The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2019-2089 | In app uninstallation, there is a possible set of permissions that may not be removed from a shared app ID. This could lead to a local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-10 Android ID: A-116608833 | MEDIUM | Mar 17, 2020 |
CVE-2020-10218 | A Blind SQL Injection issue was discovered in Sapplica Sentrifugo 3.2 via the index.php/holidaygroups/add id parameter because of the HolidaydatesController.php addAction function. | MEDIUM | Mar 17, 2020 |
CVE-2020-10089 | GitLab 8.11 through 12.8.1 allows a Denial of Service when using several features to recursively request each other. | MEDIUM | Mar 17, 2020 |
CVE-2019-19610 | An issue was discovered in Halvotec RaQuest 10.23.10801.0. It allows session fixation. Fixed in Release 24.2020.20608.0. | MEDIUM | Mar 17, 2020 |
CVE-2020-8141 | The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype. | MEDIUM | Mar 17, 2020 |
CVE-2019-19538 | In Sangoma FreePBX 13 through 15, the sysadmin (aka System Admin) 13.0.92 through 15.0.13.6 modules have a Remote Command Execution vulnerability that results in Privilege Escalation. | MEDIUM | Mar 17, 2020 |
CVE-2020-10080 | GitLab 8.3 through 12.8.1 allows Information Disclosure. It was possible for certain non-members to access the Contribution Analytics page of a private group. | MEDIUM | Mar 17, 2020 |
CVE-2020-10577 | An issue was discovered in Janus through 0.9.1. janus.c has multiple concurrent threads that misuse the source property of a session, leading to a race condition when claiming sessions. | MEDIUM | Mar 17, 2020 |
CVE-2019-20407 | The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to, through a missing authorisation check. | MEDIUM | Mar 17, 2020 |
CVE-2020-10081 | GitLab before 12.8.2 has Incorrect Access Control. It was internally discovered that the LFS import process could potentially be used to incorrectly access LFS objects not owned by the user. | MEDIUM | Mar 17, 2020 |
CVE-2020-9290 | An Unsafe Search Path vulnerability in FortiClient for Windows online installer 6.2.3 and below may allow a local attacker with control over the directory in which FortiClientOnlineInstaller.exe and FortiClientVPNOnlineInstaller.exe resides to execute arbitrary code on the system via uploading malicious Filter Library DLL files in that directory. | MEDIUM | Mar 17, 2020 |
CVE-2020-10083 | GitLab 12.7 through 12.8.1 has Insecure Permissions. Under certain conditions involving groups, project authorization changes were not being applied. | MEDIUM | Mar 17, 2020 |
CVE-2019-2058 | In libAACdec, there is a possible out of bounds read. This could lead to remote information disclosure, with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-10 Android ID: A-136089102 | MEDIUM | Mar 17, 2020 |
CVE-2020-7982 | An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. A bug in the fork of the opkg package manager before 2020-01-25 prevents correct parsing of embedded checksums in the signed repository index, allowing a man-in-the-middle attacker to inject arbitrary package payloads (which are installed without verification). | MEDIUM | Mar 17, 2020 |
CVE-2019-11074 | A Write to Arbitrary Location in Disk vulnerability exists in PRTG Network Monitor 19.1.49 and below that allows attackers to place files in arbitrary locations with SYSTEM privileges (although not controlling the contents of such files) due to insufficient sanitisation when passing arguments to the phantomjs.exe binary. In order to exploit the vulnerability, remote authenticated administrators need to create a new HTTP Full Web Page Sensor and set specific settings when executing the sensor. | HIGH | Mar 17, 2020 |
CVE-2020-0088 | In parseTrackFragmentRun of MPEG4Extractor.cpp, there is possible resource exhaustion due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-10 Android ID: A-124389881 | MEDIUM | Mar 17, 2020 |
CVE-2018-21037 | Subrion CMS 4.1.5 (and possibly earlier versions) allow CSRF to change the administrator password via the panel/members/edit/1 URI. | MEDIUM | Mar 17, 2020 |
CVE-2020-7607 | gulp-styledocco through 0.0.3 allows execution of arbitrary commands. The argument 'options' of the exports function in 'index.js' can be controlled by users without any sanitization. | HIGH | Mar 17, 2020 |
CVE-2020-9287 | An Unsafe Search Path vulnerability in FortiClient EMS online installer 6.2.1 and below may allow a local attacker with control over the directory in which FortiClientEMSOnlineInstaller.exe resides to execute arbitrary code on the system via uploading malicious Filter Library DLL files in that directory. | MEDIUM | Mar 17, 2020 |
CVE-2020-10076 | GitLab 12.1 through 12.8.1 allows XSS. A stored cross-site scripting vulnerability was discovered when displaying merge requests. | MEDIUM | Mar 17, 2020 |
CVE-2019-15608 | The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack. | MEDIUM | Mar 17, 2020 |
CVE-2019-4656 | IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD is vulnerable to a denial of service attack that would allow an authenticated user to crash the queue and require a restart due to an error processing error messages. IBM X-Force ID: 170967. | MEDIUM | Mar 17, 2020 |
CVE-2020-10588 | v2rayL 2.1.3 allows local users to achieve root access because /etc/v2rayL/add.sh and /etc/v2rayL/remove.sh are owned by a low-privileged user but execute as root via Sudo. | HIGH | Mar 17, 2020 |
CVE-2020-10578 | An arbitrary file read vulnerability exists in system/controller/backend/template.php in QCMS v3.0.1. | MEDIUM | Mar 17, 2020 |
CVE-2020-10085 | GitLab 12.3.5 through 12.8.1 allows Information Disclosure. A particular view was exposing private merge request titles. | MEDIUM | Mar 17, 2020 |
CVE-2019-20191 | Oxygen XML Editor 21.1.1 allows XXE to read any file. | MEDIUM | Mar 17, 2020 |
CVE-2020-10078 | GitLab 12.1 through 12.8.1 allows XSS. The merge request submission form was determined to have a stored cross-site scripting vulnerability. | MEDIUM | Mar 17, 2020 |
CVE-2019-2216 | In overlay notifications, there is a possible hidden notification due to improper input validation. This could lead to a local escalation of privilege because the user is not notified of an overlaying app, with User execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-10 Android ID: A-38390530 | MEDIUM | Mar 17, 2020 |
CVE-2020-10086 | GitLab 10.4 through 12.8.1 allows Directory Traversal. A particular endpoint was vulnerable to a directory traversal vulnerability, leading to arbitrary file read. | MEDIUM | Mar 17, 2020 |
CVE-2020-10082 | GitLab 12.2 through 12.8.1 allows Denial of Service. A denial of service vulnerability impacting the designs for public issues was discovered. | MEDIUM | Mar 17, 2020 |
CVE-2019-4619 | IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD could allow a local attacker to obtain sensitive information by inclusion of sensitive data within trace. IBM X-Force ID: 168862. | LOW | Mar 17, 2020 |
CVE-2020-7603 | closure-compiler-stream through 0.1.15 allows execution of arbitrary commands. The argument options of the exports function in index.js can be controlled by users without any sanitization. | HIGH | Mar 17, 2020 |
CVE-2020-6175 | Citrix SD-WAN 10.2.x before 10.2.6 and 11.0.x before 11.0.3 has Missing SSL Certificate Validation. | MEDIUM | Mar 17, 2020 |
CVE-2020-7601 | gulp-scss-lint through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands to the exec function located in src/command.js via the provided options. | HIGH | Mar 17, 2020 |
CVE-2020-0086 | In readCString of Parcel.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to arbitrary code execution if IntSan were not enabled, which it is by default. No additional execution privileges are required. User interaction is not needed for exploitation. Product: Android Versions: Android-10 Android ID: A-131859347 | MEDIUM | Mar 17, 2020 |
CVE-2020-7606 | docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users without any sanitization. | HIGH | Mar 17, 2020 |
CVE-2019-2088 | In StatsService, there is a possible out of bounds read. This could lead to local information disclosure if UBSAN were not enabled, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-10 Android ID: A-143895055 | LOW | Mar 17, 2020 |
CVE-2019-4719 | IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD could allow a local attacker to obtain sensitive information by inclusion of sensitive data within runmqras data. | LOW | Mar 17, 2020 |
CVE-2020-10088 | GitLab 12.5 through 12.8.1 has Insecure Permissions. Depending on particular group settings, it was possible for invited groups to be given the incorrect permission level. | MEDIUM | Mar 17, 2020 |
CVE-2020-7602 | node-prompt-here through 1.0.1 allows execution of arbitrary commands. runCommand() is called by the getDevices() function in linux/manager.js, which is required by the index. process.env.NM_CLI in linux/manager.js is used to construct the argument of execSync(), which can be controlled by users without any sanitization. | HIGH | Mar 17, 2020 |
CVE-2020-7248 | libubox in OpenWrt before 18.06.7 and 19.x before 19.07.1 has a tagged binary data JSON serialization vulnerability that may cause a stack based buffer overflow. | MEDIUM | Mar 17, 2020 |
CVE-2019-13170 | Some Xerox printers (such as the Phaser 3320 V53.006.16.000) did not implement any mechanism to avoid CSRF attacks. Successful exploitation of this vulnerability can lead to the takeover of a local account on the device. | MEDIUM | Mar 17, 2020 |
CVE-2019-20105 | The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to an administrator's session to access the EditApplinkServlet resource without needing to re-authenticate to pass WebSudo in products that support WebSudo, through an improper access control vulnerability. | MEDIUM | Mar 17, 2020 |
CVE-2020-10576 | An issue was discovered in Janus through 0.9.1. plugins/janus_voicemail.c in the VoiceMail plugin has a race condition that could cause a server crash. | MEDIUM | Mar 17, 2020 |
CVE-2020-3950 | VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) contain a privilege escalation vulnerability due to improper use of setuid binaries. Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC or Horizon Client is installed. | HIGH | Mar 17, 2020 |
CVE-2020-10084 | GitLab EE 11.6 through 12.8.1 allows Information Disclosure. Sending a specially crafted request to the vulnerability_feedback endpoint could result in the exposure of a private project namespace. | MEDIUM | Mar 17, 2020 |
CVE-2019-9473 | In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-10 Android ID: A-115363533 | MEDIUM | Mar 17, 2020 |
CVE-2019-20326 | A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg() in extensions/cairo_io/cairo-image-surface-jpeg.c in GNOME gThumb before 3.8.3 and Linux Mint Pix before 2.4.5 allows attackers to cause a crash and potentially execute arbitrary code via a crafted JPEG file. | MEDIUM | Mar 17, 2020 |
CVE-2019-19612 | An issue was discovered in Halvotec RaQuest 10.23.10801.0. Several features of the application allow stored Cross-site Scripting (XSS). Fixed in Release 24.2020.20608.0. | LOW | Mar 17, 2020 |
CVE-2020-7605 | gulp-tape through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands as part of 'gulp-tape' options. | HIGH | Mar 17, 2020 |