CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
701 CVE-2020-6819 416 2020-04-24 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1.
702 CVE-2020-6765 78 Exec Code 2020-04-10 2020-04-13
6.5
None Remote Low ??? Partial Partial Partial
D-Link DSL-GS225 J1 AU_1.0.4 devices allow an admin to execute OS commands by placing shell metacharacters after a supported CLI command, as demonstrated by ping -c1 127.0.0.1; cat/etc/passwd. The CLI is reachable by TELNET.
703 CVE-2020-6753 79 XSS 2020-04-01 2020-04-01
4.3
None Remote Medium Not required None Partial None
The Login by Auth0 plugin before 4.0.0 for WordPress allows stored XSS on multiple pages, a different issue than CVE-2020-5392.
704 CVE-2020-6647 79 XSS 2020-04-07 2020-04-09
3.5
None Remote Medium ??? None Partial None
An improper neutralization of input vulnerability in the dashboard of FortiADC may allow an authenticated attacker to perform a cross site scripting attack (XSS) via the name parameter.
705 CVE-2020-6579 79 XSS 2020-04-30 2020-05-01
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in mailhive/cloudbeez/cloudloader.php and mailhive/cloudbeez/cloudloader_core.php in the MailBeez plugin for ZenCart before 3.9.22 allows remote attackers to inject arbitrary web script or HTML via the cloudloader_mode parameter.
706 CVE-2020-6456 276 Bypass 2020-04-13 2020-07-02
4.3
None Remote Medium Not required Partial None None
Insufficient validation of untrusted input in clipboard in Google Chrome prior to 81.0.4044.92 allowed a local attacker to bypass site isolation via crafted clipboard contents.
707 CVE-2020-6455 125 2020-04-13 2020-07-02
6.8
None Remote Medium Not required Partial Partial Partial
Out of bounds read in WebSQL in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
708 CVE-2020-6454 416 2020-04-13 2022-05-03
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in extensions in Google Chrome prior to 81.0.4044.92 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.
709 CVE-2020-6452 787 Overflow 2020-04-13 2020-04-15
6.8
None Remote Medium Not required Partial Partial Partial
Heap buffer overflow in media in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
710 CVE-2020-6451 416 2020-04-13 2022-04-06
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in WebAudio in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
711 CVE-2020-6450 416 2020-04-13 2022-04-06
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in WebAudio in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
712 CVE-2020-6448 416 2020-04-13 2022-05-03
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in V8 in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
713 CVE-2020-6447 125 2020-04-13 2022-04-22
6.8
None Remote Medium Not required Partial Partial Partial
Inappropriate implementation in developer tools in Google Chrome prior to 81.0.4044.92 allowed a remote attacker who had convinced the user to use devtools to potentially exploit heap corruption via a crafted HTML page.
714 CVE-2020-6446 276 Bypass 2020-04-13 2020-07-02
4.3
None Remote Medium Not required None Partial None
Insufficient policy enforcement in trusted types in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass content security policy via a crafted HTML page.
715 CVE-2020-6445 276 Bypass 2020-04-13 2020-07-02
4.3
None Remote Medium Not required None Partial None
Insufficient policy enforcement in trusted types in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass content security policy via a crafted HTML page.
716 CVE-2020-6444 908 2020-04-13 2022-04-22
6.8
None Remote Medium Not required Partial Partial Partial
Uninitialized use in WebRTC in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
717 CVE-2020-6443 345 Exec Code 2020-04-13 2020-07-02
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient data validation in developer tools in Google Chrome prior to 81.0.4044.92 allowed a remote attacker who had convinced the user to use devtools to execute arbitrary code via a crafted HTML page.
718 CVE-2020-6442 668 2020-04-13 2020-07-02
4.3
None Remote Medium Not required Partial None None
Inappropriate implementation in cache in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
719 CVE-2020-6441 276 Bypass 2020-04-13 2020-07-02
4.3
None Remote Medium Not required None Partial None
Insufficient policy enforcement in omnibox in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass security UI via a crafted HTML page.
720 CVE-2020-6440 +Info 2020-04-13 2020-07-02
4.3
None Remote Medium Not required Partial None None
Inappropriate implementation in extensions in Google Chrome prior to 81.0.4044.92 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information via a crafted Chrome Extension.
721 CVE-2020-6439 276 Bypass 2020-04-13 2020-07-02
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient policy enforcement in navigations in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass security UI via a crafted HTML page.
722 CVE-2020-6438 209 +Info 2020-04-13 2022-04-22
4.3
None Remote Medium Not required Partial None None
Insufficient policy enforcement in extensions in Google Chrome prior to 81.0.4044.92 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension.
723 CVE-2020-6437 2020-04-13 2020-07-02
4.3
None Remote Medium Not required None Partial None
Inappropriate implementation in WebView in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to spoof security UI via a crafted application.
724 CVE-2020-6436 416 2020-04-13 2022-04-22
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in window management in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
725 CVE-2020-6435 Bypass 2020-04-13 2020-07-02
4.3
None Remote Medium Not required None Partial None
Insufficient policy enforcement in extensions in Google Chrome prior to 81.0.4044.92 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page.
726 CVE-2020-6434 416 2020-04-13 2022-04-22
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in devtools in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
727 CVE-2020-6433 Bypass 2020-04-13 2020-07-02
4.3
None Remote Medium Not required None Partial None
Insufficient policy enforcement in extensions in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
728 CVE-2020-6432 Bypass 2020-04-13 2020-07-02
4.3
None Remote Medium Not required None Partial None
Insufficient policy enforcement in navigations in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
729 CVE-2020-6431 276 2020-04-13 2020-07-02
4.3
None Remote Medium Not required None Partial None
Insufficient policy enforcement in full screen in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to spoof security UI via a crafted HTML page.
730 CVE-2020-6430 843 2020-04-13 2022-04-22
6.8
None Remote Medium Not required Partial Partial Partial
Type Confusion in V8 in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
731 CVE-2020-6423 416 2020-04-13 2022-04-22
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in audio in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
732 CVE-2020-6238 20 2020-04-14 2020-04-24
6.4
None Remote Low Not required Partial None Partial
SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and availability (partially) of SAP Commerce.
733 CVE-2020-6237 200 +Info 2020-04-14 2021-07-21
5.0
None Remote Low Not required Partial None None
Under certain conditions, SAP Business Objects Business Intelligence Platform, version 4.1, 4.2, dswsbobje web application allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure.
734 CVE-2020-6236 269 2020-04-14 2020-04-15
6.5
None Remote Low ??? Partial Partial Partial
SAP Landscape Management, version 3.0, and SAP Adaptive Extensions, version 1.0, allows an attacker with admin_group privileges to change ownership and permissions (including S-user ID bit s-bit) of arbitrary files remotely. This results in the possibility to execute these files as root user from a non-root context, leading to Privilege Escalation.
735 CVE-2020-6235 306 2020-04-14 2022-04-06
5.0
None Remote Low Not required Partial None None
SAP Solution Manager (Diagnostics Agent), version 7.2, does not perform the authentication check for the functionalities of the Collector Simulator, leading to Missing Authentication.
736 CVE-2020-6234 +Priv 2020-04-14 2022-04-29
6.5
None Remote Low ??? Partial Partial Partial
SAP Host Agent, version 7.21, allows an attacker with admin privileges to use the operation framework to gain root privileges over the underlying operating system, leading to Privilege Escalation.
737 CVE-2020-6233 862 2020-04-14 2020-04-15
4.0
None Remote Low ??? None None Partial
SAP S/4 HANA (Financial Products Subledger and Banking Services), versions - FSAPPL 400, 450, 500 and S4FPSL 100, allows an authenticated user to run an analysis report due to Missing Authorization Check, resulting in slowing the system.
738 CVE-2020-6232 862 2020-04-14 2020-04-15
5.0
None Remote Low Not required Partial None None
SAP Commerce, versions 1811, 1905, does not perform necessary authorization checks for an anonymous user, due to Missing Authorization Check. This affects confidentiality of secure media.
739 CVE-2020-6231 79 XSS 2020-04-14 2020-04-15
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
740 CVE-2020-6230 94 Exec Code 2020-04-14 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
SAP OrientDB, version 3.0, allows an authenticated attacker with script execute/write permissions to inject code that can be executed by the application and lead to Code Injection. An attacker could thereby control the behavior of the application.
741 CVE-2020-6229 79 XSS 2020-04-14 2020-04-15
4.3
None Remote Medium Not required None Partial None
SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME), versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not sufficiently encode user controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability.
742 CVE-2020-6228 354 2020-04-14 2020-04-15
4.3
None Remote Medium Not required None Partial None
SAP Business Client, versions 6.5, 7.0, does not perform necessary integrity checks which could be exploited by an attacker under certain conditions to modify the installer.
743 CVE-2020-6227 20 2020-04-14 2021-07-21
5.0
None Remote Low Not required None Partial None
SAP Business Objects Business Intelligence Platform (CMS / Auditing issues), version 4.2, allows attacker to send specially crafted GIOP packets to several services due to Improper Input Validation, allowing to forge additional entries in GLF log files.
744 CVE-2020-6226 79 XSS 2020-04-14 2020-04-15
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
745 CVE-2020-6225 22 Dir. Trav. 2020-04-14 2020-04-15
6.5
None Remote Low ??? Partial Partial Partial
SAP NetWeaver (Knowledge Management), versions (KMC-CM - 7.00, 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 and KMC-WPC 7.30, 7.31, 7.40, 7.50), does not sufficiently validate path information provided by users, thus characters representing traverse to parent directory are passed through to the file APIs, allowing the attacker to overwrite, delete, or corrupt arbitrary files on the remote server, leading to Path Traversal.
746 CVE-2020-6224 200 +Info 2020-04-14 2021-07-21
3.5
None Remote Medium ??? Partial None None
SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user logs in and sends request with login credentials, leading to Information Disclosure.
747 CVE-2020-6223 601 2020-04-14 2020-04-15
5.8
None Remote Medium Not required Partial Partial None
The open document of SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, allows an attacker to modify certain error pages to include malicious content. This can misdirect a user who is tricked into accessing these error pages rendered by the application, leading to Content Spoofing.
748 CVE-2020-6222 79 XSS 2020-04-14 2020-04-15
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
749 CVE-2020-6221 79 XSS 2020-04-14 2020-04-15
3.5
None Remote Medium ??? None Partial None
Web Intelligence HTML interface in SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
750 CVE-2020-6219 502 DoS Exec Code 2020-04-14 2020-04-15
6.5
None Remote Low ??? Partial Partial Partial
SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4.1, 4.2, and Crystal Reports for VS version 2010, allows an attacker with basic authorization to perform deserialization attack in the application, leading to service interruptions and denial of service and unauthorized execution of arbitrary commands, leading to Deserialization of Untrusted Data.
Total number of vulnerabilities : 2187   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 (This Page)16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.