnerability in the web UI of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the FMC Software. | 6.1 |
2020-05-06 | CVE-2020-3311 | Cisco | Open Redirect vulnerability in Cisco Secure Firewall Management Center A vulnerability in the web interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. | 6.1 |
2020-05-06 | CVE-2020-3178 | Cisco | Open Redirect vulnerability in Cisco Content Security Management Appliance Multiple vulnerabilities in the web-based GUI of Cisco AsyncOS Software for Cisco Content Security Management Appliance (SMA) could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. | 6.1 |
2020-05-05 | CVE-2020-12666 | GO Macaron Fedoraproject | Open Redirect vulnerability in multiple products macaron before 1.3.7 has an open redirect in the static handler, as demonstrated by the http://127.0.0.1:4000//example.com/ URL. | 6.1 |
2020-05-05 | CVE-2020-11034 | Glpi Project | Open Redirect vulnerability in Glpi-Project Glpi In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection, which is based on a regexp. | 6.1 |
2020-05-05 | CVE-2020-10630 | SAE IT | Cross-site Scripting vulnerability in Sae-It Net-Line Fw-50 Firmware SAE IT-systems FW-50 Remote Telemetry Unit (RTU). | 6.1 |
2020-05-05 | CVE-2020-8033 | Commscope | Cross-site Scripting vulnerability in Commscope Ruckus Zoneflex R500 Firmware 3.4.2.0.384 Ruckus R500 3.4.2.0.384 devices allow XSS via the index.asp Device Name field. | 6.1 |
2020-05-05 | CVE-2019-19515 | Ayision | Cross-site Scripting vulnerability in Ayision Ays-Wr01 Firmware V28K.Rpt.20161224 Ayision Ays-WR01 v28K.RPT.20161224 devices allow stored XSS in wireless settings. | 6.1 |
2020-05-05 | CVE-2020-11737 | Zimbra | Cross-site Scripting vulnerability in Zimbra 9.0.0 A cross-site scripting (XSS) vulnerability in Web Client in Zimbra 9.0 allows a remote attacker to craft links in an E-Mail message or calendar invite to execute arbitrary JavaScript. | 6.1 |
2020-05-05 | CVE-2017-18866 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 6.1 |
2020-05-04 | CVE-2020-5337 | RSA | Open Redirect vulnerability in RSA Archer RSA Archer, versions prior to 6.7 P1 (6.7.0.1), contain a URL redirection vulnerability. | 6.1 |
2020-05-04 | CVE-2020-5336 | RSA | Injection vulnerability in RSA Archer RSA Archer, versions prior to 6.7 P1 (6.7.0.1), contain a URL injection vulnerability. | 6.1 |
2020-05-04 | CVE-2020-5334 | RSA | Cross-site Scripting vulnerability in RSA Archer RSA Archer, versions prior to 6.7 P2 (6.7.0.2), contains a Document Object Model (DOM) based cross-site scripting vulnerability. | 6.1 |
2020-05-04 | CVE-2020-12639 | Phplist | Cross-site Scripting vulnerability in PHPlist phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php. | 6.1 |
2020-05-04 | CVE-2020-12625 | Roundcube Debian Opensuse | Cross-site Scripting vulnerability in multiple products An issue was discovered in Roundcube Webmail before 1.4.4. | 6.1 |
2020-05-07 | CVE-2020-11047 | Freerdp Canonical Debian | In FreeRDP after 1.1 and before 2.0.0, there is an out-of-bounds read in autodetect_recv_bandwidth_measure_results. | 5.9 |
2020-05-07 | CVE-2020-11042 | Freerdp Debian Canonical | In FreeRDP greater than 1.1 and before 2.0.0, there is an out-of-bounds read in update_read_icon_info. | 5.9 |
2020-05-04 | CVE-2020-8896 | Google | Classic Buffer Overflow vulnerability in Google Earth A Buffer Overflow vulnerability in the khcrypt implementation in Google Earth Pro versions up to and including 7.3.2 allows an attacker to perform a Man-in-the-Middle attack using a specially crafted key to read data past the end of the buffer used to hold it. | 5.9 |
2020-05-06 | CVE-2020-3285 | Cisco | Unspecified vulnerability in Cisco Firepower Threat Defense A vulnerability in the Transport Layer Security version 1.3 (TLS 1.3) policy with URL category functionality for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured TLS 1.3 policy to block traffic for a specific URL. | 5.8 |
2020-05-06 | CVE-2020-2187 | Jenkins | Improper Certificate Validation vulnerability in Jenkins Amazon EC2 Jenkins Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed certificates and does not perform hostname validation, enabling man-in-the-middle attacks. | 5.6 |
2020-05-06 | CVE-2020-2185 | Jenkins | Unspecified vulnerability in Jenkins Amazon EC2 Jenkins Amazon EC2 Plugin 1.50.1 and earlier does not validate SSH host keys when connecting agents, enabling man-in-the-middle attacks. | 5.6 |
2020-05-09 | CVE-2020-12771 | Linux Debian Opensuse Canonical Netapp Oracle | Improper Locking vulnerability in multiple products An issue was discovered in the Linux kernel through 5.6.11. | 5.5 |
2020-05-09 | CVE-2020-12769 | Linux Debian Canonical Opensuse Netapp | Improper Synchronization vulnerability in multiple products An issue was discovered in the Linux kernel before 5.4.17. | 5.5 |
2020-05-09 | CVE-2020-12768 | Linux Canonical Debian | Memory Leak vulnerability in multiple products An issue was discovered in the Linux kernel before 5.6. | 5.5 |
2020-05-09 | CVE-2020-12767 | Libexif Project Debian Canonical Opensuse | Divide By Zero vulnerability in multiple products exif_entry_get_value in exif-entry.c in libexif 0.6.21 has a divide-by-zero error. | 5.5 |
2020-05-08 | CVE-2020-11541 | Techsmith | XXE vulnerability in Techsmith Snagit In TechSmith SnagIt 11.2.1 through 20.0.3, an XML External Entity (XXE) injection issue exists that would allow a local attacker to exfiltrate data under the local Administrator account. | 5.5 |
2020-05-08 | CVE-2020-12680 | Avira | Unspecified vulnerability in Avira Free Antivirus Avira Free Antivirus through 15.0.2005.1866 allows local users to discover user credentials. | 5.5 |
2020-05-07 | CVE-2014-1423 | Signond Project Ubports | Insufficiently Protected Credentials vulnerability in multiple products signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch, did not properly restrict applications from querying oath tokens due to incorrect checks and the missing installation of the signon-apparmor-extension. | 5.5 |
2020-05-06 | CVE-2020-6861 | Ledger | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Ledger Monero A flawed protocol design in the Ledger Monero app before 1.5.1 for Ledger Nano and Ledger S devices allows a local attacker to extract the master spending key by sending crafted messages to this app selected on a PIN-entered Ledger connected to a host PC. | 5.5 |
2020-05-05 | CVE-2020-12656 | Linux Canonical Opensuse | Memory Leak vulnerability in multiple products gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_gss_krb5 implementation in the Linux kernel through 5.6.10 lacks certain domain_release calls, leading to a memory leak. | 5.5 |
2020-05-05 | CVE-2020-12655 | Linux | Infinite Loop vulnerability in Linux Kernel An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10. | 5.5 |
2020-05-04 | CVE-2020-5331 | RSA | Information Exposure vulnerability in RSA Archer RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an information exposure vulnerability. | 5.5 |
2020-05-04 | CVE-2020-10618 | Lcds | Information Exposure vulnerability in Lcds Laquis Scada LCDS LAquis SCADA Versions 4.3.1 and prior. | 5.5 |
2020-05-04 | CVE-2020-12475 | TP Link | Path Traversal vulnerability in Tp-Link Omada Controller 3.2.6 TP-Link Omada Controller Software 3.2.6 allows Directory Traversal for reading arbitrary files via com.tp_link.eap.web.portal.PortalController.getAdvertiseFile in /opt/tplink/EAPController/lib/eap-web-3.2.6.jar. | 5.5 |
2020-05-04 | CVE-2019-12864 | Solarwinds | Information Exposure Through an Error Message vulnerability in Solarwinds products SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) is vulnerable to Information Leakage, because of improper error handling with stack traces, as demonstrated by discovering a full pathname upon a 500 Internal Server Error via the api2/swis/query?lang=en-us&swAlertOnError=false query parameter. | 5.5 |
2020-05-08 | CVE-2020-11006 | Shopizer | Cross-site Scripting vulnerability in Shopizer In Shopizer before version 2.11.0, a script can be injected in various forms and saved in the database, then executed when information is fetched from backend. | 5.4 |
2020-05-08 | CVE-2020-12718 | PHP Fusion | Cross-site Scripting vulnerability in PHP-Fusion 9.03.50 In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. | 5.4 |
2020-05-07 | CVE-2020-11055 | Bookstackapp | Cross-site Scripting vulnerability in Bookstackapp Bookstack In BookStack greater than or equal to 0.18.0 and less than 0.29.2, there is an XSS vulnerability in comment creation. | 5.4 |
2020-05-07 | CVE-2020-12706 | PHP Fusion | Cross-site Scripting vulnerability in PHP-Fusion 9.03.50 Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php. | 5.4 |
2020-05-07 | CVE-2020-5751 | Tecnick | Cross-site Scripting vulnerability in Tecnick Tcexam 14.2.2 Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted operator. | 5.4 |
2020-05-07 | CVE-2020-5749 | Tecnick | Cross-site Scripting vulnerability in Tecnick Tcexam 14.2.2 Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted group. | 5.4 |
2020-05-07 | CVE-2020-5747 | Tecnick | Cross-site Scripting vulnerability in Tecnick Tcexam 14.2.2 Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test. | 5.4 |
2020-05-07 | CVE-2020-5746 | Tecnick | Cross-site Scripting vulnerability in Tecnick Tcexam 14.2.2 Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test. | 5.4 |
2020-05-07 | CVE-2020-12683 | Katyshop2 Project | Cross-site Scripting vulnerability in Katyshop2 Project Katyshop2 Katyshop2 before 2.12 has multiple stored XSS issues. | 5.4 |
2020-05-07 | CVE-2020-12692 | Openstack Canonical | Authentication Bypass by Capture-replay vulnerability in multiple products An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. | 5.4 |
2020-05-06 | CVE-2020-4421 | IBM | Authentication Bypass by Spoofing vulnerability in IBM Websphere Application Server IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could allow an authenticated user using openidconnect to spoof another user's identity. | 5.4 |
2020-05-06 | CVE-2020-4384 | IBM | Cross-site Scripting vulnerability in IBM products IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site scripting. | 5.4 |
2020-05-05 | CVE-2020-11036 | Glpi Project | Cross-site Scripting vulnerability in Glpi-Project Glpi In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. | 5.4 |
2020-05-05 | CVE-2019-20768 | Servicenow | Cross-site Scripting vulnerability in Servicenow IT Service Management Kingston/London/Madrid ServiceNow IT Service Management Kingston through Patch 14-1, London through Patch 7, and Madrid before patch 4 allow stored XSS via crafted sysparm_item_guid and sys_id parameters in an Incident Request to service_catalog.do. | 5.4 |
2020-05-05 | CVE-2019-19514 | Ayision | Cross-site Scripting vulnerability in Ayision Ays-Wr01 Firmware V28K.Rpt.20161224 Ayision Ays-WR01 v28K.RPT.20161224 devices allow stored XSS in basic repeater settings via an SSID. | 5.4 |
2020-05-04 | CVE-2020-4209 | IBM | Path Traversal vulnerability in IBM Spectrum Protect Plus IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote attacker to traverse directories on the system. | 5.4 |
2020-05-04 | CVE-2020-12629 | Enhancesoft | Cross-site Scripting vulnerability in Enhancesoft Osticket include/class.sla.php in osTicket before 1.14.2 allows XSS via the SLA Name. | 5.4 |
2020-05-04 | CVE-2019-17557 | Apache | Cross-site Scripting vulnerability in Apache Syncope It was found that the Apache Syncope EndUser UI login page prior to 2.0.15 and 2.1.6 reflects the successMessage parameters. | 5.4 |
2020-05-09 | CVE-2020-12765 | Solis | Path Traversal vulnerability in Solis Miolo 2.0 Solis Miolo 2.0 allows index.php?module=install&action=view&item= Directory Traversal. | 5.3 |
2020-05-09 | CVE-2020-12764 | Solis | Path Traversal vulnerability in Solis Gnuteca 3.8 Gnuteca 3.8 allows file.php?folder=/&file= Directory Traversal. | 5.3 |
2020-05-07 | CVE-2020-12448 | Gitlab | Path Traversal vulnerability in Gitlab GitLab EE 12.8 and later allows Exposure of Sensitive Information to an Unauthorized Actor via NuGet. | 5.3 |
2020-05-07 | CVE-2019-18865 | Blaauwproducts | Information Exposure Through an Error Message vulnerability in Blaauwproducts Remote Kiln Control 3.0.0 Information disclosure via error message discrepancies in authentication functions in Blaauw Remote Kiln Control through v3.00r4 allows an unauthenticated attacker to enumerate valid usernames. | 5.3 |
2020-05-06 | CVE-2018-8956 | NTP | Improper Input Validation vulnerability in NTP 4.2.8 ntpd in ntp 4.2.8p10, 4.2.8p11, 4.2.8p12 and 4.2.8p13 allows remote attackers to prevent a broadcast client from synchronizing its clock with a broadcast NTP server via spoofed mode 3 and mode 5 packets. | 5.3 |
2020-05-06 | CVE-2020-3315 | Cisco | Exposure of Resource to Wrong Sphere vulnerability in Cisco Firepower Threat Defense Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an unauthenticated, remote attacker to bypass the configured file policies on an affected system. | 5.3 |
2020-05-06 | CVE-2020-3307 | Cisco | Improper Input Validation vulnerability in Cisco Secure Firewall Management Center A vulnerability in the web UI of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to write arbitrary entries to the log file on an affected device. | 5.3 |
2020-05-06 | CVE-2020-3188 | Cisco | Insufficient Session Expiration vulnerability in Cisco products A vulnerability in how Cisco Firepower Threat Defense (FTD) Software handles session timeouts for management connections could allow an unauthenticated, remote attacker to cause a buildup of remote management connections to an affected device, which could result in a denial of service (DoS) condition. | 5.3 |
2020-05-06 | CVE-2020-3186 | Cisco | Unspecified vulnerability in Cisco products A vulnerability in the management access list configuration of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured management interface access list on an affected system. | 5.3 |
2020-05-06 | CVE-2020-7921 | Mongodb | Incorrect Authorization vulnerability in Mongodb Improper serialization of internal state in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. | 5.3 |
2020-05-06 | CVE-2020-10693 | Redhat IBM Quarkus Oracle | A flaw was found in Hibernate Validator version 6.1.2.Final. | 5.3 |
2020-05-06 | CVE-2020-4092 | Hcltech | Cleartext Transmission of Sensitive Information vulnerability in Hcltech HCL Nomad If port encryption is not enabled on the Domino Server, HCL Nomad on Android and iOS Platforms will communicate in clear text and does not currently have a user interface option to change the setting to request an encrypted communication channel with the Domino server. | 5.3 |
2020-05-05 | CVE-2020-12439 | Grin | Improper Resource Shutdown or Release vulnerability in Grin Grin before 3.1.0 allows attackers to adversely affect availability of data on a Mimblewimble blockchain. | 5.3 |
2020-05-04 | CVE-2020-10700 | Samba Fedoraproject Opensuse | Use After Free vulnerability in multiple products A use-after-free flaw was found in the way Samba AD DC LDAP servers handled the 'Paged Results' control when combined with the 'ASQ' control. | 5.3 |
2020-05-04 | CVE-2020-10933 | Ruby Lang Fedoraproject Debian | Use of Uninitialized Resource vulnerability in multiple products An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. | 5.3 |
2020-05-04 | CVE-2020-8792 | Oklok Project | Use of Insufficiently Random Values vulnerability in Oklok Project Oklok 3.1.1 The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) has an information-exposure issue. | 5.3 |
2020-05-08 | CVE-2012-0953 | Nvidia | Race Condition vulnerability in Nvidia Display Driver 295.49 A race condition was discovered in the Linux drivers for Nvidia graphics which allowed an attacker to exfiltrate kernel memory to userspace. | 5.0 |
2020-05-08 | CVE-2012-0952 | Nvidia | Out-of-bounds Write vulnerability in Nvidia Display Driver 295.49 A heap buffer overflow was discovered in the device control ioctl in the Linux driver for Nvidia graphics cards, which may allow an attacker to overflow 49 bytes. | 5.0 |
2020-05-07 | CVE-2020-5744 | Tecnick | Path Traversal vulnerability in Tecnick Tcexam 14.2.2 Relative Path Traversal in TCExam 14.2.2 allows a remote, authenticated attacker to read the contents of arbitrary files on disk. | 4.9 |
2020-05-06 | CVE-2020-3310 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco Firepower Device Manager On-Box A vulnerability in the XML parser code of Cisco Firepower Device Manager On-Box software could allow an authenticated, remote attacker to cause an affected system to become unstable or reload. | 4.9 |
2020-05-06 | CVE-2020-3308 | Cisco | Improper Verification of Cryptographic Signature vulnerability in Cisco products A vulnerability in the Image Signature Verification feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker with administrator-level credentials to install a malicious software patch on an affected device. | 4.9 |
2020-05-06 | CVE-2020-3256 | Cisco | XXE vulnerability in Cisco Hosted Collaboration Mediation Fulfillment A vulnerability in the web-based management interface of Cisco Hosted Collaboration Mediation Fulfillment (HCM-F) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. | 4.9 |
2020-05-05 | CVE-2020-12144 | Silver Peak | Improper Certificate Validation vulnerability in Silver-Peak products The certificate used to identify the Silver Peak Cloud Portal to EdgeConnect devices is not validated. | 4.9 |
2020-05-05 | CVE-2020-12143 | Silver Peak | Improper Certificate Validation vulnerability in Silver-Peak products The certificate used to identify Orchestrator to EdgeConnect devices is not validated, which makes it possible for someone to establish a TLS connection from EdgeConnect to an untrusted Orchestrator. | 4.9 |
2020-05-05 | CVE-2020-12142 | Silver Peak | Exposure of Resource to Wrong Sphere vulnerability in Silver-Peak products 1. | 4.9 |
2020-05-10 | CVE-2020-9314 | Oracle | Cross-site Scripting vulnerability in Oracle Iplanet web Server 7.0/7.0.27 ** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7.0.x allows image injection in the Administration console via the productNameSrc parameter to an admingui URI. | 4.8 |
2020-05-05 | CVE-2020-11051 | Requarks | Cross-site Scripting vulnerability in Requarks Wiki.Js In Wiki.js before 2.3.81, there is a stored XSS in the Markdown editor. | 4.8 |
2020-05-05 | CVE-2020-8799 | Webtechideas | Cross-site Scripting vulnerability in Webtechideas WTI Like Post A Stored XSS vulnerability has been found in the administration page of the WTI Like Post plugin through 1.4.5 for WordPress. | 4.8 |
2020-05-09 | CVE-2019-20794 | Linux | Missing Release of Resource after Effective Lifetime vulnerability in Linux Kernel An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. | 4.7 |
2020-05-04 | CVE-2020-10686 | Redhat | Unspecified vulnerability in Redhat Keycloak 8.0.2/9.0.0 A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. | 4.7 |
2020-05-04 | CVE-2020-12114 | Linux | Race Condition vulnerability in Linux Kernel A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter. | 4.7 |
2020-05-07 | CVE-2015-7946 | Ubports | Information Exposure vulnerability in Ubports Unity8 Information Exposure vulnerability in Unity8 as used on the Ubuntu phone and possibly also in Unity8 shipped elsewhere. | 4.6 |
2020-05-09 | CVE-2019-20795 | Iproute2 Project Canonical | Use After Free vulnerability in multiple products iproute2 before 5.1.0 has a use-after-free in get_netnsid_from_name in ip/ipnetns.c. | 4.4 |
2020-05-06 | CVE-2020-3301 | Cisco | Use of Hard-coded Credentials vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in Cisco Firepower Management Center (FMC) Software and Cisco Firepower User Agent Software could allow an attacker to access a sensitive part of an affected system with a high-privileged account. | 4.4 |
2020-05-07 | CVE-2020-4430 | IBM | Path Traversal vulnerability in IBM Data Risk Manager IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. | 4.3 |
2020-05-07 | CVE-2020-5743 | Tecnick | Authorization Bypass Through User-Controlled Key vulnerability in Tecnick Tcexam 14.2.2 Improper Control of Resource Identifiers in TCExam 14.2.2 allows a remote, authenticated attacker to access test metadata for which they don't have permission. | 4.3 |
2020-05-06 | CVE-2020-3329 | Cisco | Unspecified vulnerability in Cisco products A vulnerability in role-based access control of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow a read-only authenticated, remote attacker to disable user accounts on an affected system. | 4.3 |
2020-05-06 | CVE-2020-3246 | Cisco | Injection vulnerability in Cisco Umbrella A vulnerability in the web server of Cisco Umbrella could allow an unauthenticated, remote attacker to perform a carriage return line feed (CRLF) injection attack against a user of an affected service. | 4.3 |
2020-05-06 | CVE-2020-4446 | IBM | Incorrect Authorization vulnerability in IBM products IBM Business Process Manager 8.0, 8.5, and 8.6 and IBM Business Automation Workflow 18.0 and 19.0 could allow a remote attacker to bypass security restrictions, caused by the failure to perform sufficient authorization checks. | 4.3 |
2020-05-06 | CVE-2020-2188 | Jenkins | Incorrect Authorization vulnerability in Jenkins Amazon EC2 A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and earlier in form-related methods allowed users with Overall/Read access to enumerate the IDs of credentials stored in Jenkins. | 4.3 |
2020-05-06 | CVE-2020-2186 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Amazon EC2 A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.50.1 and earlier allows attackers to provision instances. | 4.3 |
2020-05-06 | CVE-2020-2184 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Current Versions Systems A cross-site request forgery vulnerability in Jenkins CVS Plugin 2.15 and earlier allows attackers to create and manipulate tags, and to connect to an attacker-specified URL. | 4.3 |
2020-05-06 | CVE-2020-2182 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Credentials Binding Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets containing a `$` character in some circumstances. | 4.3 |
2020-05-04 | CVE-2020-5333 | RSA | Incorrect Authorization vulnerability in RSA Archer RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an authorization bypass vulnerability in the REST API. | 4.3 |
2020-05-04 | CVE-2020-1732 | Redhat | Improper Input Validation vulnerability in Redhat products A flaw was found in Soteria before 1.0.1 in which multiple requests occurring concurrently cause security identity corruption across concurrent threads when using EE Security with WildFly Elytron, which can lead to the possibility of a request being handled using the identity from another request. | 4.2 |
2020-05-05 | CVE-2020-12652 | Linux | Race Condition vulnerability in Linux Kernel The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the Linux kernel before 5.4.14 allows local users to hold an incorrect lock during the ioctl operation and trigger a race condition, i.e., a "double fetch" vulnerability, aka CID-28d76df18f0a. | 4.1 |