Security Bulletin 15 Apr 2020

Published on 15 Apr 2020

Updated on 07 May 2020

SingCERT's Security Bulletin summarises the list of vulnerabilities collated from the National Institute of Standards and Technology (NIST)'s National Vulnerability Database (NVD) in the past week.

The vulnerabilities are tabled based on severity, in accordance to their CVSSv3 base scores:


Criticalvulnerabilities with a base score of 9.0 to 10.0
Highvulnerabilities with a base score of 7.0 to 8.9
Mediumvulnerabilities with a base score of 4.0 to 6.9
Lowvulnerabilities with a base score of 0.1 to 3.9
Nonevulnerabilities with a base score of 0.0

For those vulnerabilities without assigned CVSS scores, please visit NVD for the updated CVSS vulnerability entries.

CRITICAL VULNERABILITIES
CVE NumberDescriptionBase ScoreReference
CVE-2020-9499Some Dahua products have buffer overflow vulnerabilities. After the successful login of the legal account, the attacker sends a specific DDNS test command, which may cause the device to go down.9.8https://www.dahuasecurity.com/support/cybersecurity/details/727
CVE-2020-8961An issue was discovered in Avira Free-Antivirus before 15.0.2004.1825. The Self-Protection feature does not prohibit a write operation from an external process. Thus, code injection can be used to turn off this feature. After that, one can construct an event that will modify a file at a specific location, and pass this event to the driver, thereby defeating the anti-virus functionality.9.8https://support.avira.com/hc/en-us/articles/360000109798-Avira-Antivirus-for-Windows
CVE-2020-6974Honeywell Notifier Web Server (NWS) Version 3.50 is vulnerable to a path traversal attack, which allows an attacker to bypass access to restricted directories. Honeywell has released a firmware update to address the problem.9.8https://www.us-cert.gov/ics/advisories/icsa-20-051-03
CVE-2020-5282In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in the `npm` command which is part of this software package. This allows arbitrary shell execution,which can compromise the bot This is patched in version 1.0.0-beta9.8https://github.com/Assfugil/nickchanbot/commit/d7dc87523fc8bb6babbf8d636c339193b236a3ba
CVE-2020-3952Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.9.8https://www.vmware.com/security/advisories/VMSA-2020-0006
CVE-2020-1992A format string vulnerability in the Varrcvr daemon of PAN-OS on PA-7000 Series devices with a Log Forwarding Card (LFC) allows remote attackers to crash the daemon creating a denial of service condition or potentially execute code with root privileges. This issue affects Palo Alto Networks PAN-OS 9.0 versions before 9.0.7; PAN-OS 9.1 versions before 9.1.2 on PA-7000 Series devices with an LFC installed and configured. This issue requires WildFire services to be configured and enabled. This issue does not affect PAN-OS 8.1 and earlier releases. This issue does not affect any other PA Series firewalls.9.8https://security.paloaltonetworks.com/CVE-2020-1992
CVE-2020-1747A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.9.8http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html
CVE-2020-1615The factory configuration for vMX installations, as shipped, includes default credentials for the root account. Without proper modification of these default credentials by the administrator, an attacker could exploit these credentials and access the vMX instance without authorization. This issue affects Juniper Networks Junos OS: 17.1 versions prior to 17.1R2-S11, 17.1R3-S2 on vMX; 17.2 versions prior to 17.2R3-S3 on vMX; 17.3 versions prior to 17.3R2-S5, 17.3R3-S7 on vMX; 17.4 versions prior to 17.4R2-S9, 17.4R3 on vMX; 18.1 versions prior to 18.1R3-S9 on vMX; 18.2 versions prior to 18.2R2-S7, 18.2R3-S3 on vMX; 18.2X75 versions prior to 18.2X75-D420, 18.2X75-D60 on vMX; 18.3 versions prior to 18.3R1-S7, 18.3R2-S3, 18.3R3-S1 on vMX; 18.4 versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3 on vMX; 19.1 versions prior to 19.1R1-S4, 19.1R2, 19.1R3 on vMX; 19.2 versions prior to 19.2R1-S3, 19.2R2 on vMX; 19.3 versions prior to 19.3R1-S1, 19.3R2 on vMX.9.8https://kb.juniper.net/JSA10998
CVE-2020-11722Dungeon Crawl Stone Soup (aka DCSS or crawl) before 0.25 allows remote attackers to execute arbitrary code via Lua bytecode embedded in an uploaded .crawlrc file.9.8https://dpmendenhall.blogspot.com/2020/03/dungeon-crawl-stone-soup.html
CVE-2020-11710An issue was discovered in docker-kong (for Kong) through 2.0.3. The admin API port may be accessible on interfaces other than 127.0.0.1.9.8https://github.com/Kong/docker-kong/commit/dfa095cadf7e8309155be51982d8720daf32e31c
CVE-2020-11708An issue was discovered in ProVide (formerly zFTPServer) through 13.1. Privilege escalation can occur via the /ajax/SetUserInfo messages parameter because of the EXECUTE() feature, which is for executing programs when certain events are triggered.9.8https://github.com/belong2yourself/vulnerabilities/tree/master/ProVide/Web%20Admin%20Interface%20-%20Privilege%20Escalation%20via%20EXECUTE()
CVE-2020-11705An issue was discovered in ProVide (formerly zFTPServer) through 13.1. /ajax/ImportCertificate allows an attacker to load an arbitrary certificate in .pfx format or overwrite arbitrary files via the fileName parameter.9.8https://github.com/belong2yourself/vulnerabilities/tree/master/ProVide/Web%20Admin%20Interface%20-%20Authenticated%20Arbitrary%20File%20Overwrite
CVE-2020-11673An issue was discovered in the Responsive Poll through 1.3.4 for Wordpress. It allows an unauthenticated user to manipulate polls, e.g., delete, clone, or view a hidden poll. This is due to the usage of the callback wp_ajax_nopriv function in Includes/Total-Soft-Poll-Ajax.php for sensitive operations.9.8https://gist.github.com/pak0s/05a0e517aeff4b1422d1a93f59718459
CVE-2020-11656In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.9.8https://www.sqlite.org/src/info/d09f8c3621d5f7f8
CVE-2020-11630An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. In several sections of code, the verification of serialized objects sent between nodes (connected via the Peers protocol) allows insecure objects to be deserialized.9.8https://support.primekey.com/news/posts/ejbca-security-advisory-deserialization-bug
CVE-2020-11612The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.9.8https://github.com/netty/netty/compare/netty-4.1.45.Final...netty-4.1.46.Final
CVE-2020-11603An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (incorporating TEEGRIS) software. Type confusion in the MLDAP Trustlet allows arbitrary code execution. The Samsung ID is SVE-2020-16599 (April 2020).9.8https://security.samsungmobile.com/securityUpdate.smsb
CVE-2020-11600An issue was discovered on Samsung mobile devices with Q(10.0) software. There is arbitrary code execution in the Fingerprint Trustlet via a memory overwrite. The Samsung IDs are SVE-2019-16587, SVE-2019-16588, SVE-2019-16589 (April 2020).9.8http://security.samsungmobile.com/securityUpdate.smsb
CVE-2020-11543OpsRamp Gateway 3.0.0 has a backdoor account vadmin with the password 9vt@f3Vt that allows root SSH access to the server.9.8https://www.criticalstart.com/hard-coded-administrator-password-discovered-in-opsramp/
CVE-2020-10980GitLab EE/CE 8.0.rc1 to 12.9 is vulnerable to a blind SSRF in the FogBugz integration.9.8https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/
CVE-2020-10631An attacker could use a specially crafted URL to delete or read files outside the WebAccess/NMS's (versions prior to 3.0.2) control.9.8https://www.us-cert.gov/ics/advisories/icsa-20-098-01
CVE-2020-10625WebAccess/NMS (versions prior to 3.0.2) allows an unauthenticated remote user to create a new admin account.9.8https://www.us-cert.gov/ics/advisories/icsa-20-098-01
CVE-2020-10621Multiple issues exist that allow files to be uploaded and executed on the WebAccess/NMS (versions prior to 3.0.2).9.8https://www.us-cert.gov/ics/advisories/icsa-20-098-01
CVE-2020-11604An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (incorporating TEEGRIS) software. There is an Out-of-bounds read in the MLDAP Trustlet. The Samsung ID is SVE-2019-16565 (April 2020).9.1https://security.samsungmobile.com/securityUpdate.smsb
CVE-2020-11580An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, accepts an arbitrary SSL certificate.9.1https://git.lsd.cat/g/pulse-host-checker-rce
CVE-2020-11501GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 '\\0' bytes instead of a random value, and thus contributes no randomness to a DTLS negotiation. This breaks the security guarantees of the DTLS protocol.9.1http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00015.html
CVE-2020-10619An attacker could use a specially crafted URL to delete files outside the WebAccess/NMS's (versions prior to 3.0.2) control.9.1https://www.us-cert.gov/ics/advisories/icsa-20-098-01

OTHER VULNERABILITIES
CVE NumberDescriptionBase ScoreReference
CVE-2020-8828As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and could wind up just about anywhere.8.8https://argoproj.github.io/argo-cd/security_considerations/
CVE-2020-7009Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.8.8https://discuss.elastic.co/t/elastic-stack-6-8-8-and-7-6-2-security-update/225920
CVE-2020-6430Type Confusion in V8 in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.8.8https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6423Use after free in audio in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.8.8https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-5735Amcrest cameras and NVR are vulnerable to a stack-based buffer overflow over port 37777. An authenticated remote attacker can abuse this issue to crash the device and possibly execute arbitrary code.8.8http://packetstormsecurity.com/files/157164/Amcrest-Dahua-NVR-Camera-IP2M-841-Denial-Of-Service.html
CVE-2020-5549Cross-site request forgery (CSRF) vulnerability in EasyBlocks IPv6 Ver. 2.0.1 and earlier and Enterprise Ver. 2.0.1 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.8.8https://jvn.jp/en/jp/JVN89224521/index.html
CVE-2020-4362IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. IBM X-Force ID: 178929.8.8https://exchange.xforce.ibmcloud.com/vulnerabilities/178929
CVE-2020-3883This issue was addressed with improved checks. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. An application may be able to use arbitrary entitlements.8.8https://support.apple.com/HT211100
CVE-2020-11707An issue was discovered in ProVide (formerly zFTPServer) through 13.1. It doesn't enforce permission over Windows Symlinks or Junctions. As a result, a low-privileged user (non-admin) can craft a Junction Link in a directory he has full control of, breaking out of the sandbox.8.8https://github.com/belong2yourself/vulnerabilities/tree/master/ProVide/Sandbox%20Escape%20via%20Symlink%20or%20Junction
CVE-2020-11706An issue was discovered in ProVide (formerly zFTPServer) through 13.1. The Admin Interface allows CSRF for actions such as: Change any username and password, admin ones included; Create/Delete users; Enable/Disable Services; Set a rogue update proxy; and Shutdown the server.8.8https://github.com/belong2yourself/vulnerabilities/tree/master/ProVide/Web%20Admin%20Interface%20-%20Cross-Site-Request-Forgery
CVE-2020-11701An issue was discovered in ProVide (formerly zFTPServer) through 13.1. CSRF exists in the User Web Interface, as demonstrated by granting filesystem access to the public for uploading and deleting files and directories.8.8https://github.com/belong2yourself/vulnerabilities/tree/master/ProVide/Web%20User%20Interface%20-%20Cross-Site%20Request%20Forgery
CVE-2020-11627An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. A Cross Site Request Forgery (CSRF) issue has been found in the CA UI.8.8https://support.primekey.com/news/primekey-announcements
CVE-2020-11610An issue was discovered in xdLocalStorage through 2.0.5. The postData() function in xdLocalStoragePostMessageApi.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the parent object. Therefore any domain can load the application hosting the "magical iframe" and receive the messages that the "magical iframe" sends.8.8https://github.com/ofirdagan/cross-domain-local-storage
CVE-2020-11582An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, launches a TCP server that accepts local connections on a random port. This can be reached by local HTTP clients, because up to 25 invalid lines are ignored, and because DNS rebinding can occur. (This server accepts, for example, a setcookie command that might be relevant to CVE-2020-11581 exploitation.)8.8https://git.lsd.cat/g/pulse-host-checker-rce
CVE-2020-11561In NCH Express Invoice 7.25, an authenticated low-privilege user can enter a crafted URL to access higher-privileged functionalities such as the "Add New Item" screen.8.8https://tejaspingulkar.blogspot.com
CVE-2020-11553An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28. There is pervasive CSRF.8.8https://medium.com/tsscyber/noc-noc-whos-there-your-nms-is-pwned-1826174e0dee
CVE-2020-11107An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16 , and 7.4.x before 7.4.4 on Windows. An unprivileged user can change a .exe configuration in xampp-contol.ini for all users (including admins) to enable arbitrary command execution.8.8https://www.apachefriends.org/blog/new_xampp_20200401.html
CVE-2020-11002dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you are using a self-validating bean an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying issue completely. The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later. We strongly recommend upgrading to one of these versions.8.8https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext
CVE-2020-10603WebAccess/NMS (versions prior to 3.0.2) does not properly sanitize user input and may allow an attacker to inject system commands remotely.8.8https://www.us-cert.gov/ics/advisories/icsa-20-098-01
CVE-2020-5550Session fixation vulnerability in EasyBlocks IPv6 Ver. 2.0.1 and earlier, and Enterprise Ver. 2.0.1 and earlier allows remote attackers to impersonate a registered user and log in the management console, that may result in information alteration/disclosure via unspecified vectors.8.1https://jvn.jp/en/jp/JVN89224521/index.html
CVE-2020-5275In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7.8.1https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf
CVE-2020-11581An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, allows a man-in-the-middle attacker to perform OS command injection attacks (against a client) via shell metacharacters to the doCustomRemediateInstructions method, because Runtime.getRuntime().exec() is used.8.1https://git.lsd.cat/g/pulse-host-checker-rce
CVE-2020-8015A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: openSUSE Factory exim versions prior to 4.93.0.4-3.1.7.8http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00010.html
CVE-2020-1989An incorrect privilege assignment vulnerability when writing application-specific files in the Palo Alto Networks Global Protect Agent for Linux on ARM platform allows a local authenticated user to gain root privileges on the system. This issue affects Palo Alto Networks Global Protect Agent for Linux 5.0 versions before 5.0.8; 5.1 versions before 5.1.1.7.8https://security.paloaltonetworks.com/CVE-2020-1989
CVE-2020-1985Incorrect Default Permissions on C:\\Programdata\\Secdo\\Logs folder in Secdo allows local authenticated users to overwrite system files and gain escalated privileges. This issue affects all versions Secdo for Windows.7.8https://security.paloaltonetworks.com/CVE-2020-1985
CVE-2020-1984Secdo tries to execute a script at a hardcoded path if present, which allows a local authenticated user with 'create folders or append data' access to the root of the OS disk (C:\\) to gain system privileges if the path does not already exist or is writable. This issue affects all versions of Secdo for Windows.7.8https://security.paloaltonetworks.com/CVE-2020-1984
CVE-2020-1895A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions. This affects versions prior to 128.0.0.26.128.7.8https://www.facebook.com/security/advisories/cve-2020-1895
CVE-2020-1885Writing to an unprivileged file from a privileged OVRRedir.exe process in Oculus Desktop before 1.44.0.32849 on Windows allows local users to write to arbitrary files and consequently gain privileges via vectors involving a hard link to a log file.7.8https://www.facebook.com/security/advisories/cve-2020-1885
CVE-2020-1712A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.7.8https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1712
CVE-2020-11725snd_ctl_elem_add in sound/core/control.c in the Linux kernel through 5.6.3 has a count=info->owner typo, which is mishandled in the private_size*count multiplication.7.8https://github.com/torvalds/linux/blob/3b2549a3740efb8af0150415737067d87e466c5b/sound/core/control.c#L1434-L1474
CVE-2020-11560NCH Express Invoice 7.25 allows local users to discover the cleartext password by reading the configuration file.7.8https://tejaspingulkar.blogspot.com/2020/03/cve-cve-2020-11560-title-clear-text.html
CVE-2020-10646Fuji Electric V-Server Lite all versions prior to 4.0.9.0 contains a heap based buffer overflow. The buffer allocated to read data, when parsing VPR files, is too small.7.8https://www.us-cert.gov/ics/advisories/icsa-20-098-04
CVE-2020-10551QQBrowser before 10.5.3870.400 installs a Windows service TsService.exe. This file is writable by anyone belonging to the NT AUTHORITY\\Authenticated Users group, which includes all local and remote users. This can be abused by local attackers to escalate privileges to NT AUTHORITY\\SYSTEM by writing a malicious executable to the location of TsService.7.8https://github.com/seqred-s-a/CVE-2020-10551
CVE-2020-9500Some products of Dahua have Denial of Service vulnerabilities. After the successful login of the legal account, the attacker sends a specific log query command, which may cause the device to go down.7.5https://www.dahuasecurity.com/support/cybersecurity/details/727
CVE-2020-8827As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence.7.5https://argoproj.github.io/argo-cd/operator-manual/user-management/#disable-admin-user
CVE-2020-8826As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication.7.5https://argoproj.github.io/argo-cd/security_considerations/
CVE-2020-8552The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests.7.5https://github.com/kubernetes/kubernetes/issues/89378
CVE-2020-5398In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.7.5https://lists.apache.org/thread.html/rc05acaacad089613e9642f939b3a44f7199b5537493945c3e045287f@%3Cdev.geode.apache.org%3E
CVE-2020-5330Dell EMC Networking X-Series firmware versions 3.0.1.2 and older, Dell EMC Networking PC5500 firmware versions 4.1.0.22 and older and Dell EMC PowerEdge VRTX Switch Modules firmware versions 2.0.0.77 and older contain an information disclosure vulnerability. A remote unauthenticated attacker could exploit this vulnerability to retrieve sensitive data by sending a specially crafted request to the affected endpoints.7.5https://www.dell.com/support/article/en-us/sln320366/dsa-2020-042-dell-emc-networking-security-update-for-an-information-disclosure-vulnerability?lang=en
CVE-2020-5247In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.7.5https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
CVE-2020-1730A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability.7.5https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1730
CVE-2020-1639When an attacker sends a specific crafted Ethernet Operation, Administration, and Maintenance (Ethernet OAM) packet to a target device, it may improperly handle the incoming malformed data and fail to sanitize this incoming data resulting in an overflow condition. This overflow condition in Juniper Networks Junos OS allows an attacker to cause a Denial of Service (DoS) condition by coring the CFM daemon. Continued receipt of these packets may cause an extended Denial of Service condition. This issue affects: Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S15; 12.3X48 versions prior to 12.3X48-D95 on SRX Series; 14.1X50 versions prior to 14.1X50-D145; 14.1X53 versions prior to 14.1X53-D47; 15.1 versions prior to 15.1R2; 15.1X49 versions prior to 15.1X49-D170 on SRX Series; 15.1X53 versions prior to 15.1X53-D67.7.5https://kb.juniper.net/
CVE-2020-1634On High-End SRX Series devices, in specific configurations and when specific networking events or operator actions occur, an SPC receiving genuine multicast traffic may core. Subsequently, all FPCs in a chassis may reset causing a Denial of Service. This issue affects both IPv4 and IPv6. This issue affects: Juniper Networks Junos OS 12.3X48 version 12.3X48-D80 and later versions prior to 12.3X48-D95 on High-End SRX Series. This issue does not affect Branch SRX Series devices.7.5https://kb.juniper.net/JSA11014
CVE-2020-1627A vulnerability in Juniper Networks Junos OS on vMX and MX150 devices may allow an attacker to cause a Denial of Service (DoS) by sending specific packets requiring special processing in microcode that the flow cache can't handle, causing the riot forwarding daemon to crash. By continuously sending the same specific packets, an attacker can repeatedly crash the riot process causing a sustained Denial of Service. Flow cache is specific to vMX based products and the MX150, and is enabled by default in performance mode. This issue can only be triggered by traffic destined to the device. Transit traffic will not cause the riot daemon to crash. When the issue occurs, a core dump and riot log file entry are generated. For example: /var/crash/core.J-UKERN.mpc0.1557255993.3864.gz /home/pfe/RIOT logs: fpc0 riot[1888]: PANIC in lu_reorder_send_packet_postproc(): fpc0 riot[6655]: PANIC in lu_reorder_send_packet_postproc(): This issue affects Juniper Networks Junos OS: 18.1 versions prior to 18.1R3 on vMX and MX150; 18.2 versions prior to 18.2R3 on vMX and MX150; 18.2X75 versions prior to 18.2X75-D60 on vMX and MX150; 18.3 versions prior to 18.3R3 on vMX and MX150; 18.4 versions prior to 18.4R2 on vMX and MX150; 19.1 versions prior to 19.1R2 on vMX and MX150. This issue does not affect Junos OS versions prior to 18.1R1.7.5https://kb.juniper.net/JSA11006
CVE-2020-1617This issue occurs on Juniper Networks Junos OS devices which do not support Advanced Forwarding Interface (AFI) / Advanced Forwarding Toolkit (AFT). Devices using AFI and AFT are not exploitable to this issue. An improper initialization of memory in the packet forwarding architecture in Juniper Networks Junos OS non-AFI/AFT platforms which may lead to a Denial of Service (DoS) vulnerability being exploited when a genuine packet is received and inspected by non-AFT/AFI sFlow and when the device is also configured with firewall policers. This first genuine packet received and inspected by sampled flow (sFlow) through a specific firewall policer will cause the device to reboot. After the reboot has completed, if the device receives and sFlow inspects another genuine packet seen through a specific firewall policer, the device will generate a core file and reboot. Continued inspection of these genuine packets will create an extended Denial of Service (DoS) condition. Depending on the method for service restoration, e.g. hard boot or soft reboot, a core file may or may not be generated the next time the packet is received and inspected by sFlow. This issue affects: Juniper Networks Junos OS 17.4 versions prior to 17.4R2-S9, 17.4R3 on PTX1000 and PTX10000 Series, QFX10000 Series; 18.1 versions prior to 18.1R3-S9 on PTX1000 and PTX10000 Series, QFX10000 Series; 18.2X75 versions prior to 18.2X75-D12, 18.2X75-D30 on PTX1000 and PTX10000 Series, QFX10000 Series; 18.2 versions prior to 18.2R3 on PTX1000 and PTX10000 Series, QFX10000 Series; 18.3 versions prior to 18.3R3 on PTX1000 and PTX10000 Series, QFX10000 Series. This issue is not applicable to Junos OS versions before 17.4R1. This issue is not applicable to Junos OS Evolved or Junos OS with Advanced Forwarding Toolkit (AFT) forwarding implementations which use a different implementation of sFlow. The following example information is unrelated to this issue and is provided solely to assist you with determining if you have AFT or not. Example: A Junos OS device which supports the use of EVPN signaled VPWS with Flexible Cross Connect uses the AFT implementation. Since this configuration requires support and use of the AFT implementation to support this configuration, the device is not vulnerable to this issue as the sFlow implementation is different using the AFT architecture. For further details about AFT visit the AFI / AFT are in the links below. If you are uncertain if you use the AFI/AFT implementation or not, there are configuration examples in the links below which you may use to determine if you are vulnerable to this issue or not. If the commands work, you are. If not, you are not. You may also use the Feature Explorer to determine if AFI/AFT is supported or not. If you are still uncertain, please contact your support resources.7.5https://github.com/Juniper/AFI
CVE-2020-1613A vulnerability in the BGP FlowSpec implementation may cause a Juniper Networks Junos OS device to terminate an established BGP session upon receiving a specific BGP FlowSpec advertisement. The BGP NOTIFICATION message that terminates an established BGP session is sent toward the peer device that originally sent the specific BGP FlowSpec advertisement. This specific BGP FlowSpec advertisement received from a BGP peer might get propagated from a Junos OS device running the fixed release to another device that is vulnerable causing BGP session termination downstream. This issue affects IPv4 and IPv6 BGP FlowSpec deployment. This issue affects Juniper Networks Junos OS: 12.3; 12.3X48 on SRX Series; 14.1X53 on EX and QFX Series; 15.1 versions prior to 15.1R7-S5; 15.1F versions prior to 15.1F6-S13; 15.1X49 versions prior to 15.1X49-D180 on SRX Series; 15.1X53 versions prior to 15.1X53-D238 on QFX5200/QFX5110; 15.1X53 versions prior to 15.1X53-D497 on NFX Series; 15.1X53 versions prior to 15.1X53-D592 on EX2300/EX3400; 16.1 versions prior to 16.1R7-S7; 17.1 versions prior to 17.1R2-S12, 17.1R3; 17.2 versions prior to 17.2R2-S7, 17.2R3; 17.2X75 versions prior to 17.2X75-D102, 17.2X75-D110, 17.2X75-D44; 17.3 versions prior to 17.3R2-S5, 17.3R3-S5; 17.4 versions prior to 17.4R1-S8, 17.4R2; 18.1 versions prior to 18.1R2-S4, 18.1R3; 18.2X75 versions prior to 18.2X75-D20.7.5https://kb.juniper.net/JSA10996
CVE-2020-11732The Media Library Assistant plugin before 2.82 for Wordpress suffers from a Local File Inclusion vulnerability in mla_gallery link=download.7.5https://wordpress.org/plugins/media-library-assistant/#developers
CVE-2020-11724An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API.7.5https://github.com/openresty/openresty/blob/4e8b4c395f842a078e429c80dd063b2323999957/patches/ngx_http_lua-0.10.15-fix_location_capture_content_length_chunked.patch
CVE-2020-11713wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks.7.5https://github.com/wolfSSL/wolfssl/pull/2894/
CVE-2020-11709cpp-httplib through 0.5.8 does not filter \\r\\n in parameters passed into the set_redirect and set_header functions, which creates possibilities for CRLF injection and HTTP response splitting in some specific contexts.7.5https://gist.github.com/shouc/a9330df817128bc4c4132abf3de09495
CVE-2020-11703An issue was discovered in ProVide (formerly zFTPServer) through 13.1. /ajax/GetInheritedProperties allows HTTP Response Splitting via the language parameter.7.5https://github.com/belong2yourself/vulnerabilities/tree/master/ProVide/Web%20User%20Interface%20-%20HTTP%20Response%20Splitting
CVE-2020-11694In JetBrains PyCharm 2019.2.5 and 2019.3 on Windows, Apple Notarization Service credentials were included. This is fixed in 2019.2.6 and 2019.3.3.7.5https://gist.github.com/rubyroobs/5d273895512df5b86d5e7e1a703c8028
CVE-2020-11669An issue was discovered in the Linux kernel before 5.2 on the powerpc platform. arch/powerpc/kernel/idle_book3s.S does not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka CID-53a712bae5dd.7.5https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2
CVE-2020-11668In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770.7.5https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.1
CVE-2020-11655SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.7.5https://www3.sqlite.org/cgi/src/info/4a302b42c7bf5e11
CVE-2020-11653An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss.7.5https://varnish-cache.org/security/VSV00005.html#vsv00005
CVE-2020-11650An issue was discovered in iXsystems FreeNAS (and TrueNAS) 11.2 before 11.2-u8 and 11.3 before 11.3-U1. It allows a denial of service. The login authentication component has no limits on the length of an authentication message or the rate at which such messages are sent.7.5https://jira.ixsystems.com/browse/NAS-104748
CVE-2020-11647In Wireshark 3.2.0 to 3.2.2, 3.0.0 to 3.0.9, and 2.6.0 to 2.6.15, the BACapp dissector could crash. This was addressed in epan/dissectors/packet-bacapp.c by limiting the amount of recursion.7.5https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16474
CVE-2020-11605An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. There is sensitive information exposure from dumpstate in NFC logs. The Samsung ID is SVE-2019-16359 (April 2020).7.5https://security.samsungmobile.com/securityUpdate.smsb
CVE-2020-11557An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28. It includes the username and password values in cleartext within each request's cookie value.7.5https://medium.com/tsscyber/noc-noc-whos-there-your-nms-is-pwned-1826174e0dee
CVE-2020-11555An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28. It allows remote attackers to obtain sensitive credential information from backup files.7.5https://medium.com/tsscyber/noc-noc-whos-there-your-nms-is-pwned-1826174e0dee
CVE-2020-11554An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28. It allows remote attackers to obtain sensitive information via info.php4.7.5https://medium.com/tsscyber/noc-noc-whos-there-your-nms-is-pwned-1826174e0dee
CVE-2020-10976GitLab EE/CE 8.17 to 12.9 is vulnerable to information leakage when querying a merge request widget.7.5https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/
CVE-2020-10629WebAccess/NMS (versions prior to 3.0.2) does not sanitize XML input. Specially crafted XML input could allow an attacker to read sensitive files.7.5https://www.us-cert.gov/ics/advisories/icsa-20-098-01
CVE-2020-10617There are multiple ways an unauthenticated attacker could perform SQL injection on WebAccess/NMS (versions prior to 3.0.2) to gain access to sensitive information.7.5https://www.us-cert.gov/ics/advisories/icsa-20-098-01
CVE-2020-10366LogicalDoc before 8.3.3 allows /servlet.gupld Directory Traversal, a different vulnerability than CVE-2020-9423 and CVE-2020-10365.7.5https://sourceforge.net/p/logicaldoc/code/HEAD/tree/community/logicaldoc/trunk/ReleaseNotes.txt
CVE-2020-10231TP-Link NC200 through 2.1.8_Build_171109, NC210 through 1.0.9_Build_171214, NC220 through 1.3.0_Build_180105, NC230 through 1.3.0_Build_171205, NC250 through 1.3.0_Build_171205, NC260 through 1.5.1_Build_190805, and NC450 through 1.5.0_Build_181022 devices allow a remote NULL Pointer Dereference.7.5http://packetstormsecurity.com/files/157048/TP-LINK-Cloud-Cameras-NCXXX-Remote-NULL-Pointer-Dereference.html
CVE-2020-6765D-Link DSL-GS225 J1 AU_1.0.4 devices allow an admin to execute OS commands by placing shell metacharacters after a supported CLI command, as demonstrated by ping -c1 127.0.0.1; cat/etc/passwd. The CLI is reachable by TELNET.7.2https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10165
CVE-2020-1990A stack-based buffer overflow vulnerability in the management server component of PAN-OS allows an authenticated user to upload a corrupted PAN-OS configuration and potentially execute code with root privileges. This issue affects Palo Alto Networks PAN-OS 8.1 versions before 8.1.13; 9.0 versions before 9.0.7. This issue does not affect PAN-OS 7.1.7.2https://security.paloaltonetworks.com/CVE-2020-1990
CVE-2020-11629An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. The External Command Certificate Validator, which allows administrators to upload external linters to validate certificates, is supposed to save uploaded test certificates to the server. An attacker who has gained access to the CA UI could exploit this to upload malicious scripts to the server. (Risks associated with this issue alone are negligible unless a malicious user already has gained access to the CA UI through other means, as a trusted user is already trusted to upload scripts by virtue of having access to the validator.)7.2https://support.primekey.com/news/primekey-announcements
CVE-2020-1991An insecure temporary file vulnerability in Palo Alto Networks Traps allows a local authenticated Windows user to escalate privileges or overwrite system files. This issue affects Palo Alto Networks Traps 5.0 versions before 5.0.8; 6.1 versions before 6.1.4 on Windows. This issue does not affect Cortex XDR 7.0. This issue does not affect Traps for Linux or MacOS.7.1https://security.paloaltonetworks.com/CVE-2020-1991
CVE-2020-2732A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest.6.8https://bugzilla.redhat.com/show_bug.cgi?id=1805135
CVE-2020-1759A vulnerability was found in Red Hat Ceph Storage 4 and Red Hat Openshift Container Storage 4.2 where, A nonce reuse vulnerability was discovered in the secure mode of the messenger v2 protocol, which can allow an attacker to forge auth tags and potentially manipulate the data by leveraging the reuse of a nonce in a session. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks.6.8https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1759
CVE-2020-1618On Juniper Networks EX and QFX Series, an authentication bypass vulnerability may allow a user connected to the console port to login as root without any password. This issue might only occur in certain scenarios: • At the first reboot after performing device factory reset using the command “request system zeroize”; or • A temporary moment during the first reboot after the software upgrade when the device configured in Virtual Chassis mode. This issue affects Juniper Networks Junos OS on EX and QFX Series: 14.1X53 versions prior to 14.1X53-D53; 15.1 versions prior to 15.1R7-S4; 15.1X53 versions prior to 15.1X53-D593; 16.1 versions prior to 16.1R7-S4; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R3-S3; 17.3 versions prior to 17.3R2-S5, 17.3R3-S6; 17.4 versions prior to 17.4R2-S9, 17.4R3; 18.1 versions prior to 18.1R3-S8; 18.2 versions prior to 18.2R2; 18.3 versions prior to 18.3R1-S7, 18.3R2. This issue does not affect Juniper Networks Junos OS 12.3.6.8https://kb.juniper.net/JSA11001
CVE-2020-10263An issue was discovered on XIAOMI XIAOAI speaker Pro LX06 1.52.4. Attackers can get root shell by accessing the UART interface and then they can (i) read Wi-Fi SSID or password, (ii) read the dialogue text files between users and XIAOMI XIAOAI speaker Pro LX06, (iii) use Text-To-Speech tools pretend XIAOMI speakers' voice achieve social engineering attacks, (iv) eavesdrop on users and record what XIAOMI XIAOAI speaker Pro LX06 hears, (v) modify system files, (vi) use commands to send any IR code through IR emitter on XIAOMI XIAOAI Speaker Pro LX06, (vii) stop voice assistant service, (viii) enable the XIAOMI XIAOAI Speaker Pro’ SSH or TELNET service as a backdoor, (IX) tamper with the router configuration of the router in the local area networks.6.8https://github.com/Jian-Xian/CVE-POC/blob/master/CVE-2020-10263.md
CVE-2020-10262An issue was discovered on XIAOMI XIAOAI speaker Pro LX06 1.58.10. Attackers can activate the failsafe mode during the boot process, and use the mi_console command cascaded by the SN code shown on the product to get the root shell password, and then the attacker can (i) read Wi-Fi SSID or password, (ii) read the dialogue text files between users and XIAOMI XIAOAI speaker Pro LX06, (iii) use Text-To-Speech tools pretend XIAOMI speakers' voice achieve social engineering attacks, (iv) eavesdrop on users and record what XIAOMI XIAOAI speaker Pro LX06 hears, (v) modify system files, (vi) use commands to send any IR code through IR emitter on XIAOMI XIAOAI Speaker Pro (LX06), (vii) stop voice assistant service, (viii) enable the XIAOMI XIAOAI Speaker Pro’s SSH or TELNET service as a backdoor, (IX) tamper with the router configuration of the router in the local area networks.6.8https://github.com/Jian-Xian/CVE-POC/blob/master/CVE-2020-10262.md
CVE-2020-7263Improper access control vulnerability in ESConfigTool.exe in ENS for Windows all current versions allows a local administrator to alter the ENS configuration up to and including disabling all protection offered by ENS via insecurely implemented encryption of configuration for export and import.6.7https://kc.mcafee.com/corporate/index?page=content&id=SB10314
CVE-2020-1988An unquoted search path vulnerability in the Windows release of Global Protect Agent allows an authenticated local user with file creation privileges on the root of the OS disk (C:\\) or to Program Files directory to gain system privileges. This issue affects Palo Alto Networks GlobalProtect Agent 5.0 versions before 5.0.5; 4.1 versions before 4.1.13 on Windows;6.7https://security.paloaltonetworks.com/CVE-2020-1988
CVE-2020-1619A privilege escalation vulnerability in Juniper Networks QFX10K Series, EX9200 Series, MX Series, and PTX Series with Next-Generation Routing Engine (NG-RE), allows a local authenticated high privileged user to access the underlying WRL host. This issue only affects QFX10K Series with NG-RE, EX9200 Series with NG-RE, MX Series with NG-RE and PTX Series with NG-RE; which uses vmhost. This issue affects Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S6; 16.2 versions prior to 16.2R2-S11; 17.1 versions prior to 17.1R2-S11, 17.1R3; 17.2 versions prior to 17.2R1-S9, 17.2R3-S3; 17.3 versions prior to 17.3R2-S5, 17.3R3-S7; 17.4 versions prior to 17.4R2-S7, 17.4R3; 18.1 versions prior to 18.1R3-S4; 18.2 versions prior to 18.2R3; 18.2X75 versions prior to 18.2X75-D50; 18.3 versions prior to 18.3R2; 18.4 versions prior to 18.4R2. To identify whether the device has NG-RE with vmhost, customer can run the following command: > show vmhost status Compute cluster: rainier-re-cc Compute Node: rainier-re-cn, Online If the "show vmhost status" is not supported, then the device does not have NG-RE with vmhost.6.7https://kb.juniper.net/JSA11002
CVE-2020-9514An issue was discovered in the IMPress for IDX Broker plugin before 2.6.2 for WordPress. wrappers.php allows a logged-in user (with the Subscriber role) to permanently delete arbitrary posts and pages, create new posts with arbitrary subjects, and modify the subjects of existing posts and pages (via create_dynamic_page and delete_dynamic_page).6.5https://wordpress.org/plugins/idx-broker-platinum/#developers
CVE-2020-9286An improper authorization vulnerability in FortiADC may allow a remote authenticated user with low privileges to perform certain actions such as rebooting the system.6.5https://fortiguard.com/psirt/FG-IR-20-013
CVE-2020-8551The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.6.5https://github.com/kubernetes/kubernetes/issues/89377
CVE-2020-7922X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected.6.5https://github.com/mongodb/mongodb-enterprise-kubernetes/releases/tag/1.2.5
CVE-2020-5736Amcrest cameras and NVR are vulnerable to a null pointer dereference over port 37777. An authenticated remote attacker can abuse this issue to crash the device.6.5https://www.tenable.com/security/research/tra-2020-20
CVE-2020-5406VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.18, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, includes a version of PCF Autoscaling that writes database connection properties to its log, including database username and password. A malicious user with access to those logs may gain unauthorized access to the database being used by Autoscaling.6.5https://tanzu.vmware.com/security/cve-2020-5406
CVE-2020-5302MH-WikiBot (an IRC Bot for interacting with the Miraheze API), had a bug that allowed any unprivileged user to access the steward commands on the IRC interface by impersonating the Nickname used by a privileged user as no check was made to see if they were logged in. The issue has been fixed in commit 23d9d5b0a59667a5d6816fdabb960b537a5f9ed1.6.5https://github.com/examknow/MH-WikiBot/compare/2eac90d...1a62da1
CVE-2020-5249In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses. This has been fixed in 4.3.3 and 3.12.4.6.5https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3
CVE-2020-1637A vulnerability in Juniper Networks SRX Series device configured as a Junos OS Enforcer device may allow a user to access network resources that are not permitted by a UAC policy. This issue might occur when the IP address range configured in the Infranet Controller (IC) is configured as an IP address range instead of an IP address/netmask. See the Workaround section for more detail. The Junos OS Enforcer CLI settings are disabled by default. This issue affects Juniper Networks Junos OS on SRX Series: 12.3X48 versions prior to 12.3X48-D100; 15.1X49 versions prior to 15.1X49-D210; 17.3 versions prior to 17.3R2-S5, 17.3R3-S8; 17.4 versions prior to 17.4R2-S9, 17.4R3-S1; 18.1 versions prior to 18.1R3-S10; 18.2 versions prior to 18.2R2-S7, 18.2R3-S3; 18.3 versions prior to 18.3R1-S7, 18.3R3-S2; 18.4 versions prior to 18.4R1-S6, 18.4R2-S4, 18.4R3-S1; 19.1 versions prior to 19.1R1-S4, 19.1R2-S1, 19.1R3; 19.2 versions prior to 19.2R1-S3, 19.2R2; 19.3 versions prior to 19.3R2-S1, 19.3R3; 19.4 versions prior to 19.4R1-S1, 19.4R2.6.5https://kb.juniper.net/JSA11018
CVE-2020-1633Due to a new NDP proxy feature for EVPN leaf nodes introduced in Junos OS 17.4, crafted NDPv6 packets could transit a Junos device configured as a Broadband Network Gateway (BNG) and reach the EVPN leaf node, causing a stale MAC address entry. This could cause legitimate traffic to be discarded, leading to a Denial of Service (DoS) condition. This issue only affects Junos OS 17.4 and later releases. Prior releases do not support this feature and are unaffected by this vulnerability. This issue only affects IPv6. IPv4 ARP proxy is unaffected by this vulnerability. This issue affects Juniper Networks Junos OS: 17.4 versions prior to 17.4R2-S9, 17.4R3 on MX Series; 18.1 versions prior to 18.1R3-S9 on MX Series; 18.2 versions prior to 18.2R2-S7, 18.2R3-S3 on MX Series; 18.2X75 versions prior to 18.2X75-D33, 18.2X75-D411, 18.2X75-D420, 18.2X75-D60 on MX Series; 18.3 versions prior to 18.3R1-S7, 18.3R2-S3, 18.3R3 on MX Series; 18.4 versions prior to 18.4R1-S5, 18.4R2-S2, 18.4R3 on MX Series; 19.1 versions prior to 19.1R1-S4, 19.1R2 on MX Series; 19.2 versions prior to 19.2R1-S3, 19.2R2 on MX Series.6.5https://kb.juniper.net/JSA11012
CVE-2020-1625The kernel memory usage represented as "temp" via 'show system virtual-memory' may constantly increase when Integrated Routing and Bridging (IRB) is configured with multiple underlay physical interfaces, and one interface flaps. This memory leak can affect running daemons (processes), leading to an extended Denial of Service (DoS) condition. Usage of "temp" virtual memory, shown here by a constantly increasing value of outstanding Requests, can be monitored by executing the 'show system virtual-memory' command as shown below: user@junos> show system virtual-memory |match "fpc|type|temp" fpc0: -------------------------------------------------------------------------- Type InUse MemUse HighUse Requests Size(s) temp 2023 431K - 10551 16,32,64,128,256,512,1024,2048,4096,65536,262144,1048576,2097152,4194304,8388608 fpc1: -------------------------------------------------------------------------- Type InUse MemUse HighUse Requests Size(s) temp 2020 431K - 6460 16,32,64,128,256,512,1024,2048,4096,65536,262144,1048576,2097152,4194304,8388608 user@junos> show system virtual-memory |match "fpc|type|temp" fpc0: -------------------------------------------------------------------------- Type InUse MemUse HighUse Requests Size(s) temp 2023 431K - 16101 16,32,64,128,256,512,1024,2048,4096,65536,262144,1048576,2097152,4194304,8388608 fpc1: -------------------------------------------------------------------------- Type InUse MemUse HighUse Requests Size(s) temp 2020 431K - 6665 16,32,64,128,256,512,1024,2048,4096,65536,262144,1048576,2097152,4194304,8388608 user@junos> show system virtual-memory |match "fpc|type|temp" fpc0: -------------------------------------------------------------------------- Type InUse MemUse HighUse Requests Size(s) temp 2023 431K - 21867 16,32,64,128,256,512,1024,2048,4096,65536,262144,1048576,2097152,4194304,8388608 fpc1: -------------------------------------------------------------------------- Type InUse MemUse HighUse Requests Size(s) temp 2020 431K - 6858 16,32,64,128,256,512,1024,2048,4096,65536,262144,1048576,2097152,4194304,8388608 This issue affects Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S6; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R2-S8, 17.2R3-S3; 17.2X75 versions prior to 17.2X75-D44; 17.3 versions prior to 17.3R2-S5, 17.3R3-S6; 17.4 versions prior to 17.4R2-S5, 17.4R3; 18.1 versions prior to 18.1R3-S7; 18.2 versions prior to 18.2R2-S5, 18.2R3; 18.2X75 versions prior to 18.2X75-D33, 18.2X75-D411, 18.2X75-D420, 18.2X75-D60; 18.3 versions prior to 18.3R1-S5, 18.3R2-S3, 18.3R3; 18.4 versions prior to 18.4R2-S2, 18.4R3; 19.1 versions prior to 19.1R1-S3, 19.1R2; 19.2 versions prior to 19.2R1-S3, 19.2R2. This issue does not affect Juniper Networks Junos OS 12.3 and 15.1.6.5https://kb.juniper.net/JSA11004
CVE-2020-11721load_png in loader.c in libsixel.a in libsixel 1.8.6 has an uninitialized pointer leading to an invalid call to free, which can cause a denial of service.6.5https://github.com/saitoha/libsixel/issues/134
CVE-2020-11631An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. An error state can be generated in the CA UI by a malicious user. This, in turn, allows exploitation of other bugs. This follow-on exploitation can lead to privilege escalation and remote code execution. (This is exploitable only when at least one accessible port lacks a requirement for client certificate authentication. These ports are 8442 or 8080 in a standard installation.)6.5https://support.primekey.com/news/primekey-announcements
CVE-2020-11000GreenBrowser before version 1.2 has a vulnerability where apps that rely on URL Parsing to verify that a given URL is pointing to a trust server may be susceptible to many different ways to get URL parsing and verification wrong, which allows an attacker to circumvent the access control. This problem has been patched in version 1.2.6.5https://github.com/luchua-bc/GreenBrowser/commit/5e257e0db4f2a08cf05f00756e5961ee873e481b
CVE-2020-10623Multiple vulnerabilities could allow an attacker with low privileges to perform SQL injection on WebAccess/NMS (versions prior to 3.0.2) to gain access to sensitive information.6.5https://www.us-cert.gov/ics/advisories/icsa-20-098-01
CVE-2020-8430Stormshield Network Security 310 3.7.10 devices have an auth/lang.html?rurl= Open Redirect vulnerability on the captive portal. For example, the attacker can use rurl=//example.com instead of rurl=https://example.com in the query string.6.1https://advisories.stormshield.eu/2020-001/
CVE-2020-5233OAuth2 Proxy before 5.0 has an open redirect vulnerability. Authentication tokens could be silently harvested by an attacker. This has been patched in version 5.0.6.1https://github.com/pusher/oauth2_proxy/commit/a316f8a06f3c0ca2b5fc5fa18a91781b313607b2
CVE-2020-11734cgi-bin/go in CyberSolutions CyberMail 5 or later allows XSS via the ACTION parameter.6.1https://gist.github.com/tonykuo76/d2480727faeb768a97800db3058dceed
CVE-2020-11731The Media Library Assistant plugin before 2.82 for Wordpress suffers from multiple XSS vulnerabilities in all Settings/Media Library Assistant tabs, which allow remote authenticated users to execute arbitrary JavaScript.6.1https://wordpress.org/plugins/media-library-assistant/#developers
CVE-2020-11712Open Upload through 0.4.3 allows XSS via index.php?action=u and the filename field.6.1https://github.com/jenaye/cve/blob/master/readme.MD
CVE-2020-11704An issue was discovered in ProVide (formerly zFTPServer) through 13.1. The Admin Web Interface has Multiple Stored and Reflected XSS. GetInheritedProperties is Reflected via the groups parameter. GetUserInfo is Reflected via POST data. SetUserInfo is Stored via the general parameter.6.1https://github.com/belong2yourself/vulnerabilities/tree/master/ProVide/Web%20Admin%20Interface%20-%20Multiple%20Cross-Site-Scripting
CVE-2020-11702An issue was discovered in ProVide (formerly zFTPServer) through 13.1. The User Web Interface has Multiple Stored and Reflected XSS issues. Collaborate is Reflected via the filename parameter. Collaborate is Stored via the displayname parameter. Deletemultiple is Reflected via the files parameter. Share is Reflected via the target parameter. Share is Stored via the displayname parameter. Waitedit is Reflected via the Host header.6.1https://github.com/belong2yourself/vulnerabilities/tree/master/ProVide/Web%20User%20Interface%20-%20Multiple%20Cross-Site-Scripting
CVE-2020-11626An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. Two Cross Side Scripting (XSS) vulnerabilities have been found in the Public Web and the Certificate/CRL download servlets.6.1https://support.primekey.com/news/primekey-announcements
CVE-2020-11611An issue was discovered in xdLocalStorage through 2.0.5. The buildMessage() function in xdLocalStorage.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the iframe object. Therefore any domain that is currently loaded within the iframe can receive the messages that the client sends.6.1https://github.com/ofirdagan/cross-domain-local-storage
CVE-2020-11509An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows remote attackers to upload page templates containing arbitrary JavaScript via the c37_wpl_import_template admin-post action (which will execute in an administrator's browser if the template is used to create a page).6.1https://www.wordfence.com/blog/2020/04/critical-vulnerabilities-in-the-wp-lead-plus-x-wordpress-plugin/
CVE-2020-10633A non-persistent XSS (cross-site scripting) vulnerability exists in eWON Flexy and Cosy (all firmware versions prior to 14.1s0). An attacker could send a specially crafted URL to initiate a password change for the device. The target must introduce the credentials to the gateway before the attack can be successful.6.1https://www.us-cert.gov/ics/advisories/icsa-20-098-03
CVE-2020-1629A race condition vulnerability on Juniper Network Junos OS devices may cause the routing protocol daemon (RPD) process to crash and restart while processing a BGP NOTIFICATION message. This issue affects Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S6; 16.2 versions prior to 16.2R2-S11; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R1-S9, 17.2R3-S3; 17.2 version 17.2R2 and later versions; 17.2X75 versions prior to 17.2X75-D105, 17.2X75-D110; 17.3 versions prior to 17.3R2-S5, 17.3R3-S6; 17.4 versions prior to 17.4R2-S7, 17.4R3; 18.1 versions prior to 18.1R3-S8; 18.2 versions prior to 18.2R3-S3; 18.2X75 versions prior to 18.2X75-D410, 18.2X75-D420, 18.2X75-D50, 18.2X75-D60; 18.3 versions prior to 18.3R1-S5, 18.3R2-S2, 18.3R3; 18.4 versions prior to 18.4R2-S2, 18.4R3; 19.1 versions prior to 19.1R1-S2, 19.1R2; 19.2 versions prior to 19.2R1-S4, 19.2R2. This issue does not affect Juniper Networks Junos OS prior to version 16.1R1.5.9https://kb.juniper.net/JSA11009
CVE-2020-8832The fix for the Linux kernel in Ubuntu 18.04 LTS for CVE-2019-14615 ("The Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors.") was discovered to be incomplete, meaning that in versions of the kernel before 4.15.0-91.92, an attacker could use this vulnerability to expose sensitive information.5.5https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1862840
CVE-2020-1986Improper input validation vulnerability in Secdo allows an authenticated local user with 'create folders or append data' access to the root of the OS disk (C:\\) to cause a system crash on every login. This issue affects all versions Secdo for Windows.5.5https://security.paloaltonetworks.com/CVE-2020-1986
CVE-2020-1801There is an improper authentication vulnerability in several smartphones. Certain function interface in the system does not sufficiently validate the caller's identity in certain share scenario, successful exploit could cause information disclosure. Affected product versions include:Mate 30 Pro versions Versions earlier than 10.0.0.205(C00E202R7P2);Mate 30 versions Versions earlier than 10.0.0.205(C00E201R7P2).5.5https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200408-01-smartphone-en
CVE-2020-1630A privilege escalation vulnerability in Juniper Networks Junos OS devices configured with dual Routing Engines (RE), Virtual Chassis (VC) or high-availability cluster may allow a local authenticated low-privileged user with access to the shell to perform unauthorized configuration modification. This issue does not affect Junos OS device with single RE or stand-alone configuration. This issue affects Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S14; 12.3X48 versions prior to 12.3X48-D86, 12.3X48-D90; 14.1X53 versions prior to 14.1X53-D51; 15.1 versions prior to 15.1R7-S6; 15.1X49 versions prior to 15.1X49-D181, 15.1X49-D190; 15.1X53 versions prior to 15.1X53-D592; 16.1 versions prior to 16.1R4-S13, 16.1R7-S6; 16.2 versions prior to 16.2R2-S10; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R1-S9, 17.2R3-S3; 17.3 versions prior to 17.3R3-S6; 17.4 versions prior to 17.4R2-S6, 17.4R3; 18.1 versions prior to 18.1R3-S7; 18.2 versions prior to 18.2R2-S5, 18.2R3-S1; 18.2 versions prior to 18.2X75-D12, 18.2X75-D33, 18.2X75-D420, 18.2X75-D60, 18.2X75-D411; 18.3 versions prior to 18.3R1-S5, 18.3R2-S1, 18.3R3; 18.4 versions prior to 18.4R1-S4, 18.4R2-S1, 18.4R3; 19.1 versions prior to 19.1R1-S2, 19.1R2; 19.2 versions prior to 19.2R1-S1, 19.2R2.5.5https://kb.juniper.net/JSA11010
CVE-2020-1624A local, authenticated user with shell can obtain the hashed values of login passwords and shared secrets via raw objmon configuration files. This issue affects all versions of Junos OS Evolved prior to 19.1R1.5.5https://kb.juniper.net/JSA11003
CVE-2020-1623A local, authenticated user with shell can view sensitive configuration information via the ev.ops configuration file. This issue affects all versions of Junos OS Evolved prior to 19.2R1.5.5https://kb.juniper.net/JSA11003
CVE-2020-1622A local, authenticated user with shell can obtain the hashed values of login passwords and shared secrets via the EvoSharedObjStore. This issue affects all versions of Junos OS Evolved prior to 19.1R1.5.5https://kb.juniper.net/JSA11003
CVE-2020-1621A local, authenticated user with shell can obtain the hashed values of login passwords via configd traces. This issue affects all versions of Junos OS Evolved prior to 19.3R1.5.5https://kb.juniper.net/JSA11003
CVE-2020-1620A local, authenticated user with shell can obtain the hashed values of login passwords via configd streamer log. This issue affects all versions of Junos OS Evolved prior to 19.3R1.5.5https://kb.juniper.net/JSA11003
CVE-2020-11609An issue was discovered in the stv06xx subsystem in the Linux kernel before 5.6.1. drivers/media/usb/gspca/stv06xx/stv06xx.c and drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c mishandle invalid descriptors, as demonstrated by a NULL pointer dereference, aka CID-485b06aadb93.5.5https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.1
CVE-2020-11608An issue was discovered in the Linux kernel before 5.6.1. drivers/media/usb/gspca/ov519.c allows NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints, aka CID-998912346c0d.5.5https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.1
CVE-2020-11601An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. There is unauthorized access to applications in the Secure Folder via floating icons. The Samsung ID is SVE-2019-16195 (April 2020).5.5https://security.samsungmobile.com/securityUpdate.smsb
CVE-2020-10977GitLab EE/CE 8.5 to 12.9 is vulnerable to a an path traversal when moving an issue between projects.5.5https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/
CVE-2020-10814A buffer overflow vulnerability in Code::Blocks 17.12 allows an attacker to execute arbitrary code via a crafted project file.5.5https://sourceforge.net/p/codeblocks/code/HEAD/tree/trunk/ChangeLog
CVE-2020-9056Periscope BuySpeed version 14.5 is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to store arbitrary JavaScript within the application. This JavaScript is subsequently displayed by the application without sanitization and is executed in the browser of the user, which could possibly cause website redirection, session hijacking, or information disclosure. This vulnerability has been patched in BuySpeed version 15.3.5.4https://kb.cert.org/vuls/id/660597/
CVE-2020-6647An improper neutralization of input vulnerability in the dashboard of FortiADC may allow an authenticated attacker to perform a cross site scripting attack (XSS) via the name parameter.5.4https://fortiguard.com/psirt/FG-IR-20-012
CVE-2020-4290IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow any authenticated user to spoof the configuration owner of any other user which disclose sensitive information or allow for unauthorized access. IBM X-Force ID: 176333.5.4https://exchange.xforce.ibmcloud.com/vulnerabilities/176333
CVE-2020-4252IBM DOORS Next Generation (DNG/RRC) 6.0.2. 6.0.6, and 6.0.61 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 175490.5.4https://exchange.xforce.ibmcloud.com/vulnerabilities/175490
CVE-2020-11714eten PSG-6528VM 1.1 devices allow XSS via System Contact or System Location.5.4https://github.com/leona4040/PSG-6528VM-xss/blob/master/README.md
CVE-2020-11556An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28. There are multiple persistent (stored) and reflected XSS vulnerabilities.5.4https://medium.com/tsscyber/noc-noc-whos-there-your-nms-is-pwned-1826174e0dee
CVE-2020-11516Stored XSS in the Contact Form 7 Datepicker plugin through 2.6.0 for WordPress allows authenticated attackers with minimal permissions to save arbitrary JavaScript to the plugin's settings via the unprotected wp_ajax_cf7dp_save_settings AJAX action and the ui_theme parameter. If an administrator creates or modifies a contact form, the JavaScript will be executed in their browser, which can then be used to create new administrative users or perform other actions using the administrator's session.5.4https://www.wordfence.com/blog/2020/04/high-severity-vulnerability-leads-to-closure-of-plugin-with-over-100000-installations/
CVE-2020-11512Stored XSS in the IMPress for IDX Broker WordPress plugin before 2.6.2 allows authenticated attackers with minimal (subscriber-level) permissions to save arbitrary JavaScript in the plugin's settings panel via the idx_update_recaptcha_key AJAX action and a crafted idx_recaptcha_site_key parameter, which would then be executed in the browser of any administrator visiting the panel. This could be used to create new administrator-level accounts.5.4https://wordpress.org/plugins/idx-broker-platinum/#developers
CVE-2020-11508An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows logged-in users with minimal permissions to create or replace existing pages with a malicious page containing arbitrary JavaScript via the wp_ajax_core37_lp_save_page (aka core37_lp_save_page) AJAX action.5.4https://www.wordfence.com/blog/2020/04/critical-vulnerabilities-in-the-wp-lead-plus-x-wordpress-plugin/
CVE-2020-8148UniFi Cloud Key firmware < 1.1.6 contains a vulnerability that enables an attacker being able to change a device hostname by sending a malicious API request. This affects Cloud Key gen2 and Cloud Key gen2 Plus.5.3https://community.ui.com/releases/Security-advisory-bulletin-007-007/eb639fa0-68ad-4bf5-9663-3b760eb2f93a
CVE-2020-4289IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 176332.5.3https://exchange.xforce.ibmcloud.com/vulnerabilities/176332
CVE-2020-4284IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web UI. IBM X-Force ID: 176207.5.3https://exchange.xforce.ibmcloud.com/vulnerabilities/176207
CVE-2020-1628Juniper Networks Junos OS uses the 128.0.0.0/2 subnet for internal communications between the RE and PFEs. It was discovered that packets utilizing these IP addresses may egress an EX4300 switch, leaking configuration information such as heartbeats, kernel versions, etc. out to the Internet, leading to an information exposure vulnerability. This issue affects Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D53 on EX4300; 15.1 versions prior to 15.1R7-S6 on EX4300; 15.1X49 versions prior to 15.1X49-D200, 15.1X49-D210 on EX4300; 16.1 versions prior to 16.1R7-S7 on EX4300; 17.1 versions prior to 17.1R2-S11, 17.1R3-S2 on EX4300; 17.2 versions prior to 17.2R3-S3 on EX4300; 17.3 versions prior to 17.3R2-S5, 17.3R3-S7 on EX4300; 17.4 versions prior to 17.4R2-S9, 17.4R3 on EX4300; 18.1 versions prior to 18.1R3-S8 on EX4300; 18.2 versions prior to 18.2R3-S2 on EX4300; 18.3 versions prior to 18.3R2-S3, 18.3R3, 18.3R3-S1 on EX4300; 18.4 versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3 on EX4300; 19.1 versions prior to 19.1R1-S4, 19.1R2 on EX4300; 19.2 versions prior to 19.2R1-S4, 19.2R2 on EX4300; 19.3 versions prior to 19.3R1-S1, 19.3R2 on EX4300.5.3https://kb.juniper.net/JSA11008
CVE-2020-11628An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. It is intended to support restriction of available remote protocols (CMP, ACME, REST, etc.) through the system configuration. These restrictions can be bypassed by modifying the URI string from a client. (EJBCA's internal access control restrictions are still in place, and each respective protocol must be configured to allow for enrollment.)5.3https://support.primekey.com/news/posts/ejbca-security-advisory-protocol-access-control-bypass
CVE-2020-11607An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. Notification exposure occurs in Lockdown mode because of the Edge Lighting application. The Samsung ID is SVE-2020-16680 (April 2020).5.3https://security.samsungmobile.com/securityUpdate.smsb
CVE-2020-11576Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts within Argo.5.3https://github.com/argoproj/argo-cd/commit/35a7350b7444bcaf53ee0bb11b9d8e3ae4b717a1
CVE-2020-11445TP-Link cloud cameras through 2020-02-09 allow remote attackers to bypass authentication and obtain sensitive information via vectors involving a Wi-Fi session with GPS enabled, aka CNVD-2020-04855.5.3https://www.cnvd.org.cn/flaw/show/1916613
CVE-2020-10978GitLab EE/CE 8.11 to 12.9 is leaking information on Issues opened in a public project and then moved to a private project through Web-UI and GraphQL API.5.3https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/
CVE-2020-5263auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.34.9https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828
CVE-2020-1802There is an insufficient integrity validation vulnerability in several products. The device does not sufficiently validate the integrity of certain file in certain loading processes, successful exploit could allow the attacker to load a crafted file to the device through USB.Affected product versions include:OSCA-550 versions 1.0.1.23(SP2);OSCA-550A versions 1.0.1.23(SP2);OSCA-550AX versions 1.0.1.23(SP2);OSCA-550X versions 1.0.1.23(SP2).4.6https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200408-01-osca-en
CVE-2020-1978TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials. These credentials are equivalent to the credentials associated with the Contributor role in Azure. A user with the credentials will be able to manage all the Azure resources in the subscription except for granting access to other resources. These credentials do not allow login access to the VMs themselves. This issue affects VM Series Plugin versions before 1.0.9 for PAN-OS 9.0. This issue does not affect VM Series in non-HA configurations or on other cloud platforms. It does not affect hardware firewall appliances. Since becoming aware of the issue, Palo Alto Networks has safely deleted all the tech support files with the credentials. We now filter and remove these credentials from all TechSupport files sent to us. The TechSupport files uploaded to Palo Alto Networks systems were only accessible by authorized personnel with valid Palo Alto Networks credentials. We do not have any evidence of malicious access or use of these credentials.4.4https://security.paloaltonetworks.com/CVE-2020-1978
CVE-2020-5255In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response&#39;s content and `Content-Type` header. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7.4.3https://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6
CVE-2020-4291IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web UI. IBM X-Force ID: 176334.4.3https://exchange.xforce.ibmcloud.com/vulnerabilities/176334
CVE-2020-4282IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow an authenticated user to perform unauthorized actions by bypassing illegal character restrictions. X-Force ID: 176205.4.3https://exchange.xforce.ibmcloud.com/vulnerabilities/176205
CVE-2020-3885A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. A file URL may be incorrectly processed.4.3https://support.apple.com/HT211101
CVE-2020-11585There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a message with the file attached, e.g., by using an arbitrary small integer value in the fileIds parameter.4.3https://neff.blog/2020/04/04/dotnetnuke-9-5-file-path-information-disclosure/
<link invalid>
CVE-2020-10981GitLab EE/CE 9.0 to 12.9 allows a maintainer to modify other maintainers' pipeline trigger descriptions within the same project.4.3https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/
CVE-2020-10979GitLab EE/CE 11.10 to 12.9 is leaking information on restricted CI pipelines metrics to unauthorized users.4.3https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/
CVE-2020-10975GitLab EE/CE 10.8 to 12.9 is leaking metadata and comments on vulnerabilities to unauthorized users on the vulnerability feedback page.4.3https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/
CVE-2020-5303Tendermint before versions 0.33.3, 0.32.10, and 0.31.12 has a denial-of-service vulnerability. Tendermint does not limit the number of P2P connection requests. For each p2p connection, it allocates XXX bytes. Even though this memory is garbage collected once the connection is terminated (due to duplicate IP or reaching a maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions. Additionally, Tendermint does not reclaim `activeID` of a peer after it's removed in Mempool reactor. This does not happen all the time. It only happens when a connection fails (for any reason) before the Peer is created and added to all reactors. RemovePeer is therefore called before `AddPeer`, which leads to always growing memory (`activeIDs` map). The activeIDs map has a maximum size of 65535 and the node will panic if this map reaches the maximum. An attacker can create a lot of connection attempts (exploiting above denial of service), which ultimately will lead to the node panicking. These issues are patched in Tendermint 0.33.3 and 0.32.10. ### For more information If you have any questions or comments about this advisory Open an issue in tendermint/tendermint Email us at [security@tendermint.com](mailto:security@tendermint.com) More information can be found here. ### Credits - Ethan Buchman (@ebuchman) for writing a test case for Denial of Service 2 and Tess Rinearson (@tessr) for fixing it - Anton Kaliaev (@melekes) for fixing Denial of Service 13.7https://github.com/tendermint/tendermint/commit/e2d6859afd7dba4cf97c7f7d412e7d8fc908d1cd
CVE-2020-1987An information exposure vulnerability in the logging component of Palo Alto Networks Global Protect Agent allows a local authenticated user to read VPN cookie information when the troubleshooting logging level is set to "Dump". This issue affects Palo Alto Networks Global Protect Agent 5.0 versions prior to 5.0.9; 5.1 versions prior to 5.1.1.3.3https://security.paloaltonetworks.com/CVE-2020-1987
CVE-2020-4164IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could expose sensitive information from applicatino errors which could be used in further attacks against the system. IBM X-Force ID: 174400.2.7https://exchange.xforce.ibmcloud.com/vulnerabilities/174400
CVE-2020-11606An issue was discovered on Samsung mobile devices with Q(10.0) software. Information about application preview (in the Secure Folder) leaks on a locked device. The Samsung ID is SVE-2019-16463 (April 2020).2.4https://security.samsungmobile.com/securityUpdate.smsb
CVE-2020-11602An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. Google Assistant leaks clipboard contents on a locked device. The Samsung ID is SVE-2019-16558 (April 2020).2.4https://security.samsungmobile.com/securityUpdate.smsb
CVE-2020-9478An issue was discovered in Rubrik 5.0.3-2296. An OS command injection vulnerability allows an authenticated attacker to remotely execute arbitrary code on Rubrik-managed systems.https://www.rubrik.com
CVE-2020-8834KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability run code in kernel space of a guest VM can cause the host kernel to panic. There were two commits that, according to the reporter, introduced the vulnerability: f024ee098476 ("KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures") 87a11bb6a7f7 ("KVM: PPC: Book3S HV: Work around XER[SO] bug in fake suspend mode") The former landed in 4.8, the latter in 4.17. This was fixed without realizing the impact in 4.18 with the following three commits, though it's believed the first is the only strictly necessary commit: 6f597c6b63b6 ("KVM: PPC: Book3S PR: Add guest MSR parameter for kvmppc_save_tm()/kvmppc_restore_tm()") 7b0e827c6970 ("KVM: PPC: Book3S HV: Factor fake-suspend handling out of kvmppc_save/restore_tm") 009c872a8bc4 ("KVM: PPC: Book3S PR: Move kvmppc_save_tm/kvmppc_restore_tm to separate file")https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1867717
CVE-2020-6456Insufficient validation of untrusted input in clipboard in Google Chrome prior to 81.0.4044.92 allowed a local attacker to bypass site isolation via crafted clipboard contents.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6455Out of bounds read in WebSQL in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6454Use after free in extensions in Google Chrome prior to 81.0.4044.92 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6452Heap buffer overflow in media in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_31.html
CVE-2020-6451Use after free in WebAudio in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_31.html
CVE-2020-6450Use after free in WebAudio in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_31.html
CVE-2020-6448Use after free in V8 in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6447Inappropriate implementation in developer tools in Google Chrome prior to 81.0.4044.92 allowed a remote attacker who had convinced the user to use devtools to potentially exploit heap corruption via a crafted HTML page.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6446Insufficient policy enforcement in trusted types in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass content security policy via a crafted HTML page.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6445Insufficient policy enforcement in trusted types in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass content security policy via a crafted HTML page.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6444Uninitialized use in WebRTC in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6443Insufficient data validation in developer tools in Google Chrome prior to 81.0.4044.92 allowed a remote attacker who had convinced the user to use devtools to execute arbitrary code via a crafted HTML page.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6442Inappropriate implementation in cache in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to leak cross-origin data via a crafted HTML page.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6441Insufficient policy enforcement in omnibox in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass security UI via a crafted HTML page.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6440Inappropriate implementation in extensions in Google Chrome prior to 81.0.4044.92 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information via a crafted Chrome Extension.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6439Insufficient policy enforcement in navigations in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass security UI via a crafted HTML page.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6438Insufficient policy enforcement in extensions in Google Chrome prior to 81.0.4044.92 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6437Inappropriate implementation in WebView in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to spoof security UI via a crafted application.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6436Use after free in window management in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6435Insufficient policy enforcement in extensions in Google Chrome prior to 81.0.4044.92 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6434Use after free in devtools in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6433Insufficient policy enforcement in extensions in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6432Insufficient policy enforcement in navigations in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-6431Insufficient policy enforcement in full screen in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to spoof security UI via a crafted HTML page.https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html
CVE-2020-3126vulnerability within the Multimedia Viewer feature of Cisco Webex Meetings could allow an authenticated, remote attacker to bypass security protections. The vulnerability is due to missing security warning dialog boxes when a room host views shared multimedia files. An authenticated, remote attacker could exploit this vulnerability by using the host role to share files within the Multimedia sharing feature and convincing a former room host to view that file. A warning dialog normally appears cautioning users before the file is displayed; however, the former host would not see that warning dialog, and any shared multimedia would be rendered within the user's browser. The attacker could leverage this behavior to conduct additional attacks by including malicious files within a targeted room host's browser window.https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs24436
CVE-2020-1638The FPC (Flexible PIC Concentrator) of Juniper Networks Junos OS and Junos OS Evolved may restart after processing a specific IPv4 packet. Only packets destined to the device itself, successfully reaching the RE through existing edge and control plane filtering, will be able to cause the FPC restart. When this issue occurs, all traffic via the FPC will be dropped. By continuously sending this specific IPv4 packet, an attacker can repeatedly crash the FPC, causing an extended Denial of Service (DoS) condition. This issue can only occur when processing a specific IPv4 packet. IPv6 packets cannot trigger this issue. This issue affects: Juniper Networks Junos OS on MX Series with MPC10E or MPC11E and PTX10001: 19.2 versions prior to 19.2R1-S4, 19.2R2; 19.3 versions prior to 19.3R2-S2, 19.3R3; 19.4 versions prior to 19.4R1-S1, 19.4R2. Juniper Networks Junos OS Evolved on on QFX5220, and PTX10003 series: 19.2-EVO versions; 19.3-EVO versions; 19.4-EVO versions prior to 19.4R2-EVO. This issue does not affect Junos OS versions prior to 19.2R1. This issue does not affect Junos OS Evolved versions prior to 19.2R1-EVO.https://kb.juniper.net/JSA11019
CVE-2020-1626A vulnerability in Juniper Networks Junos OS Evolved may allow an attacker to cause a Denial of Service (DoS) by sending a high rate of specific packets to the device, resulting in a pfemand process crash. The pfemand process is responsible for packet forwarding on the device. By continuously sending the packet flood, an attacker can repeatedly crash the pfemand process causing a sustained Denial of Service. This issue can only be triggered by traffic sent to the device. Transit traffic does not cause this issue. This issue affects all version of Junos OS Evolved prior to 19.1R1-EVO.https://kb.juniper.net/JSA11005
CVE-2020-1616Due to insufficient server-side login attempt limit enforcement, a vulnerability in the SSH login service of Juniper Networks Juniper Advanced Threat Prevention (JATP) Series and Virtual JATP (vJATP) devices allows an unauthenticated, remote attacker to perform multiple login attempts in excess of the configured login attempt limit. Successful exploitation will allow the attacker to perform brute-force password attacks on the SSH service. This issue affects: Juniper Networks JATP and vJATP versions prior to 5.0.6.0.https://kb.juniper.net/JSA10999
CVE-2020-1614A Use of Hard-coded Credentials vulnerability exists in the NFX250 Series for the vSRX Virtual Network Function (VNF) instance, which allows an attacker to take control of the vSRX VNF instance if they have the ability to access an administrative service (e.g. SSH) on the VNF, either locally, or through the network. This issue only affects the NFX250 Series vSRX VNF. No other products or platforms are affected. This issue is only applicable to environments where the vSRX VNF root password has not been configured. This issue affects the Juniper Networks NFX250 Network Services Platform vSRX VNF instance on versions prior to 19.2R1.https://kb.juniper.net/JSA10997
CVE-2020-11738The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.https://snapcreek.com/duplicator/docs/changelog/?lite
CVE-2020-11736fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.https://gitlab.gnome.org/GNOME/file-roller/-/commit/21dfcdbfe258984db89fb65243a1a888924e45a0
CVE-2020-11620FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).https://github.com/FasterXML/jackson-databind/issues/2682
CVE-2020-11619FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).https://github.com/FasterXML/jackson-databind/issues/2680
CVE-2020-10642In Rockwell Automation RSLinx Classic versions 4.1.00 and prior, an authenticated local attacker could modify a registry key, which could lead to the execution of malicious code using system privileges when opening RSLinx Classic.https://www.us-cert.gov/ics/advisories/icsa-20-100-01