CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
601 CVE-2020-7643 2020-04-23 2020-05-01
5.0
None Remote Low Not required None Partial None
paypal-adaptive through 0.4.2 manipulation of JavaScript objects resulting in Prototype Pollution. The PayPal function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
602 CVE-2020-7642 79 XSS 2020-04-22 2020-05-01
3.5
None Remote Medium ??? None Partial None
lazysizes through 5.2.0 allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams which can be abused to inject malicious JavaScript.
603 CVE-2020-7640 78 Exec Code 2020-04-27 2020-05-01
7.5
None Remote Low Not required Partial Partial Partial
pixl-class prior to 1.0.3 allows execution of arbitrary commands. The members argument of the create function can be controlled by users without any sanitization.
604 CVE-2020-7639 20 2020-04-06 2021-07-21
5.0
None Remote Low Not required None Partial None
eivindfjeldstad-dot below 1.0.3 is vulnerable to Prototype Pollution.The function 'set' could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.
605 CVE-2020-7638 20 2020-04-06 2021-07-21
5.0
None Remote Low Not required None Partial None
confinit through 0.3.0 is vulnerable to Prototype Pollution.The 'setDeepProperty' function could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.
606 CVE-2020-7637 915 2020-04-06 2022-04-27
5.0
None Remote Low Not required None Partial None
class-transformer before 0.3.1 allow attackers to perform Prototype Pollution. The classToPlainFromExist function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
607 CVE-2020-7636 74 Exec Code 2020-04-06 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
adb-driver through 0.1.8 is vulnerable to Command Injection.It allows execution of arbitrary commands via the command function.
608 CVE-2020-7635 74 Exec Code 2020-04-06 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
compass-compile through 0.0.1 is vulnerable to Command Injection.It allows execution of arbitrary commands via tha options argument.
609 CVE-2020-7634 74 2020-04-06 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
heroku-addonpool through 0.1.15 is vulnerable to Command Injection.
610 CVE-2020-7633 74 Exec Code 2020-04-06 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
apiconnect-cli-plugins through 6.0.1 is vulnerable to Command Injection.It allows execution of arbitrary commands via the pluginUri argument.
611 CVE-2020-7632 74 Exec Code 2020-04-06 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
node-mpv through 1.4.3 is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument.
612 CVE-2020-7631 74 Exec Code 2020-04-06 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
diskusage-ng through 0.2.4 is vulnerable to Command Injection.It allows execution of arbitrary commands via the path argument.
613 CVE-2020-7630 74 Exec Code 2020-04-02 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
git-add-remote through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the name argument.
614 CVE-2020-7629 74 Exec Code 2020-04-02 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
install-package through 0.4.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument.
615 CVE-2020-7628 78 2020-04-02 2022-04-22
7.5
None Remote Low Not required Partial Partial Partial
umount through 1.1.6 is vulnerable to Command Injection. The argument device can be controlled by users without any sanitization.
616 CVE-2020-7627 74 Exec Code 2020-04-02 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
node-key-sender through 1.0.11 is vulnerable to Command Injection. It allows execution of arbitrary commands via the 'arrParams' argument in the 'execute()' function.
617 CVE-2020-7626 74 Exec Code 2020-04-02 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
karma-mojo through 1.0.1 is vulnerable to Command Injection. It allows execution of arbitrary commands via the config argument.
618 CVE-2020-7625 74 Exec Code 2020-04-02 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
op-browser through 1.0.6 is vulnerable to Command Injection. It allows execution of arbitrary commands via the url function.
619 CVE-2020-7624 74 Exec Code 2020-04-02 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
effect through 1.0.4 is vulnerable to Command Injection. It allows execution of arbitrary command via the options argument.
620 CVE-2020-7623 74 Exec Code 2020-04-02 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
jscover through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary command via the source argument.
621 CVE-2020-7622 Http R.Spl. 2020-04-06 2021-08-03
7.5
None Remote Low Not required Partial Partial Partial
This affects the package io.jooby:jooby-netty before 1.6.9, from 2.0.0 and before 2.2.1. The DefaultHttpHeaders is set to false which means it does not validates that the header isn't being abused for HTTP Response Splitting.
622 CVE-2020-7621 74 Exec Code 2020-04-02 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
strong-nginx-controller through 1.0.2 is vulnerable to Command Injection. It allows execution of arbitrary command as part of the '_nginxCmd()' function.
623 CVE-2020-7620 74 2020-04-02 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
pomelo-monitor through 0.3.7 is vulnerable to Command Injection.It allows injection of arbitrary commands as part of 'pomelo-monitor' params.
624 CVE-2020-7619 74 2020-04-02 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
get-git-data through 1.3.1 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the arguments provided to get-git-data.
625 CVE-2020-7618 20 2020-04-07 2021-07-21
5.0
None Remote Low Not required None Partial None
sds through 3.2.0 is vulnerable to Prototype Pollution.The library could be tricked into adding or modifying properties of the 'Object.prototype' by abusing the 'set' function located in 'js/set.js'.
626 CVE-2020-7617 915 2020-04-02 2020-04-07
7.5
None Remote Low Not required Partial Partial Partial
ini-parser through 0.0.2 is vulnerable to Prototype Pollution.The library could be tricked into adding or modifying properties of Object.prototype using a '__proto__' payload.
627 CVE-2020-7616 20 2020-04-07 2021-07-21
5.0
None Remote Low Not required None Partial None
express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack code can be placed which will then be exported by `express-mock-middleware`. As such, this is considered to be a low risk.
628 CVE-2020-7615 78 2020-04-07 2020-04-07
4.6
None Local Low Not required Partial Partial Partial
fsa through 0.5.1 is vulnerable to Command Injection. The first argument of 'execGitCommand()', located within 'lib/rep.js#63' can be controlled by users without any sanitization to inject arbitrary commands.
629 CVE-2020-7614 78 2020-04-07 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
npm-programmatic through 0.0.12 is vulnerable to Command Injection.The packages and option properties are concatenated together without any validation and are used by the 'exec' function directly.
630 CVE-2020-7613 74 Exec Code 2020-04-07 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
clamscan through 1.2.0 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the `_is_clamav_binary` function located within `Index.js`. It should be noted that this vulnerability requires a pre-requisite that a folder should be created with the same command that will be chained to execute. This lowers the risk of this issue.
631 CVE-2020-7609 74 2020-04-27 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
node-rules including 3.0.0 and prior to 5.0.0 allows injection of arbitrary commands. The argument rules of function "fromJSON()" can be controlled by users without any sanitization.
632 CVE-2020-7575 79 Exec Code XSS 2020-04-14 2021-03-04
4.3
None Remote Medium Not required None Partial None
A vulnerability has been identified in Climatix POL908 (BACnet/IP module) (All versions), Climatix POL909 (AWM module) (All versions < V11.32). A persistent cross-site scripting (XSS) vulnerability exists in the web server access log page of the affected devices that could allow an attacker to inject arbitrary JavaScript code via specially crafted GET requests. The code could be potentially executed later by another (privileged) user. The security vulnerability could be exploited by an attacker with network access to the affected system. Successful exploitation requires no system privileges. An attacker could use the vulnerability to compromise the confidentiality and integrity of other users' web sessions.
633 CVE-2020-7574 79 Exec Code XSS 2020-04-14 2021-03-04
4.3
None Remote Medium Not required None Partial None
A vulnerability has been identified in Climatix POL908 (BACnet/IP module) (All versions), Climatix POL909 (AWM module) (All versions < V11.32). A persistent cross-site scripting (XSS) vulnerability exists in the "Server Config" web interface of the affected devices that could allow an attacker to inject arbitrary JavaScript code. The code could be potentially executed later by another (possibly privileged) user. The security vulnerability could be exploited by an attacker with network access to the affected system. Successful exploitation requires no system privileges. An attacker could use the vulnerability to compromise the confidentiality and integrity of other users' web session.
634 CVE-2020-7490 426 Exec Code 2020-04-22 2022-01-31
6.9
None Local Medium Not required Complete Complete Complete
A CWE-426: Untrusted Search Path vulnerability exists in Vijeo Designer Basic (V1.1 HotFix 15 and prior) and Vijeo Designer (V6.9 SP9 and prior), which could cause arbitrary code execution on the system running Vijeo Basic when a malicious DLL library is loaded by the Product.
635 CVE-2020-7489 74 2020-04-22 2022-01-31
7.5
None Remote Low Not required Partial Partial Partial
A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability exists on EcoStruxure Machine Expert – Basic or SoMachine Basic programming software (versions in security notification). The result of this vulnerability, DLL substitution, could allow the transference of malicious code to the controller.
636 CVE-2020-7488 319 +Info 2020-04-22 2022-02-03
5.0
None Remote Low Not required Partial None None
A CWE-319: Cleartext Transmission of Sensitive Information vulnerability exists which could leak sensitive information transmitted between the software and the Modicon M218, M241, M251, and M258 controllers.
637 CVE-2020-7487 345 Exec Code 2020-04-22 2022-02-03
7.5
None Remote Low Not required Partial Partial Partial
A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists which could allow the attacker to execute malicious code on the Modicon M218, M241, M251, and M258 controllers.
638 CVE-2020-7486 400 2020-04-16 2022-02-03
5.0
None Remote Low Not required None None Partial
**VERSION NOT SUPPORTED WHEN ASSIGNED** A vulnerability could cause TCM modules to reset when under high network load in TCM v10.4.x and in system v10.3.x. This vulnerability was discovered and remediated in version v10.5.x on August 13, 2009. TCMs from v10.5.x and on will no longer exhibit this behavior.
639 CVE-2020-7485 2020-04-16 2020-07-30
7.5
None Remote Low Not required Partial Partial Partial
**VERSION NOT SUPPORTED WHEN ASSIGNED** A legacy support account in the TriStation software version v4.9.0 and earlier could cause improper access to the TriStation host machine. This was addressed in TriStation version v4.9.1 and v4.10.1 released on May 30, 2013.1
640 CVE-2020-7484 DoS 2020-04-16 2021-11-10
4.3
None Remote Medium Not required None None Partial
**VERSION NOT SUPPORTED WHEN ASSIGNED** A vulnerability with the former 'password' feature could allow a denial of service attack if the user is not following documented guidelines pertaining to dedicated TriStation connection and key-switch protection. This vulnerability was discovered and remediated in versions v4.9.1 and v4.10.1 on May 30, 2013. This feature is not present in version v4.9.1 and v4.10.1 through current. Therefore, the vulnerability is not present in these versions.
641 CVE-2020-7483 319 2020-04-16 2021-11-08
5.0
None Remote Low Not required Partial None None
**VERSION NOT SUPPORTED WHEN ASSIGNED** A vulnerability could cause certain data to be visible on the network when the 'password' feature is enabled. This vulnerability was discovered in and remediated in versions v4.9.1 and v4.10.1 on May 30, 2013. The 'password' feature is an additional optional check performed by TS1131 that it is connected to a specific controller. This data is sent as clear text and is visible on the network. This feature is not present in TriStation 1131 versions v4.9.1 and v4.10.1 through current. Therefore, the vulnerability is not present in these versions.
642 CVE-2020-7453 754 2020-04-29 2020-05-06
3.3
None Local Medium Not required Partial Partial None
In FreeBSD 12.1-STABLE before r359021, 12.1-RELEASE before 12.1-RELEASE-p3, 11.3-STABLE before r359020, and 11.3-RELEASE before 11.3-RELEASE-p7, a missing null termination check in the jail_set configuration option "osrelease" may return more bytes with a subsequent jail_get system call allowing a malicious jail superuser with permission to create nested jails to read kernel memory.
643 CVE-2020-7452 20 Exec Code 2020-04-29 2020-05-06
9.0
None Remote Low ??? Complete Complete Complete
In FreeBSD 12.1-STABLE before r357490, 12.1-RELEASE before 12.1-RELEASE-p3, 11.3-STABLE before r357489, and 11.3-RELEASE before 11.3-RELEASE-p7, incorrect use of a user-controlled pointer in the epair virtual network module allowed vnet jailed privileged users to panic the host system and potentially execute arbitrary code in the kernel.
644 CVE-2020-7451 200 +Info 2020-04-28 2021-07-21
5.0
None Remote Low Not required Partial None None
In FreeBSD 12.1-STABLE before r358739, 12.1-RELEASE before 12.1-RELEASE-p3, 11.3-STABLE before r358740, and 11.3-RELEASE before 11.3-RELEASE-p7, a TCP SYN-ACK or challenge TCP-ACK segment over IPv6 that is transmitted or retransmitted does not properly initialize the Traffic Class field disclosing one byte of kernel memory over the network.
645 CVE-2020-7350 78 2020-04-22 2020-04-30
6.8
None Remote Medium Not required Partial Partial Partial
Rapid7 Metasploit Framework versions before 5.0.85 suffers from an instance of CWE-78: OS Command Injection, wherein the libnotify plugin accepts untrusted user-supplied data via a remote computer's hostname or service name. An attacker can create a specially-crafted hostname or service name to be imported by Metasploit from a variety of sources and trigger a command injection on the operator's terminal. Note, only the Metasploit Framework and products that expose the plugin system is susceptible to this issue -- notably, this does not include Rapid7 Metasploit Pro. Also note, this vulnerability cannot be triggered through a normal scan operation -- the attacker would have to supply a file that is processed with the db_import command.
646 CVE-2020-7278 862 2020-04-15 2020-04-20
4.0
None Remote Low ??? None Partial None
Exploiting incorrectly configured access control security levels vulnerability in ENS Firewall in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 April 2020 and 10.6.1 April 2020 updates allows remote attackers and local users to allow or block unauthorized traffic via pre-existing rules not being handled correctly when updating to the February 2020 updates.
647 CVE-2020-7277 2020-04-15 2020-04-21
4.6
None Local Low Not required Partial Partial Partial
Protection mechanism failure in all processes in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 April 2020 Update allows local users to stop certain McAfee ENS processes, reducing the protection offered.
648 CVE-2020-7276 287 Bypass 2020-04-15 2020-04-21
4.6
None Local Low Not required Partial Partial Partial
Authentication bypass vulnerability in MfeUpgradeTool in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 April 2020 Update allows administrator users to access policy settings via running this tool.
649 CVE-2020-7275 428 Exec Code 2020-04-15 2020-04-21
4.6
None Local Low Not required Partial Partial Partial
Accessing, modifying or executing executable files vulnerability in the uninstaller in McAfee Endpoint Security (ENS) for Windows Prior to 10.7.0 April 2020 Update allows local users to execute arbitrary code via a carefully crafted input file.
650 CVE-2020-7274 269 2020-04-15 2020-04-20
4.6
None Local Low Not required Partial Partial Partial
Privilege escalation vulnerability in McTray.exe in McAfee Endpoint Security (ENS) for Windows Prior to 10.7.0 April 2020 Update allows local users to spawn unrelated processes with elevated privileges via the system administrator granting McTray.exe elevated privileges (by default it runs with the current user's privileges).
Total number of vulnerabilities : 2187   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 (This Page)14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.