Covid-19 : Le Premier ministre annonce que la réouverture se fera par étapes

GIS –24 avril 2020 : Lors d’une
déclaration télévisée à la nation, le Premier ministre, M. Pravind Kumar
Jugnauth, a annoncé que le gouvernement élabore actuellement un plan bien
défini pour permettre une réouverture par étapes en vue de limiter la
possibilité d’une nouvelle vague du Covid-19 à Maurice.

 

Selon le Premier ministre, de nombreux facteurs doivent être pris en
considération dans le cadre de cet exercice complexe de réouverture, mais la
priorité du gouvernement demeure la protection de la santé des Mauriciens. Il a
fait ressortir que la décision réfléchie et responsable d’imposition de
couvre-feu sanitaire a été suivie par la population avec pour résultats la
diminution du nombre de cas de Covid-19 et la stabilisation de la propagation
de la maladie dans le pays.

 

Le Premier ministre a déclaré que la réouverture se fera dans la
transparence et dans un esprit démocratique, avec la collaboration des
partenaires sociaux, du secteur privé, des forces vives, des organisations non
gouvernementales et des services essentielles. « Le plus important dans
cette première étape du déconfinement sera le projet de loi, Covid-19 Bill »,
a indiqué M. Jugnauth. Dans cette optique, des travaux ont été entrepris au
niveau de l’Assemblée nationale en vue d’une reprise des débats parlementaires
sans risque sanitaire pour les membres de l’Assemblée.

 

Détaillant la première phase de réouverture, M. Jugnauth a affirmé que le
port du masque sera obligatoire dans les lieux publics. L’industrie textile et
les pharmacies s’assureront de la disponibilité des masques dont le prix sera
fixé par le gouvernement. En outre, le système de santé sera réadapté avec la
généralisation des fluclinics dans les centres de santé en vue de
prendre en charge les personnes qui se présentent avec des symptômes du
Covid-19.

 

Le chef du gouvernement a aussi signalé que le pays intensifiera les dépistagesdu
coronavirus auprès de la population dès demain. Quelque 35 000 personnes dont
les professionnels de santé, les membres des forces de l’ordre et les employés
de supermarché seront concernés dans un premier temps par ce programme de
dépistage. M. Jugnauth a saisi l’occasion pour remercier ces travailleurs en
première ligne.

 

Un autre aspect de la réouverture est l’interdiction de grands
rassemblements.Les citoyens continueront à faire leurs courses dans les
supermarchés selon l’ordre alphabétique déjà en vigueur. Les boulangers rouvriront
mais devront s’assurer que les règles de distanciation soient suivies par les
clients. Les établissements scolaires resteront fermés et le ministère de
l’Education, de l’Enseignement supérieur, de la Science et de la Technologiecommuniquera
bientôt sur les modalités à venir.

 

Rappelant que des dispositifs ont déjà été mis en place pour soutenir les
entreprises et prévenir des licenciements en ce temps de crise, M. Jugnauth a
parlé du plan de relance et d’investissements économiques sur lequel œuvrent le
ministère des Finances, de la Planification et du Développement économiqueset
la Banque de Maurice. Il s’est dit également attrister par la situation à Air
Mauritius, ajoutant suivre de près cet état de fait tout en ayant à cœur les
employés. La compagnie aérienne a dû se placer sous administration volontaire
pour éviter la failliteface aux conséquences de la crise mondiale et les
fermetures des espaces aériens et des frontières.

 

Finalement, le Premier ministre a insisté sur la nécessité de réussir la réouverture,
et empêcher une deuxième vague de contamination. « A cet effet, le
gouvernement ne compte pas se précipiter et prendra le temps qu’il faudra »,
a-t-il martelé. Il a demandé la participation de toute la population pour
passer avec succès la phase de réouverture et l’exhorte à la discipline et au
respect des mesures d’hygiène. Il a conclu en souhaitant aux Mauriciens de foi
musulmane un bon mois de Ramadan. 

 

#ResOuLakaz     #BeSafeMoris

 Government Information Service, Prime
Minister’s Office, Level 6, New Government Centre, Port Louis, Mauritius.
Email: 
gis@govmu.org  Website: http://gis.govmu.org  Mobile App: Search Gov​

Cabinet Decisions taken on ​24 APRIL 2020

 

CABINET DECISIONS    24 APRIL 2020
 
 
1.         Cabinet has taken note of the situation pertaining to the outbreak of COVID-19 and the measures taken to contain the pandemic, namely –
 
(a)       as at 23 April 2020, out of 12,835 tests carried out, 331 persons had been tested positive;
 
(b)       as at 23 April 2020, there were 53 patients in the Treatment Centres and the number of persons successfully treated was 266;
 
(c)        the screening of health workers, Police Officers, Prison Officers, prisoners, foreign workers and staff and inmates of Homes and Shelters was being carried out;
 
(d)       a repatriation plan is being worked out to airlift stranded Mauritians in a phased manner.  All returning passengers would be placed in quarantine; and
 
(e)       a number of patients who have been successfully treated, have volunteered to donate their plasma.
 
            Cabinet has taken note of actions taken by the Ministry of Health and Wellness for the procurement of medical and non-medical items to deal with the present COVID-19 situation, namely for the prevention, testing and treatment of persons infected with COVID-19.  The Ministry of Health and Wellness has also received donations of equipment and drugs, inter alia, from the Government of India, the Embassy of the United States of America, Jack Ma Foundation and the People’s Republic of China.
 
****
 
2.         Cabinet has agreed to the extension of the Wage Assistance Scheme to cover, during the COVID-19 curfew period, a charitable institution approved by the Director-General of the Mauritius Revenue Authority or registered under the Registration of Associations Act.
 
****
 
3.         Cabinet has agreed to the Ministry of Commerce and Consumer Protection controlling the price of certain identified essential food items and sanitary products under the Consumer Protection (Price and Supplies Control) Act and the Consumer Protection (Consumer Goods) (Maximum Mark-Up) Regulations 1998.  Since the imposition of the curfew, representations have been received by that Ministry regarding unfair and abusive practices by some traders, including the non-affixing of prices on items put for sale and charging of substantially higher than normal prices, especially for essential commodities. 
 
            The Schedule to the Consumer Protection (Price and Supplies Control) Act 1998 and the Consumer Protection (Consumer Goods) (Maximum Mark-Up) Regulations 1998 would be amended accordingly.
 
****
 
 
 
 
4.         Cabinet has taken note of the actions initiated by the Ministry of Tourism to revamp the tourism strategy to mitigate the socio-economic impact of the COVID-19 pandemic on the industry.  The United Nations World Tourism Organisation (UNWTO) has appealed to Governments to consider, in collaboration with the relevant stakeholders, a set of 23 recommendations, to support jobs and economies through Travel and Tourism.  In line with the UNWTO’s recommendations to, inter alia, incentivise job retention, sustain the self-employed, and protect the most vulnerable groups, Government has already put in place schemes to support the economic sectors, including the Travel and Tourism sector namely, the COVID-19 Wage Assistance Scheme, the Self-Employed Assistance Scheme and the Loan Support Scheme.  The Ministry of Tourism has already established a Joint Working Group, consisting of both public and private stakeholders, to brainstorm and propose a comprehensive recovery action plan to mitigate the impact of the COVID-19 pandemic on Travel and Tourism.
 
 
****
 

5.         Cabinet has taken note that the Minister of Finance, Economic Planning and Development would make –
 
            (a)       the Finance and Audit (COVID-19 Projects Development Fund) Regulations 2020; and
 
            (b)       the Finance and Audit (Amendment of Schedule) (No. 2) Regulations 2020.
 
            The Finance and Audit (COVID-19 Projects Development Fund) Regulations 2020 would provide for the setting up of a COVID-19 Projects Development Fund whose objects are to contribute to the financing of –
 
            (a)       projects specified in the Public Sector Investment Programme;
 
            (b)       such other projects, or such schemes or programmes, as the Minister may approve; and
 
            (c)        consultancy, preparatory or advisory services in relation to projects, schemes and programmes referred to above.
 
            A COVID-19 Projects Development Committee, under the chair of the Financial Secretary or his representative, would be set up to administer and manage the Fund.  The Finance and Audit (Amendment of Schedule) (No. 2) Regulations 2020 would amend the Schedule to the Finance and Audit Act so as to include the COVID-19 Projects Development Fund as a new item.
 
 
****
 

6.         Cabinet has taken note that the Minister of Finance, Economic Planning and Development would promulgate –
 
            (a)       the Companies (Amendment of Schedule) Regulations 2020. The Fifth Schedule of the Companies Act was amended in 2019 such that a notice of general meeting is sent 21 days before a meeting, instead of 14 days previously to give more time to shareholders; and
 
            (b)       the Insolvency (Administration) (Equal Treatment to Classes of Creditors) Regulations 2020.  Section 232 of The Insolvency Act was amended through the Business Facilitation (Miscellaneous Provisions) Act 2019 to ensure that creditors are categorised into classes for the purpose of voting in a reorganisation plan and creditors in each class vote independently.
 
            These regulations are being made, inter alia, to improve the performance of Mauritius in the context of World Bank Ease of Doing Business Report.
 
 
****
 
7.         Cabinet has taken note that the interim payment of an increase of 7.9 percent on the current Comprehensive Grant Formula to Private Secondary Schools would be extended for period January to October 2020, in the context of the review exercise.

 
 
******

Covid-19 : Des vols mis en place pour rapatrier les Mauriciens coincés à l’étranger

GIS –21 avril 2020 :
Les ressortissants Mauriciens bloqués en Afrique du Sud et à Paris
pourront rentrer au pays en fin de semaine. Le gouvernement profitera du vol
affrété pour récupérer le chargement de vaccins commandés en France dans le
cadre de la campagne nationale annuelle contre la grippe saisonnière pourra
mener ceux coincés à Paris. Un autre vol organ​isé pour permettre aux
sud-africains de rejoindre leur pays rapatriera les Mauriciens qui s’y trouvent.


Le
ministre des Affaires étrangères, de l’Intégration régionale et du Commerce
international, M. Nandcoomar Bodha, a fait cette annonce lors d’un point de
presse par visioconférence de son bureau à Port Louis en début de soirée. Plus
de 3 000 Mauriciens sont toujours à l’étranger à cause des restrictions
internationales suite à la pandémie du Covid-19. Le gouvernement avait pu, avant
la fermeture de l’aéroport, assurer le retour d’un millier de personnes de
Wuhan, Dubaï et Johannesburg.
 
« Nous
comprenons les sentiments pénibles de séparation de nos compatriotes, mais le
contexte international est compliqué dû aux fermetures des espaces aériens et
des frontières », a souligné M. Bodha. Il a déclaré que le gouvernement, à
travers les ambassades et chancelleries, encadre, soutient et informe au mieux
nos ressortissants. Plus de 1 000 appels et 3 500 courriels ont été échangés
entre les autorités et ces Mauriciens.
 
Les
conditions en Inde sont plus complexes, a, en outre, indiqué le ministre, car
les vols intérieurs n’y sont pas autorisés pour le moment, rendant difficile la
tâche de regrouper tous les Mauriciens. Toutefois, le gouvernement fait des
arrangements pour qu’un vol puisse aller à Mumbai vers le 9 mai en vue de
récupérer des médicaments, dont la chloroquine, ainsi que nos compatriotes. La
priorité sera donnée aux concitoyens ayant voyagé pour des raisons médicales,
aux personnes âgées et aux étudiants. La State Bank of Mauritius met à la
disposition de ces voyageurs un prêt de Rs 50 000 avec des intérêts à 3% pour
les aider dans leurs démarches.
 
Quant aux
Mauriciens, membres du personnel de bateaux de croisière, qui ne peuvent rentrer
au pays actuellement, M. Bodha a déclaré qu’ils sont pris en charge par leur
employeur selon leur contrat de travail. Il a affirmé que le gouvernement suit
de prèsles évolutions aux niveaux local et international, et prendra les
décisions qui s’imposent au moment venu pour la réouverture de nos frontières.
Il a dit espérer que la situation s’améliore au plus vite afin que nos
compatriotes puissent rentrer rapidement.
 
Multiplier
le nombre de tests de dépistage du Covid-19
Le
gouvernement veut augmenter sa capacité de dépistage afin d’aider ceux qui sont
en première ligne, notamment les professionnels de santé, à faire face au
Covid-19. Dans cette optique, a signalé M. Bodha, un vol est prévu vers Hong
Kong pour récupérer des tests rapides. Trois autres vols se rendront à Guangzhou
pour prendre des fournitures médicales.
 
Le
ministre a également insisté auprès des Mauriciens pour ne pas relâcher leurs
efforts malgré la stagnation de la courbe d’infection. Aucun cas positif de
coronavirus n’a été détecté sur le territoire durant les dernières 48 heures.
Les cas enregistrés restent à 328 dont 73 actifs pour 11 819 tests réalisés. M.
Bodha a demandé à la population de rester extrêmement vigilante, de respecter
les consignes de santé et de continuer le combat pour éviter à tout prix une
deuxième vague de l’épidémie dans le pays. 
 

Government
Information Service, Prime Minister’s Office, Level 6, New Government Centre,
Port Louis, Mauritius. Email: 
gis@govmu.org  Website: http://gis.govmu.org  Mobile
App: Search Gov

 

Covid-19 : Prolongement des mesures de soutien aux travailleurs et aux entreprises

GIS  –17 avril 2020 : Lors d’un point de presse qui s’est tenu au bâtiment du Trésor à
Port Louis en début de soirée, le ministre des Finances, de la Planification et
du Développement économiques, Dr Renganaden Padayachy, a annoncé que les
disposi​tifs de soutien pour les travailleurs formels et indépendants seront
prolongés de même que pour les grandes, petites, moyennes et micro- entreprises,
afin de les accompagner au mieux dans cette crise économique sévère due à la
pandémie de Covid-19.

 

Le décaissement des fonds, dans le
cadre de l’application prolongée du Wage Assistance Scheme et du Plan d’assistance
au secteur informel, se montera à Rs 4 milliards et Rs 500 millions,
respectivement. Pour le mois dernier, le Wage Assistance Scheme avait
bénéficié à 243 000 employés pour un montant total de quelque Rs 1,5 milliards.
Le Plan d’assistance au secteur informel a couté Rs 835 millions et a touché
163 000 travailleurs indépendants.

 

Wage Assistance Scheme

Ce plan a été mis en place pour
assurer que les employés du secteur formel reçoivent leur salaire. Le ministre a
appelé à la responsabilité et à la solidarité des entreprises. Il a ajouté que
deux conditions y sont attachées : les entreprises s’engagent à verser le
salaire de leurs employés, et ne procèderont à aucun licenciement. La Mauritius
Revenue Authority
(MRA) veillera à ce que ces conditions soient respectées.

 

Pour le mois d’avril, le
gouvernement paiera la totalité des salaires de ceux touchant jusqu’à Rs 25 000,
et contribuera cette même somme pour ceux dont les salaires sont dans la
fourchette de Rs 25 000 à Rs 50 000.

 

Cette mesure ne s’appliquera qu’en
partie pour Rodrigues et Agaléga, la période de confinement ayant pris fin le
15 avril. En conséquence, les travailleurs du secteur formel de ces deux îles
seront octroyés Rs 12 500.

 

Pour avoir droit à ce soutien, les
employeurs devront s’enregistrer, comme ils l’ont fait pour le mois de mars, auprès
de la MRA,
https://www.mra.mu/.

 

Plan d’assistance au
secteur informel

A propos du plan d’assistance au
secteur informel, Dr Padayachy a indiqué qu’une somme de Rs 2 550 sera versé uniquement aux
travailleurs indépendants de Maurice pour la période du 16 au 30 avril, Rodrigues
et Agaléga n’étant plus en confinement.

 

Plan de soutien aux
entreprises

La Banque de Maurice a revu son
taux d’intérêt à 1,5% pour le Special Relief Amount, qui est un élément
important de son plan de soutien.

 

En outre, sous ce programme, la State
Investment Corporation
pourra garantir jusqu’à 60% des prêts aux petites et
moyennes entreprises ayant un chiffre d’affaires de moins de Rs 50 millions, et
jusqu’à 50% pour les compagnies avec un chiffre d’affaires de plus de Rs 50
millions.

 

Relancer l’économie
après le confinement

Le grand argentier a également
annoncé que le ministère des Finances, de la Planification et du Développement
économiques, travaille sur un plan pour relancer l’investissement et l’économie
après la période de couvre-feu sanitaire. Rappelant que la crise du Covid-19
pèse lourdement sur l’économie mondiale aussi bien que locale, en raison du
confinement de la moitié de la planète qui est appelé à durer, il a affirmé,
qu’à cet effet, toutes les techniques conventionnelles et non-conventionnelles
ainsi que plusieurs options de financement sont à l’étude.

 

Citant les estimations faites par
le Fonds Monétaire International (FMI) en janvier 2020 qui prévoyaient une
croissance mondiale de 3,3% pour cette année, il a souligné que celles-ci ont
été révisées à une croissance négative de 3%, soit la pire récession que le
monde ait connue depuis la grande dépression de 1930.

 

Les perspectives pour Maurice,
selon Dr Padayachy, ne sont pas plus optimistes. Les prévisions du FMI pour
Maurice tablent sur une croissance négative de 6,8%. « Toutefois, en se
basant sur les données actuelles, mon ministère, l’Economic Development Board
et la Banque de Maurice anticipent une croissance négative entre 7% à 11%, et
une montée du chômage à 17,5% », a-t-il déclaré.

 

Point quotidien sur
l’évolution de la situation sanitaire liée au Covid-19

Maurice enregistre son cinquième
jour consécutif sans détection de cas positif.

 

Par contre, 27 nouvelles guérisons
ont été recensées portant le nombre de patients guéris à 108. Le pays compte donc
324 cas positifs, et 204 cas actifs.

 

Un total de 9755 tests a été
effectué par le laboratoire central de Candos à ce jour.

 

#ResOuLakaz     #BeSafeMoris

 

Government Information Service, Prime
Minister’s Office, Level 6, New Government Centre, Port Louis, Mauritius.
Email: 
gis@govmu.org  Website: http://gis.govmu.org  Mobile App: Search Gov

Covid-19 : Renforcement de l’arsenal légal pour mieux préparer l’après confinement

GIS – 16 avril 2020 : L’Attorney General et ministre de l’Agro-industrie et de ​la Sécurité
alimentaire, M. Maneesh Gobin, a annoncé que son bureau travaille actuellement
sur un projet de loi en vue de renforcer l’arsenal législatif pour permettre au
pays de faire face, dans les meilleures conditions possibles, à la levée du
couvre-feu sanitaire.

 

Le déconfinement se fera en plusieurs phases, a-t-il fait ressortir lors du
point de presse par visioconférence du Comité de communication sur le Covid-19
en début de soirée au bâtiment du Trésor à Port Louis. Le projet de loi prendra
en compte les failles qui ont été notées au cours de l’imposition du couvre-feu
sanitaire, et inclura les meilleures pratiques tirées de l’expérience et des
leçons des autres pays.

 

La participation de tous les ministères et départements à ce projet de loi
aidera aussi à couvrir un ensemble de domaines notamment les finances, la
fiscalité, les lois du travail, l’ordre public et la discipline. Le projet de
loi sera présenté à l’Assemblée nationale qui se réunira selon de nouvelles
modalités mises en place pour limiter les risques de contamination du
Covid-19. 

 

Le ministre, également responsable du secteur agricole, a tenu à préciser
que des supermarchés et des regroupements de petits et moyens commerces de
différents endroits du pays sont venus prendre livraison de 139 tonnes de
pommes de terre et 46 tonnes d’oignons à l’Agricultural Marketing Board aujourd’hui.
Les Mauriciens pourront continuer d’acheter ces légumes sans difficulté.

 

Le Premier ministre et tous ses collaborateurs testés
négatifs

Le deuxième test de dépistage pour le Premier ministre, Pravind Kumar
Jugnauth, ainsi que pour les autres membres des Comités de haut-niveau et de
communication sur le Covid-19,est négatif. Ils sont sortis de leur auto-isolement
aujourd’hui.

 

Le porte-parole, Dr Zouberr Joomaye, a déclaré que pour le quatrième jour
consécutif, aucun cas positif n’a été enregistré. Il a indiqué que c’était un
signe encourageant et que ce phénomène de stagnation semble commun auxîles de
l’océan Indien dont La Réunion, Les Seychelles et Madagascar. Ces pays, comme
Maurice, ont adopté des mesures exceptionnelles similaires comme la fermeture
des frontières aériennes et l’instauration du confinement.

 

Le nombre de cas positif à Maurice reste à 324 alors que 16 nouvelles
guérisons sont à signaler, portant les chiffres de patients guéris à 81. Les
cas actifs ont diminué pour atteindre 231. En additionnant les 277 tests de
dépistage réalisés par le laboratoire central de Candos aujourd’hui, la
quantité de test à ce jour s’élève à 9 180. Quant aux personnes en quatorzaine,
elles ne sont que 259, les membres du personnels médical formant le plus gros
contingent.

 

Néanmoins, Dr Joomaye a rappelé que la lutte contre le Covid-19 n’est pas
encore terminée car les centres de traitement comptent toujours des patients
hospitalisés. Ainsi, 39 malades sont à l’ENT, dont deux, sous respiration
artificielle; 23 à l’hôpital de Souillac ; 18 au centre de Pointe aux Piments ;
et 156 répartis dans trois hôtels dans la région nord du pays. Le porte-parole
a affirmé que les tests de dépistage de normes internationales par les
professionnels du laboratoire de Candos vont se poursuivre sur les patients
suspects de Covid-19, et toute variation anormale au niveau des services de
santé sera immédiatement détectée.

 

#ResOuLakaz     #BeSafeMoris

 

Government Information Service, Prime
Minister’s Office, Level 6, New Government Centre, Port Louis, Mauritius.
Email: 
gis@govmu.org  Website: http://gis.govmu.org  Mobile App: Search Gov​​

Covid-19 : Cinq autres patients guéris et un seul cas positif en 24 heures à Maurice

GIS  –11 avril 2020 : Sur la base des tests effectués durant les dernières 24 heures, un
seul cas positif de Covid-19 a été recensé alors que le nombre de guérisons
passe à 28, avec cinq nouvelles personnes qui ont été testées négatives lors du
deuxième dépistage, a annoncé le porte-parole du Comité national de
communication sur le Covid-19, Dr Zouberr Joomaye, en début de soirée. C’était au
cours du point de presse quotidien par visioconférence de sa résidence.

 

Voici les principaux points évoqués
:

v  A ce jour, le pays a enregistré 319 cas positifs de Covid-19, notamment 282
cas actifs, neuf décès et 28 patients guéris.

 

v  La situation dans les centres de traitement du Covid-19 sont comme
suit : 46 malades hospitalisés à l’ENT dont un seul désormais sous
respiration artificielle ; 22 à l’hôpital de Souillac ; 35 au centre
de Pointe aux Piments ; et 185 patients répartis dans trois hôtels dans la
région nord du pays.

 

v  Sept centres de quarantaine demeurent opérationnels avec 412 personnes en
quatorzaine.

 

v  L’approvisionnement en produits de première nécessité par ordre
alphabétique dans les supermarchés, superettes, et boutiques ne s’appliquera pas
pour ceux travaillant dans les services essentiels dont les forces de l’ordre et
la santé. Ils pourront faire leurs courses selon leur horaire de disponibilité.

 

v  Une amélioration a été notée au niveau des commerces avec une diminution
des fils d’attente et un suivi des consignes strictes de sécurité. La police
continue à assurer l’ordre et la discipline à travers le pays.

 

v  Il y a suffisamment de matériels de protection pour ceux qui sont en
première ligne et pour la population. Les vols quotidiens vers la République
populaire de Chine pour rapatrier les équipements médicaux se poursuivent. Le
secteur privé s’attèle aussi à la fabrication de masques.

 

v  Le ministère des Finances, de la Planification et du Développement
économiques revoit actuellement le Wage Assistance Scheme visant à
contribuer au salaire de base des employés du secteur formel ainsi que le plan
de soutien pour les travailleurs du secteur informel pour le mois d’avril. Les
informations seront communiquées en temps et lieu.

 

Un appel à la vigilance, à mettre
en pratique les gestes barrières, notamment le lavage des mains et la
distanciation sociales, de même qu’à rester à la maison a une nouvelle fois été
lancée à la population. Dr Joomaye demande aussi aux personnes âgées de prendre
les précautions nécessaires et de quitter leur domicile qu’en cas d’urgence.
 

 

#ResOuLakaz     #BeSafeMoris


Government Information Service, Prime
Minister’s Office, Level 6, New Government Centre, Port Louis, Mauritius.
Email: 
gis@govmu.org  Website: http://gis.govmu.org  Mobile App: Search Gov​

Covid-19 : 19 guérisons à Maurice

GIS –08 avril 2020 : Le Premier ministre, M. Pravind Kumar Jugnauth, a annoncé que depuis
dimanche dernier, la situation du Covid-19 à Maurice a pris une autre tournure
avec la guérison de patients contaminés, qui totalisent à ce jour 19 personnes,
dont 10 rentreront chez eux ce soir. Il a ajouté que des groupes de personnes
en quatorzaine ont aussi eu l’autorisation de quitter les centres de
quarantaine après avoir effectué les tests requis qui se sont avérés négatifs.

 

C’était lors d’une conférence de presse par visioconférence en début de
soirée au Bâtiment du Trésor à Port Louis. Le Premier ministre a de plus révélé
que le nombre de cas positifs de Covid-19 à Maurice est bien au-dessous des
prévisions de l’Organisation mondiale de la santé (OMS), et cela grâce aux
bonnes interventions mises en œuvre rapidement par le gouvernement qui ont
permis d’endiguer une propagation rapide du virus.

 

Le nombre de cas positifs à ce jour est 273. Alors que l’OMS avait
initialement prévu, après l’apparition des premiers cas,une évolution vers 479
cas positifs à la deuxième semaine, et 888 cas à la troisième semaine, les
chiffres réels sont de 169 et 268 cas,respectivement. M Jugnauth a jugé ces
données encourageantes et qu’elles reflètent l’efficacité des décisions prises
dont le confinement et l’imposition du couvre-feu sanitaire.

 

Le chef du gouvernement a affirmé que toutes les autorités du pays, y
compris les services de santé, font un suivi de l’évolution quotidienne de la
situation à Maurice et dans le monde de même que de l’état des
connaissances épidémiologiques. A cet effet, le pays a actuellement recours au
nouveau traitement de plasmaphérèse qui comprend la transfusion de plasma de
patients guéris du Covid-19 à ceux qui sont sévèrement atteints par la maladie.

 

Selon M. Jugnauth, la nécessité de prolonger ou lever le confinement ainsi
que le plan pour la levée du confinement, qui devrait se faire en plusieurs phases et
basée sur des normes sanitaires strictes, seront discutées au prochain Conseil
des ministres. La priorité, a-t-il souligné, demeure la santé publique et la
protection des Mauriciens, à qui il a réitéré que la seule prévention repose
sur les mesures de barrière qui ont pour objectif de réduire la propagation de
la maladie.

 

Le Premier ministre a en outre tenu à mettre en exergue que les réunions
quotidiennes des divers comités se font suivant toutes les précautions notamment
de pratiquer une bonne hygiène des mains, de maintenir une distance de
sécurité, de désinfecter les dossiers, et de porter des masques. « Des
tests de dépistage seront effectués si des personnes dans ces réunions ont été
contaminées par le coronavirus », a-t-il dit.

 

Concernant les professionnels de santé et les agents des forces de l’ordre,
le Premier ministre a fait ressortir qu’un plan est à l’étude pour leur
permettre de se ravitailler à un moment qui leur convient, car leur horaire de
travail ne leur permet pas d’adhérer au calendrier alphabétique mis en place
pour que la population puisse faire ses courses.« Ces personnes sont en
première ligne face au Covid-19, et nous devons leur fournir toutes les
facilités », a déclaré M. Jugnauth.

 

Halte à l’abus des commerçants

Condamnant les prix abusifs et la pénurie artificielle pratiqués par certains
commerçants, le Premier ministre a déclaré que les autorités iront jusqu’à
suspendre, si besoin est, les licences d’opération de ces établissements qui
profitent de la situation au détriment des Mauriciens. Il est à noter que le ministère
du Commerce et de la Protection des Consommateurs a dressé 336 contraventions
au cours des descentes dans 413 supermarchés, superettes et boutiques depuis
leur réouverture.

 

Soutien aux agriculteurs et personnes à risques

Le Premier ministre est également revenu sur les dispositions prises par le
gouvernement pour les agriculteurs afin qu’ils puissent opérer et vendre leurs
produits aux supermarchés. Il a indiqué qu’ils ont droit aux Rs 5 100 du plan
de soutien pareillement qu’aux travailleurs du secteur informel. Il a toutefois
déploré les nombreux vols de légumes dans les diverses plantations et assuré
que la police sera sans pitié à l’endroit de ceux qui ne respectent pas les
lois.

 

Concernant les personnes âgées, M. Jugnauth a répété qu’elles sont les plus
vulnérables face au coronavirus. Dans cette optique, le gouvernement a mis en
œuvre plusieurs dispositifs à leur intention. Ceux-ci incluent le paiement de
pension mensuel et la vaccination pour la grippe saisonnière à domicile. 

 

La relance économique après le confinement

Pour sa part, le ministre des Finances, de la Planification et du
Développement économiques, Dr Renganaden Padayachy, qui était présent à la
conférence de presse s’est appesanti sur la reprise économique. Un rapport sera
bientôt publié et portera sur l’impact économique du Covid-19, à la suite
duquel des initiatives de relance spécifiques seront appliquées.

 

Dr Padayachy s’est voulu rassurant en évoquant la sérénité retrouvée sur le
marché boursieravec une hausse cumulée de 7% depuis le début de la semaine, et
a mis en relief les dispositions inclues dans le plan de soutien à hauteur de
Rs 30 milliards, fruit d’une collaboration conjointe des acteurs des secteurs
public et privé.

 

M. Jugnauth a témoigné de la solidarité du peuple mauricien à la population
britannique, en particulier à leur Premier ministre, M. Boris Johnson, positif
au Covid-19 et placé en soins intensifs à l’hôpital Saint-Thomas.

 

Le chef du gouvernement a insisté que nul n’est à
l’abri et a exhorté les citoyens à ne pas relâcher les efforts de respect des
directives et à rester chez eux

 

#ResOuLakaz     #BeSafeMoris

 

 Government Information Service, Prime
Minister’s Office, Level 6, New Government Centre, Port Louis, Mauritius.
Email: 
gis@govmu.org  Website: http://gis.govmu.org  Mobile App: Search Gov​

​​

Covid-19 : Le MRIC lance un appel à propositions spécial pour des projets innovants accélérés

GIS  – 06 avril
2020 :
Le Mauritius
Research and Innovation Council (MRIC)
lance un appel à propositions
spécial pour des projets innovants accélérés visant à contrer les effets du
Covid-19. Les parties intéressées ont jusqu’au vendredi 17 avril 2020 à 14
heures pour soumettre leur proposition.

Cette initiative vise à développer et accélérer la production ainsi que l’adaptation
de techno​logies et de services qui aideront les autorités sanitaires dans leurs
travaux tout en contribuant au déploiement de mesures de protection face à
l’épidémie du Covid-19.

Le MRIC intensifie ses efforts sur le plan national pour soutenir le
gouvernement à contenir tous les risques du Covid-19. A cet effet, des fonds ont
été réservés pour encourager les entrepreneurs, les universitaires, les
chercheurs, les entreprises, et les start-up à mettre en œuvre des projets à
court et moyen termes qui peuvent contribuer à améliorer et accélérer les
efforts du gouvernement face aux défis de la pandémie.

Les principales priorités de cet appel à propositions spécial sont de
développer des contre-mesures innovantes et durables pour atténuer les impacts
directs et indirects du virus, ainsi que de stimuler la volonté des entreprises
à contribuer dans la lutte contre le Covid-19.

Les projets susceptibles d’être financés dans le cadre de cet appel spécial
peuvent s’appuyer sur les infrastructures, les capacités, et les réseaux
existants avec des partenaires locaux. Le soutien apporté dans le cadre de cet
appel à propositions spécial est ciblé sur deux fronts, à savoir, les produits
et services basés sur la technologie ; et les mesures sociales et politiques. Le
montant maximum par subvention, étalé sur 3 à 9 mois, est de Rs 2 millions et Rs
1 million respectivement.

L’appel à propositions spécial est ouvert aux citoyens de Maurice, de
Rodrigues et les autres îles du territoire mauricien. Les parties intéressées
peuvent consulter le site web suivant pour plus d’informations : www.mric.mu.

#ResOuLakaz     #BeSafeMoris


 Government Information Service, Prime
Minister’s Office, Level 6, New Government Centre, Port Louis, Mauritius.
Email: 
gis@govmu.org  Website: http://gis.govmu.org  Mobile App: Search Gov

Covid-19 : Le MRIC lance un appel à propositions spécial pour des projets innovants accélérés

GIS  – 06 avril
2020 :
Le Mauritius
Research and Innovation Council (MRIC)
lance un appel à propositions
spécial pour des projets innovants accélérés visant à contrer les effets du
Covid-19. Les parties intéressées ont jusqu’au vendredi 17 avril 2020 à 14
heures pour soumettre leur proposition.

Cette initiative vise à développer et accélérer la production ainsi que l’adaptation
de techno​logies et de services qui aideront les autorités sanitaires dans leurs
travaux tout en contribuant au déploiement de mesures de protection face à
l’épidémie du Covid-19.

Le MRIC intensifie ses efforts sur le plan national pour soutenir le
gouvernement à contenir tous les risques du Covid-19. A cet effet, des fonds ont
été réservés pour encourager les entrepreneurs, les universitaires, les
chercheurs, les entreprises, et les start-up à mettre en œuvre des projets à
court et moyen termes qui peuvent contribuer à améliorer et accélérer les
efforts du gouvernement face aux défis de la pandémie.

Les principales priorités de cet appel à propositions spécial sont de
développer des contre-mesures innovantes et durables pour atténuer les impacts
directs et indirects du virus, ainsi que de stimuler la volonté des entreprises
à contribuer dans la lutte contre le Covid-19.

Les projets susceptibles d’être financés dans le cadre de cet appel spécial
peuvent s’appuyer sur les infrastructures, les capacités, et les réseaux
existants avec des partenaires locaux. Le soutien apporté dans le cadre de cet
appel à propositions spécial est ciblé sur deux fronts, à savoir, les produits
et services basés sur la technologie ; et les mesures sociales et politiques. Le
montant maximum par subvention, étalé sur 3 à 9 mois, est de Rs 2 millions et Rs
1 million respectivement.

L’appel à propositions spécial est ouvert aux citoyens de Maurice, de
Rodrigues et les autres îles du territoire mauricien. Les parties intéressées
peuvent consulter le site web suivant pour plus d’informations : www.mric.mu.

#ResOuLakaz     #BeSafeMoris


 Government Information Service, Prime
Minister’s Office, Level 6, New Government Centre, Port Louis, Mauritius.
Email: 
gis@govmu.org  Website: http://gis.govmu.org  Mobile App: Search Gov

Vulnerability Summary for the Week of March 30, 2020

Original release date: April 6, 2020

The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

 

High Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
accenture — mercury
 
An XXE issue exists in Accenture Mercury before 1.12.28 because of the platformlambda/core/serializers/SimpleXmlParser.java component. 2020-03-27 7.5 CVE-2020-10990
MISC
MISC
alienform2 — alienform2
 
Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) 2.0.2 is vulnerable to Remote Command Execution via eval injection, a different issue than CVE-2002-0934. An unauthenticated, remote attacker can exploit this via a series of crafted requests. 2020-04-01 10 CVE-2020-10948
MISC
apache — http_server
 
In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. 2020-04-01 7.5 CVE-2020-1934
CONFIRM
MLIST
MLIST
apple — macos_catalina
 
A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.4. An application may be able to execute arbitrary code with system privileges. 2020-04-01 9.3 CVE-2020-3903
MISC
apple — macos_catalina
 
Multiple issues were addressed by updating to version 8.1.1850. This issue is fixed in macOS Catalina 10.15.4. Multiple issues in Vim. 2020-04-01 7.5 CVE-2020-9769
MISC

apple — macos_catalina_and_mojave_and_high_sierra

An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.3. A remote attacker may be able to leak memory. 2020-04-01 10 CVE-2020-3847
MISC

apple — macos_catalina_and_mojave_and_high_sierra

A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.4. A malicious application may be able to execute arbitrary code with kernel privileges. 2020-04-01 9.3 CVE-2020-3892
MISC

apple — macos_catalina_and_mojave_and_high_sierra

A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.4. A malicious application may be able to execute arbitrary code with kernel privileges. 2020-04-01 9.3 CVE-2020-3893
MISC

apple — macos_catalina_and_mojave_and_high_sierra

Multiple memory corruption issues were addressed with improved state management. This issue is fixed in macOS Catalina 10.15.4. A malicious application may be able to execute arbitrary code with kernel privileges. 2020-04-01 9.3 CVE-2020-3904
MISC

apple — macos_catalina_and_mojave_and_high_sierra

A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.3. A remote attacker may be able to cause unexpected application termination or arbitrary code execution. 2020-04-01 7.5 CVE-2020-3849
MISC

apple — macos_catalina_and_mojave_and_high_sierra

A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.4. A malicious application may be able to execute arbitrary code with kernel privileges. 2020-04-01 9.3 CVE-2020-3905
MISC

apple — macos_catalina_and_mojave_and_high_sierra

A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.3. A remote attacker may be able to cause unexpected application termination or arbitrary code execution. 2020-04-01 7.5 CVE-2020-3850
MISC

apple — macos_catalina_and_mojave_and_high_sierra

A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.3. A remote attacker may be able to cause unexpected application termination or arbitrary code execution. 2020-04-01 7.5 CVE-2020-3848
MISC
apple — multiple_products
 
A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Multiple issues in libxml2. 2020-04-01 7.5 CVE-2020-3911
MISC
MISC
MISC
MISC
MISC
MISC
MISC
apple — multiple_products
 
A buffer overflow was addressed with improved size validation. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Multiple issues in libxml2. 2020-04-01 7.5 CVE-2020-3910
MISC
MISC
MISC
MISC
MISC
MISC
MISC
apple — multiple_products
 
A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Multiple issues in libxml2. 2020-04-01 7.5 CVE-2020-3909
MISC
MISC
MISC
MISC
MISC
MISC
MISC
apple — multiple_products
 
Multiple memory corruption issues were addressed with improved state management. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. A malicious application may be able to execute arbitrary code with kernel privileges. 2020-04-01 9.3 CVE-2020-9785
MISC
MISC
MISC
MISC
apple — multiple_products
 
A use after free issue was addressed with improved memory management. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2. An application may be able to execute arbitrary code with system privileges. 2020-04-01 9.3 CVE-2020-9768
MISC
MISC
MISC
apple — multiple_products
 
A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. A malicious application may be able to execute arbitrary code with kernel privileges. 2020-04-01 9.3 CVE-2020-3919
MISC
MISC
MISC
MISC
apple — multiple_products
 
A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Processing maliciously crafted web content may lead to arbitrary code execution. 2020-04-01 9.3 CVE-2020-3895
MISC
MISC
MISC
MISC
MISC
MISC
MISC
apple — multiple_products
 
A memory consumption issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. A remote attacker may be able to cause arbitrary code execution. 2020-04-01 9.3 CVE-2020-3899
MISC
MISC
MISC
MISC
MISC
MISC
apple — multiple_products
 
A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. A remote attacker may be able to cause arbitrary code execution. 2020-04-01 9.3 CVE-2020-3897
MISC
MISC
MISC
MISC
MISC
MISC
MISC

avast — avast_antivirus

An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to bypass intended access restrictions on tasks from an untrusted process, when Self Defense is enabled. 2020-04-01 7.5 CVE-2020-10867
MISC
MISC
MISC
azkaban — azkaban
 
Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorManager.java and user/XmlUserManager.java. 2020-03-27 7.5 CVE-2020-10992
MISC
bubblewrap — bubblewrap
 
Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap –userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update. 2020-03-31 8.5 CVE-2020-5291
MISC
CONFIRM
buildah — buildah
 
A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user’s system anywhere that the user has permissions. 2020-03-31 9.3 CVE-2020-10696
MISC
CONFIRM
MISC
cacagoo — tv-288zd-2mp_devices
 
CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 has weak authentication of TELNET access, leading to root privileges without any password required. 2020-04-02 10 CVE-2020-6852
MISC
MISC
dell — emc_idrac_devices
 
Dell EMC iDRAC7, iDRAC8 and iDRAC9 versions prior to 2.65.65.65, 2.70.70.70, 4.00.00.00 contain a stack-based buffer overflow vulnerability. An unauthenticated remote attacker may exploit this vulnerability to crash the affected process or execute arbitrary code on the system by sending specially crafted input data. 2020-03-31 10 CVE-2020-5344
MISC
effect — effect
 
effect through 1.0.4 is vulnerable to Command Injection. It allows execution of arbitrary command via the options argument. 2020-04-02 7.5 CVE-2020-7624
MISC
MISC
elastic — elasticsearch
 
Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges. 2020-03-31 7.5 CVE-2020-7009
N/A
CONFIRM
N/A
f5 — nginx_controller
 
In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. The user which is created is only able to upload a new license to the system but cannot view or modify any other components of the system. 2020-03-27 7.5 CVE-2020-5863
MISC
git-add-remote — git-add-remote
 
git-add-remote through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the name argument. 2020-04-02 7.5 CVE-2020-7630
MISC
MISC
gitlab — gitlab
 
GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a project import note feature. 2020-03-27 7.5 CVE-2020-10956
CONFIRM
MISC
hiproxy — op-broswer
 
op-browser through 1.0.6 is vulnerable to Command Injection. It allows execution of arbitrary commands via the url function. 2020-04-02 7.5 CVE-2020-7625
MISC
MISC
ibm — spectrum_protect_plus
 
IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote attacker to execute arbitrary commands on the system in the context of root user, caused by improper validation of user-supplied input. IBM X-Force ID: 174966. 2020-03-31 9 CVE-2020-4206
XF
CONFIRM
ibm — spectrum_protect_plus
 
IBM Spectrum Protect Plus 10.1.0 through 10.1.5 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174975. 2020-03-31 7.5 CVE-2020-4208
XF
CONFIRM
ibm — spectrum_protect_plus_and_spectrum_scale
 
IBM Spectrum Scale and IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 175418. 2020-03-31 9 CVE-2020-4241
XF
CONFIRM
ibm — spectrum_protect_plus_and_spectrum_scale
 
IBM Spectrum Scale and IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 175419. 2020-03-31 9 CVE-2020-4242
XF
CONFIRM
install-package — install-package
 
install-package through 0.4.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument. 2020-04-02 7.5 CVE-2020-7629
MISC
MISC
install-package — install-package
 
install-package through 1.1.6 is vulnerable to Command Injection. It allows execution of arbitrary commands via the device function. 2020-04-02 7.5 CVE-2020-7628
MISC
MISC
karma-mojo — karma-mojo
 
karma-mojo through 1.0.1 is vulnerable to Command Injection. It allows execution of arbitrary commands via the config argument. 2020-04-02 7.5 CVE-2020-7626
MISC
MISC
ksh — ksh
 
In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely. 2020-04-02 7.2 CVE-2019-14868
CONFIRM
MISC
laminar_research — x-plane
 
X-Plane before 11.41 allows Arbitrary Memory Write via crafted network packets, which could cause a denial of service or arbitrary code execution. 2020-03-30 7.5 CVE-2019-19605
MISC
laminar_research — x-plane
 
X-Plane before 11.41 has multiple improper path validations that could allow reading and writing files from/to arbitrary paths (or a leak of OS credentials to a remote system) via crafted network packets. This could be used to execute arbitrary commands on the system. 2020-03-30 10 CVE-2019-19606
MISC
lenovo — multiple_notebooks
 
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A buffer overflow vulnerability was reported, (fixed and publicly disclosed in 2015) in the Lenovo Service Engine (LSE), affecting various versions of BIOS for Lenovo Notebooks, that could allow a remote user to execute arbitrary code on the system. 2020-03-27 10 CVE-2015-5684
MISC
lenovo — multiple_products MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A local privilege escalation vulnerability was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and prior where the SUService.exe /type COMMAND type could allow a user to execute arbitrary code with elevated privileges. 2020-03-27 7.2 CVE-2015-7334
MISC
lenovo — multiple_products
 
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A local privilege escalation vulnerability was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and prior where the SUService.exe /type INF and INF_BY_COMPATIBLE_ID command types could allow a user to execute arbitrary code with elevated privileges. 2020-03-27 7.2 CVE-2015-7333
MISC
lenovo — solution_center
 
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A local privilege escalation vulnerability was discovered (fixed and publicly disclosed in 2015) in Lenovo Solution Center (LSC) prior to version 3.3.002 that could allow a user to execute arbitrary code with elevated privileges. 2020-03-27 7.2 CVE-2015-8534
MISC
lenovo — solution_center
 
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A directory traversal vulnerability was discovered (fixed and publicly disclosed in 2015) in Lenovo Solution Center (LSC) prior to version 3.3.002 that could allow a user to execute arbitrary code with elevated privileges. 2020-03-27 7.2 CVE-2015-8535
MISC
march_networks — command_client
 
The connection initiation process in March Networks Command Client before 2.7.2 allows remote attackers to execute arbitrary code via crafted XAML objects. 2020-04-01 7.5 CVE-2019-9163
CONFIRM
mongodb — js-bson
 
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object’s _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type. 2020-03-30 7.5 CVE-2020-7610
MISC
mulesoft — apikit
 
Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java 2020-03-27 7.5 CVE-2020-10991
MISC
node-key-sender — node-key-sender
 
node-key-sender through 1.0.11 is vulnerable to Command Injection. It allows execution of arbitrary commands via the ‘arrParams’ argument in the ‘execute()’ function. 2020-04-02 7.5 CVE-2020-7627
MISC
MISC
objectcomputing — micronaut
 
All versions of io.micronaut:micronaut-http-client before 1.2.11 and all versions from 1.3.0 before 1.3.2 are vulnerable to HTTP Request Header Injection due to not validating request headers passed to the client. 2020-03-30 7.5 CVE-2020-7611
MISC
MISC
MISC
odata4j — odata4j odata4j 0.7.0 allows ExecuteJPQLQueryCommand.java SQL injection. NOTE: this product is apparently discontinued. 2020-03-30 7.5 CVE-2016-11024
MISC
odata4j — odata4j
 
odata4j 0.7.0 allows ExecuteCountQueryCommand.java SQL injection. NOTE: this product is apparently discontinued. 2020-03-30 7.5 CVE-2016-11023
MISC
paessler — prtg_network_monitor
 
A webserver component in Paessler PRTG Network Monitor 19.2.50 to PRTG 20.1.56 allows unauthenticated remote command execution via a crafted POST request or the what parameter of the screenshot function in the Contact Support form. 2020-03-30 7.5 CVE-2020-10374
MISC
CONFIRM
pam-krb5 — pam-krb5
 
pam-krb5 before 4.9 has a buffer overflow that might cause remote code execution in situations involving supplemental prompting by a Kerberos library. It may overflow a buffer provided by the underlying Kerberos library by a single ‘\0’ byte if an attacker responds to a prompt with an answer of a carefully chosen length. The effect may range from heap corruption to stack corruption depending on the structure of the underlying Kerberos library, with unknown effects but possibly including code execution. This code path is not used for normal authentication, but only when the Kerberos library does supplemental prompting, such as with PKINIT or when using the non-standard no_prompt PAM configuration option. 2020-03-31 7.5 CVE-2020-10595
CONFIRM
CONFIRM
MLIST
UBUNTU
DEBIAN
sonatype — nexus_repository_manager Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution. 2020-04-01 9 CVE-2020-10204
CONFIRM
sonatype — nexus_repository_manager Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2). 2020-04-01 9 CVE-2020-10199
CONFIRM
unisoon — ultralog_express
 
UltraLog Express device management interface does not properly filter user inputted string in some specific parameters, attackers can inject arbitrary SQL command. 2020-03-27 7.5 CVE-2020-3936
MISC

university_of_southern_california — innovation_in_integrated_informatics_lab_cereal

An issue was discovered in USC iLab cereal through 1.3.0. It employs caching of std::shared_ptr values, using the raw pointer address as a unique identifier. This becomes problematic if an std::shared_ptr variable goes out of scope and is freed, and a new std::shared_ptr is allocated at the same address. Serialization fidelity thereby becomes dependent upon memory layout. In short, serialized std::shared_ptr variables cannot always be expected to serialize back into their original values. This can have any number of consequences, depending on the context within which this manifests. 2020-03-30 7.5 CVE-2020-11105
MISC
vertiv — avocent_umg-400_devices
 
The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is vulnerable to command injection because the application incorrectly neutralizes code syntax before executing. Since all commands within the web application are executed as root, this could allow a remote attacker authenticated with an administrator account to execute arbitrary commands as root. 2020-03-30 9 CVE-2019-9507
MISC
MISC
wordpress — wordpress
 
An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the data isn’t sanitized, and no input validation is performed, before the exporting of the user data. This can lead to (at least) CSV injection if a crafted Excel document is uploaded. 2020-04-01 7.5 CVE-2020-7947
MISC
CONFIRM
CONFIRM
MISC
wordpress — wordpress
 
LearnDash WordPress plugin version below 3.1.6 is vulnerable to Unauthenticated SQL Injection. 2020-04-01 7.5 CVE-2020-6009
MISC
wordpress — wordpress
 
LifterLMS WordPress plugin version below 3.37.15 is vulnerable to arbitrary file write leading to remote code execution 2020-03-31 7.5 CVE-2020-6008
MISC
yamaha — multiple_products
 
Yamaha LTE VoIP Router(NVR700W firmware Rev.15.00.15 and earlier), Yamaha Gigabit VoIP Router(NVR510 firmware Rev.15.01.14 and earlier), Yamaha Gigabit VPN Router(RTX810 firmware Rev.11.01.33 and earlier, RTX830 firmware Rev.15.02.09 and earlier, RTX1200 firmware Rev.10.01.76 and earlier, RTX1210 firmware Rev.14.01.33 and earlier, RTX3500 firmware Rev.14.00.26 and earlier, and RTX5000 firmware Rev.14.00.26 and earlier), Yamaha Broadband VoIP Router(NVR500 firmware Rev.11.00.38 and earlier), and Yamaha Firewall(FWX120 firmware Rev.11.03.27 and earlier) allow remote attackers to cause a denial of service via unspecified vectors. 2020-04-01 7.8 CVE-2020-5548
MISC
MISC
zoom — client_for_meetings Zoom Client for Meetings through 4.6.8 on macOS copies runwithroot to a user-writable temporary directory during installation, which allows a local process (with the user’s privileges) to obtain root access by replacing runwithroot. 2020-04-01 7.2 CVE-2020-11469
MISC
MISC

Back to top

 

Medium Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
abb — esoms For ABB eSOMS versions 4.0 to 6.0.3, the X-Content-Type-Options Header is missing in the HTTP response, potentially causing the response body to be interpreted and displayed as different content type other than declared. A possible attack scenario would be unauthorized code execution via text interpreted as JavaScript. 2020-04-02 4.3 CVE-2019-19089
CONFIRM
abb — esoms For ABB eSOMS versions 4.0 to 6.0.2, the X-Frame-Options header is not configured in HTTP response. This can potentially allow ‘ClickJacking’ attacks where an attacker can frame parts of the application on a malicious web site, revealing sensitive user information such as authentication credentials. 2020-04-02 4.3 CVE-2019-19001
CONFIRM
abb — esoms
 
Lack of input checks for SQL queries in ABB eSOMS versions 3.9 to 6.0.3 might allow an attacker SQL injection attacks against the backend database. 2020-04-02 6.5 CVE-2019-19094
CONFIRM
abb — esoms
 
For ABB eSOMS versions 4.0 to 6.0.2, the HTTPOnly flag is not set. This can allow Javascript to access the cookie contents, which in turn might enable Cross Site Scripting. 2020-04-02 4.3 CVE-2019-19003
CONFIRM
abb — esoms
 
ABB eSOMS versions 4.0 to 6.0.3 accept connections using medium strength ciphers. If a connection is enabled using such a cipher, an attacker might be able to eavesdrop and/or intercept the connection. 2020-04-02 4.3 CVE-2019-19097
CONFIRM
abb — esoms
 
eSOMS versions 4.0 to 6.0.3 do not enforce password complexity settings, potentially resulting in lower access security due to insecure user passwords. 2020-04-02 6.4 CVE-2019-19093
CONFIRM
abb — esoms
 
For ABB eSOMS 4.0 to 6.0.3, the Cache-Control and Pragma HTTP header(s) have not been properly configured within the application response. This can potentially allow browsers and proxies to cache sensitive information. 2020-04-02 6.4 CVE-2019-19000
CONFIRM
abb — esoms
 
For ABB eSOMS versions 4.0 to 6.0.3, HTTPS responses contain comments with sensitive information about the application. An attacker might use this detail information to specifically craft the attack. 2020-04-02 4 CVE-2019-19091
CONFIRM
advantech — webaccess
 
In Advantech WebAccess, Versions 8.4.2 and prior. A stack-based buffer overflow vulnerability caused by a lack of proper validation of the length of user-supplied data may allow remote code execution. 2020-03-27 6.5 CVE-2020-10607
MISC
advantech — webaccess
 
Advantech WebAccess 8.3.4 does not properly restrict an RPC call that allows unauthenticated, remote users to read files. An attacker can use this vulnerability to recover the administrator password. 2020-04-01 5 CVE-2019-3942
MISC
apache — dubbo
 
Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions. 2020-04-01 6.8 CVE-2019-17564
MISC
apache — http_server
 
In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL. 2020-04-02 5.8 CVE-2020-1927
MLIST
MLIST
CONFIRM
MLIST
MLIST
apache — netbeans The “Apache NetBeans” autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. “Apache NetBeans” versions up to and including 11.2 are affected by this vulnerability. 2020-03-30 6.4 CVE-2019-17560
MISC
apache — netbeans
 
The “Apache NetBeans” autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code. “Apache NetBeans” versions up to and including 11.2 are affected by this vulnerability. 2020-03-30 5 CVE-2019-17561
MISC
apache — ofbiz Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07. 2020-04-01 4.3 CVE-2020-1943
MISC
apache — sling_cms
 
Scripts in Sling CMS before 0.16.0 do not property escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks. 2020-04-01 4.3 CVE-2020-1949
MISC
apache — solr
 
In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin). 2020-04-01 4 CVE-2018-11802
MISC
apple — ios_and_ipados A logic issue was addressed with improved state management. This issue is fixed in iOS 13.4 and iPadOS 13.4. An attacker in a privileged network position may be able to intercept Bluetooth traffic. 2020-04-01 4 CVE-2020-9770
MISC
apple — ios_and_ipados An issue existed in the selection of video file by Mail. The issue was fixed by selecting the latest version of a video. This issue is fixed in iOS 13.4 and iPadOS 13.4. Cropped videos may not be shared properly via Mail. 2020-04-01 5 CVE-2020-9777
MISC
apple — ios_and_ipados
 
A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4. A maliciously crafted page may interfere with other web contexts. 2020-04-01 4.3 CVE-2020-3888
MISC
apple — ios_and_ipados
 
The issue was addressed by clearing website permission prompts after navigation. This issue is fixed in iOS 13.4 and iPadOS 13.4. A user may grant website permissions to a site they didn’t intend to. 2020-04-01 5 CVE-2020-9781
MISC
apple — ios_and_ipados
 
The issue was addressed with improved deletion. This issue is fixed in iOS 13.4 and iPadOS 13.4. Deleted messages groups may still be suggested as an autocompletion. 2020-04-01 5 CVE-2020-3890
MISC
apple — ios_and_ipados
 
An issue existed in the handling of tabs displaying picture in picture video. The issue was corrected with improved state handling. This issue is fixed in iOS 13.4 and iPadOS 13.4. A user’s private browsing activity may be unexpectedly saved in Screen Time. 2020-04-01 5 CVE-2020-9775
MISC
apple — macos_catalina
 
This issue was addressed with a new entitlement. This issue is fixed in macOS Catalina 10.15.4. A malicious application may be able to access a user’s call history. 2020-04-01 4.3 CVE-2020-9776
MISC
apple — macos_high_sierra_and_catalina An injection issue was addressed with improved validation. This issue is fixed in macOS Catalina 10.15.4. A remote attacker may be able to cause arbitrary javascript code execution. 2020-04-01 4.3 CVE-2020-3884
MISC
apple — macos_mojave_and_catalina
 
A logic issue was addressed with improved restrictions. This issue is fixed in macOS Catalina 10.15.4. A maliciously crafted application may be able to bypass code signing enforcement. 2020-04-01 6.8 CVE-2020-3906
MISC

apple — macos_mojave_and_catalina_and_high_sierrra

An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.4. A local user may be able to cause unexpected system termination or read kernel memory. 2020-04-01 6.6 CVE-2020-3908
MISC

apple — macos_mojave_and_catalina_and_high_sierrra

An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.4. A local user may be able to cause unexpected system termination or read kernel memory. 2020-04-01 6.6 CVE-2020-3912
MISC

apple — macos_mojave_and_catalina_and_high_sierrra

An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.4. A local user may be able to cause unexpected system termination or read kernel memory. 2020-04-01 6.6 CVE-2020-3907
MISC
apple — multiple_devices
 
A use after free issue was addressed with improved memory management. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Processing maliciously crafted web content may lead to code execution. 2020-04-01 6.8 CVE-2020-9783
MISC
MISC
MISC
MISC
MISC
MISC
apple — multiple_products A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. An application may be able to read restricted memory. 2020-04-01 4.3 CVE-2020-3914
MISC
MISC
MISC
MISC
apple — multiple_products A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. A download’s origin may be incorrectly associated. 2020-04-01 4.3 CVE-2020-3887
MISC
MISC
MISC
MISC
MISC
MISC
apple — multiple_products
 
The issue was addressed with improved handling of icon caches. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. A malicious application may be able to identify what other applications a user has installed. 2020-04-01 4.3 CVE-2020-9773
MISC
MISC
MISC
MISC
apple — multiple_products
 
A permissions issue existed. This issue was addressed with improved permission validation. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, watchOS 6.2. A malicious application may be able to elevate privileges. 2020-04-01 6.8 CVE-2020-3913
MISC
MISC
MISC
apple — multiple_products
 
An input validation issue was addressed with improved input validation. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Processing maliciously crafted web content may lead to a cross site scripting attack. 2020-04-01 4.3 CVE-2020-3902
MISC
MISC
MISC
MISC
MISC
MISC
apple — multiple_products
 
A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Processing maliciously crafted web content may lead to arbitrary code execution. 2020-04-01 6.8 CVE-2020-3900
MISC
MISC
MISC
MISC
MISC
MISC
MISC
apple — multiple_products
 
An access issue was addressed with additional sandbox restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, watchOS 6.2. Setting an alternate app icon may disclose a photo without needing permission to access photos. 2020-04-01 5 CVE-2020-3916
MISC
MISC

apple — multiple_products

 

A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Processing maliciously crafted web content may lead to arbitrary code execution. 2020-04-01 6.8 CVE-2020-3901
MISC
MISC
MISC
MISC
MISC
MISC
MISC
apple — safari
 
A logic issue was addressed with improved restrictions. This issue is fixed in Safari 13.1. A malicious iframe may use another website’s download settings. 2020-04-01 4.3 CVE-2020-9784
MISC
avast — avast_antivirus
 
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to make arbitrary changes to the Components section of the Stats.ini file via RPC from a Low Integrity process. 2020-04-01 5 CVE-2020-10865
MISC
MISC
MISC
avast — avast_antivirus
 
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to achieve Arbitrary File Deletion from Avast Program Path via RPC, when Self Defense is Enabled. 2020-04-01 6.4 CVE-2020-10861
MISC
MISC
MISC
avast — avast_antivirus
 
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to launch the Repair App RPC call from a Low Integrity process. 2020-04-01 5 CVE-2020-10868
MISC
MISC
MISC
avast — avast_antivirus
 
An issue was discovered in Avast Antivirus before 20. An Arbitrary Memory Address Overwrite vulnerability in the aswAvLog Log Library results in Denial of Service of the Avast Service (AvastSvc.exe). 2020-04-01 5 CVE-2020-10860
MISC
MISC
MISC
avast — avast_antivirus
 
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to trigger a shutdown via RPC from a Low Integrity process via TempShutDownMachine. 2020-04-01 5 CVE-2020-10863
MISC
MISC
MISC
avast — avast_antivirus
 
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to achieve Local Privilege Escalation (LPE) via RPC. 2020-04-01 4.6 CVE-2020-10862
MISC
MISC
MISC
avast — avast_antivirus
 
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to trigger a reboot via RPC from a Low Integrity process. 2020-04-01 5 CVE-2020-10864
MISC
MISC
MISC
avast — avast_antivirus
 
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to enumerate the network interfaces and access points from a Low Integrity process via RPC. 2020-04-01 5 CVE-2020-10866
MISC
MISC
MISC

cacagoo — cloud_storage_intelligent_camera_tv_288zd-2mp

The CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 allows access to the RTSP service without a password. 2020-04-02 5 CVE-2020-9349
MISC
MISC
deskpro — deskpro
 
An issue was discovered in Deskpro before 2019.8.0. The /api/people endpoint failed to properly validate a user’s privilege, allowing an attacker to retrieve sensitive information about all users registered on the system. This includes their full name, privilege, email address, phone number, etc. 2020-04-01 4 CVE-2020-11464
MISC
MISC
MISC
deskpro — deskpro
 
An issue was discovered in Deskpro before 2019.8.0. The /api/tickets endpoint failed to properly validate a user’s privilege, allowing an attacker to retrieve arbitrary information about all helpdesk tickets stored in database with numerous filters. This leaked sensitive information to unauthorized parties. Additionally, it leaked ticket authentication code, making it possible to make changes to a ticket. 2020-04-01 4 CVE-2020-11466
MISC
MISC
MISC
deskpro — deskpro
 
An issue was discovered in Deskpro before 2019.8.0. The /api/email_accounts endpoint failed to properly validate a user’s privilege, allowing an attacker to retrieve cleartext credentials of all helpdesk email accounts, including incoming and outgoing email credentials. This enables an attacker to get full access to all emails sent or received by the system including password reset emails, making it possible to reset any user’s password. 2020-04-01 5 CVE-2020-11463
MISC
MISC
MISC
deskpro — deskpro
 
An issue was discovered in Deskpro before 2019.8.0. The /api/apps/* endpoints failed to properly validate a user’s privilege, allowing an attacker to control/install helpdesk applications and leak current applications’ configurations, including applications used as user sources (used for authentication). This enables an attacker to forge valid authentication models that resembles any user on the system. 2020-04-01 6.5 CVE-2020-11465
MISC
MISC
MISC
deskpro — deskpro
 
An issue was discovered in Deskpro before 2019.8.0. This product enables administrators to modify the helpdesk interface by editing /portal/api/style/edit-theme-set/template-sources theme templates, and uses TWIG as its template engine. While direct access to self and _self variables was not permitted, one could abuse the accessible variables in one’s context to reach a native unserialize function via the code parameter. There, on could pass a crafted payload to trigger a set of POP gadgets in order to achieve remote code execution. 2020-04-01 6.5 CVE-2020-11467
MISC
MISC
MISC
f5 — big-ip On BIG-IP 15.1.0.1, specially formatted HTTP/3 messages may cause TMM to produce a core file. 2020-03-27 5 CVE-2020-5859
MISC
f5 — big-ip On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.2, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, undisclosed HTTP behavior may lead to a denial of service. 2020-03-27 5 CVE-2020-5857
MISC
f5 — big-ip On BIG-IP 15.1.0-15.1.0.1, 15.0.0-15.0.1.1, and 14.1.0-14.1.2.2, under certain conditions, TMM may crash or stop processing new traffic with the DPDK/ENA driver on AWS systems while sending traffic. This issue does not affect any other platforms, hardware or virtual, or any other cloud provider since the affected driver is specific to AWS. 2020-03-27 5 CVE-2020-5862
MISC
f5 — big-ip On BIG-IP 12.1.0-12.1.5, the TMM process may produce a core file in some cases when Ram Cache incorrectly optimizes stored data resulting in memory errors. 2020-03-27 5 CVE-2020-5861
MISC
f5 — big-ip
 
On BIG-IP 15.0.0-15.0.1.2, 14.1.0-14.1.2.2, 13.1.0-13.1.3.2, 12.1.0-12.1.5, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, users with non-administrator roles (for example, Guest or Resource Administrator) with tmsh shell access can execute arbitrary commands with elevated privilege via a crafted tmsh command. 2020-03-27 4.6 CVE-2020-5858
MISC
f5 — big-ip_and_big-iq
 
On BIG-IP 15.0.0-15.1.0.2, 14.1.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5.1, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, in a High Availability (HA) network failover in Device Service Cluster (DSC), the failover service does not require a strong form of authentication and HA network failover traffic is not encrypted by Transport Layer Security (TLS). 2020-03-27 6.8 CVE-2020-5860
MISC
fasterxml — jackson-databind
 
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). 2020-03-31 6.8 CVE-2020-11111
MISC
MISC
CONFIRM
fasterxml — jackson-databind
 
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). 2020-03-31 6.8 CVE-2020-11113
MISC
MISC
CONFIRM
fasterxml — jackson-databind
 
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). 2020-03-31 6.8 CVE-2020-11112
MISC
MISC
CONFIRM
fortinet — fortios
 
An external control of system vulnerability in FortiOS may allow an authenticated, regular user to change the routing settings of the device via connecting to the ZebOS component. 2020-04-02 6.5 CVE-2018-13371
MISC
gitlab — gitlab
 
GitLab through 12.9 is affected by a potential DoS in repository archive download. 2020-03-27 5 CVE-2020-10954
CONFIRM
MISC
gitlab — gitlab_community_and_enterprise_editions
 
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images. 2020-03-27 5.8 CVE-2020-10952
CONFIRM
MISC
gitlab — gitlab_community_and_enterprise_editions
 
GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders. 2020-03-27 4 CVE-2020-10955
CONFIRM
MISC
gitlab — gitlab_enterprise_edition
 
In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a path traversal issue. 2020-03-27 5 CVE-2020-10953
CONFIRM
MISC
grandstream — ucm6200_series_devices
 
The UCM6200 series 1.0.20.22 and below stores unencrypted user passwords in an SQLite database. This could allow an attacker to retrieve all passwords and possibly gain elevated privileges. 2020-03-30 5 CVE-2020-5723
CONFIRM
grandstream — ucm6200_series_devices
 
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server’s websockify endpoint. A remote unauthenticated attacker can invoke the login action with a crafted username and, through the use of timing attacks, can discover user passwords. 2020-03-30 4.3 CVE-2020-5725
MISC
CONFIRM
grandstream — ucm6200_series_devices
 
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the CTI server on port 8888. A remote unauthenticated attacker can invoke the challenge action with a crafted username and discover user passwords. 2020-03-30 5 CVE-2020-5726
MISC
CONFIRM
grandstream — ucm6200_series_devices
 
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server’s websockify endpoint. A remote unauthenticated attacker can invoke the challenge action with a crafted username and discover user passwords. 2020-03-30 5 CVE-2020-5724
CONFIRM
gstreamer — gst-rtsp-server An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability. 2020-03-27 5 CVE-2020-6095
MISC
MISC
haproxy — haproxy
 
In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution. 2020-04-02 6.5 CVE-2020-11100
SUSE
MISC
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
huawei — multiple_smartax_devices There is a buffer overflow vulnerability in some Huawei products. The vulnerability can be exploited by an attacker to perform remote code execution on the affected products when the affected product functions as an optical line terminal (OLT). Affected product versions include:SmartAX MA5600T versions V800R013C10, V800R015C00, V800R015C10, V800R017C00, V800R017C10, V800R018C00, V800R018C10; SmartAX MA5800 versions V100R017C00, V100R017C10, V100R018C00, V100R018C10, V100R019C10; SmartAX EA5800 versions V100R018C00, V100R018C10, V100R019C10. 2020-04-02 5.2 CVE-2020-9067
CONFIRM
ibm — process_federation_server
 
The IBM Process Federation Server 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, and 19.0.0.3 Global Teams REST API does not properly shutdown the thread pools that it creates to retrieve Global Teams information from the federated systems. As a consequence, the Java Virtual Machine can’t recover the memory used by those thread pools, which leads to an OutOfMemory exception when the Process Federation Server Global Teams REST API is used extensively. IBM X-Force ID: 177596. 2020-04-02 4 CVE-2020-4325
XF
CONFIRM
ibm — spectrum_protect_plus
 
IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to overwrite or create arbitrary files on the system. IBM X-Force ID: 175417. 2020-03-31 6.4 CVE-2020-4240
XF
CONFIRM
ibm — spectrum_protect_plus
 
IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote attacker to arbitrary delete a directory caused by improper validation of user-supplied input. IBM X-Force ID: 175026. 2020-03-31 6.4 CVE-2020-4214
XF
CONFIRM
ibm — tivoli_netcool_impact
 
IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 175412. 2020-03-31 5 CVE-2020-4239
XF
CONFIRM
ibm — tivoli_netcool_impact
 
IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 175411. 2020-03-31 6.8 CVE-2020-4238
XF
CONFIRM
ibm — tivoli_netcool_impact
 
IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 175410. 2020-03-31 6.8 CVE-2020-4237
XF
CONFIRM
ibm — tivoli_netcool_impact
 
IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 could allow an authenticated user to cause a denial of service due to improper content parsing in the project management module. IBM X-Force ID: 175409. 2020-03-31 4 CVE-2020-4236
XF
CONFIRM
ibm — websphere_application_server_liberty
 
IBM WebSphere Application Server – Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176670. 2020-04-02 4.3 CVE-2020-4304
XF
CONFIRM
ibm — websphere_application_server_liberty
 
IBM WebSphere Application Server – Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176668. 2020-04-02 4.3 CVE-2020-4303
XF
CONFIRM
intland_software — codebeamer codeBeamer before 9.5.0-RC3 does not properly restrict the ability to execute custom Java code and access the Java class loader via computed fields. 2020-04-02 4.3 CVE-2019-20635
MISC
kubernetes — api_server The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests. 2020-03-27 5 CVE-2020-8552
MISC
MISC
kubernetes — api_server
 
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML. 2020-04-01 4 CVE-2019-11254
MISC
MISC
leantime — leantime
 
Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. The impact is high. Malicious users/attackers can execute arbitrary SQL queries negatively affecting the confidentiality, integrity, and availability of the site. Attackers can exfiltrate data like the users’ and administrators’ password hashes, modify data, or drop tables. The unescaped parameter is “searchUsers” when sending a POST request to “/tickets/showKanban” with a valid session. In the code, the parameter is named “users” in class.tickets.php. This issue is fixed in versions 2.0.15 and 2.1.0 beta 3. 2020-03-31 6.5 CVE-2020-5292
MISC
MISC
CONFIRM
lenovo — lenovo_solution_center
 
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A vulnerability was discovered (fixed and publicly disclosed in 2015) in Lenovo Solution Center (LSC) prior to version 3.3.002 that could allow cross-site request forgery. 2020-03-27 6.8 CVE-2015-8536
MISC
lenovo — multiple_devices
 
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A race condition was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and prior that could allow a user to execute arbitrary code with elevated privileges. 2020-03-27 6.9 CVE-2015-7335
MISC
lenovo — multiple_devices
 
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A vulnerability was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and prior that could allow the signature check of an update to be bypassed. 2020-03-27 5 CVE-2015-7336
MISC
limesurvey — limesurvey
 
LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php. 2020-04-01 5 CVE-2020-11455
MISC
limesurvey — limesurvey
 
LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups). 2020-04-01 4.3 CVE-2020-11456
MISC
microstrategy — web_services
 
The Upload Visualization plugin in the Microstrategy Web 10.4 admin panel allows an administrator to upload a ZIP archive containing files with arbitrary extensions and data. (This is also exploitable via SSRF.) 2020-04-02 6.5 CVE-2020-11451
MISC
FULLDISC
MISC
MISC
microstrategy — web_services
 
Microstrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and, while it is not possible to pass parameters in the SSRF request, it is still possible to exploit it to conduct port scanning. An attacker could exploit this vulnerability to enumerate the resources allocated in the network (IP addresses and services exposed). 2020-04-02 5 CVE-2020-11453
MISC
FULLDISC
MISC
MISC
microstrategy — web_services
 
Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL /MicroStrategyWS/happyaxis.jsp. An attacker could use this vulnerability to learn more about the environment the application is running in. 2020-04-02 5 CVE-2020-11450
MISC
FULLDISC
MISC
MISC
microstrategy — web_services
 
Microstrategy Web 10.4 includes functionality to allow users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it’s possible to send requests to external resources (aka SSRF) or leak files from the local system using the file:// stream wrapper. 2020-04-02 4 CVE-2020-11452
MISC
FULLDISC
MISC
MISC
misp_project — misp
 
app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not cause a leak of the full contents of a file, but does cause a leaks of strings that match certain patterns. Among the data that can leak are passwords from database.php or GPG key passphrases from config.php. 2020-04-02 4 CVE-2020-11458
MISC
MISC
mongodb — js-bson
 
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. 2020-03-31 5.5 CVE-2019-2391
CONFIRM
moodle — moodle
 
A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier. OAuth 2 providers who do not verify users’ email address changes require additional verification during sign-up to reduce the risk of account compromise. 2020-03-31 6.4 CVE-2019-14880
CONFIRM
MISC
open_source_social_network — open_source_social_network An issue was discovered in Open Source Social Network (OSSN) through 5.3. A user-controlled file path with a weak cryptographic rand() can be used to read any file with the permissions of the webserver. This can lead to further compromise. The attacker must conduct a brute-force attack against the SiteKey to insert into a crafted URL for components/OssnComments/ossn_com.php and/or libraries/ossn.lib.upgrade.php. 2020-03-30 4.3 CVE-2020-10560
MISC
MISC
osmand — osmand
 
Osmand through 2.0.0 allow XXE because of binary/BinaryMapIndexReader.java. 2020-03-27 6.4 CVE-2020-10993
MISC

otrs — open_ticket_request_system_and_open_ticket_request_system_community_edition

An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions. 2020-03-27 5.5 CVE-2020-1773
MISC

otrs — open_ticket_request_system_and_open_ticket_request_system_community_edition

In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. 2020-03-27 4 CVE-2020-1769
MISC

otrs — open_ticket_request_system_and_open_ticket_request_system_community_edition

It’s possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. 2020-03-27 5 CVE-2020-1772
MISC

otrs — open_ticket_request_system_and_open_ticket_request_system_community_edition

Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. 2020-03-27 4 CVE-2020-1770
MISC
phoenix_contact — pc_worx_srt Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation. 2020-03-27 4.6 CVE-2020-10939
CONFIRM
phoenix_contact — portico_server Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service. 2020-03-27 4.6 CVE-2020-10940
CONFIRM
php — php In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while parsing EXIF data with exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of uninitialized memory. This could potentially lead to information disclosure or crash. 2020-04-01 5.8 CVE-2020-7064
MISC
CONFIRM
php — php
 
In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution. 2020-04-01 6.8 CVE-2020-7065
MISC
CONFIRM
php — php
 
In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while using get_headers() with user-supplied URL, if the URL contains zero (\0) character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() and possibly send some information to a wrong server. 2020-04-01 4.3 CVE-2020-7066
MISC
CONFIRM
progress_software — telerik_ui_for_silverlight
 
An issue was discovered in Progress Telerik UI for Silverlight before 2020.1.330. The RadUploadHandler class in RadUpload for Silverlight expects a web request that provides the file location of the uploading file along with a few other parameters. The uploading file location should be inside the directory where the upload handler class is defined. Before 2020.1.330, a crafted web request could result in uploads to arbitrary locations. 2020-03-31 5 CVE-2020-11414
MISC
proofpoint — email_protection An issue was discovered in Proofpoint Email Protection through 2019-09-08. By collecting scores from Proofpoint email headers, it is possible to build a copy-cat Machine Learning Classification model and extract insights from this model. The insights gathered allow an attacker to craft emails that receive preferable scores, with a goal of delivering malicious emails. 2020-03-30 6.4 CVE-2019-20634
MISC
MISC
red_hat — ansible_engine
 
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible’s nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues. 2020-03-31 4.6 CVE-2019-14905
REDHAT
REDHAT
CONFIRM
FEDORA
red_hat — openshift/apb-base
 
An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/apb-base, affecting versions before the following 4.3.5, 4.2.21, 4.1.37, and 3.11.188-4. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. 2020-04-02 4.4 CVE-2019-19348
CONFIRM
red_hat — openshift/mariadb-apb
 
An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/mariadb-apb, affecting versions before the following 4.3.5, 4.2.21, 4.1.37, and 3.11.188-4 . An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. 2020-04-02 4.4 CVE-2019-19346
CONFIRM
redpwn — redpwnctf
 
In RedpwnCTF before version 2.3, there is a session fixation vulnerability in exploitable through the `#token=$ssid` hash when making a request to the `/verify` endpoint. An attacker team could potentially steal flags by, for example, exploiting a stored XSS payload in a CTF challenge so that victim teams who solve the challenge are unknowingly (and against their will) signed into the attacker team's account. Then, the attacker can gain points / value off the backs of the victims. This is patched in version 2.3. 2020-04-01 4.3 CVE-2020-5290
MISC
CONFIRM
responsive_filemanager — responsive_filemanager An issue was discovered in Responsive Filemanager through 9.14.0. In the dialog.php page, the session variable $_SESSION[‘RF’][“view_type”] wasn’t sanitized if it was already set. This made stored XSS possible if one opens ajax_calls.php and uses the “view” action and places a payload in the type parameter, and then returns to the dialog.php page. This occurs because ajax_calls.php was also able to set the $_SESSION[‘RF’][“view_type”] variable, but there it wasn’t sanitized. 2020-03-30 4.3 CVE-2020-11106
MISC
sunnet_technology — ehrd Sunnet eHRD, a human training and development management system, improperly stores system files. Attackers can use a specific URL and capture confidential information. 2020-03-27 5 CVE-2020-10508
CONFIRM
MISC
sunnet_technology — ehrd Sunnet eHRD, a human training and development management system, contains vulnerability of Cross-Site Scripting (XSS), attackers can inject arbitrary command into the system and launch XSS attack. 2020-03-27 4.3 CVE-2020-10509
CONFIRM
MISC
sunnet_technology — ehrd
 
Sunnet eHRD, a human training and development management system, contains a vulnerability of Broken Access Control. After login, attackers can use a specific URL, access unauthorized functionality and data. 2020-03-27 4 CVE-2020-10510
CONFIRM
MISC
symfony — symfony
 
In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7. 2020-03-30 4 CVE-2020-5255
MISC
CONFIRM
MISC
symfony — symfony
 
In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule’s attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7. 2020-03-30 5.5 CVE-2020-5275
CONFIRM
CONFIRM
symfony — symfony
 
In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the stacktrace is only display in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5 2020-03-30 5.5 CVE-2020-5274
MISC
MISC
CONFIRM
technicolor — tc7337_devices
 
An issue was discovered on Technicolor TC7337 8.89.17 devices. An attacker can discover admin credentials in the backup file, aka backupsettings.conf. 2020-04-01 5 CVE-2020-11449
MISC
tikiwiki — groupware_and_cms
 
There is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in php webpages of Tiki-Wiki Groupware. Tiki-Wiki CMS all versions through 20.0 allows malicious users to cause the injection of malicious code fragments (scripts) into a legitimate web page. 2020-04-01 4.3 CVE-2020-8966
CONFIRM
CONFIRM
totemo — totemomail An insecure direct object reference in webmail in totemo totemomail 7.0.0 allows an authenticated remote user to read and modify mail folder names of other users via enumeration. 2020-03-27 5.5 CVE-2020-7918
MISC
MISC
toyota — model_year_2017_display_control_unit
 
Toyota 2017 Model Year DCU (Display Control Unit) allows an unauthenticated attacker within Bluetooth range to cause a denial of service attack and/or execute an arbitrary command. The affected DCUs are installed in Lexus (LC, LS, NX, RC, RC F), TOYOTA CAMRY, and TOYOTA SIENNA manufactured in the regions other than Japan from Oct. 2016 to Oct. 2019. An attacker with certain knowledge on the target vehicle control system may be able to send some diagnostic commands to ECUs with some limited availability impacts; the vendor states critical vehicle controls such as driving, turning, and stopping are not affected. 2020-03-30 5.4 CVE-2020-5551
MISC
MISC
ubiquiti — unifi_video_controller The UniFi Video Server (Windows) web interface configuration restore functionality at the “backup” and “wizard” endpoints does not implement sufficient privilege checks. Low privileged users, belonging to the PUBLIC_GROUP or CUSTOM_GROUP groups, can access these endpoints and overwrite the current application configuration. This can be abused for various purposes, including adding new administrative users. Affected Products: UniFi Video Controller v3.9.3 (for Windows 7/8/10 x64) and prior. Fixed in UniFi Video Controller v3.9.6 and newer. 2020-04-01 4 CVE-2020-8145
CONFIRM
ubiquiti — unifi_video_controller
 
In UniFi Video v3.10.1 (for Windows 7/8/10 x64) there is a Local Privileges Escalation to SYSTEM from arbitrary file deletion and DLL hijack vulnerabilities. The issue was fixed by adjusting the .tsExport folder when the controller is running on Windows and adjusting the SafeDllSearchMode in the windows registry when installing UniFi-Video controller. Affected Products: UniFi Video Controller v3.10.2 (for Windows 7/8/10 x64) and prior. Fixed in UniFi Video Controller v3.10.3 and newer. 2020-04-01 6.9 CVE-2020-8146
CONFIRM
ubiquiti — unifi_video_controller
 
The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware update information. If the version field contains ..\ character sequences, the destination file path to save the firmware can be manipulated to be outside the intended destination directory tree. Fixed in UniFi Video Controller v3.10.3 and newer. 2020-04-01 5.2 CVE-2020-8144
CONFIRM
unisoon — ultralog_express UltraLog Express device management software stores user’s information in cleartext. Any user can obtain accounts information through a specific page. 2020-03-27 5 CVE-2020-3921
MISC
unisoon — ultralog_express
 
UltraLog Express device management interface does not properly perform access authentication in some specific pages/functions. Any user can access the privileged page to manage accounts through specific system directory. 2020-03-27 5.5 CVE-2020-3920
MISC

university_of_southern_california — innovation_in_integrated_informatics_lab_cereal

An issue was discovered in USC iLab cereal through 1.3.0. Serialization of an (initialized) C/C++ long double variable into a BinaryArchive or PortableBinaryArchive leaks several bytes of stack or heap memory, from which sensitive information (such as memory layout or private keys) can be gleaned if the archive is distributed outside of a trusted context. 2020-03-30 5 CVE-2020-11104
MISC
vertiv — avocent_universal_management_gateway The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is vulnerable to stored XSS. A remote attacker authenticated with an administrator account could store a maliciously named file within the web application that would execute each time a user browsed to the page. 2020-03-30 6 CVE-2019-9508
MISC
MISC
vertiv — avocent_universal_management_gateway
 
The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is vulnerable to reflected XSS in an HTTP POST parameter. The web application does not neutralize user-controllable input before displaying to users in a web page, which could allow a remote attacker authenticated with a user account to execute arbitrary code. 2020-03-30 6.5 CVE-2019-9509
MISC
MISC
weberp — weberp
 
In webERP 4.15, the Import Bank Transactions function fails to sanitize the content of imported MT940 bank statement files, resulting in the execution of arbitrary SQL queries, aka SQL Injection. 2020-03-30 6.5 CVE-2019-7755
MISC
MISC
MISC
wordpress — wordpress A stored cross-site scripting (XSS) vulnerability exists in the Auth0 plugin before 4.0.0 for WordPress via the settings page. 2020-04-01 4.3 CVE-2020-5392
CONFIRM
MISC
CONFIRM
wordpress — wordpress The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued. 2020-03-27 6.5 CVE-2020-10817
MISC
MISC
wordpress — wordpress
 
An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. A user can perform an insecure direct object reference. 2020-04-01 6.5 CVE-2020-7948
MISC
CONFIRM
CONFIRM
MISC
wordpress — wordpress
 
Cross-site request forgery (CSRF) vulnerabilities exist in the Auth0 plugin before 4.0.0 for WordPress via the domain field. 2020-04-01 6.8 CVE-2020-5391
CONFIRM
MISC
CONFIRM
wordpress — wordpress
 
The Login by Auth0 plugin before 4.0.0 for WordPress allows stored XSS on multiple pages, a different issue than CVE-2020-5392. 2020-04-01 4.3 CVE-2020-6753
CONFIRM
MISC
CONFIRM
yahoo — elide
 
In Elide before 4.5.14, it is possible for an adversary to “guess and check” the value of a model field they do not have access to assuming they can read at least one other field in the model. The adversary can construct filter expressions for an inaccessible field to filter a collection. The presence or absence of models in the returned collection can be used to reconstruct the value of the inaccessible field. Resolved in Elide 4.5.14 and greater. 2020-03-30 4 CVE-2020-5289
MISC
MISC
CONFIRM
zeit — next.js
 
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2. 2020-03-30 5 CVE-2020-5284
MISC
CONFIRM
zevenet — zen_load_balancer
 
Monitoring::Logs in Zen Load Balancer 3.10.1 allows remote authenticated admins to conduct absolute path traversal attacks, as demonstrated by a filelog=/etc/shadow request to index.cgi. 2020-04-02 4 CVE-2020-11491
MISC
MISC
zoho — manageengine_desktop_central Zoho ManageEngine Desktop Central allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure. 2020-03-30 5 CVE-2020-8509
CONFIRM

Back to top

 

Low Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
abb — esoms
 
The Redis data structure component used in ABB eSOMS versions 6.0 to 6.0.2 stores credentials in clear text. If an attacker has file system access, this can potentially compromise the credentials’ confidentiality. 2020-04-02 3.6 CVE-2019-19096
CONFIRM
abb — esoms
 
Lack of adequate input/output validation for ABB eSOMS versions 4.0 to 6.0.2 might allow an attacker to attack such as stored cross-site scripting by storing malicious content in the database. 2020-04-02 3.5 CVE-2019-19095
CONFIRM
abb — esoms
 
For ABB eSOMS versions 4.0 to 6.0.2, the X-XSS-Protection HTTP response header is not set in responses from the web server. For older web browser not supporting Content Security Policy, this might increase the risk of Cross Site Scripting. 2020-04-02 3.5 CVE-2019-19002
CONFIRM
abb — esoms
 
For ABB eSOMS versions 4.0 to 6.0.2, the Secure Flag is not set in the HTTP response header. Unencrypted connections might access the cookie information, thus making it susceptible to eavesdropping. 2020-04-02 3.5 CVE-2019-19090
CONFIRM
abb — esoms
 
ABB eSOMS versions 4.0 to 6.0.3 use ASP.NET Viewstate without Message Authentication Code (MAC). Alterations to Viewstate might thus not be noticed. 2020-04-02 3.5 CVE-2019-19092
CONFIRM
apache — cxf
 
Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘createMBServerConnectorFactory’ property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX. 2020-04-01 2.9 CVE-2020-1954
MISC
apache — druid
 
When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured. Callers of Druid APIs can also retrieve any LDAP attribute values of users that exist on the LDAP server, so long as that information is visible to the Druid server. This information disclosure does not require the caller itself to be a valid LDAP user. 2020-04-01 3.5 CVE-2020-1958
MLIST
MLIST
MLIST
MLIST
MLIST
MISC
MLIST
MLIST

apple — ios_and_ipados

The issue was resolved by clearing application previews when content is deleted. This issue is fixed in iOS 13.4 and iPadOS 13.4. A local user may be able to view deleted content in the app switcher. 2020-04-01 2.1 CVE-2020-9780
MISC
apple — macos_catalina
 
A logic issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15.4. A local user may be able to view sensitive user information. 2020-04-01 2.1 CVE-2020-3881
MISC
apple — multiple_products
 
This issue was addressed with a new entitlement. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2. An application may be able to use an SSH client provided by private frameworks. 2020-04-01 2.1 CVE-2020-3917
MISC
MISC
MISC
apple — multiple_products
 
A logic issue was addressed with improved state management. This issue is fixed in iOS 13.4 and iPadOS 13.4, watchOS 6.2. A person with physical access to a locked iOS device may be able to respond to messages even when replies are disabled. 2020-04-01 2.1 CVE-2020-3891
MISC
MISC
apple — multiple_products
 
A race condition was addressed with additional validation. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. An application may be able to read restricted memory. 2020-04-01 2.6 CVE-2020-3894
MISC
MISC
MISC
MISC
MISC
MISC

bd — pyxis_medstation_es_system_and_pyxis_anesthesia_es_system

In BD Pyxis MedStation ES System v1.6.1 and Pyxis Anesthesia (PAS) ES System v1.6.1, a restricted desktop environment escape vulnerability exists in the kiosk mode functionality of affected devices. Specially crafted inputs could allow the user to escape the restricted environment, resulting in access to sensitive data. 2020-04-01 3.6 CVE-2020-10598
MISC
gradle — plugin_portal
 
All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the –info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI) this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own. 2020-03-30 3.3 CVE-2020-7599
MISC
MISC
ibm — tivoli_netcool_impact
 
IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 175408. 2020-03-31 3.5 CVE-2020-4235
XF
CONFIRM
intland_software — codebeamer_alm
 
In Intland codeBeamer ALM 9.5 and earlier, there is stored XSS via the Trackers Title parameter. 2020-03-30 3.5 CVE-2019-19913
MISC
intland_software — codebeamer_alm
 
In Intland codeBeamer ALM 9.5 and earlier, a cross-site scripting (XSS) vulnerability in the Upload Flash File feature allows authenticated remote attackers to inject arbitrary scripts via an active script embedded in an SWF file. 2020-03-30 3.5 CVE-2019-19912
MISC
kubernetes — kubelet
 
The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250. 2020-03-27 3.3 CVE-2020-8551
MISC
MISC
microstrategy — web_services
 
Microstrategy Web 10.4 is vulnerable to Stored XSS in the HTML Container and Insert Text features in the window, allowing for the creation of a new dashboard. In order to exploit this vulnerability, a user needs to get access to a shared dashboard or have the ability to create a dashboard on the application. 2020-04-02 3.5 CVE-2020-11454
MISC
FULLDISC
MISC
MISC

otrs — open_ticket_request_system_and_open_ticket_request_system_community_edition

Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. 2020-03-27 3.5 CVE-2020-1771
MISC
pfsense — pfsense
 
pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php in the WebGUI via the descr parameter (aka full name) of a user. 2020-04-01 3.5 CVE-2020-11457
MISC
MISC
pki-core — pki-core
 
A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code. 2020-03-31 3.5 CVE-2019-10180
CONFIRM
sonatype — nexus_repository_manager Sonatype Nexus Repository before 3.21.2 allows XSS. 2020-04-01 3.5 CVE-2020-10203
CONFIRM
versiant — lynx_customer_service_portal
 
Versiant LYNX Customer Service Portal (CSP), version 3.5.2, is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to insert malicious JavaScript that is stored and displayed to the end user. This could lead to website redirects, session cookie hijacking, or information disclosure. 2020-03-30 3.5 CVE-2020-9055
MISC
CERT-VN
zoom — zoom_client_for_meetings
 
Zoom Client for Meetings through 4.6.8 on macOS has the disable-library-validation entitlement, which allows a local process (with the user’s privileges) to obtain unprompted microphone and camera access by loading a crafted library and thereby inheriting Zoom Client’s microphone and camera access. 2020-04-01 2.1 CVE-2020-11470
MISC
MISC
zyxel — xgs221–52hp_devices
 
In firmware version 4.50 of Zyxel XGS2210-52HP, multiple stored cross-site scripting (XSS) issues allows remote authenticated users to inject arbitrary web script via an rpSys.html Name or Location field. 2020-03-31 3.5 CVE-2019-13495
MISC

Back to top

 

Severity Not Yet Assigned

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
3xlogic — infinias_eidc32_devices
 
3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authentication Bypass via CMD.HTM?CMD= because authentication depends on the client side’s interpretation of the <KEY>MYKEY</KEY> substring. 2020-04-04 not yet calculated CVE-2020-11542
MISC
apple — macos_catalina
 
A logic issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15.4. A local user may be able to read arbitrary files. 2020-04-01 not yet calculated CVE-2020-3889
MISC
apple — multiple_products
 
This issue was addressed with improved checks. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. An application may be able to use arbitrary entitlements. 2020-04-01 not yet calculated CVE-2020-3883
MISC
MISC
MISC
MISC
apple — multiple_products
 
A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. A file URL may be incorrectly processed. 2020-04-01 not yet calculated CVE-2020-3885
MISC
MISC
MISC
MISC
MISC
MISC
bit2spr — bit2spr
 
bit2spr 1992-06-07 has a stack-based buffer overflow (129-byte write) in conv_bitmap in bit2spr.c via a long line in a bitmap file. 2020-04-04 not yet calculated CVE-2020-11528
MISC
MISC
dell — emc_isilon_onefs
 
Dell EMC Isilon OneFS versions 8.2.2 and earlier contain a denial of service vulnerability. SmartConnect had an error condition that may be triggered to loop, using CPU and potentially preventing other SmartConnect DNS responses. 2020-04-04 not yet calculated CVE-2020-5347
MISC
dell — latitude_7202_rugged_tablet
 
Dell Latitude 7202 Rugged Tablet BIOS versions prior to A28 contain a UAF vulnerability in EFI_BOOT_SERVICES in system management mode. A local unauthenticated attacker may exploit this vulnerability by overwriting the EFI_BOOT_SERVICES structure to execute arbitrary code in system management mode. 2020-04-04 not yet calculated CVE-2020-5348
MISC
eclipse — che
 
A flaw was found in the Eclipse Che up to version 7.8.x, where it did not properly restrict access to workspace pods. An authenticated user can exploit this flaw to bypass JWT proxy and gain access to the workspace pods of another user. Successful exploitation requires knowledge of the service name and namespace of the target pod. 2020-04-03 not yet calculated CVE-2020-10689
CONFIRM
MISC
firmware_analysis_and_comparison_tool — firmware_analysis_and_comparison_tool
 
Firmware Analysis and Comparison Tool (FACT) 3 has Stored XSS when updating analysis details via a localhost web request, as demonstrated by mishandling of the tags and version fields in helperFunctions/mongo_task_conversion.py. 2020-04-02 not yet calculated CVE-2020-11499
MISC
MISC
get-git-data — get-git-data
 
get-git-data through 1.3.1 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the arguments provided to get-git-data. 2020-04-02 not yet calculated CVE-2020-7619
MISC
MISC
gnu_glibc — gnu_glibc
 
An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the ‘num’ parameter results in a signed comparison vulnerability. If an attacker underflows the ‘num’ parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data. 2020-04-01 not yet calculated CVE-2020-6096
MISC
gnutls — gnutls
 
GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 ‘\0’ bytes instead of a random value, and thus contributes no randomness to a DTLS negotiation. This breaks the security guarantees of the DTLS protocol. 2020-04-03 not yet calculated CVE-2020-11501
MISC
MISC
DEBIAN
MISC
grav — grav
 
Common/Grav.php in Grav before 1.6.23 has an Open Redirect. 2020-04-04 not yet calculated CVE-2020-11529
MISC
MISC
hirschmann_automation_and_control — hios_and_hisecos
 
A buffer overflow vulnerability was found in some devices of Hirschmann Automation and Control HiOS and HiSecOS. The vulnerability is due to improper parsing of URL arguments. An attacker could exploit this vulnerability by specially crafting HTTP requests to overflow an internal buffer. The following devices using HiOS Version 07.0.02 and lower are affected: RSP, RSPE, RSPS, RSPL, MSP, EES, EES, EESX, GRS, OS, RED. The following devices using HiSecOS Version 03.2.00 and lower are affected: EAGLE20/30. 2020-04-03 not yet calculated CVE-2020-6994
MISC
ibm — spectrum_scale
 
IBM Spectrum Scale 4.2 and 5.0 could allow a local unprivileged attacker with intimate knowledge of the enviornment to execute commands as root using specially crafted input. IBM X-Force ID: 175977. 2020-04-03 not yet calculated CVE-2020-4273
XF
CONFIRM
ibm — strongloop_strong-nginx-controller strong-nginx-controller through 1.0.2 is vulnerable to Command Injection. It allows execution of arbitrary command as part of the ‘_nginxCmd()’ function. 2020-04-02 not yet calculated CVE-2020-7621
MISC
MISC
ini-parser — ini-parser
 
ini-parser through 0.0.2 is vulnerable to Prototype Pollution.The library could be tricked into adding or modifying properties of Object.prototype using a ‘__proto__’ payload. 2020-04-02 not yet calculated CVE-2020-7617
CONFIRM
CONFIRM
ivanti — workspace_control
 
Ivanti Workspace Control before 10.4.30.0, when SCCM integration is enabled, allows local users to obtain sensitive information (keying material). 2020-04-04 not yet calculated CVE-2020-11533
MISC
jscover — jscover
 
jscover through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary command via the source argument. 2020-04-02 not yet calculated CVE-2020-7623
MISC
MISC
linux — linux_kernel
 
An issue was discovered in slc_bump in drivers/net/can/slcan.c in the Linux kernel through 5.6.2. It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-b9258a2cece4. 2020-04-02 not yet calculated CVE-2020-11494
MISC
linux — linux_kernel
 
In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780) 2020-04-02 not yet calculated CVE-2020-8835
CONFIRM
CONFIRM
FEDORA
CONFIRM
UBUNTU
UBUNTU
CONFIRM
CONFIRM
mcafee — endpoint_security_for_windows
 
Improper access control vulnerability in ESConfigTool.exe in ENS for Windows all current versions allows a local administrator to alter the ENS configuration up to and including disabling all protection offered by ENS via insecurely implemented encryption of configuration for export and import. 2020-04-01 not yet calculated CVE-2020-7263
CONFIRM
mediawiki — mediawiki
 
In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows applying an event handler to any Cascading Style Sheets (CSS) selector. There is no known way to exploit this for cross-site scripting (XSS). 2020-04-03 not yet calculated CVE-2020-10960
CONFIRM
CONFIRM
mitsubishi — multiple_products
 
When MELSOFT transmission port (UDP/IP) of Mitsubishi Electric MELSEC iQ-R series (all versions), MELSEC iQ-F series (all versions), MELSEC Q series (all versions), MELSEC L series (all versions), and MELSEC F series (all versions) receives massive amount of data via unspecified vectors, resource consumption occurs and the port does not process the data properly. As a result, it may fall into a denial-of-service (DoS) condition. The vendor states this vulnerability only affects Ethernet communication functions. 2020-03-30 not yet calculated CVE-2020-5527
MISC
MISC
netgear — multiple_products
 
NETGEAR has released fixes for a pre-authentication command injection in request_handler.php security vulnerability on the following product models: WC7500, running firmware versions prior to 6.5.3.5; WC7520, running firmware versions prior to 2.5.0.46; WC7600v1, running firmware versions prior to 6.5.3.5; WC7600v2, running firmware versions prior to 6.5.3.5; and WC9500, running firmware versions prior to 6.5.3.5. 2020-04-01 not yet calculated CVE-2018-11106
CONFIRM
parrot — anafi_drone
 
Web server running on Parrot ANAFI can be crashed due to the SDK command “Common_CurrentDateTime” being sent to control service with larger than expected date length. 2020-04-01 not yet calculated CVE-2019-3945
MISC
parrot — anafi_drone
 
Parrot ANAFI is vulnerable to Wi-Fi deauthentication attack, allowing remote and unauthenticated attackers to disconnect drone from controller during mid-flight. 2020-04-01 not yet calculated CVE-2019-3944
MISC
pomelo-monitor — pomelo-monitor
 
pomelo-monitor through 0.3.7 is vulnerable to Command Injection.It allows injection of arbitrary commands as part of ‘pomelo-monitor’ params. 2020-04-02 not yet calculated CVE-2020-7620
MISC
MISC
revive_adserver — revive_adserver
 
An Open Redirect vulnerability was discovered in Revive Adserver version < 5.0.5 and reported by HackerOne user hoangn144. A remote attacker could trick logged-in users to open a specifically crafted link and have them redirected to any destination.The CSRF protection of the “/www/admin/*-modify.php” could be skipped if no meaningful parameter was sent. No action was performed, but the user was still redirected to the target page, specified via the “returnurl” GET parameter. 2020-04-03 not yet calculated CVE-2020-8143
MISC
MISC
revive_adserver — revive_adserver
 
A security restriction bypass vulnerability has been discovered in Revive Adserver version < 5.0.5 by HackerOne user hoangn144. Revive Adserver, like many other applications, requires the logged in user to type the current password in order to change the e-mail address or the password. It was however possible for anyone with access to a Revive Adserver admin user interface to bypass such check and change e-email address or password of the currently logged in user by altering the form payload.The attack requires physical access to the user interface of a logged in user. If the POST payload was altered by turning the “pwold” parameter into an array, Revive Adserver would fetch and authorise the operation even if no password was provided. 2020-04-03 not yet calculated CVE-2020-8142
MISC
MISC
slack — nebula
 
Slack Nebula through 1.1.0 contains a relative path vulnerability that allows a low-privileged attacker to execute code in the context of the root user via tun_darwin.go or tun_windows.go. A user can also use Nebula to execute arbitrary code in the user’s own context, e.g., for user-level persistence or to bypass security controls. NOTE: the vendor states that this “requires a high degree of access and other preconditions that are tough to achieve.” 2020-04-02 not yet calculated CVE-2020-11498
MISC
MISC
sonatype — nexus_repository_manager
 
Sonatype Nexus Repository Manager 3.x up to and including 3.21.2 has Incorrect Access Control. 2020-04-02 not yet calculated CVE-2020-11444
MISC
CONFIRM
starface — ucc_client
 
STARFACE UCC Client before 6.7.1.204 on WIndows allows binary planting to execute code with System rights, aka usd-2020-0006. 2020-04-02 not yet calculated CVE-2020-10515
MISC
CONFIRM
MISC

suse — linux_enterprise_server_12_autoyast2_and15_autoyast2

A Insufficient Verification of Data Authenticity vulnerability in autoyast2 of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows remote attackers to MITM connections when deprecated and unused functionality of autoyast is used to create images. This issue affects: SUSE Linux Enterprise Server 12 autoyast2 version 4.1.9-3.9.1 and prior versions. SUSE Linux Enterprise Server 15 autoyast2 version 4.0.70-3.20.1 and prior versions. 2020-04-03 not yet calculated CVE-2019-18905
CONFIRM
suse — multiple_products
 
A Race Condition Enabling Link Following vulnerability in the packaging of texlive-filesystem of SUSE Linux Enterprise Module for Desktop Applications 15-SP1, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1 allows local users to corrupt files or potentially escalate privileges. This issue affects: SUSE Linux Enterprise Module for Desktop Applications 15-SP1 texlive-filesystem versions prior to 2017.135-9.5.1. SUSE Linux Enterprise Software Development Kit 12-SP4 texlive-filesystem versions prior to 2013.74-16.5.1. SUSE Linux Enterprise Software Development Kit 12-SP5 texlive-filesystem versions prior to 2013.74-16.5.1. openSUSE Leap 15.1 texlive-filesystem versions prior to 2017.135-lp151.8.3.1. 2020-04-02 not yet calculated CVE-2020-8016
CONFIRM
suse — multiple_products
 
A Race Condition Enabling Link Following vulnerability in the cron job shipped with texlive-filesystem of SUSE Linux Enterprise Module for Desktop Applications 15-SP1, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1 allows local users in group mktex to delete arbitrary files on the system This issue affects: SUSE Linux Enterprise Module for Desktop Applications 15-SP1 texlive-filesystem versions prior to 2017.135-9.5.1. SUSE Linux Enterprise Software Development Kit 12-SP4 texlive-filesystem versions prior to 2013.74-16.5.1. SUSE Linux Enterprise Software Development Kit 12-SP5 texlive-filesystem versions prior to 2013.74-16.5.1. openSUSE Leap 15.1 texlive-filesystem versions prior to 2017.135-lp151.8.3.1. 2020-04-02 not yet calculated CVE-2020-8017
CONFIRM
suse — multiple_products
 
A Uncontrolled Resource Consumption vulnerability in rmt of SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Linux Enterprise High Performance Computing 15-LTSS, SUSE Linux Enterprise Module for Public Cloud 15-SP1, SUSE Linux Enterprise Module for Server Applications 15, SUSE Linux Enterprise Module for Server Applications 15-SP1, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15; openSUSE Leap 15.1 allows remote attackers to cause DoS against rmt by requesting migrations. This issue affects: SUSE Linux Enterprise High Performance Computing 15-ESPOS rmt-server versions prior to 2.5.2-3.26.1. SUSE Linux Enterprise High Performance Computing 15-LTSS rmt-server versions prior to 2.5.2-3.26.1. SUSE Linux Enterprise Module for Public Cloud 15-SP1 rmt-server versions prior to 2.5.2-3.9.1. SUSE Linux Enterprise Module for Server Applications 15 rmt-server versions prior to 2.5.2-3.26.1. SUSE Linux Enterprise Module for Server Applications 15-SP1 rmt-server versions prior to 2.5.2-3.9.1. SUSE Linux Enterprise Server 15-LTSS rmt-server versions prior to 2.5.2-3.26.1. SUSE Linux Enterprise Server for SAP 15 rmt-server versions prior to 2.5.2-3.26.1. openSUSE Leap 15.1 rmt-server versions prior to 2.5.2-lp151.2.9.1. 2020-04-03 not yet calculated CVE-2019-18904
CONFIRM

suse — openstack_cloud_and_openstack_cloud_crowbar

A Least Privilege Violation vulnerability in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue affects: SUSE OpenStack Cloud 7 crowbar-core versions prior to 4.0+git.1578392992.fabfd186c-9.63.1, crowbar-. SUSE OpenStack Cloud 8 ardana-cinder versions prior to 8.0+git.1579279939.ee7da88-3.39.3, ardana-. SUSE OpenStack Cloud 9 ardana-ansible versions prior to 9.0+git.1581611758.f694f7d-3.16.1, ardana-. SUSE OpenStack Cloud Crowbar 8 crowbar-core versions prior to 5.0+git.1582968668.1a55c77c5-3.35.4, crowbar-. SUSE OpenStack Cloud Crowbar 9 crowbar-core versions prior to 6.0+git.1582892022.cbd70e833-3.19.3, crowbar-. 2020-04-03 not yet calculated CVE-2018-17954
CONFIRM
suse — opensuse_factory
 
A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: openSUSE Factory exim versions prior to 4.93.0.4-3.1. 2020-04-02 not yet calculated CVE-2020-8015
CONFIRM
sytemd — systemd
 
A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages. 2020-03-31 not yet calculated CVE-2020-1712
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
testlink — testlink
 
A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php via the urgency parameter. 2020-04-03 not yet calculated CVE-2020-8638
MISC
CONFIRM
testlink — testlink
 
An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to a publicly accessible directory of the application. 2020-04-03 not yet calculated CVE-2020-8639
MISC
CONFIRM
testlink — testlink
 
A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter. 2020-04-03 not yet calculated CVE-2020-8637
MISC
CONFIRM
tp-link — cloud_camera
 
TP-Link cloud cameras through 2020-02-09 allow remote attackers to bypass authentication and obtain sensitive information via vectors involving a Wi-Fi session with GPS enabled, aka CNVD-2020-04855. 2020-04-01 not yet calculated CVE-2020-11445
MISC
tp-link — multiple_devices
 
TP-Link NC200 through 2.1.8_Build_171109, NC210 through 1.0.9_Build_171214, NC220 through 1.3.0_Build_180105, NC230 through 1.3.0_Build_171205, NC250 through 1.3.0_Build_171205, NC260 through 1.5.1_Build_190805, and NC450 through 1.5.0_Build_181022 devices allow a remote NULL Pointer Dereference. 2020-04-01 not yet calculated CVE-2020-10231
MISC
MISC
tp-link — tl-wr841n_devices
 
A buffer overflow in the httpd daemon on TP-Link TL-WR841N V10 (firmware version 3.16.9) devices allows an authenticated remote attacker to execute arbitrary code via a GET request to the page for the configuration of the Wi-Fi network. 2020-04-02 not yet calculated CVE-2020-8423
MISC
MISC
utils-extend — utils-extend
 
Flaw in input validation in npm package utils-extend version 1.0.8 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using utils-extend. 2020-04-03 not yet calculated CVE-2020-8147
MISC
viewvc — viewvc
 
ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28. 2020-04-03 not yet calculated CVE-2020-5283
MISC
MISC
CONFIRM
visam — vbase_editor_and_vbase_web-remote_module VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may allow a vulnerable ActiveX component to be exploited resulting in a buffer overflow, which may lead to a denial-of-service condition and execution of arbitrary code. 2020-04-03 not yet calculated CVE-2020-10599
MISC
visam — vbase_editor_and_vbase_web-remote_module
 
VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may allow weak or insecure permissions on the VBASE directory resulting in elevation of privileges or malicious effects on the system the next time a privileged user runs the application. 2020-04-03 not yet calculated CVE-2020-7004
MISC
visam — vbase_editor_and_vbase_web-remote_module
 
VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may allow an unauthenticated attacker to discover the cryptographic key from the web server and gain information about the login and the encryption/decryption mechanism, which may be exploited to bypass authentication of the HTML5 HMI web interface. 2020-04-03 not yet calculated CVE-2020-7000
MISC
visam — vbase_editor_and_vbase_web-remote_module
 
VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may allow input passed in the URL that is not properly verified before use, which may allow an attacker to read arbitrary files from local resources. 2020-04-03 not yet calculated CVE-2020-7008
MISC
visam — vbase_editor_and_vbase_web-remote_module
 
VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module allow weak hashing algorithm and insecure permissions which may allow a local attacker to bypass the password-protected mechanism through brute-force attacks, cracking techniques, or overwriting the password hash. 2020-04-03 not yet calculated CVE-2020-10601
MISC
wordpress — wordpress
 
includes/theme-functions.php in the OneTone theme through 3.0.6 for WordPress allows unauthenticated options changes. 2020-04-03 not yet calculated CVE-2019-17230
MISC
wordpress — wordpress
 
includes/theme-functions.php in the OneTone theme through 3.0.6 for WordPress has multiple stored XSS issues. 2020-04-03 not yet calculated CVE-2019-17231
MISC
xampp — xampp
 
An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16 , and 7.4.x before 7.4.4 on Windows. An unprivileged user can change a .exe configuration in xampp-contol.ini for all users (including admins) to enable arbitrary command execution. 2020-04-02 not yet calculated CVE-2020-11107
CONFIRM
zevenet — zen_load_balancer
 
Manage::Certificates in Zen Load Balancer 3.10.1 allows remote authenticated admins to execute arbitrary OS commands via shell metacharacters in the index.cgi cert_issuer, cert_division, cert_organization, cert_locality, cert_state, cert_country, or cert_email parameter. 2020-04-02 not yet calculated CVE-2020-11490
MISC
MISC
zoho — manageengine_ad_self_service_plus
 
Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution. 2020-04-04 not yet calculated CVE-2020-11518
MISC
zoho — manageengine_op_manager
 
In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files. 2020-04-04 not yet calculated CVE-2020-11527
MISC
zoom — client_for_meetings
 
Zoom Client for Meetings through 4.6.9 uses the ECB mode of AES for video and audio encryption. Within a meeting, all participants use a single 128-bit key. 2020-04-03 not yet calculated CVE-2020-11500
MISC
MISC

Back to top

This product is provided subject to this Notification and this Privacy & Use policy.