CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In May 2020 (CVSS score >= 4)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
201 CVE-2020-12144 295 2020-05-05 2020-05-12
4.0
None Remote Low ??? None Partial None
The certificate used to identify the Silver Peak Cloud Portal to EdgeConnect devices is not validated. This makes it possible for someone to establish a TLS connection from EdgeConnect to an untrusted portal.
202 CVE-2020-12143 295 2020-05-05 2020-05-12
4.0
None Remote Low ??? None Partial None
The certificate used to identify Orchestrator to EdgeConnect devices is not validated, which makes it possible for someone to establish a TLS connection from EdgeConnect to an untrusted Orchestrator.
203 CVE-2020-12142 668 2020-05-05 2020-05-12
4.0
None Remote Low ??? Partial None None
1. IPSec UDP key material can be retrieved from machine-to-machine interfaces and human-accessible interfaces by a user with admin credentials. Such a user, with the required system knowledge, could use this material to decrypt in-flight communication. 2. The vulnerability requires administrative access and shell access to the EdgeConnect appliance. An admin user can access IPSec seed and nonce parameters using the CLI, REST APIs, and the Linux shell.
204 CVE-2020-12117 306 2020-05-01 2022-04-26
5.0
None Remote Low Not required Partial None None
Moxa Service in Moxa NPort 5150A firmware version 1.5 and earlier allows attackers to obtain sensitive configuration values via a crafted packet to UDP port 4800. NOTE: Moxa Service is an unauthenticated service that runs upon a first-time installation but can be disabled without ill effect.
205 CVE-2020-12116 200 +Info 2020-05-07 2021-07-21
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.
206 CVE-2020-12111 78 2020-05-04 2020-05-12
9.0
None Remote Low ??? Complete Complete Complete
Certain TP-Link devices allow Command Injection. This affects NC260 1.5.2 build 200304 and NC450 1.5.3 build 200304.
207 CVE-2020-12110 798 2020-05-04 2020-05-12
5.0
None Remote Low Not required Partial None None
Certain TP-Link devices have a Hardcoded Encryption Key. This affects NC200 2.1.9 build 200225, N210 1.0.9 build 200304, NC220 1.3.0 build 200304, NC230 1.3.0 build 200304, NC250 1.3.0 build 200304, NC260 1.5.2 build 200304, and NC450 1.5.3 build 200304.
208 CVE-2020-12109 78 2020-05-04 2020-09-18
9.0
None Remote Low ??? Complete Complete Complete
Certain TP-Link devices allow Command Injection. This affects NC200 2.1.9 build 200225, NC210 1.0.9 build 200304, NC220 1.3.0 build 200304, NC230 1.3.0 build 200304, NC250 1.3.0 build 200304, NC260 1.5.2 build 200304, and NC450 1.5.3 build 200304.
209 CVE-2020-12108 74 2020-05-06 2021-12-02
4.3
None Remote Medium Not required None Partial None
/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection.
210 CVE-2020-12104 89 Exec Code Sql 2020-05-05 2020-05-07
6.5
None Remote Low ??? Partial Partial Partial
The Import feature in the wp-advanced-search plugin 3.3.6 for WordPress is vulnerable to authenticated SQL injection via an uploaded .sql file. An attacker can use this to execute SQL commands without any validation.
211 CVE-2020-12068 269 2020-05-14 2021-07-21
6.4
None Remote Low Not required Partial Partial None
An issue was discovered in CODESYS Development System before 3.5.16.0. CODESYS WebVisu and CODESYS Remote TargetVisu are susceptible to privilege escalation.
212 CVE-2020-12042 347 +Priv 2020-05-14 2020-05-18
4.0
None Remote Low ??? None Partial None
Opto 22 SoftPAC Project Version 9.6 and prior. Paths specified within the zip files used to update the SoftPAC firmware are not sanitized. As a result, an attacker with user privileges can gain arbitrary file write access with system access.
213 CVE-2020-12038 787 Mem. Corr. 2020-05-19 2021-09-23
4.3
None Remote Medium Not required None None Partial
Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterprise): Versions 6.00, 6.10, and 6.11, RSLinx Classic: Version 4.11.00 and prior, RSNetWorx software: Version 28.00.00 and prior, Studio 5000 Logix Designer software: Version 32 and prior) is vulnerable. A memory corruption vulnerability exists in the algorithm that matches square brackets in the EDS subsystem. This may allow an attacker to craft specialized EDS files to crash the EDSParser COM object, leading to denial-of-service conditions.
214 CVE-2020-12034 89 Sql 2020-05-20 2020-05-22
4.8
None Local Network Low Not required None Partial Partial
Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterprise): Versions 6.00, 6.10, and 6.11, RSLinx Classic: Version 4.11.00 and prior, RSNetWorx software: Version 28.00.00 and prior, Studio 5000 Logix Designer software: Version 32 and prior) is vulnerable.The EDS subsystem does not provide adequate input sanitation, which may allow an attacker to craft specialized EDS files to inject SQL queries and manipulate the database storing the EDS files. This can lead to denial-of-service conditions.
215 CVE-2020-12026 22 Dir. Trav. 2020-05-08 2021-09-23
6.5
None Remote Low ??? Partial Partial Partial
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the application’s control.
216 CVE-2020-12022 129 2020-05-08 2020-05-11
7.5
None Remote Low Not required Partial Partial Partial
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. An improper validation vulnerability exists that could allow an attacker to inject specially crafted input into memory where it can be executed.
217 CVE-2020-12018 125 2020-05-08 2020-05-11
5.0
None Remote Low Not required Partial None None
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. An out-of-bounds vulnerability exists that may allow access to unauthorized data.
218 CVE-2020-12014 89 Sql 2020-05-08 2020-05-11
5.0
None Remote Low Not required Partial None None
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Input is not properly sanitized and may allow an attacker to inject SQL commands.
219 CVE-2020-12010 22 Dir. Trav. 2020-05-08 2021-09-23
5.8
None Remote Medium Not required None Partial Partial
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow an authenticated user to use a specially crafted file to delete files outside the application’s control.
220 CVE-2020-12006 22 Dir. Trav. 2020-05-08 2021-09-23
7.5
None Remote Low Not required Partial Partial Partial
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the application’s control.
221 CVE-2020-12002 787 Exec Code Overflow 2020-05-08 2021-09-23
7.5
None Remote Low Not required Partial Partial Partial
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple stack-based buffer overflow vulnerabilities exist caused by a lack of proper validation of the length of user-supplied data, which may allow remote code execution.
222 CVE-2020-11973 502 2020-05-14 2021-07-20
7.5
None Remote Low Not required Partial Partial Partial
Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.
223 CVE-2020-11972 502 2020-05-14 2021-03-15
7.5
None Remote Low Not required Partial Partial Partial
Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.
224 CVE-2020-11971 2020-05-14 2022-05-12
5.0
None Remote Low Not required Partial None None
Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 is affected. Users should upgrade to 3.2.0.
225 CVE-2020-11950 78 Exec Code 2020-05-28 2020-06-02
9.0
None Remote Low ??? Complete Complete Complete
VIVOTEK Network Cameras before XXXXX-VVTK-2.2002.xx.01x (and before XXXXX-VVTK-0XXXX_Beta2) allows an authenticated user to upload and execute a script (with resultant execution of OS commands). For example, this affects IT9388-HT devices.
226 CVE-2020-11949 200 +Info 2020-05-28 2021-07-21
4.0
None Remote Low ??? Partial None None
testserver.cgi of the web service on VIVOTEK Network Cameras before XXXXX-VVTK-2.2002.xx.01x (and before XXXXX-VVTK-0XXXX_Beta2) allows an authenticated user to obtain arbitrary files from a camera's local filesystem. For example, this affects IT9388-HT devices.
227 CVE-2020-11866 416 2020-05-11 2020-06-18
6.8
None Remote Medium Not required Partial Partial Partial
libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows a use-after-free.
228 CVE-2020-11865 119 Overflow 2020-05-11 2020-06-18
6.8
None Remote Medium Not required Partial Partial Partial
libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows out-of-bounds memory access.
229 CVE-2020-11864 DoS 2020-05-11 2020-06-18
4.3
None Remote Medium Not required None None Partial
libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows denial of service (issue 2 of 2).
230 CVE-2020-11863 DoS 2020-05-11 2020-06-18
4.3
None Remote Medium Not required None None Partial
libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows denial of service (issue 1 of 2).
231 CVE-2020-11845 79 XSS 2020-05-19 2020-05-19
4.3
None Remote Medium Not required None Partial None
Cross Site Scripting vulnerability in Micro Focus Service Manager product. Affecting versions 9.50, 9.51, 9.52, 9.60, 9.61, 9.62, 9.63. The vulnerability could be exploited to allow remote attackers to inject arbitrary web script or HTML.
232 CVE-2020-11844 863 2020-05-29 2021-05-12
7.5
None Remote Low Not required Partial Partial Partial
Incorrect Authorization vulnerability in Micro Focus Container Deployment Foundation component affects products: - Hybrid Cloud Management. Versions 2018.05 to 2019.11. - ArcSight Investigate. versions 2.4.0, 3.0.0 and 3.1.0. - ArcSight Transformation Hub. versions 3.0.0, 3.1.0, 3.2.0. - ArcSight Interset. version 6.0.0. - ArcSight ESM (when ArcSight Fusion 1.0 is installed). version 7.2.1. - Service Management Automation (SMA). versions 2018.05 to 2020.02 - Operation Bridge Suite (Containerized). Versions 2018.05 to 2020.02. - Network Operation Management. versions 2017.11 to 2019.11. - Data Center Automation Containerized. versions 2018.05 to 2019.11 - Identity Intelligence. versions 1.1.0 and 1.1.1. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
233 CVE-2020-11842 200 +Info 2020-05-04 2021-07-21
5.0
None Remote Low Not required Partial None None
Information disclosure vulnerability in Micro Focus Verastream Host Integrator (VHI) product, affecting versions earlier than 7.8 Update 1 (7.8.49 or 7.8.0.49). The vulnerability allows an unauthenticated attackers to view information they may not have been authorized to view.
234 CVE-2020-11807 434 Exec Code 2020-05-19 2020-05-20
4.6
None Local Low Not required Partial Partial Partial
Because of Unrestricted Upload of a File with a Dangerous Type, Sourcefabric Newscoop 4.4.7 allows an authenticated user to execute arbitrary PHP code (and sometimes terminal commands) on a server by making an avatar update and then visiting the avatar file under the /images/ path.
235 CVE-2020-11766 74 2020-05-19 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
sendfax.php in iFAX AvantFAX before 3.3.6 and HylaFAX Enterprise Web Interface before 0.2.5 allows authenticated Command Injection.
236 CVE-2020-11737 79 XSS 2020-05-05 2020-05-07
4.3
None Remote Medium Not required None Partial None
A cross-site scripting (XSS) vulnerability in Web Client in Zimbra 9.0 allows a remote attacker to craft links in an E-Mail message or calendar invite to execute arbitrary JavaScript. The attack requires an A element containing an href attribute with a "www" substring (including the quotes) followed immediately by a DOM event listener such as onmouseover. This is fixed in 9.0.0 Patch 2.
237 CVE-2020-11727 79 XSS 2020-05-06 2020-05-07
4.3
None Remote Medium Not required None Partial None
A cross-site scripting (XSS) vulnerability in the AlgolPlus Advanced Order Export For WooCommerce plugin 3.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the view/settings-form.php woe_post_type parameter.
238 CVE-2020-11716 276 2020-05-20 2020-05-22
7.5
None Remote Low Not required Partial Partial Partial
Panasonic P110, Eluga Z1 Pro, Eluga X1, and Eluga X1 Pro devices through 2020-04-10 have Insecure Permissions. NOTE: the vendor states that all affected products are at "End-of-software-support."
239 CVE-2020-11715 2020-05-19 2020-05-20
7.5
None Remote Low Not required Partial Partial Partial
Panasonic P99 devices through 2020-04-10 have Incorrect Access Control. NOTE: the vendor states that all affected products are at "End-of-software-support."
240 CVE-2020-11671 269 2020-05-04 2021-07-21
5.8
None Remote Medium Not required Partial Partial None
Lack of authorization controls in REST API functions in TeamPass through 2.1.27.36 allows any TeamPass user with a valid API token to become a TeamPass administrator and read/modify all passwords via authenticated api/index.php REST API calls. NOTE: the API is not available by default.
241 CVE-2020-11551 287 2020-05-18 2021-07-21
5.8
None Local Network Low Not required Partial Partial Partial
An issue was discovered on NETGEAR Orbi Tri-Band Business WiFi Add-on Satellite (SRS60) AC3000 V2.5.1.106, Outdoor Satellite (RBS50Y) V2.5.1.106, and Pro Tri-Band Business WiFi Router (SRR60) AC3000 V2.5.1.106. The administrative SOAP interface allows an unauthenticated remote write of arbitrary Wi-Fi configuration data such as authentication details (e.g., the Web-admin password), network settings, DNS settings, system administration interface configuration, etc.
242 CVE-2020-11549 798 Exec Code 2020-05-18 2020-05-20
8.3
None Local Network Low Not required Complete Complete Complete
An issue was discovered on NETGEAR Orbi Tri-Band Business WiFi Add-on Satellite (SRS60) AC3000 V2.5.1.106, Outdoor Satellite (RBS50Y) V2.5.1.106, and Pro Tri-Band Business WiFi Router (SRR60) AC3000 V2.5.1.106. The root account has the same password as the Web-admin component. Thus, by exploiting CVE-2020-11551, it is possible to achieve remote code execution with root privileges on the embedded Linux system.
243 CVE-2020-11532 287 Bypass 2020-05-08 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This allows an attacker to bypass authentication for this server and execute all operations in the context of admin user.
244 CVE-2020-11531 22 Exec Code Dir. Trav. 2020-05-08 2020-05-18
6.5
None Remote Low ??? Partial Partial Partial
The DataEngine Xnode Server application in Zoho ManageEngine DataSecurity Plus prior to 6.0.1 does not validate the database schema name when handling a DR-SCHEMA-SYNC request. This allows an authenticated attacker to execute code in the context of the product by writing a JSP file to the webroot directory via directory traversal.
245 CVE-2020-11530 89 Sql 2020-05-08 2020-05-13
7.5
None Remote Low Not required Partial Partial Partial
A blind SQL injection vulnerability is present in Chop Slider 3, a WordPress plugin. The vulnerability is introduced in the id GET parameter supplied to get_script/index.php, and allows an attacker to execute arbitrary SQL queries in the context of the WP database user.
246 CVE-2020-11524 787 2020-05-15 2020-07-27
6.0
None Remote Medium ??? Partial Partial Partial
libfreerdp/codec/interleaved.c in FreeRDP versions > 1.0 through 2.0.0-rc4 has an Out-of-bounds Write.
247 CVE-2020-11523 190 Overflow 2020-05-15 2020-08-30
6.0
None Remote Medium ??? Partial Partial Partial
libfreerdp/gdi/region.c in FreeRDP versions > 1.0 through 2.0.0-rc4 has an Integer Overflow.
248 CVE-2020-11522 125 2020-05-15 2020-08-30
6.4
None Remote Low Not required Partial None Partial
libfreerdp/gdi/gdi.c in FreeRDP > 1.0 through 2.0.0-rc4 has an Out-of-bounds Read.
249 CVE-2020-11521 125 2020-05-15 2022-04-26
6.0
None Remote Medium ??? Partial Partial Partial
libfreerdp/codec/planar.c in FreeRDP version > 1.0 through 2.0.0-rc4 has an Out-of-bounds Write.
250 CVE-2020-11462 776 2020-05-04 2020-05-12
4.3
None Remote Medium Not required None None Partial
An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable.
Total number of vulnerabilities : 866   Page : 1 2 3 4 5 (This Page)6 7 8 9 10 11 12 13 14 15 16 17 18
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.