Original release date: April 6, 2020
The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
High Vulnerabilities
Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
accenture — mercury |
An XXE issue exists in Accenture Mercury before 1.12.28 because of the platformlambda/core/serializers/SimpleXmlParser.java component. | 2020-03-27 | 7.5 | CVE-2020-10990 MISC MISC |
alienform2 — alienform2 |
Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) 2.0.2 is vulnerable to Remote Command Execution via eval injection, a different issue than CVE-2002-0934. An unauthenticated, remote attacker can exploit this via a series of crafted requests. | 2020-04-01 | 10 | CVE-2020-10948 MISC |
apache — http_server |
In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. | 2020-04-01 | 7.5 | CVE-2020-1934 CONFIRM MLIST MLIST |
apple — macos_catalina |
A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.4. An application may be able to execute arbitrary code with system privileges. | 2020-04-01 | 9.3 | CVE-2020-3903 MISC |
apple — macos_catalina |
Multiple issues were addressed by updating to version 8.1.1850. This issue is fixed in macOS Catalina 10.15.4. Multiple issues in Vim. | 2020-04-01 | 7.5 | CVE-2020-9769 MISC |
apple — macos_catalina_and_mojave_and_high_sierra |
An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.3. A remote attacker may be able to leak memory. | 2020-04-01 | 10 | CVE-2020-3847 MISC |
apple — macos_catalina_and_mojave_and_high_sierra |
A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.4. A malicious application may be able to execute arbitrary code with kernel privileges. | 2020-04-01 | 9.3 | CVE-2020-3892 MISC |
apple — macos_catalina_and_mojave_and_high_sierra |
A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.4. A malicious application may be able to execute arbitrary code with kernel privileges. | 2020-04-01 | 9.3 | CVE-2020-3893 MISC |
apple — macos_catalina_and_mojave_and_high_sierra |
Multiple memory corruption issues were addressed with improved state management. This issue is fixed in macOS Catalina 10.15.4. A malicious application may be able to execute arbitrary code with kernel privileges. | 2020-04-01 | 9.3 | CVE-2020-3904 MISC |
apple — macos_catalina_and_mojave_and_high_sierra |
A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.3. A remote attacker may be able to cause unexpected application termination or arbitrary code execution. | 2020-04-01 | 7.5 | CVE-2020-3849 MISC |
apple — macos_catalina_and_mojave_and_high_sierra |
A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.4. A malicious application may be able to execute arbitrary code with kernel privileges. | 2020-04-01 | 9.3 | CVE-2020-3905 MISC |
apple — macos_catalina_and_mojave_and_high_sierra |
A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.3. A remote attacker may be able to cause unexpected application termination or arbitrary code execution. | 2020-04-01 | 7.5 | CVE-2020-3850 MISC |
apple — macos_catalina_and_mojave_and_high_sierra |
A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.3. A remote attacker may be able to cause unexpected application termination or arbitrary code execution. | 2020-04-01 | 7.5 | CVE-2020-3848 MISC |
apple — multiple_products |
A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Multiple issues in libxml2. | 2020-04-01 | 7.5 | CVE-2020-3911 MISC MISC MISC MISC MISC MISC MISC |
apple — multiple_products |
A buffer overflow was addressed with improved size validation. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Multiple issues in libxml2. | 2020-04-01 | 7.5 | CVE-2020-3910 MISC MISC MISC MISC MISC MISC MISC |
apple — multiple_products |
A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Multiple issues in libxml2. | 2020-04-01 | 7.5 | CVE-2020-3909 MISC MISC MISC MISC MISC MISC MISC |
apple — multiple_products |
Multiple memory corruption issues were addressed with improved state management. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. A malicious application may be able to execute arbitrary code with kernel privileges. | 2020-04-01 | 9.3 | CVE-2020-9785 MISC MISC MISC MISC |
apple — multiple_products |
A use after free issue was addressed with improved memory management. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2. An application may be able to execute arbitrary code with system privileges. | 2020-04-01 | 9.3 | CVE-2020-9768 MISC MISC MISC |
apple — multiple_products |
A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. A malicious application may be able to execute arbitrary code with kernel privileges. | 2020-04-01 | 9.3 | CVE-2020-3919 MISC MISC MISC MISC |
apple — multiple_products |
A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Processing maliciously crafted web content may lead to arbitrary code execution. | 2020-04-01 | 9.3 | CVE-2020-3895 MISC MISC MISC MISC MISC MISC MISC |
apple — multiple_products |
A memory consumption issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. A remote attacker may be able to cause arbitrary code execution. | 2020-04-01 | 9.3 | CVE-2020-3899 MISC MISC MISC MISC MISC MISC |
apple — multiple_products |
A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. A remote attacker may be able to cause arbitrary code execution. | 2020-04-01 | 9.3 | CVE-2020-3897 MISC MISC MISC MISC MISC MISC MISC |
avast — avast_antivirus |
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to bypass intended access restrictions on tasks from an untrusted process, when Self Defense is enabled. | 2020-04-01 | 7.5 | CVE-2020-10867 MISC MISC MISC |
azkaban — azkaban |
Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorManager.java and user/XmlUserManager.java. | 2020-03-27 | 7.5 | CVE-2020-10992 MISC |
bubblewrap — bubblewrap |
In Bubblewrap (bwrap) before version 0.4.1, if it is installed in setuid mode and the kernel supports unprivileged user namespaces, the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * CentOS 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update. | 2020-03-31 | 8.5 | CVE-2020-5291 MISC CONFIRM |
buildah — buildah |
A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user’s system anywhere that the user has permissions. | 2020-03-31 | 9.3 | CVE-2020-10696 MISC CONFIRM MISC |
cacagoo — tv-288zd-2mp_devices |
CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 has weak authentication of TELNET access, leading to root privileges without any password required. | 2020-04-02 | 10 | CVE-2020-6852 MISC MISC |
dell — emc_idrac_devices |
Dell EMC iDRAC7, iDRAC8 and iDRAC9 versions prior to 2.65.65.65, 2.70.70.70, 4.00.00.00 contain a stack-based buffer overflow vulnerability. An unauthenticated remote attacker may exploit this vulnerability to crash the affected process or execute arbitrary code on the system by sending specially crafted input data. | 2020-03-31 | 10 | CVE-2020-5344 MISC |
effect — effect |
effect through 1.0.4 is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument. | 2020-04-02 | 7.5 | CVE-2020-7624 MISC MISC |
elastic — elasticsearch |
Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges. | 2020-03-31 | 7.5 | CVE-2020-7009 N/A CONFIRM N/A |
f5 — nginx_controller |
In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. The user which is created is only able to upload a new license to the system but cannot view or modify any other components of the system. | 2020-03-27 | 7.5 | CVE-2020-5863 MISC |
git-add-remote — git-add-remote |
git-add-remote through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the name argument. | 2020-04-02 | 7.5 | CVE-2020-7630 MISC MISC |
gitlab — gitlab |
GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a project import note feature. | 2020-03-27 | 7.5 | CVE-2020-10956 CONFIRM MISC |
hiproxy — op-browser |
op-browser through 1.0.6 is vulnerable to Command Injection. It allows execution of arbitrary commands via the url function. | 2020-04-02 | 7.5 | CVE-2020-7625 MISC MISC |
ibm — spectrum_protect_plus |
IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote attacker to execute arbitrary commands on the system in the context of root user, caused by improper validation of user-supplied input. IBM X-Force ID: 174966. | 2020-03-31 | 9 | CVE-2020-4206 XF CONFIRM |
ibm — spectrum_protect_plus |
IBM Spectrum Protect Plus 10.1.0 through 10.1.5 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174975. | 2020-03-31 | 7.5 | CVE-2020-4208 XF CONFIRM |
ibm — spectrum_protect_plus_and_spectrum_scale |
IBM Spectrum Scale and IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 175418. | 2020-03-31 | 9 | CVE-2020-4241 XF CONFIRM |
ibm — spectrum_protect_plus_and_spectrum_scale |
IBM Spectrum Scale and IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 175419. | 2020-03-31 | 9 | CVE-2020-4242 XF CONFIRM |
install-package — install-package |
install-package through 0.4.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument. | 2020-04-02 | 7.5 | CVE-2020-7629 MISC MISC |
install-package — install-package |
install-package through 1.1.6 is vulnerable to Command Injection. It allows execution of arbitrary commands via the device function. | 2020-04-02 | 7.5 | CVE-2020-7628 MISC MISC |
karma-mojo — karma-mojo |
karma-mojo through 1.0.1 is vulnerable to Command Injection. It allows execution of arbitrary commands via the config argument. | 2020-04-02 | 7.5 | CVE-2020-7626 MISC MISC |
ksh — ksh |
In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely. | 2020-04-02 | 7.2 | CVE-2019-14868 CONFIRM MISC |
laminar_research — x-plane |
X-Plane before 11.41 allows Arbitrary Memory Write via crafted network packets, which could cause a denial of service or arbitrary code execution. | 2020-03-30 | 7.5 | CVE-2019-19605 MISC |
laminar_research — x-plane |
X-Plane before 11.41 has multiple improper path validations that could allow reading and writing files from/to arbitrary paths (or a leak of OS credentials to a remote system) via crafted network packets. This could be used to execute arbitrary commands on the system. | 2020-03-30 | 10 | CVE-2019-19606 MISC |
lenovo — multiple_notebooks |
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A buffer overflow vulnerability was reported (fixed and publicly disclosed in 2015) in the Lenovo Service Engine (LSE), affecting various versions of BIOS for Lenovo Notebooks, that could allow a remote user to execute arbitrary code on the system. | 2020-03-27 | 10 | CVE-2015-5684 MISC |
lenovo — multiple_products | MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A local privilege escalation vulnerability was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and prior where the SUService.exe /type COMMAND type could allow a user to execute arbitrary code with elevated privileges. | 2020-03-27 | 7.2 | CVE-2015-7334 MISC |
lenovo — multiple_products |
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A local privilege escalation vulnerability was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and prior where the SUService.exe /type INF and INF_BY_COMPATIBLE_ID command types could allow a user to execute arbitrary code with elevated privileges. | 2020-03-27 | 7.2 | CVE-2015-7333 MISC |
lenovo — solution_center |
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A local privilege escalation vulnerability was discovered (fixed and publicly disclosed in 2015) in Lenovo Solution Center (LSC) prior to version 3.3.002 that could allow a user to execute arbitrary code with elevated privileges. | 2020-03-27 | 7.2 | CVE-2015-8534 MISC |
lenovo — solution_center |
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A directory traversal vulnerability was discovered (fixed and publicly disclosed in 2015) in Lenovo Solution Center (LSC) prior to version 3.3.002 that could allow a user to execute arbitrary code with elevated privileges. | 2020-03-27 | 7.2 | CVE-2015-8535 MISC |
march_networks — command_client |
The connection initiation process in March Networks Command Client before 2.7.2 allows remote attackers to execute arbitrary code via crafted XAML objects. | 2020-04-01 | 7.5 | CVE-2019-9163 CONFIRM |
mongodb — js-bson |
All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object’s _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type. | 2020-03-30 | 7.5 | CVE-2020-7610 MISC |
mulesoft — apikit |
Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java. | 2020-03-27 | 7.5 | CVE-2020-10991 MISC |
node-key-sender — node-key-sender |
node-key-sender through 1.0.11 is vulnerable to Command Injection. It allows execution of arbitrary commands via the ‘arrParams’ argument in the ‘execute()’ function. | 2020-04-02 | 7.5 | CVE-2020-7627 MISC MISC |
objectcomputing — micronaut |
All versions of io.micronaut:micronaut-http-client before 1.2.11 and all versions from 1.3.0 before 1.3.2 are vulnerable to HTTP Request Header Injection due to not validating request headers passed to the client. | 2020-03-30 | 7.5 | CVE-2020-7611 MISC MISC MISC |
odata4j — odata4j | odata4j 0.7.0 allows ExecuteJPQLQueryCommand.java SQL injection. NOTE: this product is apparently discontinued. | 2020-03-30 | 7.5 | CVE-2016-11024 MISC |
odata4j — odata4j |
odata4j 0.7.0 allows ExecuteCountQueryCommand.java SQL injection. NOTE: this product is apparently discontinued. | 2020-03-30 | 7.5 | CVE-2016-11023 MISC |
paessler — prtg_network_monitor |
A webserver component in Paessler PRTG Network Monitor 19.2.50 to PRTG 20.1.56 allows unauthenticated remote command execution via a crafted POST request or the what parameter of the screenshot function in the Contact Support form. | 2020-03-30 | 7.5 | CVE-2020-10374 MISC CONFIRM |
pam-krb5 — pam-krb5 |
pam-krb5 before 4.9 has a buffer overflow that might cause remote code execution in situations involving supplemental prompting by a Kerberos library. It may overflow a buffer provided by the underlying Kerberos library by a single ‘\0’ byte if an attacker responds to a prompt with an answer of a carefully chosen length. The effect may range from heap corruption to stack corruption depending on the structure of the underlying Kerberos library, with unknown effects but possibly including code execution. This code path is not used for normal authentication, but only when the Kerberos library does supplemental prompting, such as with PKINIT or when using the non-standard no_prompt PAM configuration option. | 2020-03-31 | 7.5 | CVE-2020-10595 CONFIRM CONFIRM MLIST UBUNTU DEBIAN |
sonatype — nexus_repository_manager | Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution. | 2020-04-01 | 9 | CVE-2020-10204 CONFIRM |
sonatype — nexus_repository_manager | Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2). | 2020-04-01 | 9 | CVE-2020-10199 CONFIRM |
unisoon — ultralog_express |
The UltraLog Express device management interface does not properly filter user-supplied strings in some specific parameters; attackers can inject arbitrary SQL commands. | 2020-03-27 | 7.5 | CVE-2020-3936 MISC |
university_of_southern_california — innovation_in_integrated_informatics_lab_cereal |
An issue was discovered in USC iLab cereal through 1.3.0. It employs caching of std::shared_ptr values, using the raw pointer address as a unique identifier. This becomes problematic if an std::shared_ptr variable goes out of scope and is freed, and a new std::shared_ptr is allocated at the same address. Serialization fidelity thereby becomes dependent upon memory layout. In short, serialized std::shared_ptr variables cannot always be expected to serialize back into their original values. This can have any number of consequences, depending on the context within which this manifests. | 2020-03-30 | 7.5 | CVE-2020-11105 MISC |
vertiv — avocent_umg-400_devices |
The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is vulnerable to command injection because the application incorrectly neutralizes code syntax before executing. Since all commands within the web application are executed as root, this could allow a remote attacker authenticated with an administrator account to execute arbitrary commands as root. | 2020-03-30 | 9 | CVE-2019-9507 MISC MISC |
wordpress — wordpress |
An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the data isn’t sanitized, and no input validation is performed, before the exporting of the user data. This can lead to (at least) CSV injection if a crafted Excel document is uploaded. | 2020-04-01 | 7.5 | CVE-2020-7947 MISC CONFIRM CONFIRM MISC |
wordpress — wordpress |
LearnDash WordPress plugin version below 3.1.6 is vulnerable to Unauthenticated SQL Injection. | 2020-04-01 | 7.5 | CVE-2020-6009 MISC |
wordpress — wordpress |
LifterLMS WordPress plugin version below 3.37.15 is vulnerable to arbitrary file write leading to remote code execution. | 2020-03-31 | 7.5 | CVE-2020-6008 MISC |
yamaha — multiple_products |
Yamaha LTE VoIP Router(NVR700W firmware Rev.15.00.15 and earlier), Yamaha Gigabit VoIP Router(NVR510 firmware Rev.15.01.14 and earlier), Yamaha Gigabit VPN Router(RTX810 firmware Rev.11.01.33 and earlier, RTX830 firmware Rev.15.02.09 and earlier, RTX1200 firmware Rev.10.01.76 and earlier, RTX1210 firmware Rev.14.01.33 and earlier, RTX3500 firmware Rev.14.00.26 and earlier, and RTX5000 firmware Rev.14.00.26 and earlier), Yamaha Broadband VoIP Router(NVR500 firmware Rev.11.00.38 and earlier), and Yamaha Firewall(FWX120 firmware Rev.11.03.27 and earlier) allow remote attackers to cause a denial of service via unspecified vectors. | 2020-04-01 | 7.8 | CVE-2020-5548 MISC MISC |
zoom — client_for_meetings | Zoom Client for Meetings through 4.6.8 on macOS copies runwithroot to a user-writable temporary directory during installation, which allows a local process (with the user’s privileges) to obtain root access by replacing runwithroot. | 2020-04-01 | 7.2 | CVE-2020-11469 MISC MISC |
Medium Vulnerabilities
Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
abb — esoms | For ABB eSOMS versions 4.0 to 6.0.3, the X-Content-Type-Options header is missing in the HTTP response, potentially causing the response body to be interpreted and displayed as a content type other than the one declared. A possible attack scenario would be unauthorized code execution via text interpreted as JavaScript. | 2020-04-02 | 4.3 | CVE-2019-19089 CONFIRM |
abb — esoms | For ABB eSOMS versions 4.0 to 6.0.2, the X-Frame-Options header is not configured in the HTTP response. This can potentially allow ‘ClickJacking’ attacks where an attacker can frame parts of the application on a malicious web site, revealing sensitive user information such as authentication credentials. | 2020-04-02 | 4.3 | CVE-2019-19001 CONFIRM |
abb — esoms |
Lack of input checks for SQL queries in ABB eSOMS versions 3.9 to 6.0.3 might allow an attacker to perform SQL injection attacks against the backend database. | 2020-04-02 | 6.5 | CVE-2019-19094 CONFIRM |
abb — esoms |
For ABB eSOMS versions 4.0 to 6.0.2, the HTTPOnly flag is not set. This can allow JavaScript to access the cookie contents, which in turn might enable Cross Site Scripting. | 2020-04-02 | 4.3 | CVE-2019-19003 CONFIRM |
abb — esoms |
ABB eSOMS versions 4.0 to 6.0.3 accept connections using medium strength ciphers. If a connection is enabled using such a cipher, an attacker might be able to eavesdrop and/or intercept the connection. | 2020-04-02 | 4.3 | CVE-2019-19097 CONFIRM |
abb — esoms |
eSOMS versions 4.0 to 6.0.3 do not enforce password complexity settings, potentially resulting in lower access security due to insecure user passwords. | 2020-04-02 | 6.4 | CVE-2019-19093 CONFIRM |
abb — esoms |
For ABB eSOMS 4.0 to 6.0.3, the Cache-Control and Pragma HTTP header(s) have not been properly configured within the application response. This can potentially allow browsers and proxies to cache sensitive information. | 2020-04-02 | 6.4 | CVE-2019-19000 CONFIRM |
abb — esoms |
For ABB eSOMS versions 4.0 to 6.0.3, HTTPS responses contain comments with sensitive information about the application. An attacker might use this detailed information to specifically craft the attack. | 2020-04-02 | 4 | CVE-2019-19091 CONFIRM |
advantech — webaccess |
In Advantech WebAccess versions 8.4.2 and prior, a stack-based buffer overflow vulnerability caused by a lack of proper validation of the length of user-supplied data may allow remote code execution. | 2020-03-27 | 6.5 | CVE-2020-10607 MISC |
advantech — webaccess |
Advantech WebAccess 8.3.4 does not properly restrict an RPC call that allows unauthenticated, remote users to read files. An attacker can use this vulnerability to recover the administrator password. | 2020-04-01 | 5 | CVE-2019-3942 MISC |
apache — dubbo |
Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions. | 2020-04-01 | 6.8 | CVE-2019-17564 MISC |
apache — http_server |
In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. | 2020-04-02 | 5.8 | CVE-2020-1927 MLIST MLIST CONFIRM MLIST MLIST |
apache — netbeans | The “Apache NetBeans” autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. “Apache NetBeans” versions up to and including 11.2 are affected by this vulnerability. | 2020-03-30 | 6.4 | CVE-2019-17560 MISC |
apache — netbeans |
The “Apache NetBeans” autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code. “Apache NetBeans” versions up to and including 11.2 are affected by this vulnerability. | 2020-03-30 | 5 | CVE-2019-17561 MISC |
apache — ofbiz | Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07. | 2020-04-01 | 4.3 | CVE-2020-1943 MISC |
apache — sling_cms |
Scripts in Sling CMS before 0.16.0 do not properly escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks. | 2020-04-01 | 4.3 | CVE-2020-1949 MISC |
apache — solr |
In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin). | 2020-04-01 | 4 | CVE-2018-11802 MISC |
apple — ios_and_ipados | A logic issue was addressed with improved state management. This issue is fixed in iOS 13.4 and iPadOS 13.4. An attacker in a privileged network position may be able to intercept Bluetooth traffic. | 2020-04-01 | 4 | CVE-2020-9770 MISC |
apple — ios_and_ipados | An issue existed in the selection of video file by Mail. The issue was fixed by selecting the latest version of a video. This issue is fixed in iOS 13.4 and iPadOS 13.4. Cropped videos may not be shared properly via Mail. | 2020-04-01 | 5 | CVE-2020-9777 MISC |
apple — ios_and_ipados |
A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4. A maliciously crafted page may interfere with other web contexts. | 2020-04-01 | 4.3 | CVE-2020-3888 MISC |
apple — ios_and_ipados |
The issue was addressed by clearing website permission prompts after navigation. This issue is fixed in iOS 13.4 and iPadOS 13.4. A user may grant website permissions to a site they didn’t intend to. | 2020-04-01 | 5 | CVE-2020-9781 MISC |
apple — ios_and_ipados |
The issue was addressed with improved deletion. This issue is fixed in iOS 13.4 and iPadOS 13.4. Deleted messages groups may still be suggested as an autocompletion. | 2020-04-01 | 5 | CVE-2020-3890 MISC |
apple — ios_and_ipados |
An issue existed in the handling of tabs displaying picture in picture video. The issue was corrected with improved state handling. This issue is fixed in iOS 13.4 and iPadOS 13.4. A user’s private browsing activity may be unexpectedly saved in Screen Time. | 2020-04-01 | 5 | CVE-2020-9775 MISC |
apple — macos_catalina |
This issue was addressed with a new entitlement. This issue is fixed in macOS Catalina 10.15.4. A malicious application may be able to access a user’s call history. | 2020-04-01 | 4.3 | CVE-2020-9776 MISC |
apple — macos_high_sierra_and_catalina | An injection issue was addressed with improved validation. This issue is fixed in macOS Catalina 10.15.4. A remote attacker may be able to cause arbitrary JavaScript code execution. | 2020-04-01 | 4.3 | CVE-2020-3884 MISC |
apple — macos_mojave_and_catalina |
A logic issue was addressed with improved restrictions. This issue is fixed in macOS Catalina 10.15.4. A maliciously crafted application may be able to bypass code signing enforcement. | 2020-04-01 | 6.8 | CVE-2020-3906 MISC |
apple — macos_mojave_and_catalina_and_high_sierra |
An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.4. A local user may be able to cause unexpected system termination or read kernel memory. | 2020-04-01 | 6.6 | CVE-2020-3908 MISC |
apple — macos_mojave_and_catalina_and_high_sierra |
An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.4. A local user may be able to cause unexpected system termination or read kernel memory. | 2020-04-01 | 6.6 | CVE-2020-3912 MISC |
apple — macos_mojave_and_catalina_and_high_sierra |
An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.4. A local user may be able to cause unexpected system termination or read kernel memory. | 2020-04-01 | 6.6 | CVE-2020-3907 MISC |
apple — multiple_devices |
A use after free issue was addressed with improved memory management. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Processing maliciously crafted web content may lead to code execution. | 2020-04-01 | 6.8 | CVE-2020-9783 MISC MISC MISC MISC MISC MISC |
apple — multiple_products | A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. An application may be able to read restricted memory. | 2020-04-01 | 4.3 | CVE-2020-3914 MISC MISC MISC MISC |
apple — multiple_products | A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. A download’s origin may be incorrectly associated. | 2020-04-01 | 4.3 | CVE-2020-3887 MISC MISC MISC MISC MISC MISC |
apple — multiple_products |
The issue was addressed with improved handling of icon caches. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. A malicious application may be able to identify what other applications a user has installed. | 2020-04-01 | 4.3 | CVE-2020-9773 MISC MISC MISC MISC |
apple — multiple_products |
A permissions issue existed. This issue was addressed with improved permission validation. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, watchOS 6.2. A malicious application may be able to elevate privileges. | 2020-04-01 | 6.8 | CVE-2020-3913 MISC MISC MISC |
apple — multiple_products |
An input validation issue was addressed with improved input validation. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Processing maliciously crafted web content may lead to a cross site scripting attack. | 2020-04-01 | 4.3 | CVE-2020-3902 MISC MISC MISC MISC MISC MISC |
apple — multiple_products |
A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Processing maliciously crafted web content may lead to arbitrary code execution. | 2020-04-01 | 6.8 | CVE-2020-3900 MISC MISC MISC MISC MISC MISC MISC |
apple — multiple_products |
An access issue was addressed with additional sandbox restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, watchOS 6.2. Setting an alternate app icon may disclose a photo without needing permission to access photos. | 2020-04-01 | 5 | CVE-2020-3916 MISC MISC |
apple — multiple_products |
A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Processing maliciously crafted web content may lead to arbitrary code execution. | 2020-04-01 | 6.8 | CVE-2020-3901 MISC MISC MISC MISC MISC MISC MISC |
apple — safari |
A logic issue was addressed with improved restrictions. This issue is fixed in Safari 13.1. A malicious iframe may use another website’s download settings. | 2020-04-01 | 4.3 | CVE-2020-9784 MISC |
avast — avast_antivirus |
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to make arbitrary changes to the Components section of the Stats.ini file via RPC from a Low Integrity process. | 2020-04-01 | 5 | CVE-2020-10865 MISC MISC MISC |
avast — avast_antivirus |
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to achieve Arbitrary File Deletion from Avast Program Path via RPC, when Self Defense is Enabled. | 2020-04-01 | 6.4 | CVE-2020-10861 MISC MISC MISC |
avast — avast_antivirus |
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to launch the Repair App RPC call from a Low Integrity process. | 2020-04-01 | 5 | CVE-2020-10868 MISC MISC MISC |
avast — avast_antivirus |
An issue was discovered in Avast Antivirus before 20. An Arbitrary Memory Address Overwrite vulnerability in the aswAvLog Log Library results in Denial of Service of the Avast Service (AvastSvc.exe). | 2020-04-01 | 5 | CVE-2020-10860 MISC MISC MISC |
avast — avast_antivirus |
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to trigger a shutdown via RPC from a Low Integrity process via TempShutDownMachine. | 2020-04-01 | 5 | CVE-2020-10863 MISC MISC MISC |
avast — avast_antivirus |
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to achieve Local Privilege Escalation (LPE) via RPC. | 2020-04-01 | 4.6 | CVE-2020-10862 MISC MISC MISC |
avast — avast_antivirus |
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to trigger a reboot via RPC from a Low Integrity process. | 2020-04-01 | 5 | CVE-2020-10864 MISC MISC MISC |
avast — avast_antivirus |
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to enumerate the network interfaces and access points from a Low Integrity process via RPC. | 2020-04-01 | 5 | CVE-2020-10866 MISC MISC MISC |
cacagoo — cloud_storage_intelligent_camera_tv_288zd-2mp |
The CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 allows access to the RTSP service without a password. | 2020-04-02 | 5 | CVE-2020-9349 MISC MISC |
deskpro — deskpro |
An issue was discovered in Deskpro before 2019.8.0. The /api/people endpoint failed to properly validate a user’s privilege, allowing an attacker to retrieve sensitive information about all users registered on the system. This includes their full name, privilege, email address, phone number, etc. | 2020-04-01 | 4 | CVE-2020-11464 MISC MISC MISC |
deskpro — deskpro |
An issue was discovered in Deskpro before 2019.8.0. The /api/tickets endpoint failed to properly validate a user’s privilege, allowing an attacker to retrieve arbitrary information about all helpdesk tickets stored in database with numerous filters. This leaked sensitive information to unauthorized parties. Additionally, it leaked ticket authentication code, making it possible to make changes to a ticket. | 2020-04-01 | 4 | CVE-2020-11466 MISC MISC MISC |
deskpro — deskpro |
An issue was discovered in Deskpro before 2019.8.0. The /api/email_accounts endpoint failed to properly validate a user’s privilege, allowing an attacker to retrieve cleartext credentials of all helpdesk email accounts, including incoming and outgoing email credentials. This enables an attacker to get full access to all emails sent or received by the system including password reset emails, making it possible to reset any user’s password. | 2020-04-01 | 5 | CVE-2020-11463 MISC MISC MISC |
deskpro — deskpro |
An issue was discovered in Deskpro before 2019.8.0. The /api/apps/* endpoints failed to properly validate a user’s privilege, allowing an attacker to control/install helpdesk applications and leak current applications’ configurations, including applications used as user sources (used for authentication). This enables an attacker to forge valid authentication models that resemble any user on the system. | 2020-04-01 | 6.5 | CVE-2020-11465 MISC MISC MISC |
deskpro — deskpro |
An issue was discovered in Deskpro before 2019.8.0. This product enables administrators to modify the helpdesk interface by editing /portal/api/style/edit-theme-set/template-sources theme templates, and uses TWIG as its template engine. While direct access to self and _self variables was not permitted, one could abuse the accessible variables in one’s context to reach a native unserialize function via the code parameter. There, one could pass a crafted payload to trigger a set of POP gadgets in order to achieve remote code execution. | 2020-04-01 | 6.5 | CVE-2020-11467 MISC MISC MISC |
f5 — big-ip | On BIG-IP 15.1.0.1, specially formatted HTTP/3 messages may cause TMM to produce a core file. | 2020-03-27 | 5 | CVE-2020-5859 MISC |
f5 — big-ip | On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.2, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, undisclosed HTTP behavior may lead to a denial of service. | 2020-03-27 | 5 | CVE-2020-5857 MISC |
f5 — big-ip | On BIG-IP 15.1.0-15.1.0.1, 15.0.0-15.0.1.1, and 14.1.0-14.1.2.2, under certain conditions, TMM may crash or stop processing new traffic with the DPDK/ENA driver on AWS systems while sending traffic. This issue does not affect any other platforms, hardware or virtual, or any other cloud provider since the affected driver is specific to AWS. | 2020-03-27 | 5 | CVE-2020-5862 MISC |
f5 — big-ip | On BIG-IP 12.1.0-12.1.5, the TMM process may produce a core file in some cases when Ram Cache incorrectly optimizes stored data resulting in memory errors. | 2020-03-27 | 5 | CVE-2020-5861 MISC |
f5 — big-ip |
On BIG-IP 15.0.0-15.0.1.2, 14.1.0-14.1.2.2, 13.1.0-13.1.3.2, 12.1.0-12.1.5, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, users with non-administrator roles (for example, Guest or Resource Administrator) with tmsh shell access can execute arbitrary commands with elevated privilege via a crafted tmsh command. | 2020-03-27 | 4.6 | CVE-2020-5858 MISC |
f5 — big-ip_and_big-iq |
On BIG-IP 15.0.0-15.1.0.2, 14.1.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5.1, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, in a High Availability (HA) network failover in Device Service Cluster (DSC), the failover service does not require a strong form of authentication and HA network failover traffic is not encrypted by Transport Layer Security (TLS). | 2020-03-27 | 6.8 | CVE-2020-5860 MISC |
fasterxml — jackson-databind |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). | 2020-03-31 | 6.8 | CVE-2020-11111 MISC MISC CONFIRM |
fasterxml — jackson-databind |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). | 2020-03-31 | 6.8 | CVE-2020-11113 MISC MISC CONFIRM |
fasterxml — jackson-databind |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). | 2020-03-31 | 6.8 | CVE-2020-11112 MISC MISC CONFIRM |
fortinet — fortios |
An external control of system vulnerability in FortiOS may allow an authenticated, regular user to change the routing settings of the device via connecting to the ZebOS component. | 2020-04-02 | 6.5 | CVE-2018-13371 MISC |
gitlab — gitlab |
GitLab through 12.9 is affected by a potential DoS in repository archive download. | 2020-03-27 | 5 | CVE-2020-10954 CONFIRM MISC |
gitlab — gitlab_community_and_enterprise_editions |
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images. | 2020-03-27 | 5.8 | CVE-2020-10952 CONFIRM MISC |
gitlab — gitlab_community_and_enterprise_editions |
GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders. | 2020-03-27 | 4 | CVE-2020-10955 CONFIRM MISC |
gitlab — gitlab_enterprise_edition |
In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a path traversal issue. | 2020-03-27 | 5 | CVE-2020-10953 CONFIRM MISC |
grandstream — ucm6200_series_devices |
The UCM6200 series 1.0.20.22 and below stores unencrypted user passwords in an SQLite database. This could allow an attacker to retrieve all passwords and possibly gain elevated privileges. | 2020-03-30 | 5 | CVE-2020-5723 CONFIRM |
grandstream — ucm6200_series_devices |
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server’s websockify endpoint. A remote unauthenticated attacker can invoke the login action with a crafted username and, through the use of timing attacks, can discover user passwords. | 2020-03-30 | 4.3 | CVE-2020-5725 MISC CONFIRM |
grandstream — ucm6200_series_devices |
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the CTI server on port 8888. A remote unauthenticated attacker can invoke the challenge action with a crafted username and discover user passwords. | 2020-03-30 | 5 | CVE-2020-5726 MISC CONFIRM |
grandstream — ucm6200_series_devices |
The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server’s websockify endpoint. A remote unauthenticated attacker can invoke the challenge action with a crafted username and discover user passwords. | 2020-03-30 | 5 | CVE-2020-5724 CONFIRM |
gstreamer — gst-rtsp-server | An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer dereference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability. | 2020-03-27 | 5 | CVE-2020-6095 MISC MISC |
haproxy — haproxy |
In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution. | 2020-04-02 | 6.5 | CVE-2020-11100 SUSE MISC CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
huawei — multiple_smartax_devices | There is a buffer overflow vulnerability in some Huawei products. The vulnerability can be exploited by an attacker to perform remote code execution on the affected products when the affected product functions as an optical line terminal (OLT). Affected product versions include: SmartAX MA5600T versions V800R013C10, V800R015C00, V800R015C10, V800R017C00, V800R017C10, V800R018C00, V800R018C10; SmartAX MA5800 versions V100R017C00, V100R017C10, V100R018C00, V100R018C10, V100R019C10; SmartAX EA5800 versions V100R018C00, V100R018C10, V100R019C10. | 2020-04-02 | 5.2 | CVE-2020-9067 CONFIRM |
ibm — process_federation_server |
The IBM Process Federation Server 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, and 19.0.0.3 Global Teams REST API does not properly shut down the thread pools that it creates to retrieve Global Teams information from the federated systems. As a consequence, the Java Virtual Machine can’t recover the memory used by those thread pools, which leads to an OutOfMemory exception when the Process Federation Server Global Teams REST API is used extensively. IBM X-Force ID: 177596. | 2020-04-02 | 4 | CVE-2020-4325 XF CONFIRM |
ibm — spectrum_protect_plus |
IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to overwrite or create arbitrary files on the system. IBM X-Force ID: 175417. | 2020-03-31 | 6.4 | CVE-2020-4240 XF CONFIRM |
ibm — spectrum_protect_plus |
IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote attacker to arbitrarily delete a directory, caused by improper validation of user-supplied input. IBM X-Force ID: 175026. | 2020-03-31 | 6.4 | CVE-2020-4214 XF CONFIRM |
ibm — tivoli_netcool_impact |
IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 175412. | 2020-03-31 | 5 | CVE-2020-4239 XF CONFIRM |
ibm — tivoli_netcool_impact |
IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 175411. | 2020-03-31 | 6.8 | CVE-2020-4238 XF CONFIRM |
ibm — tivoli_netcool_impact |
IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 175410. | 2020-03-31 | 6.8 | CVE-2020-4237 XF CONFIRM |
ibm — tivoli_netcool_impact |
IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 could allow an authenticated user to cause a denial of service due to improper content parsing in the project management module. IBM X-Force ID: 175409. | 2020-03-31 | 4 | CVE-2020-4236 XF CONFIRM |
ibm — websphere_application_server_liberty |
IBM WebSphere Application Server – Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176670. | 2020-04-02 | 4.3 | CVE-2020-4304 XF CONFIRM |
ibm — websphere_application_server_liberty |
IBM WebSphere Application Server – Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176668. | 2020-04-02 | 4.3 | CVE-2020-4303 XF CONFIRM |
intland_software — codebeamer | codeBeamer before 9.5.0-RC3 does not properly restrict the ability to execute custom Java code and access the Java class loader via computed fields. | 2020-04-02 | 4.3 | CVE-2019-20635 MISC |
kubernetes — api_server | The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests. | 2020-03-27 | 5 | CVE-2020-8552 MISC MISC |
kubernetes — api_server |
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML. | 2020-04-01 | 4 | CVE-2019-11254 MISC MISC |
leantime — leantime |
Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. The impact is high. Malicious users/attackers can execute arbitrary SQL queries negatively affecting the confidentiality, integrity, and availability of the site. Attackers can exfiltrate data like the users’ and administrators’ password hashes, modify data, or drop tables. The unescaped parameter is “searchUsers” when sending a POST request to “/tickets/showKanban” with a valid session. In the code, the parameter is named “users” in class.tickets.php. This issue is fixed in versions 2.0.15 and 2.1.0 beta 3. | 2020-03-31 | 6.5 | CVE-2020-5292 MISC MISC CONFIRM |
lenovo — lenovo_solution_center |
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A vulnerability was discovered (fixed and publicly disclosed in 2015) in Lenovo Solution Center (LSC) prior to version 3.3.002 that could allow cross-site request forgery. | 2020-03-27 | 6.8 | CVE-2015-8536 MISC |
lenovo — multiple_devices |
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A race condition was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and prior that could allow a user to execute arbitrary code with elevated privileges. | 2020-03-27 | 6.9 | CVE-2015-7335 MISC |
lenovo — multiple_devices |
MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A vulnerability was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and prior that could allow the signature check of an update to be bypassed. | 2020-03-27 | 5 | CVE-2015-7336 MISC |
limesurvey — limesurvey |
LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php. | 2020-04-01 | 5 | CVE-2020-11455 MISC |
limesurvey — limesurvey |
LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups). | 2020-04-01 | 4.3 | CVE-2020-11456 MISC |
microstrategy — web_services |
The Upload Visualization plugin in the Microstrategy Web 10.4 admin panel allows an administrator to upload a ZIP archive containing files with arbitrary extensions and data. (This is also exploitable via SSRF.) | 2020-04-02 | 6.5 | CVE-2020-11451 MISC FULLDISC MISC MISC |
microstrategy — web_services |
Microstrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and, while it is not possible to pass parameters in the SSRF request, it is still possible to exploit it to conduct port scanning. An attacker could exploit this vulnerability to enumerate the resources allocated in the network (IP addresses and services exposed). | 2020-04-02 | 5 | CVE-2020-11453 MISC FULLDISC MISC MISC |
microstrategy — web_services |
Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL /MicroStrategyWS/happyaxis.jsp. An attacker could use this vulnerability to learn more about the environment the application is running in. | 2020-04-02 | 5 | CVE-2020-11450 MISC FULLDISC MISC MISC |
microstrategy — web_services |
Microstrategy Web 10.4 includes functionality to allow users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it’s possible to send requests to external resources (aka SSRF) or leak files from the local system using the file:// stream wrapper. | 2020-04-02 | 4 | CVE-2020-11452 MISC FULLDISC MISC MISC |
misp_project — misp |
app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not cause a leak of the full contents of a file, but does cause a leak of strings that match certain patterns. Among the data that can leak are passwords from database.php or GPG key passphrases from config.php. | 2020-04-02 | 4 | CVE-2020-11458 MISC MISC |
mongodb — js-bson |
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. | 2020-03-31 | 5.5 | CVE-2019-2391 CONFIRM |
moodle — moodle |
A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier. OAuth 2 providers who do not verify users’ email address changes require additional verification during sign-up to reduce the risk of account compromise. | 2020-03-31 | 6.4 | CVE-2019-14880 CONFIRM MISC |
open_source_social_network — open_source_social_network | An issue was discovered in Open Source Social Network (OSSN) through 5.3. A user-controlled file path with a weak cryptographic rand() can be used to read any file with the permissions of the webserver. This can lead to further compromise. The attacker must conduct a brute-force attack against the SiteKey to insert into a crafted URL for components/OssnComments/ossn_com.php and/or libraries/ossn.lib.upgrade.php. | 2020-03-30 | 4.3 | CVE-2020-10560 MISC MISC |
osmand — osmand |
Osmand through 2.0.0 allows XXE because of binary/BinaryMapIndexReader.java. | 2020-03-27 | 6.4 | CVE-2020-10993 MISC |
otrs — open_ticket_request_system_and_open_ticket_request_system_community_edition |
An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users’ session IDs, password reset tokens and automatically generated passwords. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. | 2020-03-27 | 5.5 | CVE-2020-1773 MISC |
otrs — open_ticket_request_system_and_open_ticket_request_system_community_edition |
In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered a security issue. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. | 2020-03-27 | 4 | CVE-2020-1769 MISC |
otrs — open_ticket_request_system_and_open_ticket_request_system_community_edition |
It’s possible to craft Lost Password requests with wildcards in the Token value, which allows an attacker to retrieve valid Token(s) generated by users who already requested new passwords. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. | 2020-03-27 | 5 | CVE-2020-1772 MISC |
otrs — open_ticket_request_system_and_open_ticket_request_system_community_edition |
Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. | 2020-03-27 | 4 | CVE-2020-1770 MISC |
phoenix_contact — pc_worx_srt | Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation. | 2020-03-27 | 4.6 | CVE-2020-10939 CONFIRM |
phoenix_contact — portico_server | Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service. | 2020-03-27 | 4.6 | CVE-2020-10940 CONFIRM |
php — php | In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while parsing EXIF data with exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of uninitialized memory. This could potentially lead to information disclosure or crash. | 2020-04-01 | 5.8 | CVE-2020-7064 MISC CONFIRM |
php — php |
In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution. | 2020-04-01 | 6.8 | CVE-2020-7065 MISC CONFIRM |
php — php |
In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while using get_headers() with user-supplied URL, if the URL contains zero (\0) character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() and possibly send some information to a wrong server. | 2020-04-01 | 4.3 | CVE-2020-7066 MISC CONFIRM |
progress_software — telerik_ui_for_silverlight |
An issue was discovered in Progress Telerik UI for Silverlight before 2020.1.330. The RadUploadHandler class in RadUpload for Silverlight expects a web request that provides the file location of the uploading file along with a few other parameters. The uploading file location should be inside the directory where the upload handler class is defined. Before 2020.1.330, a crafted web request could result in uploads to arbitrary locations. | 2020-03-31 | 5 | CVE-2020-11414 MISC |
proofpoint — email_protection | An issue was discovered in Proofpoint Email Protection through 2019-09-08. By collecting scores from Proofpoint email headers, it is possible to build a copy-cat Machine Learning Classification model and extract insights from this model. The insights gathered allow an attacker to craft emails that receive preferable scores, with a goal of delivering malicious emails. | 2020-03-30 | 6.4 | CVE-2019-20634 MISC MISC |
red_hat — ansible_engine |
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where Ansible’s nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues. | 2020-03-31 | 4.6 | CVE-2019-14905 REDHAT REDHAT CONFIRM FEDORA |
red_hat — openshift/apb-base |
An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/apb-base, affecting versions before the following 4.3.5, 4.2.21, 4.1.37, and 3.11.188-4. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. | 2020-04-02 | 4.4 | CVE-2019-19348 CONFIRM |
red_hat — openshift/mariadb-apb |
An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/mariadb-apb, affecting versions before the following 4.3.5, 4.2.21, 4.1.37, and 3.11.188-4. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. | 2020-04-02 | 4.4 | CVE-2019-19346 CONFIRM |
redpwn — redpwnctf |
In RedpwnCTF before version 2.3, there is a session fixation vulnerability exploitable through the `#token=$ssid` hash when making a request to the `/verify` endpoint. An attacker team could potentially steal flags by, for example, exploiting a stored XSS payload in a CTF challenge so that victim teams who solve the challenge are unknowingly (and against their will) signed into the attacker team's account. Then, the attacker can gain points / value off the backs of the victims. This is patched in version 2.3. | 2020-04-01 | 4.3 | CVE-2020-5290 MISC CONFIRM |
responsive_filemanager — responsive_filemanager | An issue was discovered in Responsive Filemanager through 9.14.0. In the dialog.php page, the session variable $_SESSION['RF']["view_type"] wasn’t sanitized if it was already set. This made stored XSS possible if one opens ajax_calls.php and uses the “view” action and places a payload in the type parameter, and then returns to the dialog.php page. This occurs because ajax_calls.php was also able to set the $_SESSION['RF']["view_type"] variable, but there it wasn’t sanitized. | 2020-03-30 | 4.3 | CVE-2020-11106 MISC |
sunnet_technology — ehrd | Sunnet eHRD, a human training and development management system, improperly stores system files. Attackers can use a specific URL and capture confidential information. | 2020-03-27 | 5 | CVE-2020-10508 CONFIRM MISC |
sunnet_technology — ehrd | Sunnet eHRD, a human training and development management system, contains a Cross-Site Scripting (XSS) vulnerability; attackers can inject arbitrary commands into the system and launch an XSS attack. | 2020-03-27 | 4.3 | CVE-2020-10509 CONFIRM MISC |
sunnet_technology — ehrd |
Sunnet eHRD, a human training and development management system, contains a vulnerability of Broken Access Control. After login, attackers can use a specific URL, access unauthorized functionality and data. | 2020-03-27 | 4 | CVE-2020-10510 CONFIRM MISC |
symfony — symfony |
In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fall back to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7. | 2020-03-30 | 4 | CVE-2020-5255 MISC CONFIRM MISC |
symfony — symfony |
In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks an access control rule, it iterates over each rule’s attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of the next attributes that should have been taken into account in a unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy to be applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7. | 2020-03-30 | 5.5 | CVE-2020-5275 CONFIRM CONFIRM |
symfony — symfony |
In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered its stacktrace. In addition, the stacktrace was displayed even in a non-debug configuration. The ErrorHandler now escapes all properties of the exception, and the stacktrace is only displayed in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5. | 2020-03-30 | 5.5 | CVE-2020-5274 MISC MISC CONFIRM |
technicolor — tc7337_devices |
An issue was discovered on Technicolor TC7337 8.89.17 devices. An attacker can discover admin credentials in the backup file, aka backupsettings.conf. | 2020-04-01 | 5 | CVE-2020-11449 MISC |
tikiwiki — groupware_and_cms |
There is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in php webpages of Tiki-Wiki Groupware. Tiki-Wiki CMS all versions through 20.0 allows malicious users to cause the injection of malicious code fragments (scripts) into a legitimate web page. | 2020-04-01 | 4.3 | CVE-2020-8966 CONFIRM CONFIRM |
totemo — totemomail | An insecure direct object reference in webmail in totemo totemomail 7.0.0 allows an authenticated remote user to read and modify mail folder names of other users via enumeration. | 2020-03-27 | 5.5 | CVE-2020-7918 MISC MISC |
toyota — model_year_2017_display_control_unit |
Toyota 2017 Model Year DCU (Display Control Unit) allows an unauthenticated attacker within Bluetooth range to cause a denial of service attack and/or execute an arbitrary command. The affected DCUs are installed in Lexus (LC, LS, NX, RC, RC F), TOYOTA CAMRY, and TOYOTA SIENNA manufactured in the regions other than Japan from Oct. 2016 to Oct. 2019. An attacker with certain knowledge on the target vehicle control system may be able to send some diagnostic commands to ECUs with some limited availability impacts; the vendor states critical vehicle controls such as driving, turning, and stopping are not affected. | 2020-03-30 | 5.4 | CVE-2020-5551 MISC MISC |
ubiquiti — unifi_video_controller | The UniFi Video Server (Windows) web interface configuration restore functionality at the “backup” and “wizard” endpoints does not implement sufficient privilege checks. Low privileged users, belonging to the PUBLIC_GROUP or CUSTOM_GROUP groups, can access these endpoints and overwrite the current application configuration. This can be abused for various purposes, including adding new administrative users. Affected Products: UniFi Video Controller v3.9.3 (for Windows 7/8/10 x64) and prior. Fixed in UniFi Video Controller v3.9.6 and newer. | 2020-04-01 | 4 | CVE-2020-8145 CONFIRM |
ubiquiti — unifi_video_controller |
In UniFi Video v3.10.1 (for Windows 7/8/10 x64) there is a Local Privileges Escalation to SYSTEM from arbitrary file deletion and DLL hijack vulnerabilities. The issue was fixed by adjusting the .tsExport folder when the controller is running on Windows and adjusting the SafeDllSearchMode in the windows registry when installing UniFi-Video controller. Affected Products: UniFi Video Controller v3.10.2 (for Windows 7/8/10 x64) and prior. Fixed in UniFi Video Controller v3.10.3 and newer. | 2020-04-01 | 6.9 | CVE-2020-8146 CONFIRM |
ubiquiti — unifi_video_controller |
The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware update information. If the version field contains ..\ character sequences, the destination file path to save the firmware can be manipulated to be outside the intended destination directory tree. Fixed in UniFi Video Controller v3.10.3 and newer. | 2020-04-01 | 5.2 | CVE-2020-8144 CONFIRM |
unisoon — ultralog_express | UltraLog Express device management software stores user’s information in cleartext. Any user can obtain accounts information through a specific page. | 2020-03-27 | 5 | CVE-2020-3921 MISC |
unisoon — ultralog_express |
UltraLog Express device management interface does not properly perform access authentication in some specific pages/functions. Any user can access the privileged page to manage accounts through specific system directory. | 2020-03-27 | 5.5 | CVE-2020-3920 MISC |
university_of_southern_california — innovation_in_integrated_informatics_lab_cereal |
An issue was discovered in USC iLab cereal through 1.3.0. Serialization of an (initialized) C/C++ long double variable into a BinaryArchive or PortableBinaryArchive leaks several bytes of stack or heap memory, from which sensitive information (such as memory layout or private keys) can be gleaned if the archive is distributed outside of a trusted context. | 2020-03-30 | 5 | CVE-2020-11104 MISC |
vertiv — avocent_universal_management_gateway | The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is vulnerable to stored XSS. A remote attacker authenticated with an administrator account could store a maliciously named file within the web application that would execute each time a user browsed to the page. | 2020-03-30 | 6 | CVE-2019-9508 MISC MISC |
vertiv — avocent_universal_management_gateway |
The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is vulnerable to reflected XSS in an HTTP POST parameter. The web application does not neutralize user-controllable input before displaying to users in a web page, which could allow a remote attacker authenticated with a user account to execute arbitrary code. | 2020-03-30 | 6.5 | CVE-2019-9509 MISC MISC |
weberp — weberp |
In webERP 4.15, the Import Bank Transactions function fails to sanitize the content of imported MT940 bank statement files, resulting in the execution of arbitrary SQL queries, aka SQL Injection. | 2020-03-30 | 6.5 | CVE-2019-7755 MISC MISC MISC |
wordpress — wordpress | A stored cross-site scripting (XSS) vulnerability exists in the Auth0 plugin before 4.0.0 for WordPress via the settings page. | 2020-04-01 | 4.3 | CVE-2020-5392 CONFIRM MISC CONFIRM |
wordpress — wordpress | The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued. | 2020-03-27 | 6.5 | CVE-2020-10817 MISC MISC |
wordpress — wordpress |
An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. A user can perform an insecure direct object reference. | 2020-04-01 | 6.5 | CVE-2020-7948 MISC CONFIRM CONFIRM MISC |
wordpress — wordpress |
Cross-site request forgery (CSRF) vulnerabilities exist in the Auth0 plugin before 4.0.0 for WordPress via the domain field. | 2020-04-01 | 6.8 | CVE-2020-5391 CONFIRM MISC CONFIRM |
wordpress — wordpress |
The Login by Auth0 plugin before 4.0.0 for WordPress allows stored XSS on multiple pages, a different issue than CVE-2020-5392. | 2020-04-01 | 4.3 | CVE-2020-6753 CONFIRM MISC CONFIRM |
yahoo — elide |
In Elide before 4.5.14, it is possible for an adversary to “guess and check” the value of a model field they do not have access to assuming they can read at least one other field in the model. The adversary can construct filter expressions for an inaccessible field to filter a collection. The presence or absence of models in the returned collection can be used to reconstruct the value of the inaccessible field. Resolved in Elide 4.5.14 and greater. | 2020-03-30 | 4 | CVE-2020-5289 MISC MISC CONFIRM |
zeit — next.js |
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2. | 2020-03-30 | 5 | CVE-2020-5284 MISC CONFIRM |
zevenet — zen_load_balancer |
Monitoring::Logs in Zen Load Balancer 3.10.1 allows remote authenticated admins to conduct absolute path traversal attacks, as demonstrated by a filelog=/etc/shadow request to index.cgi. | 2020-04-02 | 4 | CVE-2020-11491 MISC MISC |
zoho — manageengine_desktop_central | Zoho ManageEngine Desktop Central allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure. | 2020-03-30 | 5 | CVE-2020-8509 CONFIRM |
Low Vulnerabilities
Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
abb — esoms |
The Redis data structure component used in ABB eSOMS versions 6.0 to 6.0.2 stores credentials in clear text. If an attacker has file system access, this can potentially compromise the credentials’ confidentiality. | 2020-04-02 | 3.6 | CVE-2019-19096 CONFIRM |
abb — esoms |
Lack of adequate input/output validation for ABB eSOMS versions 4.0 to 6.0.2 might allow an attacker to conduct attacks such as stored cross-site scripting by storing malicious content in the database. | 2020-04-02 | 3.5 | CVE-2019-19095 CONFIRM |
abb — esoms |
For ABB eSOMS versions 4.0 to 6.0.2, the X-XSS-Protection HTTP response header is not set in responses from the web server. For older web browsers not supporting Content Security Policy, this might increase the risk of Cross Site Scripting. | 2020-04-02 | 3.5 | CVE-2019-19002 CONFIRM |
abb — esoms |
For ABB eSOMS versions 4.0 to 6.0.2, the Secure Flag is not set in the HTTP response header. Unencrypted connections might access the cookie information, thus making it susceptible to eavesdropping. | 2020-04-02 | 3.5 | CVE-2019-19090 CONFIRM |
abb — esoms |
ABB eSOMS versions 4.0 to 6.0.3 use ASP.NET Viewstate without Message Authentication Code (MAC). Alterations to Viewstate might thus not be noticed. | 2020-04-02 | 3.5 | CVE-2019-19092 CONFIRM |
apache — cxf |
Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘createMBServerConnectorFactory’ property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX. | 2020-04-01 | 2.9 | CVE-2020-1954 MISC |
apache — druid |
When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured. Callers of Druid APIs can also retrieve any LDAP attribute values of users that exist on the LDAP server, so long as that information is visible to the Druid server. This information disclosure does not require the caller itself to be a valid LDAP user. | 2020-04-01 | 3.5 | CVE-2020-1958 MLIST MLIST MLIST MLIST MLIST MISC MLIST MLIST |
apple — ios_and_ipados |
The issue was resolved by clearing application previews when content is deleted. This issue is fixed in iOS 13.4 and iPadOS 13.4. A local user may be able to view deleted content in the app switcher. | 2020-04-01 | 2.1 | CVE-2020-9780 MISC |
apple — macos_catalina |
A logic issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15.4. A local user may be able to view sensitive user information. | 2020-04-01 | 2.1 | CVE-2020-3881 MISC |
apple — multiple_products |
This issue was addressed with a new entitlement. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2. An application may be able to use an SSH client provided by private frameworks. | 2020-04-01 | 2.1 | CVE-2020-3917 MISC MISC MISC |
apple — multiple_products |
A logic issue was addressed with improved state management. This issue is fixed in iOS 13.4 and iPadOS 13.4, watchOS 6.2. A person with physical access to a locked iOS device may be able to respond to messages even when replies are disabled. | 2020-04-01 | 2.1 | CVE-2020-3891 MISC MISC |
apple — multiple_products |
A race condition was addressed with additional validation. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. An application may be able to read restricted memory. | 2020-04-01 | 2.6 | CVE-2020-3894 MISC MISC MISC MISC MISC MISC |
bd — pyxis_medstation_es_system_and_pyxis_anesthesia_es_system |
In BD Pyxis MedStation ES System v1.6.1 and Pyxis Anesthesia (PAS) ES System v1.6.1, a restricted desktop environment escape vulnerability exists in the kiosk mode functionality of affected devices. Specially crafted inputs could allow the user to escape the restricted environment, resulting in access to sensitive data. | 2020-04-01 | 3.6 | CVE-2020-10598 MISC |
gradle — plugin_portal |
All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI) this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own. | 2020-03-30 | 3.3 | CVE-2020-7599 MISC MISC |
ibm — tivoli_netcool_impact |
IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 175408. | 2020-03-31 | 3.5 | CVE-2020-4235 XF CONFIRM |
intland_software — codebeamer_alm |
In Intland codeBeamer ALM 9.5 and earlier, there is stored XSS via the Trackers Title parameter. | 2020-03-30 | 3.5 | CVE-2019-19913 MISC |
intland_software — codebeamer_alm |
In Intland codeBeamer ALM 9.5 and earlier, a cross-site scripting (XSS) vulnerability in the Upload Flash File feature allows authenticated remote attackers to inject arbitrary scripts via an active script embedded in an SWF file. | 2020-03-30 | 3.5 | CVE-2019-19912 MISC |
kubernetes — kubelet |
The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250. | 2020-03-27 | 3.3 | CVE-2020-8551 MISC MISC |
microstrategy — web_services |
Microstrategy Web 10.4 is vulnerable to Stored XSS in the HTML Container and Insert Text features in the window, allowing for the creation of a new dashboard. In order to exploit this vulnerability, a user needs to get access to a shared dashboard or have the ability to create a dashboard on the application. | 2020-04-02 | 3.5 | CVE-2020-11454 MISC FULLDISC MISC MISC |
otrs — open_ticket_request_system_and_open_ticket_request_system_community_edition |
An attacker is able to craft an article with a link to the customer address book with malicious content (JavaScript). When an agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions. | 2020-03-27 | 3.5 | CVE-2020-1771 MISC |
pfsense — pfsense |
pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php in the WebGUI via the descr parameter (aka full name) of a user. | 2020-04-01 | 3.5 | CVE-2020-11457 MISC MISC |
pki-core — pki-core |
A vulnerability was found in all pki-core 10.x.x versions, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code. | 2020-03-31 | 3.5 | CVE-2019-10180 CONFIRM |
sonatype — nexus_repository_manager | Sonatype Nexus Repository before 3.21.2 allows XSS. | 2020-04-01 | 3.5 | CVE-2020-10203 CONFIRM |
versiant — lynx_customer_service_portal |
Versiant LYNX Customer Service Portal (CSP), version 3.5.2, is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to insert malicious JavaScript that is stored and displayed to the end user. This could lead to website redirects, session cookie hijacking, or information disclosure. | 2020-03-30 | 3.5 | CVE-2020-9055 MISC CERT-VN |
zoom — zoom_client_for_meetings |
Zoom Client for Meetings through 4.6.8 on macOS has the disable-library-validation entitlement, which allows a local process (with the user’s privileges) to obtain unprompted microphone and camera access by loading a crafted library and thereby inheriting Zoom Client’s microphone and camera access. | 2020-04-01 | 2.1 | CVE-2020-11470 MISC MISC |
zyxel — xgs2210-52hp_devices |
In firmware version 4.50 of Zyxel XGS2210-52HP, multiple stored cross-site scripting (XSS) issues allow remote authenticated users to inject arbitrary web script via an rpSys.html Name or Location field. | 2020-03-31 | 3.5 | CVE-2019-13495 MISC |
Severity Not Yet Assigned
Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
3xlogic — infinias_eidc32_devices |
3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authentication Bypass via CMD.HTM?CMD= because authentication depends on the client side’s interpretation of the <KEY>MYKEY</KEY> substring. | 2020-04-04 | not yet calculated | CVE-2020-11542 MISC |
apple — macos_catalina |
A logic issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15.4. A local user may be able to read arbitrary files. | 2020-04-01 | not yet calculated | CVE-2020-3889 MISC |
apple — multiple_products |
This issue was addressed with improved checks. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. An application may be able to use arbitrary entitlements. | 2020-04-01 | not yet calculated | CVE-2020-3883 MISC MISC MISC MISC |
apple — multiple_products |
A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. A file URL may be incorrectly processed. | 2020-04-01 | not yet calculated | CVE-2020-3885 MISC MISC MISC MISC MISC MISC |
bit2spr — bit2spr |
bit2spr 1992-06-07 has a stack-based buffer overflow (129-byte write) in conv_bitmap in bit2spr.c via a long line in a bitmap file. | 2020-04-04 | not yet calculated | CVE-2020-11528 MISC MISC |
dell — emc_isilon_onefs |
Dell EMC Isilon OneFS versions 8.2.2 and earlier contain a denial of service vulnerability. SmartConnect had an error condition that may be triggered to loop, using CPU and potentially preventing other SmartConnect DNS responses. | 2020-04-04 | not yet calculated | CVE-2020-5347 MISC |
dell — latitude_7202_rugged_tablet |
Dell Latitude 7202 Rugged Tablet BIOS versions prior to A28 contain a UAF vulnerability in EFI_BOOT_SERVICES in system management mode. A local unauthenticated attacker may exploit this vulnerability by overwriting the EFI_BOOT_SERVICES structure to execute arbitrary code in system management mode. | 2020-04-04 | not yet calculated | CVE-2020-5348 MISC |
eclipse — che |
A flaw was found in the Eclipse Che up to version 7.8.x, where it did not properly restrict access to workspace pods. An authenticated user can exploit this flaw to bypass JWT proxy and gain access to the workspace pods of another user. Successful exploitation requires knowledge of the service name and namespace of the target pod. | 2020-04-03 | not yet calculated | CVE-2020-10689 CONFIRM MISC |
firmware_analysis_and_comparison_tool — firmware_analysis_and_comparison_tool |
Firmware Analysis and Comparison Tool (FACT) 3 has Stored XSS when updating analysis details via a localhost web request, as demonstrated by mishandling of the tags and version fields in helperFunctions/mongo_task_conversion.py. | 2020-04-02 | not yet calculated | CVE-2020-11499 MISC MISC |
get-git-data — get-git-data |
get-git-data through 1.3.1 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the arguments provided to get-git-data. | 2020-04-02 | not yet calculated | CVE-2020-7619 MISC MISC |
gnu_glibc — gnu_glibc |
An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the ‘num’ parameter results in a signed comparison vulnerability. If an attacker underflows the ‘num’ parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data. | 2020-04-01 | not yet calculated | CVE-2020-6096 MISC |
gnutls — gnutls |
GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 ‘\0’ bytes instead of a random value, and thus contributes no randomness to a DTLS negotiation. This breaks the security guarantees of the DTLS protocol. | 2020-04-03 | not yet calculated | CVE-2020-11501 MISC MISC DEBIAN MISC |
grav — grav |
Common/Grav.php in Grav before 1.6.23 has an Open Redirect. | 2020-04-04 | not yet calculated | CVE-2020-11529 MISC MISC |
hirschmann_automation_and_control — hios_and_hisecos |
A buffer overflow vulnerability was found in some devices of Hirschmann Automation and Control HiOS and HiSecOS. The vulnerability is due to improper parsing of URL arguments. An attacker could exploit this vulnerability by specially crafting HTTP requests to overflow an internal buffer. The following devices using HiOS Version 07.0.02 and lower are affected: RSP, RSPE, RSPS, RSPL, MSP, EES, EES, EESX, GRS, OS, RED. The following devices using HiSecOS Version 03.2.00 and lower are affected: EAGLE20/30. | 2020-04-03 | not yet calculated | CVE-2020-6994 MISC |
ibm — spectrum_scale |
IBM Spectrum Scale 4.2 and 5.0 could allow a local unprivileged attacker with intimate knowledge of the environment to execute commands as root using specially crafted input. IBM X-Force ID: 175977. | 2020-04-03 | not yet calculated | CVE-2020-4273 XF CONFIRM |
ibm — strongloop_strong-nginx-controller | strong-nginx-controller through 1.0.2 is vulnerable to Command Injection. It allows execution of arbitrary command as part of the ‘_nginxCmd()’ function. | 2020-04-02 | not yet calculated | CVE-2020-7621 MISC MISC |
ini-parser — ini-parser |
ini-parser through 0.0.2 is vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of Object.prototype using a ‘__proto__’ payload. | 2020-04-02 | not yet calculated | CVE-2020-7617 CONFIRM CONFIRM |
ivanti — workspace_control |
Ivanti Workspace Control before 10.4.30.0, when SCCM integration is enabled, allows local users to obtain sensitive information (keying material). | 2020-04-04 | not yet calculated | CVE-2020-11533 MISC |
jscover — jscover |
jscover through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary command via the source argument. | 2020-04-02 | not yet calculated | CVE-2020-7623 MISC MISC |
linux — linux_kernel |
An issue was discovered in slc_bump in drivers/net/can/slcan.c in the Linux kernel through 5.6.2. It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-b9258a2cece4. | 2020-04-02 | not yet calculated | CVE-2020-11494 MISC |
linux — linux_kernel |
In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780) | 2020-04-02 | not yet calculated | CVE-2020-8835 CONFIRM CONFIRM FEDORA CONFIRM UBUNTU UBUNTU CONFIRM CONFIRM |
mcafee — endpoint_security_for_windows |
Improper access control vulnerability in ESConfigTool.exe in ENS for Windows all current versions allows a local administrator to alter the ENS configuration up to and including disabling all protection offered by ENS via insecurely implemented encryption of configuration for export and import. | 2020-04-01 | not yet calculated | CVE-2020-7263 CONFIRM |
mediawiki — mediawiki |
In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows applying an event handler to any Cascading Style Sheets (CSS) selector. There is no known way to exploit this for cross-site scripting (XSS). | 2020-04-03 | not yet calculated | CVE-2020-10960 CONFIRM CONFIRM |
mitsubishi — multiple_products |
When the MELSOFT transmission port (UDP/IP) of Mitsubishi Electric MELSEC iQ-R series (all versions), MELSEC iQ-F series (all versions), MELSEC Q series (all versions), MELSEC L series (all versions), and MELSEC F series (all versions) receives a massive amount of data via unspecified vectors, resource consumption occurs and the port does not process the data properly. As a result, it may fall into a denial-of-service (DoS) condition. The vendor states this vulnerability only affects Ethernet communication functions. | 2020-03-30 | not yet calculated | CVE-2020-5527 MISC MISC |
netgear — multiple_products |
NETGEAR has released fixes for a pre-authentication command injection in request_handler.php security vulnerability on the following product models: WC7500, running firmware versions prior to 6.5.3.5; WC7520, running firmware versions prior to 2.5.0.46; WC7600v1, running firmware versions prior to 6.5.3.5; WC7600v2, running firmware versions prior to 6.5.3.5; and WC9500, running firmware versions prior to 6.5.3.5. | 2020-04-01 | not yet calculated | CVE-2018-11106 CONFIRM |
parrot — anafi_drone |
Web server running on Parrot ANAFI can be crashed due to the SDK command “Common_CurrentDateTime” being sent to control service with larger than expected date length. | 2020-04-01 | not yet calculated | CVE-2019-3945 MISC |
parrot — anafi_drone |
Parrot ANAFI is vulnerable to Wi-Fi deauthentication attack, allowing remote and unauthenticated attackers to disconnect drone from controller during mid-flight. | 2020-04-01 | not yet calculated | CVE-2019-3944 MISC |
pomelo-monitor — pomelo-monitor |
pomelo-monitor through 0.3.7 is vulnerable to Command Injection. It allows injection of arbitrary commands as part of ‘pomelo-monitor’ params. | 2020-04-02 | not yet calculated | CVE-2020-7620 MISC MISC |
revive_adserver — revive_adserver |
An Open Redirect vulnerability was discovered in Revive Adserver version < 5.0.5 and reported by HackerOne user hoangn144. A remote attacker could trick logged-in users into opening a specifically crafted link and have them redirected to any destination. The CSRF protection of the “/www/admin/*-modify.php” could be skipped if no meaningful parameter was sent. No action was performed, but the user was still redirected to the target page, specified via the “returnurl” GET parameter. | 2020-04-03 | not yet calculated | CVE-2020-8143 MISC MISC |
revive_adserver — revive_adserver |
A security restriction bypass vulnerability has been discovered in Revive Adserver version < 5.0.5 by HackerOne user hoangn144. Revive Adserver, like many other applications, requires the logged in user to type the current password in order to change the e-mail address or the password. It was however possible for anyone with access to a Revive Adserver admin user interface to bypass this check and change the e-mail address or password of the currently logged in user by altering the form payload. The attack requires physical access to the user interface of a logged in user. If the POST payload was altered by turning the “pwold” parameter into an array, Revive Adserver would fetch and authorise the operation even if no password was provided. | 2020-04-03 | not yet calculated | CVE-2020-8142 MISC MISC |
slack — nebula |
Slack Nebula through 1.1.0 contains a relative path vulnerability that allows a low-privileged attacker to execute code in the context of the root user via tun_darwin.go or tun_windows.go. A user can also use Nebula to execute arbitrary code in the user’s own context, e.g., for user-level persistence or to bypass security controls. NOTE: the vendor states that this “requires a high degree of access and other preconditions that are tough to achieve.” | 2020-04-02 | not yet calculated | CVE-2020-11498 MISC MISC |
sonatype — nexus_repository_manager |
Sonatype Nexus Repository Manager 3.x up to and including 3.21.2 has Incorrect Access Control. | 2020-04-02 | not yet calculated | CVE-2020-11444 MISC CONFIRM |
starface — ucc_client |
STARFACE UCC Client before 6.7.1.204 on Windows allows binary planting to execute code with System rights, aka usd-2020-0006. | 2020-04-02 | not yet calculated | CVE-2020-10515 MISC CONFIRM MISC |
suse — linux_enterprise_server_12_autoyast2_and15_autoyast2 |
An Insufficient Verification of Data Authenticity vulnerability in autoyast2 of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows remote attackers to MITM connections when deprecated and unused functionality of autoyast is used to create images. This issue affects: SUSE Linux Enterprise Server 12 autoyast2 version 4.1.9-3.9.1 and prior versions. SUSE Linux Enterprise Server 15 autoyast2 version 4.0.70-3.20.1 and prior versions. | 2020-04-03 | not yet calculated | CVE-2019-18905 CONFIRM |
suse — multiple_products |
A Race Condition Enabling Link Following vulnerability in the packaging of texlive-filesystem of SUSE Linux Enterprise Module for Desktop Applications 15-SP1, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1 allows local users to corrupt files or potentially escalate privileges. This issue affects: SUSE Linux Enterprise Module for Desktop Applications 15-SP1 texlive-filesystem versions prior to 2017.135-9.5.1. SUSE Linux Enterprise Software Development Kit 12-SP4 texlive-filesystem versions prior to 2013.74-16.5.1. SUSE Linux Enterprise Software Development Kit 12-SP5 texlive-filesystem versions prior to 2013.74-16.5.1. openSUSE Leap 15.1 texlive-filesystem versions prior to 2017.135-lp151.8.3.1. | 2020-04-02 | not yet calculated | CVE-2020-8016 CONFIRM |
suse — multiple_products |
A Race Condition Enabling Link Following vulnerability in the cron job shipped with texlive-filesystem of SUSE Linux Enterprise Module for Desktop Applications 15-SP1, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1 allows local users in group mktex to delete arbitrary files on the system. This issue affects: SUSE Linux Enterprise Module for Desktop Applications 15-SP1 texlive-filesystem versions prior to 2017.135-9.5.1. SUSE Linux Enterprise Software Development Kit 12-SP4 texlive-filesystem versions prior to 2013.74-16.5.1. SUSE Linux Enterprise Software Development Kit 12-SP5 texlive-filesystem versions prior to 2013.74-16.5.1. openSUSE Leap 15.1 texlive-filesystem versions prior to 2017.135-lp151.8.3.1. | 2020-04-02 | not yet calculated | CVE-2020-8017 CONFIRM |
suse — multiple_products |
An Uncontrolled Resource Consumption vulnerability in rmt of SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Linux Enterprise High Performance Computing 15-LTSS, SUSE Linux Enterprise Module for Public Cloud 15-SP1, SUSE Linux Enterprise Module for Server Applications 15, SUSE Linux Enterprise Module for Server Applications 15-SP1, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15; openSUSE Leap 15.1 allows remote attackers to cause DoS against rmt by requesting migrations. This issue affects: SUSE Linux Enterprise High Performance Computing 15-ESPOS rmt-server versions prior to 2.5.2-3.26.1. SUSE Linux Enterprise High Performance Computing 15-LTSS rmt-server versions prior to 2.5.2-3.26.1. SUSE Linux Enterprise Module for Public Cloud 15-SP1 rmt-server versions prior to 2.5.2-3.9.1. SUSE Linux Enterprise Module for Server Applications 15 rmt-server versions prior to 2.5.2-3.26.1. SUSE Linux Enterprise Module for Server Applications 15-SP1 rmt-server versions prior to 2.5.2-3.9.1. SUSE Linux Enterprise Server 15-LTSS rmt-server versions prior to 2.5.2-3.26.1. SUSE Linux Enterprise Server for SAP 15 rmt-server versions prior to 2.5.2-3.26.1. openSUSE Leap 15.1 rmt-server versions prior to 2.5.2-lp151.2.9.1. | 2020-04-03 | not yet calculated | CVE-2019-18904 CONFIRM |
suse — openstack_cloud_and_openstack_cloud_crowbar |
A Least Privilege Violation vulnerability in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to become root on any other node. This issue affects: SUSE OpenStack Cloud 7 crowbar-core versions prior to 4.0+git.1578392992.fabfd186c-9.63.1, crowbar-. SUSE OpenStack Cloud 8 ardana-cinder versions prior to 8.0+git.1579279939.ee7da88-3.39.3, ardana-. SUSE OpenStack Cloud 9 ardana-ansible versions prior to 9.0+git.1581611758.f694f7d-3.16.1, ardana-. SUSE OpenStack Cloud Crowbar 8 crowbar-core versions prior to 5.0+git.1582968668.1a55c77c5-3.35.4, crowbar-. SUSE OpenStack Cloud Crowbar 9 crowbar-core versions prior to 6.0+git.1582892022.cbd70e833-3.19.3, crowbar-. | 2020-04-03 | not yet calculated | CVE-2018-17954 CONFIRM |
suse — opensuse_factory |
A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: openSUSE Factory exim versions prior to 4.93.0.4-3.1. | 2020-04-02 | not yet calculated | CVE-2020-8015 CONFIRM |
systemd — systemd |
A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages. | 2020-03-31 | not yet calculated | CVE-2020-1712 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
testlink — testlink |
A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php via the urgency parameter. | 2020-04-03 | not yet calculated | CVE-2020-8638 MISC CONFIRM |
testlink — testlink |
An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. This allows an authenticated attacker to upload a malicious file (containing PHP code to execute operating system commands) to a publicly accessible directory of the application. | 2020-04-03 | not yet calculated | CVE-2020-8639 MISC CONFIRM |
testlink — testlink |
A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter. | 2020-04-03 | not yet calculated | CVE-2020-8637 MISC CONFIRM |
tp-link — cloud_camera |
TP-Link cloud cameras through 2020-02-09 allow remote attackers to bypass authentication and obtain sensitive information via vectors involving a Wi-Fi session with GPS enabled, aka CNVD-2020-04855. | 2020-04-01 | not yet calculated | CVE-2020-11445 MISC |
tp-link — multiple_devices |
TP-Link NC200 through 2.1.8_Build_171109, NC210 through 1.0.9_Build_171214, NC220 through 1.3.0_Build_180105, NC230 through 1.3.0_Build_171205, NC250 through 1.3.0_Build_171205, NC260 through 1.5.1_Build_190805, and NC450 through 1.5.0_Build_181022 devices allow a remote NULL Pointer Dereference. | 2020-04-01 | not yet calculated | CVE-2020-10231 MISC MISC |
tp-link — tl-wr841n_devices |
A buffer overflow in the httpd daemon on TP-Link TL-WR841N V10 (firmware version 3.16.9) devices allows an authenticated remote attacker to execute arbitrary code via a GET request to the page for the configuration of the Wi-Fi network. | 2020-04-02 | not yet calculated | CVE-2020-8423 MISC MISC |
utils-extend — utils-extend |
Flaw in input validation in npm package utils-extend version 1.0.8 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using utils-extend. | 2020-04-03 | not yet calculated | CVE-2020-8147 MISC |
viewvc — viewvc |
ViewVC before versions 1.1.28 and 1.2.1 has an XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28. | 2020-04-03 | not yet calculated | CVE-2020-5283 MISC MISC CONFIRM |
visam — vbase_editor_and_vbase_web-remote_module |
VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may allow a vulnerable ActiveX component to be exploited resulting in a buffer overflow, which may lead to a denial-of-service condition and execution of arbitrary code. | 2020-04-03 | not yet calculated | CVE-2020-10599 MISC |
visam — vbase_editor_and_vbase_web-remote_module |
VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may allow weak or insecure permissions on the VBASE directory resulting in elevation of privileges or malicious effects on the system the next time a privileged user runs the application. | 2020-04-03 | not yet calculated | CVE-2020-7004 MISC |
visam — vbase_editor_and_vbase_web-remote_module |
VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may allow an unauthenticated attacker to discover the cryptographic key from the web server and gain information about the login and the encryption/decryption mechanism, which may be exploited to bypass authentication of the HTML5 HMI web interface. | 2020-04-03 | not yet calculated | CVE-2020-7000 MISC |
visam — vbase_editor_and_vbase_web-remote_module |
VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may allow input passed in the URL that is not properly verified before use, which may allow an attacker to read arbitrary files from local resources. | 2020-04-03 | not yet calculated | CVE-2020-7008 MISC |
visam — vbase_editor_and_vbase_web-remote_module |
VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module allow weak hashing algorithm and insecure permissions which may allow a local attacker to bypass the password-protected mechanism through brute-force attacks, cracking techniques, or overwriting the password hash. | 2020-04-03 | not yet calculated | CVE-2020-10601 MISC |
wordpress — wordpress |
includes/theme-functions.php in the OneTone theme through 3.0.6 for WordPress allows unauthenticated options changes. | 2020-04-03 | not yet calculated | CVE-2019-17230 MISC |
wordpress — wordpress |
includes/theme-functions.php in the OneTone theme through 3.0.6 for WordPress has multiple stored XSS issues. | 2020-04-03 | not yet calculated | CVE-2019-17231 MISC |
xampp — xampp |
An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16, and 7.4.x before 7.4.4 on Windows. An unprivileged user can change a .exe configuration in xampp-control.ini for all users (including admins) to enable arbitrary command execution. | 2020-04-02 | not yet calculated | CVE-2020-11107 CONFIRM |
zevenet — zen_load_balancer |
Manage::Certificates in Zen Load Balancer 3.10.1 allows remote authenticated admins to execute arbitrary OS commands via shell metacharacters in the index.cgi cert_issuer, cert_division, cert_organization, cert_locality, cert_state, cert_country, or cert_email parameter. | 2020-04-02 | not yet calculated | CVE-2020-11490 MISC MISC |
zoho — manageengine_ad_self_service_plus |
Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution. | 2020-04-04 | not yet calculated | CVE-2020-11518 MISC |
zoho — manageengine_op_manager |
In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files. | 2020-04-04 | not yet calculated | CVE-2020-11527 MISC |
zoom — client_for_meetings |
Zoom Client for Meetings through 4.6.9 uses the ECB mode of AES for video and audio encryption. Within a meeting, all participants use a single 128-bit key. | 2020-04-03 | not yet calculated | CVE-2020-11500 MISC MISC |
This product is provided subject to this Notification and this Privacy & Use policy.
And certainly, thank you for your sweat!
USA
buying prescription drugs from canada – http://ciapili.com/ canadian pharmacy world coupon