CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In May 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
401 CVE-2020-5409 601 2020-05-14 2020-05-15
5.8
None Remote Medium Not required Partial Partial None
Pivotal Concourse, most versions prior to 6.0.0, allows redirects to untrusted websites in its login flow. A remote unauthenticated attacker could convince a user to click on a link using the OAuth redirect link with an untrusted website and gain access to that user's access token in Concourse. (This issue is similar to, but distinct from, CVE-2018-15798.)
402 CVE-2020-5517 352 CSRF 2020-05-05 2020-11-10
4.3
None Remote Medium Not required Partial None None
CSRF in the /login URI in BlueOnyx 5209R allows an attacker to access the dashboard and perform scraping or other analysis.
403 CVE-2020-5537 20 Exec Code 2020-05-25 2020-05-27
7.5
None Remote Low Not required Partial Partial Partial
Cybozu Desktop for Windows 2.0.23 to 2.2.40 allows remote code execution via unspecified vectors.
404 CVE-2020-5538 269 Exec Code 2020-05-11 2021-07-21
7.2
None Local Low Not required Complete Complete Complete
Improper Access Control in PALLET CONTROL Ver. 6.3 and earlier allows authenticated attackers to execute arbitrary code with the SYSTEM privilege on the computer where PALLET CONTROL is installed via unspecified vectors. PalletControl 7 to 9.1 are not affected by this vulnerability, however under the environment where PLS Management Add-on Module is used, all versions are affected.
405 CVE-2020-5572 200 +Info 2020-05-29 2020-05-29
2.1
None Local Low Not required Partial None None
Android App 'Mailwise for Android' 1.0.0 to 1.0.1 allows an attacker to obtain credential information registered in the product via unspecified vectors.
406 CVE-2020-5573 200 +Info 2020-05-29 2020-05-29
2.1
None Local Low Not required Partial None None
Android App 'kintone mobile for Android' 1.0.0 to 2.5 allows an attacker to obtain credential information registered in the product via unspecified vectors.
407 CVE-2020-5574 74 2020-05-14 2020-05-15
5.0
None Remote Low Not required None Partial None
HTML attribute value injection vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to inject arbitrary HTML attribute value via unspecified vectors.
408 CVE-2020-5575 79 XSS 2020-05-14 2020-05-15
4.3
None Remote Medium Not required None Partial None
Cross-site scripting vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
409 CVE-2020-5576 352 CSRF 2020-05-14 2020-05-15
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to hijack the authentication of administrators via unspecified vectors.
410 CVE-2020-5577 434 2020-05-14 2020-05-15
6.5
None Remote Low ??? Partial Partial Partial
Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allow remote authenticated attackers to upload arbitrary files and execute a php script via unspecified vectors.
411 CVE-2020-5579 89 Exec Code Sql 2020-05-20 2020-05-20
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in the Paid Memberships versions prior to 2.3.3 allows attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors.
412 CVE-2020-5727 287 Bypass 2020-05-02 2020-05-07
2.1
None Local Low Not required None Partial None
Authentication bypass using an alternate path or channel in SimpliSafe SS3 firmware 1.4 allows a local, unauthenticated attacker to pair a rogue keypad to an armed system.
413 CVE-2020-5741 502 Exec Code 2020-05-08 2021-12-14
6.5
None Remote Low ??? Partial Partial Partial
Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.
414 CVE-2020-5743 200 +Info 2020-05-07 2021-07-21
4.0
None Remote Low ??? Partial None None
Improper Control of Resource Identifiers in TCExam 14.2.2 allows a remote, authenticated attacker to access test metadata for which they don't have permission.
415 CVE-2020-5744 22 Dir. Trav. 2020-05-07 2020-05-13
4.0
None Remote Low ??? Partial None None
Relative Path Traversal in TCExam 14.2.2 allows a remote, authenticated attacker to read the contents of arbitrary files on disk.
416 CVE-2020-5745 79 XSS CSRF 2020-05-07 2021-07-21
4.3
None Remote Medium Not required None Partial None
Cross-site request forgery in TCExam 14.2.2 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
417 CVE-2020-5746 79 XSS 2020-05-07 2020-05-11
3.5
None Remote Medium ??? None Partial None
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test.
418 CVE-2020-5747 79 XSS 2020-05-07 2020-05-11
3.5
None Remote Medium ??? None Partial None
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test.
419 CVE-2020-5748 79 XSS 2020-05-07 2020-05-11
4.3
None Remote Medium Not required None Partial None
Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature.
420 CVE-2020-5749 79 XSS 2020-05-07 2020-05-11
3.5
None Remote Medium ??? None Partial None
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted group.
421 CVE-2020-5750 79 XSS 2020-05-07 2020-05-11
4.3
None Remote Medium Not required None Partial None
Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature.
422 CVE-2020-5751 79 XSS 2020-05-07 2020-05-11
3.5
None Remote Medium ??? None Partial None
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted operator.
423 CVE-2020-5752 22 Exec Code Dir. Trav. 2020-05-21 2020-12-08
7.2
None Local Low Not required Complete Complete Complete
Relative path traversal in Druva inSync Windows Client 6.6.3 allows a local, unauthenticated attacker to execute arbitrary operating system commands with SYSTEM privileges.
424 CVE-2020-5753 670 2020-05-20 2022-04-07
5.0
None Remote Low Not required Partial None None
Signal Private Messenger Android v4.59.0 and up and iOS v3.8.1.5 and up allows a remote non-contact to ring a victim's Signal phone and disclose currently used DNS server due to ICE Candidate handling before call is answered or declined.
425 CVE-2020-5833 125 2020-05-11 2020-05-14
2.1
None Local Low Not required Partial None None
Symantec Endpoint Protection Manager, prior to 14.3, may be susceptible to an out of bounds vulnerability, which is a type of issue that results in an existing application reading memory outside of the bounds of the memory that had been allocated to the program.
426 CVE-2020-5834 22 Dir. Trav. 2020-05-11 2020-05-14
5.0
None Remote Low Not required Partial None None
Symantec Endpoint Protection Manager, prior to 14.3, may be susceptible to a directory traversal attack that could allow a remote actor to determine the size of files in the directory.
427 CVE-2020-5835 362 2020-05-11 2020-05-14
4.4
None Local Medium Not required Partial Partial Partial
Symantec Endpoint Protection Manager, prior to 14.3, has a race condition in client remote deployment which may result in an elevation of privilege on the remote machine.
428 CVE-2020-5836 269 2020-05-11 2021-07-21
4.4
None Local Medium Not required Partial Partial Partial
Symantec Endpoint Protection, prior to 14.3, can potentially reset the ACLs on a file as a limited user while Symantec Endpoint Protection's Tamper Protection feature is disabled.
429 CVE-2020-5837 59 2020-05-11 2020-05-14
4.6
None Local Low Not required Partial Partial Partial
Symantec Endpoint Protection, prior to 14.3, may not respect file permissions when writing to log files that are replaced by symbolic links, which can lead to a potential elevation of privilege.
430 CVE-2020-5838 79 XSS 2020-05-13 2020-05-15
3.5
None Remote Medium ??? None Partial None
Symantec IT Analytics, prior to 2.9.1, may be susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can potentially enable attackers to inject client-side scripts into web pages viewed by other users.
431 CVE-2020-5894 384 2020-05-07 2020-05-12
5.8
None Remote Medium Not required Partial Partial None
On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out.
432 CVE-2020-5895 2020-05-07 2020-05-22
4.6
None Local Low Not required Partial Partial Partial
On NGINX Controller versions 3.1.0-3.3.0, AVRD uses world-readable and world-writable permissions on its socket, which allows processes or users on the local system to write arbitrary data into the socket. A local system attacker can make AVRD segmentation fault (SIGSEGV) by writing malformed messages to the socket.
433 CVE-2020-5896 276 2020-05-12 2020-05-14
4.6
None Local Low Not required Partial Partial Partial
On versions 7.1.5-7.1.9, the BIG-IP Edge Client's Windows Installer Service's temporary folder has weak file and folder permissions.
434 CVE-2020-5897 416 2020-05-12 2020-05-14
6.8
None Remote Medium Not required Partial Partial Partial
In versions 7.1.5-7.1.9, there is use-after-free memory vulnerability in the BIG-IP Edge Client Windows ActiveX component.
435 CVE-2020-5898 2020-05-12 2020-05-14
4.9
None Local Low Not required None None Complete
In versions 7.1.5-7.1.9, BIG-IP Edge Client Windows Stonewall driver does not sanitize the pointer received from the userland. A local user on the Windows client system can send crafted DeviceIoControl requests to \\.\urvpndrv device causing the Windows kernel to crash.
436 CVE-2020-6074 416 Exec Code 2020-05-18 2022-06-03
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable code execution vulnerability exists in the PDF parser of Nitro Pro 13.9.1.155. A specially crafted PDF document can cause a use-after-free which can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.
437 CVE-2020-6075 787 Exec Code 2020-05-06 2022-04-19
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable out-of-bounds write vulnerability exists in the store_data_buffer function of the igcore19d.dll library of Accusoft ImageGear 19.5.0. A specially crafted PNG file can cause an out-of-bounds write, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
438 CVE-2020-6076 787 Exec Code 2020-05-06 2022-04-19
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable out-of-bounds write vulnerability exists in the igcore19d.dll ICO icoread parser of the Accusoft ImageGear 19.5.0 library. A specially crafted ICO file can cause an out-of-bounds write, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
439 CVE-2020-6081 345 Exec Code 2020-05-07 2022-06-03
6.5
None Remote Low ??? Partial Partial Partial
An exploitable code execution vulnerability exists in the PLC_Task functionality of 3S-Smart Software Solutions GmbH CODESYS Runtime 3.5.14.30. A specially crafted network request can cause remote code execution. An attacker can send a malicious packet to trigger this vulnerability.
440 CVE-2020-6082 787 Exec Code 2020-05-06 2022-04-19
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable out-of-bounds write vulnerability exists in the ico_read function of the igcore19d.dll library of Accusoft ImageGear 19.6.0. A specially crafted ICO file can cause an out-of-bounds write, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
441 CVE-2020-6091 287 Bypass 2020-05-22 2022-04-28
6.4
None Remote Low Not required Partial Partial None
An exploitable authentication bypass vulnerability exists in the ESPON Web Control functionality of Epson EB-1470Ui MAIN: 98009273ESWWV107 MAIN2: 8X7325WWV303. A specially crafted series of HTTP requests can cause authentication bypass resulting in information disclosure. An attacker can send an HTTP request to trigger this vulnerability.
442 CVE-2020-6092 190 Exec Code Overflow 2020-05-18 2022-05-12
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable code execution vulnerability exists in the way Nitro Pro 13.9.1.155 parses Pattern objects. A specially crafted PDF file can trigger an integer overflow that can lead to arbitrary code execution. In order to trigger this vulnerability, victim must open a malicious file.
443 CVE-2020-6093 824 2020-05-18 2022-05-12
4.3
None Remote Medium Not required Partial None None
An exploitable information disclosure vulnerability exists in the way Nitro Pro 13.9.1.155 does XML error handling. A specially crafted PDF document can cause uninitialized memory access resulting in information disclosure. In order to trigger this vulnerability, victim must open a malicious file.
444 CVE-2020-6094 787 Exec Code 2020-05-06 2022-05-12
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable code execution vulnerability exists in the TIFF fillinraster function of the igcore19d.dll library of Accusoft ImageGear 19.4, 19.5 and 19.6. A specially crafted TIFF file can cause an out-of-bounds write, resulting in remote code execution. An attacker can provide a malicious file to trigger this vulnerability.
445 CVE-2020-6240 20 DoS 2020-05-12 2021-07-21
5.0
None Remote Low Not required None None Partial
SAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 753, 754 and SAP_BASIS 700, 710, 730, 731, 804) allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service leading to Denial of Service
446 CVE-2020-6241 89 Sql 2020-05-12 2020-05-14
6.5
None Remote Low ??? Partial Partial Partial
SAP Adaptive Server Enterprise, version 16.0, allows an authenticated user to execute crafted database queries to elevate privileges of users in the system, leading to SQL Injection.
447 CVE-2020-6242 306 2020-05-12 2020-07-02
7.5
None Remote Low Not required Partial Partial Partial
SAP Business Objects Business Intelligence Platform (Live Data Connect), versions 1.0, 2.0, 2.1, 2.2, 2.3, allows an attacker to logon on the Central Management Console without password in case of the BIPRWS application server was not protected with some specific certificate, leading to Missing Authentication Check.
448 CVE-2020-6243 74 2020-05-12 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
Under certain conditions, SAP Adaptive Server Enterprise (XP Server on Windows Platform), versions 15.7, 16.0, does not perform the necessary checks for an authenticated user while executing the extended stored procedure, allowing an attacker to read, modify, delete restricted data on connected servers, leading to Code Injection.
449 CVE-2020-6244 427 Exec Code 2020-05-12 2020-05-18
4.4
None Local Medium Not required Partial Partial Partial
SAP Business Client, version 7.0, allows an attacker after a successful social engineering attack to inject malicious code as a DLL file in untrusted directories that can be executed by the application, due to uncontrolled search path element. An attacker could thereby control the behavior of the application.
450 CVE-2020-6245 74 Exec Code 2020-05-12 2020-05-14
4.6
None Local Low Not required Partial Partial Partial
SAP Business Objects Business Intelligence Platform, version 4.2, allows an attacker with access to local instance, to inject file or code that can be executed by the application due to Improper Control of Resource Identifiers.
Total number of vulnerabilities : 1017   Page : 1 2 3 4 5 6 7 8 9 (This Page)10 11 12 13 14 15 16 17 18 19 20 21
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.