Weekly Vulnerabilities Reports > August 3 to 9, 2020
Overview
163 new vulnerabilities reported during this period, including 19 critical vulnerabilities and 78 high severity vulnerabilities. This weekly summary reports vulnerabilities in 184 products from 85 vendors including IBM, Jetbrains, Fedoraproject, Canonical, and Opensuse. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Improper Authentication", "OS Command Injection", and "Improper Input Validation".
- 99 reported vulnerabilities are remotely exploitable.
- 53 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 101 reported vulnerabilities are exploitable by an anonymous user.
- IBM has the most reported vulnerabilities, with 20 reported vulnerabilities.
- Debian has the most reported critical vulnerabilities, with 2 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
19 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-08-06 | CVE-2020-7357 | Cayintech | OS Command Injection vulnerability in Cayintech products Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. | 9.9 |
2020-08-07 | CVE-2020-16169 | Robotemi | Improper Authentication vulnerability in Robotemi Robox OS 117.21/119.24 Authentication Bypass Using an Alternate Path or Channel in temi Robox OS prior to 120, temi Android app up to 1.3.7931 allows remote attackers to gain elevated privileges on the temi and have it automatically answer the attacker's calls, granting audio, video, and motor control via unspecified vectors. | 9.8 |
2020-08-07 | CVE-2020-11984 | Apache Netapp Canonical Debian Fedoraproject Opensuse Oracle | Classic Buffer Overflow vulnerability in multiple products Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE | 9.8 |
2020-08-06 | CVE-2020-13793 | Ivanti | Use of Hard-coded Credentials vulnerability in Ivanti DSM Netinst 5.1 Unsafe storage of AD credentials in Ivanti DSM netinst 5.1 due to a static, hard-coded encryption key. | 9.8 |
2020-08-06 | CVE-2020-12441 | Ivanti | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ivanti products Denial-of-Service (DoS) in Ivanti Service Manager HEAT Remote Control 7.4 due to a buffer overflow in the protocol parser of the ‘HEATRemoteService’ agent. | 9.8 |
2020-08-06 | CVE-2020-7356 | Cayintech | SQL Injection vulnerability in Cayintech Xpost 1.0/2.0/2.5.18103 CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability. | 9.8 |
2020-08-05 | CVE-2020-5609 | Yokogawa | Path Traversal vulnerability in Yokogawa products Directory traversal vulnerability in CAMS for HIS CENTUM CS 3000 (includes CENTUM CS 3000 Small) R3.08.10 to R3.09.50, CENTUM VP (includes CENTUM VP Small, Basic) R4.01.00 to R6.07.00, B/M9000CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01 allows a remote unauthenticated attacker to create or overwrite arbitrary files and run arbitrary commands via unspecified vectors. | 9.8 |
2020-08-05 | CVE-2020-5608 | Yokogawa | Improper Authentication vulnerability in Yokogawa products CAMS for HIS CENTUM CS 3000 (includes CENTUM CS 3000 Small) R3.08.10 to R3.09.50, CENTUM VP (includes CENTUM VP Small, Basic) R4.01.00 to R6.07.00, B/M9000CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01 allows a remote unauthenticated attacker to bypass authentication and send altered communication packets via unspecified vectors. | 9.8 |
2020-08-05 | CVE-2020-17353 | Lilypond Fedoraproject Debian Opensuse | scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript code. | 9.8 |
2020-08-05 | CVE-2020-13921 | Apache | SQL Injection vulnerability in Apache Skywalking **Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking storage, there is a SQL injection vulnerability in the wildcard query cases. | 9.8 |
2020-08-05 | CVE-2020-13151 | Aerospike | OS Command Injection vulnerability in Aerospike Server Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. | 9.8 |
2020-08-04 | CVE-2020-4459 | IBM | Use of Hard-coded Credentials vulnerability in IBM Security Secret Server 10.6/10.7/10.7.000059 IBM Security Verify Access 10.7 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | 9.8 |
2020-08-04 | CVE-2020-5616 | Calendar02 Project Calendar01 Project Link01 Project Calendarform01 Project Gallery01 Project Telop01 Project Pkobo Vote01 Project Pkobo News01 Project | Improper Authentication vulnerability in multiple products [Calendar01], [Calendar02], [PKOBO-News01], [PKOBO-vote01], [Telop01], [Gallery01], [CalendarForm01], and [Link01] [Calendar01] free edition ver1.0.0, [Calendar02] free edition ver1.0.0, [PKOBO-News01] free edition ver1.0.3 and earlier, [PKOBO-vote01] free edition ver1.0.1 and earlier, [Telop01] free edition ver1.0.0, [Gallery01] free edition ver1.0.3 and earlier, [CalendarForm01] free edition ver1.0.3 and earlier, and [Link01] free edition ver1.0.0 allows remote attackers to bypass authentication and log in to the product with administrative privileges via unspecified vectors. | 9.8 |
2020-08-07 | CVE-2020-8025 | Suse | Unspecified vulnerability in Suse products An Incorrect Execution-Assigned Permissions vulnerability in the permissions package of SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15; openSUSE Leap 15.1, openSUSE Tumbleweed sets the permissions for some of the directories of the pcp package to unintended settings. | 9.3 |
2020-08-07 | CVE-2020-16167 | Robotemi | Missing Authentication for Critical Function vulnerability in Robotemi Launcher OS 11969/13146 Missing Authentication for Critical Function in temi Robox OS prior to 120, temi Android app up to 1.3.7931 allows remote attackers to receive and answer calls intended for another temi user. | 9.1 |
2020-08-03 | CVE-2020-16272 | KEE | Improper Input Validation vulnerability in KEE Keepassrpc The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, which allows remote attackers to read and modify data in the KeePass database via an A=0 WebSocket connection. | 9.1 |
2020-08-03 | CVE-2020-16271 | KEE | Use of Insufficiently Random Values vulnerability in KEE Keepassrpc The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows remote attackers to read and modify data in the KeePass database via a WebSocket connection. | 9.1 |
2020-08-03 | CVE-2020-4377 | IBM | XXE vulnerability in IBM Cognos Analytics 11.0.0/11.1.0 IBM Cognos Analytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. | 9.1 |
2020-08-07 | CVE-2020-13376 | Securenvoy | Path Traversal vulnerability in Securenvoy Securmail 9.3.503 SecurEnvoy SecurMail 9.3.503 allows attackers to upload executable files and achieve OS command execution via a crafted SecurEnvoyReply cookie. | 9.0 |
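The two KEE KeePassRPC entries above (CVE-2020-16272, the missing check on the client-supplied A, and CVE-2020-16271, the insufficiently random numbers) come down to two lines of an SRP-6a server. The example below is an illustration added for this report, not KeePassRPC's code: it runs a simplified SRP-6a exchange over a toy group (N = 47, g = 5, chosen so it runs instantly; a real server uses the RFC 5054 groups, and here x is derived from salt and password only, without the username), then shows what an A = 0 login does. Because the server computes S = (A · v^u)^b mod N, any A that is 0 mod N makes S = 0 whatever the password, so the attacker knows the session key without ever knowing the password. The hardened path refuses A mod N = 0 (the RFC 5054 rule, which also catches A = N, 2N, ... that a bare `A == 0` test would let through) and draws its private exponent from a CSPRNG. The salt and password are constructed for the example.

```python
import hashlib
import secrets

# Toy SRP-6a group used so the example runs instantly; a real server uses the
# RFC 5054 groups (1024-bit and up). 47 is a safe prime (47 = 2*23 + 1) and 5
# generates the full multiplicative group mod 47.
N = 47
g = 5


def i2b(n: int) -> bytes:
    """Big-endian encoding of a non-negative integer (at least one byte)."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def H(*parts: bytes) -> int:
    """SRP hash function: SHA-256 over the concatenated parts, read as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(i2b(N), i2b(g)) % N  # SRP-6a multiplier k = H(N, g)


def make_verifier(salt: bytes, password: bytes) -> int:
    """Registration: the server stores (salt, v) and never sees x again.
    Simplified x = H(salt, password); RFC 5054 also folds in the username."""
    x = H(salt, password)
    return pow(g, x, N)


def random_exponent() -> int:
    """Private exponent a or b. It must come from a CSPRNG (the random-number
    half of the KeePassRPC advisories); secrets.randbelow is the stdlib choice."""
    return secrets.randbelow(N - 2) + 1


def server_public(verifier: int, b: int) -> int:
    """B = k*v + g^b mod N, sent to the client together with the salt."""
    return (k * verifier + pow(g, b, N)) % N


def server_secret(verifier: int, A: int, B: int, b: int, strict: bool):
    """Server-side premaster secret S = (A * v^u)^b mod N.
    Returns None when the handshake is refused (strict mode only)."""
    if strict and A % N == 0:
        # RFC 5054 2.5.4: abort if A mod N == 0. Testing `A == 0` alone would
        # miss A = N, 2N, ... which reduce to zero just the same.
        return None
    u = H(i2b(A), i2b(B))
    if strict and u == 0:
        return None
    # With A = 0 mod N this is pow(0, b, N) == 0 regardless of the verifier,
    # i.e. regardless of the password: that is the A = 0 attack.
    return pow(A * pow(verifier, u, N), b, N)


def client_secret(salt: bytes, password: bytes, a: int, B: int) -> int:
    """Client-side premaster secret S = (B - k*g^x)^(a + u*x) mod N."""
    A = pow(g, a, N)
    u = H(i2b(A), i2b(B))
    x = H(salt, password)
    return pow((B - k * pow(g, x, N)) % N, a + u * x, N)


def session_key(S: int) -> bytes:
    """Both sides derive the session key from S; an attacker who forced S = 0 has it too."""
    return hashlib.sha256(i2b(S)).digest()


if __name__ == "__main__":
    salt, password = b"constructed-salt", b"correct horse battery staple"
    v = make_verifier(salt, password)
    a, b = random_exponent(), random_exponent()
    B = server_public(v, b)
    honest = server_secret(v, pow(g, a, N), B, b, strict=True) == client_secret(salt, password, a, B)
    print("honest client and server agree:", honest)
    print("lenient server with A = 0 derives S =", server_secret(v, 0, B, b, strict=False))
    print("lenient server with A = N derives S =", server_secret(v, N, B, b, strict=False))
    print("strict server with A = N answers:", server_secret(v, N, B, b, strict=True))
```

Run it directly to see the honest exchange agree and the A = 0 (and A = N) handshakes collapse to S = 0 on the lenient server, while the strict server refuses them before computing anything.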
78 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-08-08 | CVE-2020-15825 | Jetbrains | Unspecified vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges. | 8.8 |
2020-08-08 | CVE-2020-15824 | Jetbrains Oracle | Improper Privilege Management vulnerability in multiple products In JetBrains Kotlin from 1.4-M1 to 1.4-RC (as Kotlin 1.3.7x is not affected by the issue. | 8.8 |
2020-08-08 | CVE-2020-15817 | Jetbrains | Unspecified vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2020.1.1331, an external user could execute commands against arbitrary issues. | 8.8 |
2020-08-07 | CVE-2020-15063 | Digitus | Improper Authentication vulnerability in Digitus Da-70254 Firmware 2.073.000.E0008 DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter. | 8.8 |
2020-08-07 | CVE-2020-15062 | Digitus | Insufficiently Protected Credentials vulnerability in Digitus Da-70254 Firmware 2.073.000.E0008 DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic. | 8.8 |
2020-08-07 | CVE-2020-15059 | Lindy International | Improper Authentication vulnerability in Lindy-International 42633 Firmware 2.078.000 Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter. | 8.8 |
2020-08-07 | CVE-2020-15058 | Lindy International | Insufficiently Protected Credentials vulnerability in Lindy-International 42633 Firmware 2.078.000 Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic. | 8.8 |
2020-08-07 | CVE-2020-15055 | TP Link | Improper Authentication vulnerability in Tp-Link Tl-Ps310U Firmware TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter. | 8.8 |
2020-08-07 | CVE-2020-15054 | TP Link | Insufficiently Protected Credentials vulnerability in Tp-Link Tl-Ps310U Firmware TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic. | 8.8 |
2020-08-07 | CVE-2020-15480 | Passmark | Unspecified vulnerability in Passmark Burnintest, Osforensics and Performancetest An issue was discovered in PassMark BurnInTest through 9.1, OSForensics through 7.1, and PerformanceTest through 10. | 8.8 |
2020-08-07 | CVE-2020-15479 | Passmark | Classic Buffer Overflow vulnerability in Passmark Burnintest, Osforensics and Performancetest An issue was discovered in PassMark BurnInTest through 9.1, OSForensics through 7.1, and PerformanceTest through 10. | 8.8 |
2020-08-07 | CVE-2020-17352 | Sophos | OS Command Injection vulnerability in Sophos XG Firewall Firmware 17.5/18.0 Two OS command injection vulnerabilities in the User Portal of Sophos XG Firewall through 2020-08-05 potentially allow an authenticated attacker to remotely execute arbitrary code. | 8.8 |
2020-08-07 | CVE-2020-7810 | Handysoft | Improper Validation of Integrity Check Value vulnerability in Handysoft Hslogin2.Dll 6.7.8.4/7.3.4 hslogin2.dll ActiveX Control in Groupware contains a vulnerability that could allow remote files to be downloaded and executed by setting the arguments to the activex method. | 8.8 |
2020-08-07 | CVE-2020-11852 | Microfocus | OS Command Injection vulnerability in Microfocus Secure Messaging Gateway 471 DKIM key management page vulnerability on Micro Focus Secure Messaging Gateway (SMG). | 8.8 |
2020-08-06 | CVE-2020-13365 | Zyxel | Improper Authentication vulnerability in Zyxel products Certain Zyxel products have a locally accessible binary that allows a non-root user to generate a password for an undocumented user account that can be used for a TELNET session as root. | 8.8 |
2020-08-06 | CVE-2020-13364 | Zyxel | Unspecified vulnerability in Zyxel products A backdoor in certain Zyxel products allows remote TELNET access via a CGI script. | 8.8 |
2020-08-06 | CVE-2020-7361 | Easycorp | OS Command Injection vulnerability in Easycorp Zentao PRO 8.8.2 The EasyCorp ZenTao Pro application suffers from an OS command injection vulnerability in its '/pro/repo-create.html' component. | 8.8 |
2020-08-06 | CVE-2020-7352 | GOG | Use of Hard-coded Credentials vulnerability in GOG Galaxy The GalaxyClientService component of GOG Galaxy runs with elevated SYSTEM privileges in a Windows environment. | 8.8 |
2020-08-05 | CVE-2020-13404 | Quadra Informatique | OS Command Injection vulnerability in Quadra-Informatique Atos/Sips The ATOS/Sips (aka Atos-Magento) community module 3.0.0 to 3.0.5 for Magento allows command injection. | 8.8 |
2020-08-04 | CVE-2020-15467 | Cohesive | OS Command Injection vulnerability in Cohesive Vns3 The administrative interface of Cohesive Networks vns3:vpn appliances before version 4.11.1 is vulnerable to authenticated remote code execution leading to server compromise. | 8.8 |
2020-08-04 | CVE-2020-5615 | Calendar02 Project Calendar01 Project | Cross-Site Request Forgery (CSRF) vulnerability in multiple products Cross-site request forgery (CSRF) vulnerability in [Calendar01] free edition ver1.0.0 and [Calendar02] free edition ver1.0.0 allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 8.8 |
2020-08-03 | CVE-2020-5773 | Teltonika Networks | Improper Privilege Management vulnerability in Teltonika-Networks Trb245 Firmware 00.02.04.01 Improper Access Control in Teltonika firmware TRB2_R_00.02.04.01 allows a low privileged user to perform unauthorized write operations. | 8.8 |
2020-08-03 | CVE-2020-5770 | Teltonika Networks | Cross-Site Request Forgery (CSRF) vulnerability in Teltonika-Networks Trb245 Firmware 00.02.04.01 Cross-site request forgery in Teltonika firmware TRB2_R_00.02.04.01 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link. | 8.8 |
2020-08-03 | CVE-2020-4534 | IBM | Unspecified vulnerability in IBM Websphere Application Server IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of UNC paths. | 8.8 |
2020-08-03 | CVE-2020-8108 | Bitdefender | Improper Authentication vulnerability in Bitdefender Endpoint Security Improper Authentication vulnerability in Bitdefender Endpoint Security for Mac allows an unprivileged process to restart the main service and potentially inject third-party code into a trusted process. | 8.8 |
2020-08-05 | CVE-2020-7298 | Mcafee | Unspecified vulnerability in Mcafee Total Protection Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call. | 8.4 |
2020-08-05 | CVE-2020-4481 | IBM | XXE vulnerability in IBM Urbancode Deploy IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. | 8.2 |
2020-08-05 | CVE-2020-16253 | Pghero Project | Cross-Site Request Forgery (CSRF) vulnerability in Pghero Project Pghero The PgHero gem through 2.6.0 for Ruby allows CSRF. | 8.1 |
2020-08-04 | CVE-2020-15943 | Gantt Chart Project | Missing Authorization vulnerability in Gantt-Chart Project Gantt-Chart An issue was discovered in the Gantt-Chart module before 5.5.4 for Jira. | 8.1 |
2020-08-04 | CVE-2020-16134 | Swisscom | Unspecified vulnerability in Swisscom products An issue was discovered on Swisscom Internet Box 2, Internet Box Standard, Internet Box Plus prior to 10.04.38, Internet Box 3 prior to 11.01.20, and Internet Box light prior to 08.06.06. | 8.0 |
2020-08-07 | CVE-2020-8026 | Opensuse | Unspecified vulnerability in Opensuse Backports Sle, Leap and Tumbleweed An Incorrect Default Permissions vulnerability in the packaging of inn in openSUSE Leap 15.2, openSUSE Tumbleweed, openSUSE Leap 15.1 allows local attackers with control of the new user to escalate their privileges to root. | 7.8 |
2020-08-07 | CVE-2020-16227 | Deltaww | Improper Input Validation vulnerability in Deltaww Tpeditor Delta Electronics TPEditor Versions 1.97 and prior. | 7.8 |
2020-08-07 | CVE-2020-16225 | Deltaww | Out-of-bounds Write vulnerability in Deltaww Tpeditor Delta Electronics TPEditor Versions 1.97 and prior. | 7.8 |
2020-08-07 | CVE-2020-16223 | Deltaww | Out-of-bounds Write vulnerability in Deltaww Tpeditor Delta Electronics TPEditor Versions 1.97 and prior. | 7.8 |
2020-08-07 | CVE-2020-16221 | Deltaww | Out-of-bounds Write vulnerability in Deltaww Tpeditor Delta Electronics TPEditor Versions 1.97 and prior. | 7.8 |
2020-08-07 | CVE-2020-16219 | Deltaww | Out-of-bounds Read vulnerability in Deltaww Tpeditor Delta Electronics TPEditor Versions 1.97 and prior. | 7.8 |
2020-08-06 | CVE-2020-16229 | Advantech | Type Confusion vulnerability in Advantech Webaccess/Hmi Designer 2.1/2.1.9.31 Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. | 7.8 |
2020-08-06 | CVE-2020-16217 | Advantech | Double Free vulnerability in Advantech Webaccess/Hmi Designer 2.1/2.1.9.31 Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. | 7.8 |
2020-08-06 | CVE-2020-16215 | Advantech | Improper Input Validation vulnerability in Advantech Webaccess/Hmi Designer 2.1/2.1.9.31 Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. | 7.8 |
2020-08-06 | CVE-2020-16213 | Advantech | Out-of-bounds Write vulnerability in Advantech Webaccess/Hmi Designer 2.1/2.1.9.31 Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. | 7.8 |
2020-08-06 | CVE-2020-16207 | Advantech | Out-of-bounds Write vulnerability in Advantech Webaccess/Hmi Designer 2.1/2.1.9.31 Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. | 7.8 |
2020-08-06 | CVE-2020-7817 | Raonwiz | Download of Code Without Integrity Check vulnerability in Raonwiz K Upload 6.2.2018.529 MyBrowserPlus downloads the files needed to run the program through the setup file (Setup.inf). | 7.8 |
2020-08-04 | CVE-2020-16203 | Deltaww | Access of Uninitialized Pointer vulnerability in Deltaww Cncsoft Screeneditor 1.00.88/1.00.96/1.01.23 Delta Industrial Automation CNCSoft ScreenEditor, Versions 1.01.23 and prior. | 7.8 |
2020-08-04 | CVE-2020-16199 | Deltaww | Out-of-bounds Write vulnerability in Deltaww Cncsoft Screeneditor 1.00.88/1.00.96/1.01.23 Delta Industrial Automation CNCSoft ScreenEditor, Versions 1.01.23 and prior. | 7.8 |
2020-08-04 | CVE-2020-7823 | Hmtalk | Out-of-bounds Write vulnerability in Hmtalk Daviewindy 8.98.4/8.98.7 DaviewIndy has a Memory corruption vulnerability, triggered when the user opens a malformed image file that is mishandled by Daview.exe. | 7.8 |
2020-08-04 | CVE-2020-7822 | Hmtalk | Out-of-bounds Write vulnerability in Hmtalk Daviewindy 8.98.4/8.98.7 DaviewIndy has a Heap-based overflow vulnerability, triggered when the user opens a malformed image file that is mishandled by Daview.exe. | 7.8 |
2020-08-04 | CVE-2019-20001 | Ricoh | Unspecified vulnerability in Ricoh Streamline NX Client Tool and Streamline NX PC Client An issue was discovered in RICOH Streamline NX Client Tool and RICOH Streamline NX PC Client that allows attackers to escalate local privileges. | 7.8 |
2020-08-04 | CVE-2020-5617 | Skygroup | Improper Privilege Management vulnerability in Skygroup Skysea Client View 12.200.12N/15.210.05F Privilege escalation vulnerability in SKYSEA Client View Ver.12.200.12n to 15.210.05f allows an attacker to obtain unauthorized privileges and modify/obtain sensitive information or perform unintended operations via unspecified vectors. | 7.8 |
2020-08-03 | CVE-2020-8574 | Netapp | Unspecified vulnerability in Netapp Active IQ Unified Manager 7.3 Active IQ Unified Manager for Linux versions prior to 9.6 ship with the Java Management Extension Remote Method Invocation (JMX RMI) service enabled allowing unauthorized code execution to local users. | 7.8 |
2020-08-03 | CVE-2019-19455 | Wowza | Incorrect Permission Assignment for Critical Resource vulnerability in Wowza Streaming Engine Wowza Streaming Engine before 4.8.5 has Insecure Permissions which may allow a local attacker to escalate privileges in /usr/local/WowzaStreamingEngine/manager/bin/ in the Linux version of the server by writing arbitrary commands into any file there and executing them as root. | 7.8 |
2020-08-03 | CVE-2020-4554 | IBM | Out-of-bounds Write vulnerability in IBM I2 Analysts Notebook 9.2.1/9.2.2 IBM i2 Analyst Notebook 9.2.1 and 9.2.2 could allow a local attacker to execute arbitrary code on the system, caused by a memory corruption. | 7.8 |
2020-08-03 | CVE-2020-4553 | IBM | Out-of-bounds Write vulnerability in IBM I2 Analysts Notebook 9.2.1/9.2.2 IBM i2 Analyst Notebook 9.2.1 and 9.2.2 could allow a local attacker to execute arbitrary code on the system, caused by a memory corruption. | 7.8 |
2020-08-03 | CVE-2020-4552 | IBM | Out-of-bounds Write vulnerability in IBM I2 Analysts Notebook 9.2.1 IBM i2 Analyst Notebook 9.2.1 could allow a local attacker to execute arbitrary code on the system, caused by a memory corruption. | 7.8 |
2020-08-03 | CVE-2020-4551 | IBM | Out-of-bounds Write vulnerability in IBM I2 Analysts Notebook 9.2.1/9.2.2 IBM i2 Analyst Notebook 9.2.1 and 9.2.2 could allow a local attacker to execute arbitrary code on the system, caused by a memory corruption. | 7.8 |
2020-08-03 | CVE-2020-4550 | IBM | Out-of-bounds Write vulnerability in IBM I2 Analysts Notebook 9.2.1/9.2.2 IBM i2 Analyst Notebook 9.2.1 and 9.2.2 could allow a local attacker to execute arbitrary code on the system, caused by a memory corruption. | 7.8 |
2020-08-03 | CVE-2020-4549 | IBM | Out-of-bounds Write vulnerability in IBM I2 Analysts Notebook 9.2.1 IBM i2 Analyst Notebook 9.2.1 could allow a local attacker to execute arbitrary code on the system, caused by a memory corruption. | 7.8 |
2020-08-06 | CVE-2020-15114 | Redhat Fedoraproject | Missing Release of Resource after Effective Lifetime vulnerability in multiple products In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery and access. | 7.7 |
2020-08-04 | CVE-2020-15135 | Save Server Project | Cross-Site Request Forgery (CSRF) vulnerability in Save-Server Project Save-Server 1.0.3/1.0.4 save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). | 7.6 |
2020-08-08 | CVE-2020-15827 | Jetbrains | Improper Verification of Cryptographic Signature vulnerability in Jetbrains Toolbox 1.17/1.17.6802 In JetBrains ToolBox version 1.17 before 1.17.6856, the set of signature verifications omitted the jetbrains-toolbox.exe file. | 7.5 |
2020-08-08 | CVE-2020-15823 | Jetbrains | Server-Side Request Forgery (SSRF) vulnerability in Jetbrains Youtrack JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component. | 7.5 |
2020-08-08 | CVE-2019-19704 | Jetbrains | Unspecified vulnerability in Jetbrains Upsource In JetBrains Upsource before 2020.1, information disclosure is possible because of an incorrect user matching algorithm. | 7.5 |
2020-08-07 | CVE-2019-7005 | Avaya | Unspecified vulnerability in Avaya IP Office A vulnerability was discovered in the web interface component of IP Office that may potentially allow a remote, unauthenticated user with network access to gain sensitive information. | 7.5 |
2020-08-07 | CVE-2020-15138 | Prismjs | Cross-site Scripting vulnerability in Prismjs Previewers Prism is vulnerable to Cross-Site Scripting. | 7.5 |
2020-08-07 | CVE-2020-9490 | Apache Oracle Opensuse Debian Fedoraproject Canonical Redhat | HTTP Request Smuggling vulnerability in multiple products Apache HTTP Server versions 2.4.20 to 2.4.43. | 7.5 |
2020-08-07 | CVE-2020-11993 | Apache Netapp Canonical Opensuse Debian Fedoraproject Oracle | HTTP Request Smuggling vulnerability in multiple products Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. | 7.5 |
2020-08-06 | CVE-2020-15115 | Redhat Fedoraproject | etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. | 7.5 |
2020-08-06 | CVE-2020-16845 | Golang Opensuse Debian Fedoraproject | Infinite Loop vulnerability in multiple products Go before 1.13.15 and 1.14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. | 7.5 |
2020-08-05 | CVE-2020-15127 | Projectcontour | Missing Authentication for Critical Function vulnerability in Projectcontour Contour In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. | 7.5 |
2020-08-04 | CVE-2020-15956 | Acti | Classic Buffer Overflow vulnerability in Acti NVR 2.3.04.07/3.0.12.42 ActiveMediaServer.exe in ACTi NVR3 Standard Server 3.0.12.42 allows remote unauthenticated attackers to trigger a buffer overflow and application termination via a malformed payload. | 7.5 |
2020-08-03 | CVE-2020-5772 | Teltonika Networks | Download of Code Without Integrity Check vulnerability in Teltonika-Networks Trb245 Firmware 00.02.04.01 Improper Input Validation in Teltonika firmware TRB2_R_00.02.04.01 allows a remote, authenticated attacker to gain root privileges by uploading a malicious package file. | 7.5 |
2020-08-03 | CVE-2020-5771 | Teltonika Networks | Improper Input Validation vulnerability in Teltonika-Networks Trb245 Firmware 00.02.04.01 Improper Input Validation in Teltonika firmware TRB2_R_00.02.04.01 allows a remote, authenticated attacker to gain root privileges by uploading a malicious backup archive. | 7.5 |
2020-08-05 | CVE-2020-17366 | Nlnetlabs | Improper Certificate Validation vulnerability in Nlnetlabs Routinator An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. | 7.4 |
2020-08-04 | CVE-2020-6012 | Checkpoint | Link Following vulnerability in Checkpoint Zonealarm Anti-Ransomware 1.0.0601/1.0.710 ZoneAlarm Anti-Ransomware before version 1.0.713 copies files for the report from a directory with low privileges. | 7.4 |
2020-08-09 | CVE-2020-17452 | Flatcore | Unrestricted Upload of File with Dangerous Type vulnerability in Flatcore flatCore before 1.5.7 allows upload and execution of a .php file by an admin. | 7.2 |
2020-08-05 | CVE-2020-15113 | Etcd Fedoraproject | In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. | 7.1 |
2020-08-04 | CVE-2020-13522 | Softperfect | Unspecified vulnerability in Softperfect RAM Disk 4.1 An exploitable arbitrary file delete vulnerability exists in SoftPerfect RAM Disk 4.1 spvve.sys driver. | 7.1 |
2020-08-06 | CVE-2020-15702 | Canonical | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Canonical Apport TOCTOU Race Condition vulnerability in apport allows a local attacker to escalate privileges and execute arbitrary code. | 7.0 |
2020-08-06 | CVE-2020-7460 | Freebsd | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Freebsd 11.3/11.4/12.1 In FreeBSD 12.1-STABLE before r363918, 12.1-RELEASE before p8, 11.4-STABLE before r363919, 11.4-RELEASE before p2, and 11.3-RELEASE before p12, the sendmsg system call in the compat32 subsystem on 64-bit platforms has a time-of-check to time-of-use vulnerability allowing a malicious userspace program to modify control message headers after they were validated. | 7.0 |
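Three of the network-server entries above (Digitus DA-70254 CVE-2020-15063, Lindy 42633 CVE-2020-15059 and TP-Link TL-PS310U CVE-2020-15055) describe the same bug class: an authentication check that can be sidestepped by simply leaving the password parameter out of the web-administration request. The vendor firmware is not on this page, so the example below is a generic illustration added for this report, not the devices' code: a hypothetical admin handler that parses a form-encoded body, once with the assumed fail-open check (no parameter, no comparison) and once with a fail-closed check that treats a missing or empty password as a failed login and compares in constant time. ADMIN_PASSWORD and the request bodies are constructed for the example.

```python
import hmac
from urllib.parse import parse_qs

# Constructed admin secret for the example; on a real device this is the configured admin password.
ADMIN_PASSWORD = "s3cret-admin"


def parse_form(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to the first value of each field,
    keeping blank values so `password=` is distinguishable from no password at all."""
    return {name: values[0] for name, values in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_is_authorized(params: dict) -> bool:
    # Assumed flawed pattern: the password is only compared when the client sent one,
    # so a request that omits the parameter altogether is treated as authenticated.
    if "password" in params:
        return params["password"] == ADMIN_PASSWORD
    return True


def hardened_is_authorized(params: dict) -> bool:
    # Fail closed: a missing or empty password is a failed login, and the comparison
    # is constant-time so response timing does not leak how much of it matched.
    supplied = params.get("password", "")
    if not supplied:
        return False
    return hmac.compare_digest(supplied.encode(), ADMIN_PASSWORD.encode())


def handle_admin_request(body: str, is_authorized) -> int:
    """HTTP status a hypothetical admin endpoint would return for a form body under the given check."""
    params = parse_form(body)
    if not is_authorized(params):
        return 403
    return 200


if __name__ == "__main__":
    # Constructed request bodies: a normal login, a wrong password, an empty one, and the bypass.
    bodies = [
        "action=reboot&password=s3cret-admin",
        "action=reboot&password=wrong",
        "action=reboot&password=",
        "action=reboot",
    ]
    for body in bodies:
        print(f"{body!r:40} vulnerable={handle_admin_request(body, vulnerable_is_authorized)} "
              f"hardened={handle_admin_request(body, hardened_is_authorized)}")
```

The last body is the one the advisories describe: the fail-open check returns 200 for it, the fail-closed check returns 403. The fix is a property of the handler, not of the parser; whatever framework a device uses, the check must run on every request and default to denial when the credential is absent.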
62 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-08-06 | CVE-2020-7459 | Freebsd | Improper Input Validation vulnerability in Freebsd 11.3/11.4/12.1 In FreeBSD 12.1-STABLE before r362166, 12.1-RELEASE before p8, 11.4-STABLE before r362167, 11.4-RELEASE before p2, and 11.3-RELEASE before p12, missing length validation code common to multiple USB network drivers allows a malicious USB device to write beyond the end of an allocated network packet buffer. | 6.8 |
2020-08-05 | CVE-2020-8607 | Trendmicro | Improper Input Validation vulnerability in Trendmicro products An input validation vulnerability found in multiple Trend Micro products utilizing a particular version of a specific rootkit protection driver could allow an attacker in user-mode with administrator permissions to abuse the driver to modify a kernel address that may cause a system crash or potentially lead to code execution in kernel mode. | 6.7 |
2020-08-05 | CVE-2020-14344 | X ORG Fedoraproject Canonical Opensuse | Integer Overflow or Wraparound vulnerability in multiple products An integer overflow leading to a heap-buffer overflow was found in the X Input Method (XIM) client implemented in libX11 before version 1.6.10. | 6.7 |
2020-08-08 | CVE-2020-15828 | Jetbrains | Unspecified vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2020.1.1, project parameter values can be retrieved by a user without appropriate permissions. | 6.5 |
2020-08-08 | CVE-2020-15821 | Jetbrains | Incorrect Default Permissions vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft. | 6.5 |
2020-08-07 | CVE-2020-15065 | Digitus | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Digitus Da-70254 Firmware 2.073.000.E0008 DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to denial-of-service the device via long input values. | 6.5 |
2020-08-07 | CVE-2020-15061 | Lindy International | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Lindy-International 42633 Firmware 2.078.000 Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values. | 6.5 |
2020-08-07 | CVE-2020-15057 | TP Link | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Tp-Link Tl-Ps310U Firmware TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to denial-of-service the device via long input values. | 6.5 |
2020-08-07 | CVE-2020-5412 | Vmware | Externally Controlled Reference to a Resource in Another Sphere vulnerability in VMWare Spring Cloud Netflix Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. | 6.5 |
2020-08-07 | CVE-2020-16168 | Robotemi | Origin Validation Error vulnerability in Robotemi Temi Firmware Origin Validation Error in temi Robox OS prior to 120, temi Android app up to 1.3.7931 allows remote attackers to access the REST API and MQTT broker used by the temi and send it custom data/requests via unspecified vectors. | 6.5 |
2020-08-06 | CVE-2020-15136 | Redhat Fedoraproject | Missing Authentication for Critical Function vulnerability in multiple products In etcd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. | 6.5 |
2020-08-05 | CVE-2020-15112 | Etcd Fedoraproject | Improper Validation of Array Index vulnerability in multiple products In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater than the number of entries in the ReadAll method in wal/wal.go. | 6.5 |
2020-08-05 | CVE-2020-15106 | Etcd Fedoraproject | In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. | 6.5 |
2020-08-05 | CVE-2017-18112 | Atlassian | Information Exposure vulnerability in Atlassian Fisheye Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. | 6.5 |
2020-08-03 | CVE-2020-4328 | IBM | SQL Injection vulnerability in IBM Financial Transaction Manager for Multiplatform 3.2.4 IBM Financial Transaction Manager 3.2.4 is vulnerable to SQL injection. | 6.3 |
2020-08-08 | CVE-2020-15831 | Jetbrains | Cross-site Scripting vulnerability in Jetbrains Teamcity JetBrains TeamCity before 2019.2.3 is vulnerable to reflected XSS in the administration UI. | 6.1 |
2020-08-08 | CVE-2020-15830 | Jetbrains | Cross-site Scripting vulnerability in Jetbrains Teamcity JetBrains TeamCity before 2019.2.3 is vulnerable to stored XSS in the administration UI. | 6.1 |
2020-08-07 | CVE-2020-15907 | Mahara | Cross-site Scripting vulnerability in Mahara In Mahara 19.04 before 19.04.6, 19.10 before 19.10.4, and 20.04 before 20.04.1, certain places could execute file or folder names containing JavaScript. | 6.1 |
2020-08-05 | CVE-2020-9036 | Jeedom | Cross-site Scripting vulnerability in Jeedom 4.0.38 Jeedom through 4.0.38 allows XSS. | 6.1 |
2020-08-05 | CVE-2020-16254 | Chartkick Project | Injection vulnerability in Chartkick Project Chartkick The Chartkick gem through 3.3.2 for Ruby allows Cascading Style Sheets (CSS) Injection (without attribute). | 6.1 |
2020-08-05 | CVE-2020-16192 | Limesurvey | Cross-site Scripting vulnerability in Limesurvey 4.3.2 LimeSurvey 4.3.2 allows reflected XSS because application/controllers/LSBaseController.php lacks code to validate parameters. | 6.1 |
2020-08-05 | CVE-2020-17364 | Usvn | Cross-site Scripting vulnerability in Usvn User-Friendly SVN USVN (aka User-friendly SVN) before 1.0.9 allows XSS via SVN logs. | 6.1 |
2020-08-05 | CVE-2020-13819 | Extremenetworks | Cross-site Scripting vulnerability in Extremenetworks Extreme Management Center 8.4.1.24/8.5 Extreme EAC Appliance 8.4.1.24 allows unauthenticated reflected XSS via a parameter in a GET request. | 6.1 |
2020-08-04 | CVE-2020-16847 | Extremenetworks | Cross-site Scripting vulnerability in Extremenetworks Extreme Management Center 8.4.1.24/8.5 Extreme Analytics in Extreme Management Center before 8.5.0.169 allows unauthenticated reflected XSS via a parameter in a GET request, aka CFD-4887. | 6.1 |
2020-08-03 | CVE-2020-11584 | Plesk | Cross-site Scripting vulnerability in Plesk Onyx 17.8.11 A GET-based XSS reflected vulnerability in Plesk Onyx 17.8.11 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter. | 6.1 |
2020-08-03 | CVE-2020-11583 | Plesk | Cross-site Scripting vulnerability in Plesk Obsidian 18.0.17 A GET-based XSS reflected vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter. | 6.1 |
2020-08-03 | CVE-2020-16131 | Tiki | Cross-site Scripting vulnerability in Tiki Tiki before 21.2 allows XSS because [\s\/"\'] is not properly considered in lib/core/TikiFilter/PreventXss.php. | 6.1 |
2020-08-03 | CVE-2020-13820 | Extremenetworks | Cross-site Scripting vulnerability in Extremenetworks Extreme Management Center 8.4.1.24 Extreme Management Center 8.4.1.24 allows unauthenticated reflected XSS via a parameter in a GET request. | 6.1 |
2020-08-03 | CVE-2015-9549 | Ocportal | Cross-site Scripting vulnerability in Ocportal 9.0.20 A reflected Cross-site Scripting (XSS) vulnerability exists in OcPortal 9.0.20 via the OCF_EMOTICON_CELL.tpl FIELD_NAME field to data/emoticons.php. | 6.1 |
2020-08-03 | CVE-2020-4560 | IBM | Cross-site Scripting vulnerability in IBM Financial Transaction Manager 3.2.4.0 IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site scripting. | 6.1 |
2020-08-04 | CVE-2020-16843 | Amazon | Unspecified vulnerability in Amazon Firecracker 0.20.0/0.21.0/0.21.1 In Firecracker 0.20.x before 0.20.1 and 0.21.x before 0.21.2, the network stack can freeze under heavy ingress traffic. | 5.9 |
2020-08-03 | CVE-2020-14319 | Redhat | Cross-Site Request Forgery (CSRF) vulnerability in Redhat Enmasse It was found that the AMQ Online console is vulnerable to a Cross-Site Request Forgery (CSRF) which is exploitable in cases where CORS preflight checks are not performed or are bypassed. | 5.9 |
2020-08-09 | CVE-2020-16248 | Prometheus | Server-Side Request Forgery (SSRF) vulnerability in Prometheus Blackbox Exporter Prometheus Blackbox Exporter through 0.17.0 allows /probe?target= SSRF. | 5.8 |
2020-08-06 | CVE-2020-15701 | Canonical | Improper Handling of Exceptional Conditions vulnerability in Canonical Apport An unhandled exception in check_ignored() in apport/report.py can be exploited by a local attacker to cause a denial of service. | 5.5 |
2020-08-06 | CVE-2020-11937 | Canonical | Memory Leak vulnerability in Canonical Whoopsie In whoopsie, parse_report() from whoopsie.c allows a local attacker to cause a denial of service via a crafted file. | 5.5 |
2020-08-06 | CVE-2020-16211 | Advantech | Out-of-bounds Read vulnerability in Advantech Webaccess/Hmi Designer 2.1/2.1.9.31 Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. | 5.5 |
2020-08-05 | CVE-2020-14347 | X ORG Debian Canonical | A flaw was found in the X.Org X server (xserver): memory was not properly initialized. | 5.5 |
2020-08-04 | CVE-2020-4631 | IBM | Incorrect Permission Assignment for Critical Resource vulnerability in IBM Spectrum Protect Plus IBM Spectrum Protect Plus 10.1.0 through 10.1.6 agent files, in non-default configurations, on Windows are assigned access to everyone with full control permissions, which could allow a local user to cause interruption of the service operations. | 5.5 |
2020-08-03 | CVE-2020-16269 | Radare Fedoraproject | radare2 4.5.0 misparses DWARF information in executable files, causing a segmentation fault in parse_typedef in type_dwarf.c via a malformed DW_AT_name in the .debug_info section. | 5.5 |
2020-08-04 | CVE-2020-15944 | Gantt Chart Project | Cross-site Scripting vulnerability in Gantt-Chart Project Gantt-Chart An issue was discovered in the Gantt-Chart module before 5.5.5 for Jira. | 5.4 |
2020-08-04 | CVE-2020-4542 | IBM | Cross-site Scripting vulnerability in IBM Engineering Requirements Management Doors Next 7.0 IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. | 5.4 |
2020-08-04 | CVE-2020-4525 | IBM | Cross-site Scripting vulnerability in IBM products IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. | 5.4 |
2020-08-04 | CVE-2020-4396 | IBM | Cross-site Scripting vulnerability in IBM Engineering Test Management 7.0.0 IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. | 5.4 |
2020-08-03 | CVE-2019-19453 | Wowza | Cross-site Scripting vulnerability in Wowza Streaming Engine Wowza Streaming Engine before 4.8.5 allows XSS (issue 1 of 2). | 5.4 |
2020-08-08 | CVE-2020-15829 | Jetbrains | Information Exposure Through Log Files vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2019.2.3, password parameters could be disclosed via build logs. | 5.3 |
2020-08-08 | CVE-2020-15820 | Jetbrains | Unspecified vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence. | 5.3 |
2020-08-08 | CVE-2020-15819 | Jetbrains | Server-Side Request Forgery (SSRF) vulnerability in Jetbrains Youtrack JetBrains YouTrack before 2020.2.10643 was vulnerable to SSRF that allowed scanning internal ports. | 5.3 |
2020-08-08 | CVE-2020-15818 | Jetbrains | Unspecified vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2020.2.8527, the subtasks workflow could disclose issue existence. | 5.3 |
2020-08-07 | CVE-2020-11985 | Apache | Insufficient Verification of Data Authenticity vulnerability in Apache Http Server IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. | 5.3 |
2020-08-05 | CVE-2020-15132 | Sulu | Information Exposure Through an Error Message vulnerability in Sulu In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. | 5.3 |
2020-08-04 | CVE-2020-15109 | Nebulab | Missing Authorization vulnerability in Nebulab Solidus In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an ability to change the order address without triggering address validations. | 5.3 |
2020-08-03 | CVE-2020-12739 | Fanuc | Resource Exhaustion vulnerability in Fanuc products A denial-of-service vulnerability in the Fanuc i Series CNC (0i-MD and 0i Mate-MD) could allow an unauthenticated, remote attacker to cause an affected CNC to become inaccessible to other devices. | 5.3 |
2020-08-03 | CVE-2019-4366 | IBM | Unspecified vulnerability in IBM Cognos Analytics 11.0.0/11.1.0 IBM Cognos Analytics 11.0 and 11.1 is susceptible to an information disclosure vulnerability where an attacker could gain access to cached browser data. | 5.3 |
2020-08-09 | CVE-2020-17451 | Flatcore | Cross-site Scripting vulnerability in Flatcore flatCore before 1.5.7 allows XSS by an admin via the acp/acp.php?tn=pages&sub=edit&editpage=1 page_linkname, page_title, page_content, or page_extracontent parameter, or the acp/acp.php?tn=system&sub=sys_pref prefs_pagename, prefs_pagetitle, or prefs_pagesubtitle parameter. | 4.8 |
2020-08-03 | CVE-2020-8575 | Netapp | Unspecified vulnerability in Netapp Active IQ Unified Manager 7.3/9.5/9.6 Active IQ Unified Manager for VMware vSphere and Windows versions prior to 9.5 are susceptible to a vulnerability which allows administrative users to cause Denial of Service (DoS). | 4.4 |
2020-08-08 | CVE-2020-15826 | Jetbrains | Improper Privilege Management vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2020.1, users are able to assign more permissions than they have. | 4.3 |
2020-08-07 | CVE-2020-15064 | Digitus | Cross-site Scripting vulnerability in Digitus Da-70254 Firmware 2.073.000.E0008 DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name. | 4.3 |
2020-08-07 | CVE-2020-15060 | Lindy International | Cross-site Scripting vulnerability in Lindy-International 42633 Firmware 2.078.000 Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name. | 4.3 |
2020-08-07 | CVE-2020-15056 | TP Link | Cross-site Scripting vulnerability in Tp-Link Tl-Ps310U Firmware TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name. | 4.3 |
2020-08-05 | CVE-2020-16252 | Field Test Project | Cross-Site Request Forgery (CSRF) vulnerability in Field Test Project Field Test The Field Test gem 0.2.0 through 0.3.2 for Ruby allows CSRF. | 4.3 |
2020-08-04 | CVE-2020-4410 | IBM | Unspecified vulnerability in IBM products IBM Jazz Foundation and IBM Engineering products could allow an authenticated user to send a specially crafted HTTP GET request to read attachments on the server that they should not have access to. | 4.3 |
2020-08-03 | CVE-2019-4589 | IBM | Improper Privilege Management vulnerability in IBM Cognos Analytics 11.0.0/11.1.0 IBM Cognos Analytics 11.0 and 11.1 is vulnerable to privilege escalation where the "My schedules and subscriptions" page is visible and accessible to a less privileged user. | 4.3 |
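Three entries above share one failure mode: a server-side fetch whose destination is taken from the request (the Hystrix Dashboard proxy.stream endpoint in CVE-2020-5412, the Blackbox Exporter /probe?target= parameter in CVE-2020-16248, and the YouTrack SSRF that allowed internal port scanning in CVE-2020-15819). The check a practitioner wants in front of any such endpoint is a fail-closed validation of the resolved destination, not of the hostname string. The following is an added example written for this report; it is not code from Prometheus, Spring Cloud Netflix or JetBrains. The scheme policy, the stub DNS table and the function names are assumptions made for illustration.

```python
"""Fail-closed target validation for a probe/proxy endpoint (added example)."""
import ipaddress
from typing import Callable, Iterable, List, Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed stand-in for DNS so the example runs offline. A deployment would
# resolve through socket.getaddrinfo and pin the connection to the checked address.
CONSTRUCTED_DNS = {
    "example.org": ["93.184.216.34"],                 # public address
    "metadata.internal": ["10.0.0.5"],                # RFC 1918 address
    "dual.internal": ["93.184.216.34", "127.0.0.1"],  # mixed answer set
}


def stub_resolve(host: str) -> List[str]:
    """Return the constructed A/AAAA records for host; [] when unknown."""
    return CONSTRUCTED_DNS.get(host.lower(), [])


def address_is_public(addr: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]) -> bool:
    """True only for globally routable unicast addresses."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    # is_global is False for loopback, RFC 1918, link-local (169.254/16, which
    # includes the cloud metadata address), CGNAT 100.64/10, reserved and 0.0.0.0.
    # Multicast is excluded explicitly because older ipaddress versions treat it as global.
    return addr.is_global and not addr.is_multicast


def is_safe_probe_target(url: str,
                         resolve: Callable[[str], Iterable[str]] = stub_resolve) -> bool:
    """Reject any target that could reach the probing host or its own network.

    Fails closed: unparsable URLs, disallowed schemes, unknown hosts and any
    non-public address in the resolved answer set are all rejected.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 bracket syntax
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname  # brackets are already stripped from IPv6 literals
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        # Not a literal: decimal/octal forms such as 2130706433 land here too and
        # are judged by what they resolve to, never by their spelling.
        try:
            candidates = [ipaddress.ip_address(a) for a in resolve(host)]
        except ValueError:
            return False
    if not candidates:
        return False
    return all(address_is_public(a) for a in candidates)


if __name__ == "__main__":
    for target in ("http://example.org/metrics", "http://127.0.0.1:9100/metrics",
                   "http://169.254.169.254/latest/meta-data/", "http://dual.internal/"):
        print(target, "->", "allowed" if is_safe_probe_target(target) else "rejected")
```

Two caveats apply to any check of this shape. The resolved address must be the one actually connected to (resolve once, then connect to that IP), otherwise a DNS answer that changes between validation and fetch defeats the check; and HTTP redirects must be disabled or re-validated hop by hop, since the first response can point the fetcher back at an internal address.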
4 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-08-05 | CVE-2020-4243 | IBM | Session Fixation vulnerability in IBM Security Identity Governance and Intelligence 5.2.6 IBM Security Identity Governance and Intelligence 5.2.6 Virtual Appliance could allow a remote attacker to obtain sensitive information using man-in-the-middle techniques due to not properly invalidating session tokens. | 3.7 |
2020-08-04 | CVE-2020-16201 | Deltaww | Out-of-bounds Read vulnerability in Deltaww Cncsoft Screeneditor 1.00.88/1.00.96/1.01.23 Delta Industrial Automation CNCSoft ScreenEditor, Versions 1.01.23 and prior. | 3.3 |
2020-08-04 | CVE-2020-13523 | Softperfect | Missing Authorization vulnerability in Softperfect RAM Disk 4.1 An exploitable information disclosure vulnerability exists in SoftPerfect’s RAM Disk 4.1 spvve.sys driver. | 3.3 |
2020-08-03 | CVE-2020-16116 | KDE Debian Fedoraproject Opensuse Canonical | Path Traversal vulnerability in multiple products In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can install files outside the extraction directory via ../ directory traversal. | 3.3 |
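The KDE Ark entry (CVE-2020-16116) is the archive-extraction form of path traversal: a member name containing ../ lands outside the chosen extraction directory. The containment check an extractor needs is shown below as an added example written for this report; it is not Ark's code and does not reproduce Ark's fix. The archive contents are constructed inline, and the policy of rejecting offending members rather than renaming them is an assumption.

```python
"""Extraction-directory containment check for archive members (added example)."""
import io
import os
import tarfile
import tempfile
from typing import List, Tuple


def build_constructed_archive() -> bytes:
    """A constructed tar with one benign member and two traversal attempts."""
    members = [
        ("docs/readme.txt", b"fine"),
        ("../../.bashrc", b"evil"),          # plain ../ escape
        ("docs/../../escape.txt", b"evil"),  # escape hidden behind a normal prefix
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_within(base: str, target: str) -> bool:
    """True if target resolves to base itself or to something beneath it.

    realpath() collapses '..' and follows symlinks already present on disk;
    commonpath() avoids the startswith() bug where /tmp/x would accept /tmp/xy.
    """
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def safe_extract(archive: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Extract only members that stay inside dest; return (accepted, rejected) names."""
    accepted, rejected = [], []
    # Python 3.12+ (and security backports) ship tarfile.data_filter, which enforces
    # the same containment natively; pass it when available as a second line of defence.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)  # an absolute name would discard dest
            if os.path.isabs(member.name) or not is_within(dest, target):
                rejected.append(member.name)
                continue
            if member.issym() or member.islnk():
                # A link placed inside dest may still point outside it. Symlink targets
                # are relative to the link's directory; hard-link targets to the archive root.
                if member.issym():
                    link_target = os.path.join(os.path.dirname(target), member.linkname)
                else:
                    link_target = os.path.join(dest, member.linkname)
                if os.path.isabs(member.linkname) or not is_within(dest, link_target):
                    rejected.append(member.name)
                    continue
            tar.extract(member, dest, **extract_kwargs)
            accepted.append(member.name)
    return accepted, rejected


def demo() -> Tuple[List[str], List[str], bytes]:
    """Run the check on the constructed archive in a fresh temporary directory."""
    dest = tempfile.mkdtemp(prefix="safe-extract-")
    accepted, rejected = safe_extract(build_constructed_archive(), dest)
    with open(os.path.join(dest, "docs", "readme.txt"), "rb") as fh:
        content = fh.read()
    return accepted, rejected, content


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: a symlink member is validated before anything is written, so a link that would redirect a later member's path outside the destination is refused rather than followed by realpath() on the next iteration.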