Weekly Vulnerabilities Reports > July 6 to 12, 2020
Overview
188 new vulnerabilities reported during this period, including 22 critical vulnerabilities and 69 high severity vulnerabilities. This weekly summary report vulnerabilities in 193 products from 83 vendors including Mozilla, Opensuse, Debian, Huawei, and Canonical. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Use After Free", "Out-of-bounds Write", and "Improper Input Validation".
- 143 reported vulnerabilities are remotely exploitables.
- 2 reported vulnerabilities have public exploit available.
- 62 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 126 reported vulnerabilities are exploitable by an anonymous user.
- Mozilla has the most reported vulnerabilities, with 26 reported vulnerabilities.
- Phpzag has the most reported critical vulnerabilities, with 3 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
22 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-07-07 | CVE-2020-4077 | Electronjs | Unspecified vulnerability in Electronjs Electron In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. | 9.9 |
2020-07-10 | CVE-2020-15504 | Sophos | SQL Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0 A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. | 9.8 |
2020-07-10 | CVE-2020-8186 | Devcert Project | OS Command Injection vulnerability in Devcert Project Devcert 1.1.0 A command injection vulnerability in the `devcert` module may lead to remote code execution when users of the module pass untrusted input to the `certificateFor` function. | 9.8 |
2020-07-10 | CVE-2020-7815 | Tobesoft | Unspecified vulnerability in Tobesoft Xplatform XPLATFORM v9.2.260 and eariler versions contain a vulnerability that could allow remote files to be downloaded by setting the arguments to the vulnerable method. | 9.8 |
2020-07-10 | CVE-2020-7814 | Raonwiz | Improper Input Validation vulnerability in Raonwiz Raon K Upload 2018.0.2.51 RAONWIZ v2018.0.2.50 and eariler versions contains a vulnerability that could allow remote files to be downloaded and excuted by lack of validation to file extension, witch can used as remote-code-excution attacks by hackers File download & execution vulnerability in ____COMPONENT____ of RAONWIZ RAON KUpload allows ____ATTACKER/ATTACK____ to cause ____IMPACT____. | 9.8 |
2020-07-09 | CVE-2020-7458 | Freebsd | Out-of-bounds Write vulnerability in Freebsd 11.4/12.1 In FreeBSD 12.1-STABLE before r362281, 11.4-STABLE before r362281, and 11.4-RELEASE before p1, long values in the user-controlled PATH environment variable cause posix_spawnp to write beyond the end of the heap allocated stack possibly leading to arbitrary code execution. | 9.8 |
2020-07-08 | CVE-2020-11849 | Microfocus | Unspecified vulnerability in Microfocus Identity Manager Elevation of privilege and/or unauthorized access vulnerability in Micro Focus Identity Manager. | 9.8 |
2020-07-08 | CVE-2020-3931 | Geovision | Classic Buffer Overflow vulnerability in Geovision products Buffer overflow exists in Geovision Door Access Control device family, an unauthenticated remote attacker can execute arbitrary command. | 9.8 |
2020-07-07 | CVE-2020-8521 | Phpzag | SQL Injection vulnerability in PHPzag SQL injection with start and length parameters in Records.php for phpzag live add edit delete data tables records with ajax php mysql | 9.8 |
2020-07-07 | CVE-2020-8520 | Phpzag | SQL Injection vulnerability in PHPzag SQL injection in order and column parameters in Records.php for phpzag live add edit delete data tables records with ajax php mysql | 9.8 |
2020-07-07 | CVE-2020-8519 | Phpzag | SQL Injection vulnerability in PHPzag SQL injection with the search parameter in Records.php for phpzag live add edit delete data tables records with ajax php mysql | 9.8 |
2020-07-07 | CVE-2020-12821 | Protocol | Unspecified vulnerability in Protocol Gossipsub 1.0 Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack. | 9.8 |
2020-07-07 | CVE-2019-20896 | Webchess Project | SQL Injection vulnerability in Webchess Project Webchess 1.0 WebChess 1.0 allows SQL injection via the messageFrom, gameID, opponent, messageID, or to parameter. | 9.8 |
2020-07-07 | CVE-2020-15350 | Riot OS | Incorrect Calculation of Buffer Size vulnerability in Riot-Os Riot 2020.04 RIOT 2020.04 has a buffer overflow in the base64 decoder. | 9.8 |
2020-07-07 | CVE-2020-15367 | Venki | Improper Restriction of Excessive Authentication Attempts vulnerability in Venki Supravizio BPM 10.1.2 Venki Supravizio BPM 10.1.2 does not limit the number of authentication attempts. | 9.8 |
2020-07-07 | CVE-2020-5599 | Mitsubishielectric | Argument Injection or Modification vulnerability in Mitsubishielectric Coreos 05.65.00.Bd/Y TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet. | 9.8 |
2020-07-07 | CVE-2020-5595 | Mitsubishielectric | Classic Buffer Overflow vulnerability in Mitsubishielectric Coreos 05.65.00.Bd/Y TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a buffer overflow vulnerability, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet. | 9.8 |
2020-07-07 | CVE-2020-15506 | Mobileiron | Unspecified vulnerability in Mobileiron products An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to bypass authentication mechanisms via unspecified vectors. | 9.8 |
2020-07-07 | CVE-2020-15505 | Mobileiron | Use of Incorrectly-Resolved Name or Reference vulnerability in Mobileiron products A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors. | 9.8 |
2020-07-09 | CVE-2019-17638 | Eclipse | Operation on a Resource after Expiration or Release vulnerability in Eclipse Jetty 9.4.27/9.4.28/9.4.29 In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. | 9.4 |
2020-07-09 | CVE-2020-7692 | Incorrect Authorization vulnerability in Google Oauth Client Library for Java PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. | 9.1 | |
2020-07-07 | CVE-2020-4076 | Electronjs | Unspecified vulnerability in Electronjs Electron In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. | 9.0 |
69 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-07-10 | CVE-2020-8197 | Citrix | Unspecified vulnerability in Citrix products Privilege escalation vulnerability on Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows a low privileged user with management access to execute arbitrary commands. | 8.8 |
2020-07-09 | CVE-2020-4305 | IBM | Deserialization of Untrusted Data vulnerability in IBM products IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. | 8.8 |
2020-07-09 | CVE-2020-13994 | Mods FOR Hesk | Unrestricted Upload of File with Dangerous Type vulnerability in Mods-For-Hesk Mods for Hesk An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0. | 8.8 |
2020-07-09 | CVE-2020-12426 | Mozilla Opensuse | Out-of-bounds Write vulnerability in multiple products Mozilla developers and community members reported memory safety bugs present in Firefox 77. | 8.8 |
2020-07-09 | CVE-2020-12422 | Mozilla Opensuse | Out-of-bounds Write vulnerability in multiple products In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash. | 8.8 |
2020-07-09 | CVE-2020-12420 | Mozilla Canonical Opensuse | Use After Free vulnerability in multiple products When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash. | 8.8 |
2020-07-09 | CVE-2020-12419 | Mozilla Canonical Opensuse | Use After Free vulnerability in multiple products When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition. | 8.8 |
2020-07-09 | CVE-2020-12417 | Mozilla Canonical Opensuse | Incorrect Conversion between Numeric Types vulnerability in multiple products Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash. | 8.8 |
2020-07-09 | CVE-2020-12416 | Mozilla Opensuse | Use After Free vulnerability in multiple products A VideoStreamEncoder may have been freed in a race condition with VideoBroadcaster::AddOrUpdateSink, resulting in a use-after-free, memory corruption, and a potentially exploitable crash. | 8.8 |
2020-07-09 | CVE-2020-12411 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox Mozilla developers reported memory safety bugs present in Firefox 76. | 8.8 |
2020-07-09 | CVE-2020-12410 | Mozilla Canonical | Out-of-bounds Write vulnerability in multiple products Mozilla developers reported memory safety bugs present in Firefox 76 and Firefox ESR 68.8. | 8.8 |
2020-07-09 | CVE-2020-12409 | Mozilla | Unspecified vulnerability in Mozilla Firefox When using certain blank characters in a URL, they where incorrectly rendered as spaces instead of an encoded URL. | 8.8 |
2020-07-09 | CVE-2020-12406 | Mozilla Canonical | Insufficient Verification of Data Authenticity vulnerability in multiple products Mozilla Developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash. | 8.8 |
2020-07-09 | CVE-2018-12371 | Mozilla | Integer Overflow or Wraparound vulnerability in Mozilla Firefox An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 16 GB of RAM. | 8.8 |
2020-07-09 | CVE-2020-9377 | Dlink | OS Command Injection vulnerability in Dlink Dir-610 Firmware D-Link DIR-610 devices allow Remote Command Execution via the cmd parameter to command.php. | 8.8 |
2020-07-08 | CVE-2020-15072 | Phplist | SQL Injection vulnerability in PHPlist An issue was discovered in phpList through 3.5.4. | 8.8 |
2020-07-08 | CVE-2020-5764 | Mxplayer | Path Traversal vulnerability in Mxplayer MX Player MX Player Android App versions prior to v1.24.5, are vulnerable to a directory traversal vulnerability when user is using the MX Transfer feature in "Receive" mode. | 8.8 |
2020-07-08 | CVE-2020-3973 | Vmware | SQL Injection vulnerability in VMWare Velocloud Orchestrator The VeloCloud Orchestrator does not apply correct input validation which allows for blind SQL-injection. | 8.8 |
2020-07-07 | CVE-2020-15515 | Turn Project | Unspecified vulnerability in Turn! Project Turn! The turn extension through 0.3.2 for TYPO3 allows Remote Code Execution. | 8.8 |
2020-07-07 | CVE-2020-15565 | XEN Debian Fedoraproject Opensuse | Resource Exhaustion vulnerability in multiple products An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. | 8.8 |
2020-07-06 | CVE-2020-6013 | Checkpoint | Improper Privilege Management vulnerability in Checkpoint Zonealarm Extreme Security ZoneAlarm Firewall and Antivirus products before version 15.8.109.18436 allow an attacker who already has access to the system to execute code at elevated privileges through a combination of file permission manipulation and exploitation of Windows CVE-2020-00896 on unpatched systems. | 8.8 |
2020-07-06 | CVE-2020-5371 | Dell | Incorrect Permission Assignment for Critical Resource vulnerability in Dell EMC Isilon Onefs and EMC Powerscale Onefs Dell EMC Isilon OneFS versions 8.2.2 and earlier and Dell EMC PowerScale version 9.0.0 contain a file permissions vulnerability. | 8.8 |
2020-07-06 | CVE-2020-5352 | Dell | OS Command Injection vulnerability in Dell EMC Data Protection Advisor 18.1/6.4/6.5 Dell EMC Data Protection Advisor 6.4, 6.5 and 18.1 contain an OS command injection vulnerability. | 8.8 |
2020-07-09 | CVE-2020-15093 | Amazon | Improper Verification of Cryptographic Signature vulnerability in Amazon Tough The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. | 8.6 |
2020-07-10 | CVE-2020-11081 | Linuxfoundation | Unspecified vulnerability in Linuxfoundation Osquery osquery before version 4.4.0 enables a privilege escalation vulnerability. | 8.2 |
2020-07-09 | CVE-2020-7457 | Freebsd | Improper Synchronization vulnerability in Freebsd 11.3/11.4/12.1 In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 11.3-RELEASE before p11, missing synchronization in the IPV6_2292PKTOPTIONS socket option set handler contained a race condition allowing a malicious application to modify memory after being freed, possibly resulting in code execution. | 8.1 |
2020-07-09 | CVE-2020-5604 | Mercari | Unspecified vulnerability in Mercari 3.51.0 Android App 'Mercari' (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remote attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView. | 8.1 |
2020-07-08 | CVE-2020-2034 | Paloaltonetworks | OS Command Injection vulnerability in Paloaltonetworks Pan-Os An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges. | 8.1 |
2020-07-06 | CVE-2020-9395 | Realtek | Out-of-bounds Write vulnerability in Realtek products An issue was discovered on Realtek RTL8195AM, RTL8711AM, RTL8711AF, and RTL8710AF devices before 2.0.6. | 8.0 |
2020-07-10 | CVE-2020-8199 | Citrix | Unspecified vulnerability in Citrix Gateway Plug-In for Linux Improper access control in Citrix ADC Gateway Linux client versions before 1.0.0.137 results in local privilege escalation to root. | 7.8 |
2020-07-10 | CVE-2020-3974 | Vmware | Unspecified vulnerability in VMWare Fusion, Horizon Client and Remote Console VMware Fusion (11.x before 11.5.5), VMware Remote Console for Mac (11.x and prior before 11.2.0 ) and Horizon Client for Mac (5.x and prior before 5.4.3) contain a privilege escalation vulnerability due to improper XPC Client validation. | 7.8 |
2020-07-09 | CVE-2020-12423 | Mozilla | Uncontrolled Search Path Element vulnerability in Mozilla Firefox When the Windows DLL "webauthn.dll" was missing from the Operating System, and a malicious one was placed in a folder in the user's %PATH%, Firefox may have loaded the DLL, leading to arbitrary code execution. | 7.8 |
2020-07-08 | CVE-2020-5974 | Nvidia | Incorrect Default Permissions vulnerability in Nvidia Jetpack Software Development KIT 4.2/4.3 NVIDIA JetPack SDK, version 4.2 and 4.3, contains a vulnerability in its installation scripts in which permissions are incorrectly set on certain directories, which can lead to escalation of privileges. | 7.8 |
2020-07-07 | CVE-2020-15567 | XEN Debian Opensuse Fedoraproject | Race Condition vulnerability in multiple products An issue was discovered in Xen through 4.13.x, allowing Intel guest OS users to gain privileges or cause a denial of service because of non-atomic modification of a live EPT PTE. | 7.8 |
2020-07-06 | CVE-2020-9262 | Huawei | Use After Free vulnerability in Huawei Mate 30 Firmware HUAWEI Mate 30 with versions earlier than 10.1.0.150(C00E136R5P3) have a use after free vulnerability. | 7.8 |
2020-07-06 | CVE-2020-9261 | Huawei | Type Confusion vulnerability in Huawei Mate 30 Firmware HUAWEI Mate 30 with versions earlier than 10.1.0.150(C00E136R5P3) have a type confusion vulnerability. | 7.8 |
2020-07-06 | CVE-2020-9100 | Huawei | Uncontrolled Search Path Element vulnerability in Huawei Hisuite Earlier than HiSuite 10.1.0.500 have a DLL hijacking vulnerability. | 7.8 |
2020-07-06 | CVE-2019-8250 | Adobe | Type Confusion vulnerability in Adobe Acrobat DC Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a type confusion vulnerability. | 7.8 |
2020-07-06 | CVE-2019-8249 | Adobe | Type Confusion vulnerability in Adobe Acrobat DC Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a type confusion vulnerability. | 7.8 |
2020-07-06 | CVE-2019-8066 | Adobe | Out-of-bounds Write vulnerability in Adobe Acrobat DC Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a heap overflow vulnerability. | 7.8 |
2020-07-10 | CVE-2020-8190 | Citrix | Improper Preservation of Permissions vulnerability in Citrix products Incorrect file permissions in Citrix ADC and Citrix Gateway before versions 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows privilege escalation. | 7.5 |
2020-07-10 | CVE-2020-8187 | Citrix | Improper Input Validation vulnerability in Citrix products Improper input validation in Citrix ADC and Citrix Gateway versions before 11.1-63.9 and 12.0-62.10 allows unauthenticated users to perform a denial of service attack. | 7.5 |
2020-07-09 | CVE-2020-13993 | Mods FOR Hesk | SQL Injection vulnerability in Mods-For-Hesk Mods for Hesk An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0. | 7.5 |
2020-07-09 | CVE-2020-12398 | Mozilla Canonical | Cleartext Transmission of Sensitive Information vulnerability in multiple products If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection. | 7.5 |
2020-07-09 | CVE-2020-9376 | Dlink | Injection vulnerability in Dlink Dir-610 Firmware D-Link DIR-610 devices allow Information Disclosure via SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1 to getcfg.php. | 7.5 |
2020-07-08 | CVE-2019-19417 | Huawei | Improper Input Validation vulnerability in Huawei products The SIP module of some Huawei products have a denial of service (DoS) vulnerability. | 7.5 |
2020-07-08 | CVE-2019-19416 | Huawei | Improper Input Validation vulnerability in Huawei products The SIP module of some Huawei products have a denial of service (DoS) vulnerability. | 7.5 |
2020-07-08 | CVE-2019-19415 | Huawei | Improper Input Validation vulnerability in Huawei products The SIP module of some Huawei products have a denial of service (DoS) vulnerability. | 7.5 |
2020-07-08 | CVE-2020-6938 | Tableau | Information Exposure Through Log Files vulnerability in Tableau Server A sensitive information disclosure vulnerability in Tableau Server 10.5, 2018.x, 2019.x, 2020.x released before June 26, 2020, could allow access to sensitive information in log files. | 7.5 |
2020-07-08 | CVE-2020-5839 | Symantec | Unspecified vulnerability in Symantec Endpoint Detection and Response 4.1.0/4.2.0/4.3.0 Symantec Endpoint Detection And Response, prior to 4.4, may be susceptible to an information disclosure issue, which is a type of vulnerability that could potentially allow unauthorized access to data. | 7.5 |
2020-07-08 | CVE-2020-11994 | Apache Oracle | Injection vulnerability in multiple products Server-Side Template Injection and arbitrary file disclosure on Camel templating components | 7.5 |
2020-07-07 | CVE-2020-15008 | Connectwise | SQL Injection vulnerability in Connectwise Automate 2019.12 A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. | 7.5 |
2020-07-07 | CVE-2020-15579 | Unspecified vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. | 7.5 | |
2020-07-07 | CVE-2020-15576 | Solarwinds | Unspecified vulnerability in Solarwinds Serv-U SolarWinds Serv-U File Server before 15.2.1 allows information disclosure via an HTTP response. | 7.5 |
2020-07-07 | CVE-2020-15574 | Solarwinds | Unspecified vulnerability in Solarwinds Serv-U SolarWinds Serv-U File Server before 15.2.1 mishandles the Same-Site cookie attribute, aka Case Number 00331893. | 7.5 |
2020-07-07 | CVE-2020-10745 | Samba Fedoraproject Opensuse Debian | Resource Exhaustion vulnerability in multiple products A flaw was found in all Samba versions before 4.10.17, before 4.11.11 and before 4.12.4 in the way it processed NetBios over TCP/IP. | 7.5 |
2020-07-07 | CVE-2020-5600 | Mitsubishielectric | Unspecified vulnerability in Mitsubishielectric Coreos 05.65.00.Bd/Y TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a resource management error vulnerability, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet. | 7.5 |
2020-07-07 | CVE-2020-5598 | Mitsubishielectric | Unspecified vulnerability in Mitsubishielectric Coreos 05.65.00.Bd/Y TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper access control vulnerability, which may which may allow a remote attacker tobypass access restriction and stop the network functions of the products or execute a malicious program via a specially crafted packet. | 7.5 |
2020-07-07 | CVE-2020-5597 | Mitsubishielectric | NULL Pointer Dereference vulnerability in Mitsubishielectric Coreos 05.65.00.Bd/Y TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a null pointer dereference vulnerability, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet. | 7.5 |
2020-07-07 | CVE-2020-5596 | Mitsubishielectric | Session Fixation vulnerability in Mitsubishielectric Coreos 05.65.00.Bd/Y TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) does not properly manage sessions, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet. | 7.5 |
2020-07-07 | CVE-2020-15507 | Mobileiron | Unspecified vulnerability in Mobileiron products An arbitrary file reading vulnerability in MobileIron Core versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to read files on the system via unspecified vectors. | 7.5 |
2020-07-07 | CVE-2020-4075 | Electronjs | Files or Directories Accessible to External Parties vulnerability in Electronjs Electron In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. | 7.5 |
2020-07-06 | CVE-2020-5372 | Dell | Incorrect Authorization vulnerability in Dell products Dell EMC PowerStore versions prior to 1.0.1.0.5.002 contain a vulnerability that exposes test interface ports to external network. | 7.5 |
2020-07-06 | CVE-2020-5368 | Dell | Missing Authorization vulnerability in Dell Vxrail D560 Firmware and Vxrail D560F Firmware Dell EMC VxRail versions 4.7.410 and 4.7.411 contain an improper authentication vulnerability. | 7.5 |
2020-07-06 | CVE-2020-14303 | Samba Fedoraproject Opensuse Debian Canonical | Excessive Iteration vulnerability in multiple products A flaw was found in the AD DC NBT server in all Samba versions before 4.10.17, before 4.11.11 and before 4.12.4. | 7.5 |
2020-07-10 | CVE-2020-11061 | Bareos Debian | In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. | 7.4 |
2020-07-10 | CVE-2020-6114 | Icehrm | SQL Injection vulnerability in Icehrm 26.6.0.Os An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . | 7.2 |
2020-07-08 | CVE-2020-2030 | Paloaltonetworks | OS Command Injection vulnerability in Paloaltonetworks Pan-Os An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. | 7.2 |
2020-07-07 | CVE-2020-12736 | Code42 | Injection vulnerability in Code42 Code42 environments with on-premises server versions 7.0.4 and earlier allow for possible remote code execution. | 7.2 |
97 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-07-10 | CVE-2020-4042 | Bareos | Authentication Bypass by Capture-replay vulnerability in Bareos Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. | 6.8 |
2020-07-07 | CVE-2020-15096 | Electronjs | Unspecified vulnerability in Electronjs Electron In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. | 6.8 |
2020-07-10 | CVE-2020-8195 | Citrix | Path Traversal vulnerability in Citrix products Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users. | 6.5 |
2020-07-10 | CVE-2020-8194 | Citrix | Code Injection vulnerability in Citrix products Reflected code injection in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows the modification of a file download. | 6.5 |
2020-07-10 | CVE-2020-8193 | Citrix | Improper Authentication vulnerability in Citrix products Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints. | 6.5 |
2020-07-10 | CVE-2020-9260 | Huawei | Unspecified vulnerability in Huawei P30 Firmware and P30 PRO Firmware HUAWEI P30 and HUAWEI P30 Pro smartphones with versions earlier than 10.1.0.123(C432E22R2P5) and versions earlier than 10.1.0.160(C00E160R2P8) have an information disclosure vulnerability. | 6.5 |
2020-07-09 | CVE-2020-14171 | Atlassian | Cleartext Transmission of Sensitive Information vulnerability in Atlassian Bitbucket Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack. | 6.5 |
2020-07-09 | CVE-2020-10756 | Libslirp Project Redhat Canonical Debian Opensuse | Out-of-bounds Read vulnerability in multiple products An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. | 6.5 |
2020-07-09 | CVE-2020-12425 | Mozilla | Out-of-bounds Read vulnerability in Mozilla Firefox Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have occurred, leading to potential information disclosure. | 6.5 |
2020-07-09 | CVE-2020-12421 | Mozilla Canonical | Improper Certificate Validation vulnerability in multiple products When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user. | 6.5 |
2020-07-09 | CVE-2020-12418 | Mozilla Canonical Opensuse | Out-of-bounds Read vulnerability in multiple products Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript. | 6.5 |
2020-07-09 | CVE-2020-12415 | Mozilla Opensuse | Incorrect Default Permissions vulnerability in multiple products When "%2F" was present in a manifest URL, Firefox's AppCache behavior may have become confused and allowed a manifest to be served from a subdirectory. | 6.5 |
2020-07-09 | CVE-2020-12414 | Mozilla | Incomplete Cleanup vulnerability in Mozilla Firefox IndexedDB should be cleared when leaving private browsing mode and it is not, the API for WKWebViewConfiguration was being used incorrectly and requires the private instance of this object be deleted when leaving private mode. | 6.5 |
2020-07-09 | CVE-2020-12408 | Mozilla | Unspecified vulnerability in Mozilla Firefox When browsing a document hosted on an IP address, an attacker could insert certain characters to flip domain and path information in the address bar. | 6.5 |
2020-07-09 | CVE-2020-12407 | Mozilla | Out-of-bounds Read vulnerability in Mozilla Firefox Mozilla Developer Nicolas Silva found that when using WebRender, Firefox would under certain conditions leak arbitrary GPU memory to the visible screen. | 6.5 |
2020-07-09 | CVE-2020-5366 | Dell | Path Traversal vulnerability in Dell Idrac9 Firmware Dell EMC iDRAC9 versions prior to 4.20.20.20 contain a Path Traversal Vulnerability. | 6.5 |
2020-07-09 | CVE-2020-12424 | Mozilla Opensuse | Incorrect Default Permissions vulnerability in multiple products When constructing a permission prompt for WebRTC, a URI was supplied from the content process. | 6.5 |
2020-07-07 | CVE-2020-15600 | Cmsuno Project | Cross-Site Request Forgery (CSRF) vulnerability in Cmsuno Project Cmsuno An issue was discovered in CMSUno before 1.6.1. | 6.5 |
2020-07-07 | CVE-2020-15509 | Nordicsemi | Cleartext Transmission of Sensitive Information vulnerability in Nordicsemi Android BLE Library and DFU Library Nordic Semiconductor Android BLE Library through 2.2.1 and DFU Library through 1.10.4 for Android (as used by nRF Connect and other applications) can engage in unencrypted communication while showing the user that the communication is purportedly encrypted. | 6.5 |
2020-07-07 | CVE-2020-10730 | Samba Redhat Opensuse Fedoraproject Debian | Use After Free vulnerability in multiple products A NULL pointer dereference, or possible use-after-free flaw was found in Samba AD LDAP server in versions before 4.10.17, before 4.11.11 and before 4.12.4. | 6.5 |
2020-07-07 | CVE-2020-15566 | XEN Debian | Improper Check for Unusual or Exceptional Conditions vulnerability in multiple products An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a host OS crash because of incorrect error handling in event-channel port allocation. | 6.5 |
2020-07-07 | CVE-2020-15564 | XEN Debian Fedoraproject | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products An issue was discovered in Xen through 4.13.x, allowing Arm guest OS users to cause a hypervisor crash because of a missing alignment check in VCPUOP_register_vcpu_info. | 6.5 |
2020-07-07 | CVE-2020-15563 | XEN Debian Fedoraproject Opensuse | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products An issue was discovered in Xen through 4.13.x, allowing x86 HVM guest OS users to cause a hypervisor crash. | 6.5 |
2020-07-06 | CVE-2020-10760 | Samba Canonical Opensuse Fedoraproject | Use After Free vulnerability in multiple products A use-after-free flaw was found in all samba LDAP server versions before 4.10.17, before 4.11.11, before 4.12.4 used in a AC DC configuration. | 6.5 |
2020-07-06 | CVE-2019-14900 | Hibernate Redhat Quarkus | SQL Injection vulnerability in multiple products A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. | 6.5 |
2020-07-06 | CVE-2020-5356 | Dell | Files or Directories Accessible to External Parties vulnerability in Dell products Dell PowerProtect Data Manager (PPDM) versions prior to 19.4 and Dell PowerProtect X400 versions prior to 3.2 contain an improper authorization vulnerability. | 6.5 |
2020-07-06 | CVE-2020-1839 | Huawei | Race Condition vulnerability in Huawei Mate 30 Firmware HUAWEI Mate 30 with versions earlier than 10.1.0.150(C00E136R5P3) have a race condition vulnerability. | 6.3 |
2020-07-10 | CVE-2020-8198 | Citrix | Cross-site Scripting vulnerability in Citrix products Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in Stored Cross-Site Scripting (XSS). | 6.1 |
2020-07-10 | CVE-2020-8191 | Citrix | Cross-site Scripting vulnerability in Citrix products Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows reflected Cross Site Scripting (XSS). | 6.1 |
2020-07-10 | CVE-2020-5607 | SS Proj | Open Redirect vulnerability in Ss-Proj Shirasagi Open redirect vulnerability in SHIRASAGI v1.13.1 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 6.1 |
2020-07-09 | CVE-2020-15299 | King Theme | Cross-site Scripting vulnerability in King-Theme Kingcomposer 2.7.6/2.9.4 A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is executed in the victim's browser. | 6.1 |
2020-07-09 | CVE-2020-13992 | Mods FOR Hesk | Cross-site Scripting vulnerability in Mods-For-Hesk Mods for Hesk An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0. | 6.1 |
2020-07-08 | CVE-2020-7140 | HP | Cross-site Scripting vulnerability in HP Icewall SSO DFW and Icewall SSO Dgfw A security vulnerability in HPE IceWall SSO Dfw and Dgfw (Domain Gateway Option) could be exploited remotely to cause a remote cross-site scripting (XSS). | 6.1 |
2020-07-07 | CVE-2020-15599 | Victor CMS Project | Cross-site Scripting vulnerability in Victor CMS Project Victor CMS 1.0/20180510/20190228 Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field. | 6.1 |
2020-07-07 | CVE-2020-11882 | Telefonica | Open Redirect vulnerability in Telefonica O2 Business 1.2.0 The O2 Business application 1.2.0 for Android exposes the canvasm.myo2.SplashActivity activity to other applications. | 6.1 |
2020-07-07 | CVE-2019-19935 | Froala | Cross-site Scripting vulnerability in Froala Editor Froala Editor before 3.2.3 allows XSS. | 6.1 |
2020-07-07 | CVE-2019-4324 | Hcltech | Cross-site Scripting vulnerability in Hcltech Appscan 10.0.0/9.0.3.14 "HCL AppScan Enterprise is susceptible to Cross-Site Scripting while importing a specially crafted test policy." | 6.1 |
2020-07-07 | CVE-2020-15575 | Solarwinds | Cross-site Scripting vulnerability in Solarwinds Serv-U SolarWinds Serv-U File Server before 15.2.1 allows XSS as demonstrated by Tenable Scan, aka Case Number 00484194. | 6.1 |
2020-07-07 | CVE-2020-15573 | Solarwinds | Cross-site Scripting vulnerability in Solarwinds Serv-U SolarWinds Serv-U File Server before 15.2.1 has a "Cross-script vulnerability," aka Case Numbers 00041778 and 00306421. | 6.1 |
2020-07-06 | CVE-2020-7691 | Parall | Cross-site Scripting vulnerability in Parall Jspdf In all versions of the package jspdf, it is possible to use <<script>script> in order to go over the filtering regex. | 6.1 |
2020-07-06 | CVE-2020-7690 | Parall | Cross-site Scripting vulnerability in Parall Jspdf All affected versions <2.0.0 of package jspdf are vulnerable to Cross-site Scripting (XSS). | 6.1 |
2020-07-06 | CVE-2020-15562 | Roundcube Debian | Cross-site Scripting vulnerability in multiple products An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. | 6.1 |
2020-07-09 | CVE-2020-15000 | Yubico | Unspecified vulnerability in Yubico Yubikey 5 NFC Firmware 5.2.0/5.2.6 A PIN management problem was discovered on Yubico YubiKey 5 devices 5.2.0 to 5.2.6. | 5.9 |
2020-07-09 | CVE-2020-15526 | RED Gate | Improper Certificate Validation vulnerability in Red-Gate SQL Monitor In Redgate SQL Monitor 7.1.4 through 10.1.6 (inclusive), the scope for disabling some TLS security certificate checks can extend beyond that defined by various options on the Configuration > Notifications pages to disable certificate checking for alert notifications. | 5.9 |
2020-07-10 | CVE-2020-9258 | Huawei | Improper Input Validation vulnerability in Huawei P30 Firmware HUAWEI P30 smartphone with versions earlier than 10.1.0.135(C00E135R2P11) have an improper input verification vulnerability. | 5.5 |
2020-07-07 | CVE-2020-8916 | Openthread | Memory Leak vulnerability in Openthread Wpantund 20200528 A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). | 5.5 |
2020-07-07 | CVE-2020-15584 | Improper Input Validation vulnerability in Google Android 10.0 An issue was discovered on Samsung mobile devices with Q(10.0) software. | 5.5 | |
2020-07-07 | CVE-2020-15583 | Path Traversal vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. | 5.5 | |
2020-07-07 | CVE-2020-15582 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 10.0/9.0 An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (Exynos 7885 chipsets) software. | 5.5 | |
2020-07-07 | CVE-2020-15580 | Unspecified vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. | 5.5 | |
2020-07-07 | CVE-2020-15578 | Incorrect Default Permissions vulnerability in Google Android 8.0/8.1 An issue was discovered on Samsung mobile devices with O(8.x) software. | 5.5 | |
2020-07-07 | CVE-2020-15577 | Unspecified vulnerability in Google Android 10.0/9.0 An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. | 5.5 | |
2020-07-06 | CVE-2020-9226 | Huawei | Improper Verification of Cryptographic Signature vulnerability in Huawei P30 Firmware HUAWEI P30 with versions earlier than 10.1.0.135(C00E135R2P11) have an improper signature verification vulnerability. | 5.5 |
2020-07-06 | CVE-2020-1838 | Huawei | Improper Authentication vulnerability in Huawei Mate 30 PRO Firmware 10.0.0.203(C00E202R7P2)/10.0.0.205(C00E202R7P2) HUAWEI Mate 30 Pro with versions earlier than 10.1.0.150(C00E136R5P3) have is an improper authentication vulnerability. | 5.5 |
2020-07-06 | CVE-2019-8252 | Adobe | Type Confusion vulnerability in Adobe Acrobat DC Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a type confusion vulnerability. | 5.5 |
2020-07-06 | CVE-2019-8251 | Adobe | Type Confusion vulnerability in Adobe Acrobat DC Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a type confusion vulnerability. | 5.5 |
2020-07-06 | CVE-2020-15570 | Whoopsie Project | Allocation of Resources Without Limits or Throttling vulnerability in Whoopsie Project Whoopsie The parse_report() function in whoopsie.c in Whoopsie through 0.2.69 mishandles memory allocation failures, which allows an attacker to cause a denial of service via a malformed crash file. | 5.5 |
2020-07-06 | CVE-2020-15569 | Milkytracker Project Debian | Use After Free vulnerability in multiple products PlayerGeneric.cpp in MilkyTracker through 1.02.00 has a use-after-free in the PlayerGeneric destructor. | 5.5 |
2020-07-10 | CVE-2020-15105 | Django TWO Factor Authentication Project | Cleartext Storage of Sensitive Information vulnerability in Django Two-Factor Authentication Project Django Two-Factor Authentication Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). | 5.4 |
2020-07-08 | CVE-2020-15073 | Phplist | Cross-site Scripting vulnerability in PHPlist An issue was discovered in phpList through 3.5.4. | 5.4 |
2020-07-07 | CVE-2020-15035 | Nedi | Cross-site Scripting vulnerability in Nedi 1.9C NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. | 5.4 |
2020-07-07 | CVE-2020-15034 | Nedi | Cross-site Scripting vulnerability in Nedi 1.9C NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. | 5.4 |
2020-07-07 | CVE-2020-15033 | Nedi | Cross-site Scripting vulnerability in Nedi 1.9C NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. | 5.4 |
2020-07-07 | CVE-2020-15032 | Nedi | Cross-site Scripting vulnerability in Nedi 1.9C NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. | 5.4 |
2020-07-07 | CVE-2020-15031 | Nedi | Cross-site Scripting vulnerability in Nedi 1.9C NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. | 5.4 |
2020-07-07 | CVE-2020-15030 | Nedi | Cross-site Scripting vulnerability in Nedi 1.9C NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. | 5.4 |
2020-07-07 | CVE-2020-15029 | Nedi | Cross-site Scripting vulnerability in Nedi 1.9C NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. | 5.4 |
2020-07-07 | CVE-2020-15028 | Nedi | Cross-site Scripting vulnerability in Nedi 1.9C NeDi 1.9C is vulnerable to a cross-site scripting (XSS) attack. | 5.4 |
2020-07-07 | CVE-2020-15037 | Nedi | Cross-site Scripting vulnerability in Nedi 1.9C NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. | 5.4 |
2020-07-07 | CVE-2020-15036 | Nedi | Cross-site Scripting vulnerability in Nedi 1.9C NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. | 5.4 |
2020-07-07 | CVE-2020-15517 | Faceted Search Project | Cross-site Scripting vulnerability in Faceted Search Project Faceted Search The ke_search (aka Faceted Search) extension through 2.8.2, and 3.x through 3.1.3, for TYPO3 allows XSS. | 5.4 |
2020-07-07 | CVE-2020-15516 | MM Forum Project | Cross-site Scripting vulnerability in MM Forum Project MM Forum The mm_forum extension through 1.9.5 for TYPO3 allows XSS that can be exploited via CSRF. | 5.4 |
2020-07-07 | CVE-2020-15514 | JH Captcha Project | Cross-site Scripting vulnerability in JH Captcha Project JH Captcha The jh_captcha extension through 2.1.3, and 3.x through 3.0.2, for TYPO3 allows XSS. | 5.4 |
2020-07-09 | CVE-2020-15001 | Yubico | Missing Authorization vulnerability in Yubico Yubikey 5 NFC Firmware An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. | 5.3 |
2020-07-09 | CVE-2020-12405 | Mozilla Canonical | Use After Free vulnerability in multiple products When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash. | 5.3 |
2020-07-09 | CVE-2020-7693 | Sockjs Project | Improper Handling of Exceptional Conditions vulnerability in Sockjs Project Sockjs Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. | 5.3 |
2020-07-07 | CVE-2020-15581 | Information Exposure Through Log Files vulnerability in Google Android An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. | 5.3 | |
2020-07-07 | CVE-2020-15525 | Gitlab | Unspecified vulnerability in Gitlab GitLab EE 11.3 through 13.1.2 has Incorrect Access Control because of the Maven package upload endpoint. | 5.3 |
2020-07-07 | CVE-2020-15513 | Mittwald | Incorrect Authorization vulnerability in Mittwald Typo3 Forum The typo3_forum extension before 1.2.1 for TYPO3 has Incorrect Access Control. | 5.3 |
2020-07-07 | CVE-2020-15392 | Venki | Information Exposure Through Discrepancy vulnerability in Venki Supravizio BPM 10.1.2 A user enumeration vulnerability flaw was found in Venki Supravizio BPM 10.1.2. | 5.3 |
2020-07-06 | CVE-2020-1836 | Huawei | Unspecified vulnerability in Huawei P30 Firmware and P30 PRO Firmware HUAWEI P30 with versions earlier than 10.1.0.160(C00E160R2P11) and HUAWEI P30 Pro with versions earlier than 10.1.0.160(C00E160R2P8) have an information disclosure vulnerability. | 5.3 |
2020-07-06 | CVE-2020-1837 | Huawei | Unspecified vulnerability in Huawei Changxiang 8 Plus Firmware 9.1.0.111(C00E111R1P6T8) ChangXiang 8 Plus with versions earlier than 9.1.0.136(C00E121R1P6T8) have a denial of service vulnerability. | 5.3 |
2020-07-08 | CVE-2020-2031 | Paloaltonetworks | Integer Underflow (Wrap or Wraparound) vulnerability in Paloaltonetworks Pan-Os 9.1.0/9.1.1/9.1.2 An integer underflow vulnerability in the dnsproxyd component of the PAN-OS management interface allows authenticated administrators to issue a command from the command line interface that causes the component to stop responding. | 4.9 |
2020-07-09 | CVE-2020-15092 | Northwestern | Cross-site Scripting vulnerability in Northwestern Timelinejs In TimelineJS before version 3.7.0, some user data renders as HTML. | 4.8 |
2020-07-08 | CVE-2020-1982 | Paloaltonetworks | Inadequate Encryption Strength vulnerability in Paloaltonetworks Pan-Os Certain communication between PAN-OS and cloud-delivered services inadvertently use TLS 1.0, which is known to be a cryptographically weak protocol. | 4.8 |
2020-07-09 | CVE-2020-13132 | Yubico | Release of Invalid Pointer or Reference vulnerability in Yubico products An issue was discovered in Yubico libykpiv before 2.1.0. | 4.6 |
2020-07-09 | CVE-2020-12402 | Mozilla Opensuse Fedoraproject Debian | Information Exposure Through Discrepancy vulnerability in multiple products During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. | 4.4 |
2020-07-09 | CVE-2020-12399 | Mozilla Debian | Information Exposure Through Discrepancy vulnerability in multiple products NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. | 4.4 |
2020-07-07 | CVE-2020-15095 | Npmjs Opensuse Fedoraproject | Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. | 4.4 |
2020-07-10 | CVE-2020-8196 | Citrix | Improper Authentication vulnerability in Citrix products Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users. | 4.3 |
2020-07-10 | CVE-2020-8181 | Nextcloud | Unrestricted Upload of File with Dangerous Type vulnerability in Nextcloud Contacts A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars. | 4.3 |
2020-07-09 | CVE-2020-4173 | IBM | Unspecified vulnerability in IBM products IBM Guardium Activity Insights 10.6 and 11.0 does not set the secure attribute on authorization tokens or session cookies. | 4.3 |
2020-07-09 | CVE-2020-14170 | Atlassian | Server-Side Request Forgery (SSRF) vulnerability in Atlassian Bitbucket Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability. | 4.3 |
2020-07-09 | CVE-2020-13131 | Yubico | Out-of-bounds Read vulnerability in Yubico products An issue was discovered in Yubico libykpiv before 2.1.0. | 4.3 |
2020-07-09 | CVE-2020-12412 | Mozilla | Unspecified vulnerability in Mozilla Firefox By navigating a tab using the history API, an attacker could cause the address bar to display the incorrect domain (with the https:// scheme, a blocked port number such as '1', and without a lock icon) while controlling the page contents. | 4.3 |
2020-07-09 | CVE-2020-12404 | Mozilla | Cross-site Scripting vulnerability in Mozilla Firefox For native-to-JS bridging the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. | 4.3 |
2020-07-07 | CVE-2019-4323 | Hcltech | Improper Restriction of Rendered UI Layers or Frames vulnerability in Hcltech Appscan 10.0.0/9.0.3.14 "HCL AppScan Enterprise advisory API documentation is susceptible to clickjacking, which could allow an attacker to embed the contents of untrusted web pages in a frame." | 4.3 |
0 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|