CVE List - 2020 / March
Showing 901 - 1000 of 1754 CVEs for March 2020 (Page 10 of 18)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-7604 | 2020-03-15 | pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of... |
| CVE-2020-7606 | 2020-03-15 | docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users... |
| CVE-2020-7605 | 2020-03-15 | gulp-tape through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands as part of 'gulp-tape' options. |
| CVE-2020-7607 | 2020-03-15 | gulp-styledocco through 0.0.3 allows execution of arbitrary commands. The argument 'options' of the exports function in 'index.js' can be controlled by users without any sanitization. |
| CVE-2020-7603 | 2020-03-15 | closure-compiler-stream through 0.1.15 allows execution of arbitrary commands. The argument "options" of the exports function in "index.js" can be controlled by users without any sanitization. |
| CVE-2020-9290 | 2020-03-15 | An Unsafe Search Path vulnerability in FortiClient for Windows online installer 6.2.3 and below may allow a local attacker with control over the directory in which FortiClientOnlineInstaller.exe and FortiClientVPNOnlineInstaller.exe resides... |
| CVE-2020-9287 | 2020-03-15 | An Unsafe Search Path vulnerability in FortiClient EMS online installer 6.2.1 and below may allow a local attacker with control over the directory in which FortiClientEMSOnlineInstaller.exe resides to execute arbitrary... |
| CVE-2019-6696 | 2020-03-15 | An improper input validation vulnerability in FortiOS 6.2.1, 6.2.0, 6.0.8 and below until 5.4.0 under admin webUI may allow an attacker to perform an URL redirect attack via a specifically... |
| CVE-2019-17654 | 2020-03-15 | An Insufficient Verification of Data Authenticity vulnerability in FortiManager 6.2.1, 6.2.0, 6.0.6 and below may allow an unauthenticated attacker to perform a Cross-Site WebSocket Hijacking (CSWSH) attack. |
| CVE-2019-15708 | 2020-03-15 | A system command injection vulnerability in the FortiAP-S/W2 6.2.1, 6.2.0, 6.0.5 and below, FortiAP 6.0.5 and below and FortiAP-U below 6.0.0 under CLI admin console may allow unauthorized administrators to... |
| CVE-2020-5542 | 2020-03-16 | Buffer error vulnerability in TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows remote attackers to stop the network functions... |
| CVE-2020-5543 | 2020-03-16 | TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier does not properly manage sessions, which allows remote attackers to stop the... |
| CVE-2020-5544 | 2020-03-16 | Null Pointer Dereference vulnerability in TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows remote attackers to stop the network... |
| CVE-2020-5545 | 2020-03-16 | TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows remote attackers to bypass access restriction and to stop the network... |
| CVE-2020-5546 | 2020-03-16 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier... |
| CVE-2020-5547 | 2020-03-16 | Resource Management Errors vulnerability in TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows remote attackers to stop the network... |
| CVE-2020-9519 | 2020-03-16 | HTTP methods reveled in Web services vulnerability in Micro Focus Service manager (server), affecting versions 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62, 9.63. The vulnerability could be exploited to... |
| CVE-2020-9518 | 2020-03-16 | Login filter can access configuration files vulnerability in Micro Focus Service Manager (Web Tier), affecting versions 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow unauthorized... |
| CVE-2019-10091 | 2020-03-16 | When TLS is enabled with ssl-endpoint-identification-enabled set to true, Apache Geode fails to perform hostname verification of the entries in the certificate SAN during the SSL handshake. This could compromise... |
| CVE-2020-10557 | 2020-03-16 | An issue was discovered in AContent through 1.4. It allows the user to run commands on the server with a low-privileged account. The upload section in the file manager page... |
| CVE-2018-13060 | 2020-03-16 | Easy!Appointments 1.3.0 has a Guessable CAPTCHA issue. |
| CVE-2018-13063 | 2020-03-16 | Easy!Appointments 1.3.0 has a Missing Authorization issue allowing retrieval of hashed passwords and salts. |
| CVE-2020-1753 | 2020-03-16 | A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7,... |
| CVE-2018-10125 | 2020-03-16 | Contao before 4.5.7 has XSS in the system log. |
| CVE-2019-14512 | 2020-03-16 | LimeSurvey 3.17.7+190627 has XSS via Boxes in application/extensions/PanelBoxWidget/views/box.php or a label title in application/views/admin/labels/labelview_view.php. |
| CVE-2019-19208 | 2020-03-16 | Codiad Web IDE through 2.8.4 allows PHP Code injection. |
| CVE-2019-19209 | 2020-03-16 | Dolibarr ERP/CRM before 10.0.3 allows SQL Injection. |
| CVE-2019-14887 | 2020-03-16 | A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from... |
| CVE-2019-19210 | 2020-03-16 | Dolibarr ERP/CRM before 10.0.3 allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files. |
| CVE-2019-19211 | 2020-03-16 | Dolibarr ERP/CRM before 10.0.3 has an Insufficient Filtering issue that can lead to user/card.php XSS. |
| CVE-2020-1736 | 2020-03-16 | A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the... |
| CVE-2020-1735 | 2020-03-16 | A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination... |
| CVE-2020-1740 | 2020-03-16 | A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the... |
| CVE-2019-19851 | 2020-03-16 | An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Debug/Test page of the Superfecta module at the admin/config.php?display=superfecta URI. This affects Superfecta through... |
| CVE-2020-1738 | 2020-03-16 | A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a... |
| CVE-2019-19940 | 2020-03-16 | Incorrect input sanitation in text-oriented user interfaces (telnet, ssh) in Swisscom Centro Grande before 6.16.12 allows remote authenticated users to execute arbitrary commands via command injection. |
| CVE-2019-19941 | 2020-03-16 | Missing hostname validation in Swisscom Centro Grande before 6.16.12 allows a remote attacker to inject its local IP address as a domain entry in the DNS service of the router... |
| CVE-2019-19942 | 2020-03-16 | Missing output sanitation in Swisscom Centro Grande Centro Grande before 6.16.12, Centro Business 1.0 (ADB) before 7.10.18, and Centro Business 2.0 before 8.02.04 allows a remote attacker to perform DNS... |
| CVE-2019-4617 | 2020-03-16 | IBM Cloud Automation Manager 3.2.1.0 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a... |
| CVE-2019-4619 | 2020-03-16 | IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD could allow a local attacker to obtain sensitive information by inclusion of sensitive data... |
| CVE-2019-4656 | 2020-03-16 | IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD is vulnerable to a denial of service attack that would allow an authenticated user... |
| CVE-2019-4719 | 2020-03-16 | IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD could allow a local attacker to obtain sensitive information by inclusion of sensitive data... |
| CVE-2020-6586 | 2020-03-16 | Nagios Log Server 2.1.3 allows XSS by visiting /profile and entering a crafted name field that is mishandled on the /admin/users page. Any malicious user with limited access can store... |
| CVE-2020-6585 | 2020-03-16 | Nagios Log Server 2.1.3 has CSRF. |
| CVE-2020-6584 | 2020-03-16 | Nagios Log Server 2.1.3 has Incorrect Access Control. |
| CVE-2020-10230 | 2020-03-16 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel (for CentOS 6 and 7) allows SQL Injection via the /cwp_{SESSION_HASH}/admin/loader_ajax.php term parameter. |
| CVE-2020-6980 | 2020-03-16 | Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, If Simple Mail Transfer Protocol... |
| CVE-2020-6988 | 2020-03-16 | Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, A remote, unauthenticated attacker can... |
| CVE-2020-6990 | 2020-03-16 | Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic key utilized to... |
| CVE-2020-6984 | 2020-03-16 | Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic function utilized to... |
| CVE-2020-10238 | 2020-03-16 | An issue was discovered in Joomla! before 3.9.16. Various actions in com_templates lack the required ACL checks, leading to various potential attack vectors. |
| CVE-2020-10239 | 2020-03-16 | An issue was discovered in Joomla! before 3.9.16. Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users. |
| CVE-2020-10240 | 2020-03-16 | An issue was discovered in Joomla! before 3.9.16. Missing length checks in the user table can lead to the creation of users with duplicate usernames and/or email addresses. |
| CVE-2019-19135 | 2020-03-16 | In OPC Foundation OPC UA .NET Standard codebase 1.4.357.28, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua before 1.4.359.31, which allows man in the middle attackers to reuse encrypted... |
| CVE-2020-10241 | 2020-03-16 | An issue was discovered in Joomla! before 3.9.16. Missing token checks in the image actions of com_templates lead to CSRF. |
| CVE-2020-10242 | 2020-03-16 | An issue was discovered in Joomla! before 3.9.16. Inadequate handling of CSS selectors in the Protostar and Beez3 JavaScript allows XSS attacks. |
| CVE-2020-10243 | 2020-03-16 | An issue was discovered in Joomla! before 3.9.16. The lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Featured Articles... |
| CVE-2020-7916 | 2020-03-16 | be_teacher in class-lp-admin-ajax.php in the LearnPress plugin 3.2.6.5 and earlier for WordPress allows any registered user to assign itself the teacher role via the wp-admin/admin-ajax.php?action=learnpress_be_teacher URI without any additional permission... |
| CVE-2020-6581 | 2020-03-16 | Nagios NRPE 3.2.1 has Insufficient Filtering because, for example, nasty_metachars interprets \n as the character \ and the character n (not as the \n newline sequence). This can cause command... |
| CVE-2020-6582 | 2020-03-16 | Nagios NRPE 3.2.1 has a Heap-Based Buffer Overflow, as demonstrated by interpretation of a small negative number as a large positive number during a bzero call. |
| CVE-2019-19821 | 2020-03-16 | A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access information and modify information with administrative privileges by not following the HTTP Location... |
| CVE-2019-19945 | 2020-03-16 | uhttpd in OpenWrt through 18.06.5 and 19.x through 19.07.0-rc2 has an integer signedness error. This leads to out-of-bounds access to a heap buffer and a subsequent crash. It can be... |
| CVE-2020-3948 | 2020-03-16 | Linux Guest VMs running on VMware Workstation (15.x before 15.5.2) and Fusion (11.x before 11.5.2) contain a local privilege escalation vulnerability due to improper file permissions in Cortado Thinprint. Local... |
| CVE-2020-3947 | 2020-03-16 | VMware Workstation (15.x before 15.5.2) and Fusion (11.x before 11.5.2) contain a use-after vulnerability in vmnetdhcp. Successful exploitation of this issue may lead to code execution on the host from... |
| CVE-2020-5844 | 2020-03-16 | index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020. |
| CVE-2020-5847 | 2020-03-16 | Unraid through 6.8.0 allows Remote Code Execution. |
| CVE-2020-5849 | 2020-03-16 | Unraid 6.8.0 allows authentication bypass. |
| CVE-2019-5543 | 2020-03-16 | For VMware Horizon Client for Windows (5.x and prior before 5.3.0), VMware Remote Console for Windows (10.x before 11.0.0), VMware Workstation for Windows (15.x before 15.5.2) the folder containing configuration... |
| CVE-2019-19946 | 2020-03-16 | The API in Dradis Pro 3.4.1 allows any user to extract the content of a project, even if this user is not part of the project team. |
| CVE-2020-9321 | 2020-03-16 | configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents from providers before logging. |
| CVE-2019-11073 | 2020-03-16 | A Remote Code Execution vulnerability exists in PRTG Network Monitor before 19.4.54.1506 that allows attackers to execute code due to insufficient sanitization when passing arguments to the HttpTransactionSensor.exe binary. In... |
| CVE-2017-12842 | 2020-03-16 | Bitcoin Core before 0.14 allows an attacker to create an ostensibly valid SPV proof for a payment to a victim who uses an SPV wallet, even if that payment did... |
| CVE-2020-9471 | 2020-03-16 | Umbraco Cloud 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Packages functionality. |
| CVE-2019-19937 | 2020-03-16 | In JFrog Artifactory before 6.18, it is not possible to restrict either system or repository imports by any admin user in the enterprise, which can lead to "undesirable results." |
| CVE-2020-9472 | 2020-03-16 | Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package functionality. |
| CVE-2019-19212 | 2020-03-16 | Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen). |
| CVE-2020-7608 | 2020-03-16 | yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload. |
| CVE-2019-18917 | 2020-03-16 | A potential security vulnerability has been identified for certain HP Printers and All-in-Ones that would allow bypassing account lockout. |
| CVE-2019-19461 | 2020-03-16 | Post-authentication Stored XSS in Team Password Manager through 7.93.204 allows attackers to steal other users' credentials by creating a shared password with HTML code as the title. |
| CVE-2019-19538 | 2020-03-16 | In Sangoma FreePBX 13 through 15 and sysadmin (aka System Admin) 13.0.92 through 15.0.13.6 modules have a Remote Command Execution vulnerability that results in Privilege Escalation. |
| CVE-2019-20491 | 2020-03-16 | cPanel before 82.0.18 allows attackers to leverage virtual mail accounts in order to bypass account suspensions (SEC-508). |
| CVE-2019-19610 | 2020-03-16 | An issue was discovered in Halvotec RaQuest 10.23.10801.0. It allows session fixation. Fixed in Release 24.2020.20608.0. |
| CVE-2019-19612 | 2020-03-16 | An issue was discovered in Halvotec RaQuest 10.23.10801.0. Several features of the application allow stored Cross-site Scripting (XSS). Fixed in Release 24.2020.20608.0. |
| CVE-2019-19613 | 2020-03-16 | An issue was discovered in Halvotec RaQuest 10.23.10801.0. The login page of the admin application is vulnerable to an Open Redirect attack allowing an attacker to redirect a user to... |
| CVE-2019-19615 | 2020-03-16 | Multiple XSS vulnerabilities exist in the Backup & Restore module \ v14.0.10.2 through v14.0.10.7 for FreePBX, as shown at /admin/config.php?display=backup on the FreePBX Administrator web site. An attacker can modify... |
| CVE-2019-19852 | 2020-03-16 | An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13, 14, and 15 within the Call Event Logging report screen in the cel module at the admin/config.php?display=cel URI via... |
| CVE-2020-6175 | 2020-03-16 | Citrix SD-WAN 10.2.x before 10.2.6 and 11.0.x before 11.0.3 has Missing SSL Certificate Validation. |
| CVE-2020-7248 | 2020-03-16 | libubox in OpenWrt before 18.06.7 and 19.x before 19.07.1 has a tagged binary data JSON serialization vulnerability that may cause a stack based buffer overflow. |
| CVE-2020-7919 | 2020-03-16 | Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate. |
| CVE-2020-7982 | 2020-03-16 | An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. A bug in the fork of the opkg package manager before 2020-01-25 prevents correct... |
| CVE-2020-8783 | 2020-03-16 | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4). |
| CVE-2019-20326 | 2020-03-16 | A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg() in extensions/cairo_io/cairo-image-surface-jpeg.c in GNOME gThumb before 3.8.3 and Linux Mint Pix before 2.4.5 allows attackers to cause a crash and potentially execute arbitrary code... |
| CVE-2020-8787 | 2020-03-16 | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted. |
| CVE-2020-8786 | 2020-03-16 | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4). |
| CVE-2020-8785 | 2020-03-16 | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4). |
| CVE-2020-8784 | 2020-03-16 | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4). |
| CVE-2019-20191 | 2020-03-16 | Oxygen XML Editor 21.1.1 allows XXE to read any file. |
| CVE-2020-9346 | 2020-03-16 | Zoho ManageEngine Password Manager Pro 10.4 and prior has no protection against Cross-site Request Forgery (CSRF) attacks, as demonstrated by changing a user's role. |
| CVE-2020-9347 | 2020-03-16 | Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes... |
| CVE-2019-20105 | 2020-03-17 | The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1,... |