| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
751 |
CVE-2020-0020 |
119 |
|
Overflow |
2020-02-13 |
2020-02-18 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
In getAttributeRange of ExifInterface.java, there is a possible failure to redact location information from media files due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-143118731 |
|
752 |
CVE-2020-0018 |
532 |
|
|
2020-02-13 |
2020-02-18 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In MotionEntry::appendDescription of InputDispatcher.cpp, there is a possible log information disclosure. This could lead to local disclosure of user input with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-139945049 |
|
753 |
CVE-2020-0017 |
200 |
|
+Info |
2020-02-13 |
2021-07-21 |
3.3 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
None |
|
In multiple places, it was possible for the primary user’s dictionary to be visible to and modifiable by secondary users. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-123232892 |
|
754 |
CVE-2020-0015 |
269 |
|
|
2020-02-13 |
2021-07-21 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In onCreate of CertInstaller.java, there is a possible way to overlay the Certificate Installation dialog by a malicious application. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-139017101 |
|
755 |
CVE-2020-0014 |
1021 |
|
|
2020-02-13 |
2020-02-19 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable. This could lead to a local escalation of privilege with no additional execution privileges needed. User action is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-128674520 |
|
756 |
CVE-2020-0005 |
787 |
|
|
2020-02-13 |
2020-02-18 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
In btm_read_remote_ext_features_complete of btm_acl.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-141552859 |
|
757 |
CVE-2019-20481 |
287 |
|
|
2020-02-24 |
2020-08-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In MIELE XGW 3000 ZigBee Gateway before 2.4.0, the Password Change Function does not require knowledge of the old password. This can be exploited in conjunction with CVE-2019-20480. |
|
758 |
CVE-2019-20480 |
352 |
|
CSRF |
2020-02-24 |
2020-02-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
In MIELE XGW 3000 ZigBee Gateway before 2.4.0, a malicious website visited by an authenticated admin user or a malicious mail is allowed to make arbitrary changes in the "admin panel" because there is no CSRF protection. |
|
759 |
CVE-2019-20479 |
601 |
|
|
2020-02-20 |
2022-01-01 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning. |
|
760 |
CVE-2019-20478 |
20 |
|
Exec Code |
2020-02-19 |
2021-07-21 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls this method with an untrusted argument. In other words, this issue affects developers who are unaware of the need to use methods such as safe_load in these use cases. |
|
761 |
CVE-2019-20477 |
502 |
|
|
2020-02-19 |
2022-01-01 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342. |
|
762 |
CVE-2019-20474 |
918 |
|
|
2020-02-17 |
2022-01-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network and port scan operations of the localhost or the hosts on the same network segment, aka SSRF. |
|
763 |
CVE-2019-20456 |
426 |
|
|
2020-02-16 |
2020-02-26 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Goverlan Reach Console before 9.50, Goverlan Reach Server before 3.50, and Goverlan Client Agent before 9.20.50 have an Untrusted Search Path that leads to Command Injection and Local Privilege Escalation via DLL hijacking. |
|
764 |
CVE-2019-20455 |
295 |
|
|
2020-02-14 |
2021-11-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Gateways/Gateway.php in Heartland & Global Payments PHP SDK before 2.0.0 does not enforce SSL certificate validations. |
|
765 |
CVE-2019-20454 |
125 |
|
|
2020-02-14 |
2020-07-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c. |
|
766 |
CVE-2019-20451 |
434 |
|
Exec Code |
2020-02-10 |
2021-09-09 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The HTTP API in Prismview System 9 11.10.17.00 and Prismview Player 11 13.09.1100 allows remote code execution by uploading RebootSystem.lnk and requesting /REBOOTSYSTEM or /RESTARTVNC. (Authentication is required but an XML file containing credentials can be downloaded.) |
|
767 |
CVE-2019-20447 |
89 |
|
Sql |
2020-02-05 |
2020-02-07 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Jobberbase 2.0 has SQL injection via the PATH_INFO to the jobs-in endpoint. |
|
768 |
CVE-2019-20446 |
400 |
|
DoS |
2020-02-02 |
2021-01-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially. |
|
769 |
CVE-2019-20406 |
427 |
|
|
2020-02-06 |
2021-12-13 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The usage of Tomcat in Confluence on the Microsoft Windows operating system before version 7.0.5, and from version 7.1.0 before version 7.1.1 allows local system attackers who have permission to write a DLL file in a directory in the global path environmental variable variable to inject code & escalate their privileges via a DLL hijacking vulnerability. |
|
770 |
CVE-2019-20405 |
352 |
|
CSRF |
2020-02-06 |
2022-03-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The JMX monitoring flag in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to turn the JMX monitoring flag off or on via a Cross-site request forgery (CSRF) vulnerability. |
|
771 |
CVE-2019-20404 |
|
|
|
2020-02-06 |
2022-03-30 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability. |
|
772 |
CVE-2019-20403 |
|
|
|
2020-02-06 |
2022-03-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The API in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to determine if a Jira project key exists or not via an information disclosure vulnerability. |
|
773 |
CVE-2019-20402 |
|
|
|
2020-02-06 |
2020-08-24 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability. |
|
774 |
CVE-2019-20401 |
352 |
|
CSRF |
2020-02-06 |
2022-03-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery (CSRF) vulnerabilities. |
|
775 |
CVE-2019-20400 |
427 |
|
|
2020-02-06 |
2022-03-25 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The usage of Tomcat in Jira before version 8.5.2 allows local attackers with permission to write a dll file to a directory in the global path environmental variable can inject code into via a DLL hijacking vulnerability. |
|
776 |
CVE-2019-20174 |
79 |
|
XSS |
2020-02-03 |
2020-02-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Auth0 Lock before 11.21.0 allows XSS when additionalSignUpFields is used with an untrusted placeholder. |
|
777 |
CVE-2019-20173 |
79 |
|
XSS |
2020-02-05 |
2020-02-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Auth0 wp-auth0 plugin 3.11.x before 3.11.3 for WordPress allows XSS via a wle parameter associated with wp-login.php. |
|
778 |
CVE-2019-20106 |
276 |
|
|
2020-02-06 |
2022-03-30 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug. |
|
779 |
CVE-2019-20104 |
776 |
|
DoS |
2020-02-06 |
2022-01-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability. |
|
780 |
CVE-2019-20100 |
352 |
|
CSRF |
2020-02-12 |
2022-03-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present. |
|
781 |
CVE-2019-20099 |
352 |
|
CSRF |
2020-02-12 |
2022-03-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present. |
|
782 |
CVE-2019-20098 |
352 |
|
CSRF |
2020-02-12 |
2022-03-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present. |
|
783 |
CVE-2019-20062 |
916 |
|
|
2020-02-10 |
2021-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
MFScripts YetiShare v3.5.2 through v4.5.4 might allow an attacker to reset a password by using a leaked hash (the hash never expires until used). |
|
784 |
CVE-2019-20061 |
319 |
|
|
2020-02-10 |
2020-02-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The user-introduction email in MFScripts YetiShare v3.5.2 through v4.5.4 may leak the (system-picked) password if this email is sent in cleartext. In other words, the user is not allowed to choose their own initial password. |
|
785 |
CVE-2019-20060 |
922 |
|
+Info |
2020-02-10 |
2020-02-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
MFScripts YetiShare v3.5.2 through v4.5.4 places sensitive information in the Referer header. If this leaks, then third parties may discover password-reset hashes, file-delete links, or other sensitive information. |
|
786 |
CVE-2019-20059 |
352 |
|
Sql |
2020-02-10 |
2020-02-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
payment_manage.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.4 directly insert values from the sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection. NOTE: this issue exists because of an incomplete fix for CVE-2019-19732. |
|
787 |
CVE-2019-20046 |
287 |
|
Exec Code |
2020-02-14 |
2020-02-25 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Synergy Systems & Solutions PLC & RTU system has a vulnerability in HUSKY RTU 6049-E70 firmware versions 5.0 and prior. The affected product does not require adequate authentication, which may allow an attacker to read sensitive information or execute arbitrary code. This is a different issue than CVE-2019-16879 and CVE-2019-20045. |
|
788 |
CVE-2019-20045 |
20 |
|
|
2020-02-14 |
2020-02-25 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The Synergy Systems & Solutions PLC & RTU system has a vulnerability in HUSKY RTU 6049-E70 firmware versions 5.0 and prior. Specially crafted malicious packets could cause disconnection of active authentic connections or reboot of device. This is a different issue than CVE-2019-16879 and CVE-2019-20046. |
|
789 |
CVE-2019-20044 |
273 |
|
Exec Code +Priv |
2020-02-24 |
2021-09-16 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULE_PATH=/dir/with/module zmodload with a module that calls setuid(). |
|
790 |
CVE-2019-19994 |
78 |
|
Exec Code |
2020-02-26 |
2020-02-27 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. It allows blind Command Injection. An attacker without authentication is able to execute arbitrary operating system command by injecting the vulnerable parameter in the PHP Web page /common/vam_monitor_sap.php. |
|
791 |
CVE-2019-19993 |
209 |
|
|
2020-02-26 |
2020-02-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. Several full path disclosure vulnerability were discovered. A user, even with no authentication, may simply send arbitrary content to the vulnerable pages to generate error messages that expose some full paths. |
|
792 |
CVE-2019-19992 |
200 |
|
+Info |
2020-02-26 |
2021-07-21 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. A user with valid credentials is able to read XML files on the filesystem via the web interface. The PHP page /common/vam_editXml.php doesn't check the parameter that identifies the file name to be read. Thus, an attacker can manipulate the file name to access a potentially sensitive file within the filesystem. |
|
793 |
CVE-2019-19991 |
79 |
|
XSS |
2020-02-26 |
2020-02-27 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. Multiple Reflected Cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via the web pages /vam/vam_anagraphic.php, /vam/vam_vamuser.php, /common/vamp_main.php, and /wiz/change_password.php. |
|
794 |
CVE-2019-19990 |
79 |
|
XSS |
2020-02-26 |
2020-02-27 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. Multiple Stored Cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via the web pages /monitor/s_headmodel.php and /vam/vam_user.php. |
|
795 |
CVE-2019-19989 |
862 |
|
|
2020-02-26 |
2020-02-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. Several PHP pages, and other type of files, are reachable by any user without checking for user identity and authorization. |
|
796 |
CVE-2019-19988 |
787 |
|
|
2020-02-26 |
2020-02-27 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. A user with valid credentials is able to create and write XML files on the filesystem via /common/vam_editXml.php in the web interface. The vulnerable PHP page checks none of these: the parameter that identifies the file name to be created, the destination path, or the extension. Thus, an attacker can manipulate the file name to create any type of file within the filesystem with arbitrary content. |
|
797 |
CVE-2019-19987 |
352 |
|
CSRF |
2020-02-26 |
2020-02-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. It allows Cross-Site Request Forgery (CSRF) on any HTML form. An attacker can exploit the vulnerability to abuse functionalities such as change password, add user, add privilege, and so on. |
|
798 |
CVE-2019-19986 |
89 |
|
Sql +Info |
2020-02-26 |
2020-02-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. An attacker without authentication is able to execute arbitrary SQL SELECT statements by injecting the HTTP (POST or GET) parameter persoid into /tools/VamPersonPhoto.php. The SQL Injection type is Error-based (this means that relies on error messages thrown by the database server to obtain information about the structure of the database). |
|
799 |
CVE-2019-19968 |
79 |
|
XSS |
2020-02-04 |
2020-02-05 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
PandoraFMS 742 suffers from multiple XSS vulnerabilities, affecting the Agent Management, Report Builder, and Graph Builder components. An authenticated user can inject dangerous content into a data store that is later read and included in dynamic content. |
|
800 |
CVE-2019-19943 |
415 |
|
Exec Code Mem. Corr. |
2020-02-28 |
2021-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The HTTP service in quickweb.exe in Pablo Quick 'n Easy Web Server 3.3.8 allows Remote Unauthenticated Heap Memory Corruption via a large host or domain parameter. It may be possible to achieve remote code execution because of a double free. |
