Weekly Vulnerabilities Reports > July 6 to 12, 2020

Overview

188 new vulnerabilities reported during this period, including 22 critical vulnerabilities and 69 high severity vulnerabilities. This weekly summary report vulnerabilities in 193 products from 83 vendors including Mozilla, Opensuse, Debian, Huawei, and Canonical. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Use After Free", "Out-of-bounds Write", and "Improper Input Validation".

  • 143 reported vulnerabilities are remotely exploitables.
  • 2 reported vulnerabilities have public exploit available.
  • 62 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 126 reported vulnerabilities are exploitable by an anonymous user.
  • Mozilla has the most reported vulnerabilities, with 26 reported vulnerabilities.
  • Phpzag has the most reported critical vulnerabilities, with 3 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

22 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-07-07 CVE-2020-4077 Electronjs Unspecified vulnerability in Electronjs Electron

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass.

9.9
2020-07-10 CVE-2020-15504 Sophos SQL Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0

A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely.

9.8
2020-07-10 CVE-2020-8186 Devcert Project OS Command Injection vulnerability in Devcert Project Devcert 1.1.0

A command injection vulnerability in the `devcert` module may lead to remote code execution when users of the module pass untrusted input to the `certificateFor` function.

9.8
2020-07-10 CVE-2020-7815 Tobesoft Unspecified vulnerability in Tobesoft Xplatform

XPLATFORM v9.2.260 and eariler versions contain a vulnerability that could allow remote files to be downloaded by setting the arguments to the vulnerable method.

9.8
2020-07-10 CVE-2020-7814 Raonwiz Improper Input Validation vulnerability in Raonwiz Raon K Upload 2018.0.2.51

RAONWIZ v2018.0.2.50 and eariler versions contains a vulnerability that could allow remote files to be downloaded and excuted by lack of validation to file extension, witch can used as remote-code-excution attacks by hackers File download & execution vulnerability in ____COMPONENT____ of RAONWIZ RAON KUpload allows ____ATTACKER/ATTACK____ to cause ____IMPACT____.

9.8
2020-07-09 CVE-2020-7458 Freebsd Out-of-bounds Write vulnerability in Freebsd 11.4/12.1

In FreeBSD 12.1-STABLE before r362281, 11.4-STABLE before r362281, and 11.4-RELEASE before p1, long values in the user-controlled PATH environment variable cause posix_spawnp to write beyond the end of the heap allocated stack possibly leading to arbitrary code execution.

9.8
2020-07-08 CVE-2020-11849 Microfocus Unspecified vulnerability in Microfocus Identity Manager

Elevation of privilege and/or unauthorized access vulnerability in Micro Focus Identity Manager.

9.8
2020-07-08 CVE-2020-3931 Geovision Classic Buffer Overflow vulnerability in Geovision products

Buffer overflow exists in Geovision Door Access Control device family, an unauthenticated remote attacker can execute arbitrary command.

9.8
2020-07-07 CVE-2020-8521 Phpzag SQL Injection vulnerability in PHPzag

SQL injection with start and length parameters in Records.php for phpzag live add edit delete data tables records with ajax php mysql

9.8
2020-07-07 CVE-2020-8520 Phpzag SQL Injection vulnerability in PHPzag

SQL injection in order and column parameters in Records.php for phpzag live add edit delete data tables records with ajax php mysql

9.8
2020-07-07 CVE-2020-8519 Phpzag SQL Injection vulnerability in PHPzag

SQL injection with the search parameter in Records.php for phpzag live add edit delete data tables records with ajax php mysql

9.8
2020-07-07 CVE-2020-12821 Protocol Unspecified vulnerability in Protocol Gossipsub 1.0

Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.

9.8
2020-07-07 CVE-2019-20896 Webchess Project SQL Injection vulnerability in Webchess Project Webchess 1.0

WebChess 1.0 allows SQL injection via the messageFrom, gameID, opponent, messageID, or to parameter.

9.8
2020-07-07 CVE-2020-15350 Riot OS Incorrect Calculation of Buffer Size vulnerability in Riot-Os Riot 2020.04

RIOT 2020.04 has a buffer overflow in the base64 decoder.

9.8
2020-07-07 CVE-2020-15367 Venki Improper Restriction of Excessive Authentication Attempts vulnerability in Venki Supravizio BPM 10.1.2

Venki Supravizio BPM 10.1.2 does not limit the number of authentication attempts.

9.8
2020-07-07 CVE-2020-5599 Mitsubishielectric Argument Injection or Modification vulnerability in Mitsubishielectric Coreos 05.65.00.Bd/Y

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet.

9.8
2020-07-07 CVE-2020-5595 Mitsubishielectric Classic Buffer Overflow vulnerability in Mitsubishielectric Coreos 05.65.00.Bd/Y

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a buffer overflow vulnerability, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet.

9.8
2020-07-07 CVE-2020-15506 Mobileiron Unspecified vulnerability in Mobileiron products

An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to bypass authentication mechanisms via unspecified vectors.

9.8
2020-07-07 CVE-2020-15505 Mobileiron Use of Incorrectly-Resolved Name or Reference vulnerability in Mobileiron products

A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors.

9.8
2020-07-09 CVE-2019-17638 Eclipse Operation on a Resource after Expiration or Release vulnerability in Eclipse Jetty 9.4.27/9.4.28/9.4.29

In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error.

9.4
2020-07-09 CVE-2020-7692 Google Incorrect Authorization vulnerability in Google Oauth Client Library for Java

PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps.

9.1
2020-07-07 CVE-2020-4076 Electronjs Unspecified vulnerability in Electronjs Electron

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass.

9.0

69 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-07-10 CVE-2020-8197 Citrix Unspecified vulnerability in Citrix products

Privilege escalation vulnerability on Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows a low privileged user with management access to execute arbitrary commands.

8.8
2020-07-09 CVE-2020-4305 IBM Deserialization of Untrusted Data vulnerability in IBM products

IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data.

8.8
2020-07-09 CVE-2020-13994 Mods FOR Hesk Unrestricted Upload of File with Dangerous Type vulnerability in Mods-For-Hesk Mods for Hesk

An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0.

8.8
2020-07-09 CVE-2020-12426 Mozilla
Opensuse
Out-of-bounds Write vulnerability in multiple products

Mozilla developers and community members reported memory safety bugs present in Firefox 77.

8.8
2020-07-09 CVE-2020-12422 Mozilla
Opensuse
Out-of-bounds Write vulnerability in multiple products

In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash.

8.8
2020-07-09 CVE-2020-12420 Mozilla
Canonical
Opensuse
Use After Free vulnerability in multiple products

When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash.

8.8
2020-07-09 CVE-2020-12419 Mozilla
Canonical
Opensuse
Use After Free vulnerability in multiple products

When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition.

8.8
2020-07-09 CVE-2020-12417 Mozilla
Canonical
Opensuse
Incorrect Conversion between Numeric Types vulnerability in multiple products

Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash.

8.8
2020-07-09 CVE-2020-12416 Mozilla
Opensuse
Use After Free vulnerability in multiple products

A VideoStreamEncoder may have been freed in a race condition with VideoBroadcaster::AddOrUpdateSink, resulting in a use-after-free, memory corruption, and a potentially exploitable crash.

8.8
2020-07-09 CVE-2020-12411 Mozilla Out-of-bounds Write vulnerability in Mozilla Firefox

Mozilla developers reported memory safety bugs present in Firefox 76.

8.8
2020-07-09 CVE-2020-12410 Mozilla
Canonical
Out-of-bounds Write vulnerability in multiple products

Mozilla developers reported memory safety bugs present in Firefox 76 and Firefox ESR 68.8.

8.8
2020-07-09 CVE-2020-12409 Mozilla Unspecified vulnerability in Mozilla Firefox

When using certain blank characters in a URL, they where incorrectly rendered as spaces instead of an encoded URL.

8.8
2020-07-09 CVE-2020-12406 Mozilla
Canonical
Insufficient Verification of Data Authenticity vulnerability in multiple products

Mozilla Developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash.

8.8
2020-07-09 CVE-2018-12371 Mozilla Integer Overflow or Wraparound vulnerability in Mozilla Firefox

An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 16 GB of RAM.

8.8
2020-07-09 CVE-2020-9377 Dlink OS Command Injection vulnerability in Dlink Dir-610 Firmware

D-Link DIR-610 devices allow Remote Command Execution via the cmd parameter to command.php.

8.8
2020-07-08 CVE-2020-15072 Phplist SQL Injection vulnerability in PHPlist

An issue was discovered in phpList through 3.5.4.

8.8
2020-07-08 CVE-2020-5764 Mxplayer Path Traversal vulnerability in Mxplayer MX Player

MX Player Android App versions prior to v1.24.5, are vulnerable to a directory traversal vulnerability when user is using the MX Transfer feature in "Receive" mode.

8.8
2020-07-08 CVE-2020-3973 Vmware SQL Injection vulnerability in VMWare Velocloud Orchestrator

The VeloCloud Orchestrator does not apply correct input validation which allows for blind SQL-injection.

8.8
2020-07-07 CVE-2020-15515 Turn Project Unspecified vulnerability in Turn! Project Turn!

The turn extension through 0.3.2 for TYPO3 allows Remote Code Execution.

8.8
2020-07-07 CVE-2020-15565 XEN
Debian
Fedoraproject
Opensuse
Resource Exhaustion vulnerability in multiple products

An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d.

8.8
2020-07-06 CVE-2020-6013 Checkpoint Improper Privilege Management vulnerability in Checkpoint Zonealarm Extreme Security

ZoneAlarm Firewall and Antivirus products before version 15.8.109.18436 allow an attacker who already has access to the system to execute code at elevated privileges through a combination of file permission manipulation and exploitation of Windows CVE-2020-00896 on unpatched systems.

8.8
2020-07-06 CVE-2020-5371 Dell Incorrect Permission Assignment for Critical Resource vulnerability in Dell EMC Isilon Onefs and EMC Powerscale Onefs

Dell EMC Isilon OneFS versions 8.2.2 and earlier and Dell EMC PowerScale version 9.0.0 contain a file permissions vulnerability.

8.8
2020-07-06 CVE-2020-5352 Dell OS Command Injection vulnerability in Dell EMC Data Protection Advisor 18.1/6.4/6.5

Dell EMC Data Protection Advisor 6.4, 6.5 and 18.1 contain an OS command injection vulnerability.

8.8
2020-07-09 CVE-2020-15093 Amazon Improper Verification of Cryptographic Signature vulnerability in Amazon Tough

The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures.

8.6
2020-07-10 CVE-2020-11081 Linuxfoundation Unspecified vulnerability in Linuxfoundation Osquery

osquery before version 4.4.0 enables a privilege escalation vulnerability.

8.2
2020-07-09 CVE-2020-7457 Freebsd Improper Synchronization vulnerability in Freebsd 11.3/11.4/12.1

In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 11.3-RELEASE before p11, missing synchronization in the IPV6_2292PKTOPTIONS socket option set handler contained a race condition allowing a malicious application to modify memory after being freed, possibly resulting in code execution.

8.1
2020-07-09 CVE-2020-5604 Mercari Unspecified vulnerability in Mercari 3.51.0

Android App 'Mercari' (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remote attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView.

8.1
2020-07-08 CVE-2020-2034 Paloaltonetworks OS Command Injection vulnerability in Paloaltonetworks Pan-Os

An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges.

8.1
2020-07-06 CVE-2020-9395 Realtek Out-of-bounds Write vulnerability in Realtek products

An issue was discovered on Realtek RTL8195AM, RTL8711AM, RTL8711AF, and RTL8710AF devices before 2.0.6.

8.0
2020-07-10 CVE-2020-8199 Citrix Unspecified vulnerability in Citrix Gateway Plug-In for Linux

Improper access control in Citrix ADC Gateway Linux client versions before 1.0.0.137 results in local privilege escalation to root.

7.8
2020-07-10 CVE-2020-3974 Vmware Unspecified vulnerability in VMWare Fusion, Horizon Client and Remote Console

VMware Fusion (11.x before 11.5.5), VMware Remote Console for Mac (11.x and prior before 11.2.0 ) and Horizon Client for Mac (5.x and prior before 5.4.3) contain a privilege escalation vulnerability due to improper XPC Client validation.

7.8
2020-07-09 CVE-2020-12423 Mozilla Uncontrolled Search Path Element vulnerability in Mozilla Firefox

When the Windows DLL "webauthn.dll" was missing from the Operating System, and a malicious one was placed in a folder in the user's %PATH%, Firefox may have loaded the DLL, leading to arbitrary code execution.

7.8
2020-07-08 CVE-2020-5974 Nvidia Incorrect Default Permissions vulnerability in Nvidia Jetpack Software Development KIT 4.2/4.3

NVIDIA JetPack SDK, version 4.2 and 4.3, contains a vulnerability in its installation scripts in which permissions are incorrectly set on certain directories, which can lead to escalation of privileges.

7.8
2020-07-07 CVE-2020-15567 XEN
Debian
Opensuse
Fedoraproject
Race Condition vulnerability in multiple products

An issue was discovered in Xen through 4.13.x, allowing Intel guest OS users to gain privileges or cause a denial of service because of non-atomic modification of a live EPT PTE.

7.8
2020-07-06 CVE-2020-9262 Huawei Use After Free vulnerability in Huawei Mate 30 Firmware

HUAWEI Mate 30 with versions earlier than 10.1.0.150(C00E136R5P3) have a use after free vulnerability.

7.8
2020-07-06 CVE-2020-9261 Huawei Type Confusion vulnerability in Huawei Mate 30 Firmware

HUAWEI Mate 30 with versions earlier than 10.1.0.150(C00E136R5P3) have a type confusion vulnerability.

7.8
2020-07-06 CVE-2020-9100 Huawei Uncontrolled Search Path Element vulnerability in Huawei Hisuite

Earlier than HiSuite 10.1.0.500 have a DLL hijacking vulnerability.

7.8
2020-07-06 CVE-2019-8250 Adobe Type Confusion vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a type confusion vulnerability.

7.8
2020-07-06 CVE-2019-8249 Adobe Type Confusion vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a type confusion vulnerability.

7.8
2020-07-06 CVE-2019-8066 Adobe Out-of-bounds Write vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a heap overflow vulnerability.

7.8
2020-07-10 CVE-2020-8190 Citrix Improper Preservation of Permissions vulnerability in Citrix products

Incorrect file permissions in Citrix ADC and Citrix Gateway before versions 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows privilege escalation.

7.5
2020-07-10 CVE-2020-8187 Citrix Improper Input Validation vulnerability in Citrix products

Improper input validation in Citrix ADC and Citrix Gateway versions before 11.1-63.9 and 12.0-62.10 allows unauthenticated users to perform a denial of service attack.

7.5
2020-07-09 CVE-2020-13993 Mods FOR Hesk SQL Injection vulnerability in Mods-For-Hesk Mods for Hesk

An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0.

7.5
2020-07-09 CVE-2020-12398 Mozilla
Canonical
Cleartext Transmission of Sensitive Information vulnerability in multiple products

If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection.

7.5
2020-07-09 CVE-2020-9376 Dlink Injection vulnerability in Dlink Dir-610 Firmware

D-Link DIR-610 devices allow Information Disclosure via SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1 to getcfg.php.

7.5
2020-07-08 CVE-2019-19417 Huawei Improper Input Validation vulnerability in Huawei products

The SIP module of some Huawei products have a denial of service (DoS) vulnerability.

7.5
2020-07-08 CVE-2019-19416 Huawei Improper Input Validation vulnerability in Huawei products

The SIP module of some Huawei products have a denial of service (DoS) vulnerability.

7.5
2020-07-08 CVE-2019-19415 Huawei Improper Input Validation vulnerability in Huawei products

The SIP module of some Huawei products have a denial of service (DoS) vulnerability.

7.5
2020-07-08 CVE-2020-6938 Tableau Information Exposure Through Log Files vulnerability in Tableau Server

A sensitive information disclosure vulnerability in Tableau Server 10.5, 2018.x, 2019.x, 2020.x released before June 26, 2020, could allow access to sensitive information in log files.

7.5
2020-07-08 CVE-2020-5839 Symantec Unspecified vulnerability in Symantec Endpoint Detection and Response 4.1.0/4.2.0/4.3.0

Symantec Endpoint Detection And Response, prior to 4.4, may be susceptible to an information disclosure issue, which is a type of vulnerability that could potentially allow unauthorized access to data.

7.5
2020-07-08 CVE-2020-11994 Apache
Oracle
Injection vulnerability in multiple products

Server-Side Template Injection and arbitrary file disclosure on Camel templating components

7.5
2020-07-07 CVE-2020-15008 Connectwise SQL Injection vulnerability in Connectwise Automate 2019.12

A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12.

7.5
2020-07-07 CVE-2020-15579 Google Unspecified vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software.

7.5
2020-07-07 CVE-2020-15576 Solarwinds Unspecified vulnerability in Solarwinds Serv-U

SolarWinds Serv-U File Server before 15.2.1 allows information disclosure via an HTTP response.

7.5
2020-07-07 CVE-2020-15574 Solarwinds Unspecified vulnerability in Solarwinds Serv-U

SolarWinds Serv-U File Server before 15.2.1 mishandles the Same-Site cookie attribute, aka Case Number 00331893.

7.5
2020-07-07 CVE-2020-10745 Samba
Fedoraproject
Opensuse
Debian
Resource Exhaustion vulnerability in multiple products

A flaw was found in all Samba versions before 4.10.17, before 4.11.11 and before 4.12.4 in the way it processed NetBios over TCP/IP.

7.5
2020-07-07 CVE-2020-5600 Mitsubishielectric Unspecified vulnerability in Mitsubishielectric Coreos 05.65.00.Bd/Y

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a resource management error vulnerability, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet.

7.5
2020-07-07 CVE-2020-5598 Mitsubishielectric Unspecified vulnerability in Mitsubishielectric Coreos 05.65.00.Bd/Y

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper access control vulnerability, which may which may allow a remote attacker tobypass access restriction and stop the network functions of the products or execute a malicious program via a specially crafted packet.

7.5
2020-07-07 CVE-2020-5597 Mitsubishielectric NULL Pointer Dereference vulnerability in Mitsubishielectric Coreos 05.65.00.Bd/Y

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a null pointer dereference vulnerability, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet.

7.5
2020-07-07 CVE-2020-5596 Mitsubishielectric Session Fixation vulnerability in Mitsubishielectric Coreos 05.65.00.Bd/Y

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) does not properly manage sessions, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet.

7.5
2020-07-07 CVE-2020-15507 Mobileiron Unspecified vulnerability in Mobileiron products

An arbitrary file reading vulnerability in MobileIron Core versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to read files on the system via unspecified vectors.

7.5
2020-07-07 CVE-2020-4075 Electronjs Files or Directories Accessible to External Parties vulnerability in Electronjs Electron

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open.

7.5
2020-07-06 CVE-2020-5372 Dell Incorrect Authorization vulnerability in Dell products

Dell EMC PowerStore versions prior to 1.0.1.0.5.002 contain a vulnerability that exposes test interface ports to external network.

7.5
2020-07-06 CVE-2020-5368 Dell Missing Authorization vulnerability in Dell Vxrail D560 Firmware and Vxrail D560F Firmware

Dell EMC VxRail versions 4.7.410 and 4.7.411 contain an improper authentication vulnerability.

7.5
2020-07-06 CVE-2020-14303 Samba
Fedoraproject
Opensuse
Debian
Canonical
Excessive Iteration vulnerability in multiple products

A flaw was found in the AD DC NBT server in all Samba versions before 4.10.17, before 4.11.11 and before 4.12.4.

7.5
2020-07-10 CVE-2020-11061 Bareos
Debian
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job.
7.4
2020-07-10 CVE-2020-6114 Icehrm SQL Injection vulnerability in Icehrm 26.6.0.Os

An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) .

7.2
2020-07-08 CVE-2020-2030 Paloaltonetworks OS Command Injection vulnerability in Paloaltonetworks Pan-Os

An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges.

7.2
2020-07-07 CVE-2020-12736 Code42 Injection vulnerability in Code42

Code42 environments with on-premises server versions 7.0.4 and earlier allow for possible remote code execution.

7.2

97 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-07-10 CVE-2020-4042 Bareos Authentication Bypass by Capture-replay vulnerability in Bareos

Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself.

6.8
2020-07-07 CVE-2020-15096 Electronjs Unspecified vulnerability in Electronjs Electron

In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

6.8
2020-07-10 CVE-2020-8195 Citrix Path Traversal vulnerability in Citrix products

Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.

6.5
2020-07-10 CVE-2020-8194 Citrix Code Injection vulnerability in Citrix products

Reflected code injection in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows the modification of a file download.

6.5
2020-07-10 CVE-2020-8193 Citrix Improper Authentication vulnerability in Citrix products

Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.

6.5
2020-07-10 CVE-2020-9260 Huawei Unspecified vulnerability in Huawei P30 Firmware and P30 PRO Firmware

HUAWEI P30 and HUAWEI P30 Pro smartphones with versions earlier than 10.1.0.123(C432E22R2P5) and versions earlier than 10.1.0.160(C00E160R2P8) have an information disclosure vulnerability.

6.5
2020-07-09 CVE-2020-14171 Atlassian Cleartext Transmission of Sensitive Information vulnerability in Atlassian Bitbucket

Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack.

6.5
2020-07-09 CVE-2020-10756 Libslirp Project
Redhat
Canonical
Debian
Opensuse
Out-of-bounds Read vulnerability in multiple products

An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator.

6.5
2020-07-09 CVE-2020-12425 Mozilla Out-of-bounds Read vulnerability in Mozilla Firefox

Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have occurred, leading to potential information disclosure.

6.5
2020-07-09 CVE-2020-12421 Mozilla
Canonical
Improper Certificate Validation vulnerability in multiple products

When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user.

6.5
2020-07-09 CVE-2020-12418 Mozilla
Canonical
Opensuse
Out-of-bounds Read vulnerability in multiple products

Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript.

6.5
2020-07-09 CVE-2020-12415 Mozilla
Opensuse
Incorrect Default Permissions vulnerability in multiple products

When "%2F" was present in a manifest URL, Firefox's AppCache behavior may have become confused and allowed a manifest to be served from a subdirectory.

6.5
2020-07-09 CVE-2020-12414 Mozilla Incomplete Cleanup vulnerability in Mozilla Firefox

IndexedDB should be cleared when leaving private browsing mode and it is not, the API for WKWebViewConfiguration was being used incorrectly and requires the private instance of this object be deleted when leaving private mode.

6.5
2020-07-09 CVE-2020-12408 Mozilla Unspecified vulnerability in Mozilla Firefox

When browsing a document hosted on an IP address, an attacker could insert certain characters to flip domain and path information in the address bar.

6.5
2020-07-09 CVE-2020-12407 Mozilla Out-of-bounds Read vulnerability in Mozilla Firefox

Mozilla Developer Nicolas Silva found that when using WebRender, Firefox would under certain conditions leak arbitrary GPU memory to the visible screen.

6.5
2020-07-09 CVE-2020-5366 Dell Path Traversal vulnerability in Dell Idrac9 Firmware

Dell EMC iDRAC9 versions prior to 4.20.20.20 contain a Path Traversal Vulnerability.

6.5
2020-07-09 CVE-2020-12424 Mozilla
Opensuse
Incorrect Default Permissions vulnerability in multiple products

When constructing a permission prompt for WebRTC, a URI was supplied from the content process.

6.5
2020-07-07 CVE-2020-15600 Cmsuno Project Cross-Site Request Forgery (CSRF) vulnerability in Cmsuno Project Cmsuno

An issue was discovered in CMSUno before 1.6.1.

6.5
2020-07-07 CVE-2020-15509 Nordicsemi Cleartext Transmission of Sensitive Information vulnerability in Nordicsemi Android BLE Library and DFU Library

Nordic Semiconductor Android BLE Library through 2.2.1 and DFU Library through 1.10.4 for Android (as used by nRF Connect and other applications) can engage in unencrypted communication while showing the user that the communication is purportedly encrypted.

6.5
2020-07-07 CVE-2020-10730 Samba
Redhat
Opensuse
Fedoraproject
Debian
Use After Free vulnerability in multiple products

A NULL pointer dereference, or possible use-after-free flaw was found in Samba AD LDAP server in versions before 4.10.17, before 4.11.11 and before 4.12.4.

6.5
2020-07-07 CVE-2020-15566 XEN
Debian
Improper Check for Unusual or Exceptional Conditions vulnerability in multiple products

An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a host OS crash because of incorrect error handling in event-channel port allocation.

6.5
2020-07-07 CVE-2020-15564 XEN
Debian
Fedoraproject
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

An issue was discovered in Xen through 4.13.x, allowing Arm guest OS users to cause a hypervisor crash because of a missing alignment check in VCPUOP_register_vcpu_info.

6.5
2020-07-07 CVE-2020-15563 XEN
Debian
Fedoraproject
Opensuse
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

An issue was discovered in Xen through 4.13.x, allowing x86 HVM guest OS users to cause a hypervisor crash.

6.5
2020-07-06 CVE-2020-10760 Samba
Canonical
Opensuse
Fedoraproject
Use After Free vulnerability in multiple products

A use-after-free flaw was found in all samba LDAP server versions before 4.10.17, before 4.11.11, before 4.12.4 used in a AC DC configuration.

6.5
2020-07-06 CVE-2019-14900 Hibernate
Redhat
Quarkus
SQL Injection vulnerability in multiple products

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1.

6.5
2020-07-06 CVE-2020-5356 Dell Files or Directories Accessible to External Parties vulnerability in Dell products

Dell PowerProtect Data Manager (PPDM) versions prior to 19.4 and Dell PowerProtect X400 versions prior to 3.2 contain an improper authorization vulnerability.

6.5
2020-07-06 CVE-2020-1839 Huawei Race Condition vulnerability in Huawei Mate 30 Firmware

HUAWEI Mate 30 with versions earlier than 10.1.0.150(C00E136R5P3) have a race condition vulnerability.

6.3
2020-07-10 CVE-2020-8198 Citrix Cross-site Scripting vulnerability in Citrix products

Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in Stored Cross-Site Scripting (XSS).

6.1
2020-07-10 CVE-2020-8191 Citrix Cross-site Scripting vulnerability in Citrix products

Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows reflected Cross Site Scripting (XSS).

6.1
2020-07-10 CVE-2020-5607 SS Proj Open Redirect vulnerability in Ss-Proj Shirasagi

Open redirect vulnerability in SHIRASAGI v1.13.1 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

6.1
2020-07-09 CVE-2020-15299 King Theme Cross-site Scripting vulnerability in King-Theme Kingcomposer 2.7.6/2.9.4

A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is executed in the victim's browser.

6.1
2020-07-09 CVE-2020-13992 Mods FOR Hesk Cross-site Scripting vulnerability in Mods-For-Hesk Mods for Hesk

An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0.

6.1
2020-07-08 CVE-2020-7140 HP Cross-site Scripting vulnerability in HP Icewall SSO DFW and Icewall SSO Dgfw

A security vulnerability in HPE IceWall SSO Dfw and Dgfw (Domain Gateway Option) could be exploited remotely to cause a remote cross-site scripting (XSS).

6.1
2020-07-07 CVE-2020-15599 Victor CMS Project Cross-site Scripting vulnerability in Victor CMS Project Victor CMS 1.0/20180510/20190228

Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.

6.1
2020-07-07 CVE-2020-11882 Telefonica Open Redirect vulnerability in Telefonica O2 Business 1.2.0

The O2 Business application 1.2.0 for Android exposes the canvasm.myo2.SplashActivity activity to other applications.

6.1
2020-07-07 CVE-2019-19935 Froala Cross-site Scripting vulnerability in Froala Editor

Froala Editor before 3.2.3 allows XSS.

6.1
2020-07-07 CVE-2019-4324 Hcltech Cross-site Scripting vulnerability in Hcltech Appscan 10.0.0/9.0.3.14

"HCL AppScan Enterprise is susceptible to Cross-Site Scripting while importing a specially crafted test policy."

6.1
2020-07-07 CVE-2020-15575 Solarwinds Cross-site Scripting vulnerability in Solarwinds Serv-U

SolarWinds Serv-U File Server before 15.2.1 allows XSS as demonstrated by Tenable Scan, aka Case Number 00484194.

6.1
2020-07-07 CVE-2020-15573 Solarwinds Cross-site Scripting vulnerability in Solarwinds Serv-U

SolarWinds Serv-U File Server before 15.2.1 has a "Cross-script vulnerability," aka Case Numbers 00041778 and 00306421.

6.1
2020-07-06 CVE-2020-7691 Parall Cross-site Scripting vulnerability in Parall Jspdf

In all versions of the package jspdf, it is possible to use <<script>script> in order to go over the filtering regex.

6.1
2020-07-06 CVE-2020-7690 Parall Cross-site Scripting vulnerability in Parall Jspdf

All affected versions <2.0.0 of package jspdf are vulnerable to Cross-site Scripting (XSS).

6.1
2020-07-06 CVE-2020-15562 Roundcube
Debian
Cross-site Scripting vulnerability in multiple products

An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7.

6.1
2020-07-09 CVE-2020-15000 Yubico Unspecified vulnerability in Yubico Yubikey 5 NFC Firmware 5.2.0/5.2.6

A PIN management problem was discovered on Yubico YubiKey 5 devices 5.2.0 to 5.2.6.

5.9
2020-07-09 CVE-2020-15526 RED Gate Improper Certificate Validation vulnerability in Red-Gate SQL Monitor

In Redgate SQL Monitor 7.1.4 through 10.1.6 (inclusive), the scope for disabling some TLS security certificate checks can extend beyond that defined by various options on the Configuration > Notifications pages to disable certificate checking for alert notifications.

5.9
2020-07-10 CVE-2020-9258 Huawei Improper Input Validation vulnerability in Huawei P30 Firmware

HUAWEI P30 smartphone with versions earlier than 10.1.0.135(C00E135R2P11) have an improper input verification vulnerability.

5.5
2020-07-07 CVE-2020-8916 Openthread Memory Leak vulnerability in Openthread Wpantund 20200528

A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS).

5.5
2020-07-07 CVE-2020-15584 Google Improper Input Validation vulnerability in Google Android 10.0

An issue was discovered on Samsung mobile devices with Q(10.0) software.

5.5
2020-07-07 CVE-2020-15583 Google Path Traversal vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software.

5.5
2020-07-07 CVE-2020-15582 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 10.0/9.0

An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (Exynos 7885 chipsets) software.

5.5
2020-07-07 CVE-2020-15580 Google Unspecified vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software.

5.5
2020-07-07 CVE-2020-15578 Google Incorrect Default Permissions vulnerability in Google Android 8.0/8.1

An issue was discovered on Samsung mobile devices with O(8.x) software.

5.5
2020-07-07 CVE-2020-15577 Google Unspecified vulnerability in Google Android 10.0/9.0

An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software.

5.5
2020-07-06 CVE-2020-9226 Huawei Improper Verification of Cryptographic Signature vulnerability in Huawei P30 Firmware

HUAWEI P30 with versions earlier than 10.1.0.135(C00E135R2P11) have an improper signature verification vulnerability.

5.5
2020-07-06 CVE-2020-1838 Huawei Improper Authentication vulnerability in Huawei Mate 30 PRO Firmware 10.0.0.203(C00E202R7P2)/10.0.0.205(C00E202R7P2)

HUAWEI Mate 30 Pro with versions earlier than 10.1.0.150(C00E136R5P3) have is an improper authentication vulnerability.

5.5
2020-07-06 CVE-2019-8252 Adobe Type Confusion vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a type confusion vulnerability.

5.5
2020-07-06 CVE-2019-8251 Adobe Type Confusion vulnerability in Adobe Acrobat DC

Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a type confusion vulnerability.

5.5
2020-07-06 CVE-2020-15570 Whoopsie Project Allocation of Resources Without Limits or Throttling vulnerability in Whoopsie Project Whoopsie

The parse_report() function in whoopsie.c in Whoopsie through 0.2.69 mishandles memory allocation failures, which allows an attacker to cause a denial of service via a malformed crash file.

5.5
2020-07-06 CVE-2020-15569 Milkytracker Project
Debian
Use After Free vulnerability in multiple products

PlayerGeneric.cpp in MilkyTracker through 1.02.00 has a use-after-free in the PlayerGeneric destructor.

5.5
2020-07-10 CVE-2020-15105 Django TWO Factor Authentication Project Cleartext Storage of Sensitive Information vulnerability in Django Two-Factor Authentication Project Django Two-Factor Authentication

Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded).

5.4
2020-07-08 CVE-2020-15073 Phplist Cross-site Scripting vulnerability in PHPlist

An issue was discovered in phpList through 3.5.4.

5.4
2020-07-07 CVE-2020-15035 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack.

5.4
2020-07-07 CVE-2020-15034 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack.

5.4
2020-07-07 CVE-2020-15033 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack.

5.4
2020-07-07 CVE-2020-15032 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack.

5.4
2020-07-07 CVE-2020-15031 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack.

5.4
2020-07-07 CVE-2020-15030 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack.

5.4
2020-07-07 CVE-2020-15029 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack.

5.4
2020-07-07 CVE-2020-15028 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to a cross-site scripting (XSS) attack.

5.4
2020-07-07 CVE-2020-15037 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack.

5.4
2020-07-07 CVE-2020-15036 Nedi Cross-site Scripting vulnerability in Nedi 1.9C

NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack.

5.4
2020-07-07 CVE-2020-15517 Faceted Search Project Cross-site Scripting vulnerability in Faceted Search Project Faceted Search

The ke_search (aka Faceted Search) extension through 2.8.2, and 3.x through 3.1.3, for TYPO3 allows XSS.

5.4
2020-07-07 CVE-2020-15516 MM Forum Project Cross-site Scripting vulnerability in MM Forum Project MM Forum

The mm_forum extension through 1.9.5 for TYPO3 allows XSS that can be exploited via CSRF.

5.4
2020-07-07 CVE-2020-15514 JH Captcha Project Cross-site Scripting vulnerability in JH Captcha Project JH Captcha

The jh_captcha extension through 2.1.3, and 3.x through 3.0.2, for TYPO3 allows XSS.

5.4
2020-07-09 CVE-2020-15001 Yubico Missing Authorization vulnerability in Yubico Yubikey 5 NFC Firmware

An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1.

5.3
2020-07-09 CVE-2020-12405 Mozilla
Canonical
Use After Free vulnerability in multiple products

When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash.

5.3
2020-07-09 CVE-2020-7693 Sockjs Project Improper Handling of Exceptional Conditions vulnerability in Sockjs Project Sockjs

Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps.

5.3
2020-07-07 CVE-2020-15581 Google Information Exposure Through Log Files vulnerability in Google Android

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software.

5.3
2020-07-07 CVE-2020-15525 Gitlab Unspecified vulnerability in Gitlab

GitLab EE 11.3 through 13.1.2 has Incorrect Access Control because of the Maven package upload endpoint.

5.3
2020-07-07 CVE-2020-15513 Mittwald Incorrect Authorization vulnerability in Mittwald Typo3 Forum

The typo3_forum extension before 1.2.1 for TYPO3 has Incorrect Access Control.

5.3
2020-07-07 CVE-2020-15392 Venki Information Exposure Through Discrepancy vulnerability in Venki Supravizio BPM 10.1.2

A user enumeration vulnerability flaw was found in Venki Supravizio BPM 10.1.2.

5.3
2020-07-06 CVE-2020-1836 Huawei Unspecified vulnerability in Huawei P30 Firmware and P30 PRO Firmware

HUAWEI P30 with versions earlier than 10.1.0.160(C00E160R2P11) and HUAWEI P30 Pro with versions earlier than 10.1.0.160(C00E160R2P8) have an information disclosure vulnerability.

5.3
2020-07-06 CVE-2020-1837 Huawei Unspecified vulnerability in Huawei Changxiang 8 Plus Firmware 9.1.0.111(C00E111R1P6T8)

ChangXiang 8 Plus with versions earlier than 9.1.0.136(C00E121R1P6T8) have a denial of service vulnerability.

5.3
2020-07-08 CVE-2020-2031 Paloaltonetworks Integer Underflow (Wrap or Wraparound) vulnerability in Paloaltonetworks Pan-Os 9.1.0/9.1.1/9.1.2

An integer underflow vulnerability in the dnsproxyd component of the PAN-OS management interface allows authenticated administrators to issue a command from the command line interface that causes the component to stop responding.

4.9
2020-07-09 CVE-2020-15092 Northwestern Cross-site Scripting vulnerability in Northwestern Timelinejs

In TimelineJS before version 3.7.0, some user data renders as HTML.

4.8
2020-07-08 CVE-2020-1982 Paloaltonetworks Inadequate Encryption Strength vulnerability in Paloaltonetworks Pan-Os

Certain communication between PAN-OS and cloud-delivered services inadvertently use TLS 1.0, which is known to be a cryptographically weak protocol.

4.8
2020-07-09 CVE-2020-13132 Yubico Release of Invalid Pointer or Reference vulnerability in Yubico products

An issue was discovered in Yubico libykpiv before 2.1.0.

4.6
2020-07-09 CVE-2020-12402 Mozilla
Opensuse
Fedoraproject
Debian
Information Exposure Through Discrepancy vulnerability in multiple products

During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow.

4.4
2020-07-09 CVE-2020-12399 Mozilla
Debian
Information Exposure Through Discrepancy vulnerability in multiple products

NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys.

4.4
2020-07-07 CVE-2020-15095 Npmjs
Opensuse
Fedoraproject
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files.
4.4
2020-07-10 CVE-2020-8196 Citrix Improper Authentication vulnerability in Citrix products

Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.

4.3
2020-07-10 CVE-2020-8181 Nextcloud Unrestricted Upload of File with Dangerous Type vulnerability in Nextcloud Contacts

A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars.

4.3
2020-07-09 CVE-2020-4173 IBM Unspecified vulnerability in IBM products

IBM Guardium Activity Insights 10.6 and 11.0 does not set the secure attribute on authorization tokens or session cookies.

4.3
2020-07-09 CVE-2020-14170 Atlassian Server-Side Request Forgery (SSRF) vulnerability in Atlassian Bitbucket

Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability.

4.3
2020-07-09 CVE-2020-13131 Yubico Out-of-bounds Read vulnerability in Yubico products

An issue was discovered in Yubico libykpiv before 2.1.0.

4.3
2020-07-09 CVE-2020-12412 Mozilla Unspecified vulnerability in Mozilla Firefox

By navigating a tab using the history API, an attacker could cause the address bar to display the incorrect domain (with the https:// scheme, a blocked port number such as '1', and without a lock icon) while controlling the page contents.

4.3
2020-07-09 CVE-2020-12404 Mozilla Cross-site Scripting vulnerability in Mozilla Firefox

For native-to-JS bridging the app requires a unique token to be passed that ensures non-app code can't call the bridging functions.

4.3
2020-07-07 CVE-2019-4323 Hcltech Improper Restriction of Rendered UI Layers or Frames vulnerability in Hcltech Appscan 10.0.0/9.0.3.14

"HCL AppScan Enterprise advisory API documentation is susceptible to clickjacking, which could allow an attacker to embed the contents of untrusted web pages in a frame."

4.3

0 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS