CVE List - 2020 / May
Showing 201 - 300 of 1017 CVEs for May 2020 (Page 3 of 11)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-5745 | 2020-05-07 | Cross-site request forgery in TCExam 14.2.2 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link. |
| CVE-2020-5748 | 2020-05-07 | Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature. |
| CVE-2020-5751 | 2020-05-07 | Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted operator. |
| CVE-2020-5749 | 2020-05-07 | Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted group. |
| CVE-2020-5750 | 2020-05-07 | Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature. |
| CVE-2020-12448 | 2020-05-07 | GitLab EE 12.8 and later allows Exposure of Sensitive Information to an Unauthorized Actor via NuGet. |
| CVE-2020-12608 | 2020-05-07 | An issue was discovered in SolarWinds MSP PME (Patch Management Engine) Cache Service before 1.1.15 in the Advanced Monitoring Agent. There are insecure file permissions for %PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\config\. This can... |
| CVE-2020-7646 | 2020-05-07 | curlrequest through 1.0.1 allows reading any file by populating the file parameter with user input. |
| CVE-2020-12679 | 2020-05-07 | A reflected cross-site scripting (XSS) vulnerability in the Mitel ShoreTel Conference Web Application 19.50.1000.0 before MiVoice Connect 18.7 SP2 allows remote attackers to inject arbitrary JavaScript and HTML via the... |
| CVE-2020-7805 | 2020-05-07 | An issue was discovered on KT Slim egg IML500 (R7283, R8112, R8424) and IML520 (R8112, R8368, R8411) wifi device. This issue is a command injection allowing attackers to execute arbitrary... |
| CVE-2020-10974 | 2020-05-07 | An issue was discovered affecting a backup feature where a crafted POST request returns the current configuration of the device in cleartext, including the administrator password. No authentication is required.... |
| CVE-2020-7803 | 2020-05-07 | Zoneplayer ActiveX File Download Vulnerability |
| CVE-2020-10973 | 2020-05-07 | An issue was discovered in Wavlink WN530HG4, Wavlink WN531G3, Wavlink WN533A8, and Wavlink WN551K1 affecting /cgi-bin/ExportAllSettings.sh where a crafted POST request returns the current configuration of the device, including the... |
| CVE-2020-10972 | 2020-05-07 | An issue was discovered where a page is exposed that has the current administrator password in cleartext in the source code of the page. No authentication is required in order... |
| CVE-2020-10971 | 2020-05-07 | An issue was discovered on Wavlink Jetstream devices where a crafted POST request can be sent to adm.cgi that will result in the execution of the supplied command if there... |
| CVE-2019-19164 | 2020-05-07 | Dext5 Upload ActiveX Arbitrary File Execution Vulnerability |
| CVE-2020-12708 | 2020-05-07 | Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. NOTE: this might overlap CVE-2012-6043. |
| CVE-2020-12707 | 2020-05-07 | An XSS vulnerability exists in modules/wysiwyg/save.php of LeptonCMS 4.5.0. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT elements. A malicious actor... |
| CVE-2020-12706 | 2020-05-07 | Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php |
| CVE-2020-12705 | 2020-05-07 | Multiple cross-site scripting (XSS) vulnerabilities exist in LeptonCMS before 4.6.0. |
| CVE-2020-12704 | 2020-05-07 | UliCMS before 2020.2 has PageController stored XSS. |
| CVE-2020-12703 | 2020-05-07 | UliCMS before 2020.2 has XSS during PackageController uninstall. |
| CVE-2020-12116 | 2020-05-07 | Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request. |
| CVE-2020-4427 | 2020-05-07 | IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted... |
| CVE-2020-4428 | 2020-05-07 | IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533. |
| CVE-2020-4429 | 2020-05-07 | IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to login and... |
| CVE-2020-4430 | 2020-05-07 | IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to... |
| CVE-2020-11050 | 2020-05-07 | Improper Validation of Certificate with Host Mismatch in Java-WebSocket |
| CVE-2020-9474 | 2020-05-07 | The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 allows remote code execution via the backup functionality in the web frontend. By using an exploit chain, an attacker... |
| CVE-2020-11052 | 2020-05-07 | Improper Restriction of Excessive Authentication Attempts in Sorcery |
| CVE-2020-9475 | 2020-05-07 | The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 allows local privilege escalation via a race condition in logrotate. By using an exploit chain, an attacker with access... |
| CVE-2020-11053 | 2020-05-07 | Open Redirect in OAuth2 Proxy |
| CVE-2020-10794 | 2020-05-07 | Gira TKS-IP-Gateway 4.0.7.7 is vulnerable to unauthenticated path traversal that allows an attacker to download the application database. This can be combined with CVE-2020-10795 for remote root access. |
| CVE-2020-10795 | 2020-05-07 | Gira TKS-IP-Gateway 4.0.7.7 is vulnerable to authenticated remote code execution via the backup functionality of the web frontend. This can be combined with CVE-2020-10794 for remote root access. |
| CVE-2020-11054 | 2020-05-07 | Incorrect Provision of Specified Functionality in qutebrowser |
| CVE-2020-10176 | 2020-05-07 | ASSA ABLOY Yale WIPC-301W 2.x.2.29 through 2.x.2.43_p1 devices allow Eval Injection of commands. |
| CVE-2020-11055 | 2020-05-07 | Cross-site Scripting in BookStack |
| CVE-2020-11056 | 2020-05-07 | Potential Code Injection in Sprout Forms |
| CVE-2015-7946 | 2020-05-07 | MTP service exposed during emergency dialer |
| CVE-2020-10916 | 2020-05-07 | This vulnerability allows network-adjacent attackers to escalate privileges on affected installations of TP-Link TL-WA855RE Firmware Ver: 855rev4-up-ver1-0-1-P1[20191213-rel60361] Wi-Fi extenders. Although authentication is required to exploit this vulnerability, the existing authentication... |
| CVE-2014-1423 | 2020-05-07 | Online Accounts Signon daemon gives out all oauth tokens to any app |
| CVE-2020-12718 | 2020-05-07 | In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML... |
| CVE-2020-12719 | 2020-05-07 | XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and... |
| CVE-2020-12720 | 2020-05-07 | vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control. |
| CVE-2012-0952 | 2020-05-08 | Heap overflow in control device ioctl |
| CVE-2012-0953 | 2020-05-08 | Kernel heap contents leak race in ioctl handler |
| CVE-2020-12735 | 2020-05-08 | reset.php in DomainMOD 4.13.0 uses insufficient entropy for password reset requests, leading to account takeover. |
| CVE-2020-12022 | 2020-05-08 | Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. An improper validation vulnerability exists that could allow an attacker to inject specially crafted input into memory where it can be... |
| CVE-2020-12010 | 2020-05-08 | Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow an authenticated user to use a specially crafted file to delete files... |
| CVE-2020-12006 | 2020-05-08 | Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the application’s control. |
| CVE-2020-7264 | 2020-05-08 | Privilege Escalation vulnerability through symbolic links in ENS for Windows |
| CVE-2020-12014 | 2020-05-08 | Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Input is not properly sanitized and may allow an attacker to inject SQL commands. |
| CVE-2020-12026 | 2020-05-08 | Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the application’s control. |
| CVE-2020-10638 | 2020-05-08 | Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple heap-based buffer overflow vulnerabilities exist caused by a lack of proper validation of the length of user-supplied data, which may... |
| CVE-2020-7265 | 2020-05-08 | Privilege Escalation vulnerability through symbolic links in ENSM |
| CVE-2020-12002 | 2020-05-08 | Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple stack-based buffer overflow vulnerabilities exist caused by a lack of proper validation of the length of user-supplied data, which may... |
| CVE-2020-12018 | 2020-05-08 | Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. An out-of-bounds vulnerability exists that may allow access to unauthorized data. |
| CVE-2020-7266 | 2020-05-08 | Privilege Escalation vulnerability through symbolic links in VSE for Windows |
| CVE-2020-12680 | 2020-05-08 | Avira Free Antivirus through 15.0.2005.1866 allows local users to discover user credentials. The functions of the executable file Avira.PWM.NativeMessaging.exe are aimed at collecting credentials stored in Chrome, Firefox, Opera, and... |
| CVE-2020-5741 | 2020-05-08 | Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code. |
| CVE-2020-7267 | 2020-05-08 | Privilege Escalation vulnerability through symbolic links in VSEL |
| CVE-2020-7286 | 2020-05-08 | Privilege Escalation vulnerability in EDR for Windows |
| CVE-2020-7285 | 2020-05-08 | Privilege Escalation vulnerability in MVISION Endpoint |
| CVE-2020-7289 | 2020-05-08 | Privilege Escalation vulnerability in MAR for Windows |
| CVE-2020-7288 | 2020-05-08 | Privilege Escalation vulnerability in EDR for Mac |
| CVE-2020-7287 | 2020-05-08 | Privilege Escalation vulnerability in EDR for Linux |
| CVE-2020-7291 | 2020-05-08 | Privilege Escalation vulnerability in MAR for Mac |
| CVE-2020-7290 | 2020-05-08 | Privilege Escalation vulnerability in MAR for Linux |
| CVE-2020-11541 | 2020-05-08 | In TechSmith SnagIt 11.2.1 through 20.0.3, an XML External Entity (XXE) injection issue exists that would allow a local attacker to exfiltrate data under the local Administrator account. |
| CVE-2019-10169 | 2020-05-08 | A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw allows an authenticated attacker with UMA... |
| CVE-2019-10170 | 2020-05-08 | A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated... |
| CVE-2020-10690 | 2020-05-08 | There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates... |
| CVE-2019-14898 | 2020-05-08 | The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could use this flaw to obtain sensitive information, cause a denial of service, or... |
| CVE-2020-12737 | 2020-05-08 | An issue was discovered in Maxum Rumpus before 8.2.12 on macOS. Authenticated users can perform a path traversal using double escaped characters, enabling read access to arbitrary files on the... |
| CVE-2020-12740 | 2020-05-08 | tcprewrite in Tcpreplay through 4.3.2 has a heap-based buffer over-read during a get_c operation. The issue is being triggered in the function get_ipv6_next() at common/get.c. |
| CVE-2018-20225 | 2020-05-08 | An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from... |
| CVE-2020-11006 | 2020-05-08 | Potential remote code execution in Shopizer |
| CVE-2020-11530 | 2020-05-08 | A blind SQL injection vulnerability is present in Chop Slider 3, a WordPress plugin. The vulnerability is introduced in the id GET parameter supplied to get_script/index.php, and allows an attacker... |
| CVE-2020-6616 | 2020-05-08 | Some Broadcom chips mishandle Bluetooth random-number generation because a low-entropy Pseudo Random Number Generator (PRNG) is used in situations where a Hardware Random Number Generator (HRNG) should have been used... |
| CVE-2020-11531 | 2020-05-08 | The DataEngine Xnode Server application in Zoho ManageEngine DataSecurity Plus prior to 6.0.1 does not validate the database schema name when handling a DR-SCHEMA-SYNC request. This allows an authenticated attacker... |
| CVE-2020-11532 | 2020-05-08 | Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This allows an attacker to bypass authentication for this server and execute... |
| CVE-2020-12762 | 2020-05-09 | json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend. |
| CVE-2020-12755 | 2020-05-09 | fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras through 20.04.0 makes a cacheAuthentication call even if the user had not set the keepPassword option. This may lead to unintended KWallet storage of... |
| CVE-2020-12637 | 2020-05-09 | Zulip Desktop before 5.2.0 has Missing SSL Certificate Validation because all validation was inadvertently disabled during an attempt to recognize the ignoreCerts option. |
| CVE-2020-12761 | 2020-05-09 | modules/loaders/loader_ico.c in imlib2 1.6.0 has an integer overflow (with resultant invalid memory allocations and out-of-bounds reads) via an icon with many colors in its color map. |
| CVE-2019-20794 | 2020-05-09 | An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem.... |
| CVE-2020-12766 | 2020-05-09 | Gnuteca 3.8 allows action=main:search:simpleSearch SQL Injection via the exemplaryStatusId parameter. |
| CVE-2020-12765 | 2020-05-09 | Solis Miolo 2.0 allows index.php?module=install&action=view&item= Directory Traversal. |
| CVE-2020-12764 | 2020-05-09 | Gnuteca 3.8 allows file.php?folder=/&file= Directory Traversal. |
| CVE-2019-20795 | 2020-05-09 | iproute2 before 5.1.0 has a use-after-free in get_netnsid_from_name in ip/ipnetns.c. NOTE: security relevance may be limited to certain uses of setuid that, although not a default, are sometimes a configuration... |
| CVE-2020-12771 | 2020-05-09 | An issue was discovered in the Linux kernel through 5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c has a deadlock if a coalescing operation fails. |
| CVE-2020-12770 | 2020-05-09 | An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040. |
| CVE-2020-12769 | 2020-05-09 | An issue was discovered in the Linux kernel before 5.4.17. drivers/spi/spi-dw.c allows attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one, aka CID-19b61392c5a8. |
| CVE-2020-12768 | 2020-05-09 | An issue was discovered in the Linux kernel before 5.6. svm_cpu_uninit in arch/x86/kvm/svm.c has a memory leak, aka CID-d80b64ff297e. NOTE: third parties dispute this issue because it's a one-time leak... |
| CVE-2020-12767 | 2020-05-09 | exif_entry_get_value in exif-entry.c in libexif 0.6.21 has a divide-by-zero error. |
| CVE-2020-9315 | 2020-05-10 | ** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7.0.x has Incorrect Access Control for admingui/version URIs in the Administration console, as demonstrated by unauthenticated read access to... |
| CVE-2020-9314 | 2020-05-10 | ** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7.0.x allows image injection in the Administration console via the productNameSrc parameter to an admingui URI. This issue exists... |
| CVE-2020-10685 | 2020-05-11 | A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including... |
| CVE-2020-5538 | 2020-05-11 | Improper Access Control in PALLET CONTROL Ver. 6.3 and earlier allows authenticated attackers to execute arbitrary code with the SYSTEM privilege on the computer where PALLET CONTROL is installed via... |
| CVE-2020-12743 | 2020-05-11 | An issue was discovered in Gazie 7.32. A successful installation does not remove or block (or in any other way prevent use of) its own file /setup/install/setup.php, meaning that anyone... |