The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a catalog of standardized identifiers for publicly known vulnerabilities and security exposures. Each row below gives the CVE ID, its published description, the priority assigned on this page and the date the record was last modified.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2020-7631 | diskusage-ng through 0.2.4 is vulnerable to Command Injection. It allows execution of arbitrary commands via the path argument. | HIGH | Apr 6, 2020 |
CVE-2020-7630 | git-add-remote through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the name argument. | HIGH | Apr 2, 2020 |
CVE-2020-7629 | install-package through 0.4.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument. | HIGH | Apr 2, 2020 |
CVE-2020-7628 | umount through 1.1.6 is vulnerable to Command Injection. The argument device can be controlled by users without any sanitization. | HIGH | Apr 2, 2020 |
CVE-2020-7627 | node-key-sender through 1.0.11 is vulnerable to Command Injection. It allows execution of arbitrary commands via the 'arrParams' argument in the 'execute()' function. | HIGH | Apr 2, 2020 |
CVE-2020-7626 | karma-mojo through 1.0.1 is vulnerable to Command Injection. It allows execution of arbitrary commands via the config argument. | HIGH | Apr 2, 2020 |
CVE-2020-7625 | op-browser through 1.0.6 is vulnerable to Command Injection. It allows execution of arbitrary commands via the url function. | HIGH | Apr 2, 2020 |
CVE-2020-7624 | effect through 1.0.4 is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument. | HIGH | Apr 2, 2020 |
CVE-2020-7623 | jscover through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the source argument. | HIGH | Apr 2, 2020 |
CVE-2020-7622 | This affects the package io.jooby:jooby-netty before 1.6.9, and from 2.0.0 before 2.2.1. The Netty DefaultHttpHeaders is created with header validation set to false, so header values are not checked for the CR/LF sequences used in HTTP Response Splitting. | HIGH | Apr 6, 2020 |
CVE-2020-7621 | strong-nginx-controller through 1.0.2 is vulnerable to Command Injection. It allows execution of arbitrary commands as part of the '_nginxCmd()' function. | HIGH | Apr 2, 2020 |
CVE-2020-7620 | pomelo-monitor through 0.3.7 is vulnerable to Command Injection. It allows injection of arbitrary commands as part of 'pomelo-monitor' params. | HIGH | Apr 2, 2020 |
CVE-2020-7619 | get-git-data through 1.3.1 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the arguments provided to get-git-data. | HIGH | Apr 2, 2020 |
CVE-2020-7618 | sds through 3.2.0 is vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of 'Object.prototype' by abusing the 'set' function located in 'js/set.js'. | MEDIUM | Apr 7, 2020 |
CVE-2020-7617 | ini-parser through 0.0.2 is vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of Object.prototype using a '__proto__' payload. | HIGH | Apr 2, 2020 |
CVE-2020-7616 | express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Functions exported by the package can be tricked into adding or modifying properties of `Object.prototype`. Exploitation requires creating a new directory in which attack code can be placed, which is then exported by `express-mock-middleware`. As such, this is considered to be a low risk. | MEDIUM | Apr 7, 2020 |
CVE-2020-7615 | fsa through 0.5.1 is vulnerable to Command Injection. The first argument of 'execGitCommand()', located within 'lib/rep.js#63', can be controlled by users without any sanitization to inject arbitrary commands. | MEDIUM | Apr 7, 2020 |
CVE-2020-7614 | npm-programmatic through 0.0.12 is vulnerable to Command Injection. The packages and option properties are concatenated together without any validation and are passed to the 'exec' function directly. | HIGH | Apr 7, 2020 |
CVE-2020-7613 | clamscan through 1.2.0 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the `_is_clamav_binary` function located within `Index.js`. It should be noted that this vulnerability requires a pre-requisite that a folder should be created with the same command that will be chained to execute. This lowers the risk of this issue. | MEDIUM | Apr 7, 2020 |
CVE-2020-7612 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 |
CVE-2020-7611 | All versions of io.micronaut:micronaut-http-client before 1.2.11 and all versions from 1.3.0 before 1.3.2 are vulnerable to HTTP Request Header Injection due to not validating request headers passed to the client. | HIGH | Apr 2, 2020 |
CVE-2020-7610 | All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package ignores an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type. | HIGH | Apr 1, 2020 |
CVE-2020-7609 | node-rules including 3.0.0 and prior to 5.0.0 allows injection of arbitrary commands. The argument rules of function fromJSON() can be controlled by users without any sanitization. | HIGH | Apr 30, 2020 |
CVE-2020-7608 | yargs-parser could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. | MEDIUM | Mar 19, 2020 |
CVE-2020-7607 | gulp-styledocco through 0.0.3 allows execution of arbitrary commands. The argument 'options' of the exports function in 'index.js' can be controlled by users without any sanitization. | HIGH | Mar 17, 2020 |
CVE-2020-7606 | docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName', which can be controlled by users without any sanitization. | HIGH | Mar 17, 2020 |
CVE-2020-7605 | gulp-tape through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands as part of 'gulp-tape' options. | HIGH | Mar 17, 2020 |
CVE-2020-7604 | pulverizr through 0.7.0 allows execution of arbitrary commands. Within lib/job.js, the variable filename can be controlled by the attacker. This function uses the variable filename to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command. | HIGH | Mar 18, 2020 |
CVE-2020-7603 | closure-compiler-stream through 0.1.15 allows execution of arbitrary commands. The argument options of the exports function in index.js can be controlled by users without any sanitization. | HIGH | Mar 17, 2020 |
CVE-2020-7602 | node-prompt-here through 1.0.1 allows execution of arbitrary commands. The getDevices() function in linux/manager.js (required by the package index) calls runCommand(), whose argument is built from process.env.NM_CLI and passed to execSync(); that value can be controlled by users without any sanitization. | HIGH | Mar 17, 2020 |
CVE-2020-7601 | gulp-scss-lint through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands to the exec function located in src/command.js via the provided options. | HIGH | Mar 17, 2020 |
CVE-2020-7600 | querymen prior to 2.1.4 allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks. | MEDIUM | Mar 12, 2020 |
CVE-2020-7599 | All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI) this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own. | LOW | Apr 2, 2020 |
CVE-2020-7598 | minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload. | HIGH | Mar 12, 2020 |
CVE-2020-7597 | codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands. The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596. | MEDIUM | Feb 20, 2020 |
CVE-2020-7596 | Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the gcov-args argument. | MEDIUM | Jan 28, 2020 |
CVE-2020-7595 | xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. | MEDIUM | Feb 15, 2020 |
CVE-2020-7594 | MultiTech Conduit MTCDT-LVW2-24XX 1.4.17-ocea-13592 devices allow remote authenticated administrators to execute arbitrary OS commands by navigating to the Debug Options page and entering shell metacharacters in the interface JSON field of the ping function. | HIGH | Jan 29, 2020 |
CVE-2020-7593 | A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (V1.81.01 - V1.81.03), LOGO! 8 BM (incl. SIPLUS variants) (V1.82.01), LOGO! 8 BM (incl. SIPLUS variants) (V1.82.02). A buffer overflow vulnerability exists in the Web Server functionality of the device. A remote unauthenticated attacker could send a specially crafted HTTP request to cause a memory corruption, potentially resulting in remote code execution. | HIGH | Jul 15, 2020 |
CVE-2020-7592 | A vulnerability has been identified in SIMATIC HMI Basic Panels 1st Generation (incl. SIPLUS variants) (All versions), SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) (All versions), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions), SIMATIC HMI KTP700F Mobile Arctic (All versions), SIMATIC HMI Mobile Panels 2nd Generation (All versions), SIMATIC WinCC Runtime Advanced (All versions). Unencrypted communication between the configuration software and the respective device could allow an attacker to capture potential plain text communication and have access to sensitive information. | LOW | Jul 16, 2020 |
CVE-2020-7591 | A vulnerability has been identified in SIPORT MP (All versions < 3.2.1). Vulnerable versions of the device could allow an authenticated attacker to impersonate other users of the system and perform (potentially administrative) actions on behalf of those users if the single sign-on feature (Allow logon without password) is enabled. | HIGH | Oct 15, 2020 |
CVE-2020-7590 | A vulnerability has been identified in DCA Vantage Analyzer (All versions < V4.5 are affected by CVE-2020-7590. In addition, serial numbers < 40000 running software V4.4.0 are also affected by CVE-2020-15797). Affected devices use a hard-coded password to protect the onboard database. This could allow an attacker to read and or modify the onboard database. Successful exploitation requires direct physical access to the device. | MEDIUM | Oct 13, 2020 |
CVE-2020-7589 | A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions). The vulnerability could lead to an attacker reading and modifying the device configuration and obtain project files from affected devices. The security vulnerability could be exploited by an unauthenticated attacker with network access to port 135/tcp. No user interaction is required to exploit this security vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the device. At the time of advisory publication no public exploitation of this security vulnerability was known. | MEDIUM | Jun 10, 2020 |
CVE-2020-7588 | A vulnerability has been identified in Opcenter Execution Discrete (All versions < V3.2), Opcenter Execution Foundation (All versions < V3.2), Opcenter Execution Process (All versions < V3.2), Opcenter Intelligence (All versions < V3.3), Opcenter Quality (All versions < V11.3), Opcenter RD&L (V8.0), SIMATIC IT LMS (All versions < V2.6), SIMATIC IT Production Suite (All versions < V8.0), SIMATIC Notifier Server for Windows (All versions), SIMATIC PCS neo (All versions < V3.0 SP1), SIMATIC STEP 7 (TIA Portal) V15 (All versions < V15.1 Update 5), SIMATIC STEP 7 (TIA Portal) V16 (All versions < V16 Update 2), SIMOCODE ES V15.1 (All versions < V15.1 Update 4), SIMOCODE ES V16 (All versions < V16 Update 1), Soft Starter ES V15.1 (All versions < V15.1 Update 3), Soft Starter ES V16 (All versions < V16 Update 1). Sending a specially crafted packet to the affected service could cause a partial remote denial-of-service, that would cause the service to restart itself. | MEDIUM | Jul 14, 2020 |
CVE-2020-7587 | A vulnerability has been identified in Opcenter Execution Discrete (All versions < V3.2), Opcenter Execution Foundation (All versions < V3.2), Opcenter Execution Process (All versions < V3.2), Opcenter Intelligence (All versions < V3.3), Opcenter Quality (All versions < V11.3), Opcenter RD&L (V8.0), SIMATIC IT LMS (All versions < V2.6), SIMATIC IT Production Suite (All versions < V8.0), SIMATIC Notifier Server for Windows (All versions), SIMATIC PCS neo (All versions < V3.0 SP1), SIMATIC STEP 7 (TIA Portal) V15 (All versions < V15.1 Update 5), SIMATIC STEP 7 (TIA Portal) V16 (All versions < V16 Update 2), SIMOCODE ES V15.1 (All versions < V15.1 Update 4), SIMOCODE ES V16 (All versions < V16 Update 1), Soft Starter ES V15.1 (All versions < V15.1 Update 3), Soft Starter ES V16 (All versions < V16 Update 1). Sending multiple specially crafted packets to the affected service could cause a partial remote denial-of-service that would cause the service to restart itself. In some cases the vulnerability could leak random information from the remote service. | MEDIUM | Jul 14, 2020 |
CVE-2020-7586 | A vulnerability has been identified in SIMATIC PCS 7 V8.2 and earlier (All versions), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP3), SIMATIC PDM (All versions < V9.2), SIMATIC STEP 7 V5.X (All versions < V5.6 SP2 HF3), SINAMICS STARTER (containing STEP 7 OEM version) (All versions < V5.4 HF2). A buffer overflow vulnerability could allow a local attacker to cause a Denial-of-Service situation. The security vulnerability could be exploited by an attacker with local access to the affected systems. Successful exploitation requires user privileges but no user interaction. The vulnerability could allow an attacker to compromise the availability of the system as well as to have access to confidential information. | MEDIUM | Jun 10, 2020 |
CVE-2020-7585 | A vulnerability has been identified in SIMATIC PCS 7 V8.2 and earlier (All versions), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP3), SIMATIC PDM (All versions < V9.2), SIMATIC STEP 7 V5.X (All versions < V5.6 SP2 HF3), SINAMICS STARTER (containing STEP 7 OEM version) (All versions < V5.4 HF2). A DLL Hijacking vulnerability could allow a local attacker to execute code with elevated privileges. The security vulnerability could be exploited by an attacker with local access to the affected systems. Successful exploitation requires user privileges but no user interaction. The vulnerability could allow an attacker to compromise the availability of the system as well as to have access to confidential information. | MEDIUM | Jun 10, 2020 |
CVE-2020-7584 | A vulnerability has been identified in SIMATIC S7-200 SMART CPU family (All versions >= V2.2 < V2.5.1). Affected devices do not properly handle large numbers of new incoming connections and could crash under certain circumstances. An attacker may leverage this to cause a Denial-of-Service situation. | MEDIUM | Jul 17, 2020 |
CVE-2020-7583 | A vulnerability has been identified in Automation License Manager 5 (All versions), Automation License Manager 6 (All versions < V6.0.8). The application does not properly validate the users' privileges when executing some operations, which could allow a user with low permissions to arbitrarily modify files that should be protected against writing. | MEDIUM | Aug 14, 2020 |
CVE-2020-7581 | A vulnerability has been identified in Opcenter Execution Discrete (All versions < V3.2), Opcenter Execution Foundation (All versions < V3.2), Opcenter Execution Process (All versions < V3.2), Opcenter Intelligence (All versions < V3.3), Opcenter Quality (All versions < V11.3), Opcenter RD&L (V8.0), SIMATIC Notifier Server for Windows (All versions), SIMATIC PCS neo (All versions < V3.0 SP1), SIMATIC STEP 7 (TIA Portal) V15 (All versions < V15.1 Update 5), SIMATIC STEP 7 (TIA Portal) V16 (All versions < V16 Update 2), SIMOCODE ES V15.1 (All versions < V15.1 Update 4), SIMOCODE ES V16 (All versions < V16 Update 1), Soft Starter ES V15.1 (All versions < V15.1 Update 3), Soft Starter ES V16 (All versions < V16 Update 1). A component within the affected application calls a helper binary with SYSTEM privileges during startup while the call path is not quoted. This could allow a local attacker with administrative privileges to execute code with SYSTEM level privileges. | HIGH | Jul 14, 2020 |