CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In May 2020 (CVSS score >= 2)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
551 CVE-2020-6458 125 2020-05-21 2020-07-02
6.8
None Remote Medium Not required Partial Partial Partial
Out of bounds read and write in PDFium in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.
552 CVE-2020-6457 416 2020-05-21 2020-07-02
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in speech recognizer in Google Chrome prior to 81.0.4044.113 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
553 CVE-2020-6262 74 Exec Code 2020-05-12 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
Service Data Download in SAP Application Server ABAP (ST-PI, before versions 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application and the whole ABAP system leading to Code Injection.
554 CVE-2020-6259 862 2020-05-12 2020-05-15
4.0
None Remote Low ??? Partial None None
Under certain conditions SAP Adaptive Server Enterprise, versions 15.7, 16.0, allows an attacker to access information which would otherwise be restricted leading to Missing Authorization Check.
555 CVE-2020-6258 862 2020-05-12 2020-05-15
4.0
None Remote Low ??? Partial None None
SAP Identity Management, version 8.0, does not perform necessary authorization checks for an authenticated user, allowing the attacker to view certain sensitive information of the victim, leading to Missing Authorization Check.
556 CVE-2020-6257 79 XSS 2020-05-12 2020-05-15
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (CMC and BI Launchpad) 4.2 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability.
557 CVE-2020-6256 862 2020-05-12 2020-05-15
4.0
None Remote Low ??? Partial None None
SAP Master Data Governance, versions - 748, 749, 750, 751, 752, 800, 801, 802, 803, 804, allows users to display change request details without having required authorizations, due to Missing Authorization Check.
558 CVE-2020-6254 79 XSS 2020-05-12 2020-05-15
4.3
None Remote Medium Not required None Partial None
SAP Enterprise Threat Detection, versions 1.0, 2.0, does not sufficiently encode error response pages in case of errors, allowing XSS payload reflecting in the response, leading to reflected Cross Site Scripting.
559 CVE-2020-6253 89 Exec Code Sql 2020-05-12 2020-05-15
6.5
None Remote Low ??? Partial Partial Partial
Under certain conditions, SAP Adaptive Server Enterprise (Web Services), versions 15.7, 16.0, allows an authenticated user to execute crafted database queries to elevate their privileges, modify database objects, or execute commands they are not otherwise authorized to execute, leading to SQL Injection.
560 CVE-2020-6252 200 +Info 2020-05-12 2021-07-21
5.2
None Local Network Low ??? Partial Partial Partial
Under certain conditions SAP Adaptive Server Enterprise (Cockpit), version 16.0, allows an attacker with access to local network, to get sensitive and confidential information, leading to Information Disclosure. It can be used to get user account credentials, tamper with system data and impact system availability.
561 CVE-2020-6251 200 +Info 2020-05-12 2021-07-21
5.0
None Remote Low Not required Partial None None
Under certain conditions or error scenarios SAP Business Objects Business Intelligence Platform, version 4.2, allows an attacker to access information which would otherwise be restricted.
562 CVE-2020-6250 200 +Info 2020-05-12 2021-07-21
6.7
None Local Network Low ??? Partial Partial Complete
SAP Adaptive Server Enterprise, version 16.0, allows an authenticated attacker to exploit certain misconfigured endpoints exposed over the adjacent network, to read system administrator password leading to Information Disclosure. This could help the attacker to read/write any data and even stop the server like an administrator.
563 CVE-2020-6249 89 Sql 2020-05-12 2020-05-15
6.5
None Remote Low ??? Partial Partial Partial
The use of an admin backend report within SAP Master Data Governance, versions - S4CORE 101, S4FND 102, 103, 104, SAP_BS_FND 748; allows an attacker to execute crafted database queries, exposing the backend database, leading to SQL Injection.
564 CVE-2020-6248 20 Exec Code 2020-05-12 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
SAP Adaptive Server Enterprise (Backup Server), version 16.0, does not perform the necessary validation checks for an authenticated user while executing DUMP or LOAD command allowing arbitrary code execution or Code Injection.
565 CVE-2020-6247 20 2020-05-12 2021-07-21
5.0
None Remote Low Not required None None Partial
SAP Business Objects Business Intelligence Platform, version 4.2, allows an unauthenticated attacker to prevent legitimate users from accessing a service. Using a specially crafted request, the attacker can crash or flood the Central Management Server, thereby impacting system availability.
566 CVE-2020-6245 74 Exec Code 2020-05-12 2020-05-14
4.6
None Local Low Not required Partial Partial Partial
SAP Business Objects Business Intelligence Platform, version 4.2, allows an attacker with access to local instance, to inject file or code that can be executed by the application due to Improper Control of Resource Identifiers.
567 CVE-2020-6244 427 Exec Code 2020-05-12 2020-05-18
4.4
None Local Medium Not required Partial Partial Partial
SAP Business Client, version 7.0, allows an attacker after a successful social engineering attack to inject malicious code as a DLL file in untrusted directories that can be executed by the application, due to uncontrolled search path element. An attacker could thereby control the behavior of the application.
568 CVE-2020-6243 74 2020-05-12 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
Under certain conditions, SAP Adaptive Server Enterprise (XP Server on Windows Platform), versions 15.7, 16.0, does not perform the necessary checks for an authenticated user while executing the extended stored procedure, allowing an attacker to read, modify, delete restricted data on connected servers, leading to Code Injection.
569 CVE-2020-6242 306 2020-05-12 2020-07-02
7.5
None Remote Low Not required Partial Partial Partial
SAP Business Objects Business Intelligence Platform (Live Data Connect), versions 1.0, 2.0, 2.1, 2.2, 2.3, allows an attacker to logon on the Central Management Console without password in case of the BIPRWS application server was not protected with some specific certificate, leading to Missing Authentication Check.
570 CVE-2020-6241 89 Sql 2020-05-12 2020-05-14
6.5
None Remote Low ??? Partial Partial Partial
SAP Adaptive Server Enterprise, version 16.0, allows an authenticated user to execute crafted database queries to elevate privileges of users in the system, leading to SQL Injection.
571 CVE-2020-6240 20 DoS 2020-05-12 2021-07-21
5.0
None Remote Low Not required None None Partial
SAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 753, 754 and SAP_BASIS 700, 710, 730, 731, 804) allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service leading to Denial of Service
572 CVE-2020-6094 787 Exec Code 2020-05-06 2022-05-12
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable code execution vulnerability exists in the TIFF fillinraster function of the igcore19d.dll library of Accusoft ImageGear 19.4, 19.5 and 19.6. A specially crafted TIFF file can cause an out-of-bounds write, resulting in remote code execution. An attacker can provide a malicious file to trigger this vulnerability.
573 CVE-2020-6093 824 2020-05-18 2022-05-12
4.3
None Remote Medium Not required Partial None None
An exploitable information disclosure vulnerability exists in the way Nitro Pro 13.9.1.155 does XML error handling. A specially crafted PDF document can cause uninitialized memory access resulting in information disclosure. In order to trigger this vulnerability, victim must open a malicious file.
574 CVE-2020-6092 190 Exec Code Overflow 2020-05-18 2022-05-12
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable code execution vulnerability exists in the way Nitro Pro 13.9.1.155 parses Pattern objects. A specially crafted PDF file can trigger an integer overflow that can lead to arbitrary code execution. In order to trigger this vulnerability, victim must open a malicious file.
575 CVE-2020-6091 287 Bypass 2020-05-22 2022-04-28
6.4
None Remote Low Not required Partial Partial None
An exploitable authentication bypass vulnerability exists in the ESPON Web Control functionality of Epson EB-1470Ui MAIN: 98009273ESWWV107 MAIN2: 8X7325WWV303. A specially crafted series of HTTP requests can cause authentication bypass resulting in information disclosure. An attacker can send an HTTP request to trigger this vulnerability.
576 CVE-2020-6082 787 Exec Code 2020-05-06 2022-04-19
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable out-of-bounds write vulnerability exists in the ico_read function of the igcore19d.dll library of Accusoft ImageGear 19.6.0. A specially crafted ICO file can cause an out-of-bounds write, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
577 CVE-2020-6081 345 Exec Code 2020-05-07 2022-06-03
6.5
None Remote Low ??? Partial Partial Partial
An exploitable code execution vulnerability exists in the PLC_Task functionality of 3S-Smart Software Solutions GmbH CODESYS Runtime 3.5.14.30. A specially crafted network request can cause remote code execution. An attacker can send a malicious packet to trigger this vulnerability.
578 CVE-2020-6076 787 Exec Code 2020-05-06 2022-04-19
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable out-of-bounds write vulnerability exists in the igcore19d.dll ICO icoread parser of the Accusoft ImageGear 19.5.0 library. A specially crafted ICO file can cause an out-of-bounds write, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
579 CVE-2020-6075 787 Exec Code 2020-05-06 2022-04-19
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable out-of-bounds write vulnerability exists in the store_data_buffer function of the igcore19d.dll library of Accusoft ImageGear 19.5.0. A specially crafted PNG file can cause an out-of-bounds write, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
580 CVE-2020-6074 416 Exec Code 2020-05-18 2022-06-03
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable code execution vulnerability exists in the PDF parser of Nitro Pro 13.9.1.155. A specially crafted PDF document can cause a use-after-free which can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.
581 CVE-2020-5898 2020-05-12 2020-05-14
4.9
None Local Low Not required None None Complete
In versions 7.1.5-7.1.9, BIG-IP Edge Client Windows Stonewall driver does not sanitize the pointer received from the userland. A local user on the Windows client system can send crafted DeviceIoControl requests to \\.\urvpndrv device causing the Windows kernel to crash.
582 CVE-2020-5897 416 2020-05-12 2020-05-14
6.8
None Remote Medium Not required Partial Partial Partial
In versions 7.1.5-7.1.9, there is use-after-free memory vulnerability in the BIG-IP Edge Client Windows ActiveX component.
583 CVE-2020-5896 276 2020-05-12 2020-05-14
4.6
None Local Low Not required Partial Partial Partial
On versions 7.1.5-7.1.9, the BIG-IP Edge Client's Windows Installer Service's temporary folder has weak file and folder permissions.
584 CVE-2020-5895 2020-05-07 2020-05-22
4.6
None Local Low Not required Partial Partial Partial
On NGINX Controller versions 3.1.0-3.3.0, AVRD uses world-readable and world-writable permissions on its socket, which allows processes or users on the local system to write arbitrary data into the socket. A local system attacker can make AVRD segmentation fault (SIGSEGV) by writing malformed messages to the socket.
585 CVE-2020-5894 384 2020-05-07 2020-05-12
5.8
None Remote Medium Not required Partial Partial None
On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out.
586 CVE-2020-5838 79 XSS 2020-05-13 2020-05-15
3.5
None Remote Medium ??? None Partial None
Symantec IT Analytics, prior to 2.9.1, may be susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can potentially enable attackers to inject client-side scripts into web pages viewed by other users.
587 CVE-2020-5837 59 2020-05-11 2020-05-14
4.6
None Local Low Not required Partial Partial Partial
Symantec Endpoint Protection, prior to 14.3, may not respect file permissions when writing to log files that are replaced by symbolic links, which can lead to a potential elevation of privilege.
588 CVE-2020-5836 269 2020-05-11 2021-07-21
4.4
None Local Medium Not required Partial Partial Partial
Symantec Endpoint Protection, prior to 14.3, can potentially reset the ACLs on a file as a limited user while Symantec Endpoint Protection's Tamper Protection feature is disabled.
589 CVE-2020-5835 362 2020-05-11 2020-05-14
4.4
None Local Medium Not required Partial Partial Partial
Symantec Endpoint Protection Manager, prior to 14.3, has a race condition in client remote deployment which may result in an elevation of privilege on the remote machine.
590 CVE-2020-5834 22 Dir. Trav. 2020-05-11 2020-05-14
5.0
None Remote Low Not required Partial None None
Symantec Endpoint Protection Manager, prior to 14.3, may be susceptible to a directory traversal attack that could allow a remote actor to determine the size of files in the directory.
591 CVE-2020-5833 125 2020-05-11 2020-05-14
2.1
None Local Low Not required Partial None None
Symantec Endpoint Protection Manager, prior to 14.3, may be susceptible to an out of bounds vulnerability, which is a type of issue that results in an existing application reading memory outside of the bounds of the memory that had been allocated to the program.
592 CVE-2020-5753 670 2020-05-20 2022-04-07
5.0
None Remote Low Not required Partial None None
Signal Private Messenger Android v4.59.0 and up and iOS v3.8.1.5 and up allows a remote non-contact to ring a victim's Signal phone and disclose currently used DNS server due to ICE Candidate handling before call is answered or declined.
593 CVE-2020-5752 22 Exec Code Dir. Trav. 2020-05-21 2020-12-08
7.2
None Local Low Not required Complete Complete Complete
Relative path traversal in Druva inSync Windows Client 6.6.3 allows a local, unauthenticated attacker to execute arbitrary operating system commands with SYSTEM privileges.
594 CVE-2020-5751 79 XSS 2020-05-07 2020-05-11
3.5
None Remote Medium ??? None Partial None
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted operator.
595 CVE-2020-5750 79 XSS 2020-05-07 2020-05-11
4.3
None Remote Medium Not required None Partial None
Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature.
596 CVE-2020-5749 79 XSS 2020-05-07 2020-05-11
3.5
None Remote Medium ??? None Partial None
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted group.
597 CVE-2020-5748 79 XSS 2020-05-07 2020-05-11
4.3
None Remote Medium Not required None Partial None
Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature.
598 CVE-2020-5747 79 XSS 2020-05-07 2020-05-11
3.5
None Remote Medium ??? None Partial None
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test.
599 CVE-2020-5746 79 XSS 2020-05-07 2020-05-11
3.5
None Remote Medium ??? None Partial None
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test.
600 CVE-2020-5745 79 XSS CSRF 2020-05-07 2021-07-21
4.3
None Remote Medium Not required None Partial None
Cross-site request forgery in TCExam 14.2.2 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
Total number of vulnerabilities : 1008   Page : 1 2 3 4 5 6 7 8 9 10 11 12 (This Page)13 14 15 16 17 18 19 20 21
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.