Working VB LOW Table
Released
Mar 30, 2020
Document ID
SB20-090
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
Vulnerability Severity:
Low Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| N/A -- N/A | An issue was discovered on Samsung mobile devices with P(9.0) (Exynos chipsets) software. The Wi-Fi kernel drivers have an out-of-bounds Read. The Samsung IDs are SVE-2019-15692, SVE-2019-15693 (December 2019). | 2020-03-24 | 3.6 | CVE-2019-20531 CONFIRM |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with O(8.0) and P(9.0) (Exynos8890 chipsets) software. A use-after-free occurs in the MALI GPU driver. The Samsung ID is SVE-2019-13921-1 (May 2019). | 2020-03-24 | 3.6 | CVE-2019-20600 CONFIRM |
| N/A -- N/A | The Telegram application through 5.12 for Android, when Show Popup is enabled, might allow physically proximate attackers to bypass intended restrictions on message reading and message replying. This might be interpreted as a bypass of the passcode feature. | 2020-03-24 | 3.6 | CVE-2020-10570 MISC |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (Exynos 9610 chipsets) software. There is a kernel pointer leak in the vipx driver. The Samsung ID is SVE-2019-16293 (February 2020). | 2020-03-24 | 3.6 | CVE-2020-10840 CONFIRM |
| N/A -- N/A | There is an improper integrity checking vulnerability on some huawei products. The software of the affected product has an improper integrity check which may allow an attacker with high privilege to make malicious modifications.Affected product versions include:HEGE-560 versions 1.0.1.21(SP3);HEGE-570 versions 1.0.1.22(SP3);OSCA-550 versions 1.0.1.21(SP3);OSCA-550A versions 1.0.1.21(SP3);OSCA-550AX versions 1.0.1.21(SP3);OSCA-550X versions 1.0.1.21(SP3). | 2020-03-20 | 3.6 | CVE-2020-1879 MISC |
| N/A -- N/A | OnCommand System Manager versions 9.3 prior to 9.3P18 and 9.4 prior to 9.4P2 are susceptible to a cross site scripting vulnerability that could allow an authenticated attacker to inject arbitrary scripts into the SNMP Community Names label field. | 2020-03-24 | 3.5 | CVE-2019-17276 MISC |
| N/A -- N/A | IBM Jazz for Service Management 3.13 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 172123. | 2020-03-23 | 3.5 | CVE-2019-4718 XF CONFIRM |
| N/A -- N/A | A stored cross-site scripting (XSS) vulnerability exists in the WPForms Contact Form (aka wpforms-lite) plugin before 1.5.9 for WordPress. | 2020-03-24 | 3.5 | CVE-2020-10385 MISC MISC MISC MISC MISC |
| N/A -- N/A | The Filemanager in CMS Made Simple 2.2.13 has stored XSS via a .pxd file, as demonstrated by m1_files[] to admin/moduleinterface.php. | 2020-03-20 | 3.5 | CVE-2020-10681 MISC |
| N/A -- N/A | openITCOCKPIT before 3.7.3 has unnecessary files (such as Lodash files) under the web root, which leads to XSS. | 2020-03-25 | 3.5 | CVE-2020-10790 MISC MISC CONFIRM |
| N/A -- N/A | In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack. | 2020-03-22 | 3.5 | CVE-2020-10803 SUSE MLIST MISC |
| N/A -- N/A | Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ username parameter. | 2020-03-22 | 3.5 | CVE-2020-10819 MISC |
| N/A -- N/A | Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integration/ password parameter. | 2020-03-22 | 3.5 | CVE-2020-10820 MISC |
| N/A -- N/A | Nagios XI 5.6.11 allows XSS via the account/main.php theme parameter. | 2020-03-22 | 3.5 | CVE-2020-10821 MISC |
| N/A -- N/A | A flaw was found in the all pki-core 10.x.x versions, where Token Processing Service (TPS) where it did not properly sanitize Profile IDs, enabling a Stored Cross-Site Scripting (XSS) vulnerability when the profile ID is printed. An attacker with sufficient permissions could trick an authenticated victim into executing a specially crafted Javascript code. | 2020-03-20 | 3.5 | CVE-2020-1696 CONFIRM |
| N/A -- N/A | Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability. | 2020-03-25 | 3.5 | CVE-2020-2162 MLIST CONFIRM |
| N/A -- N/A | Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers. | 2020-03-25 | 3.5 | CVE-2020-2163 MLIST CONFIRM |
| N/A -- N/A | Jenkins RapidDeploy Plugin 4.2 and earlier does not escape package names in the table of packages obtained from a remote server, resulting in a stored XSS vulnerability. | 2020-03-25 | 3.5 | CVE-2020-2170 MLIST CONFIRM |
| N/A -- N/A | PrestaShop module ps_facetedsearch versions before 3.5.0 has a reflected XSS with `url_name` parameter. The problem is fixed in 3.5.0 | 2020-03-25 | 3.5 | CVE-2020-5277 MISC CONFIRM |
| N/A -- N/A | Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function. | 2020-03-26 | 3.5 | CVE-2020-9467 CONFIRM |
| N/A -- N/A | A stored XSS vulnerability was discovered in Micro Focus Vibe, affecting all Vibe version prior to 4.0.7. The vulnerability could allows a remote attacker to craft and store malicious content into Vibe such that when the content is viewed by another user of the system, attacker controlled JavaScript will execute in the security context of the target user’s browser. | 2020-03-25 | 3.5 | CVE-2020-9520 FULLDISC MISC |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Broadcom Wi-Fi chipsets) software. A denial-of-service attack can leverage a shared interface between Broadcom Bluetooth and Broadcom Wi-Fi. The Samsung ID is SVE-2019-15350 (November 2019). | 2020-03-24 | 3.3 | CVE-2019-20546 CONFIRM |
| N/A -- N/A | The remote keyless system on Honda HR-V 2017 vehicles sends the same RF signal for each door-open request, which might allow a replay attack. | 2020-03-23 | 3.3 | CVE-2019-20626 MISC |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (released in China or India) software. The S Secure app can launch masked apps without a password. The Samsung ID is SVE-2019-13996 (December 2019). | 2020-03-24 | 2.1 | CVE-2019-20533 CONFIRM |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with P(9.0) software. Attackers can view home-screen wallpaper by adjusting the brightness of a locked screen. The Samsung ID is SVE-2019-15540 (December 2019). | 2020-03-24 | 2.1 | CVE-2019-20534 CONFIRM |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) software. A connection to a new Bluetooth devices can be established from the lock screen. The Samsung ID is SVE-2019-15533 (December 2019). | 2020-03-24 | 2.1 | CVE-2019-20535 CONFIRM |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos chipsets) software. There is a buffer over-read and possible information leak in the core touch screen driver. The Samsung ID is SVE-2019-14942 (November 2019). | 2020-03-24 | 2.1 | CVE-2019-20540 CONFIRM |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with P(9.0) software. Attackers can bypass Factory Reset Protection (FRP) via SamsungPay mini. The Samsung ID is SVE-2019-15090 (November 2019). | 2020-03-24 | 2.1 | CVE-2019-20543 CONFIRM |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with O(8.x) (released in China and India) software. The S Secure app can access the content of a locked app without a password. The Samsung ID is SVE-2019-13805 (October 2019). | 2020-03-24 | 2.1 | CVE-2019-20550 CONFIRM |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with O(8.x) software. Attackers can bypass Factory Reset Protection (FRP) via an external keyboard. The Samsung ID is SVE-2019-15164 (October 2019). | 2020-03-24 | 2.1 | CVE-2019-20554 CONFIRM |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. Attackers can bypass Factory Reset Protection (FRP) via a SIM card by blocking the PUK code. The Samsung ID is SVE-2019-15262 (October 2019). | 2020-03-24 | 2.1 | CVE-2019-20557 CONFIRM |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with P(9.0) software. Gallery allows viewing of photos on the lock screen. The Samsung ID is SVE-2019-15055 (October 2019). | 2020-03-24 | 2.1 | CVE-2019-20559 CONFIRM |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with P(9.0) software. Attackers can bypass Factory Reset Protection (FRP) via the status bar. The Samsung ID is SVE-2019-15089 (September 2019). | 2020-03-24 | 2.1 | CVE-2019-20569 CONFIRM |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with P(9.0) software. Quick Panel allows enabling or disabling the Bluetooth stack without authentication. The Samsung ID is SVE-2019-14545 (July 2019). | 2020-03-24 | 2.1 | CVE-2019-20595 CONFIRM |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with O(8.x) software. Bixby leaks the keyboard's learned words, and the clipboard contents, via the lock screen. The Samsung IDs are SVE-2018-12896, SVE-2018-12897 (May 2019). | 2020-03-24 | 2.1 | CVE-2019-20598 CONFIRM |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software. Attackers can bypass Factory Reset Protection (FRP) via SVoice T&C. The Samsung ID is SVE-2018-13547 (March 2019). | 2020-03-24 | 2.1 | CVE-2019-20615 CONFIRM |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with N(7.1) and O(8.x) (Exynos chipsets) software. The ion debugfs driver allows information disclosure. The Samsung ID is SVE-2018-13427 (February 2019). | 2020-03-24 | 2.1 | CVE-2019-20625 CONFIRM |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. Attackers can view notifications by entering many PINs in Lockdown mode. The Samsung ID is SVE-2019-16590 (March 2020). | 2020-03-24 | 2.1 | CVE-2020-10830 CONFIRM |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with P(9.0) software. Attackers can bypass Factory Reset Protection (FRP) via AppTray. The Samsung ID is SVE-2019-16192 (January 2020). | 2020-03-24 | 2.1 | CVE-2020-10855 CONFIRM |
| N/A -- N/A | Zim through 0.72.1 creates temporary directories with predictable names. A malicious user could predict and create Zim's temporary directories and prevent other users from being able to start Zim, resulting in a denial of service. | 2020-03-23 | 2.1 | CVE-2020-10870 MISC |
| N/A -- N/A | There is an improper authentication vulnerability in several smartphones. The applock does not perform a sufficient authentication in certain scenarios, successful exploit could allow the attacker to gain certain data of the application which is locked. Affected product versions include:HUAWEI Mate 20 versions Versions earlier than 10.0.0.188(C00E74R3P8);HUAWEI Mate 30 Pro versions Versions earlier than 10.0.0.203(C00E202R7P2). | 2020-03-20 | 2.1 | CVE-2020-1793 MISC |
| N/A -- N/A | There is an improper authentication vulnerability in several smartphones. The applock does not perform a sufficient authentication in certain scenarios, successful exploit could allow the attacker to gain certain data of the application which is locked. Affected product versions include:HUAWEI Mate 20 versions Versions earlier than 10.0.0.188(C00E74R3P8);HUAWEI Mate 30 Pro versions Versions earlier than 10.0.0.203(C00E202R7P2). | 2020-03-20 | 2.1 | CVE-2020-1794 MISC |
| N/A -- N/A | There is a logic error vulnerability in several smartphones. The software does not properly restrict certain operation when the Digital Balance function is on. Successful exploit could allow the attacker to bypass the Digital Balance limit after a series of operations.Affected product versions include:HUAWEI Mate 20 versions Versions earlier than 10.0.0.188(C00E74R3P8);HUAWEI Mate 30 Pro versions Versions earlier than 10.0.0.203(C00E202R7P2). | 2020-03-20 | 2.1 | CVE-2020-1795 MISC |
| N/A -- N/A | There is a double free vulnerability in some Huawei products. A local attacker with low privilege may perform some operations to exploit the vulnerability. Due to doubly freeing memory, successful exploit may cause some service abnormal. Affected product versions include:CampusInsight versions V100R019C00;ManageOne versions 6.5.RC2.B050. | 2020-03-20 | 2.1 | CVE-2020-1862 MISC |
| N/A -- N/A | Huawei smartphone OxfordS-AN00A with versions earlier than 10.0.1.152D(C735E152R3P3),versions earlier than 10.0.1.160(C00E160R4P1) have an improper authentication vulnerability. Authentication to target component is improper when device performs an operation. Attackers exploit this vulnerability to obtain some information by loading malicious application, leading to information leak. | 2020-03-20 | 2.1 | CVE-2020-1878 MISC |
| N/A -- N/A | This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.1-47117. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the xHCI component. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the hypervisor. Was ZDI-CAN-9428. | 2020-03-23 | 2.1 | CVE-2020-8872 MISC |
| N/A -- N/A | This vulnerability allows local attackers to disclose information on affected installations of Parallels Desktop 15.1.2-47123. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the IOCTL handler. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel. Was ZDI-CAN-10029. | 2020-03-23 | 2.1 | CVE-2020-8876 MISC |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), and P(9.0) software. Gallery has uninitialized memory disclosure. The Samsung ID is SVE-2018-13060 (February 2019). | 2020-03-24 | 1.9 | CVE-2019-20623 CONFIRM |
| N/A -- N/A | An issue was discovered on Samsung mobile devices with P(9.x) and Q(10.x) software. Attackers can enable the OEM unlock feature on a KG-enrolled devices, leading to potentially unwanted binaries being downloaded. The Samsung ID is SVE-2019-16554 (February 2020). | 2020-03-24 | 1.9 | CVE-2020-10846 CONFIRM |
Please share your thoughts
We recently updated our anonymous product survey; we’d welcome your feedback.