Working VB SEVERITY NOT ASSIGNED Table
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
Severity Not Yet Assigned
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
lenovo -- bios | MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A buffer overflow vulnerability was reported, (fixed and publicly disclosed in 2015) in the Lenovo Service Engine (LSE), affecting various versions of BIOS for Lenovo Notebooks, that could allow a remote user to execute arbitrary code on the system. | 2020-03-27 | not yet calculated | CVE-2015-5684 MISC |
lenovo -- system_update | MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A local privilege escalation vulnerability was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and prior where the SUService.exe /type INF and INF_BY_COMPATIBLE_ID command types could allow a user to execute arbitrary code with elevated privileges. | 2020-03-27 | not yet calculated | CVE-2015-7333 MISC |
lenovo -- system_update | MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A local privilege escalation vulnerability was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and prior where the SUService.exe /type COMMAND type could allow a user to execute arbitrary code with elevated privileges. | 2020-03-27 | not yet calculated | CVE-2015-7334 MISC |
lenovo -- system_update | MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A race condition was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and prior that could allow a user to execute arbitrary code with elevated privileges. | 2020-03-27 | not yet calculated | CVE-2015-7335 MISC |
lenovo -- system_update | MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A vulnerability was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and prior that could allow the signature check of an update to be bypassed. | 2020-03-27 | not yet calculated | CVE-2015-7336 MISC |
lenovo -- solution_center | MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A local privilege escalation vulnerability was discovered (fixed and publicly disclosed in 2015) in Lenovo Solution Center (LSC) prior to version 3.3.002 that could allow a user to execute arbitrary code with elevated privileges. | 2020-03-27 | not yet calculated | CVE-2015-8534 MISC |
lenovo -- solution_center | MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A directory traversal vulnerability was discovered (fixed and publicly disclosed in 2015) in Lenovo Solution Center (LSC) prior to version 3.3.002 that could allow a user to execute arbitrary code with elevated privileges. | 2020-03-27 | not yet calculated | CVE-2015-8535 MISC |
lenovo -- solution_center | MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A vulnerability was discovered (fixed and publicly disclosed in 2015) in Lenovo Solution Center (LSC) prior to version 3.3.002 that could allow cross-site request forgery. | 2020-03-27 | not yet calculated | CVE-2015-8536 MISC |
canonical -- ubuntu | python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier. This allows a man-in-the-middle attack which could potentially be used to install altered packages and has been fixed in versions 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5. | 2020-03-26 | not yet calculated | CVE-2019-15795 UBUNTU UBUNTU |
canonical -- ubuntu | Python-apt doesn't check if hashes are signed in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py or in `_fetch_archives()` of apt/cache.py in version 1.9.3ubuntu2 and earlier. This allows downloads from unsigned repositories which shouldn't be allowed and has been fixed in versions 1.9.5, 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5. | 2020-03-26 | not yet calculated | CVE-2019-15796 UBUNTU UBUNTU |
harris -- ormed_self_service | Harris Ormed Self Service before 2019.1.4 allows an authenticated user to view W-2 forms belonging to other users via an arbitrary empNo value to the ORMEDMIS/Data/PY/T4W2Service.svc/RetrieveW2EntriesForEmployee URI, thus exposing sensitive information including employee tax information, social security numbers, home addresses, and more. | 2020-03-25 | not yet calculated | CVE-2019-18626 MISC |
tribal_group -- sits:vision | An authentication bypass vulnerability is present in the standalone SITS:Vision 9.7.0 component of Tribal SITS in its default configuration, related to unencrypted communications sent by the client each time it is launched. This occurs because the Uniface TLS Driver is not enabled by default. This vulnerability allows attackers to gain access to credentials or execute arbitrary SQL queries on the SITS backend as long as they have access to the client executable or can intercept traffic from a user who does. | 2020-03-25 | not yet calculated | CVE-2019-19127 MISC FULLDISC |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with P(9.0) software. The MemorySaver Content Provider allows SQL injection. The Samsung ID is SVE-2019-14365 (August 2019). | 2020-03-24 | not yet calculated | CVE-2019-20576 CONFIRM |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with P(9.0) (Exynos chipsets) software. The MALI GPU Driver allows a kernel panic. The Samsung ID is SVE-2019-14372 (August 2019). | 2020-03-24 | not yet calculated | CVE-2019-20577 CONFIRM |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. Gallery allows attackers to enable Location information sharing from the lock screen. The Samsung ID is SVE-2019-14462 (August 2019). | 2020-03-24 | not yet calculated | CVE-2019-20579 CONFIRM |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with P(9.0) software. The Motion photo player allows attackers to bypass the Secure Folder feature to view images. The Samsung ID is SVE-2019-14653 (August 2019). | 2020-03-24 | not yet calculated | CVE-2019-20580 CONFIRM |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (with TEEGRIS) software. There is type confusion in the SEM Trustlet, leading to arbitrary code execution. The Samsung ID is SVE-2019-14891 (August 2019). | 2020-03-24 | not yet calculated | CVE-2019-20588 CONFIRM |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) (with TEEGRIS) software. There is type confusion in the SKPM Trustlet, leading to arbitrary code execution. The Samsung ID is SVE-2019-14892 (August 2019). | 2020-03-24 | not yet calculated | CVE-2019-20589 CONFIRM |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with O(8.x) (Qualcomm chipsets) software. There is an integer underflow in the Secure Storage Trustlet. The Samsung ID is SVE-2019-13952 (July 2019). | 2020-03-24 | not yet calculated | CVE-2019-20590 CONFIRM |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. There is local SQL injection in the Gear VR Service Content Provider. The Samsung ID is SVE-2019-14058 (July 2019). | 2020-03-24 | not yet calculated | CVE-2019-20591 CONFIRM |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. There is local SQL injection in the Story Video Editor Content Provider. The Samsung ID is SVE-2019-14062 (July 2019). | 2020-03-24 | not yet calculated | CVE-2019-20592 CONFIRM |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software. Gallery leaks Private Mode thumbnails. The Samsung ID is SVE-2019-14208 (July 2019). | 2020-03-24 | not yet calculated | CVE-2019-20593 CONFIRM |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with O(8.x) software. Attackers can disable Gallery permanently. The Samsung ID is SVE-2019-14031 (May 2019). | 2020-03-24 | not yet calculated | CVE-2019-20604 CONFIRM |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (Exynos chipsets) software. A heap overflow occurs for baseband in the Shannon modem. The Samsung ID is SVE-2019-14071 (May 2019). | 2020-03-24 | not yet calculated | CVE-2019-20605 CONFIRM |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with any (before May 2019) software. A phishing attack against OMACP can change the network and internet settings. The Samsung ID is SVE-2019-14073 (May 2019). | 2020-03-24 | not yet calculated | CVE-2019-20606 CONFIRM |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) (MSM8996, MSM8998, Exynos7420, Exynos7870, Exynos8890, and Exynos8895 chipsets) software. A heap overflow in the keymaster Trustlet allows attackers to write to TEE memory, and achieve arbitrary code execution. The Samsung ID is SVE-2019-14126 (May 2019). | 2020-03-24 | not yet calculated | CVE-2019-20607 CONFIRM |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. An attacker can use Emergency mode to disable features. The Samsung IDs are SVE-2018-13164, SVE-2018-13165 (April 2019). | 2020-03-24 | not yet calculated | CVE-2019-20608 CONFIRM |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with P(9.0) software. Attackers can use Smartwatch to view Secure Folder notification content. The Samsung ID is SVE-2019-13899 (April 2019). | 2020-03-24 | not yet calculated | CVE-2019-20609 CONFIRM |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with N(7.X) and O(8.X) (Exynos 7570, 7870, 7880, 7885, 8890, 8895, and 9810 chipsets) software. A double-fetch vulnerability in Trustlet allows arbitrary TEE code execution. The Samsung ID is SVE-2019-13910 (April 2019). | 2020-03-24 | not yet calculated | CVE-2019-20610 CONFIRM |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), Go(8.1), P(9.0), and Go(9.0) (Exynos chipsets) software. A baseband stack overflow leads to arbitrary code execution. The Samsung ID is SVE-2019-13963 (April 2019). | 2020-03-24 | not yet calculated | CVE-2019-20611 CONFIRM |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software. There is time-based SQL injection in Contacts. The Samsung ID is SVE-2018-13452 (March 2019). | 2020-03-24 | not yet calculated | CVE-2019-20613 CONFIRM |
gnu -- patch | GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952. | 2020-03-25 | not yet calculated | CVE-2019-20633 MISC |
3s-smart_software_solutions -- codesys_gatewayservice | An exploitable memory corruption vulnerability exists in the Name Service Client functionality of 3S-Smart Software Solutions CODESYS GatewayService 3.5.13.20. A specially crafted packet can cause a large memcpy, resulting in an access violation and termination of the process. An attacker can send a packet to a device running the GatewayService.exe to trigger this vulnerability. | 2020-03-26 | not yet calculated | CVE-2019-5105 MISC |
fireeye -- winring0x64.sys | An issue was discovered in WinRing0x64.sys in Moo0 System Monitor 1.83. The vulnerable driver exposes a wrmsr instruction via IOCTL 0x9C402088 and does not properly filter the Model Specific Register (MSR). Allowing arbitrary MSR writes can lead to Ring-0 code execution and escalation of privileges. | 2020-03-25 | not yet calculated | CVE-2019-7240 MISC |
fireeye -- kerneld.sys | An issue was discovered in kerneld.sys in AIDA64 before 5.99. The vulnerable driver exposes a wrmsr instruction via IOCTL 0x80112084 and does not properly filter the Model Specific Register (MSR). Allowing arbitrary MSR writes can lead to Ring-0 code execution and escalation of privileges. | 2020-03-25 | not yet calculated | CVE-2019-7244 MISC |
fireeye -- gpu-z.sys | An issue was discovered in GPU-Z.sys in TechPowerUp GPU-Z before 2.23.0. The vulnerable driver exposes a wrmsr instruction via an IOCTL and does not properly filter the Model Specific Register (MSR). Allowing arbitrary MSR writes can lead to Ring-0 code execution and escalation of privileges. | 2020-03-25 | not yet calculated | CVE-2019-7245 MISC |
fireeye -- gdrv.sys | An issue was discovered in gdrv.sys in Gigabyte APP Center before 19.0227.1. The vulnerable driver exposes a wrmsr instruction via IOCTL 0xC3502580 and does not properly filter the target Model Specific Register (MSR). Allowing arbitrary MSR writes can lead to Ring-0 code execution and escalation of privileges. | 2020-03-25 | not yet calculated | CVE-2019-7630 MISC |
tenable -- codesys_v3 | CODESYS V3 web server before 3.5.15.40, as used in CODESYS Control runtime systems, has a buffer overflow. | 2020-03-26 | not yet calculated | CVE-2020-10245 CONFIRM MISC |
sunnet -- sunnet_ehrd | Sunnet eHRD, a human training and development management system, improperly stores system files. Attackers can use a specific URL and capture confidential information. | 2020-03-27 | not yet calculated | CVE-2020-10508 MISC |
sunnet -- sunnet_ehrd | Sunnet eHRD, a human training and development management system, contains a Cross-Site Scripting (XSS) vulnerability: attackers can inject arbitrary script into the system and launch an XSS attack. | 2020-03-27 | not yet calculated | CVE-2020-10509 MISC |
sunnet -- sunnet_ehrd | Sunnet eHRD, a human training and development management system, contains a Broken Access Control vulnerability. After login, attackers can use a specific URL to access unauthorized functionality and data. | 2020-03-27 | not yet calculated | CVE-2020-10510 MISC |
advantech -- webaccess | In Advantech WebAccess, versions 8.4.2 and prior, a stack-based buffer overflow vulnerability caused by a lack of proper validation of the length of user-supplied data may allow remote code execution. | 2020-03-27 | not yet calculated | CVE-2020-10607 MISC |
asus -- asus_device_activation | DevActSvc.exe in ASUS Device Activation before 1.0.7.0 for Windows 10 notebooks and PCs could lead to unsigned code execution with no additional restrictions when a user puts an application at a particular path with a particular file name. | 2020-03-25 | not yet calculated | CVE-2020-10649 MISC MISC MISC MISC |
hashicorp -- hashicorp_vault_and_vault_enterprise | HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4. | 2020-03-23 | not yet calculated | CVE-2020-10660 CONFIRM MISC |
ansible -- ansible_engine | A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively: when ansible_facts is used as a subkey of itself and promoted to a variable while inject is enabled, it overwrites ansible_facts after the cleaning step. An attacker could take advantage of this by altering ansible_facts, such as ansible_hosts, users and any other key data, leading to privilege escalation or code injection. | 2020-03-24 | not yet calculated | CVE-2020-10684 CONFIRM |
openitcockpit -- openitcockpit | openITCOCKPIT before 3.7.3 uses the 1fea123e07f730f76e661bced33a94152378611e API key rather than generating a random API Key for WebSocket connections. | 2020-03-25 | not yet calculated | CVE-2020-10788 MISC CONFIRM |
wordpress -- wordpress | The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued. | 2020-03-27 | not yet calculated | CVE-2020-10817 MISC MISC |
draytek -- multiple_devices | A stack-based buffer overflow in /cgi-bin/activate.cgi through var parameter on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve code execution via a remote HTTP request (issue 1 of 3). | 2020-03-26 | not yet calculated | CVE-2020-10823 MISC |
draytek -- multiple_devices | A stack-based buffer overflow in /cgi-bin/activate.cgi through ticket parameter on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve code execution via a remote HTTP request (issue 2 of 3). | 2020-03-26 | not yet calculated | CVE-2020-10824 MISC |
draytek -- multiple_devices | A stack-based buffer overflow in /cgi-bin/activate.cgi while base64 decoding ticket parameter on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve code execution via a remote HTTP request (issue 3 of 3). | 2020-03-26 | not yet calculated | CVE-2020-10825 MISC |
draytek -- multiple_devices | /cgi-bin/activate.cgi on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve command injection via a remote HTTP request in DEBUG mode. | 2020-03-26 | not yet calculated | CVE-2020-10826 MISC |
draytek -- multiple_devices | A stack-based buffer overflow in apmd on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve code execution via a remote HTTP request. | 2020-03-26 | not yet calculated | CVE-2020-10827 MISC |
draytek -- multiple_devices | A stack-based buffer overflow in cvmd on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve code execution via a remote HTTP request. | 2020-03-26 | not yet calculated | CVE-2020-10828 MISC |
samsung -- multiple_mobile_devices | An issue was discovered on Samsung mobile devices with P(9.0) (Galaxy S8 and Note8) software. Facial recognition can be spoofed. The Samsung ID is SVE-2019-16614 (February 2020). | 2020-03-24 | not yet calculated | CVE-2020-10847 CONFIRM |
openwrt -- luci | ** DISPUTED ** In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances reachable by an unauthenticated actor, the same information is available in other (more complex) ways, and there is no plan to restrict the information further. | 2020-03-23 | not yet calculated | CVE-2020-10871 MISC MISC MISC |
tp-link -- archer_a7_firmware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of DNS responses. A crafted DNS message can trigger an overflow of a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-9660. | 2020-03-25 | not yet calculated | CVE-2020-10881 MISC |
tp-link -- archer_a7_firmware | This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. When parsing the slave_mac parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-9650. | 2020-03-25 | not yet calculated | CVE-2020-10882 MISC |
tp-link -- archer_a7_firmware | This vulnerability allows local attackers to escalate privileges on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the file system. The issue lies in the lack of proper permissions set on the file system. An attacker can leverage this vulnerability to escalate privileges. Was ZDI-CAN-9651. | 2020-03-25 | not yet calculated | CVE-2020-10883 MISC |
tp-link -- archer_a7_firmware | This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. This issue results from the use of a hard-coded encryption key. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-9652. | 2020-03-25 | not yet calculated | CVE-2020-10884 MISC |
tp-link -- archer_a7_firmware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of DNS responses. The issue results from the lack of proper validation of DNS responses prior to further processing. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the root user. Was ZDI-CAN-9661. | 2020-03-25 | not yet calculated | CVE-2020-10885 MISC |
tp-link -- archer_a7_firmware | This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tmpServer service, which listens on TCP port 20002. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9662. | 2020-03-25 | not yet calculated | CVE-2020-10886 MISC |
tp-link -- archer_a7_firmware | This vulnerability allows a firewall bypass on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of IPv6 connections. The issue results from the lack of proper filtering of IPv6 SSH connections. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-9663. | 2020-03-25 | not yet calculated | CVE-2020-10887 MISC |
tp-link -- archer_a7_firmware | This vulnerability allows remote attackers to bypass authentication on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of SSH port forwarding requests during initial setup. The issue results from the lack of proper authentication prior to establishing SSH port forwarding rules. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the WAN interface. Was ZDI-CAN-9664. | 2020-03-25 | not yet calculated | CVE-2020-10888 MISC |
phoenix -- contact_pc_worx_srt | Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation. | 2020-03-27 | not yet calculated | CVE-2020-10939 CONFIRM |
phoenix -- contact_portico_server | Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service. | 2020-03-27 | not yet calculated | CVE-2020-10940 CONFIRM |
gitlab -- gitlab_enterprise_and_community_edition | GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images. | 2020-03-27 | not yet calculated | CVE-2020-10952 CONFIRM MISC |
gitlab -- gitlab_enterprise_edition | In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a path traversal issue. | 2020-03-27 | not yet calculated | CVE-2020-10953 CONFIRM MISC |
gitlab -- gitlab | GitLab through 12.9 is affected by a potential DoS in repository archive download. | 2020-03-27 | not yet calculated | CVE-2020-10954 CONFIRM MISC |
gitlab -- gitlab_enterprise_and_community_edition | GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders. | 2020-03-27 | not yet calculated | CVE-2020-10955 CONFIRM MISC |
gitlab -- gitlab | GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a project import note feature. | 2020-03-27 | not yet calculated | CVE-2020-10956 CONFIRM MISC |
teradici -- pcoip_management_console | Teradici PCoIP Management Console 20.01.0 and 19.11.1 is vulnerable to unauthenticated password resets via login/resetadminpassword of the default admin account. This vulnerability only exists when the default admin account is not disabled. It is fixed in 20.01.1 and 19.11.2. | 2020-03-25 | not yet calculated | CVE-2020-10965 MISC MISC |
vesta_and_hestia_control_panel -- vesta_and_hestia_control_panel | In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name. | 2020-03-25 | not yet calculated | CVE-2020-10966 MISC CONFIRM MISC |
fasterxml -- jackson-databind | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). | 2020-03-26 | not yet calculated | CVE-2020-10968 MISC MISC |
fasterxml -- jackson-databind | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. | 2020-03-26 | not yet calculated | CVE-2020-10969 MISC MISC |
accenture -- mercury | An XXE issue exists in Accenture Mercury before 1.12.28 because of the platformlambda/core/serializers/SimpleXmlParser.java component. | 2020-03-27 | not yet calculated | CVE-2020-10990 MISC MISC |
mulesoft -- apikit | Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java | 2020-03-27 | not yet calculated | CVE-2020-10991 MISC |
azkaban -- azkaban | Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorManager.java and user/XmlUserManager.java. | 2020-03-27 | not yet calculated | CVE-2020-10992 MISC |
osmand -- osmand | Osmand through 2.0.0 allow XXE because of binary/BinaryMapIndexReader.java. | 2020-03-27 | not yet calculated | CVE-2020-10993 MISC |
the_fedora_project -- pyyaml_library | A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor. | 2020-03-24 | not yet calculated | CVE-2020-1747 CONFIRM MISC FEDORA FEDORA FEDORA |
kiali -- kiali | A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration. | 2020-03-26 | not yet calculated | CVE-2020-1764 CONFIRM MISC |
otrs -- open_ticket_request_system | In the login screens (in agent and customer interface), the Username and Password fields use autocomplete, which might be considered a security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. | 2020-03-27 | not yet calculated | CVE-2020-1769 MISC |
otrs -- open_ticket_request_system | Files generated by the support bundle could contain sensitive information that should not be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. | 2020-03-27 | not yet calculated | CVE-2020-1770 MISC |
otrs -- open_ticket_request_system | An attacker is able to craft an article with a link to the customer address book that carries malicious content (JavaScript). When an agent opens the link, the JavaScript code is executed due to missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. | 2020-03-27 | not yet calculated | CVE-2020-1771 MISC |
otrs -- open_ticket_request_system | It is possible to craft Lost Password requests with wildcards in the Token value, which allows an attacker to retrieve valid token(s) generated for users who have already requested new passwords. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. | 2020-03-27 | not yet calculated | CVE-2020-1772 MISC |
otrs -- open_ticket_request_system | It is possible for an authenticated user to guess other session IDs based on their own. It is also possible to guess a password reset token or an automatically generated password. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. | 2020-03-27 | not yet calculated | CVE-2020-1773 MISC |
huawei -- multiple_smartphone_devices | HUAWEI P30 smartphones with versions earlier than 10.0.0.185(C00E85R1P11) have an improper access control vulnerability. The software incorrectly restricts access to a function interface from an unauthorized actor; if the attacker tricks the user into installing a crafted application, successful exploitation could allow the attacker to perform certain unauthenticated operations. | 2020-03-26 | not yet calculated | CVE-2020-1800 MISC |
apache -- shiro | In Apache Shiro before 1.5.2, when Shiro is used with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. | 2020-03-25 | not yet calculated | CVE-2020-1957 MISC MLIST |
jenkins -- jenkins | Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL. | 2020-03-25 | not yet calculated | CVE-2020-2160 MLIST CONFIRM |
jenkins -- jenkins | Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels. | 2020-03-25 | not yet calculated | CVE-2020-2161 MLIST CONFIRM |
jenkins -- jenkins | Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. | 2020-03-25 | not yet calculated | CVE-2020-2166 MLIST CONFIRM |
jenkins -- jenkins | Jenkins OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. | 2020-03-25 | not yet calculated | CVE-2020-2167 MLIST CONFIRM |
N/A -- N/A | Jenkins Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. | 2020-03-25 | not yet calculated | CVE-2020-2168 MLIST CONFIRM |
N/A -- N/A | Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 2020-03-25 | not yet calculated | CVE-2020-2171 MLIST CONFIRM |
N/A -- N/A | ColdFusion versions ColdFusion 2016, and ColdFusion 2018 have a remote file read vulnerability. Successful exploitation could lead to arbitrary file read from the coldfusion install directory. | 2020-03-25 | not yet calculated | CVE-2020-3761 CONFIRM |
N/A -- N/A | Adobe Genuine Integrity Service versions Version 6.4 and earlier have an insecure file permissions vulnerability. Successful exploitation could lead to privilege escalation. | 2020-03-25 | not yet calculated | CVE-2020-3766 CONFIRM |
N/A -- N/A | ColdFusion versions ColdFusion 2016, and ColdFusion 2018 have a file inclusion vulnerability. Successful exploitation could lead to arbitrary code execution of files located in the webroot or its subdirectory. | 2020-03-25 | not yet calculated | CVE-2020-3794 CONFIRM |
N/A -- N/A | UltraLog Express device management interface does not properly perform access authentication in some specific pages/functions. Any user can access the privileged page to manage accounts through specific system directory. | 2020-03-27 | not yet calculated | CVE-2020-3920 MISC |
N/A -- N/A | UltraLog Express device management software stores user’s information in cleartext. Any user can obtain accounts information through a specific page. | 2020-03-27 | not yet calculated | CVE-2020-3921 MISC |
N/A -- N/A | UltraLog Express device management interface does not properly filter user inputted string in some specific parameters, attackers can inject arbitrary SQL command. | 2020-03-27 | not yet calculated | CVE-2020-3936 MISC |
N/A -- N/A | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. X-Force ID: 175984. | 2020-03-26 | not yet calculated | CVE-2020-4276 XF CONFIRM |
N/A -- N/A | A vulnerability in the SonicWall SMA1000 HTTP Extraweb server allows an unauthenticated remote attacker to cause HTTP server crash which leads to Denial of Service. This vulnerability affected SMA1000 Version 12.1.0-06411 and earlier. | 2020-03-26 | not yet calculated | CVE-2020-5129 CONFIRM |
N/A -- N/A | The command-line "safety" package for Python has a potential security issue. There are two Python characteristics that allow malicious code to “poison-pill” command-line Safety package detection routines by disguising, or obfuscating, other malicious or non-secure packages. This vulnerability is considered to be of low severity because the attack makes use of an existing Python condition, not the Safety tool itself. This can happen if: You are running Safety in a Python environment that you don’t trust. You are running Safety from the same Python environment where you have your dependencies installed. Dependency packages are being installed arbitrarily or without proper verification. Users can mitigate this issue by doing any of the following: Perform a static analysis by installing Docker and running the Safety Docker image: $ docker run --rm -it pyupio/safety check -r requirements.txt Run Safety against a static dependencies list, such as the requirements.txt file, in a separate, clean Python environment. Run Safety from a Continuous Integration pipeline. Use PyUp.io, which runs Safety in a controlled environment and checks Python for dependencies without any need to install them. Use PyUp's Online Requirements Checker. | 2020-03-23 | not yet calculated | CVE-2020-5252 CONFIRM CONFIRM CONFIRM |
N/A -- N/A | http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported. | 2020-03-25 | not yet calculated | CVE-2020-5280 MISC MISC MISC CONFIRM |
N/A -- N/A | In Perun before version 3.9.1, VO or group manager can modify configuration of the LDAP extSource to retrieve all from Perun LDAP. Issue is fixed in version 3.9.1 by sanitisation of the input. | 2020-03-25 | not yet calculated | CVE-2020-5281 MISC MISC CONFIRM |
N/A -- N/A | In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in the `npm` command which is part of this software package. This allows arbitrary shell execution, which can compromise the bot. This is patched in version 1.0.0-beta. | 2020-03-25 | not yet calculated | CVE-2020-5282 MISC CONFIRM |
N/A -- N/A | RSA Authentication Manager versions prior to 8.4 P10 contain a stored cross-site scripting vulnerability in the Security Console. A malicious RSA Authentication Manager Security Console administrator with advanced privileges could exploit this vulnerability to store arbitrary HTML or JavaScript code through the Security Console web interface. When other Security Console administrators open the affected report page, the injected scripts could potentially be executed in their browser. | 2020-03-26 | not yet calculated | CVE-2020-5339 MISC |
N/A -- N/A | RSA Authentication Manager versions prior to 8.4 P10 contain a stored cross-site scripting vulnerability in the Security Console. A malicious RSA Authentication Manager Security Console administrator with advanced privileges could exploit this vulnerability to store arbitrary HTML or JavaScript code through the Security Console web interface. When other Security Console administrators attempt to change the default security domain mapping, the injected scripts could potentially be executed in their browser. | 2020-03-26 | not yet calculated | CVE-2020-5340 MISC |
N/A -- N/A | On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.2, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, undisclosed HTTP behavior may lead to a denial of service. | 2020-03-27 | not yet calculated | CVE-2020-5857 MISC |
N/A -- N/A | On BIG-IP 15.0.0-15.0.1.2, 14.1.0-14.1.2.2, 13.1.0-13.1.3.2, 12.1.0-12.1.5, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, users with non-administrator roles (for example, Guest or Resource Administrator) with tmsh shell access can execute arbitrary commands with elevated privilege via a crafted tmsh command. | 2020-03-27 | not yet calculated | CVE-2020-5858 MISC |
N/A -- N/A | On BIG-IP 15.1.0.1, specially formatted HTTP/3 messages may cause TMM to produce a core file. | 2020-03-27 | not yet calculated | CVE-2020-5859 MISC |
N/A -- N/A | On BIG-IP 15.0.0-15.1.0.2, 14.1.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5.1, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, in a High Availability (HA) network failover in Device Service Cluster (DSC), the failover service does not require a strong form of authentication and HA network failover traffic is not encrypted by Transport Layer Security (TLS). | 2020-03-27 | not yet calculated | CVE-2020-5860 MISC |
N/A -- N/A | On BIG-IP 12.1.0-12.1.5, the TMM process may produce a core file in some cases when Ram Cache incorrectly optimizes stored data resulting in memory errors. | 2020-03-27 | not yet calculated | CVE-2020-5861 MISC |
N/A -- N/A | On BIG-IP 15.1.0-15.1.0.1, 15.0.0-15.0.1.1, and 14.1.0-14.1.2.2, under certain conditions, TMM may crash or stop processing new traffic with the DPDK/ENA driver on AWS systems while sending traffic. This issue does not affect any other platforms, hardware or virtual, or any other cloud provider since the affected driver is specific to AWS. | 2020-03-27 | not yet calculated | CVE-2020-5862 MISC |
N/A -- N/A | In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. The user which is created is only able to upload a new license to the system but cannot view or modify any other components of the system. | 2020-03-27 | not yet calculated | CVE-2020-5863 MISC |
N/A -- N/A | An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer dereference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability. | 2020-03-27 | not yet calculated | CVE-2020-6095 MISC |
N/A -- N/A | When a Web Extension had the all-urls permission and made a fetch request with a mode set to 'same-origin', it was possible for the Web Extension to read local files. This vulnerability affects Firefox < 74. | 2020-03-25 | not yet calculated | CVE-2020-6809 MISC MISC |
N/A -- N/A | After a website had entered fullscreen mode, it could have used a previously opened popup to obscure the notification that indicates the browser is in fullscreen mode. Combined with spoofing the browser chrome, this could have led to confusing the user about the current origin of the page and credential theft or other attacks. This vulnerability affects Firefox < 74. | 2020-03-25 | not yet calculated | CVE-2020-6810 MISC MISC |
N/A -- N/A | The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as Curl' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. | 2020-03-25 | not yet calculated | CVE-2020-6811 MISC MISC MISC MISC |
N/A -- N/A | The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g. Jane Doe's AirPods.) Websites with camera or microphone permission are able to enumerate device names, disclosing the user's name. To resolve this issue, Firefox added a special case that renames devices containing the substring 'AirPods' to simply 'AirPods'. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. | 2020-03-25 | not yet calculated | CVE-2020-6812 MISC MISC MISC MISC |
N/A -- N/A | When protecting CSS blocks with the nonce feature of Content Security Policy, the @import statement in the CSS block could allow an attacker to inject arbitrary styles, bypassing the intent of the Content Security Policy. This vulnerability affects Firefox < 74. | 2020-03-25 | not yet calculated | CVE-2020-6813 MISC MISC |
N/A -- N/A | Mozilla developers reported memory safety bugs present in Firefox and Thunderbird 68.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6. | 2020-03-25 | not yet calculated | CVE-2020-6814 MISC MISC MISC MISC |
N/A -- N/A | Mozilla developers reported memory safety and script safety bugs present in Firefox 73. Some of these bugs showed evidence of memory corruption or escalation of privilege and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 74. | 2020-03-25 | not yet calculated | CVE-2020-6815 MISC MISC |
N/A -- N/A | In Moxa EDS-G516E Series firmware, Version 5.2 or lower, some of the parameters in the setting pages do not ensure text is the correct size for its buffer. | 2020-03-26 | not yet calculated | CVE-2020-6999 MISC |
N/A -- N/A | DLL Side Loading vulnerability in the installer for McAfee Application and Change Control (MACC) prior to 8.3 allows local users to execute arbitrary code via execution from a compromised folder. | 2020-03-26 | not yet calculated | CVE-2020-7260 CONFIRM |
N/A -- N/A | An insecure direct object reference in webmail in totemo totemomail 7.0.0 allows an authenticated remote user to read and modify mail folder names of other users via enumeration. | 2020-03-27 | not yet calculated | CVE-2020-7918 MISC MISC |
N/A -- N/A | In Continuous Delivery for Puppet Enterprise (CD4PE) before 3.4.0, changes to resources or classes containing Sensitive parameters can result in the Sensitive parameters ending up in the impact analysis report. | 2020-03-26 | not yet calculated | CVE-2020-7944 MISC |
N/A -- N/A | The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250. | 2020-03-27 | not yet calculated | CVE-2020-8551 MISC MISC |
N/A -- N/A | The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests. | 2020-03-27 | not yet calculated | CVE-2020-8552 MISC MISC |
N/A -- N/A | A URL parsing issue in goog.uri of the Google Closure Library versions up to and including v20200224 allows an attacker to send malicious URLs to be parsed by the library and return the wrong authority. Mitigation: update your library to version v20200315. | 2020-03-26 | not yet calculated | CVE-2020-8910 CONFIRM CONFIRM |
N/A -- N/A | An improper HTML sanitization in Dart versions up to and including 2.7.1 and dev versions 2.8.0-dev.16.0, allows an attacker leveraging DOM Clobbering techniques to skip the sanitization and inject custom html/javascript (XSS). Mitigation: update your Dart SDK to 2.7.2, and 2.8.0-dev.17.0 for the dev version. If you cannot update, we recommend you review the way you use the affected APIs, and pay special attention to cases where user-provided data is used to populate DOM nodes. Consider using Element.innerText or Node.text to populate DOM elements. | 2020-03-26 | not yet calculated | CVE-2020-8923 CONFIRM |
N/A -- N/A | Huawei smart phone Taurus-AL00B with versions earlier than 10.0.0.203(C00E201R7P2) have a use-after-free (UAF) vulnerability. An authenticated, local attacker may perform specific operations to exploit this vulnerability. Successful exploitation may tamper with the information to affect the availability. | 2020-03-26 | not yet calculated | CVE-2020-9065 MISC |
N/A -- N/A | Huawei smartphones OxfordP-AN10B with versions earlier than 10.0.1.169(C00E166R4P1) have an improper authentication vulnerability. The Application doesn't perform proper authentication when user performs certain operations. An attacker can trick user into installing a malicious plug-in to exploit this vulnerability. Successful exploit could allow the attacker to bypass the authentication to perform unauthorized operations. | 2020-03-26 | not yet calculated | CVE-2020-9066 MISC |
N/A -- N/A | TP-Link Archer C50 V3 devices before Build 200318 Rel. 62209 allow remote attackers to cause a denial of service via a crafted HTTP Header containing an unexpected Referer field. | 2020-03-25 | not yet calculated | CVE-2020-9375 MISC MISC CONFIRM |
N/A -- N/A | The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter. | 2020-03-26 | not yet calculated | CVE-2020-9468 MISC MISC |
N/A -- N/A | An SQL injection vulnerability was discovered in Micro Focus Service Manager Automation (SMA), affecting versions 2019.08, 2019.05, 2019.02, 2018.08, 2018.05, 2018.02. The vulnerability could allow for the improper neutralization of special elements in SQL commands and may lead to the product being vulnerable to SQL injection. | 2020-03-26 | not yet calculated | CVE-2020-9521 MISC |