| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
401 |
CVE-2020-9046 |
269 |
|
+Priv |
2020-05-26 |
2020-06-03 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
A vulnerability in all versions of Kantech EntraPass Editions could potentially allow an authorized low-privileged user to gain full system-level privileges by replacing critical files with specifically crafted files. |
|
402 |
CVE-2020-9045 |
312 |
|
|
2020-05-21 |
2021-07-06 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
During installation or upgrade to Software House C•CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation. |
|
403 |
CVE-2020-8983 |
22 |
|
Exec Code Dir. Trav. |
2020-05-07 |
2020-05-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An arbitrary file write issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020, which allows remote code execution. RCE and file access is granted to everything hosted by ShareFile, be it on-premise or inside Citrix Cloud itself (both are internet facing). NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-7473 and CVE-2020-8982. |
|
404 |
CVE-2020-8982 |
22 |
|
Dir. Trav. |
2020-05-07 |
2020-05-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020. RCE and file access is granted to everything hosted by ShareFile, be it on-premise or inside Citrix Cloud itself (both are internet facing). NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-7473 and CVE-2020-8983. |
|
405 |
CVE-2020-8899 |
787 |
|
Exec Code Overflow |
2020-05-06 |
2020-05-15 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
There is a buffer overwrite vulnerability in the Quram qmg library of Samsung's Android OS versions O(8.x), P(9.0) and Q(10.0). An unauthenticated, unauthorized attacker sending a specially crafted MMS to a vulnerable phone can trigger a heap-based buffer overflow in the Quram image codec leading to an arbitrary remote code execution (RCE) without any user interaction. The Samsung ID is SVE-2020-16747. |
|
406 |
CVE-2020-8896 |
120 |
|
Overflow |
2020-05-04 |
2020-05-08 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
A Buffer Overflow vulnerability in the khcrypt implementation in Google Earth Pro versions up to and including 7.3.2 allows an attacker to perform a Man-in-the-Middle attack using a specially crafted key to read data past the end of the buffer used to hold it. Mitigation: Update to Google Earth Pro 7.3.3. |
|
407 |
CVE-2020-8830 |
352 |
|
CSRF |
2020-05-05 |
2021-07-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
CSRF in login.asp on Ruckus devices allows an attacker to access the panel, and use SSRF to perform scraping or other analysis via the SUBCA-1 field on the Wireless Admin screen. |
|
408 |
CVE-2020-8829 |
352 |
|
CSRF |
2020-05-05 |
2020-05-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
CSRF on Intelbras CIP 92200 devices allows an attacker to access the panel and perform scraping or other analysis. |
|
409 |
CVE-2020-8816 |
|
|
Exec Code |
2020-05-29 |
2022-06-05 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease. |
|
410 |
CVE-2020-8799 |
79 |
|
XSS |
2020-05-05 |
2020-05-07 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
A Stored XSS vulnerability has been found in the administration page of the WTI Like Post plugin through 1.4.5 for WordPress. Once the administrator has submitted the data, the script stored is executed for all the users visiting the website. |
|
411 |
CVE-2020-8792 |
200 |
|
+Info |
2020-05-04 |
2021-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) has an information-exposure issue. In the mobile app, an attempt to add an already-bound lock by its barcode reveals the email address of the account to which the lock is bound, as well as the name of the lock. Valid barcode inputs can be easily guessed because barcode strings follow a predictable pattern. Correctly guessed valid barcode inputs entered through the app interface disclose arbitrary users' email addresses and lock names. |
|
412 |
CVE-2020-8791 |
200 |
|
+Info |
2020-05-04 |
2021-07-21 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) allows remote attackers to submit API requests using authenticated but unauthorized tokens, resulting in IDOR issues. A remote attacker can use their own token to make unauthorized API requests on behalf of arbitrary user IDs. Valid and current user IDs are trivial to guess because of the user ID assignment convention used by the app. A remote attacker could harvest email addresses, unsalted MD5 password hashes, owner-assigned lock names, and owner-assigned fingerprint names for any range of arbitrary user IDs. |
|
413 |
CVE-2020-8790 |
521 |
|
|
2020-05-04 |
2021-07-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) has weak password requirements combined with improper restriction of excessive authentication attempts, which could allow a remote attacker to discover user credentials and obtain access via a brute force attack. |
|
414 |
CVE-2020-8789 |
79 |
|
XSS |
2020-05-22 |
2020-05-26 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Composr 10.0.30 allows Persistent XSS via a Usergroup name under the Security configuration. |
|
415 |
CVE-2020-8617 |
617 |
|
|
2020-05-19 |
2020-10-20 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results. |
|
416 |
CVE-2020-8616 |
400 |
|
|
2020-05-19 |
2020-10-20 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor. |
|
417 |
CVE-2020-8606 |
287 |
|
Bypass |
2020-05-27 |
2022-06-02 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to bypass authentication on affected installations of Trend Micro InterScan Web Security Virtual Appliance. |
|
418 |
CVE-2020-8605 |
78 |
|
Exec Code |
2020-05-27 |
2022-06-02 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to execute arbitrary code on affected installations. Authentication is required to exploit this vulnerability. |
|
419 |
CVE-2020-8604 |
22 |
|
Dir. Trav. |
2020-05-27 |
2022-04-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to disclose sensitive informatoin on affected installations. |
|
420 |
CVE-2020-8603 |
79 |
|
XSS |
2020-05-27 |
2020-05-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A cross-site scripting vulnerability (XSS) in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow a remote attacker to tamper with the web interface of affected installations. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. |
|
421 |
CVE-2020-8572 |
200 |
|
+Info |
2020-05-21 |
2021-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Element OS prior to version 12.0 and Element HealthTools prior to version 2020.04.01.04 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information. |
|
422 |
CVE-2020-8434 |
384 |
|
|
2020-05-19 |
2020-05-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Jenzabar JICS (aka Internet Campus Solution) before 9.0.1 Patch 3, 9.1 before 9.1.2 Patch 2, and 9.2 before 9.2.2 Patch 8 has session cookies that are a deterministic function of the username. There is a hard-coded password to supply a PBKDF feeding into AES to encrypt a username and base64 encode it to a client-side cookie for persistent session authentication. By knowing the key and algorithm, an attacker can select any username, encrypt it, base64 encode it, and save it in their browser with the correct JICSLoginCookie cookie format to impersonate any real user in the JICS database without the need for authenticating (or verifying with MFA if implemented). |
|
423 |
CVE-2020-8330 |
20 |
|
DoS |
2020-05-28 |
2021-07-21 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
A denial of service vulnerability was reported in the firmware prior to version 1.01 used in Lenovo Printer LJ4010DN that could be triggered by a remote user sending a crafted packet to the device, preventing subsequent print jobs until the printer is rebooted. |
|
424 |
CVE-2020-8329 |
20 |
|
DoS |
2020-05-28 |
2021-07-21 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
A denial of service vulnerability was reported in the firmware prior to version 1.01 used in Lenovo Printer LJ4010DN that could be triggered by a remote user sending a crafted packet to the device, causing an error to be displayed and preventing printer from functioning until the printer is rebooted. |
|
425 |
CVE-2020-8171 |
78 |
|
Exec Code |
2020-05-26 |
2020-05-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior TI, XW and XM boards, according to the description below:There are certain end-points containing functionalities that are vulnerable to command injection. It is possible to craft an input string that passes the filter check but still contains commands, resulting in remote code execution.Mitigation:Update to the latest AirMax AirOS firmware version available at the AirMax download page. |
|
426 |
CVE-2020-8170 |
79 |
|
XSS |
2020-05-26 |
2020-05-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior TI, XW and XM boards, according to the description below:Multiple end-points with parameters vulnerable to reflected cross site scripting (XSS), allowing attackers to abuse the user' session information and/or account takeover of the admin user.Mitigation:Update to the latest AirMax AirOS firmware version available at the AirMax download page. |
|
427 |
CVE-2020-8168 |
352 |
|
CSRF |
2020-05-26 |
2020-05-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior TI, XW and XM boards, according to the description below:Attackers can abuse multiple end-points not protected against cross-site request forgery (CSRF), as a result authenticated users can be persuaded to visit malicious web pages, which allows attackers to perform arbitrary actions, such as downgrade the device's firmware to older versions, modify configuration, upload arbitrary firmware, exfiltrate files and tokens.Mitigation:Update to the latest AirMax AirOS firmware version available at the AirMax download page. |
|
428 |
CVE-2020-8159 |
22 |
|
Exec Code Dir. Trav. |
2020-05-12 |
2022-04-05 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
There is a vulnerability in actionpack_page-caching gem < v1.2.1 that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view. |
|
429 |
CVE-2020-8157 |
|
|
|
2020-05-02 |
2020-05-07 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
UniFi Cloud Key firmware <= v1.1.10 for Cloud Key gen2 and Cloud Key gen2 Plus contains a vulnerability that allows unrestricted root access through the serial interface (UART). |
|
430 |
CVE-2020-8156 |
295 |
|
|
2020-05-12 |
2022-05-24 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man in the middle attack. |
|
431 |
CVE-2020-8155 |
79 |
|
XSS |
2020-05-12 |
2020-10-19 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF. |
|
432 |
CVE-2020-8154 |
639 |
|
|
2020-05-12 |
2020-10-19 |
6.8 |
None |
Remote |
Low |
??? |
None |
None |
Complete |
|
An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint. |
|
433 |
CVE-2020-8153 |
732 |
|
|
2020-05-12 |
2022-05-24 |
5.5 |
None |
Remote |
Low |
??? |
None |
Partial |
Partial |
|
Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when when renaming an accessible item to the same name. |
|
434 |
CVE-2020-8151 |
863 |
|
+Info |
2020-05-12 |
2021-10-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information. |
|
435 |
CVE-2020-8149 |
94 |
|
Exec Code |
2020-05-15 |
2020-05-19 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Lack of output sanitization allowed an attack to execute arbitrary shell commands via the logkitty npm package before version 0.7.1. |
|
436 |
CVE-2020-8100 |
20 |
|
DoS |
2020-05-15 |
2020-05-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Improper Input Validation vulnerability in the cevakrnl.rv0 module as used in the Bitdefender Engines allows an attacker to trigger a denial of service while scanning a specially-crafted sample. This issue affects: Bitdefender Bitdefender Engines versions prior to 7.84063. |
|
437 |
CVE-2020-8035 |
79 |
|
XSS |
2020-05-18 |
2020-06-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting (XSS) vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL. |
|
438 |
CVE-2020-8034 |
79 |
|
XSS |
2020-05-18 |
2020-05-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality, affecting breadcrumb output. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL. |
|
439 |
CVE-2020-8033 |
79 |
|
XSS |
2020-05-05 |
2020-05-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Ruckus R500 3.4.2.0.384 devices allow XSS via the index.asp Device Name field. |
|
440 |
CVE-2020-8021 |
269 |
|
|
2020-05-19 |
2021-03-15 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
a Improper Access Control vulnerability in of Open Build Service allows remote attackers to read files of an OBS package where the sourceaccess/access is disabled This issue affects: Open Build Service versions prior to 2.10.5. |
|
441 |
CVE-2020-8020 |
79 |
|
XSS |
2020-05-13 |
2021-03-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A Improper Neutralization of Input During Web Page Generation vulnerability in open-build-service allows remote attackers to store arbitrary JS code to cause XSS. This issue affects: openSUSE open-build-service versions prior to 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb. |
|
442 |
CVE-2020-8018 |
276 |
|
|
2020-05-04 |
2020-05-12 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
A Incorrect Default Permissions vulnerability in the SLES15-SP1-CHOST-BYOS and SLES15-SP1-CAP-Deployment-BYOS images of SUSE Linux Enterprise Server 15 SP1 allows local attackers with the UID 1000 to escalate to root due to a /etc directory owned by the user This issue affects: SUSE Linux Enterprise Server 15 SP1 SLES15-SP1-CAP-Deployment-BYOS version 1.0.1 and prior versions; SLES15-SP1-CHOST-BYOS versions prior to 1.0.3 and prior versions; |
|
443 |
CVE-2020-7983 |
352 |
|
CSRF |
2020-05-05 |
2020-05-07 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
A CSRF issue in login.asp on Ruckus R500 3.4.2.0.384 devices allows remote attackers to access the panel or conduct SSRF attacks. |
|
444 |
CVE-2020-7921 |
863 |
|
Bypass |
2020-05-06 |
2020-07-07 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects: MongoDB Inc. MongoDB Server 4.2 versions prior to 4.2.3; 4.0 versions prior to 4.0.15; 4.3 versions prior to 4.3.3; 3.6 versions prior to 3.6.18. |
|
445 |
CVE-2020-7813 |
494 |
|
Exec Code |
2020-05-22 |
2020-05-27 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Ezhttptrans.ocx ActiveX Control in Kaoni ezHTTPTrans 1.0.0.70 and prior versions contain a vulnerability that could allow remote attacker to download and execute arbitrary file by setting the arguments to the activex method. This can be leveraged for code execution. |
|
446 |
CVE-2020-7812 |
494 |
|
Exec Code |
2020-05-28 |
2020-05-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Ezhttptrans.ocx ActiveX Control in Kaoni ezHTTPTrans 1.0.0.70 and prior versions contain a vulnerability that could allow remote attacker to download arbitrary file by setting the arguments to the activex method. This can be leveraged for code execution by rebooting the victim’s PC. |
|
447 |
CVE-2020-7809 |
79 |
|
XSS |
2020-05-15 |
2020-05-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
ALSong 3.46 and earlier version contain a Document Object Model (DOM) based cross-site scripting vulnerability caused by improper validation of user input. A remote attacker could exploit this vulnerability by tricking the victim to open ALSong Album(sab) file. |
|
448 |
CVE-2020-7808 |
88 |
|
|
2020-05-21 |
2020-05-22 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
In RAONWIZ K Upload v2018.0.2.51 and prior, automatic update processing without integrity check on update module(web.js) allows an attacker to modify arguments which causes downloading a random DLL and injection on it. |
|
449 |
CVE-2020-7806 |
494 |
|
Exec Code |
2020-05-06 |
2020-05-12 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Tobesoft Xplatform 9.2.2.250 and earlier version have an arbitrary code execution vulnerability by using method supported by Xplatform ActiveX Control. It allows attacker to cause remote code execution. |
|
450 |
CVE-2020-7805 |
78 |
|
Exec Code |
2020-05-07 |
2020-05-14 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
An issue was discovered on KT Slim egg IML500 (R7283, R8112, R8424) and IML520 (R8112, R8368, R8411) wifi device. This issue is a command injection allowing attackers to execute arbitrary OS commands. |
