CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In May 2020

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
351 CVE-2020-4266 119 Exec Code Overflow Mem. Corr. 2020-05-14 2021-07-21
6.9
None Local Medium Not required Complete Complete Complete
IBM i2 Intelligent Analysis Platform 9.2.1 could allow a local attacker to execute arbitrary code on the system, caused by a memory corruption. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 175649.
352 CVE-2020-4285 119 Exec Code Overflow Mem. Corr. 2020-05-14 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
IBM i2 Intelligent Analysis Platform 9.2.1 could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption error. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash. IBM X-Force ID: 176266.
353 CVE-2020-4286 352 CSRF 2020-05-19 2020-05-19
4.3
None Remote Medium Not required None Partial None
IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 176268.
354 CVE-2020-4287 119 Exec Code Overflow Mem. Corr. 2020-05-14 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
IBM i2 Intelligent Analysis Platform 9.2.1 could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption error. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash. IBM X-Force ID: 176269.
355 CVE-2020-4288 119 Exec Code Overflow Mem. Corr. 2020-05-14 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
IBM i2 Intelligent Analysis Platform 9.2.1 could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption error. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash. IBM X-Force ID: 176270.
356 CVE-2020-4298 79 XSS 2020-05-19 2020-05-19
3.5
None Remote Medium ??? None Partial None
IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176475.
357 CVE-2020-4299 200 +Info 2020-05-14 2021-07-21
4.0
None Remote Low ??? Partial None None
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.0.3.1 could expose sensitive information to a user through a specially crafted HTTP request. IBM X-Force ID: 176606.
358 CVE-2020-4306 79 XSS 2020-05-29 2020-05-29
3.5
None Remote Medium ??? None Partial None
IBM Planning Analytics Local 2.0.0 through 2.0.9 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176735.
359 CVE-2020-4312 200 +Info 2020-05-13 2021-07-21
4.0
None Remote Low ??? Partial None None
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.0.3.1 could allow an authenticated user to obtain sensitive information from a cached web page. IBM X-Force ID: 177089.
360 CVE-2020-4343 119 Exec Code Overflow Mem. Corr. 2020-05-14 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
IBM i2 Intelligent Analysis Platform 9.2.1 could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause the application to crash. IBM X-Force ID: 178244.
361 CVE-2020-4345 89 Sql +Info 2020-05-17 2020-05-18
1.9
None Local Medium Not required Partial None None
IBM i 7.2, 7.3, and 7.4 users running complex SQL statements under a specific set of circumstances may allow a local user to obtain sensitive information that they should not have access to. IBM X-Force ID: 178318.
362 CVE-2020-4346 200 +Info 2020-05-12 2021-07-21
5.0
None Remote Low Not required Partial None None
IBM API Connect's V2018.4.1.0 through 2018.4.1.10 management server has an unsecured API which can be exploited by an unauthenticated attacker to obtain sensitive information. IBM X-Force ID: 178322.
363 CVE-2020-4348 863 2020-05-27 2021-07-21
4.0
None Remote Low ??? None Partial None
IBM Spectrum Scale 4.2.0.0 through 4.2.3.21 and 5.0.0.0 through 5.0.4.4 could allow an authenticated GUI user to perform unauthorized actions due to missing function level access control. IBM X-Force ID: 178414
364 CVE-2020-4349 327 2020-05-27 2020-05-27
5.0
None Remote Low Not required Partial None None
IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 178423.
365 CVE-2020-4350 327 2020-05-27 2020-05-27
5.0
None Remote Low Not required Partial None None
IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 178424.
366 CVE-2020-4352 269 2020-05-29 2021-07-21
4.4
None Local Medium Not required Partial Partial Partial
IBM MQ on HPE NonStop 8.0.4 and 8.1.0 is vulnerable to a privilege escalation attack when running in restricted mode. IBM X-Force ID: 178427.
367 CVE-2020-4357 200 +Info 2020-05-27 2021-07-21
4.0
None Remote Low ??? Partial None None
IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 178761.
368 CVE-2020-4358 79 XSS 2020-05-27 2020-05-27
3.5
None Remote Medium ??? None Partial None
IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 178762.
369 CVE-2020-4365 918 2020-05-14 2020-05-15
4.0
None Remote Low ??? Partial None None
IBM WebSphere Application Server 8.5 is vulnerable to server-side request forgery. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data. IBM X-Force ID: 178964.
370 CVE-2020-4378 2020-05-27 2020-05-27
4.0
None Remote Low ??? None Partial None
IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 could allow a privileged authenticated user to perform unauthorized actions using a specially crafted HTTP POST command. IBM X-Force ID: 179157.
371 CVE-2020-4379 327 2020-05-27 2020-05-27
5.0
None Remote Low Not required Partial None None
IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 179158.
372 CVE-2020-4384 79 XSS 2020-05-06 2020-05-08
3.5
None Remote Medium ??? None Partial None
IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 179265.
373 CVE-2020-4411 20 DoS 2020-05-19 2020-05-19
4.9
None Local Low Not required None None Complete
The Spectrum Scale 4.2.0.0 through 4.2.3.21 and 5.0.0.0 through 5.0.4.3 file system component is affected by a denial of service vulnerability in its kernel module that could allow an attacker to cause a denial of service condition on the affected system. To exploit this vulnerability, a local attacker could invoke a subset of ioctls on the Spectrum Scale device with non-valid arguments. This could allow the attacker to crash the kernel. IBM X-Force ID: 179986.
374 CVE-2020-4412 DoS 2020-05-19 2020-05-19
5.0
None Remote Low Not required None None Partial
The Spectrum Scale 4.2.0.0 through 4.2.3.21 and 5.0.0.0 through 5.0.4.3 file system component is affected by a denial of service security vulnerability. An attacker can force the Spectrum Scale mmfsd/mmsdrserv daemons to unexpectedly exit, impacting the functionality of the Spectrum Scale cluster and the availability of file systems managed by Spectrum Scale. IBM X-Force ID: 179987.
375 CVE-2020-4419 79 XSS 2020-05-28 2020-05-29
3.5
None Remote Medium ??? None Partial None
IBM Jazz Reporting Service 6.0.6, 6.0.6.1, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 180071.
376 CVE-2020-4421 287 2020-05-06 2021-07-21
5.5
None Remote Low ??? Partial Partial None
IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could allow an authenticated user using openidconnect to spoof another user's identity. IBM X-Force ID: 180084.
377 CVE-2020-4422 119 Exec Code Overflow Mem. Corr. 2020-05-14 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
IBM i2 Intelligent Analysis Platform 9.2.1 could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause the application to crash. IBM X-Force ID: 180167.
378 CVE-2020-4427 287 Bypass 2020-05-07 2020-05-08
9.0
None Remote Low ??? Complete Complete Complete
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532.
379 CVE-2020-4428 78 Exec Code 2020-05-07 2020-05-08
9.0
None Remote Low ??? Complete Complete Complete
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533.
380 CVE-2020-4429 798 Exec Code 2020-05-07 2020-05-08
10.0
None Remote Low Not required Complete Complete Complete
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to login and execute arbitrary code on the system with root privileges. IBM X-Force ID: 180534.
381 CVE-2020-4430 22 Dir. Trav. 2020-05-07 2020-05-08
4.0
None Remote Low ??? Partial None None
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535.
382 CVE-2020-4446 863 Bypass 2020-05-06 2020-05-08
4.0
None Remote Low ??? Partial None None
IBM Business Process Manager 8.0, 8.5, and 8.6 and IBM Business Automation Workflow 18.0 and 19.0 could allow a remote attacker to bypass security restrictions, caused by the failure to perform sufficient authorization checks. IBM X-Force ID: 181126.
383 CVE-2020-4461 20 Bypass 2020-05-20 2021-07-21
4.0
None Remote Low ??? None Partial None
IBM Security Access Manager Appliance 9.0.7.1 could allow an authenticated user to bypass security by allowing id_token claims manipulation without verification. IBM X-Force ID: 181481.
384 CVE-2020-4467 119 Exec Code Overflow Mem. Corr. 2020-05-14 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
IBM i2 Intelligent Analysis Platform 9.2.1 could allow a remote attacker to execute arbitrary code on the system, caused by memory corruption. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash. IBM X-Force ID: 181721.
385 CVE-2020-4468 119 Exec Code Overflow Mem. Corr. 2020-05-14 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
IBM i2 Intelligent Analysis Platform 9.2.1 could allow a remote attacker to execute arbitrary code on the system, caused by memory corruption. By persuading a victim to open a specially-crafted document, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash. IBM X-Force ID: 181723.
386 CVE-2020-4490 Bypass 2020-05-29 2020-05-29
5.8
None Remote Medium Not required Partial Partial None
IBM Business Automation Workflow 18 and 19, and IBM Business Process Manager 8.0, 8.5, and 8.6 could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a victim to a phishing site. IBM X-Force ID: 181989.
387 CVE-2020-5248 798 2020-05-12 2020-05-14
5.0
None Remote Low Not required Partial None None
GLPI before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data must be reencrypted with the new key. The problem is that we cannot know which columns or rows in the database are using it, especially from plugins. Changing the key without updating data would lead to a bad password being sent from GLPI, but storing the passwords again from the UI will work.
388 CVE-2020-5331 200 +Info 2020-05-04 2020-05-11
2.1
None Local Low Not required Partial None None
RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an information exposure vulnerability. Users’ session information could potentially be stored in cache or log files. An authenticated malicious local user with access to the log files may obtain the exposed information to use it in further attacks.
389 CVE-2020-5332 78 Exec Code 2020-05-04 2020-05-11
9.0
None Remote Low ??? Complete Complete Complete
RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain a command injection vulnerability. An authenticated malicious user with administrator privileges could potentially exploit this vulnerability to execute arbitrary commands on the system where the vulnerable application is deployed.
390 CVE-2020-5333 863 Bypass 2020-05-04 2020-07-17
4.0
None Remote Low ??? Partial None None
RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an authorization bypass vulnerability in the REST API. A remote authenticated malicious Archer user could potentially exploit this vulnerability to view unauthorized information.
391 CVE-2020-5334 79 Exec Code XSS 2020-05-04 2020-05-07
4.3
None Remote Medium Not required None Partial None
RSA Archer, versions prior to 6.7 P2 (6.7.0.2), contains a Document Object Model (DOM) based cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to DOM environment in the browser. The malicious code is then executed by the web browser in the context of the vulnerable web application.
392 CVE-2020-5335 352 CSRF 2020-05-04 2020-05-07
6.8
None Remote Medium Not required Partial Partial Partial
RSA Archer, versions prior to 6.7 P2 (6.7.0.2), contain a cross-site request forgery vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to send arbitrary requests to the vulnerable application to perform server operations with the privileges of the authenticated victim user.
393 CVE-2020-5336 74 Exec Code 2020-05-04 2020-05-07
5.8
None Remote Medium Not required Partial Partial None
RSA Archer, versions prior to 6.7 P1 (6.7.0.1), contain a URL injection vulnerability. An unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to execute malicious JavaScript code on the affected system.
394 CVE-2020-5337 601 2020-05-04 2020-05-07
5.8
None Remote Medium Not required Partial Partial None
RSA Archer, versions prior to 6.7 P1 (6.7.0.1), contain a URL redirection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links. The vulnerability could be used to conduct phishing attacks that cause users to unknowingly visit malicious sites.
395 CVE-2020-5343 863 +Priv 2020-05-04 2020-05-08
7.2
None Local Low Not required Complete Complete Complete
Dell Client platforms restored using a Dell OS recovery image downloaded before December 20, 2019, may contain an insecure inherited permissions vulnerability. A local authenticated malicious user with low privileges could exploit this vulnerability to gain unauthorized access on the root folder.
396 CVE-2020-5357 427 2020-05-28 2020-05-29
2.6
None Local High Not required None Partial Partial
Dell Dock Firmware Update Utilities for Dell Client Consumer and Commercial docking stations contain an Arbitrary File Overwrite vulnerability. The vulnerability is limited to the Dell Dock Firmware Update Utilities during the time window while being executed by an administrator. During this time window, a locally authenticated low-privileged malicious user could exploit this vulnerability by tricking an administrator into overwriting arbitrary files via a symlink attack. The vulnerability does not affect the actual binary payload that the update utility delivers.
397 CVE-2020-5364 200 +Info 2020-05-20 2020-05-21
5.0
None Remote Low Not required Partial None None
Dell EMC Isilon OneFS versions 8.2.2 and earlier contain an SNMPv2 vulnerability. The SNMPv2 service is enabled, by default, with a pre-configured community string. This community string allows read-only access to many aspects of the Isilon cluster, some of which are considered sensitive and can foster additional access.
398 CVE-2020-5365 330 2020-05-20 2020-05-21
5.0
None Remote Low Not required Partial None None
Dell EMC Isilon versions 8.2.2 and earlier contain a remotesupport vulnerability. The pre-configured support account, remotesupport, is bundled in the Dell EMC Isilon OneFS installation. This account is used for diagnostics and other support functions. Although the default password is different for every cluster, it is predictable.
399 CVE-2020-5407 347 2020-05-13 2021-06-14
6.5
None Remote Low ??? Partial Partial Partial
Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.
400 CVE-2020-5408 330 2020-05-14 2021-06-14
4.0
None Remote Low ??? Partial None None
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
Total number of vulnerabilities: 1017. Page 8 of 21.