Lista CVE - 2020 / Aprile
Visualizzazione 2101 - 2186 di 2186 CVE per Aprile 2020 (Pagina 22 di 22)
| ID CVE | Data | Titolo |
|---|---|---|
| CVE-2020-12462 | 2020-04-29 | The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS. |
| CVE-2020-12277 | 2020-04-29 | GitLab 10.8 through 12.9 has a vulnerability that allows someone to mirror a repository even if the feature is not activated. |
| CVE-2020-12276 | 2020-04-29 | GitLab 9.5.9 through 12.9 is vulnerable to stored XSS in an admin notification feature. |
| CVE-2020-12275 | 2020-04-29 | GitLab 12.6 through 12.9 is vulnerable to a privilege escalation that allows an external user to create a personal snippet through the API. |
| CVE-2020-11009 | 2020-04-29 | IDOR can reveal execution data and logs to unauthorized user in Rundeck |
| CVE-2020-11020 | 2020-04-29 | Authentication and extension bypass in Faye |
| CVE-2020-12464 | 2020-04-29 | usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925. |
| CVE-2020-11021 | 2020-04-29 | HTTP request which redirect to another hostname do not strip authorization header in Actions Http-Client |
| CVE-2020-12465 | 2020-04-29 | An array overflow was discovered in mt76_add_fragment in drivers/net/wireless/mediatek/mt76/dma.c in the Linux kernel before 5.5.10, aka CID-b102f0c522cf. An oversized packet with too many rx fragments can corrupt memory of adjacent... |
| CVE-2020-12473 | 2020-04-29 | MonoX through 5.1.40.5152 allows admins to execute arbitrary programs by reconfiguring the Converter Executable setting from ffmpeg.exe to a different program. |
| CVE-2020-12472 | 2020-04-29 | MonoX through 5.1.40.5152 allows stored XSS via User Status, Blog Comments, or Blog Description. |
| CVE-2020-12471 | 2020-04-29 | MonoX through 5.1.40.5152 allows remote code execution via HTML5Upload.ashx or Pages/SocialNetworking/lng/en-US/PhotoGallery.aspx because of deserialization in ModuleGallery.HTML5Upload, ModuleGallery.SilverLightUploadModule, HTML5Upload, and SilverLightUploadHandler. |
| CVE-2020-12470 | 2020-04-29 | MonoX through 5.1.40.5152 allows administrators to execute arbitrary code by modifying an ASPX template. |
| CVE-2020-12469 | 2020-04-29 | admin/blocks.php in Subrion CMS through 4.2.1 allows PHP Object Injection (with resultant file deletion) via serialized data in the subpages value within a block to blocks/edit. |
| CVE-2020-12468 | 2020-04-29 | Subrion CMS 4.2.1 allows CSV injection via a phrase value within a language. This is related to phrases/add/ and languages/download/. |
| CVE-2020-12467 | 2020-04-29 | Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie. |
| CVE-2019-16011 | 2020-04-29 | Cisco IOS XE SD-WAN Software Command Injection Vulnerability |
| CVE-2020-11024 | 2020-04-29 | Man-in-the-middle attack in Moonlight iOS/tvOS |
| CVE-2020-11942 | 2020-04-29 | An issue was discovered in Open-AudIT 3.2.2. There are Multiple SQL Injections. |
| CVE-2020-11943 | 2020-04-29 | An issue was discovered in Open-AudIT 3.2.2. There is Arbitrary file upload. |
| CVE-2016-11061 | 2020-04-29 | Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, and 7970i devices before 073.xxx.086.15410 do not properly escape parameters in the support/remoteUI/configrui.php script, which... |
| CVE-2020-12479 | 2020-04-29 | TeamPass 2.1.27.36 allows any authenticated TeamPass user to trigger a PHP file include vulnerability via a crafted HTTP request with sources/users.queries.php newValue directory traversal. |
| CVE-2020-12478 | 2020-04-29 | TeamPass 2.1.27.36 allows an unauthenticated attacker to retrieve files from the TeamPass web root. This may include backups or LDAP debug files. |
| CVE-2020-12477 | 2020-04-29 | The REST API functions in TeamPass 2.1.27.36 allow any user with a valid API token to bypass IP address whitelist restrictions via an X-Forwarded-For client HTTP header to the getIp... |
| CVE-2019-5618 | 2020-04-29 | A-PDF WAV to MP3 Stack-based Buffer Overflow |
| CVE-2019-5619 | 2020-04-29 | AASync.com AASync Stack-based Buffer Overflow |
| CVE-2019-5620 | 2020-04-29 | ABB MicroSCADA Pro SYS600 Missing Authentication for Critical Function |
| CVE-2019-5621 | 2020-04-29 | ABBS Software Audio Media Player Stack-based Buffer Overflow |
| CVE-2019-5622 | 2020-04-29 | Accellion File Transfer Appliance Use of Hard-coded Credentials |
| CVE-2019-5623 | 2020-04-29 | Accellion File Transfer Appliance Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| CVE-2020-11027 | 2020-04-30 | Password reset links invalidation issue in WordPress |
| CVE-2020-1752 | 2020-04-30 | A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid... |
| CVE-2020-12283 | 2020-04-30 | Sourcegraph before 3.15.1 has a vulnerable authentication workflow because of improper validation in the SafeRedirectURL method in cmd/frontend/auth/redirect.go, such as for the //foo//example.com substring. |
| CVE-2020-9387 | 2020-04-30 | In Mahara 19.04 before 19.04.5 and 19.10 before 19.10.3, account details are shared in the Elasticsearch results for accounts that are not accessible when the config setting 'Isolated institutions' is... |
| CVE-2020-6579 | 2020-04-30 | Cross-site scripting (XSS) vulnerability in mailhive/cloudbeez/cloudloader.php and mailhive/cloudbeez/cloudloader_core.php in the MailBeez plugin for ZenCart before 3.9.22 allows remote attackers to inject arbitrary web script or HTML via the cloudloader_mode parameter. |
| CVE-2019-19220 | 2020-04-30 | BMC Control-M/Agent 7.0.00.000 allows OS Command Injection (issue 2 of 2). |
| CVE-2019-19219 | 2020-04-30 | BMC Control-M/Agent 7.0.00.000 allows Arbitrary File Download. |
| CVE-2019-19218 | 2020-04-30 | BMC Control-M/Agent 7.0.00.000 has Insecure Password Storage. |
| CVE-2019-19217 | 2020-04-30 | BMC Control-M/Agent 7.0.00.000 allows OS Command Injection. |
| CVE-2019-19216 | 2020-04-30 | BMC Control-M/Agent 7.0.00.000 has an Insecure File Copy. |
| CVE-2019-19215 | 2020-04-30 | A buffer overflow vulnerability in BMC Control-M/Agent 7.0.00.000 when the On-Do action destination is Mail and the Control-M/Agent is configured to send the email, allows remote attackers to have unspecified... |
| CVE-2020-12101 | 2020-04-30 | The address-management feature in xt:Commerce 5.1 to 6.2.2 allows remote authenticated users to zero out other user's stored addresses by manipulating an id field in the POST request for altering... |
| CVE-2020-6010 | 2020-04-30 | LearnPress Wordpress plugin version prior and including 3.2.6.7 is vulnerable to SQL Injection |
| CVE-2020-12050 | 2020-04-30 | SQLiteODBC 0.9996, as packaged for certain Linux distributions as 0.9996-4, has a race condition leading to root privilege escalation because any user can replace a /tmp/sqliteodbc$$ file with new contents... |
| CVE-2020-10691 | 2020-04-30 | An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without... |
| CVE-2020-11651 | 2020-04-30 | An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to... |
| CVE-2020-11652 | 2020-04-30 | An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow... |
| CVE-2020-7136 | 2020-04-30 | A security vulnerability in HPE Smart Update Manager (SUM) prior to version 8.5.6 could allow remote unauthorized access. Hewlett Packard Enterprise has provided a software update to resolve this vulnerability... |
| CVE-2019-12425 | 2020-04-30 | Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting arbitrary host |
| CVE-2019-0235 | 2020-04-30 | Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks. |
| CVE-2020-5871 | 2020-04-30 | On BIG-IP 14.1.0-14.1.2.3, undisclosed requests can lead to a denial of service (DoS) when sent to BIG-IP HTTP/2 virtual servers. The problem can occur when ciphers, which have been blacklisted... |
| CVE-2020-5872 | 2020-04-30 | On BIG-IP 14.1.0-14.1.2.3, 14.0.0-14.0.1, 13.1.0-13.1.3.1, and 12.1.0-12.1.4.1, when processing TLS traffic with hardware cryptographic acceleration enabled on platforms with Intel QAT hardware, the Traffic Management Microkernel (TMM) may stop responding... |
| CVE-2020-5874 | 2020-04-30 | On BIG-IP APM 15.0.0-15.0.1.2, 14.1.0-14.1.2.3, and 14.0.0-14.0.1, in certain circumstances, an attacker sending specifically crafted requests to a BIG-IP APM virtual server may cause a disruption of service provided by... |
| CVE-2020-5873 | 2020-04-30 | On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.6.1-11.6.5 and BIG-IQ 5.2.0-7.1.0, a user associated with the Resource Administrator role who has access to the secure copy (scp) utility but does... |
| CVE-2020-5878 | 2020-04-30 | On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.1, and 14.1.0-14.1.2.3, Traffic Management Microkernel (TMM) may restart on BIG-IP Virtual Edition (VE) while processing unusual IP traffic. |
| CVE-2020-5875 | 2020-04-30 | On BIG-IP 15.0.0-15.0.1 and 14.1.0-14.1.2.3, under certain conditions, the Traffic Management Microkernel (TMM) may generate a core file and restart while processing SSL traffic with an HTTP/2 full proxy. |
| CVE-2020-5876 | 2020-04-30 | On BIG-IP 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, a race condition exists where mcpd and other processes may make unencrypted connection attempts to a new configuration sync peer. The race... |
| CVE-2020-5877 | 2020-04-30 | On BIG-IP 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, malformed input to the DATAGRAM::tcp iRules command within a FLOW_INIT event may lead to a denial of service. |
| CVE-2020-5884 | 2020-04-30 | On versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.4, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the default deployment mode for BIG-IP high availability (HA) pair mirroring is insecure. This is a control plane issue that is exposed... |
| CVE-2020-5882 | 2020-04-30 | On BIG-IP 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5, and 11.6.1-11.6.5.1, under certain conditions, the Intel QuickAssist Technology (QAT) cryptography driver may produce a Traffic Management Microkernel (TMM) core file. |
| CVE-2020-5881 | 2020-04-30 | On versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, and 13.1.0-13.1.3.3, when the BIG-IP Virtual Edition (VE) is configured with VLAN groups and there are devices configured with OSPF connected to it, the Network Device... |
| CVE-2020-5885 | 2020-04-30 | On versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, and 12.1.0-12.1.5.1, BIG-IP systems set up for connection mirroring in a high availability (HA) pair transfer sensitive cryptographic objects over an insecure communications channel. This... |
| CVE-2020-5887 | 2020-04-30 | On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, BIG-IP Virtual Edition (VE) may expose a mechanism for remote attackers to access local daemons and bypass port lockdown settings. |
| CVE-2020-5879 | 2020-04-30 | On BIG-IP ASM 11.6.1-11.6.5.1, under certain configurations, the BIG-IP system sends data plane traffic to back-end servers unencrypted, even when a Server SSL profile is applied. |
| CVE-2020-5883 | 2020-04-30 | On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.3, 14.0.0-14.0.1, and 13.1.0-13.1.3.1, when a virtual server is configured with HTTP explicit proxy and has an attached HTTP_PROXY_REQUEST iRule, POST requests sent to the virtual server... |
| CVE-2020-5886 | 2020-04-30 | On versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, and 12.1.0-12.1.5.1, BIG-IP systems setup for connection mirroring in a High Availability (HA) pair transfers sensitive cryptographic objects over an insecure communications channel. This is... |
| CVE-2020-5880 | 2020-04-30 | Om BIG-IP 15.0.0-15.0.1.3 and 14.1.0-14.1.2.3, the restjavad process may expose a way for attackers to upload arbitrary files on the BIG-IP system, bypassing the authorization system. Resulting error messages may... |
| CVE-2020-5891 | 2020-04-30 | On BIG-IP 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, undisclosed HTTP/2 requests can lead to a denial of service when sent to a virtual server configured with the Fallback Host setting and a... |
| CVE-2020-5889 | 2020-04-30 | On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, in BIG-IP APM portal access, a specially crafted HTTP request can lead to reflected XSS after the BIG-IP APM system rewrites the HTTP response... |
| CVE-2020-5893 | 2020-04-30 | In versions 7.1.5-7.1.8, when a user connects to a VPN using BIG-IP Edge Client over an unsecure network, BIG-IP Edge Client responds to authentication requests over HTTP while sending probes... |
| CVE-2020-5892 | 2020-04-30 | In versions 7.1.5-7.1.8, the BIG-IP Edge Client components in BIG-IP APM, Edge Gateway, and FirePass legacy allow attackers to obtain the full session ID from process memory. |
| CVE-2020-5888 | 2020-04-30 | On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, BIG-IP Virtual Edition (VE) may expose a mechanism for adjacent network (layer 2) attackers to access local daemons and bypass port lockdown settings. |
| CVE-2020-5890 | 2020-04-30 | On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, and 12.1.0-12.1.5.1 and BIG-IQ 5.2.0-7.1.0, when creating a QKView, credentials for binding to LDAP servers used for remote authentication of the BIG-IP administrative interface will... |
| CVE-2020-6867 | 2020-04-30 | ZTE's SDON controller is impacted by the resource management error vulnerability. When RPC is frequently called by other applications in the case of mass traffic data in the system, it... |
| CVE-2020-6865 | 2020-04-30 | ZTE SDN controller platform is impacted by an information leakage vulnerability. Due to the program's failure to optimize the response of failure to the request, the caller can directly view... |
| CVE-2020-6866 | 2020-04-30 | A ZTE product is impacted by a resource management error vulnerability. An attacker could exploit this vulnerability to cause a denial of service by issuing a specific command. This affects:... |
| CVE-2020-1817 | 2020-04-30 | Huawei PCManager with versions earlier than 10.0.1.36 has a privilege escalation vulnerability. Due to improper permission management of specific files, local attackers with low permissions can inject commands to exploit... |
| CVE-2020-9098 | 2020-04-30 | Huawei OceanStor 5310 product with version of V500R007C60SPC100 has an invalid pointer access vulnerability. The software system access an invalid pointer when attacker malformed packet. Due to the insufficient validation... |
| CVE-2020-11025 | 2020-04-30 | Authenticated cross-site scripting (XSS) in WordPress Customizer |
| CVE-2020-11030 | 2020-04-30 | Cross-site scripting (XSS) in Search block in WordPress |
| CVE-2020-11029 | 2020-04-30 | Cross-site scripting in stats method (object cache) in WordPress |
| CVE-2020-11028 | 2020-04-30 | Unauthenticated disclosure of certain private posts in WordPress |
| CVE-2020-11026 | 2020-04-30 | Specially crafted filenames in WordPress leading to XSS |
| CVE-2020-11037 | 2020-04-30 | Potential Observable Timing Discrepancy in Wagtail |
| CVE-2020-11016 | 2020-04-30 | Remote code execution in Message sending functionality in IntelMQ Manager |
| CVE-2020-12117 | 2020-05-01 | Moxa Service in Moxa NPort 5150A firmware version 1.5 and earlier allows attackers to obtain sensitive configuration values via a crafted packet to UDP port 4800. NOTE: Moxa Service is... |
| CVE-2020-12474 | 2020-05-01 | Telegram Desktop through 2.0.1, Telegram through 6.0.1 for Android, and Telegram through 6.0.1 for iOS allow an IDN Homograph attack via Punycode in a public URL or a group chat... |
| CVE-2020-7351 | 2020-05-01 | Fonality Trixbox CE Post-Authentication Command Injection |
| CVE-2019-4209 | 2020-05-01 | HCL Connections v5.5, v6.0, and v6.5 contains an open redirect vulnerability which could be exploited by an attacker to conduct phishing attacks. |
| CVE-2020-10683 | 2020-05-01 | dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how... |
| CVE-2020-8157 | 2020-05-02 | UniFi Cloud Key firmware <= v1.1.10 for Cloud Key gen2 and Cloud Key gen2 Plus contains a vulnerability that allows unrestricted root access through the serial interface (UART). |
| CVE-2020-5727 | 2020-05-02 | Authentication bypass using an alternate path or channel in SimpliSafe SS3 firmware 1.4 allows a local, unauthenticated attacker to pair a rogue keypad to an armed system. |
| CVE-2020-7645 | 2020-05-02 | All versions of chrome-launcher allow execution of arbitrary commands, by controlling the $HOME environment variable in Linux operating systems. |
| CVE-2020-12624 | 2020-05-03 | The League application before 2020-05-02 on Android sends a bearer token in an HTTP Authorization header to an arbitrary web site that hosts an external image because an OkHttp object... |
| CVE-2020-10717 | 2020-05-04 | A potential DoS flaw was found in the virtio-fs shared file system daemon (virtiofsd) implementation of the QEMU version >= v5.0. Virtio-fs is meant to share a host file system... |
| CVE-2020-12626 | 2020-05-04 | An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered. |
| CVE-2020-12625 | 2020-05-04 | An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message. |
| CVE-2020-12627 | 2020-05-04 | Calibre-Web 0.6.6 allows authentication bypass because of the 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT' hardcoded secret key. |
| CVE-2020-1631 | 2020-05-04 | Out of Cycle Security Advisory: Junos OS: Security vulnerability in J-Web and web based (HTTP/HTTPS) services |
| CVE-2019-11823 | 2020-05-04 | CRLF injection vulnerability in Network Center in Synology Router Manager (SRM) before 1.2.3-8017-2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network... |