Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-7584 | 1 Siemens | 4 Simatic S7-200 Smart Sr Cpu, Simatic S7-200 Smart Sr Cpu Firmware, Simatic S7-200 Smart St Cpu and 1 more | 2020-07-17 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in SIMATIC S7-200 SMART CPU family (All versions >= V2.2 < V2.5.1). Affected devices do not properly handle large numbers of new incomming connections and could crash under certain circumstances. An attacker may leverage this to cause a Denial-of-Service situation. | |||||
| CVE-2014-8826 | 1 Apple | 1 Mac Os X | 2020-07-17 | 5.0 MEDIUM | N/A |
| LaunchServices in Apple OS X before 10.10.2 does not properly handle file-type metadata, which allows attackers to bypass the Gatekeeper protection mechanism via a crafted JAR archive. | |||||
| CVE-2020-7577 | 1 Siemens | 1 Opcenter Execution Core | 2020-07-17 | 5.5 MEDIUM | 8.1 HIGH |
| A vulnerability has been identified in Camstar Enterprise Platform (All versions), Opcenter Execution Core (All versions < V8.2). Through the use of several vulnerable fields of the application, an authenticated user could perform an SQL Injection attack by passing a modified SQL query downstream to the back-end server. The exploit of this vulnerability could be used to read, and potentially modify application data to which the user has access to. | |||||
| CVE-2020-7578 | 1 Siemens | 1 Opcenter Execution Core | 2020-07-17 | 5.5 MEDIUM | 8.1 HIGH |
| A vulnerability has been identified in Camstar Enterprise Platform (All versions), Opcenter Execution Core (All versions < V8.2). Authenticated users could have access to resources they normally would not have. This vulnerability could allow an attacker to view internal information and perform unauthorized changes. | |||||
| CVE-2020-2971 | 1 Oracle | 1 Application Express | 2020-07-17 | 4.9 MEDIUM | 5.4 MEDIUM |
| Vulnerability in the Oracle Application Express component of Oracle Database Server. Supported versions that are affected are 5.1-19.2. Easily exploitable vulnerability allows low privileged attacker having SQL Workshop privilege with network access via HTTP to compromise Oracle Application Express. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express accessible data as well as unauthorized read access to a subset of Oracle Application Express accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | |||||
| CVE-2020-5333 | 1 Rsa | 1 Archer | 2020-07-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an authorization bypass vulnerability in the REST API. A remote authenticated malicious Archer user could potentially exploit this vulnerability to view unauthorized information. | |||||
| CVE-2020-1469 | 1 Microsoft | 1 Bond | 2020-07-17 | 5.0 MEDIUM | 7.5 HIGH |
| A denial of service vulnerability exists when the .NET implementation of Bond improperly parses input, aka 'Bond Denial of Service Vulnerability'. | |||||
| CVE-2020-8181 | 1 Nextcloud | 1 Contacts | 2020-07-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars. | |||||
| CVE-2020-5764 | 1 Mxplayer | 1 Mx Player | 2020-07-17 | 5.8 MEDIUM | 8.8 HIGH |
| MX Player Android App versions prior to v1.24.5, are vulnerable to a directory traversal vulnerability when user is using the MX Transfer feature in "Receive" mode. An attacker can exploit this by connecting to the MX Transfer session as a "sender" and sending a MessageType of "FILE_LIST" with a "name" field containing directory traversal characters (../). This will result in the file being transferred to the victim's phone, but being saved outside of the intended "/sdcard/MXshare" directory. In some instances, an attacker can achieve remote code execution by writing ".odex" and ".vdex" files in the "oat" directory of the MX Player application. | |||||
| CVE-2020-14605 | 1 Oracle | 1 Financial Services Analytical Applications Infrastructure | 2020-07-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Infrastructure). Supported versions that are affected are 8.0.6-8.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.1 Base Score 6.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N). | |||||
| CVE-2020-14606 | 1 Oracle | 1 Sd-wan Edge | 2020-07-17 | 10.0 HIGH | 10.0 CRITICAL |
| Vulnerability in the Oracle SD-WAN Edge product of Oracle Communications Applications (component: User Interface). Supported versions that are affected are 8.2 and 9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle SD-WAN Edge. While the vulnerability is in Oracle SD-WAN Edge, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle SD-WAN Edge. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). | |||||
| CVE-2020-11955 | 1 Rittal | 9 Cmc Iii Pu 7030.000, Cmc Iii Pu 7030.000 Firmware, Cmciii-pu-9333e0fb and 6 more | 2020-07-17 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered on Rittal PDU-3C002DEC through 5.15.70 and CMCIII-PU-9333E0FB through 3.15.70 devices. There are insecure permissions. | |||||
| CVE-2020-11437 | 1 Librehealth | 1 Librehealth Ehr | 2020-07-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| LibreHealth EMR v2.0.0 is affected by SQL injection allowing low-privilege authenticated users to enumerate the database. | |||||
| CVE-2020-11438 | 1 Librehealth | 1 Librehealth Ehr | 2020-07-17 | 6.8 MEDIUM | 8.8 HIGH |
| LibreHealth EMR v2.0.0 is affected by systemic CSRF. | |||||
| CVE-2020-11436 | 1 Librehealth | 1 Librehealth Ehr | 2020-07-17 | 6.0 MEDIUM | 9.0 CRITICAL |
| LibreHealth EMR v2.0.0 is vulnerable to XSS that results in the ability to force arbitrary actions on behalf of other users including administrators. | |||||
| CVE-2020-11953 | 1 Rittal | 9 Cmc Iii Pu 7030.000, Cmc Iii Pu 7030.000 Firmware, Cmciii-pu-9333e0fb and 6 more | 2020-07-17 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered on Rittal PDU-3C002DEC through 5.15.40 and CMCIII-PU-9333E0FB through 3.15.70_4 devices. Attackers can execute code. | |||||
| CVE-2020-11951 | 1 Rittal | 9 Cmc Iii Pu 7030.000, Cmc Iii Pu 7030.000 Firmware, Cmciii-pu-9333e0fb and 6 more | 2020-07-17 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on Rittal PDU-3C002DEC through 5.17.10 and CMCIII-PU-9333E0FB through 3.17.10 devices. There is a Backdoor root account. | |||||
| CVE-2018-1067 | 1 Redhat | 4 Enterprise Linux, Jboss Enterprise Application Platform, Undertow and 1 more | 2020-07-17 | 5.8 MEDIUM | 6.1 MEDIUM |
| In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value. | |||||
| CVE-2020-4305 | 1 Ibm | 2 Infosphere Information Server, Infosphere Information Server On Cloud | 2020-07-17 | 9.3 HIGH | 8.8 HIGH |
| IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 176677. | |||||
| CVE-2020-4173 | 2 Ibm, Linux | 3 Infosphere Guardium Activity Monitor, Security Guardium Insights, Linux Kernel | 2020-07-17 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM Guardium Activity Insights 10.6 and 11.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 174682. | |||||
| CVE-2019-12784 | 1 Verint | 1 Impact 360 | 2020-07-16 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Verint Impact 360 15.1. At wfo/control/signin, the login form can accept submissions from external websites. In conjunction with CVE-2019-12783, this can be used by attackers to "crowdsource" bruteforce login attempts on the target site, allowing them to guess and potentially compromise valid credentials without ever sending any traffic from their own machine to the target site. | |||||
| CVE-2019-12783 | 1 Verint | 1 Impact 360 | 2020-07-16 | 5.8 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Verint Impact 360 15.1. At wfo/control/signin, the rd parameter can accept a URL, to which users will be redirected after a successful login. In conjunction with CVE-2019-12784, this can be used by attackers to "crowdsource" bruteforce login attempts on the target site, allowing them to guess and potentially compromise valid credentials without ever sending any traffic from their own machine to the target site. | |||||
| CVE-2019-12773 | 1 Verint | 1 Impact 360 | 2020-07-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Verint Impact 360 15.1. At wfo/help/help_popup.jsp, the helpURL parameter can be changed to embed arbitrary content inside of an iFrame. Attackers may use this in conjunction with social engineering to embed malicious scripts or phishing pages on a site where this product is installed, given the attacker can convince a victim to visit a crafted link. | |||||
| CVE-2020-5246 | 1 Traccar | 1 Traccar | 2020-07-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| Traccar GPS Tracking System before version 4.9 has a LDAP injection vulnerability. It occurs when user input is being used in LDAP search filter. By providing specially crafted input, an attacker can modify the logic of the LDAP query and get admin privileges. The issue only impacts instances with LDAP configuration and where users can craft their own names. This has been patched in version 4.9. | |||||
| CVE-2020-13131 | 1 Yubico | 3 Libykpiv, Piv Tool Manager, Yubikey Smart Card Minidriver | 2020-07-16 | 1.9 LOW | 4.3 MEDIUM |
| An issue was discovered in Yubico libykpiv before 2.1.0. lib/util.c in this library (which is included in yubico-piv-tool) does not properly check embedded length fields during device communication. A malicious PIV token can misreport the returned length fields during RSA key generation. This will cause stack memory to be copied into heap allocated memory that gets returned to the caller. The leaked memory could include PINs, passwords, key material, and other sensitive information depending on the integration. During further processing by the caller, this information could leak across trust boundaries. Note that RSA key generation is triggered by the host and cannot directly be triggered by the token. | |||||
| CVE-2020-3931 | 1 Geovision | 12 Gv-as1010, Gv-as1010 Firmware, Gv-as210 and 9 more | 2020-07-16 | 7.5 HIGH | 9.8 CRITICAL |
| Buffer overflow exists in Geovision Door Access Control device family, an unauthenticated remote attacker can execute arbitrary command. | |||||
| CVE-2020-8916 | 1 Openthread | 1 Wpantund | 2020-07-16 | 2.1 LOW | 5.5 MEDIUM |
| A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to restrict access in your debug environments. | |||||
| CVE-2020-15008 | 1 Connectwise | 1 Connectwise Automate | 2020-07-16 | 6.0 MEDIUM | 7.5 HIGH |
| A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. A SQL Injection in the probe implementation to save data to a custom table exists due to inadequate server side validation. As the code creates dynamic SQL for the insert statement and utilizes the user supplied table name with little validation, the table name can be modified to allow arbitrary update commands to be run. Usage of other SQL injection techniques such as timing attacks, it is possible to perform full data extraction as well. Patched in 2020.7 and in a hotfix for 2019.12. | |||||
| CVE-2020-2203 | 1 Jenkins | 1 Fortify On Demand | 2020-07-16 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs. | |||||
| CVE-2018-13467 | 1 Epnex | 1 Epiphanycoin | 2020-07-16 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for EpiphanyCoin, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13471 | 1 Beyondcash | 1 Beyondcashtoken | 2020-07-16 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for BeyondCashToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13478 | 1 Airbridge | 1 Dmptoken | 2020-07-16 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for DMPToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13481 | 1 Triumland | 1 Triumland | 2020-07-16 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for TRIUM, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13533 | 1 Aluxdigital | 1 Aluxtoken | 2020-07-16 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for ALUXToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2018-13477 | 1 Cte | 1 Ctesale | 2020-07-16 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for CTESale, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2020-14546 | 1 Oracle | 1 Hyperion Financial Close Management | 2020-07-16 | 2.1 LOW | 4.2 MEDIUM |
| Vulnerability in the Hyperion Financial Close Management product of Oracle Hyperion (component: Close Manager). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Hyperion Financial Close Management. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Hyperion Financial Close Management accessible data. CVSS 3.1 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N). | |||||
| CVE-2020-14613 | 1 Oracle | 1 Webcenter Sites | 2020-07-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: Advanced User Interface). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data as well as unauthorized read access to a subset of Oracle WebCenter Sites accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | |||||
| CVE-2020-14610 | 1 Oracle | 1 Applications Framework | 2020-07-16 | 3.5 LOW | 7.6 HIGH |
| Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Attachments / File Upload). The supported version that is affected is 12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Applications Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Framework, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Applications Framework accessible data as well as unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data. CVSS 3.1 Base Score 7.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N). | |||||
| CVE-2020-14615 | 1 Oracle | 1 Financial Services Analytical Applications Infrastructure | 2020-07-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Infrastructure). Supported versions that are affected are 8.0.6-8.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Financial Services Analytical Applications Infrastructure, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Analytical Applications Infrastructure accessible data as well as unauthorized read access to a subset of Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | |||||
| CVE-2020-14607 | 1 Oracle | 1 Fusion Middleware Mapviewer | 2020-07-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Vulnerability in the Oracle Fusion Middleware MapViewer product of Oracle Fusion Middleware (component: Tile Server). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Fusion Middleware MapViewer. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Fusion Middleware MapViewer, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Fusion Middleware MapViewer accessible data as well as unauthorized read access to a subset of Oracle Fusion Middleware MapViewer accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | |||||
| CVE-2020-14609 | 1 Oracle | 1 Business Intelligence | 2020-07-16 | 7.5 HIGH | 8.6 HIGH |
| Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Web Answers). Supported versions that are affected are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Business Intelligence Enterprise Edition. CVSS 3.1 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L). | |||||
| CVE-2020-13444 | 1 Liferay | 1 Liferay Portal | 2020-07-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers. | |||||
| CVE-2020-14616 | 1 Oracle | 1 Food And Beverage Applications | 2020-07-16 | 4.0 MEDIUM | 2.7 LOW |
| Vulnerability in the Oracle Hospitality Reporting and Analytics product of Oracle Food and Beverage Applications (component: Reporting). The supported version that is affected is 9.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hospitality Reporting and Analytics. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Hospitality Reporting and Analytics accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N). | |||||
| CVE-2020-14611 | 1 Oracle | 1 Webcenter Portal | 2020-07-16 | 7.5 HIGH | 8.6 HIGH |
| Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Composer). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Portal accessible data as well as unauthorized read access to a subset of Oracle WebCenter Portal accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebCenter Portal. CVSS 3.1 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L). | |||||
| CVE-2020-14612 | 1 Oracle | 1 Peoplesoft Enterprise Human Capital Management Candidate Gateway | 2020-07-16 | 5.5 MEDIUM | 5.4 MEDIUM |
| Vulnerability in the PeopleSoft Enterprise HRMS product of Oracle PeopleSoft (component: Time and Labor). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HRMS. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HRMS accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HRMS accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). | |||||
| CVE-2020-15069 | 1 Sophos | 2 Xg Firewall, Xg Firewall Firmware | 2020-07-16 | 7.5 HIGH | 9.8 CRITICAL |
| Sophos XG Firewall 17.x through v17.5 MR12 allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. Hotfix HF062020.1 was published for all firewalls running v17.x. | |||||
| CVE-2020-12048 | 1 Baxter | 2 Phoenix X36, Phoenix X36 Firmware | 2020-07-16 | 5.0 MEDIUM | 7.5 HIGH |
| Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool. | |||||
| CVE-2020-1943 | 1 Apache | 1 Ofbiz | 2020-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07. | |||||
| CVE-2020-1326 | 1 Microsoft | 1 Azure Devops Server | 2020-07-15 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server does not properly sanitize user provided input, aka 'Azure DevOps Server Cross-site Scripting Vulnerability'. | |||||
| CVE-2020-10988 | 1 Tenda | 2 Ac15, Ac15 Firmware | 2020-07-15 | 10.0 HIGH | 9.8 CRITICAL |
| A hard-coded telnet credential in the tenda_login binary of Tenda AC15 AC1900 version 15.03.05.19 allows unauthenticated remote attackers to start a telnetd service on the device. | |||||