CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
851 CVE-2020-5266 79 XSS 2020-04-16 2020-04-22
3.5
None Remote Medium ??? None Partial None
In the ps_link module for PrestaShop before version 3.1.0, there is a stored XSS when you create or edit a link list block with the title field. The problem is fixed in 3.1.0
852 CVE-2020-5265 79 XSS 2020-04-20 2020-04-23
4.3
None Remote Medium Not required None Partial None
In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on AdminAttributesGroups page. The problem is patched in 1.7.6.5.
853 CVE-2020-5264 79 XSS 2020-04-20 2020-04-23
4.3
None Remote Medium Not required None Partial None
In PrestaShop before version 1.7.6.5, there is a reflected XSS while running the security compromised page. It allows anyone to execute arbitrary action. The problem is patched in the 1.7.6.5.
854 CVE-2020-5263 522 2020-04-09 2020-04-10
4.0
None Remote Low ??? Partial None None
auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3
855 CVE-2020-5260 522 2020-04-14 2021-03-19
5.0
None Remote Low Not required Partial None None
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
856 CVE-2020-4415 787 Exec Code Overflow 2020-04-23 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
IBM Spectrum Protect 7.1 and 8.1 server is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. This could allow a remote attacker to execute arbitrary code on the system with the privileges of an administrator or user associated with the Spectrum Protect server or cause the Spectrum Protect server to crash. IBM X-Force ID: 179990.
857 CVE-2020-4362 269 2020-04-10 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. IBM X-Force ID: 178929.
858 CVE-2020-4353 20 2020-04-23 2021-07-21
2.1
None Local Low Not required None None Partial
IBM MaaS360 6.82 could allow a user with pysical access to the device to crash the application which may enable the user to access restricted applications and device settings. IBM X-Force ID: 178505.
859 CVE-2020-4347 269 2020-04-16 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could be subject to attacks based on privilege escalation due to inappropriate file permissions for files used by WebSphere Application Server Network Deployment. IBM X-Force ID: 178412.
860 CVE-2020-4338 200 +Info 2020-04-16 2020-04-22
2.1
None Local Low Not required Partial None None
IBM MQ 9.1.4 could allow a local attacker to obtain sensitive information by inclusion of sensitive data within runmqras data. IBM X-Force ID: 177937.
861 CVE-2020-4329 200 +Info 2020-04-28 2021-07-21
4.0
None Remote Low ??? Partial None None
IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841.
862 CVE-2020-4325 119 Overflow 2020-04-02 2021-07-21
4.0
None Remote Low ??? None None Partial
The IBM Process Federation Server 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, and 19.0.0.3 Global Teams REST API does not properly shutdown the thread pools that it creates to retrieve Global Teams information from the federated systems. As a consequence, the Java Virtual Machine can't recover the memory used by those thread pools, which leads to an OutOfMemory exception when the Process Federation Server Global Teams REST API is used extensively. IBM X-Force ID: 177596.
863 CVE-2020-4311 732 Exec Code 2020-04-23 2020-04-28
6.9
None Local Medium Not required Complete Complete Complete
IBM Tivoli Monitoring 6.3.0 could allow a local attacker to execute arbitrary code on the system. By placing a specially crafted file, an attacker could exploit this vulnerability to load other DLL files located in the same directory and execute arbitrary code on the system. IBM X-Force ID: 177083.
864 CVE-2020-4304 79 XSS 2020-04-02 2020-04-02
4.3
None Remote Medium Not required None Partial None
IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176670.
865 CVE-2020-4303 79 XSS 2020-04-02 2020-04-02
4.3
None Remote Medium Not required None Partial None
IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176668.
866 CVE-2020-4294 918 2020-04-15 2022-06-29
6.5
None Remote Low ??? Partial Partial Partial
IBM QRadar 7.3.0 to 7.3.3 Patch 2 is vulnerable to Server Side Request Forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-ForceID: 176404.
867 CVE-2020-4291 384 2020-04-08 2020-04-08
4.3
None Remote Medium Not required Partial None None
IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web UI. IBM X-Force ID: 176334.
868 CVE-2020-4290 290 2020-04-08 2020-04-08
5.5
None Remote Low ??? Partial Partial None
IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow any authenticated user to spoof the configuration owner of any other user which disclose sensitive information or allow for unauthorized access. IBM X-Force ID: 176333.
869 CVE-2020-4289 200 +Info 2020-04-08 2021-07-21
5.0
None Remote Low Not required Partial None None
IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 176332.
870 CVE-2020-4284 200 +Info 2020-04-08 2021-07-21
5.0
None Remote Low Not required Partial None None
IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web UI. IBM X-Force ID: 176207.
871 CVE-2020-4282 287 Bypass 2020-04-08 2021-07-21
4.0
None Remote Low ??? None Partial None
IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow an authenticated user to perform unauthorized actions by bypassing illegal character restrictions. X-Force ID: 176205.
872 CVE-2020-4277 200 +Info 2020-04-17 2021-07-21
5.0
None Remote Low Not required Partial None None
IBM TRIRIGA Application Platform 3.5.3 and 3.6.1 discloses sensitive information in error messages that could aid an attacker formulate future attacks. IBM X-Force ID: 175993.
873 CVE-2020-4274 276 2020-04-15 2022-06-29
5.5
None Remote Low ??? Partial Partial None
IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow an authenticated user to access data and perform unauthorized actions due to inadequate permission checks. IBM X-ForceID: 175980.
874 CVE-2020-4273 269 Exec Code 2020-04-03 2021-07-21
6.9
None Local Medium Not required Complete Complete Complete
IBM Spectrum Scale 4.2 and 5.0 could allow a local unprivileged attacker with intimate knowledge of the enviornment to execute commands as root using specially crafted input. IBM X-Force ID: 175977.
875 CVE-2020-4272 22 Exec Code Dir. Trav. 2020-04-15 2022-04-18
6.5
None Remote Low ??? Partial Partial Partial
IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted request specify a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable server. IBM X-ForceID: 175898.
876 CVE-2020-4271 502 Exec Code 2020-04-15 2022-04-18
6.5
None Remote Low ??? Partial Partial Partial
IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow an authenticated user to send a specially crafted command which would be executed as a lower privileged user. IBM X-ForceID: 175897.
877 CVE-2020-4270 276 +Priv 2020-04-15 2022-06-29
4.6
None Local Low Not required Partial Partial Partial
IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow a local user to gain escalated privileges due to weak file permissions. IBM X-ForceID: 175846.
878 CVE-2020-4269 798 2020-04-15 2022-06-29
5.0
None Remote Low Not required Partial None None
IBM QRadar 7.3.0 to 7.3.3 Patch 2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-ForceID: 175845.
879 CVE-2020-4268 79 XSS 2020-04-15 2020-04-20
3.5
None Remote Medium ??? None Partial None
IBM QRadar 7.3.0 to 7.3.3 Patch 2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-ForceID: 175841.
880 CVE-2020-4267 772 DoS 2020-04-24 2021-07-21
4.0
None Remote Low ??? None None Partial
IBM MQ and MQ Appliance 8.0, 9.1 LTS, and 9.1 CD could allow an authenticated user cause a denial of service due to a memory leak. IBM X-Force ID: 175840.
881 CVE-2020-4260 200 +Info 2020-04-16 2021-07-21
4.0
None Remote Low ??? Partial None None
IBM UrbanCode Deploy (UCD) 7.0.5 could allow a user with special permissions to obtain sensitive information via generic processes. IBM X-Force ID: 175639.
882 CVE-2020-4252 79 XSS 2020-04-08 2020-04-10
3.5
None Remote Medium ??? None Partial None
IBM DOORS Next Generation (DNG/RRC) 6.0.2. 6.0.6, and 6.0.61 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 175490.
883 CVE-2020-4202 269 2020-04-23 2021-07-21
6.0
None Remote Medium ??? Partial Partial Partial
IBM UrbanCode Deploy (UCD) 7.0.3.0 and 7.0.4.0 could allow an authenticated user to impersonate another user if the server is configured to enable Distributed Front End (DFE). IBM X-Force ID: 174955.
884 CVE-2020-4164 200 +Info 2020-04-08 2021-07-21
4.0
None Remote Low ??? Partial None None
IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could expose sensitive information from applicatino errors which could be used in further attacks against the system. IBM X-Force ID: 174400.
885 CVE-2020-4151 862 2020-04-14 2021-07-21
4.0
None Remote Low ??? None Partial None
IBM QRadar SIEM 7.3.0 through 7.3.3 could allow an authenticated attacker to perform unauthorized actions due to improper input validation. IBM X-Force ID: 174201.
886 CVE-2020-4085 200 +Info 2020-04-22 2021-07-21
4.0
None Remote Low ??? Partial None None
"HCL Connections is vulnerable to possible information leakage and could disclose sensitive information via stack trace to a local user."
887 CVE-2020-3955 79 XSS 2020-04-29 2020-05-08
4.3
None Remote Medium Not required None Partial None
ESXi 6.5 without patch ESXi650-201912104-SG and ESXi 6.7 without patch ESXi670-202004103-SG do not properly neutralize script-related HTML when viewing virtual machines attributes. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.3.
888 CVE-2020-3954 601 2020-04-15 2021-07-21
5.8
None Remote Medium Not required Partial Partial None
Open Redirect vulnerability exists in VMware vRealize Log Insight prior to 8.1.0 due to improper Input validation.
889 CVE-2020-3953 79 XSS 2020-04-15 2021-07-21
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability exists in VMware vRealize Log Insight prior to 8.1.0 due to improper Input validation.
890 CVE-2020-3952 287 2020-04-10 2021-12-13
6.8
None Remote Medium Not required Partial Partial Partial
Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.
891 CVE-2020-3946 400 2020-04-20 2021-07-21
5.0
None Remote Low Not required None None Partial
InstallBuilder AutoUpdate tool and regular installers enabling <checkForUpdates> built with versions earlier than 19.11 are vulnerable to Billion laughs attack (denial-of-service).
892 CVE-2020-3932 200 +Info 2020-04-15 2021-07-21
5.0
None Remote Low Not required Partial None None
A vulnerable SNMP in Draytek VigorAP910C cannot be disabled, which may cause information leakage.
893 CVE-2020-3919 119 Exec Code Overflow 2020-04-01 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. A malicious application may be able to execute arbitrary code with kernel privileges.
894 CVE-2020-3917 668 2020-04-01 2020-04-03
2.1
None Local Low Not required None Partial None
This issue was addressed with a new entitlement. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2. An application may be able to use an SSH client provided by private frameworks.
895 CVE-2020-3916 200 +Info 2020-04-01 2021-07-21
5.0
None Remote Low Not required Partial None None
An access issue was addressed with additional sandbox restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, watchOS 6.2. Setting an alternate app icon may disclose a photo without needing permission to access photos.
896 CVE-2020-3914 401 2020-04-01 2020-04-02
4.3
None Remote Medium Not required Partial None None
A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. An application may be able to read restricted memory.
897 CVE-2020-3913 269 2020-04-01 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
A permissions issue existed. This issue was addressed with improved permission validation. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, watchOS 6.2. A malicious application may be able to elevate privileges.
898 CVE-2020-3912 125 2020-04-01 2020-04-02
6.6
None Local Low Not required Complete None Complete
An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.4. A local user may be able to cause unexpected system termination or read kernel memory.
899 CVE-2020-3911 120 Overflow 2020-04-01 2020-04-02
7.5
None Remote Low Not required Partial Partial Partial
A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Multiple issues in libxml2.
900 CVE-2020-3910 120 Overflow 2020-04-01 2020-04-02
7.5
None Remote Low Not required Partial Partial Partial
A buffer overflow was addressed with improved size validation. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Multiple issues in libxml2.
Total number of vulnerabilities : 2187   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 (This Page)19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.