CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
451 CVE-2020-10623 89 +Priv Sql 2020-04-09 2020-04-10
4.0
None Remote Low ??? Partial None None
Multiple vulnerabilities could allow an attacker with low privileges to perform SQL injection on WebAccess/NMS (versions prior to 3.0.2) to gain access to sensitive information.
452 CVE-2020-10621 434 2020-04-09 2020-04-10
10.0
None Remote Low Not required Complete Complete Complete
Multiple issues exist that allow files to be uploaded and executed on the WebAccess/NMS (versions prior to 3.0.2).
453 CVE-2020-10619 22 Dir. Trav. 2020-04-09 2020-04-10
6.4
None Remote Low Not required None Partial Partial
An attacker could use a specially crafted URL to delete files outside the WebAccess/NMS's (versions prior to 3.0.2) control.
454 CVE-2020-10617 89 Sql 2020-04-09 2020-04-09
5.0
None Remote Low Not required Partial None None
There are multiple ways an unauthenticated attacker could perform SQL injection on WebAccess/NMS (versions prior to 3.0.2) to gain access to sensitive information.
455 CVE-2020-10615 787 2020-04-15 2020-04-22
5.0
None Remote Low Not required None None Partial
Triangle MicroWorks SCADA Data Gateway 3.02.0697 through 4.0.122, 2.41.0213 through 4.0.122 allows remote attackers cause a denial-of-service condition due to a lack of proper validation of the length of user-supplied data, prior to copying it to a fixed-length stack-based buffer. Authentication is not required to exploit this vulnerability.
456 CVE-2020-10613 125 2020-04-15 2020-04-22
5.0
None Remote Low Not required Partial None None
Triangle MicroWorks SCADA Data Gateway 3.02.0697 through 4.0.122, 2.41.0213 through 4.0.122 allows remote attackers to disclose sensitive information due to the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. Authentication is not required to exploit this vulnerability. Only applicable to installations using DNP3 Data Sets.
457 CVE-2020-10611 843 Exec Code 2020-04-15 2020-04-22
7.5
None Remote Low Not required Partial Partial Partial
Triangle MicroWorks SCADA Data Gateway 3.02.0697 through 4.0.122, 2.41.0213 through 4.0.122 allows remote attackers to execute arbitrary code due to the lack of proper validation of user-supplied data, which can result in a type confusion condition. Authentication is not required to exploit this vulnerability. Only applicable to installations using DNP3 Data Sets.
458 CVE-2020-10603 78 2020-04-09 2020-04-10
6.5
None Remote Low ??? Partial Partial Partial
WebAccess/NMS (versions prior to 3.0.2) does not properly sanitize user input and may allow an attacker to inject system commands remotely.
459 CVE-2020-10601 327 Bypass 2020-04-03 2021-12-20
4.6
None Local Low Not required Partial Partial Partial
VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module allow weak hashing algorithm and insecure permissions which may allow a local attacker to bypass the password-protected mechanism through brute-force attacks, cracking techniques, or overwriting the password hash.
460 CVE-2020-10599 120 Exec Code Overflow 2020-04-03 2020-04-06
7.5
None Remote Low Not required Partial Partial Partial
VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may allow a vulnerable ActiveX component to be exploited resulting in a buffer overflow, which may lead to a denial-of-service condition and execution of arbitrary code.
461 CVE-2020-10598 2020-04-01 2021-09-14
3.6
None Local Low Not required Partial Partial None
In BD Pyxis MedStation ES System v1.6.1 and Pyxis Anesthesia (PAS) ES System v1.6.1, a restricted desktop environment escape vulnerability exists in the kiosk mode functionality of affected devices. Specially crafted inputs could allow the user to escape the restricted environment, resulting in access to sensitive data.
462 CVE-2020-10569 434 Exec Code 2020-04-21 2021-02-25
10.0
None Remote Low Not required Complete Complete Complete
** DISPUTED ** SysAid On-Premise 20.1.11, by default, allows the AJP protocol port, which is vulnerable to a GhostCat attack. Additionally, it allows unauthenticated access to upload files, which can be used to execute commands on the system by chaining it with a GhostCat attack. NOTE: This may be a duplicate of CVE-2020-1938.
463 CVE-2020-10551 269 2020-04-09 2021-07-21
7.2
None Local Low Not required Complete Complete Complete
QQBrowser before 10.5.3870.400 installs a Windows service TsService.exe. This file is writable by anyone belonging to the NT AUTHORITY\Authenticated Users group, which includes all local and remote users. This can be abused by local attackers to escalate privileges to NT AUTHORITY\SYSTEM by writing a malicious executable to the location of TsService.
464 CVE-2020-10515 427 Exec Code 2020-04-02 2020-04-06
10.0
None Remote Low Not required Complete Complete Complete
STARFACE UCC Client before 6.7.1.204 on WIndows allows binary planting to execute code with System rights, aka usd-2020-0006.
465 CVE-2020-10514 77 2020-04-15 2022-05-03
6.5
None Remote Low ??? Partial Partial Partial
iCatch DVR firmware before 20200103 do not validate function parameter properly, resulting attackers executing arbitrary command.
466 CVE-2020-10513 732 2020-04-15 2022-05-03
4.0
None Remote Low ??? None Partial None
The file management interface of iCatch DVR firmware before 20200103 contains broken access control which allows the attacker to remotely manipulate arbitrary file.
467 CVE-2020-10512 89 Exec Code Sql 2020-04-15 2020-04-30
9.0
None Remote Low ??? Complete Complete Complete
HGiga C&Cmail CCMAILQ before olln-calendar-6.0-100.i386.rpm and CCMAILN before olln-calendar-5.0-100.i386.rpm contains a SQL Injection vulnerability which allows attackers to injecting SQL commands in the URL parameter to execute unauthorized commands.
468 CVE-2020-10511 78 2020-04-15 2022-05-03
10.0
None Remote Low Not required Complete Complete Complete
HGiga C&Cmail CCMAILQ before olln-base-6.0-418.i386.rpm and CCMAILN before olln-base-5.0-418.i386.rpm contains insecure configurations. Attackers can exploit these flaws to access unauthorized functionality via a crafted URL.
469 CVE-2020-10507 434 2020-04-15 2020-04-30
7.5
None Remote Low Not required Partial Partial Partial
The School Manage System before 2020, developed by ALLE INFORMATION CO., LTD., contains a vulnerability of Unrestricted file upload (RCE) , that would allow attackers to gain access in the hosting machine.
470 CVE-2020-10506 22 Dir. Trav. 2020-04-15 2020-04-30
5.0
None Remote Low Not required Partial None None
The School Manage System before 2020, developed by ALLE INFORMATION CO., LTD., contains a vulnerability of Path Traversal, allowing attackers to access arbitrary files.
471 CVE-2020-10505 89 Sql 2020-04-15 2020-04-30
7.5
None Remote Low Not required Partial Partial Partial
The School Manage System before 2020, developed by ALLE INFORMATION CO., LTD., contains a vulnerability of SQL Injection, an attacker can use a union based injection query string to get databases schema and username/password.
472 CVE-2020-10384 269 2020-04-14 2021-02-19
7.2
None Local Low Not required Complete Complete Complete
An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.6.1. There is a local privilege escalation from the www-data account to the root account.
473 CVE-2020-10383 Exec Code 2020-04-14 2020-10-02
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.5.0. There is an unauthenticated remote code execution in the com_mb24sysapi module.
474 CVE-2020-10382 Exec Code 2020-04-14 2020-10-02
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.5.0. There is an authenticated remote code execution in the backup-scheduler.
475 CVE-2020-10381 89 Sql 2020-04-14 2020-10-02
5.0
None Remote Low Not required Partial None None
An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.5.0. There is an unauthenticated SQL injection in DATA24, allowing attackers to discover database and table names.
476 CVE-2020-10377 326 2020-04-17 2021-07-21
5.0
None Remote Low Not required Partial None None
A weak encryption vulnerability in Mitel MiVoice Connect Client before 214.100.1214.0 could allow an unauthenticated attacker to gain access to user credentials. A successful exploit could allow an attacker to access the system with compromised user credentials.
477 CVE-2020-10366 22 Dir. Trav. 2020-04-08 2020-04-09
5.0
None Remote Low Not required None Partial None
LogicalDoc before 8.3.3 allows /servlet.gupld Directory Traversal, a different vulnerability than CVE-2020-9423 and CVE-2020-10365.
478 CVE-2020-10267 312 2020-04-06 2021-12-20
5.0
None Remote Low Not required Partial None None
Universal Robots control box CB 3.1 across firmware versions (tested on 1.12.1, 1.12, 1.11 and 1.10) does not encrypt or protect in any way the intellectual property artifacts installed from the UR+ platform of hardware and software components (URCaps). These files (*.urcaps) are stored under '/root/.urcaps' as plain zip files containing all the logic to add functionality to the UR3, UR5 and UR10 robots. This flaw allows attackers with access to the robot or the robot network (while in combination with other flaws) to retrieve and easily exfiltrate all installed intellectual property.
479 CVE-2020-10266 345 2020-04-06 2020-04-06
6.8
None Remote Medium Not required Partial Partial Partial
UR+ (Universal Robots+) is a platform of hardware and software component sellers, for Universal Robots robots. When installing any of these components in the robots (e.g. in the UR10), no integrity checks are performed. Moreover, the SDK for making such components can be easily obtained from Universal Robots. An attacker could exploit this flaw by crafting a custom component with the SDK, performing Person-In-The-Middle attacks (PITM) and shipping the maliciously-crafted component on demand.
480 CVE-2020-10265 306 2020-04-06 2020-04-06
9.0
None Remote Low Not required Partial Partial Complete
Universal Robots Robot Controllers Version CB2 SW Version 1.4 upwards, CB3 SW Version 3.0 and upwards, e-series SW Version 5.0 and upwards expose a service called DashBoard server at port 29999 that allows for control over core robot functions like starting/stopping programs, shutdown, reset safety and more. The DashBoard server is not protected by any kind of authentication or authorization.
481 CVE-2020-10264 306 2020-04-06 2021-09-14
5.8
None Local Network Low Not required Partial Partial Partial
CB3 SW Version 3.3 and upwards, e-series SW Version 5.0 and upwards allow authenticated access to the RTDE (Real-Time Data Exchange) interface on port 30004 which allows setting registers, the speed slider fraction as well as digital and analog Outputs. Additionally unautheticated reading of robot data is also possible
482 CVE-2020-10263 20 2020-04-08 2021-07-21
7.2
None Local Low Not required Complete Complete Complete
An issue was discovered on XIAOMI XIAOAI speaker Pro LX06 1.52.4. Attackers can get root shell by accessing the UART interface and then they can (i) read Wi-Fi SSID or password, (ii) read the dialogue text files between users and XIAOMI XIAOAI speaker Pro LX06, (iii) use Text-To-Speech tools pretend XIAOMI speakers' voice achieve social engineering attacks, (iv) eavesdrop on users and record what XIAOMI XIAOAI speaker Pro LX06 hears, (v) modify system files, (vi) use commands to send any IR code through IR emitter on XIAOMI XIAOAI Speaker Pro LX06, (vii) stop voice assistant service, (viii) enable the XIAOMI XIAOAI Speaker Pro’ SSH or TELNET service as a backdoor, (IX) tamper with the router configuration of the router in the local area networks.
483 CVE-2020-10262 20 2020-04-08 2021-07-21
7.2
None Local Low Not required Complete Complete Complete
An issue was discovered on XIAOMI XIAOAI speaker Pro LX06 1.58.10. Attackers can activate the failsafe mode during the boot process, and use the mi_console command cascaded by the SN code shown on the product to get the root shell password, and then the attacker can (i) read Wi-Fi SSID or password, (ii) read the dialogue text files between users and XIAOMI XIAOAI speaker Pro LX06, (iii) use Text-To-Speech tools pretend XIAOMI speakers' voice achieve social engineering attacks, (iv) eavesdrop on users and record what XIAOMI XIAOAI speaker Pro LX06 hears, (v) modify system files, (vi) use commands to send any IR code through IR emitter on XIAOMI XIAOAI Speaker Pro (LX06), (vii) stop voice assistant service, (viii) enable the XIAOMI XIAOAI Speaker Pro’s SSH or TELNET service as a backdoor, (IX) tamper with the router configuration of the router in the local area networks.
484 CVE-2020-10231 476 2020-04-01 2020-05-12
5.0
None Remote Low Not required None None Partial
TP-Link NC200 through 2.1.8_Build_171109, NC210 through 1.0.9_Build_171214, NC220 through 1.3.0_Build_180105, NC230 through 1.3.0_Build_171205, NC250 through 1.3.0_Build_171205, NC260 through 1.5.1_Build_190805, and NC450 through 1.5.0_Build_181022 devices allow a remote NULL Pointer Dereference.
485 CVE-2020-10211 20 Exec Code 2020-04-17 2020-04-23
7.5
None Remote Low Not required Partial Partial Partial
A remote code execution vulnerability in UCB component of Mitel MiVoice Connect before 19.1 SP1 could allow an unauthenticated remote attacker to execute arbitrary scripts due to insufficient validation of URL parameters. A successful exploit could allow an attacker to gain access to sensitive information.
486 CVE-2020-10204 20 Exec Code 2020-04-01 2021-12-22
9.0
None Remote Low ??? Complete Complete Complete
Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution.
487 CVE-2020-10203 79 XSS 2020-04-01 2020-04-02
3.5
None Remote Medium ??? None Partial None
Sonatype Nexus Repository before 3.21.2 allows XSS.
488 CVE-2020-10199 862 2020-04-01 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).
489 CVE-2020-10094 79 XSS 2020-04-28 2020-05-04
3.5
None Remote Medium ??? None Partial None
A cross-site scripting (XSS) vulnerability in Lexmark CS31x before LW74.VYL.P273; CS41x before LW74.VY2.P273; CS51x before LW74.VY4.P273; CX310 before LW74.GM2.P273; CX410 & XC2130 before LW74.GM4.P273; CX510 & XC2132 before LW74.GM7.P273; MS310, MS312, MS317 before LW74.PRL.P273; MS410, M1140 before LW74.PRL.P273; MS315, MS415, MS417 before LW74.TL2.P273; MS51x, MS610dn, MS617 before LW74.PR2.P273; M1145, M3150dn before LW74.PR2.P273; MS610de, M3150 before LW74.PR4.P273; MS71x,M5163dn before LW74.DN2.P273; MS810, MS811, MS812, MS817, MS818 before LW74.DN2.P273; MS810de, M5155, M5163 before LW74.DN4.P273; MS812de, M5170 before LW74.DN7.P273; MS91x before LW74.SA.P273; MX31x, XM1135 before LW74.SB2.P273; MX410, MX510 & MX511 before LW74.SB4.P273; XM1140, XM1145 before LW74.SB4.P273; MX610 & MX611 before LW74.SB7.P273; XM3150 before LW74.SB7.P273; MX71x, MX81x before LW74.TU.P273; XM51xx & XM71xx before LW74.TU.P273; MX91x & XM91x before LW74.MG.P273; MX6500e before LW74.JD.P273; C746 before LHS60.CM2.P738; C748, CS748 before LHS60.CM4.P738; C792, CS796 before LHS60.HC.P738; C925 before LHS60.HV.P738; C950 before LHS60.TP.P738; X548 & XS548 before LHS60.VK.P738; X74x & XS748 before LHS60.NY.P738; X792 & XS79x before LHS60.MR.P738; X925 & XS925 before LHS60.HK.P738; X95x & XS95x before LHS60.TQ.P738; 6500e before LHS60.JR.P738;C734 LR.SK.P824 and earlier; C736 LR.SKE.P824 and earlier; E46x LR.LBH.P824 and earlier; T65x LR.JP.P824 and earlier; X46x LR.BS.P824 and earlier; X65x LR.MN.P824 and earlier; X73x LR.FL.P824 and earlier; W850 LP.JB.P823 and earlier; and X86x LP.SP.P823 and earlier.
490 CVE-2020-10093 79 XSS 2020-04-28 2020-05-05
3.5
None Remote Medium ??? None Partial None
A cross-site scripting (XSS) vulnerability in Lexmark Pro910 series inkjet and other discontinued products.
491 CVE-2020-9785 119 Exec Code Overflow Mem. Corr. 2020-04-01 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
Multiple memory corruption issues were addressed with improved state management. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. A malicious application may be able to execute arbitrary code with kernel privileges.
492 CVE-2020-9784 2020-04-01 2020-04-03
4.3
None Remote Medium Not required None Partial None
A logic issue was addressed with improved restrictions. This issue is fixed in Safari 13.1. A malicious iframe may use another website’s download settings.
493 CVE-2020-9783 416 Exec Code 2020-04-01 2020-04-02
6.8
None Remote Medium Not required Partial Partial Partial
A use after free issue was addressed with improved memory management. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Processing maliciously crafted web content may lead to code execution.
494 CVE-2020-9781 281 2020-04-01 2020-04-03
5.0
None Remote Low Not required None Partial None
The issue was addressed by clearing website permission prompts after navigation. This issue is fixed in iOS 13.4 and iPadOS 13.4. A user may grant website permissions to a site they didn't intend to.
495 CVE-2020-9780 200 +Info 2020-04-01 2021-07-21
2.1
None Local Low Not required Partial None None
The issue was resolved by clearing application previews when content is deleted. This issue is fixed in iOS 13.4 and iPadOS 13.4. A local user may be able to view deleted content in the app switcher.
496 CVE-2020-9777 20 2020-04-01 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue existed in the selection of video file by Mail. The issue was fixed by selecting the latest version of a video. This issue is fixed in iOS 13.4 and iPadOS 13.4. Cropped videos may not be shared properly via Mail.
497 CVE-2020-9776 200 +Info 2020-04-01 2021-07-21
4.3
None Remote Medium Not required Partial None None
This issue was addressed with a new entitlement. This issue is fixed in macOS Catalina 10.15.4. A malicious application may be able to access a user's call history.
498 CVE-2020-9775 665 2020-04-01 2022-04-27
5.0
None Remote Low Not required Partial None None
An issue existed in the handling of tabs displaying picture in picture video. The issue was corrected with improved state handling. This issue is fixed in iOS 13.4 and iPadOS 13.4. A user's private browsing activity may be unexpectedly saved in Screen Time.
499 CVE-2020-9773 2020-04-01 2022-03-31
4.3
None Remote Medium Not required Partial None None
The issue was addressed with improved handling of icon caches. This issue is fixed in iOS 14.0 and iPadOS 14.0. A malicious application may be able to identify what other applications a user has installed.
500 CVE-2020-9770 326 2020-04-01 2021-07-21
4.0
None Remote Low ??? Partial None None
A logic issue was addressed with improved state management. This issue is fixed in iOS 13.4 and iPadOS 13.4. An attacker in a privileged network position may be able to intercept Bluetooth traffic.
Total number of vulnerabilities : 2187   Page : 1 2 3 4 5 6 7 8 9 10 (This Page)11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.