CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In May 2020 (CVSS score >= 2)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
901 CVE-2020-1021 362 2020-05-21 2022-04-26
4.6
None Local Low Not required Partial Partial Partial
An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files, aka 'Windows Error Reporting Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1082, CVE-2020-1088.
902 CVE-2020-1010 269 2020-05-21 2021-07-21
7.2
None Local Low Not required Complete Complete Complete
An elevation of privilege vulnerability exists in Windows Block Level Backup Engine Service (wbengine) that allows file deletion in arbitrary locations.To exploit the vulnerability, an attacker would first have to log on to the system, aka 'Microsoft Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1068, CVE-2020-1079.
903 CVE-2020-0963 200 +Info 2020-05-21 2021-07-21
4.3
None Remote Medium Not required Partial None None
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2020-1141, CVE-2020-1145, CVE-2020-1179.
904 CVE-2020-0909 20 DoS 2020-05-21 2021-07-21
5.0
None Remote Low Not required None None Partial
A denial of service vulnerability exists when Hyper-V on a Windows Server fails to properly handle specially crafted network packets.To exploit the vulnerability, an attacker would send specially crafted network packets to the Hyper-V Server.The security update addresses the vulnerability by resolving the conditions where Hyper-V would fail to properly handle these network packets., aka 'Windows Hyper-V Denial of Service Vulnerability'.
905 CVE-2020-0901 119 Exec Code Overflow 2020-05-21 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'.
906 CVE-2020-0221 119 Overflow 2020-05-14 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
Airbrush FW's scratch memory allocator is susceptible to numeric overflow. When the overflow occurs, the next allocation could potentially return a pointer within the previous allocation's memory, which could lead to improper memory access.Product: AndroidVersions: Android kernelAndroid ID: A-135772851
907 CVE-2020-0220 787 2020-05-14 2020-05-15
4.6
None Local Low Not required Partial Partial Partial
In crus_afe_callback of msm-cirrus-playback.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-139739561
908 CVE-2020-0110 787 2020-05-14 2021-12-06
4.6
None Local Low Not required Partial Partial Partial
In psi_write of psi.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-148159562References: Upstream kernel
909 CVE-2020-0109 269 2020-05-14 2021-07-21
4.6
None Local Low Not required Partial Partial Partial
In simulatePackageSuspendBroadcast of NotificationManagerService.java, there is a missing permission check. This could lead to local escalation of privilege by creating fake system notifications with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10Android ID: A-148059175
910 CVE-2020-0106 200 Bypass +Info 2020-05-14 2021-07-21
2.1
None Local Low Not required Partial None None
In getCellLocation of PhoneInterfaceManager.java, there is a possible permission bypass due to a missing SDK version check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-148414207
911 CVE-2020-0105 269 2020-05-14 2021-07-21
4.6
None Local Low Not required Partial Partial Partial
In onKeyguardVisibilityChanged of key_store_service.cpp, there is a missing permission check. This could lead to local escalation of privilege, allowing apps to use keyguard-bound keys when the screen is locked, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10Android ID: A-144285084
912 CVE-2020-0104 200 +Info 2020-05-14 2021-07-21
2.1
None Local Low Not required Partial None None
In onShowingStateChanged of KeyguardStateMonitor.java, there is a possible inappropriate read due to a logic error. This could lead to local information disclosure of keyguard-protected data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10Android ID: A-144430870
913 CVE-2020-0103 119 Exec Code Overflow Mem. Corr. 2020-05-14 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
In a2dp_aac_decoder_cleanup of a2dp_aac_decoder.cc, there is a possible invalid free due to memory corruption. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-9Android ID: A-148107188
914 CVE-2020-0102 787 2020-05-14 2020-05-15
4.6
None Local Low Not required Partial Partial Partial
In GattServer::SendResponse of gatt_server.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-143231677
915 CVE-2020-0101 200 +Info 2020-05-14 2021-07-21
2.1
None Local Low Not required Partial None None
In BnCrypto::onTransact of ICrypto.cpp, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-144767096
916 CVE-2020-0100 125 2020-05-14 2020-05-18
2.1
None Local Low Not required Partial None None
In onTransact of IHDCP.cpp, there is a possible out of bounds read due to incorrect error handling. This could lead to local information disclosure of data from a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-8.0Android ID: A-150156584
917 CVE-2020-0098 269 Bypass 2020-05-14 2021-07-21
4.6
None Local Low Not required Partial Partial Partial
In navigateUpToLocked of ActivityStack.java, there is a possible permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-8.0 Android-8.1 Android-9Android ID: A-144285917
918 CVE-2020-0097 269 Bypass 2020-05-14 2021-07-21
4.6
None Local Low Not required Partial Partial Partial
In various methods of PackageManagerService.java, there is a possible permission bypass due to a missing condition for system apps. This could lead to local escalation of privilege with User privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10Android ID: A-145981139
919 CVE-2020-0096 269 2020-05-14 2021-07-21
7.2
None Local Low Not required Complete Complete Complete
In startActivities of ActivityStartController.java, there is a possible escalation of privilege due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9Android ID: A-145669109
920 CVE-2020-0094 787 2020-05-14 2020-05-18
4.6
None Local Low Not required Partial Partial Partial
In setImageHeight and setImageWidth of ExifUtils.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10Android ID: A-148223871
921 CVE-2020-0091 200 +Info 2020-05-14 2021-07-21
2.1
None Local Low Not required Partial None None
In mnld, an incorrect configuration in driver_cfg of mnld for meta factory mode.Product: AndroidVersions: Android SoCAndroid ID: A-149808700
922 CVE-2020-0090 863 2020-05-14 2021-07-21
2.1
None Local Low Not required Partial None None
An improper authorization in the receiver component of Email.Product: AndroidVersions: Android SoCAndroid ID: A-149813048
923 CVE-2020-0065 863 2020-05-14 2021-07-21
2.1
None Local Low Not required Partial None None
An improper authorization in the receiver component of the Android Suite Daemon.Product: AndroidVersions: Android SoCAndroid ID: A-149813448
924 CVE-2020-0064 863 2020-05-14 2021-07-21
2.1
None Local Low Not required Partial None None
An improper authorization while processing the provisioning data.Product: AndroidVersions: Android SoCAndroid ID: A-149866855
925 CVE-2020-0024 276 Bypass 2020-05-14 2020-05-18
4.4
None Local Medium Not required Partial Partial Partial
In onCreate of SettingsBaseActivity.java, there is a possible unauthorized setting modification due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-8.0Android ID: A-137015265
926 CVE-2019-20807 78 Exec Code 2020-05-28 2022-02-21
4.6
None Local Low Not required Partial Partial Partial
In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).
927 CVE-2019-20806 476 DoS 2020-05-27 2020-06-19
2.1
None Local Low Not required None None Partial
An issue was discovered in the Linux kernel before 5.2. There is a NULL pointer dereference in tw5864_handle_frame() in drivers/media/pci/tw5864/tw5864-video.c, which may cause denial of service, aka CID-2e7682ebfc75.
928 CVE-2019-20804 352 XSS CSRF 2020-05-21 2020-06-23
6.8
None Remote Medium Not required Partial Partial Partial
Gila CMS before 1.11.6 allows CSRF with resultant XSS via the admin/themes URI, leading to compromise of the admin account.
929 CVE-2019-20803 79 XSS 2020-05-21 2020-06-23
4.3
None Remote Medium Not required None Partial None
Gila CMS before 1.11.6 has reflected XSS via the admin/content/postcategory id parameter, which is mishandled for g_preview_theme.
930 CVE-2019-20802 79 XSS 2020-05-18 2020-05-19
4.3
None Remote Medium Not required None Partial None
An issue was discovered in the Readdle Documents app before 6.9.7 for iOS. The application's file-transfer web server improperly displays directory names, leading to Stored XSS, which may be used to steal a user's data. This requires user interaction because there is no known direct way for an attacker to create a crafted directory name on a victim's device. However, a crafted directory name can occur if a victim extracts a ZIP archive that was provided by an attacker.
931 CVE-2019-20801 862 Exec Code 2020-05-18 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in the Readdle Documents app before 6.9.7 for iOS. The application's file-transfer web server allows for cross-origin requests from any domain, and the WebSocket server lacks authorization control. Any web site can execute JavaScript code (that accesses a user's data) via cross-origin requests.
932 CVE-2019-20800 787 2020-05-18 2020-12-23
7.5
None Remote Low Not required Partial Partial Partial
In Cherokee through 1.2.104, remote attackers can trigger an out-of-bounds write in cherokee_handler_cgi_add_env_pair in handler_cgi.c by sending many request headers, as demonstrated by a GET request with many "Host: 127.0.0.1" headers.
933 CVE-2019-20799 787 Mem. Corr. 2020-05-18 2022-04-28
5.0
None Remote Low Not required None None Partial
In Cherokee through 1.2.104, multiple memory corruption errors may be used by a remote attacker to destabilize the work of a server.
934 CVE-2019-20798 79 Exec Code XSS 2020-05-18 2020-12-23
6.0
None Remote Medium ??? Partial Partial Partial
An XSS issue was discovered in handler_server_info.c in Cherokee through 1.2.104. The requested URL is improperly displayed on the About page in the default configuration of the web server and its administrator panel. The XSS in the administrator panel can be used to reconfigure the server and execute arbitrary commands.
935 CVE-2019-20797 787 Overflow 2020-05-18 2020-06-16
5.0
None Remote Low Not required None None Partial
An issue was discovered in e6y prboom-plus 2.5.1.5. There is a buffer overflow in client and server code responsible for handling received UDP packets, as demonstrated by I_SendPacket or I_SendPacketTo in i_network.c.
936 CVE-2019-20795 416 2020-05-09 2020-09-10
2.1
None Local Low Not required None None Partial
iproute2 before 5.1.0 has a use-after-free in get_netnsid_from_name in ip/ipnetns.c. NOTE: security relevance may be limited to certain uses of setuid that, although not a default, are sometimes a configuration option offered to end users. Even when setuid is used, other factors (such as C library configuration) may block exploitability.
937 CVE-2019-20794 400 2020-05-09 2021-07-21
4.7
None Local Medium Not required None None Complete
An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID namespace's pid 1, it will result in a hung task, and resources being permanently locked up until system reboot. This can result in resource exhaustion.
938 CVE-2019-20768 79 XSS 2020-05-05 2020-05-12
3.5
None Remote Medium ??? None Partial None
ServiceNow IT Service Management Kingston through Patch 14-1, London through Patch 7, and Madrid before patch 4 allow stored XSS via crafted sysparm_item_guid and sys_id parameters in an Incident Request to service_catalog.do.
939 CVE-2019-20390 352 CSRF 2020-05-15 2020-05-18
5.8
None Remote Medium Not required None Partial Partial
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion CMS 4.2.1 that allows a remote attacker to remove files on the server without a victim's knowledge, by enticing an authenticated user to visit an attacker's web page. The application fails to validate the CSRF token for a GET request. An attacker can craft a panel/uploads/read.json?cmd=rm URL (removing this token) and send it to the victim.
940 CVE-2019-20389 79 XSS 2020-05-15 2020-05-18
4.3
None Remote Medium Not required None Partial None
An XSS issue was identified on the Subrion CMS 4.2.1 /panel/configuration/general settings page. A remote attacker can inject arbitrary JavaScript code in the v[language_switch] parameter (within multipart/form-data), which is reflected back within a user's browser without proper output encoding.
941 CVE-2019-19721 193 DoS Mem. Corr. 2020-05-15 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
An off-by-one error in the DecodeBlock function in codec/sdl_image.c in VideoLAN VLC media player before 3.0.9 allows remote attackers to cause a denial of service (memory corruption) via a crafted image file. NOTE: this may be related to the SDL_Image product.
942 CVE-2019-19517 352 Bypass CSRF 2020-05-05 2020-05-07
6.8
None Remote Medium Not required Partial Partial Partial
Intelbras RF1200 1.1.3 devices allow CSRF to bypass the login.html form, as demonstrated by launching a scrapy process.
943 CVE-2019-19515 79 XSS 2020-05-05 2020-05-07
4.3
None Remote Medium Not required None Partial None
Ayision Ays-WR01 v28K.RPT.20161224 devices allow stored XSS in wireless settings.
944 CVE-2019-19514 79 XSS 2020-05-05 2020-05-07
3.5
None Remote Medium ??? None Partial None
Ayision Ays-WR01 v28K.RPT.20161224 devices allow stored XSS in basic repeater settings via an SSID.
945 CVE-2019-19456 79 XSS 2020-05-18 2020-09-30
4.3
None Remote Medium Not required None Partial None
A Reflected XSS was found in the server selection box inside the login page at: enginemanager/loginfailed.html in Wowza Streaming Engine <= 4.x.x. This issue was resolved in Wowza Streaming Engine 4.8.0.
946 CVE-2019-19454 2020-05-18 2020-09-30
5.0
None Remote Low Not required Partial None None
An arbitrary file download was found in the "Download Log" functionality of Wowza Streaming Engine <= 4.x.x. This issue was resolved in Wowza Streaming Engine 4.8.0.
947 CVE-2019-19169 Exec Code 2020-05-06 2020-05-19
7.5
None Remote Low Not required Partial Partial Partial
Dext5.ocx ActiveX 5.0.0.116 and eariler versions contain a vulnerability, which could allow remote attacker to download arbitrary file by setting the arguments to the activex method. This can be leveraged for code execution.
948 CVE-2019-19168 Exec Code 2020-05-06 2020-05-19
7.5
None Remote Low Not required Partial Partial Partial
Dext5.ocx ActiveX 5.0.0.116 and eariler versions contain a vulnerability, which could allow remote attacker to download and execute remote arbitrary file by setting the arguments to the activex method. This can be leveraged for code execution.
949 CVE-2019-19167 Exec Code 2020-05-06 2020-05-11
7.5
None Remote Low Not required Partial Partial Partial
Tobesoft Nexacro v2019.9.25.1 and earlier version have an arbitrary code execution vulnerability by using method supported by Nexacro14 ActiveX Control. It allows attacker to cause remote code execution.
950 CVE-2019-19166 Exec Code 2020-05-06 2020-05-07
4.4
None Local Medium Not required Partial Partial Partial
Tobesoft XPlatform v9.1, 9.2.0, 9.2.1 and 9.2.2 have a vulnerability that can load unauthorized DLL files. It allows attacker to cause remote code execution.
Total number of vulnerabilities : 1008   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 (This Page)20 21
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.