CVE List - 2020 / March
Showing 1001 - 1100 of 1754 CVEs for March 2020 (Page 11 of 18)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-20407 | 2020-03-17 | The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have... |
| CVE-2020-6646 | 2020-03-17 | An improper neutralization of input vulnerability in FortiWeb allows a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Disclaimer Description of a Replacement Message. |
| CVE-2019-20452 | 2020-03-17 | A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/core.access/src/RecycleBinManager.php. An authenticated user with basic privileges... |
| CVE-2019-20453 | 2020-03-17 | A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/uploader.http/HttpDownload.php. An authenticated user with basic privileges... |
| CVE-2020-10380 | 2020-03-17 | RMySQL through 0.10.19 allows SQL Injection. |
| CVE-2019-11074 | 2020-03-17 | A Write to Arbitrary Location in Disk vulnerability exists in PRTG Network Monitor 19.1.49 and below that allows attackers to place files in arbitrary locations with SYSTEM privileges (although not... |
| CVE-2018-18576 | 2020-03-17 | The Hustle (aka wordpress-popup) plugin through 6.0.5 for WordPress allows Directory Traversal to obtain a directory listing via the views/admin/dashboard/ URI. |
| CVE-2019-20490 | 2020-03-17 | cPanel before 82.0.18 allows authentication bypass because webmail usernames are processed inconsistently (SEC-499). |
| CVE-2019-20492 | 2020-03-17 | cPanel before 82.0.18 allows authentication bypass because of misparsing of the format of the password file (SEC-516). |
| CVE-2019-20493 | 2020-03-17 | cPanel before 82.0.18 allows self-XSS because JSON string escaping is mishandled (SEC-520). |
| CVE-2019-20494 | 2020-03-17 | In cPanel before 82.0.18, Cpanel::Rand::Get can produce a predictable series of numbers (SEC-525). |
| CVE-2019-20495 | 2020-03-17 | cPanel before 82.0.18 allows attackers to read an arbitrary database via MySQL dump streaming (SEC-531). |
| CVE-2019-20496 | 2020-03-17 | cPanel before 82.0.18 allows attackers to conduct arbitrary chown operations as root during log processing (SEC-532). |
| CVE-2019-20497 | 2020-03-17 | cPanel before 82.0.18 allows stored XSS via WHM Backup Restoration (SEC-533). |
| CVE-2019-20498 | 2020-03-17 | cPanel before 82.0.18 allows WebDAV authentication bypass because the connection-sharing logic is incorrect (SEC-534). |
| CVE-2020-10113 | 2020-03-17 | cPanel before 84.0.20 allows self XSS via a temporary character-set specification (SEC-515). |
| CVE-2020-10114 | 2020-03-17 | cPanel before 84.0.20 allows stored self-XSS via the HTML file editor (SEC-535). |
| CVE-2020-10115 | 2020-03-17 | cPanel before 84.0.20, when PowerDNS is used, allows arbitrary code execution as root via dnsadmin (SEC-537). |
| CVE-2020-10116 | 2020-03-17 | cPanel before 84.0.20 allows attackers to bypass intended restrictions on features and demo accounts via WebDisk UAPI calls (SEC-541). |
| CVE-2020-10117 | 2020-03-17 | cPanel before 84.0.20 mishandles enforcement of demo checks in the Market UAPI namespace (SEC-542). |
| CVE-2020-10118 | 2020-03-17 | cPanel before 84.0.20 allows a demo account to modify files via Branding API calls (SEC-543). |
| CVE-2020-10119 | 2020-03-17 | cPanel before 84.0.20 allows a demo account to achieve remote code execution via a cpsrvd rsync shell (SEC-544). |
| CVE-2020-10120 | 2020-03-17 | cPanel before 84.0.20 allows resellers to achieve remote code execution as root via a cpsrvd rsync shell (SEC-545). |
| CVE-2020-10121 | 2020-03-17 | cPanel before 84.0.20 allows a demo account to achieve code execution via PassengerApps APIs (SEC-546). |
| CVE-2020-10122 | 2020-03-17 | cPanel before 84.0.20 allows a webmail or demo account to delete arbitrary files (SEC-547). |
| CVE-2020-10596 | 2020-03-17 | OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section. |
| CVE-2018-21037 | 2020-03-17 | Subrion CMS 4.1.5 (and possibly earlier versions) allows CSRF to change the administrator password via the panel/members/edit/1 URI. |
| CVE-2020-1720 | 2020-03-17 | A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform... |
| CVE-2020-3951 | 2020-03-17 | VMware Workstation (15.x before 15.5.2) and Horizon Client for Windows (5.x and prior before 5.4.0) contain a denial-of-service vulnerability due to a heap-overflow issue in Cortado Thinprint. Attackers with non-administrative... |
| CVE-2020-3950 | 2020-03-17 | VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) contain a privilege escalation vulnerability... |
| CVE-2020-8467 | 2020-03-18 | A migration tool component of Trend Micro Apex One (2019) and OfficeScan XG contains a vulnerability which could allow remote attackers to execute arbitrary code on affected installations (RCE). An... |
| CVE-2020-8468 | 2020-03-18 | Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) agents are affected by a content validation escape vulnerability which could allow an attacker to manipulate... |
| CVE-2020-8470 | 2020-03-18 | Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file that could allow an attacker to delete any file... |
| CVE-2020-8598 | 2020-03-18 | Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file that could allow a remote attacker to execute arbitrary... |
| CVE-2020-8599 | 2020-03-18 | Trend Micro Apex One (2019) and OfficeScan XG server contain a vulnerable EXE file that could allow a remote attacker to write arbitrary data to an arbitrary path on affected... |
| CVE-2020-8600 | 2020-03-18 | Trend Micro Worry-Free Business Security (9.0, 9.5, 10.0) is affected by a directory traversal vulnerability that could allow an attacker to manipulate a key file to bypass authentication. |
| CVE-2019-11939 | 2020-03-18 | Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result... |
| CVE-2020-10659 | 2020-03-18 | Entrust Entelligence Security Provider (ESP) before 10.0.60 on Windows mishandles errors during SSL Certificate Validation, leading to situations where (for example) a user continues to interact with a web site... |
| CVE-2020-3922 | 2020-03-18 | ArmorX LisoMail - SQL Injection |
| CVE-2019-14882 | 2020-03-18 | A vulnerability was found in Moodle 3.7 to 3.7.3, 3.6 to 3.6.7, 3.5 to 3.5.9 and earlier where an open redirect existed in the Lesson edit page. |
| CVE-2019-14883 | 2020-03-18 | A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline attachments in email notifications were not disabled when a user's account... |
| CVE-2019-14884 | 2020-03-18 | A vulnerability was found in Moodle 3.7 before 3.73, 3.6 before 3.6.7 and 3.5 before 3.5.9, where a reflected XSS is possible from some fatal error messages. |
| CVE-2019-14881 | 2020-03-18 | A vulnerability was found in Moodle 3.7 before 3.7.3, where there is blind XSS reflected in some locations where user email is displayed. |
| CVE-2020-9443 | 2020-03-18 | Zulip Desktop before 4.0.3 loaded untrusted content in an Electron webview with web security disabled, which can be exploited for XSS in a number of ways. This especially affects Zulip... |
| CVE-2020-7002 | 2020-03-18 | Delta Industrial Automation CNCSoft ScreenEditor, v1.00.96 and prior. Multiple stack-based buffer overflows can be exploited when a valid user opens a specially crafted, malicious input file. |
| CVE-2020-6976 | 2020-03-18 | Delta Industrial Automation CNCSoft ScreenEditor, v1.00.96 and prior. An out-of-bounds read overflow can be exploited when a valid user opens a specially crafted, malicious input file due to the lack... |
| CVE-2020-9323 | 2020-03-18 | Aquaforest TIFF Server 4.0 allows Unauthenticated File and Directory Enumeration via tiffserver/tssp.aspx. |
| CVE-2020-9324 | 2020-03-18 | Aquaforest TIFF Server 4.0 allows Unauthenticated SMB Hash Capture via UNC. |
| CVE-2020-9325 | 2020-03-18 | Aquaforest TIFF Server 4.0 allows Unauthenticated Arbitrary File Download. |
| CVE-2020-4199 | 2020-03-18 | IBM Tivoli Netcool/OMNIbus 8.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM... |
| CVE-2020-9326 | 2020-03-18 | BeyondTrust Privilege Management for Windows and Mac (aka PMWM; formerly Avecto Defendpoint) 5.1 through 5.5 before 5.5 SR1 mishandles command-line arguments with PowerShell .ps1 file extensions present, leading to a... |
| CVE-2019-10146 | 2020-03-18 | A Reflected Cross Site Scripting flaw was found in all pki-core 10.x.x versions module from the pki-core server due to the CA Agent Service not properly sanitizing the certificate request... |
| CVE-2019-10178 | 2020-03-18 | It was found that the Token Processing Service (TPS) did not properly sanitize the Token IDs from the "Activity" page, enabling a Stored Cross Site Scripting (XSS) vulnerability. An unauthenticated... |
| CVE-2019-11688 | 2020-03-18 | An issue was discovered in ASUSTOR exFAT Driver through 1.0.0.r20. When conducting license validation, exfat.cgi and exfatctl accept any certificate for asustornasapi.asustor.com. In other words, there is Missing SSL Certificate... |
| CVE-2019-11689 | 2020-03-18 | An issue was discovered in ASUSTOR exFAT Driver through 1.0.0.r20. When conducting license validation, exfat.cgi and exfatctl fail to properly validate server responses and pass unsanitized text to the system... |
| CVE-2019-10682 | 2020-03-18 | django-nopassword before 5.0.0 stores cleartext secrets in the database. |
| CVE-2019-14871 | 2020-03-18 | The REENT_CHECK macro (see newlib/libc/include/sys/reent.h) as used by REENT_CHECK_TM, REENT_CHECK_MISC, REENT_CHECK_MP and other newlib macros in versions prior to 3.3.0, does not check for memory allocation problems when the DEBUG... |
| CVE-2019-19335 | 2020-03-18 | During installation of an OpenShift 4 cluster, the `openshift-install` command line tool creates an `auth` directory, with `kubeconfig` and `kubeadmin-password` files. Both files contain credentials used to authenticate to the... |
| CVE-2019-19351 | 2020-03-18 | An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/jenkins. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate... |
| CVE-2019-19355 | 2020-03-18 | An insecure modification vulnerability in the /etc/passwd file was found in the openshift/ocp-release-operator-sdk. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their... |
| CVE-2019-12112 | 2020-03-18 | An issue was discovered in ONAP SDNC before Dublin. By executing sla/upload with a crafted filename parameter, an unauthenticated attacker can execute an arbitrary command. All SDC setups that include... |
| CVE-2019-12113 | 2020-03-18 | An issue was discovered in ONAP SDNC before Dublin. By executing sla/printAsGv with a crafted module parameter, an authenticated user can execute an arbitrary command. All SDC setups that include... |
| CVE-2019-12114 | 2020-03-18 | An issue was discovered in ONAP HOLMES before Dublin. By accessing port 9202 of dep-holmes-engine-mgmt pod, an unauthenticated attacker (who already has access to pod-to-pod communication) may execute arbitrary code... |
| CVE-2019-12115 | 2020-03-18 | An issue was discovered in ONAP SDC through Dublin. By accessing port 4000 of demo-sdc-sdc-be pod, an unauthenticated attacker (who already has access to pod-to-pod communication) may execute arbitrary code... |
| CVE-2019-12116 | 2020-03-18 | An issue was discovered in ONAP SDC through Dublin. By accessing port 6000 of demo-sdc-sdc-fe pod, an unauthenticated attacker (who already has access to pod-to-pod communication) may execute arbitrary code... |
| CVE-2019-12117 | 2020-03-18 | An issue was discovered in ONAP SDC through Dublin. By accessing port 4001 of demo-sdc-sdc-onboarding-be pod, an unauthenticated attacker (who already has access to pod-to-pod communication) may execute arbitrary code... |
| CVE-2019-12118 | 2020-03-18 | An issue was discovered in ONAP SDC through Dublin. By accessing port 7001 of demo-sdc-sdc-wfd-be pod, an unauthenticated attacker (who already has access to pod-to-pod communication) may execute arbitrary code... |
| CVE-2019-12119 | 2020-03-18 | An issue was discovered in ONAP SDC through Dublin. By accessing port 7000 of demo-sdc-sdc-wfd-fe pod, an unauthenticated attacker (who already has access to pod-to-pod communication) may execute arbitrary code... |
| CVE-2019-12120 | 2020-03-18 | An issue was discovered in ONAP VNFSDK through Dublin. By accessing port 8000 of demo-vnfsdk-vnfsdk, an unauthenticated attacker (who already has access to pod-to-pod communication) may execute arbitrary code inside... |
| CVE-2019-12121 | 2020-03-18 | An issue was detected in ONAP Portal through Dublin. By executing a padding oracle attack using the ONAPPORTAL/processSingleSignOn UserId field, an attacker is able to decrypt arbitrary information encrypted with... |
| CVE-2019-12122 | 2020-03-18 | An issue was discovered in ONAP Portal through Dublin. By executing a call to ONAPPORTAL/portalApi/loggedinUser, an attacker who possesses a user's cookie may retrieve that user's password from the database.... |
| CVE-2019-12123 | 2020-03-18 | An issue was discovered in ONAP SDNC before Dublin. By executing sla/printAsXml with a crafted module parameter, an authenticated user can execute an arbitrary command. All SDC setups that include... |
| CVE-2019-12124 | 2020-03-18 | An issue was discovered in ONAP APPC before Dublin. By using an exposed unprotected Jolokia interface, an unauthenticated attacker can read or overwrite an arbitrary file. All APPC setups are... |
| CVE-2019-12132 | 2020-03-18 | An issue was discovered in ONAP SDNC before Dublin. By executing sla/dgUpload with a crafted filename parameter, an unauthenticated attacker can execute an arbitrary command. All SDC setups that include... |
| CVE-2019-12131 | 2020-03-18 | An issue was detected in ONAP APPC through Dublin and SDC through Dublin. By setting a USER_ID parameter in an HTTP header, an attacker may impersonate an arbitrary existing user... |
| CVE-2019-12365 | 2020-03-18 | The Newton application through 10.0.23 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. |
| CVE-2019-12366 | 2020-03-18 | The Nine application through 4.5.3a for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. |
| CVE-2019-20529 | 2020-03-18 | In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12, data files generated with Prepared Report were being stored as public files (no authentication is required to access; having a link is sufficient)... |
| CVE-2019-12367 | 2020-03-18 | The BlueMail application through 1.9.5.36 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. |
| CVE-2019-12368 | 2020-03-18 | The Edison Mail application through 1.7.1 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. |
| CVE-2019-12369 | 2020-03-18 | The TypeApp application through 1.9.5.35 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. |
| CVE-2019-12370 | 2020-03-18 | The Spark application through 2.0.2 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission. |
| CVE-2019-12769 | 2020-03-18 | SolarWinds Serv-U Managed File Transfer (MFT) Web client before 15.1.6 Hotfix 2 is vulnerable to Cross-Site Request Forgery in the file upload functionality via ?Command=Upload with the Dir and File... |
| CVE-2019-12921 | 2020-03-18 | In GraphicsMagick before 1.3.32, the text filename component allows remote attackers to read arbitrary files via a crafted image because of TranslateTextEx for SVG. |
| CVE-2019-20511 | 2020-03-18 | ERPNext 11.1.47 allows blog?blog_category= Frame Injection. |
| CVE-2019-20512 | 2020-03-18 | Open edX Ironwood.1 allows support/certificates?course_id= reflected XSS. |
| CVE-2019-18581 | 2020-03-18 | Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server missing authorization vulnerability in the... |
| CVE-2019-18582 | 2020-03-18 | Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server-side template injection vulnerability in the... |
| CVE-2019-3762 | 2020-03-18 | Data Protection Central versions 1.0, 1.0.1, 18.1, 18.2, and 19.1 contain an Improper Certificate Chain of Trust Vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by obtaining a... |
| CVE-2019-20528 | 2020-03-18 | Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp username parameter. |
| CVE-2020-10665 | 2020-03-18 | Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTEM because it mishandles the collection of diagnostics with Administrator privileges, leading to arbitrary DACL permissions overwrites and arbitrary file writes. This... |
| CVE-2019-18979 | 2020-03-18 | Adaware antivirus 12.6.1005.11662 and 12.7.1055.0 has a quarantine flaw that allows privilege escalation. Exploitation uses an NTFS directory junction to restore a malicious DLL from quarantine into the system32 folder. |
| CVE-2020-9423 | 2020-03-18 | LogicalDoc before 8.3.3 could allow an attacker to upload arbitrary files, leading to command execution or retrieval of data from the database. LogicalDoc provides a functionality to add documents. Those... |
| CVE-2020-7258 | 2020-03-18 | Network Security Management (NSM) - Cross site scripting vulnerability |
| CVE-2020-7256 | 2020-03-18 | Network Security Management (NSM) - Cross site scripting vulnerability |
| CVE-2020-10673 | 2020-03-18 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). |
| CVE-2020-10672 | 2020-03-18 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). |
| CVE-2020-10365 | 2020-03-18 | LogicalDoc before 8.3.3 allows SQL Injection. LogicalDoc populates the list of available documents by querying the database. This list could be filtered by modifying some of the parameters. Some of... |
| CVE-2020-10674 | 2020-03-18 | PerlSpeak through 2.01 allows attackers to execute arbitrary OS commands, as demonstrated by use of system and 2-argument open. |
| CVE-2019-19676 | 2020-03-18 | A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel,... |