Weekly Vulnerabilities Reports > July 27 to August 2, 2020
Overview
255 new vulnerabilities reported during this period, including 43 critical vulnerabilities and 64 high severity vulnerabilities. This weekly summary report vulnerabilities in 327 products from 94 vendors including Control Webpanel, IBM, Qualcomm, Canonical, and Debian. Vulnerabilities are notably categorized as "OS Command Injection", "Cross-site Scripting", "SQL Injection", "Information Exposure", and "Improper Input Validation".
- 207 reported vulnerabilities are remotely exploitables.
- 113 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 190 reported vulnerabilities are exploitable by an anonymous user.
- Control Webpanel has the most reported vulnerabilities, with 38 reported vulnerabilities.
- Control Webpanel has the most reported critical vulnerabilities, with 26 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
43 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-07-31 | CVE-2020-3382 | Cisco | Use of Hard-coded Credentials vulnerability in Cisco Data Center Network Manager A vulnerability in the REST API of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. | 10.0 |
2020-07-31 | CVE-2020-3375 | Cisco | Improper Input Validation vulnerability in Cisco IOS XE Sd-Wan and Sd-Wan A vulnerability in Cisco SD-WAN Solution Software could allow an unauthenticated, remote attacker to cause a buffer overflow on an affected device. | 10.0 |
2020-07-29 | CVE-2019-20025 | NEC | Use of Hard-coded Credentials vulnerability in NEC Sv9100 Firmware Certain builds of NEC SV9100 software could allow an unauthenticated, remote attacker to log into a device running an affected release with a hardcoded username and password, aka a Static Credential Vulnerability. | 10.0 |
2020-07-28 | CVE-2020-15609 | Centos Webpanel | OS Command Injection vulnerability in Centos-Webpanel Centos web Panel 17.0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 10.0 |
2020-07-31 | CVE-2020-3376 | Cisco | Missing Authentication for Critical Function vulnerability in Cisco Data Center Network Manager A vulnerability in the Device Manager application of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions on an affected device. | 9.8 |
2020-07-30 | CVE-2020-7699 | Express Fileupload Project Netapp | This affects the package express-fileupload before 1.1.8. | 9.8 |
2020-07-28 | CVE-2020-15623 | Control Webpanel | Exposed Dangerous Method or Function vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to write arbitrary files on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15615 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15614 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15613 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15612 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15611 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15610 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15608 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15607 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15606 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15435 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15434 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15433 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15432 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15431 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15430 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15429 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15428 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15427 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15426 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15425 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15424 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15423 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15422 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15421 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 9.8 |
2020-07-28 | CVE-2020-15420 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.891 This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-el7-0.9.8.891. | 9.8 |
2020-07-28 | CVE-2020-15900 | Artifex Canonical Opensuse | Integer Underflow (Wrap or Wraparound) vulnerability in multiple products A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. | 9.8 |
2020-07-27 | CVE-2020-12460 | Trusteddomain Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null termination in the function opendmarc_xml_parse that can result in a one-byte heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate report. | 9.8 |
2020-07-30 | CVE-2020-5610 | Toyota | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Toyota Global Techstream Global TechStream (GTS) for TOYOTA dealers version 15.10.032 and earlier allows an attacker to cause a denial-of-service (DoS) condition and execute arbitrary code via unspecified vectors. | 9.3 |
2020-07-29 | CVE-2020-5760 | Grandstream | OS Command Injection vulnerability in Grandstream products Grandstream HT800 series firmware version 1.0.17.5 and below is vulnerable to an OS command injection vulnerability. | 9.3 |
2020-07-29 | CVE-2020-9691 | Magento | Cross-site Scripting vulnerability in Magento Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a dom-based cross-site scripting vulnerability. | 9.3 |
2020-07-30 | CVE-2020-16163 | Ripe | Improper Certificate Validation vulnerability in Ripe Rpki Validator 3 An issue was discovered in RIPE NCC RPKI Validator 3.x before 3.1-2020.07.06.14.28. | 9.1 |
2020-07-31 | CVE-2020-3386 | Cisco | Incorrect Authorization vulnerability in Cisco Data Center Network Manager A vulnerability in the REST API endpoint of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker with a low-privileged account to bypass authorization on the API of an affected device. | 9.0 |
2020-07-31 | CVE-2020-3374 | Cisco | Incorrect Authorization vulnerability in Cisco Sd-Wan A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization, enabling them to access sensitive information, modify the system configuration, or impact the availability of the affected system. | 9.0 |
2020-07-29 | CVE-2020-5763 | Grandstream | Inadequate Encryption Strength vulnerability in Grandstream products Grandstream HT800 series firmware version 1.0.17.5 and below contain a backdoor in the SSH service. | 9.0 |
2020-07-29 | CVE-2020-14488 | Freemedsoftware | Unrestricted Upload of File with Dangerous Type vulnerability in Freemedsoftware Openclinic GA 5.09.02/5.89.05B OpenClinic GA 5.09.02 and 5.89.05b does not properly verify uploaded files, which may allow a low-privilege user to upload and execute arbitrary files on the system. | 9.0 |
2020-07-28 | CVE-2020-11476 | Concretecms | Unrestricted Upload of File with Dangerous Type vulnerability in Concretecms Concrete CMS Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. | 9.0 |
64 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-07-31 | CVE-2020-14334 | Redhat | Insufficiently Protected Credentials vulnerability in Redhat Satellite 6.0 A flaw was found in Red Hat Satellite 6 which allows privileged attacker to read cache files. | 8.8 |
2020-07-31 | CVE-2020-3383 | Cisco | Improper Input Validation vulnerability in Cisco Data Center Network Manager A vulnerability in the archive utility of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to conduct directory traversal attacks on an affected device. | 8.8 |
2020-07-31 | CVE-2020-3377 | Cisco | OS Command Injection vulnerability in Cisco Data Center Network Manager A vulnerability in the Device Manager application of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to inject arbitrary commands on the affected device. | 8.8 |
2020-07-29 | CVE-2020-9692 | Magento | Incorrect Authorization vulnerability in Magento Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a security mitigation bypass vulnerability. | 8.5 |
2020-07-29 | CVE-2020-9689 | Magento | Path Traversal vulnerability in Magento Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a path traversal vulnerability. | 8.5 |
2020-07-28 | CVE-2020-15416 | Netgear | Stack-based Buffer Overflow vulnerability in Netgear R6700 Firmware 1.0.4.8410.0.58 This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. | 8.3 |
2020-07-28 | CVE-2020-10929 | Netgear | Integer Overflow or Wraparound vulnerability in Netgear R6700 Firmware 1.0.4.8410.0.58 This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. | 8.3 |
2020-07-28 | CVE-2020-10927 | Netgear | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Netgear R6700 Firmware 1.0.4.8410.0.58 This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. | 8.3 |
2020-07-28 | CVE-2020-10926 | Netgear | Download of Code Without Integrity Check vulnerability in Netgear R6700 Firmware 1.0.4.8410.0.58 This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. | 8.3 |
2020-07-28 | CVE-2020-10925 | Netgear | Improper Certificate Validation vulnerability in Netgear R6700 Firmware 1.0.4.8410.0.58 This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. | 8.3 |
2020-07-28 | CVE-2020-10924 | Netgear | Stack-based Buffer Overflow vulnerability in Netgear R6700 Firmware 1.0.4.8410.0.58 This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. | 8.3 |
2020-07-28 | CVE-2020-10923 | Netgear | Authentication Bypass by Primary Weakness vulnerability in Netgear R6700 Firmware 1.0.4.8410.0.58 This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. | 8.3 |
2020-07-31 | CVE-2020-3384 | Cisco | Unspecified vulnerability in Cisco Data Center Network Manager A vulnerability in specific REST API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to inject arbitrary commands on the underlying operating system with the privileges of the logged-in user. | 8.2 |
2020-07-30 | CVE-2020-10713 | GNU Debian Opensuse Vmware | Classic Buffer Overflow vulnerability in multiple products A flaw was found in grub2, prior to version 2.06. | 8.2 |
2020-07-30 | CVE-2020-8206 | Pulsesecure Ivanti | Improper Authentication vulnerability in multiple products An improper authentication vulnerability exists in Pulse Connect Secure <9.1RB that allows an attacker with a users primary credentials to bypass the Google TOTP. | 8.1 |
2020-07-29 | CVE-2020-5761 | Grandstream | Infinite Loop vulnerability in Grandstream products Grandstream HT800 series firmware version 1.0.17.5 and below is vulnerable to CPU exhaustion due to an infinite loop in the TR-069 service. | 7.8 |
2020-07-28 | CVE-2020-15419 | Veeam | XXE vulnerability in Veeam ONE Firmware 10.0.0.0 This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. | 7.8 |
2020-07-28 | CVE-2020-15418 | Veeam | XXE vulnerability in Veeam ONE Firmware 10.0.0.0 This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. | 7.8 |
2020-07-31 | CVE-2020-5413 | Vmware Oracle | Deserialization of Untrusted Data vulnerability in multiple products Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. | 7.5 |
2020-07-31 | CVE-2020-3681 | Qualcomm | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Qualcomm - Authenticated and encrypted payload MMEs can be forged and remotely sent to any HPAV2 system using a jailbreak key recoverable from code. | 7.5 |
2020-07-30 | CVE-2020-16165 | Springblade Project | SQL Injection vulnerability in Springblade Project Springblade 2.7.1 The DAO/DTO implementation in SpringBlade through 2.7.1 allows SQL Injection in an ORDER BY clause. | 7.5 |
2020-07-30 | CVE-2020-16162 | Ripe | Improper Certificate Validation vulnerability in Ripe Rpki Validator 3 An issue was discovered in RIPE NCC RPKI Validator 3.x through 3.1-2020.07.06.14.28. | 7.5 |
2020-07-30 | CVE-2020-3699 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Possible out of bound access while processing assoc response from host due to improper length check before copying into buffer in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, Nicobar, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCM2150, QCN7605, QCS405, QCS605, QM215, SA6155P, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 | 7.5 |
2020-07-30 | CVE-2020-3698 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Out of bound write while QoS DSCP mapping due to improper input validation for data received from association response frame in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, Nicobar, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCM2150, QCN7605, QCS405, QCS605, QM215, SA6155P, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX55, SM8150, SM8250, SXR2130 | 7.5 |
2020-07-30 | CVE-2020-3688 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Possible buffer overflow while parsing mp4 clip with corrupted sample atoms due to improper validation of index in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA6574AU, QCM2150, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 | 7.5 |
2020-07-30 | CVE-2020-3671 | Qualcomm | Use After Free vulnerability in Qualcomm products Use-after-free issue could occur due to dangling pointer when generating a frame buffer in OpenGL ES in Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in APQ8009, Nicobar, QCM2150, QCS405, Saipan, SDM845, SM8150, SM8250, SXR2130 | 7.5 |
2020-07-29 | CVE-2020-16118 | Gnome Opensuse | NULL Pointer Dereference vulnerability in multiple products In GNOME Balsa before 2.6.0, a malicious server operator or man in the middle can trigger a NULL pointer dereference and client crash by sending a PREAUTH response to imap_mbox_connect in libbalsa/imap/imap-handle.c. | 7.5 |
2020-07-29 | CVE-2020-15588 | Zohocorp | Integer Overflow or Wraparound vulnerability in Zohocorp Manageengine Desktop Central An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. | 7.5 |
2020-07-29 | CVE-2019-20033 | NEC | Insufficiently Protected Credentials vulnerability in NEC Sv8100 Firmware On Aspire-derived NEC PBXes, including all versions of SV8100 devices, a set of documented, static login credentials may be used to access the DIM interface. | 7.5 |
2020-07-29 | CVE-2019-20027 | NEC | Improper Authentication vulnerability in NEC products Aspire-derived NEC PBXes, including the SV8100, SV9100, SL1100 and SL2100 with software releases 7.0 or higher contain the possibility if incorrectly configured to allow a blank username and password combination to be entered as a valid, successfully authenticating account. | 7.5 |
2020-07-29 | CVE-2020-15086 | Typo3 | Unspecified vulnerability in Typo3 Mediace 7.6.2/7.6.3/7.6.4 In TYPO3 installations with the "mediace" extension from version 7.6.2 and before version 7.6.5, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. | 7.5 |
2020-07-29 | CVE-2020-4574 | IBM | Weak Password Requirements vulnerability in IBM Security KEY Lifecycle Manager 3.0.1/4.0 IBM Tivoli Key Lifecycle Manager does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. | 7.5 |
2020-07-29 | CVE-2020-2076 | Sick | Improper Authentication vulnerability in Sick Package Analytics 04.0.0 SICK Package Analytics software up to and including version V04.0.0 are vulnerable to an authentication bypass by directly interfacing with the REST API. | 7.5 |
2020-07-29 | CVE-2020-14487 | Freemedsoftware | Unspecified vulnerability in Freemedsoftware Openclinic GA 5.09.02 OpenClinic GA 5.09.02 contains a hidden default user account that may be accessed if an administrator has not expressly turned off this account, which may allow an attacker to login and execute arbitrary commands. | 7.5 |
2020-07-29 | CVE-2020-7698 | Gerapy | Injection vulnerability in Gerapy This affects the package Gerapy from 0 and before 0.9.3. | 7.5 |
2020-07-29 | CVE-2020-7697 | Mock2Easy Project | Injection vulnerability in Mock2Easy Project Mock2Easy This affects all versions of package mock2easy. | 7.5 |
2020-07-28 | CVE-2020-16094 | Claws Mail Fedoraproject | Uncontrolled Recursion vulnerability in multiple products In imap_scan_tree_recursive in Claws Mail through 3.17.6, a malicious IMAP server can trigger stack consumption because of unlimited recursion into subdirectories during a rebuild of the folder tree. | 7.5 |
2020-07-28 | CVE-2020-7685 | Umbraco | Insecure Default Initialization of Resource vulnerability in Umbraco Forms This affects all versions of package UmbracoForms. | 7.5 |
2020-07-28 | CVE-2020-15628 | Control Webpanel | SQL Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 7.5 |
2020-07-28 | CVE-2020-15627 | Control Webpanel | SQL Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 7.5 |
2020-07-28 | CVE-2020-15626 | Control Webpanel | SQL Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 7.5 |
2020-07-28 | CVE-2020-15625 | Control Webpanel | SQL Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 7.5 |
2020-07-28 | CVE-2020-15624 | Control Webpanel | SQL Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 7.5 |
2020-07-28 | CVE-2020-15622 | Control Webpanel | SQL Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 7.5 |
2020-07-28 | CVE-2020-15621 | Control Webpanel | SQL Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 7.5 |
2020-07-28 | CVE-2020-15620 | Control Webpanel | SQL Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 7.5 |
2020-07-28 | CVE-2020-15619 | Control Webpanel | SQL Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 7.5 |
2020-07-28 | CVE-2020-15618 | Control Webpanel | SQL Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 7.5 |
2020-07-28 | CVE-2020-15617 | Control Webpanel | SQL Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 7.5 |
2020-07-28 | CVE-2020-15616 | Control Webpanel | SQL Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923 This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. | 7.5 |
2020-07-28 | CVE-2020-13919 | Ruckuswireless | OS Command Injection vulnerability in Ruckuswireless Unleashed Firmware emfd/libemf in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to achieve command injection via a crafted HTTP request. | 7.5 |
2020-07-28 | CVE-2020-13917 | Ruckuswireless | OS Command Injection vulnerability in Ruckuswireless Unleashed Firmware rkscli in Ruckus Wireless Unleashed through 200.7.10.92 allows a remote attacker to achieve command injection and jailbreak the CLI via a crafted CLI command. | 7.5 |
2020-07-28 | CVE-2020-13916 | Ruckuswireless | Out-of-bounds Write vulnerability in Ruckuswireless Unleashed Firmware 200.7.10.102.92 A stack buffer overflow in webs in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to execute code via an unauthenticated crafted HTTP request. | 7.5 |
2020-07-28 | CVE-2020-16088 | Openbsd | Improper Authentication vulnerability in Openbsd iked in OpenIKED, as used in OpenBSD through 6.7, allows authentication bypass because ca.c has the wrong logic for checking whether a public key matches. | 7.5 |
2020-07-27 | CVE-2020-12845 | Cherokee Project | NULL Pointer Dereference vulnerability in Cherokee-Project Cherokee Cherokee 0.4.27 to 1.2.104 is affected by a denial of service due to a NULL pointer dereferences. | 7.5 |
2020-07-30 | CVE-2020-16164 | Ripe | Improper Certificate Validation vulnerability in Ripe Rpki Validator 3 An issue was discovered in RIPE NCC RPKI Validator 3.x through 3.1-2020.07.06.14.28. | 7.4 |
2020-07-27 | CVE-2020-15953 | Libetpan Project Libmailcore Fedoraproject Debian | Injection vulnerability in multiple products LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. | 7.4 |
2020-07-31 | CVE-2020-5384 | RSA | Improper Authentication vulnerability in RSA Multifactor Authentication Agent 2.0 Authentication Bypass Vulnerability RSA MFA Agent 2.0 for Microsoft Windows contains an Authentication Bypass vulnerability. | 7.2 |
2020-07-30 | CVE-2020-7205 | HPE | Code Injection vulnerability in HPE products A potential security vulnerability has been identified in HPE Intelligent Provisioning, Service Pack for ProLiant, and HPE Scripting ToolKit. | 7.2 |
2020-07-30 | CVE-2020-14162 | PI Hole | Improper Privilege Management vulnerability in Pi-Hole An issue was discovered in Pi-Hole through 5.0. | 7.2 |
2020-07-30 | CVE-2020-12620 | PI Hole | Improper Privilege Management vulnerability in Pi-Hole Pi-hole 4.4 allows a user able to write to /etc/pihole/dns-servers.conf to escalate privileges through command injection (shell metacharacters after an IP address). | 7.2 |
2020-07-30 | CVE-2020-8219 | Pulsesecure Ivanti | Incorrect Default Permissions vulnerability in multiple products An insufficient permission check vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to change the password of a full administrator. | 7.2 |
2020-07-30 | CVE-2020-8218 | Pulsesecure Ivanti | Code Injection vulnerability in multiple products A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface. | 7.2 |
2020-07-27 | CVE-2020-15593 | Riverbed | Incorrect Permission Assignment for Critical Resource vulnerability in Riverbed Steelcentral Aternity Agent 11.0.0.120 SteelCentral Aternity Agent 11.0.0.120 on Windows mishandles IPC. | 7.2 |
129 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-07-31 | CVE-2020-15871 | Sonatype | Incorrect Permission Assignment for Critical Resource vulnerability in Sonatype Nexus Repository Manager 3 Sonatype Nexus Repository Manager OSS/Pro version before 3.25.1 allows Remote Code Execution. | 6.8 |
2020-07-31 | CVE-2020-16136 | Tgstation13 | Incorrect Permission Assignment for Critical Resource vulnerability in Tgstation13 Tgstation-Server 4.4.0/4.4.1 In tgstation-server 4.4.0 and 4.4.1, an authenticated user with permission to download logs can download any file on the server machine (accessible by the owner of the server process) via directory traversal ../ sequences in /Administration/Logs/ requests. | 6.8 |
2020-07-30 | CVE-2020-7829 | Hmtalk | Out-of-bounds Write vulnerability in Hmtalk Daviewindy 8.98.4 DaviewIndy 8.98.4 and earlier version contain Heap-based overflow vulnerability, triggered when the user opens a malformed specific file that is mishandled by Daview.exe. | 6.8 |
2020-07-30 | CVE-2020-7828 | Hmtalk | Out-of-bounds Write vulnerability in Hmtalk Daviewindy 8.98.4 DaviewIndy 8.98.4 and earlier version contain Heap-based overflow vulnerability, triggered when the user opens a malformed specific file that is mishandled by Daview.exe. | 6.8 |
2020-07-30 | CVE-2020-7827 | Hmtalk | Use After Free vulnerability in Hmtalk Daviewindy 8.98.4/8.98.7 DaviewIndy 8.98.7 and earlier version contain Use-After-Free vulnerability, triggered when the user opens a malformed specific file that is mishandled by Daview.exe. | 6.8 |
2020-07-30 | CVE-2020-8222 | Pulsesecure Ivanti | Path Traversal vulnerability in multiple products A path traversal vulnerability exists in Pulse Connect Secure <9.1R8 that allowed an authenticated attacker via the administrator web interface to perform an arbitrary file reading vulnerability through Meeting. | 6.8 |
2020-07-29 | CVE-2020-15099 | Typo3 | Improper Input Validation vulnerability in Typo3 In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. | 6.8 |
2020-07-29 | CVE-2020-13699 | Teamviewer | Unquoted Search Path or Element vulnerability in Teamviewer TeamViewer Desktop for Windows before 15.8.3 does not properly quote its custom URI handlers. | 6.8 |
2020-07-28 | CVE-2020-10984 | Gambio | Cross-Site Request Forgery (CSRF) vulnerability in Gambio GX 4.0.0.0 Gambio GX before 4.0.1.0 allows admin/admin.php CSRF. | 6.8 |
2020-07-27 | CVE-2020-1457 | Microsoft | Out-of-bounds Write vulnerability in Microsoft Windows 10 A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory, aka 'Microsoft Windows Codecs Library Remote Code Execution Vulnerability'. | 6.8 |
2020-07-27 | CVE-2020-1425 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Windows 10 A remoted code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory, aka 'Microsoft Windows Codecs Library Remote Code Execution Vulnerability'. | 6.8 |
2020-07-27 | CVE-2020-5611 | Wpsocialrocket | Cross-Site Request Forgery (CSRF) vulnerability in Wpsocialrocket Social Sharing Cross-site request forgery (CSRF) vulnerability in Social Sharing Plugin versions prior to 1.2.10 allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 6.8 |
2020-07-27 | CVE-2020-7017 | Elasticsearch Oracle | Cross-site Scripting vulnerability in multiple products In Kibana versions before 6.8.11 and 7.8.1 the region map visualization in contains a stored XSS flaw. | 6.7 |
2020-07-31 | CVE-2020-5396 | Vmware | Missing Authorization vulnerability in VMWare Gemfire and Tanzu Gemfire FOR Virtual Machines VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 9.7.6, and VMware Tanzu GemFire for VMs versions prior to 1.11.1 and 1.10.2, when deployed without a SecurityManager, contain a JMX service available which contains an insecure default configuration. | 6.5 |
2020-07-31 | CVE-2019-11286 | Vmware | Deserialization of Untrusted Data vulnerability in VMWare Gemfire and Tanzu Gemfire FOR Virtual Machines VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. | 6.5 |
2020-07-31 | CVE-2020-10731 | Redhat | Unspecified vulnerability in Redhat Openstack Platform 15.0/16.0/16.1 A flaw was found in the nova_libvirt container provided by the Red Hat OpenStack Platform 16, where it does not have SELinux enabled. | 6.5 |
2020-07-30 | CVE-2020-8220 | Pulsesecure Ivanti | Resource Exhaustion vulnerability in multiple products A denial of service vulnerability exists in Pulse Connect Secure <9.1R8 that allows an authenticated attacker to perform command injection via the administrator web which can cause DOS. | 6.5 |
2020-07-29 | CVE-2020-14316 | Kubevirt Redhat | Improper Privilege Management vulnerability in multiple products A flaw was found in kubevirt 0.29 and earlier. | 6.5 |
2020-07-29 | CVE-2019-20029 | NEC | Improper Privilege Management vulnerability in NEC products An exploitable privilege escalation vulnerability exists in the WebPro functionality of Aspire-derived NEC PBXes, including all versions of SV8100, SV9100, SL1100 and SL2100 devices. | 6.5 |
2020-07-29 | CVE-2020-15098 | Typo3 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Typo3 In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. | 6.5 |
2020-07-29 | CVE-2020-14486 | Openclinic GA Project | Incorrect Authorization vulnerability in Openclinic GA Project Openclinic GA 5.09.02/5.89.05B An attacker may bypass permission/authorization checks in OpenClinic GA 5.09.02 and 5.89.05b by ignoring the redirect of a permission failure, which may allow unauthorized execution of commands. | 6.5 |
2020-07-29 | CVE-2020-14493 | Openclinic GA Project | Improper Privilege Management vulnerability in Openclinic GA Project Openclinic GA 5.09.02/5.89.05B A low-privilege user may use SQL syntax to write arbitrary files to the OpenClinic GA 5.09.02 and 5.89.05b server, which may allow the execution of arbitrary commands. | 6.5 |
2020-07-29 | CVE-2020-14490 | Openclinic GA Project | Path Traversal vulnerability in Openclinic GA Project Openclinic GA 5.09.02/5.89.05B OpenClinic GA 5.09.02 and 5.89.05b includes arbitrary local files specified within its parameter and executes some files, which may allow disclosure of sensitive files or the execution of malicious uploaded files. | 6.5 |
2020-07-28 | CVE-2020-13970 | Shopware | Server-Side Request Forgery (SSRF) vulnerability in Shopware Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. | 6.5 |
2020-07-28 | CVE-2020-15715 | Rconfig | Unspecified vulnerability in Rconfig 3.9.5 rConfig 3.9.5 could allow a remote authenticated attacker to execute arbitrary code on the system, because of an error in the search.crud.php script. | 6.5 |
2020-07-28 | CVE-2020-15714 | Rconfig | SQL Injection vulnerability in Rconfig 3.9.5 rConfig 3.9.5 is vulnerable to SQL injection. | 6.5 |
2020-07-28 | CVE-2020-15713 | Rconfig | SQL Injection vulnerability in Rconfig 3.9.5 rConfig 3.9.5 is vulnerable to SQL injection. | 6.5 |
2020-07-31 | CVE-2020-15134 | Faye Project | Improper Certificate Validation vulnerability in Faye Project Faye Faye before version 1.4.0, there is a lack of certification validation in TLS handshakes. | 6.4 |
2020-07-30 | CVE-2020-14158 | Abus | Improper Authentication vulnerability in Abus Secvest Hybrid Fumo50110 Firmware The ABUS Secvest FUMO50110 hybrid module does not have any security mechanism that ensures confidentiality or integrity of RF packets that are exchanged with an alarm panel. | 6.4 |
2020-07-29 | CVE-2020-15706 | GNU Redhat Canonical Debian Suse Microsoft Opensuse | Use After Free vulnerability in multiple products GRUB2 contains a race condition in grub_script_function_create() leading to a use-after-free vulnerability which can be triggered by redefining a function whilst the same function is already executing, leading to arbitrary code execution and secure boot restriction bypass. | 6.4 |
2020-07-29 | CVE-2019-20031 | NEC | Improper Restriction of Excessive Authentication Attempts vulnerability in NEC Um8000 Firmware and Um4730 Firmware NEC UM8000, UM4730 and prior non-InMail voicemail systems with all known software versions may permit an infinite number of login attempts in the telephone user interface (TUI), effectively allowing brute force attacks. | 6.4 |
2020-07-29 | CVE-2020-4569 | IBM | Unspecified vulnerability in IBM Security KEY Lifecycle Manager 3.0.1/4.0 IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. | 6.4 |
2020-07-29 | CVE-2020-4463 | IBM | XXE vulnerability in IBM Maximo Asset Management 7.6.0.1/7.6.0.2 IBM Maximo Asset Management 7.6.0.1 and 7.6.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. | 6.4 |
2020-07-28 | CVE-2020-5377 | Dell | Path Traversal vulnerability in Dell EMC Openmanage Server Administrator Dell EMC OpenManage Server Administrator (OMSA) versions 9.4 and prior contain multiple path traversal vulnerabilities. | 6.4 |
2020-07-28 | CVE-2020-13915 | Ruckuswireless | Insufficiently Protected Credentials vulnerability in Ruckuswireless Unleashed Firmware Insecure permissions in emfd/libemf in Ruckus Wireless Unleashed through 200.7.10.102.92 allow a remote attacker to overwrite admin credentials via an unauthenticated crafted HTTP request. | 6.4 |
2020-07-31 | CVE-2020-3462 | Cisco | SQL Injection vulnerability in Cisco Data Center Network Manager A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. | 6.3 |
2020-07-30 | CVE-2020-8204 | Pulsesecure Ivanti | Cross-site Scripting vulnerability in multiple products A cross site scripting (XSS) vulnerability exists in Pulse Connect Secure <9.1R5 on the PSAL Page. | 6.1 |
2020-07-31 | CVE-2020-14311 | GNU Redhat Opensuse Canonical | Heap-based Buffer Overflow vulnerability in multiple products There is an issue with grub2 before version 2.06 while handling symlink on ext filesystems. | 6.0 |
2020-07-31 | CVE-2020-14310 | GNU Redhat Opensuse Canonical | Integer Overflow or Wraparound vulnerability in multiple products There is an issue on grub2 before version 2.06 at function read_section_as_string(). | 6.0 |
2020-07-31 | CVE-2020-5414 | Vmware | Information Exposure Through Log Files vulnerability in VMWare products VMware Tanzu Application Service for VMs (2.7.x versions prior to 2.7.19, 2.8.x versions prior to 2.8.13, and 2.9.x versions prior to 2.9.7) contains an App Autoscaler that logs the UAA admin password. | 6.0 |
2020-07-29 | CVE-2020-16135 | Libssh Debian Fedoraproject Canonical Oracle | NULL Pointer Dereference vulnerability in multiple products libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL. | 5.9 |
2020-07-31 | CVE-2020-15133 | Faye Websocket Project | Improper Certificate Validation vulnerability in Faye-Websocket Project Faye-Websocket In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. | 5.8 |
2020-07-29 | CVE-2020-4644 | IBM | Improper Input Validation vulnerability in IBM Planning Analytics Local IBM Planning Analytics Local 2.0.0 through 2.0.9.1 could allow a remote attacker to hijack the clicking action of the victim. | 5.8 |
2020-07-28 | CVE-2020-15417 | Netgear | Stack-based Buffer Overflow vulnerability in Netgear R6700 Firmware 1.0.4.8410.0.58 This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. | 5.8 |
2020-07-28 | CVE-2020-15408 | Pulsesecure | Missing Authorization vulnerability in Pulsesecure Pulse Connect Secure 7.1/7.4 An issue was discovered in Pulse Secure Pulse Connect Secure before 9.1R8. | 5.8 |
2020-07-27 | CVE-2020-8558 | Kubernetes | Unspecified vulnerability in Kubernetes The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. | 5.8 |
2020-07-27 | CVE-2020-12880 | Pulsesecure Ivanti | An issue was discovered in Pulse Policy Secure (PPS) and Pulse Connect Secure (PCS) Virtual Appliance before 9.1R8. | 5.5 |
2020-07-30 | CVE-2020-16157 | Nagios | Cross-site Scripting vulnerability in Nagios LOG Server A Stored XSS vulnerability exists in Nagios Log Server before 2.1.7 via the Notification Methods -> Email Users menu. | 5.4 |
2020-07-30 | CVE-2020-8217 | Pulsesecure Ivanti | Cross-site Scripting vulnerability in multiple products A cross site scripting (XSS) vulnerability in Pulse Connect Secure <9.1R8 allowed attackers to exploit in the URL used for Citrix ICA. | 5.4 |
2020-07-27 | CVE-2020-11110 | Grafana Netapp | Cross-site Scripting vulnerability in multiple products Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. | 5.4 |
2020-07-28 | CVE-2020-15863 | Qemu Debian Canonical | Out-of-bounds Write vulnerability in multiple products hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. | 5.3 |
2020-07-27 | CVE-2020-7695 | Encode | Injection vulnerability in Encode Uvicorn Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. | 5.3 |
2020-07-31 | CVE-2020-12081 | Flexera | Information Exposure vulnerability in Flexera Flexnet Publisher 11.14.0.2 An information disclosure vulnerability has been identified in FlexNet Publisher lmadmin.exe 11.14.0.2. | 5.0 |
2020-07-31 | CVE-2020-14520 | Inductiveautomation | Missing Authorization vulnerability in Inductiveautomation Ignition Gateway The affected product is vulnerable to an information leak, which may allow an attacker to obtain sensitive information on the Ignition 8 (all versions prior to 8.0.13). | 5.0 |
2020-07-31 | CVE-2020-14337 | Redhat | Information Exposure Through an Error Message vulnerability in Redhat Ansible Tower 3.0.0 A data exposure flaw was found in Tower, where sensitive data was revealed from the HTTP return error codes. | 5.0 |
2020-07-31 | CVE-2020-3461 | Cisco | Missing Authentication for Critical Function vulnerability in Cisco Data Center Network Manager A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to obtain confidential information from an affected device. | 5.0 |
2020-07-30 | CVE-2020-15131 | Simpleledger | Incorrect Comparison vulnerability in Simpleledger Slp-Validate 1.0.0/1.2.1 In SLP Validate (npm package slp-validate) before version 1.2.2, there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. | 5.0 |
2020-07-30 | CVE-2020-15130 | Simpleledger | Incorrect Comparison vulnerability in Simpleledger Slpjs In SLPJS (npm package slpjs) before version 0.27.4, there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. | 5.0 |
2020-07-30 | CVE-2020-15957 | Dp3T Backend Software Development KIT Project | Improper Verification of Cryptographic Signature vulnerability in Dp3T-Backend-Software Development KIT Project Dp3T-Backend-Software Development KIT An issue was discovered in DP3T-Backend-SDK before 1.1.1 for Decentralised Privacy-Preserving Proximity Tracing (DP3T). | 5.0 |
2020-07-30 | CVE-2020-15511 | Hashicorp | Improper Input Validation vulnerability in Hashicorp Terraform Enterprise HashiCorp Terraform Enterprise up to v202006-1 contained a default signup page that allowed user registration even when disabled, bypassing SAML enforcement. | 5.0 |
2020-07-30 | CVE-2020-8213 | UI | Information Exposure Through an Error Message vulnerability in UI Unifi Protect 1.13.3 An information exposure vulnerability exists in UniFi Protect before v1.13.4-beta.5 that allowed unauthenticated attackers access to valid usernames for the UniFi Protect web application via HTTP response code and response timing. | 5.0 |
2020-07-30 | CVE-2020-8202 | Nextcloud | Improper Restriction of Excessive Authentication Attempts vulnerability in Nextcloud Preferred Providers 1.6.0 Improper check of inputs in Nextcloud Preferred Providers app v1.6.0 allowed to perform a denial of service attack when using a very long password. | 5.0 |
2020-07-30 | CVE-2020-4186 | IBM | Information Exposure vulnerability in IBM Security Guardium 10.5/10.6/11.1 IBM Security Guardium 10.5, 10.6, and 11.1 could disclose sensitive information on the login page that could aid in further attacks against the system. | 5.0 |
2020-07-30 | CVE-2020-4185 | IBM | Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Security Guardium 10.5/10.6/11.1 IBM Security Guardium 10.5, 10.6, and 11.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 5.0 |
2020-07-30 | CVE-2020-3700 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Possible out of bounds read due to a missing bounds check and could lead to local information disclosure in the wifi driver with no additional execution privileges needed in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8053, APQ8096AU, IPQ4019, IPQ8064, IPQ8074, MDM9607, MSM8909W, MSM8996AU, QCA6574AU, QCA9531, QCA9558, QCA9980, SC8180X, SDM439, SDX55, SM8150, SM8250, SXR2130 | 5.0 |
2020-07-29 | CVE-2017-18923 | Beronet | Injection vulnerability in Beronet Voice Over Internet Protocol Gateways Firmware beroNet VoIP Gateways before 3.0.16 have a PHP script that allows downloading arbitrary files, including ones with credentials. | 5.0 |
2020-07-29 | CVE-2020-5762 | Grandstream | NULL Pointer Dereference vulnerability in Grandstream products Grandstream HT800 series firmware version 1.0.17.5 and below is vulnerable to a denial of service attack against the TR-069 service. | 5.0 |
2020-07-29 | CVE-2019-20028 | NEC | Information Exposure vulnerability in NEC products Aspire-derived NEC PBXes operating InMail software, including all versions of SV8100, SV9100, SL1100 and SL2100 devices allow unauthenticated read-only access to voicemails, greetings, and voice response system content through a system's WebPro administration interface. | 5.0 |
2020-07-29 | CVE-2019-20026 | NEC | Improper Input Validation vulnerability in NEC Sv9100 Firmware 7.0 The WebPro interface in NEC SV9100 software releases 7.0 or higher allows unauthenticated remote attackers to reset all existing usernames and passwords to default values via a crafted request. | 5.0 |
2020-07-29 | CVE-2020-4573 | IBM | Information Exposure vulnerability in IBM Security KEY Lifecycle Manager 3.0.1/4.0 IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 could disclose sensitive information due to responding to unauthenticated HTTP requests. | 5.0 |
2020-07-29 | CVE-2020-4572 | IBM | Information Exposure vulnerability in IBM Security KEY Lifecycle Manager 3.0.1/4.0 IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 5.0 |
2020-07-29 | CVE-2020-4567 | IBM | Insufficiently Protected Credentials vulnerability in IBM Security KEY Lifecycle Manager 3.0.1/4.0 IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. | 5.0 |
2020-07-29 | CVE-2020-2077 | Sick | Incorrect Default Permissions vulnerability in Sick Package Analytics 04.0.0 SICK Package Analytics software up to and including version V04.0.0 are vulnerable due to incorrect default permissions settings. | 5.0 |
2020-07-29 | CVE-2020-14489 | Openclinic GA Project | Insufficiently Protected Credentials vulnerability in Openclinic GA Project Openclinic GA 5.09.02/5.89.05B OpenClinic GA 5.09.02 and 5.89.05b stores passwords using inadequate hashing complexity, which may allow an attacker to recover passwords using known password cracking techniques. | 5.0 |
2020-07-29 | CVE-2020-5614 | Kujirahand | Path Traversal vulnerability in Kujirahand Konawiki Directory traversal vulnerability in KonaWiki 3.1.0 and earlier allows remote attackers to read arbitrary files via unspecified vectors. | 5.0 |
2020-07-28 | CVE-2020-6098 | Freediameter | Integer Underflow (Wrap or Wraparound) vulnerability in Freediameter 1.3.2 An exploitable denial of service vulnerability exists in the freeDiameter functionality of freeDiameter 1.3.2. | 5.0 |
2020-07-28 | CVE-2020-13997 | Shopware | Insufficiently Protected Credentials vulnerability in Shopware In Shopware before 6.2.3, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled. | 5.0 |
2020-07-28 | CVE-2020-15899 | Grin | Insufficient Verification of Data Authenticity vulnerability in Grin 3.0.0/3.1.0/3.1.1 Grin 3.0.0 before 4.0.0 has insufficient validation of data related to Mimblewimble. | 5.0 |
2020-07-28 | CVE-2020-13918 | Ruckuswireless | Information Exposure vulnerability in Ruckuswireless Unleashed Firmware Incorrect access control in webs in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to leak system information (that can be used for a jailbreak) via an unauthenticated crafted HTTP request. | 5.0 |
2020-07-28 | CVE-2020-13914 | Ruckuswireless | Improper Input Validation vulnerability in Ruckuswireless Unleashed Firmware webs in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to cause a denial of service (Segmentation fault) to the webserver via an unauthenticated crafted HTTP request. | 5.0 |
2020-07-28 | CVE-2020-4375 | IBM | Missing Release of Resource after Effective Lifetime vulnerability in IBM MQ Appliance IBM MQ, IBM MQ Appliance, IBM MQ for HPE NonStop 8.0, 9.1 CD, and 9.1 LTS could allow an attacker to cause a denial of service due to a memory leak caused by an error creating a dynamic queue. | 5.0 |
2020-07-27 | CVE-2020-10609 | Grundfos | Insufficiently Protected Credentials vulnerability in Grundfos CIM 500 06.16.00 Grundfos CIM 500 v06.16.00 stores plaintext credentials, which may allow sensitive information to be read or allow modification to system settings by someone with access to the device. | 5.0 |
2020-07-27 | CVE-2020-15592 | Riverbed | Path Traversal vulnerability in Riverbed Steelcentral Aternity Agent SteelCentral Aternity Agent before 11.0.0.120 on Windows allows Privilege Escalation via a crafted file. | 5.0 |
2020-07-27 | CVE-2020-7694 | Encode | Injection vulnerability in Encode Uvicorn This affects all versions of package uvicorn. | 5.0 |
2020-07-30 | CVE-2020-8221 | Pulsesecure Ivanti | Path Traversal vulnerability in multiple products A path traversal vulnerability exists in Pulse Connect Secure <9.1R8 which allows an authenticated attacker to read arbitrary files via the administrator web interface. | 4.9 |
2020-07-29 | CVE-2020-8553 | Kubernetes | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Kubernetes Ingress-Nginx The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyphenated namespace or secret name. | 4.9 |
2020-07-27 | CVE-2020-7016 | Elasticsearch Oracle | Resource Exhaustion vulnerability in multiple products Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. | 4.8 |
2020-07-31 | CVE-2020-9248 | Huawei | Incorrect Authorization vulnerability in Huawei Fusioncompute 8.0.0 Huawei FusionComput 8.0.0 have an improper authorization vulnerability. | 4.6 |
2020-07-30 | CVE-2020-14309 | GNU Opensuse | Integer Overflow or Wraparound vulnerability in multiple products There's an issue with grub2 in all versions before 2.06 when handling squashfs filesystems containing a symbolic link with name length of UINT32 bytes in size. | 4.6 |
2020-07-30 | CVE-2020-3701 | Qualcomm | Use After Free vulnerability in Qualcomm Saipan Firmware, Sm8250 Firmware and Sxr2130 Firmware Use after free issue while processing error notification from camx driver due to not properly releasing the sequence data in Snapdragon Mobile in Saipan, SM8250, SXR2130 | 4.6 |
2020-07-30 | CVE-2019-14130 | Qualcomm | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Qualcomm products Memory corruption can occurs in trusted application if offset size from HLOS is more than actual mapped buffer size in Snapdragon Auto, Snapdragon Compute, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in Kamorta, QCS404, Rennell, SC7180, SDX55, SM6150, SM7150, SM8250, SXR2130 | 4.6 |
2020-07-30 | CVE-2019-14124 | Qualcomm | Access of Uninitialized Pointer vulnerability in Qualcomm products Memory failure in content protection module due to not having pointer within the scope in Snapdragon Auto, Snapdragon Compute, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in Kamorta, QCS404, Rennell, SC7180, SDX55, SM6150, SM7150, SM8250, SXR2130 | 4.6 |
2020-07-30 | CVE-2019-14123 | Qualcomm | Improper Input Validation vulnerability in Qualcomm products Possible buffer overflow and over read possible due to missing bounds checks for fixed limits if we consider widevine HLOS client as non-trustable in Snapdragon Auto, Snapdragon Compute, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in Kamorta, QCS404, Rennell, SC7180, SDX55, SM6150, SM7150, SM8250, SXR2130 | 4.6 |
2020-07-30 | CVE-2019-14100 | Qualcomm | Improper Input Validation vulnerability in Qualcomm products Register write via debugfs is disabled by default to prevent register writing via debugfs. | 4.6 |
2020-07-30 | CVE-2019-14099 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Device misbehavior may be observed when incorrect offset, length or number of buffers is passed by user space in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8053, MDM9206, MDM9207C, MDM9607, MSM8909W, MSM8917, MSM8953, Nicobar, QCM2150, QCS405, QCS605, QM215, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 | 4.6 |
2020-07-30 | CVE-2019-14093 | Qualcomm | Improper Validation of Array Index vulnerability in Qualcomm products Array out of bound access can occur in display module due to lack of bound check on input parcel received in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, QCM2150, QCS405, QCS605, QM215, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM636, SDM660, SDX20 | 4.6 |
2020-07-30 | CVE-2019-14037 | Qualcomm | Use After Free vulnerability in Qualcomm products Close and bind operations done on a socket can lead to a Use-After-Free condition. | 4.6 |
2020-07-30 | CVE-2019-10580 | Qualcomm | Use After Free vulnerability in Qualcomm products When kernel thread unregistered listener, Use after free issue happened as the listener client`s private data has been already freed in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9607, MSM8909W, Nicobar, QCM2150, QCS405, QCS605, Saipan, SC8180X, SDM429W, SDX55, SM8150, SM8250, SXR2130 | 4.6 |
2020-07-29 | CVE-2019-20030 | NEC | Unspecified vulnerability in NEC Um8000 Firmware An attacker with knowledge of the modem access number on a NEC UM8000 voicemail system may use SSH tunneling or standard Linux utilities to gain access to the system's LAN port. | 4.6 |
2020-07-29 | CVE-2020-11933 | Canonical | Unspecified vulnerability in Canonical Snapd cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. | 4.6 |
2020-07-28 | CVE-2020-11474 | NCP E | Link Following vulnerability in Ncp-E Secure Enterprise Client 10.14/10.15 NCP Secure Enterprise Client before 10.15 r47589 allows a symbolic link attack on enumusb.reg via Support Assistant. | 4.6 |
2020-07-28 | CVE-2020-10928 | Netgear | Heap-based Buffer Overflow vulnerability in Netgear R6700 Firmware 1.0.4.8410.0.58 This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. | 4.6 |
2020-07-29 | CVE-2020-16143 | Seafile | Uncontrolled Search Path Element vulnerability in Seafile Seafile-Client 7.0.8 The seafile-client client 7.0.8 for Seafile is vulnerable to DLL hijacking because it loads exchndl.dll from the current working directory. | 4.4 |
2020-07-29 | CVE-2020-14308 | GNU Opensuse | Integer Overflow or Wraparound vulnerability in multiple products In grub2 versions before 2.06 the grub memory allocator doesn't check for possible arithmetic overflows on the requested allocation size. | 4.4 |
2020-07-29 | CVE-2020-15707 | GNU Redhat Microsoft Canonical Debian Opensuse Suse Netapp | Integer Overflow or Wraparound vulnerability in multiple products Integer overflows were discovered in the functions grub_cmd_initrd and grub_initrd_init in the efilinux component of GRUB2, as shipped in Debian, Red Hat, and Ubuntu (the functionality is not included in GRUB2 upstream), leading to a heap-based buffer overflow. | 4.4 |
2020-07-29 | CVE-2020-15705 | GNU Redhat Canonical Debian Opensuse Suse Microsoft | Improper Verification of Cryptographic Signature vulnerability in multiple products GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. | 4.4 |
2020-07-31 | CVE-2020-15870 | Sonatype | Cross-site Scripting vulnerability in Sonatype Nexus Repository Manager 3 Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (Issue 2 of 2). | 4.3 |
2020-07-31 | CVE-2020-15869 | Sonatype | Cross-site Scripting vulnerability in Sonatype Nexus Repository Manager 3 Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (issue 1 of 2). | 4.3 |
2020-07-31 | CVE-2020-3460 | Cisco | Cross-site Scripting vulnerability in Cisco Data Center Network Manager A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. | 4.3 |
2020-07-30 | CVE-2020-8216 | Pulsesecure Ivanti | An information disclosure vulnerability in meeting of Pulse Connect Secure <9.1R8 allowed an authenticated end-users to find meeting details, if they know the Meeting ID. | 4.3 |
2020-07-29 | CVE-2020-16117 | Gnome Debian | NULL Pointer Dereference vulnerability in multiple products In GNOME evolution-data-server before 3.35.91, a malicious server can crash the mail client with a NULL pointer dereference by sending an invalid (e.g., minimal) CAPABILITY line on a connection attempt. | 4.3 |
2020-07-29 | CVE-2020-16095 | Kitodo | Cross-site Scripting vulnerability in Kitodo Kitodo.Presentation The dlf (aka Kitodo.Presentation) extension before 3.1.2 for TYPO3 allows XSS. | 4.3 |
2020-07-29 | CVE-2020-14492 | Openclinic GA Project | Cross-site Scripting vulnerability in Openclinic GA Project Openclinic GA 5.09.02/5.89.05B OpenClinic GA 5.09.02 and 5.89.05b does not properly neutralize user-controllable input, which may allow the execution of malicious code within the user’s browser. | 4.3 |
2020-07-29 | CVE-2020-5613 | Kujirahand | Cross-site Scripting vulnerability in Kujirahand Konawiki Cross-site scripting vulnerability in KonaWiki 3.1.0 and earlier allows remote attackers to execute an arbitrary script via a specially crafted URL. | 4.3 |
2020-07-29 | CVE-2020-5612 | Kujirahand | Cross-site Scripting vulnerability in Kujirahand Konawiki Cross-site scripting vulnerability in KonaWiki 2.2.0 and earlier allows remote attackers to execute an arbitrary script via a specially crafted URL. | 4.3 |
2020-07-28 | CVE-2020-13913 | Ruckuswireless | Cross-site Scripting vulnerability in Ruckuswireless Unleashed Firmware 200.7.10.102.92 An XSS issue in emfd in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to execute JavaScript code via an unauthenticated crafted HTTP request. | 4.3 |
2020-07-27 | CVE-2020-9077 | Huawei | Information Exposure vulnerability in Huawei P30 Firmware HUAWEI P30 smart phones with versions earlier than 10.1.0.160(C00E160R2P11) have an information exposure vulnerability. | 4.3 |
2020-07-27 | CVE-2020-15954 | KDE Debian | Cleartext Transmission of Sensitive Information vulnerability in multiple products KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use. | 4.3 |
2020-07-30 | CVE-2020-15129 | Traefik | Open Redirect vulnerability in Traefik 1.0 In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. | 4.0 |
2020-07-30 | CVE-2020-8192 | Fastify | Resource Exhaustion vulnerability in Fastify 2.14.1/3.0.0 A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0-rc.4 that allows a malicious user to trigger resource exhaustion (when the allErrors option is used) with specially crafted schemas. | 4.0 |
2020-07-29 | CVE-2019-20032 | NEC | Unspecified vulnerability in NEC products An attacker with access to an InMail voicemail box equipped with the find me/follow me feature on Aspire-derived NEC PBXes, including all versions of SV8100, SV9100, SL1100 and SL2100 devices, may access the system's administration modem. | 4.0 |
2020-07-29 | CVE-2020-15125 | Auth0 | Information Exposure Through an Error Message vulnerability in Auth0 In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. | 4.0 |
2020-07-29 | CVE-2020-2078 | Sick | Insufficiently Protected Credentials vulnerability in Sick Package Analytics 04.0.0/04.1.1 Passwords are stored in plain text within the configuration of SICK Package Analytics software up to and including V04.1.1. | 4.0 |
2020-07-28 | CVE-2020-10983 | Gambio | SQL Injection vulnerability in Gambio GX 4.0.0.0 Gambio GX before 4.0.1.0 allows SQL Injection in admin/mobile.php. | 4.0 |
2020-07-28 | CVE-2020-10982 | Gambio | SQL Injection vulnerability in Gambio GX 4.0.0.0 Gambio GX before 4.0.1.0 allows SQL Injection in admin/gv_mail.php. | 4.0 |
2020-07-28 | CVE-2020-15712 | Rconfig | Path Traversal vulnerability in Rconfig 3.9.5 rConfig 3.9.5 could allow a remote authenticated attacker to traverse directories on the system. | 4.0 |
2020-07-28 | CVE-2020-4465 | IBM | Classic Buffer Overflow vulnerability in IBM MQ Appliance IBM MQ, IBM MQ Appliance, and IBM MQ for HPE NonStop 8.0, 9.1 CD, and 9.1 LTS is vulnerable to a buffer overflow vulnerability due to an error within the channel processing code. | 4.0 |
2020-07-27 | CVE-2020-15120 | Ihatemoney | Incorrect Authorization vulnerability in Ihatemoney I Hate Money In "I hate money" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. | 4.0 |
2020-07-27 | CVE-2020-4405 | IBM | Information Exposure Through Log Files vulnerability in IBM Verify Gateway 1.0.0/1.0.1 IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 could disclose potentially sensitive information to an authenticated user due to world readable log files. | 4.0 |
19 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-07-30 | CVE-2020-16166 | Linux Opensuse Fedoraproject Debian Canonical Netapp Oracle | Use of Insufficiently Random Values vulnerability in multiple products The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG, aka CID-f227e3ec3b5c. | 3.7 |
2020-07-30 | CVE-2019-14101 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Out of bounds read can happen in diag event set mask command handler when user provided length in the command request is less than expected length in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8096, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCM2150, QCN7605, QCS404, QCS405, QCS605, QM215, Rennell, SA415M, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 | 3.6 |
2020-07-31 | CVE-2020-15128 | Octobercms | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Octobercms October In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. | 3.5 |
2020-07-29 | CVE-2020-4645 | IBM | Cross-site Scripting vulnerability in IBM Planning Analytics Local IBM Planning Analytics Local 2.0.0 through 2.0.9.1 is vulnerable to cross-site scripting. | 3.5 |
2020-07-29 | CVE-2020-9690 | Magento | Information Exposure Through Discrepancy vulnerability in Magento Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have an observable timing discrepancy vulnerability. | 3.5 |
2020-07-28 | CVE-2020-13971 | Shopware | Cross-site Scripting vulnerability in Shopware In Shopware before 6.2.3, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. | 3.5 |
2020-07-28 | CVE-2020-10985 | Gambio | Cross-site Scripting vulnerability in Gambio GX 4.0.0.0 Gambio GX before 4.0.1.0 allows XSS in admin/coupon_admin.php. | 3.5 |
2020-07-28 | CVE-2020-4319 | IBM | Information Exposure vulnerability in IBM MQ Appliance IBM MQ, IBM MQ Appliance, and IBM MQ for HPE NonStop 8.0, 9.1 LTS, and 9.1 CD could allow under special circumstances, an authenticated user to obtain sensitive information due to a data leak from an error message within the pre-v7 pubsub logic. | 3.5 |
2020-07-28 | CVE-2020-4318 | IBM | Cross-site Scripting vulnerability in IBM products IBM Intelligent Operations Center for Emergency Management, Intelligent Operations Center (IOC), and IBM Water Operations for Waternamics are vulnerable to cross-site scripting. | 3.5 |
2020-07-28 | CVE-2020-4317 | IBM | Cross-site Scripting vulnerability in IBM products IBM Intelligent Operations Center for Emergency Management, Intelligent Operations Center (IOC), and IBM Water Operations for Waternamics are vulnerable to cross-site scripting. | 3.5 |
2020-07-27 | CVE-2020-10643 | Osisoft | Cross-site Scripting vulnerability in Osisoft PI Vision 2019 An authenticated remote attacker could use specially crafted URLs to send a victim using PI Vision 2019 mobile to a vulnerable web page due to a known issue in a third-party component. | 3.5 |
2020-07-27 | CVE-2020-15103 | Freerdp Fedoraproject Opensuse Canonical Debian | Integer Overflow to Buffer Overflow vulnerability in multiple products In FreeRDP less than or equal to 2.1.2, an integer overflow exists due to missing input sanitation in rdpegfx channel. | 3.5 |
2020-07-31 | CVE-2020-9249 | Huawei | Improper Input Validation vulnerability in Huawei P30 Firmware HUAWEI P30 smartphones with versions earlier than 10.1.0.160(C00E160R2P11) have a denial of service vulnerability. | 3.3 |
2020-07-28 | CVE-2020-10930 | Netgear | Unspecified vulnerability in Netgear R6700 Firmware 1.0.4.8410.0.58 This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. | 3.3 |
2020-07-28 | CVE-2019-4731 | IBM | Information Exposure vulnerability in IBM MQ Appliance 9.1.4 IBM MQ Appliance 9.1.4.CD could allow a local attacker to obtain highly sensitive information by inclusion of sensitive data within trace. | 2.1 |
2020-07-27 | CVE-2020-4498 | IBM | Information Exposure vulnerability in IBM MQ Appliance IBM MQ Appliance 9.1 LTS and 9.1 CD could allow a local privileged user to obtain highly sensitve information due to inclusion of data within trace files. | 2.1 |
2020-07-27 | CVE-2020-4408 | IBM | Insufficiently Protected Credentials vulnerability in IBM Qradar Advisory The IBM QRadar Advisor 1.1 through 2.5.2 with Watson App for IBM QRadar SIEM does not adequately mask all passwords during input, which could be obtained by a physical attacker nearby. | 2.1 |
2020-07-27 | CVE-2020-9251 | Huawei | Improper Authentication vulnerability in Huawei P30 Firmware HUAWEI Mate 20 smartphones with versions earlier than 10.1.0.160(C00E160R2P11) have an improper authorization vulnerability. | 2.1 |
2020-07-29 | CVE-2020-11934 | Canonical | Exposure of Resource to Wrong Sphere vulnerability in Canonical Ubuntu Linux It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. | 1.9 |