CVE List - 2020 / March
Showing 1 - 100 of 1754 CVEs for March 2020 (Page 1 of 18)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-9534 | 2020-03-01 | fmwlan.c on D-Link DIR-615Jx10 devices has a stack-based buffer overflow via the formWlanSetup webpage parameter when f_radius_ip1 is malformed. |
| CVE-2020-9540 | 2020-03-01 | Sophos HitmanPro.Alert before build 861 allows local elevation of privilege. |
| CVE-2020-9545 | 2020-03-02 | Pale Moon 28.x before 28.8.4 has a segmentation fault related to module scripting, as demonstrated by a Lacoste web site. |
| CVE-2020-9548 | 2020-03-02 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). |
| CVE-2020-9547 | 2020-03-02 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). |
| CVE-2020-9546 | 2020-03-02 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). |
| CVE-2020-6792 | 2020-03-02 | When deriving an identifier for an email message, uninitialized memory was used in addition to the message contents. This vulnerability affects Thunderbird < 68.5. |
| CVE-2020-6793 | 2020-03-02 | When processing an email message with an ill-formed envelope, Thunderbird could read data from a random memory location. This vulnerability affects Thunderbird < 68.5. |
| CVE-2020-6794 | 2020-03-02 | If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored... |
| CVE-2020-6795 | 2020-03-02 | When processing a message that contains multiple S/MIME signatures, a bug in the MIME processing code caused a null pointer dereference, leading to an unexploitable crash. This vulnerability affects Thunderbird... |
| CVE-2020-6796 | 2020-03-02 | A content process could have modified shared memory relating to crash reporting information, crash itself, and cause an out-of-bound write. This could have caused memory corruption and a potentially exploitable... |
| CVE-2020-6797 | 2020-03-02 | By downloading a file with the .fileloc extension, a semi-privileged extension could launch an arbitrary application on the user's computer. The attacker is restricted as they are unable to download... |
| CVE-2020-6798 | 2020-03-02 | If a template tag was used in a select tag, the parser could be confused and allow JavaScript parsing and execution when it should not be allowed. A site that... |
| CVE-2020-6799 | 2020-03-02 | Command line arguments could have been injected during Firefox invocation as a shell handler for certain unsupported file types. This required Firefox to be configured as the default handler for... |
| CVE-2020-6800 | 2020-03-02 | Mozilla developers and community members reported memory safety bugs present in Firefox 72 and Firefox ESR 68.4. Some of these bugs showed evidence of memory corruption and we presume that... |
| CVE-2020-6801 | 2020-03-02 | Mozilla developers reported memory safety bugs present in Firefox 72. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could... |
| CVE-2019-17026 | 2020-03-02 | Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw. This... |
| CVE-2020-9549 | 2020-03-02 | In PDFResurrect 0.12 through 0.19, get_type in pdf.c has an out-of-bounds write via a crafted PDF document. |
| CVE-2020-5539 | 2020-03-02 | GRANDIT Ver.1.6, Ver.2.0, Ver.2.1, Ver.2.2, Ver.2.3, and Ver.3.0 do not properly manage sessions, which allows remote attackers to impersonate an arbitrary user and then alter or disclose the information via... |
| CVE-2018-17058 | 2020-03-02 | An issue was discovered in JABA XPress Online Shop through 2018-09-14. It contains an arbitrary file upload vulnerability in the picture-upload feature of ProductEdit.aspx. An authenticated attacker may bypass the... |
| CVE-2020-4283 | 2020-03-02 | IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, and 1.0.4 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound... |
| CVE-2020-4292 | 2020-03-02 | IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, and 1.0.4 uses a cross-domain policy file that includes domains that should not be trusted which could disclose sensitive information. IBM... |
| CVE-2020-8500 | 2020-03-02 | In Artica Pandora FMS 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the Updater or Extension component. NOTE: The vendor reports that this is... |
| CVE-2019-20487 | 2020-03-02 | An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multiple actions within the WNR1000V4 web management console are vulnerable to an unauthenticated GET request (exploitable directly or through CSRF), as... |
| CVE-2019-20489 | 2020-03-02 | An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. The web management interface (setup.cgi) has an authentication bypass and other problems that ultimately allow an attacker to remotely compromise the... |
| CVE-2019-20488 | 2020-03-02 | An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multiple actions within the web management interface (setup.cgi) are vulnerable to command injection, allowing remote attackers to execute arbitrary commands, as... |
| CVE-2019-20486 | 2020-03-02 | An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multiple pages (setup.cgi and adv_index.htm) within the web management console are vulnerable to stored XSS, as demonstrated by the configuration of... |
| CVE-2019-12183 | 2020-03-02 | Incorrect Access Control in Safescan Timemoto TM-616 and TA-8000 series allows remote attackers to read any file via the administrative API. |
| CVE-2020-5249 | 2020-03-02 | HTTP Response Splitting (Early Hints) in Puma |
| CVE-2019-18897 | 2020-03-02 | Local privilege escalation from user salt to root |
| CVE-2015-1583 | 2020-03-02 | Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account via a request to... |
| CVE-2017-12580 | 2020-03-02 | An issue was discovered in IDM UltraEdit through 24.10.0.32. To exploit the vulnerability, on unpatched Windows systems, an attacker could include in the same directory as the affected executable a... |
| CVE-2019-18901 | 2020-03-02 | mysql-systemd-helper allows setting 640 permissions of arbitrary files |
| CVE-2020-1731 | 2020-03-02 | A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random admin password when installing Keycloak, however the password remains... |
| CVE-2019-14892 | 2020-03-02 | A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes.... |
| CVE-2018-14384 | 2020-03-02 | The Website Manager module in SEO Panel 3.13.0 and earlier is affected by a stored Cross-Site Scripting (XSS) vulnerability, allowing remote authenticated attackers to inject arbitrary web script or HTML... |
| CVE-2020-8013 | 2020-03-02 | permissions: chkstat sets unintended setuid/capabilities for mrsh and wodim |
| CVE-2019-18902 | 2020-03-02 | wicked: Use-after-free when receiving invalid DHCP6 client options |
| CVE-2019-18903 | 2020-03-02 | wicked: Use-after-free when receiving invalid DHCP6 IA_PD option |
| CVE-2019-18863 | 2020-03-02 | A key length vulnerability in the implementation of the SRTP 128-bit key on Mitel 6800 and 6900 SIP series phones, versions 5.1.0.2051 SP2 and earlier, could allow an attacker to... |
| CVE-2019-19370 | 2020-03-02 | A cross-site scripting (XSS) vulnerability in the web conferencing component of the Mitel MiCollab application before 9.0.15 for Android could allow an unauthenticated attacker to conduct a reflected cross-site scripting... |
| CVE-2019-19371 | 2020-03-02 | A cross-site scripting (XSS) vulnerability in the web conferencing component of Mitel MiCollab AWV before 8.1.2.2 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due... |
| CVE-2019-19607 | 2020-03-02 | A SQL injection vulnerability in the web conferencing component of Mitel MiCollab AWV before 8.1.2.2 could allow an unauthenticated attack due to insufficient input validation for the session parameter. A... |
| CVE-2019-19608 | 2020-03-02 | A SQL injection vulnerability in in the web conferencing component of Mitel MiCollab AWV before 8.1.2.2 could allow an unauthenticated attack due to insufficient input validation for the registeredList.cgi page.... |
| CVE-2018-15819 | 2020-03-02 | EasyIO EasyIO-30P devices before 2.0.5.27 have Incorrect Access Control, related to webuser.js. |
| CVE-2018-15820 | 2020-03-02 | EasyIO EasyIO-30P devices before 2.0.5.27 allow XSS via the dev.htm GDN parameter. |
| CVE-2020-8776 | 2020-03-02 | Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via the URL property of a file. |
| CVE-2020-8777 | 2020-03-02 | Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via a user profile photo, as demonstrated by a SCRIPT element in an SVG document. |
| CVE-2020-8778 | 2020-03-02 | Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via an uploaded document, when the attacker has write access to a project. |
| CVE-2020-8437 | 2020-03-02 | The bencoding parser in BitTorrent uTorrent through 3.5.5 (build 45505) misparses nested bencoded dictionaries, which allows a remote attacker to cause a denial of service. |
| CVE-2018-16356 | 2020-03-02 | An issue was discovered in PbootCMS. There is a SQL injection via the api.php/List/index order parameter. |
| CVE-2018-16357 | 2020-03-02 | An issue was discovered in PbootCMS. There is a SQL injection via the api.php/Cms/search order parameter. |
| CVE-2018-17572 | 2020-03-02 | InfluxDB 0.9.5 has Reflected XSS in the Write Data module. |
| CVE-2018-19599 | 2020-03-02 | Monstra CMS 1.6 allows XSS via an uploaded SVG document to the admin/index.php?id=filesmanager&path=uploads/ URI. NOTE: this is a discontinued product. |
| CVE-2018-19658 | 2020-03-02 | The Markdown editor in YXBJ before 8.3.2 on macOS has stored XSS. This behavior may be encountered by some Evernote users; however, it is a vulnerability in YXBJ, not a... |
| CVE-2019-14893 | 2020-03-02 | A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used... |
| CVE-2018-19798 | 2020-03-02 | Fleetco Fleet Maintenance Management (FMM) 1.2 and earlier allows uploading an arbitrary ".php" file with the application/x-php Content-Type to the accidents_add.php?submit=1 URI, as demonstrated by the value_Images_1 field, which leads... |
| CVE-2018-20343 | 2020-03-02 | Multiple buffer overflow vulnerabilities have been found in Ken Silverman Build Engine 1. An attacker could craft a special map file to execute arbitrary code when the map file is... |
| CVE-2018-5951 | 2020-03-02 | An issue was discovered in Mikrotik RouterOS. Crafting a packet that has a size of 1 byte and sending it to an IPv6 address of a RouterOS box with IP... |
| CVE-2020-10018 | 2020-03-02 | WebKitGTK through 2.26.4 and WPE WebKit through 2.26.4 (which are the versions right before 2.28.0) contains a memory corruption issue (use-after-free) that may lead to arbitrary code execution. This issue... |
| CVE-2020-9751 | 2020-03-03 | Naver Cloud Explorer before 2.2.2.11 allows the system to download an arbitrary file from the attacker's server and execute it during the upgrade. |
| CVE-2019-3695 | 2020-03-03 | pcp: Local privilege escalation from user pcp to root |
| CVE-2019-3696 | 2020-03-03 | pcp: Local privilege escalation from user pcp to root through migrate_tempdirs |
| CVE-2020-4196 | 2020-03-03 | IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to... |
| CVE-2020-4197 | 2020-03-03 | IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 174908. |
| CVE-2020-4198 | 2020-03-03 | IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to... |
| CVE-2019-17549 | 2020-03-03 | ESET Cyber Security before 6.8.1.0 is vulnerable to a denial-of-service allowing any user to stop (kill) ESET processes. An attacker can abuse this bug to stop the protection from ESET... |
| CVE-2019-19792 | 2020-03-03 | A permissions issue in ESET Cyber Security before 6.8.300.0 for macOS allows a local attacker to escalate privileges by appending data to root-owned files. |
| CVE-2020-1888 | 2020-03-03 | Insufficient boundary checks when decoding JSON in handleBackslash reads out of bounds memory, potentially leading to DOS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between... |
| CVE-2020-1892 | 2020-03-03 | Insufficient boundary checks when decoding JSON in JSON_parser allows read access to out of bounds memory, potentially leading to information leak and DOS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0,... |
| CVE-2020-1893 | 2020-03-03 | Insufficient boundary checks when decoding JSON in TryParse reads out of bounds memory, potentially leading to DOS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between... |
| CVE-2020-5404 | 2020-03-03 | Authentication Leak On Redirect With Reactor Netty HttpClient |
| CVE-2020-5403 | 2020-03-03 | DoS Via Malformed URL with Reactor Netty HTTP Server |
| CVE-2020-1734 | 2020-03-03 | A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and... |
| CVE-2020-10029 | 2020-03-04 | The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical... |
| CVE-2020-5535 | 2020-03-04 | OpenBlocks IoT VX2 prior to Ver.4.0.0 (Ver.3 Series) allows an attacker on the same network segment to execute arbitrary OS commands with root privileges via unspecified vectors. |
| CVE-2020-5536 | 2020-03-04 | OpenBlocks IoT VX2 prior to Ver.4.0.0 (Ver.3 Series) allows an attacker on the same network segment to bypass authentication and to initialize the device via unspecified vectors. |
| CVE-2019-3404 | 2020-03-04 | By adding some special fields to the uri ofrouter app function, the user could abuse background app cgi functions withoutauthentication. This affects 360 router P0 and F5C. |
| CVE-2020-5251 | 2020-03-04 | Information disclosure in parse-server |
| CVE-2020-9364 | 2020-03-04 | An issue was discovered in helpers/mailer.php in the Creative Contact Form extension 4.6.2 before 2019-12-03 for Joomla!. A directory traversal vulnerability resides in the filename field for uploaded attachments via... |
| CVE-2020-9757 | 2020-03-04 | The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller. |
| CVE-2020-9761 | 2020-03-04 | An issue was discovered in UNCTAD ASYCUDA World 2001 through 2020. The Java RMI Server has an Insecure Default Configuration, leading to Java Code Execution from a remote URL because... |
| CVE-2020-7988 | 2020-03-04 | An issue was discovered in tools/pass-change/result.php in phpIPAM 1.4. CSRF can be used to change the password of any user/admin, to escalate privileges, and to gain access to more data... |
| CVE-2020-10057 | 2020-03-04 | GeniXCMS 1.1.7 is vulnerable to user privilege escalation due to broken access control. This issue exists because of an incomplete fix for CVE-2015-2680, in which "token" is used as a... |
| CVE-2019-19222 | 2020-03-04 | A Stored XSS issue in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an authenticated attacker to inject arbitrary JavaScript code into the info.html administration page by sending a... |
| CVE-2019-19223 | 2020-03-04 | A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an attacker to reboot the router by submitting a reboot.html GET request without being authenticated... |
| CVE-2019-19224 | 2020-03-04 | A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an attacker to download the configuration (binary file) settings by submitting a rom-0 GET request... |
| CVE-2019-19225 | 2020-03-04 | A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an attacker to change DNS servers without being authenticated on the admin interface by submitting... |
| CVE-2019-19226 | 2020-03-04 | A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an attacker to enable or disable MAC address filtering by submitting a crafted Forms/WlanMacFilter_1 POST... |
| CVE-2020-9371 | 2020-03-04 | Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or HTML. |
| CVE-2020-9372 | 2020-03-04 | The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could... |
| CVE-2020-9476 | 2020-03-04 | ARRIS TG1692A devices allow remote attackers to discover the administrator login name and password by reading the /login page and performing base64 decoding. |
| CVE-2020-9477 | 2020-03-04 | An issue was discovered on HUMAX HGA12R-02 BRGCAA 1.1.53 devices. A vulnerability in the authentication functionality in the web-based interface could allow an unauthenticated remote attacker to capture packets at... |
| CVE-2020-9550 | 2020-03-04 | Rubetek SmartHome 2020 devices use unencrypted 433 MHz communication between controllers and beacons, allowing an attacker to sniff and spoof beacon requests remotely. |
| CVE-2020-3181 | 2020-03-04 | Cisco Email Security Appliance Uncontrolled Resource Exhaustion Vulnerability |
| CVE-2020-3182 | 2020-03-04 | Cisco Webex Meetings Client for MacOS Information Disclosure Vulnerability |
| CVE-2020-3185 | 2020-03-04 | Cisco TelePresence Management Suite Stored Cross-Site Scripting Vulnerability |
| CVE-2020-3190 | 2020-03-04 | Cisco IOS XR Software IPsec Packet Processor Denial of Service Vulnerability |
| CVE-2020-3192 | 2020-03-04 | Cisco Prime Collaboration Provisioning Cross-Site Scripting Vulnerability |
| CVE-2020-3193 | 2020-03-04 | Cisco Prime Collaboration Provisioning Information Disclosure Vulnerability |