| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
651 |
CVE-2020-7273 |
269 |
|
|
2020-04-15 |
2020-04-20 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
Accessing functionality not properly constrained by ACLs vulnerability in the autorun start-up protection in McAfee Endpoint Security (ENS) for Windows Prior to 10.7.0 April 2020 Update allows local users to delete or rename programs in the autorun key via manipulation of some parameters. |
|
652 |
CVE-2020-7263 |
732 |
|
|
2020-04-01 |
2022-06-02 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Improper access control vulnerability in ESconfigTool.exe in McAfee Endpoint Security (ENS) for Windows all current versions allows local administrator to alter ENS configuration up to and including disabling all protection offered by ENS via insecurely implemented encryption of configuration for export and import. |
|
653 |
CVE-2020-7261 |
120 |
|
Overflow |
2020-04-15 |
2020-04-20 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
Buffer Overflow via Environment Variables vulnerability in AMSI component in McAfee Endpoint Security (ENS) Prior to 10.7.0 February 2020 Update allows local users to disable Endpoint Security via a carefully crafted user input. |
|
654 |
CVE-2020-7259 |
269 |
|
Bypass |
2020-04-15 |
2020-04-20 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Exploitation of Privilege/Trust vulnerability in file in McAfee Endpoint Security (ENS) Prior to 10.7.0 February 2020 Update allows local users to bypass local security protection via a carefully crafted input file |
|
655 |
CVE-2020-7257 |
269 |
|
|
2020-04-15 |
2020-04-17 |
3.3 |
None |
Local |
Medium |
Not required |
None |
Partial |
Partial |
|
Privilege escalation vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2020 Update allows local users to cause the deletion and creation of files they would not normally have permission to through altering the target of symbolic links whilst an anti-virus scan was in progress. This is timing dependent. |
|
656 |
CVE-2020-7255 |
269 |
|
+Priv |
2020-04-15 |
2020-04-21 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
Privilege escalation vulnerability in the administrative user interface in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2020 Update allows local users to gain elevated privileges via ENS not checking user permissions when editing configuration in the ENS client interface. Administrators can lock the ENS client interface through ePO to prevent users being able to edit the configuration. |
|
657 |
CVE-2020-7250 |
59 |
|
+Priv |
2020-04-15 |
2020-04-21 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Symbolic link manipulation vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2020 Update allows authenticated local user to potentially gain an escalation of privileges by pointing the link to files which the user which not normally have permission to alter via carefully creating symbolic links from the ENS log file directory. |
|
658 |
CVE-2020-7224 |
20 |
|
|
2020-04-16 |
2020-04-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Aviatrix OpenVPN client through 2.5.7 on Linux, macOS, and Windows is vulnerable when OpenSSL parameters are altered from the issued value set; the parameters could allow unauthorized third-party libraries to load. |
|
659 |
CVE-2020-7136 |
|
|
|
2020-04-30 |
2020-05-07 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
A security vulnerability in HPE Smart Update Manager (SUM) prior to version 8.5.6 could allow remote unauthorized access. Hewlett Packard Enterprise has provided a software update to resolve this vulnerability in HPE Smart Update Manager (SUM) prior to 8.5.6. Please visit the HPE Support Center at https://support.hpe.com/hpesc/public/home to download the latest version of HPE Smart Update Manager (SUM). Download the latest version of HPE Smart Update Manager (SUM) or download the latest Service Pack For ProLiant (SPP). |
|
660 |
CVE-2020-7135 |
269 |
|
Exec Code |
2020-04-27 |
2021-07-21 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
A potential security vulnerability has been identified in the disk drive firmware installers named Supplemental Update / Online ROM Flash Component on HPE servers running Linux. The vulnerable software is included in the HPE Service Pack for ProLiant (SPP) releases 2018.06.0, 2018.09.0, and 2018.11.0. The vulnerable software is the Supplemental Update / Online ROM Flash Component for Linux (x64) software. The installer in this software component could be locally exploited to execute arbitrary code. Drive Models can be found in the Vulnerability Resolution field of the security bulletin. The 2019_03 SPP and Supplemental update / Online ROM Flash Component for Linux (x64) after 2019.03.0 has fixed this issue. |
|
661 |
CVE-2020-7134 |
200 |
|
+Info |
2020-04-24 |
2021-07-21 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
A remote access to sensitive data vulnerability was discovered in HPE IOT + GCP version(s): 1.4.0, 1.4.1, 1.4.2, 1.2.4.2. |
|
662 |
CVE-2020-7133 |
862 |
|
|
2020-04-24 |
2021-07-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
A unauthorized remote access vulnerability was discovered in HPE IOT + GCP version(s): 1.4.0, 1.4.1, 1.4.2, 1.2.4.2. |
|
663 |
CVE-2020-7132 |
79 |
|
XSS |
2020-04-23 |
2020-04-30 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
A potential security vulnerability has been identified in HPE Onboard Administrator. The vulnerability could be remotely exploited to allow Reflected Cross Site Scripting. HPE has made the following software updates and mitigation information to resolve the vulnerability in HPE Onboard Administrator. * OA 4.95 (Linux and Windows). |
|
664 |
CVE-2020-7131 |
862 |
|
Mem. Corr. |
2020-04-24 |
2021-07-21 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
This document describes a security vulnerability in Blade Maintenance Entity, Integrated Maintenance Entity and Maintenance Entity products. All J/H-series NonStop systems have a security vulnerability associated with an open UDP port 17185 on the Maintenance LAN which could result in information disclosure, denial-of-service attacks or local memory corruption against the affected system and a complete control of the system may also be possible. This vulnerability exists only if one gains access to the Maintenance LAN to which Blade Maintenance Entity, Integrated Maintenance Entity or Maintenance Entity product is connected. **Workaround:** Block the UDP port 17185(In the Maintenance LAN Network Switch/Firewall). Fix: Install following SPRs, which are already available: * T1805A01^AAI (Integrated Maintenance Entity) * T4805A01^AAZ (Blade Maintenance Entity). These SPRs are also usable with the following RVUs: * J06.19.00 ? J06.23.01. No fix planned for the following RVUs: J06.04.00 ? J06.18.01. No fix planned for H-Series NonStop systems. No fix planned for the product T2805 (Maintenance Entity). |
|
665 |
CVE-2020-7114 |
306 |
|
|
2020-04-16 |
2020-04-23 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
A vulnerability exists allowing attackers, when present in the same network segment as ClearPass' management interface, to make changes to certain databases in ClearPass by crafting HTTP packets. As a result of this attack, a possible complete cluster compromise might occur. Resolution: Fixed in 6.7.13, 6.8.4, 6.9.0 and higher. |
|
666 |
CVE-2020-7113 |
200 |
|
+Info |
2020-04-16 |
2021-07-21 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
A vulnerability was found when an attacker, while communicating with the ClearPass management interface, is able to intercept and change parameters in the HTTP packets resulting in the compromise of some of ClearPass' service accounts. Resolution: Fixed in 6.7.10, 6.8.1, 6.9.0 and higher. |
|
667 |
CVE-2020-7111 |
74 |
|
Exec Code |
2020-04-16 |
2020-04-22 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
A server side injection vulnerability exists which could allow an authenticated administrative user to achieve Remote Code Execution in ClearPass. Resolution: Fixed in 6.7.13, 6.8.4, 6.9.0 and higher. |
|
668 |
CVE-2020-7110 |
79 |
|
XSS |
2020-04-16 |
2020-04-22 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
ClearPass is vulnerable to Stored Cross Site Scripting by allowing a malicious administrator, or a compromised administrator account, to save malicious scripts within ClearPass that could be executed resulting in a privilege escalation attack. Resolution: Fixed in 6.7.13, 6.8.4, 6.9.0 and higher. |
|
669 |
CVE-2020-7085 |
787 |
|
Exec Code Overflow |
2020-04-17 |
2020-04-21 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
A heap overflow vulnerability in the Autodesk FBX-SDK versions 2019.2 and earlier may lead to arbitrary code execution on a system running it. |
|
670 |
CVE-2020-7084 |
476 |
|
DoS |
2020-04-17 |
2020-04-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
A NULL pointer dereference vulnerability in the Autodesk FBX-SDK versions 2019.0 and earlier may lead to denial of service of the application. |
|
671 |
CVE-2020-7083 |
190 |
|
DoS Overflow |
2020-04-17 |
2020-04-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
An intager overflow vulnerability in the Autodesk FBX-SDK versions 2019.0 and earlier may lead to denial of service of the application. |
|
672 |
CVE-2020-7082 |
416 |
|
Exec Code |
2020-04-17 |
2020-04-23 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
A use-after-free vulnerability in the Autodesk FBX-SDK versions 2019.0 and earlier may lead to code execution on a system running it. |
|
673 |
CVE-2020-7081 |
843 |
|
|
2020-04-17 |
2022-05-03 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
A type confusion vulnerability in the Autodesk FBX-SDK versions 2019.0 and earlier may lead to arbitary code read/write on the system running it. |
|
674 |
CVE-2020-7080 |
120 |
|
Exec Code Overflow |
2020-04-17 |
2020-04-21 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
A buffer overflow vulnerability in the Autodesk FBX-SDK versions 2019.0 and earlier may lead to arbitrary code execution on a system running it. |
|
675 |
CVE-2020-7079 |
426 |
|
Exec Code |
2020-04-17 |
2020-04-23 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An improper signature validation vulnerability in Autodesk Dynamo BIM versions 2.5.1 and 2.5.0 may lead to code execution through maliciously crafted DLL files. |
|
676 |
CVE-2020-7067 |
125 |
|
|
2020-04-27 |
2022-05-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes. |
|
677 |
CVE-2020-7066 |
|
|
|
2020-04-01 |
2022-05-08 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with user-supplied URL, if the URL contains zero (\0) character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() and possibly send some information to a wrong server. |
|
678 |
CVE-2020-7065 |
787 |
|
Exec Code Mem. Corr. |
2020-04-01 |
2021-12-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution. |
|
679 |
CVE-2020-7064 |
125 |
|
|
2020-04-01 |
2022-05-09 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
|
In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of uninitialized memory. This could potentially lead to information disclosure or crash. |
|
680 |
CVE-2020-7055 |
434 |
|
Exec Code |
2020-04-22 |
2020-04-28 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
An issue was discovered in Elementor 2.7.4. Arbitrary file upload is possible in the Elementor Import Templates function, allowing an attacker to execute code via a crafted ZIP archive. |
|
681 |
CVE-2020-7008 |
22 |
|
Dir. Trav. |
2020-04-03 |
2020-04-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may allow input passed in the URL that is not properly verified before use, which may allow an attacker to read arbitrary files from local resources. |
|
682 |
CVE-2020-7004 |
276 |
|
|
2020-04-03 |
2020-04-06 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may allow weak or insecure permissions on the VBASE directory resulting in elevation of privileges or malicious effects on the system the next time a privileged user runs the application. |
|
683 |
CVE-2020-7000 |
922 |
|
Bypass |
2020-04-03 |
2020-04-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may allow an unauthenticated attacker to discover the cryptographic key from the web server and gain information about the login and the encryption/decryption mechanism, which may be exploited to bypass authentication of the HTML5 HMI web interface. |
|
684 |
CVE-2020-6996 |
787 |
|
Overflow |
2020-04-15 |
2020-04-22 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Triangle MicroWorks DNP3 Outstation LibrariesDNP3 Outstation .NET Protocol components and DNP3 Outstation ANSI C source code libraries are affected:3.16.00 through 3.25.01. A specially crafted message may cause a stack-based buffer overflow. Authentication is not required to exploit this vulnerability. |
|
685 |
CVE-2020-6994 |
120 |
|
Overflow |
2020-04-03 |
2021-06-17 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
A buffer overflow vulnerability was found in some devices of Hirschmann Automation and Control HiOS and HiSecOS. The vulnerability is due to improper parsing of URL arguments. An attacker could exploit this vulnerability by specially crafting HTTP requests to overflow an internal buffer. The following devices using HiOS Version 07.0.02 and lower are affected: RSP, RSPE, RSPS, RSPL, MSP, EES, EES, EESX, GRS, OS, RED. The following devices using HiSecOS Version 03.2.00 and lower are affected: EAGLE20/30. |
|
686 |
CVE-2020-6992 |
269 |
|
Exec Code |
2020-04-15 |
2020-04-22 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
A local privilege escalation vulnerability has been identified in the GE Digital CIMPLICITY HMI/SCADA product v10.0 and prior. If exploited, this vulnerability could allow an adversary to modify the system, leading to the arbitrary execution of code. This vulnerability is only exploitable if an attacker has access to an authenticated session. GE Digital CIMPLICITY v11.0, released January 2020, contains mitigation for this local privilege escalation vulnerability. GE Digital recommends all users upgrade to GE CIMPLICITY v11.0 or newer. |
|
687 |
CVE-2020-6974 |
22 |
|
Dir. Trav. Bypass |
2020-04-07 |
2020-04-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Honeywell Notifier Web Server (NWS) Version 3.50 is vulnerable to a path traversal attack, which allows an attacker to bypass access to restricted directories. Honeywell has released a firmware update to address the problem. |
|
688 |
CVE-2020-6867 |
400 |
|
Overflow |
2020-04-30 |
2020-05-06 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
ZTE's SDON controller is impacted by the resource management error vulnerability. When RPC is frequently called by other applications in the case of mass traffic data in the system, it will result in no response for a long time and memory overflow risk. This affects: ZENIC ONE R22b versions V16.19.10P02SP002 and V16.19.10P02SP005. |
|
689 |
CVE-2020-6866 |
400 |
|
DoS |
2020-04-30 |
2021-07-21 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
A ZTE product is impacted by a resource management error vulnerability. An attacker could exploit this vulnerability to cause a denial of service by issuing a specific command. This affects: ZXCTN 6500 version V2.10.00R3B87. |
|
690 |
CVE-2020-6865 |
200 |
|
+Info |
2020-04-30 |
2020-05-05 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
ZTE SDN controller platform is impacted by an information leakage vulnerability. Due to the program's failure to optimize the response of failure to the request, the caller can directly view the internal error code location of the component. Attackers could exploit this vulnerability to obtain sensitive information. This affects: OSCP versions V16.19.10 and V16.19.20. |
|
691 |
CVE-2020-6852 |
287 |
|
|
2020-04-02 |
2021-07-21 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 has weak authentication of TELNET access, leading to root privileges without any password required. |
|
692 |
CVE-2020-6828 |
119 |
|
Exec Code Overflow |
2020-04-24 |
2021-07-21 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
A malicious Android application could craft an Intent that would have been processed by Firefox for Android and potentially result in a file overwrite in the user's profile directory. One exploitation vector for this would be to supply a user.js file providing arbitrary malicious preference values. Control of arbitrary preferences can lead to sufficient compromise such that it is generally equivalent to arbitrary code execution.<br> *Note: This issue only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.7. |
|
693 |
CVE-2020-6827 |
1021 |
|
|
2020-04-24 |
2020-05-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
When following a link that opened an intent://-schemed URL, causing a custom tab to be opened, Firefox for Android could be tricked into displaying the incorrect URI. <br> *Note: This issue only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.7. |
|
694 |
CVE-2020-6826 |
119 |
|
Overflow Mem. Corr. |
2020-04-24 |
2021-07-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Mozilla developers Tyson Smith, Bob Clary, and Alexandru Michis reported memory safety bugs present in Firefox 74. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 75. |
|
695 |
CVE-2020-6825 |
119 |
|
Overflow Mem. Corr. |
2020-04-24 |
2021-07-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Mozilla developers and community members Tyson Smith and Christian Holler reported memory safety bugs present in Firefox 74 and Firefox ESR 68.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. |
|
696 |
CVE-2020-6824 |
384 |
|
|
2020-04-24 |
2020-05-01 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Private Browsing Window, revisited the same site, and generated a new password - the generated passwords would have been identical, rather than independent. This vulnerability affects Firefox < 75. |
|
697 |
CVE-2020-6823 |
269 |
|
|
2020-04-24 |
2021-07-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
A malicious extension could have called <code>browser.identity.launchWebAuthFlow</code>, controlling the redirect_uri, and through the Promise returned, obtain the Auth code and gain access to the user's account at the service provider. This vulnerability affects Firefox < 75. |
|
698 |
CVE-2020-6822 |
787 |
|
|
2020-04-24 |
2020-05-01 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
On 32-bit builds, an out of bounds write could have occurred when processing an image larger than 4 GB in <code>GMPDecodeData</code>. It is possible that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. |
|
699 |
CVE-2020-6821 |
119 |
|
Overflow |
2020-04-24 |
2021-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
When reading from areas partially or fully outside the source resource with WebGL's <code>copyTexSubImage</code> method, the specification requires the returned values be zero. Previously, this memory was uninitialized, leading to potentially sensitive data disclosure. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. |
|
700 |
CVE-2020-6820 |
415 |
|
|
2020-04-24 |
2021-07-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1. |
