CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In May 2020 (CVSS score >= 4)
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 401 | CVE-2020-7809 | 79 | | XSS | 2020-05-15 | 2020-05-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | ALSong 3.46 and earlier versions contain a Document Object Model (DOM) based cross-site scripting vulnerability caused by improper validation of user input. A remote attacker could exploit this vulnerability by tricking the victim into opening an ALSong Album (sab) file. |
| 402 | CVE-2020-7808 | 88 | | | 2020-05-21 | 2020-05-22 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | In RAONWIZ K Upload v2018.0.2.51 and prior, automatic update processing without an integrity check on the update module (web.js) allows an attacker to modify arguments, which causes downloading of an arbitrary DLL and injection into it. |
| 403 | CVE-2020-7806 | 494 | | Exec Code | 2020-05-06 | 2020-05-12 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Tobesoft Xplatform 9.2.2.250 and earlier versions have an arbitrary code execution vulnerability via a method supported by the Xplatform ActiveX Control. It allows an attacker to cause remote code execution. |
| 404 | CVE-2020-7805 | 78 | | Exec Code | 2020-05-07 | 2020-05-14 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | An issue was discovered on KT Slim egg IML500 (R7283, R8112, R8424) and IML520 (R8112, R8368, R8411) wifi devices. This issue is a command injection allowing attackers to execute arbitrary OS commands. |
| 405 | CVE-2020-7803 | | | Exec Code | 2020-05-07 | 2020-08-06 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | IMGTech Co,Ltd ZInsX.ocx ActiveX Control in Zoneplayer 2.0.1.3, version 2.0.1.4 and prior versions on Windows. A file download vulnerability in ZInsX.ocx of IMGTech Co,Ltd Zoneplayer allows an attacker to cause arbitrary code execution. |
| 406 | CVE-2020-7658 | 444 | | | 2020-05-22 | 2020-05-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | meinheld prior to 1.0.2 is vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Content-Length and Transfer-Encoding header parsing. |
| 407 | CVE-2020-7656 | 79 | | XSS | 2020-05-19 | 2020-05-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove `<script>` HTML tags that contain a whitespace character, i.e. `</script >`, which results in the enclosed script logic being executed. |
| 408 | CVE-2020-7655 | 444 | | | 2020-05-21 | 2020-05-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | netius prior to 1.17.58 is vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Transfer-Encoding header parsing, which could allow for CL:TE or TE:TE attacks. |
| 409 | CVE-2020-7654 | 200 | | +Info | 2020-05-29 | 2021-07-21 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if the logging level is set to DEBUG. |
| 410 | CVE-2020-7653 | 200 | | +Info | 2020-05-29 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | Partial | None | None | All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network by creating symlinks to match whitelisted paths. |
| 411 | CVE-2020-7652 | 22 | | Dir. Trav. | 2020-05-29 | 2020-06-02 | 4.0 | None | Remote | Low | ??? | Partial | None | None | All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network via directory traversal. |
| 412 | CVE-2020-7651 | 200 | | +Info | 2020-05-29 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | Partial | None | None | All versions of snyk-broker before 4.79.0 are vulnerable to Arbitrary File Read. It allows partial file reads for users who have access to Snyk's internal network via patch history from the GitHub Commits API. |
| 413 | CVE-2020-7650 | 200 | | +Info | 2020-05-29 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | Partial | None | None | All versions of snyk-broker after 4.72.0 and before 4.73.1 inclusive are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json. |
| 414 | CVE-2020-7648 | 200 | | +Info | 2020-05-29 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | Partial | None | None | All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path, e.g. `#package.json`. |
| 415 | CVE-2020-7647 | 22 | | Dir. Trav. | 2020-05-11 | 2020-05-14 | 5.0 | None | Remote | Low | Not required | Partial | None | None | All versions before 1.6.7 and all versions after 2.0.0 inclusive and before 2.8.2 of io.jooby:jooby and org.jooby:jooby are vulnerable to Directory Traversal via two separate vectors. |
| 416 | CVE-2020-7646 | 78 | | | 2020-05-07 | 2020-06-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | curlrequest through 1.0.1 allows reading any file by populating the file parameter with user input. |
| 417 | CVE-2020-7645 | 78 | | Exec Code | 2020-05-02 | 2022-06-08 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | All versions of chrome-launcher allow execution of arbitrary commands by controlling the $HOME environment variable on Linux operating systems. |
| 418 | CVE-2020-7473 | 22 | | Dir. Trav. | 2020-05-07 | 2020-05-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None | In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020, allow unauthenticated attackers to access the documents and folders of ShareFile users. NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-8982 and CVE-2020-8983 but has essentially the same risk. |
| 419 | CVE-2020-7454 | 20 | | | 2020-05-13 | 2022-04-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | In FreeBSD 12.1-STABLE before r360971, 12.1-RELEASE before p5, 11.4-STABLE before r360971, 11.4-BETA1 before p1 and 11.3-RELEASE before p9, libalias does not properly validate packet length, resulting in modules causing an out-of-bounds read/write condition if no checking was built into the module. |
| 420 | CVE-2020-7351 | 78 | | Exec Code | 2020-05-01 | 2022-04-18 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | An OS Command Injection vulnerability in the endpoint_devicemap.php component of Fonality Trixbox Community Edition allows an attacker to execute commands on the underlying operating system as the "asterisk" user. Note that Trixbox Community Edition has been unsupported by the vendor since 2012. This issue affects: Fonality Trixbox Community Edition, versions 1.2.0 through 2.8.0.4. Versions 1.0 and 1.1 are unaffected. |
| 421 | CVE-2020-7291 | 269 | | | 2020-05-08 | 2021-09-08 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Privilege Escalation vulnerability in McAfee Active Response (MAR) for Mac prior to 2.4.3 Hotfix 1 allows a malicious script or program to perform functions that the local executing user has not been granted access to. |
| 422 | CVE-2020-7290 | 269 | | | 2020-05-08 | 2020-05-11 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Privilege Escalation vulnerability in McAfee Active Response (MAR) for Linux prior to 2.4.3 Hotfix 1 allows a malicious script or program to perform functions that the local executing user has not been granted access to. |
| 423 | CVE-2020-7289 | 269 | | | 2020-05-08 | 2020-05-11 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Privilege Escalation vulnerability in McAfee Active Response (MAR) for Windows prior to 2.4.3 Hotfix 1 allows a malicious script or program to perform functions that the local executing user has not been granted access to. |
| 424 | CVE-2020-7288 | 269 | | | 2020-05-08 | 2021-09-08 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Privilege Escalation vulnerability in McAfee Exploit Detection and Response (EDR) for Mac prior to 3.1.0 Hotfix 1 allows a malicious script or program to perform functions that the local executing user has not been granted access to. |
| 425 | CVE-2020-7287 | 269 | | | 2020-05-08 | 2020-05-11 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Privilege Escalation vulnerability in McAfee Exploit Detection and Response (EDR) for Linux prior to 3.1.0 Hotfix 1 allows a malicious script or program to perform functions that the local executing user has not been granted access to. |
| 426 | CVE-2020-7286 | 269 | | | 2020-05-08 | 2020-05-12 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Privilege Escalation vulnerability in McAfee Exploit Detection and Response (EDR) for Windows prior to 3.1.0 Hotfix 1 allows a malicious script or program to perform functions that the local executing user has not been granted access to. |
| 427 | CVE-2020-7285 | 269 | | | 2020-05-08 | 2020-05-15 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Privilege Escalation vulnerability in McAfee MVISION Endpoint prior to 20.5.0.94 allows a malicious script or program to perform functions that the local executing user has not been granted access to. |
| 428 | CVE-2020-7139 | 200 | | +Info | 2020-05-19 | 2021-07-21 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None | Potential remote access security vulnerabilities have been identified with HPE Nimble Storage systems that could be exploited by an attacker to access and modify sensitive information on the system. The following NimbleOS versions, and all subsequent releases, contain a software fix for this vulnerability: 3.9.3.0, 4.5.6.0, 5.0.9.0, 5.1.4.100. |
| 429 | CVE-2020-7138 | 20 | | Exec Code +Priv | 2020-05-19 | 2021-07-21 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Potential remote code execution security vulnerabilities have been identified with HPE Nimble Storage systems that could be exploited by an attacker to gain elevated privileges on the array. The following NimbleOS versions, and all subsequent releases, contain a software fix for this vulnerability: 3.9.3.0, 4.5.6.0, 5.0.9.0, 5.1.4.100. |
| 430 | CVE-2020-7137 | 20 | | | 2020-05-19 | 2020-05-21 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | A validation issue in HPE Superdome Flex's RMC component may allow local elevation of privilege. Apply HPE Superdome Flex Server version 3.25.46 or later to resolve this issue. |
| 431 | CVE-2020-6956 | 79 | | XSS | 2020-05-19 | 2020-05-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | PCS DEXICON 3.4.1 allows XSS via the loginName parameter in login_action.jsp. |
| 432 | CVE-2020-6937 | 400 | | DoS | 2020-05-29 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | None | None | Partial | A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion. |
| 433 | CVE-2020-6831 | 120 | | Overflow Mem. Corr. | 2020-05-26 | 2021-07-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. |
| 434 | CVE-2020-6830 | 200 | | +Info | 2020-05-26 | 2020-05-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None | For native-to-JS bridging, the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token was being used for JS-to-native also, but it isn't needed in this case, and its usage was also leaking this token. This vulnerability affects Firefox for iOS < 25. |
| 435 | CVE-2020-6774 | 668 | | | 2020-05-27 | 2020-05-29 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | Improper Access Control in the Kiosk Mode functionality of Bosch Recording Station allows a local unauthenticated attacker to escape from the Kiosk Mode and access the underlying operating system. |
| 436 | CVE-2020-6652 | 269 | | | 2020-05-07 | 2020-05-12 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Incorrect Privilege Assignment vulnerability in Eaton's Intelligent Power Manager (IPM) v1.67 & prior allows non-admin users to upload the system configuration files by sending specially crafted requests. This can result in non-admin users manipulating the system configurations via uploading configurations with incorrect parameters. |
| 437 | CVE-2020-6651 | 20 | | Exec Code | 2020-05-07 | 2020-05-12 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial | Improper Input Validation in Eaton's Intelligent Power Manager (IPM) v1.67 & prior on the file name during the configuration file import functionality allows attackers to perform command injection or code execution via specially crafted file names while uploading the configuration file in the application. |
| 438 | CVE-2020-6491 | | | | 2020-05-21 | 2020-07-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Insufficient data validation in site information in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to spoof security UI via a crafted domain name. |
| 439 | CVE-2020-6490 | 668 | | | 2020-05-21 | 2021-01-27 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Insufficient data validation in loader in Google Chrome prior to 83.0.4103.61 allowed a remote attacker who had been able to write to disk to leak cross-origin data via a crafted HTML page. |
| 440 | CVE-2020-6489 | 200 | | +Info | 2020-05-21 | 2021-01-27 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Inappropriate implementation in developer tools in Google Chrome prior to 83.0.4103.61 allowed a remote attacker who had convinced the user to take certain actions in developer tools to obtain potentially sensitive information from disk via a crafted HTML page. |
| 441 | CVE-2020-6488 | 276 | | Bypass | 2020-05-21 | 2020-07-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Insufficient policy enforcement in downloads in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. |
| 442 | CVE-2020-6487 | 276 | | Bypass | 2020-05-21 | 2021-01-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Insufficient policy enforcement in downloads in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. |
| 443 | CVE-2020-6486 | | | Bypass | 2020-05-21 | 2021-01-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Insufficient policy enforcement in navigations in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. |
| 444 | CVE-2020-6485 | 20 | | Bypass | 2020-05-21 | 2020-07-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Insufficient data validation in media router in Google Chrome prior to 83.0.4103.61 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. |
| 445 | CVE-2020-6484 | 276 | | Bypass | 2020-05-21 | 2020-07-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Insufficient data validation in ChromeDriver in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted request. |
| 446 | CVE-2020-6483 | 276 | | Bypass | 2020-05-21 | 2021-01-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Insufficient policy enforcement in payments in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. |
| 447 | CVE-2020-6482 | 276 | | Bypass | 2020-05-21 | 2021-01-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. |
| 448 | CVE-2020-6481 | | | | 2020-05-21 | 2021-01-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Insufficient policy enforcement in URL formatting in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to perform domain spoofing via a crafted domain name. |
| 449 | CVE-2020-6480 | 276 | | Bypass | 2020-05-21 | 2021-01-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Insufficient policy enforcement in enterprise in Google Chrome prior to 83.0.4103.61 allowed a local attacker to bypass navigation restrictions via UI actions. |
| 450 | CVE-2020-6479 | | | | 2020-05-21 | 2020-07-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Inappropriate implementation in sharing in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to spoof security UI via a crafted HTML page. |
Total number of vulnerabilities: 866 (this is page 9 of 18).