CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In May 2020 (CVSS score >= 6)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
151 CVE-2020-10027 697 Exec Code 2020-05-11 2020-06-05
7.2
None Local Low Not required Complete Complete Complete
An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel. See NCC-ZEP-001 This issue affects: zephyrproject-rtos zephyr version 1.14.0 and later versions. version 2.1.0 and later versions.
152 CVE-2020-10024 697 Exec Code 2020-05-11 2020-06-05
7.2
None Local Low Not required Complete Complete Complete
The arm platform-specific code uses a signed integer comparison when validating system call numbers. An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel. See NCC-ZEP-001 This issue affects: zephyrproject-rtos zephyr version 1.14.0 and later versions. version 2.1.0 and later versions.
153 CVE-2020-10022 120 DoS Exec Code Mem. Corr. 2020-05-11 2020-06-05
7.5
None Remote Low Not required Partial Partial Partial
A malformed JSON payload that is received from an UpdateHub server may trigger memory corruption in the Zephyr OS. This could result in a denial of service in the best case, or code execution in the worst case. See NCC-NCC-016 This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later versions. version 2.2.0 and later versions.
154 CVE-2020-9753 347 2020-05-20 2020-05-21
6.4
None Remote Low Not required Partial Partial None
Whale Browser Installer before 1.2.0.5 versions don't support signature verification for Flash installer.
155 CVE-2020-9502 330 2020-05-13 2020-05-18
7.5
None Remote Low Not required Partial Partial Partial
Some Dahua products with Build time before December 2019 have Session ID predictable vulnerabilities. During normal user access, an attacker can use the predicted Session ID to construct a data packet to attack the device.
156 CVE-2020-9475 362 2020-05-07 2021-07-21
6.9
None Local Medium Not required Complete Complete Complete
The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 allows local privilege escalation via a race condition in logrotate. By using an exploit chain, an attacker with access to the network can get root access on the gateway.
157 CVE-2020-9474 494 Exec Code 2020-05-07 2020-05-14
9.0
None Remote Low ??? Complete Complete Complete
The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 allows remote code execution via the backup functionality in the web frontend. By using an exploit chain, an attacker with access to the network can get root access on the gateway.
158 CVE-2020-9410 79 +Priv XSS 2020-05-20 2022-04-28
6.8
None Remote Medium Not required Partial Partial Partial
The report generator component of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an attacker to exploit HTML injection to gain full control of a web interface containing the output of the report generator component with the privileges of any user that views the affected report(s). The attacker can theoretically exploit this vulnerability when other users view a maliciously generated report, where those reports use Fusion Charts and a data source with contents controlled by the attacker. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions 7.1.1 and below, versions 7.2.0 and 7.2.1, version 7.3.0, version 7.5.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions 7.1.1 and below, TIBCO JasperReports Server: versions 7.1.1 and below, version 7.2.0, version 7.5.0, TIBCO JasperReports Server for AWS Marketplace: versions 7.5.0 and below, and TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.1.1 and below.
159 CVE-2020-9409 276 2020-05-20 2020-10-20
10.0
None Remote Low Not required Complete Complete Complete
The administrative UI component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an unauthenticated attacker to obtain the permissions of a JasperReports Server "superuser" for the affected systems. The attacker can theoretically exploit the vulnerability consistently, remotely, and without authenticating. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 7.1.1 and below, TIBCO JasperReports Server for AWS Marketplace: versions 7.1.1 and below, and TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.1.1 and below.
160 CVE-2020-9046 269 +Priv 2020-05-26 2020-06-03
7.2
None Local Low Not required Complete Complete Complete
A vulnerability in all versions of Kantech EntraPass Editions could potentially allow an authorized low-privileged user to gain full system-level privileges by replacing critical files with specifically crafted files.
161 CVE-2020-8899 787 Exec Code Overflow 2020-05-06 2020-05-15
10.0
None Remote Low Not required Complete Complete Complete
There is a buffer overwrite vulnerability in the Quram qmg library of Samsung's Android OS versions O(8.x), P(9.0) and Q(10.0). An unauthenticated, unauthorized attacker sending a specially crafted MMS to a vulnerable phone can trigger a heap-based buffer overflow in the Quram image codec leading to an arbitrary remote code execution (RCE) without any user interaction. The Samsung ID is SVE-2020-16747.
162 CVE-2020-8830 352 CSRF 2020-05-05 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
CSRF in login.asp on Ruckus devices allows an attacker to access the panel, and use SSRF to perform scraping or other analysis via the SUBCA-1 field on the Wireless Admin screen.
163 CVE-2020-8829 352 CSRF 2020-05-05 2020-05-07
6.8
None Remote Medium Not required Partial Partial Partial
CSRF on Intelbras CIP 92200 devices allows an attacker to access the panel and perform scraping or other analysis.
164 CVE-2020-8816 78 Exec Code 2020-05-29 2022-07-12
6.5
None Remote Low ??? Partial Partial Partial
Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.
165 CVE-2020-8790 521 2020-05-04 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) has weak password requirements combined with improper restriction of excessive authentication attempts, which could allow a remote attacker to discover user credentials and obtain access via a brute force attack.
166 CVE-2020-8606 287 Bypass 2020-05-27 2022-06-02
7.5
None Remote Low Not required Partial Partial Partial
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to bypass authentication on affected installations of Trend Micro InterScan Web Security Virtual Appliance.
167 CVE-2020-8605 78 Exec Code 2020-05-27 2022-06-02
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to execute arbitrary code on affected installations. Authentication is required to exploit this vulnerability.
168 CVE-2020-8330 20 DoS 2020-05-28 2021-07-21
7.8
None Remote Low Not required None None Complete
A denial of service vulnerability was reported in the firmware prior to version 1.01 used in Lenovo Printer LJ4010DN that could be triggered by a remote user sending a crafted packet to the device, preventing subsequent print jobs until the printer is rebooted.
169 CVE-2020-8329 20 DoS 2020-05-28 2021-07-21
7.8
None Remote Low Not required None None Complete
A denial of service vulnerability was reported in the firmware prior to version 1.01 used in Lenovo Printer LJ4010DN that could be triggered by a remote user sending a crafted packet to the device, causing an error to be displayed and preventing printer from functioning until the printer is rebooted.
170 CVE-2020-8171 78 Exec Code 2020-05-26 2020-05-28
7.5
None Remote Low Not required Partial Partial Partial
We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior TI, XW and XM boards, according to the description below:There are certain end-points containing functionalities that are vulnerable to command injection. It is possible to craft an input string that passes the filter check but still contains commands, resulting in remote code execution.Mitigation:Update to the latest AirMax AirOS firmware version available at the AirMax download page.
171 CVE-2020-8168 352 CSRF 2020-05-26 2020-05-28
6.8
None Remote Medium Not required Partial Partial Partial
We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior TI, XW and XM boards, according to the description below:Attackers can abuse multiple end-points not protected against cross-site request forgery (CSRF), as a result authenticated users can be persuaded to visit malicious web pages, which allows attackers to perform arbitrary actions, such as downgrade the device's firmware to older versions, modify configuration, upload arbitrary firmware, exfiltrate files and tokens.Mitigation:Update to the latest AirMax AirOS firmware version available at the AirMax download page.
172 CVE-2020-8159 22 Exec Code Dir. Trav. 2020-05-12 2022-04-05
7.5
None Remote Low Not required Partial Partial Partial
There is a vulnerability in actionpack_page-caching gem < v1.2.1 that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.
173 CVE-2020-8157 2020-05-02 2020-05-07
7.2
None Local Low Not required Complete Complete Complete
UniFi Cloud Key firmware <= v1.1.10 for Cloud Key gen2 and Cloud Key gen2 Plus contains a vulnerability that allows unrestricted root access through the serial interface (UART).
174 CVE-2020-8156 295 2020-05-12 2022-05-24
6.8
None Remote Medium Not required Partial Partial Partial
A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man in the middle attack.
175 CVE-2020-8154 639 2020-05-12 2020-10-19
6.8
None Remote Low ??? None None Complete
An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint.
176 CVE-2020-8149 94 Exec Code 2020-05-15 2020-05-19
7.5
None Remote Low Not required Partial Partial Partial
Lack of output sanitization allowed an attack to execute arbitrary shell commands via the logkitty npm package before version 0.7.1.
177 CVE-2020-8018 276 2020-05-04 2020-05-12
7.2
None Local Low Not required Complete Complete Complete
A Incorrect Default Permissions vulnerability in the SLES15-SP1-CHOST-BYOS and SLES15-SP1-CAP-Deployment-BYOS images of SUSE Linux Enterprise Server 15 SP1 allows local attackers with the UID 1000 to escalate to root due to a /etc directory owned by the user This issue affects: SUSE Linux Enterprise Server 15 SP1 SLES15-SP1-CAP-Deployment-BYOS version 1.0.1 and prior versions; SLES15-SP1-CHOST-BYOS versions prior to 1.0.3 and prior versions;
178 CVE-2020-7813 494 Exec Code 2020-05-22 2020-05-27
7.5
None Remote Low Not required Partial Partial Partial
Ezhttptrans.ocx ActiveX Control in Kaoni ezHTTPTrans 1.0.0.70 and prior versions contain a vulnerability that could allow remote attacker to download and execute arbitrary file by setting the arguments to the activex method. This can be leveraged for code execution.
179 CVE-2020-7812 494 Exec Code 2020-05-28 2020-05-28
7.5
None Remote Low Not required Partial Partial Partial
Ezhttptrans.ocx ActiveX Control in Kaoni ezHTTPTrans 1.0.0.70 and prior versions contain a vulnerability that could allow remote attacker to download arbitrary file by setting the arguments to the activex method. This can be leveraged for code execution by rebooting the victim’s PC.
180 CVE-2020-7808 88 2020-05-21 2020-05-22
7.5
None Remote Low Not required Partial Partial Partial
In RAONWIZ K Upload v2018.0.2.51 and prior, automatic update processing without integrity check on update module(web.js) allows an attacker to modify arguments which causes downloading a random DLL and injection on it.
181 CVE-2020-7806 494 Exec Code 2020-05-06 2020-05-12
7.5
None Remote Low Not required Partial Partial Partial
Tobesoft Xplatform 9.2.2.250 and earlier version have an arbitrary code execution vulnerability by using method supported by Xplatform ActiveX Control. It allows attacker to cause remote code execution.
182 CVE-2020-7805 78 Exec Code 2020-05-07 2020-05-14
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on KT Slim egg IML500 (R7283, R8112, R8424) and IML520 (R8112, R8368, R8411) wifi device. This issue is a command injection allowing attackers to execute arbitrary OS commands.
183 CVE-2020-7803 Exec Code 2020-05-07 2020-08-06
6.8
None Remote Medium Not required Partial Partial Partial
IMGTech Co,Ltd ZInsX.ocx ActiveX Control in Zoneplayer 2.0.1.3, version 2.0.1.4 and prior versions on Windows. File Donwload vulnerability in ZInsX.ocx of IMGTech Co,Ltd Zoneplayer allows attacker to cause arbitrary code execution.
184 CVE-2020-7646 78 2020-05-07 2020-06-09
7.5
None Remote Low Not required Partial Partial Partial
curlrequest through 1.0.1 allows reading any file by populating the file parameter with user input.
185 CVE-2020-7645 78 Exec Code 2020-05-02 2022-06-08
7.5
None Remote Low Not required Partial Partial Partial
All versions of chrome-launcher allow execution of arbitrary commands, by controlling the $HOME environment variable in Linux operating systems.
186 CVE-2020-7454 20 2020-05-13 2022-04-26
7.5
None Remote Low Not required Partial Partial Partial
In FreeBSD 12.1-STABLE before r360971, 12.1-RELEASE before p5, 11.4-STABLE before r360971, 11.4-BETA1 before p1 and 11.3-RELEASE before p9, libalias does not properly validate packet length resulting in modules causing an out of bounds read/write condition if no checking was built into the module.
187 CVE-2020-7351 78 Exec Code 2020-05-01 2022-04-18
9.0
None Remote Low ??? Complete Complete Complete
An OS Command Injection vulnerability in the endpoint_devicemap.php component of Fonality Trixbox Community Edition allows an attacker to execute commands on the underlying operating system as the "asterisk" user. Note that Trixbox Community Edition has been unsupported by the vendor since 2012. This issue affects: Fonality Trixbox Community Edition, versions 1.2.0 through 2.8.0.4. Versions 1.0 and 1.1 are unaffected.
188 CVE-2020-7138 20 Exec Code +Priv 2020-05-19 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
Potential remote code execution security vulnerabilities have been identified with HPE Nimble Storage systems that could be exploited by an attacker to gain elevated privileges on the array. The following NimbleOS versions, and all subsequent releases, contain a software fix for this vulnerability: 3.9.3.0 4.5.6.0 5.0.9.0 5.1.4.100
189 CVE-2020-6831 120 Overflow Mem. Corr. 2020-05-26 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.
190 CVE-2020-6774 668 2020-05-27 2020-05-29
7.2
None Local Low Not required Complete Complete Complete
Improper Access Control in the Kiosk Mode functionality of Bosch Recording Station allows a local unauthenticated attacker to escape from the Kiosk Mode and access the underlying operating system.
191 CVE-2020-6651 20 Exec Code 2020-05-07 2020-05-12
6.0
None Remote Medium ??? Partial Partial Partial
Improper Input Validation in Eaton's Intelligent Power Manager (IPM) v 1.67 & prior on file name during configuration file import functionality allows attackers to perform command injection or code execution via specially crafted file names while uploading the configuration file in the application.
192 CVE-2020-6474 416 2020-05-21 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in Blink in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
193 CVE-2020-6471 276 2020-05-21 2021-01-28
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.
194 CVE-2020-6469 276 2020-05-21 2020-07-08
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.
195 CVE-2020-6468 787 2020-05-21 2022-04-26
6.8
None Remote Medium Not required Partial Partial Partial
Type confusion in V8 in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
196 CVE-2020-6467 416 2020-05-21 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in WebRTC in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
197 CVE-2020-6466 416 2020-05-21 2020-07-08
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in media in Google Chrome prior to 83.0.4103.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
198 CVE-2020-6465 416 2020-05-21 2020-07-08
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in reader mode in Google Chrome on Android prior to 83.0.4103.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
199 CVE-2020-6464 787 2020-05-21 2022-04-26
6.8
None Remote Medium Not required Partial Partial Partial
Type confusion in Blink in Google Chrome prior to 81.0.4044.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
200 CVE-2020-6463 787 2020-05-21 2022-04-26
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in ANGLE in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Total number of vulnerabilities : 393   Page : 1 2 3 4 (This Page)5 6 7 8
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.