Virus and Security Alerts

CVE-2020-4621 (data_risk_manager)

2020-09-22 14:15:13
IBM Data Risk Manager (iDNA) 2.0.6 could allow an authenticated user to escalate their privileges to administrator due to insufficient authorization checks. IBM X-Force ID: 184981.
National Vulnerability Database
CVE-2020-4619 (data_risk_manager)

2020-09-22 14:15:13
IBM Data Risk Manager (iDNA) 2.0.6 stores user credentials in plain in clear text which can be read by an authenticated user. IBM X-Force ID: 184976.
National Vulnerability Database
CVE-2020-4622 (data_risk_manager)

2020-09-22 14:15:13
IBM Data Risk Manager (iDNA) 2.0.6 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
National Vulnerability Database
CVE-2020-4620 (data_risk_manager)

2020-09-22 14:15:13
IBM Data Risk Manager (iDNA) 2.0.6 could allow a remote authenticated attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially-crafted HTTP request,
National Vulnerability Database
CVE-2020-4611 (data_risk_manager)

2020-09-22 14:15:12
IBM Data Risk Manager (iDNA) 2.0.6 could allow an authenticated user to bypass security and execute actions reserved for admins. IBM X-Force ID: 184922.
National Vulnerability Database
CVE-2020-4612 (data_risk_manager)

2020-09-22 14:15:12
IBM Data Risk Manager (iDNA) 2.0.6 could allow an authenticated user to obtain sensitive information using a specially crafted HTTP request. IBM X-Force ID: 184924.
National Vulnerability Database
CVE-2020-4616 (data_risk_manager)

2020-09-22 14:15:12
IBM Data Risk Manager (iDNA) 2.0.6 could disclose sensitive username information to an attacker using a specially crafted HTTP request. IBM X-Force ID: 184929.
National Vulnerability Database
CVE-2020-4617 (data_risk_manager)

2020-09-22 14:15:12
IBM Data Risk Manager (iDNA) 2.0.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 184930.
National Vulnerability Database
CVE-2020-4613 (data_risk_manager)

2020-09-22 14:15:12
IBM Data Risk Manager (iDNA) 2.0.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 184925.
National Vulnerability Database
CVE-2020-4618 (data_risk_manager)

2020-09-22 14:15:12
IBM Data Risk Manager (iDNA) 2.0.6 could allow a privileged user to cause a denial of service due to improper input validation. IBM X-Force ID: 184937.
National Vulnerability Database
CVE-2020-4615 (data_risk_manager)

2020-09-22 14:15:12
IBM Data Risk Manager (iDNA) 2.0.6 is vulnerable to cross-site scripting.
National Vulnerability Database
CVE-2020-4614 (data_risk_manager)

2020-09-22 14:15:12
IBM Data Risk Manager (iDNA) 2.0.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt sensitive information. IBM X-Force ID: 184927.
National Vulnerability Database
CVE-2020-25794 (rust)

2020-09-19 21:15:12
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, clone can have a memory-safety issue upon a panic.
National Vulnerability Database
CVE-2020-25792 (rust)

2020-09-19 21:15:12
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
National Vulnerability Database
CVE-2020-25791 (rust)

2020-09-19 21:15:12
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
National Vulnerability Database
CVE-2020-0350 (android)

2020-09-18 16:15:17
In NFC, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges and a Firmware compromise needed.
National Vulnerability Database
CVE-2020-0347 (android)

2020-09-18 16:15:17
In iptables, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0348 (android)

2020-09-18 16:15:17
In NFC, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure over NFC with System execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0365 (android)

2020-09-18 16:15:17
In netd, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0335 (android)

2020-09-18 16:15:17
In NFC, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges and a Firmware compromise needed.
National Vulnerability Database
CVE-2020-0349 (android)

2020-09-18 16:15:17
In NFC, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0334 (android)

2020-09-18 16:15:17
In NFC, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges and a Firmware compromise needed.
National Vulnerability Database
CVE-2020-0309 (android)

2020-09-18 16:15:16
In the Bluetooth server, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System privileges and a Firmware compromise needed.
National Vulnerability Database
CVE-2020-0310 (android)

2020-09-18 16:15:16
In Settings, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0304 (android)

2020-09-18 16:15:16
In Settings, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0327 (android)

2020-09-18 16:15:16
In core networking, there is a missing permission check. This could lead to local information disclosure of app network usage with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions:
National Vulnerability Database
CVE-2020-0319 (android)

2020-09-18 16:15:16
In NFC, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges and a Firmware compromise needed.
National Vulnerability Database
CVE-2020-0331 (android)

2020-09-18 16:15:16
In Settings, there is a possible permissions bypass. This could lead to local information disclosure of the device's IMEI with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions:
National Vulnerability Database
CVE-2020-0316 (android)

2020-09-18 16:15:16
In Telephony, there is a missing permission check. This could lead to local information disclosure of radio data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions:
National Vulnerability Database
CVE-2020-0300 (android)

2020-09-18 16:15:16
In NFC, there is a possible out of bounds read due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0302 (android)

2020-09-18 16:15:16
In Settings, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0325 (android)

2020-09-18 16:15:16
In NFC, there is a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-145079309
National Vulnerability Database
CVE-2020-0315 (android)

2020-09-18 16:15:16
In Zen Mode, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0307 (android)

2020-09-18 16:15:16
In Settings, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0326 (android)

2020-09-18 16:15:16
In NFC, there is a possible out of bounds write due to uninitialized data. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions:
National Vulnerability Database
CVE-2020-0313 (android)

2020-09-18 16:15:16
In NotificationManagerService, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed.
National Vulnerability Database
CVE-2020-0299 (android)

2020-09-18 16:15:16
In Bluetooth, there is a possible spoofing of bluetooth device metadata due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed.
National Vulnerability Database
CVE-2020-0311 (android)

2020-09-18 16:15:16
In InputManagerService, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0276 (android)

2020-09-18 16:15:15
In Telephony, there is a possible permission bypass due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0291 (android)

2020-09-18 16:15:15
In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges and a compromised Firmware needed.
National Vulnerability Database
CVE-2020-0273 (android)

2020-09-18 16:15:15
In hwservicemanager, there is a possible out of bounds write due to freeing a wild pointer. This could lead to local escalation of privilege with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0284 (android)

2020-09-18 16:15:15
In Telephony, there is a possible permission bypass due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0281 (android)

2020-09-18 16:15:15
In NFC, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure. System execution privileges, a Firmware compromise, and User interaction is needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0292 (android)

2020-09-18 16:15:15
In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges and a compromised Firmware needed.
National Vulnerability Database
CVE-2020-0286 (android)

2020-09-18 16:15:15
In Bluetooth AVRCP, there is a possible leak of audio metadata due to residual data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0295 (android)

2020-09-18 16:15:15
In Telecom, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0294 (android)

2020-09-18 16:15:15
In the wallpaper manager, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0272 (android)

2020-09-18 16:15:15
In libhwbinder, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with System execution privileges required. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0282 (android)

2020-09-18 16:15:15
In NFC, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure. System execution privileges, a Firmware compromise, and User interaction are needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0298 (android)

2020-09-18 16:15:15
In Bluetooth, there is a possible control over Bluetooth enabled state due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0285 (android)

2020-09-18 16:15:15
In Telephony, there is a possible permission bypass due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0269 (android)

2020-09-18 16:15:14
In Android Auto Settings, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0265 (android)

2020-09-18 16:15:14
In Telephony, there are possible leaks of sensitive data due to missing permission checks. This could lead to local information disclosure with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0263 (android)

2020-09-18 16:15:14
In the Accessibility service, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed.
National Vulnerability Database
CVE-2020-0271 (android)

2020-09-18 16:15:14
In the Settings app, there is an insecure default value. This could lead to local escalation of privilege and tapjacking with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions:
National Vulnerability Database
CVE-2020-15773 (enterprise)

2020-09-18 15:15:13
An issue was discovered in Gradle Enterprise before 2020.2.4. Because of unrestricted cross-origin requests to read-only data in the Export API,
National Vulnerability Database
CVE-2020-15770 (enterprise)

2020-09-18 14:15:12
An issue was discovered in Gradle Enterprise 2018.5. There is a lack of lock-out after excessive failed login attempts. This allows a remote attacker to conduct brute-force guessing of a local user's password.
National Vulnerability Database
CVE-2020-15768 (enterprise, enterprise_cache_node)

2020-09-18 14:15:12
An issue was discovered in Gradle Enterprise 2017.3 - 2020.2.4 and Gradle Enterprise Build Cache Node 1.0 - 9.2.
National Vulnerability Database
CVE-2020-15774 (enterprise)

2020-09-18 14:15:12
An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. Because of implicitly remembered user-login information, physically proximate attackers can use a user session after browser closure.
National Vulnerability Database
CVE-2020-15776 (enterprise)

2020-09-18 14:15:12
An issue was discovered in Gradle Enterprise 2018.2 - 2020.2.4. CSRF mitigation can be bypassed because the anti-CSRF token is in a cleartext cookie.
National Vulnerability Database
CVE-2020-15772 (enterprise)

2020-09-18 14:15:12
An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. There is XXE with resultant SSRF via an uploaded SAML IDP configuration.
National Vulnerability Database
CVE-2020-15771 (enterprise, enterprise_cache_node)

2020-09-18 14:15:12
An issue was discovered in Gradle Enterprise 2018.2 and Gradle Enterprise Build Cache Node 4.1. CSRF mitigation can be bypassed because cross-site transmission of a cookie (containing a CSRF token) can occur.
National Vulnerability Database
CVE-2020-15767 (enterprise)

2020-09-18 14:15:12
An issue was discovered in Gradle Enterprise before 2020.2.5.
National Vulnerability Database
CVE-2020-15769 (enterprise)

2020-09-18 14:15:12
An issue was discovered in Gradle Enterprise 2020.2 - 2020.2.4. An XSS issue exists via the request URL.
National Vulnerability Database
CVE-2020-15775 (enterprise)

2020-09-18 14:15:12
An issue was discovered in Gradle Enterprise 2017.1 - 2020.2.4. Unrestricted access to a high-level system-usage summary allows an attacker to obtain project names and usage metrics.
National Vulnerability Database
CVE-2020-0373 (android)

2020-09-17 21:15:17
In SoundTriggerHwService, there is a possible out of bounds read due to a race condition. This could lead to local information disclosure with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0375 (android)

2020-09-17 21:15:17
In Telephony, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege and the setting of supported EUICC countries with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0426 (android)

2020-09-17 21:15:17
In SyncManager, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0425 (android)

2020-09-17 21:15:17
There is a possible way to view notifications even when the "Lockdown" feature is on. This could lead to local information disclosure with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0372 (android)

2020-09-17 21:15:16
In ActivityManager, there is a possible access to protected data due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0359 (android)

2020-09-17 21:15:16
In GLESRenderEngine, there is a possible out of bounds read due to a buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0357 (android)

2020-09-17 21:15:16
In SurfaceFlinger, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the graphics server with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0344 (android)

2020-09-17 21:15:15
In MediaProvider, there is a possible permissions bypass due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0353 (android)

2020-09-17 21:15:15
In libmp4extractor, there is a possible resource exhaustion due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0337 (android)

2020-09-17 21:15:15
In MediaProvider, there is a possible bypass of a permissions check due to a confused deputy. This could lead to local information disclosure, with User execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0351 (android)

2020-09-17 21:15:15
In libstagefright, there is possible CPU exhaustion due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0338 (android)

2020-09-17 21:15:15
In AccountManager, there is a possible bypass of a permissions check due to a confused deputy. This could lead to local information disclosure, with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0346 (android)

2020-09-17 21:15:15
In Mediaserver, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if integer sanitization were not enabled (which it is by default),
National Vulnerability Database
CVE-2020-0352 (android)

2020-09-17 21:15:15
In MediaProvider, there is a possible permissions bypass due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0355 (android)

2020-09-17 21:15:15
In libFraunhoferAAC, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0336 (android)

2020-09-17 21:15:15
In SurfaceFlinger, there is possible memory corruption due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0333 (android)

2020-09-17 21:15:15
In UrlQuerySanitizer, there is a possible improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions:
National Vulnerability Database
CVE-2020-0340 (android)

2020-09-17 21:15:15
In libcodec2_soft_mp3dec, there is a possible information disclosure due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0343 (android)

2020-09-17 21:15:15
In NetworkStatsService, there is a possible access to protected data due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0341 (android)

2020-09-17 21:15:15
In DisplayManager, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0317 (android)

2020-09-17 21:15:14
In UsageStatsManager, there is a possible access to protected data due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0328 (android)

2020-09-17 21:15:14
In the camera, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0323 (android)

2020-09-17 21:15:14
In libavb, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0314 (android)

2020-09-17 21:15:14
In AudioService, there are missing permission checks. This could lead to local information disclosure of audio configuration with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0320 (android)

2020-09-17 21:15:14
In libstagefright, there is a possible resource exhaustion due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0322 (android)

2020-09-17 21:15:14
In apexd, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0312 (android)

2020-09-17 21:15:14
In Battery Saver, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0329 (android)

2020-09-17 21:15:14
In the OMX encoder, there is a possible out of bounds read due to invalid input validation. This could lead to local information disclosure with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0308 (android)

2020-09-17 21:15:14
In Window Manager, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0321 (android)

2020-09-17 21:15:14
In the mp3 extractor, there is a possible out of bounds write due to uninitialized data. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0279 (android)

2020-09-17 21:15:13
In the AAC parser, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0296 (android)

2020-09-17 21:15:13
In ADB server and USB server, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed.
National Vulnerability Database
CVE-2020-0297 (android)

2020-09-17 21:15:13
In devicepolicy service, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0290 (android)

2020-09-17 21:15:13
In PackageManager, there is a missing permission check. This could lead to local information disclosure across users with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions:
National Vulnerability Database
CVE-2020-0277 (android)

2020-09-17 21:15:13
In NetworkPolicyManagerService, there is a possible permissions bypass due to a missing permission check.
National Vulnerability Database
CVE-2020-0288 (android)

2020-09-17 21:15:13
In PackageManager, there is a missing permission check. This could lead to local information disclosure across user boundaries with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0293 (android)

2020-09-17 21:15:13
In Java network APIs, there is possible access to sensitive network state due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0301 (android)

2020-09-17 21:15:13
In libstagefright, there is a possible resource exhaustion due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0289 (android)

2020-09-17 21:15:13
In PackageManager, there is a missing permission check. This could lead to local information disclosure across users with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions:
National Vulnerability Database
CVE-2020-0274 (android)

2020-09-17 21:15:13
In the OMX parser, there is a possible information disclosure due to a returned raw pointer. This could lead to local information disclosure with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0130 (android)

2020-09-17 21:15:12
In screencap, there is a possible command injection due to improper input validation. This could lead to local escalation of privilege in a system process with User execution privileges needed.
National Vulnerability Database
CVE-2020-0125 (android)

2020-09-17 21:15:12
In mediadrm, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
National Vulnerability Database
CVE-2020-0427 (android)

2020-09-17 19:15:12
In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed.
National Vulnerability Database
CVE-2019-20919 (dbi)

2020-09-17 18:15:12
An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer dereference.
National Vulnerability Database
CVE-2020-0404 (android)

2020-09-17 16:15:14
In uvc_scan_chain_forward of uvc_driver.c, there is a possible linked list corruption due to an unusual root cause. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0407 (android)

2020-09-17 16:15:14
In various functions in fscrypt_ice.c and related files in some implementations of f2fs encryption that use encryption hardware which only supports 32-bit IVs (Initialization Vectors),
National Vulnerability Database
CVE-2020-0390 (android)

2020-09-17 16:15:13
In the app zygote SE Policy, there is a possible permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions:
National Vulnerability Database
CVE-2020-0389 (android)

2020-09-17 16:15:13
In createSaveNotification of RecordingService.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed.
National Vulnerability Database
CVE-2020-0393 (android)

2020-09-17 16:15:13
In decrypt and decrypt_1_2 of CryptoPlugin.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0396 (android)

2020-09-17 16:15:13
In various places in Telephony, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed.
National Vulnerability Database
CVE-2020-0399 (android)

2020-09-17 16:15:13
In showLimitedSimFunctionWarningNotification of NotificationMgr.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed.
National Vulnerability Database
CVE-2020-0401 (android)

2020-09-17 16:15:13
In setInstallerPackageName of PackageManagerService.java, there is a missing permission check. This could lead to local escalation of privilege and granting spurious permissions with no additional execution privileges needed.
National Vulnerability Database
CVE-2020-0395 (android)

2020-09-17 16:15:13
In showNotification of EmergencyCallbackModeService.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed.
National Vulnerability Database
CVE-2020-0397 (android)

2020-09-17 16:15:13
In getNotificationBuilder of CarrierServiceStateTracker.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed.
National Vulnerability Database
CVE-2020-0382 (android)

2020-09-17 16:15:12
In RunInternal of dumpstate.cpp, there is a possible user consent bypass due to an uncaught exception. This could lead to local information disclosure of bug report data with System execution privileges needed.
National Vulnerability Database
CVE-2020-13944 (airflow)

2020-09-17 14:15:12
In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.
National Vulnerability Database
CVE-2020-14181 (jira, jira_software_data_center)

2020-09-17 01:15:11
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6,
National Vulnerability Database
CVE-2020-24377 (freebox_delta_firmware, freebox_mini_firmware, freebox_one_firmware, freebox_pop_firmware, freebox_revolution_firmware)

2020-09-16 20:15:14
A DNS rebinding vulnerability in the Freebox OS web interface in Freebox Server before 4.2.3.
National Vulnerability Database
CVE-2020-24376 (freebox_delta_firmware, freebox_mini_firmware, freebox_one_firmware, freebox_pop_firmware, freebox_revolution_firmware)

2020-09-16 20:15:14
A DNS rebinding vulnerability in the UPnP IGD implementations in Freebox Server before 4.2.3.
National Vulnerability Database
CVE-2020-24374 (freebox_hd_firmware)

2020-09-16 20:15:14
A DNS rebinding vulnerability in Freebox HD before 1.5.29.
National Vulnerability Database
CVE-2020-14519 (codemeter)

2020-09-16 20:15:13
This vulnerability allows an attacker to use the internal WebSockets API for CodeMeter (All versions prior to 7.00 are affected, including Version 7.0 or newer with the affected WebSockets API still enabled.
National Vulnerability Database
CVE-2020-24373 (freebox_delta_firmware, freebox_mini_firmware, freebox_one_firmware, freebox_pop_firmware, freebox_revolution_firmware)

2020-09-16 20:15:13
A CSRF vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3.
National Vulnerability Database
CVE-2020-14509 (codemeter)

2020-09-16 20:15:13
Multiple memory corruption vulnerabilities exist in CodeMeter (All versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.
National Vulnerability Database
CVE-2020-20406 (elementor_page_builder)

2020-09-16 20:15:13
A stored XSS vulnerability exists in the Custom Link Attributes control Affect function in Elementor Page Builder 2.9.2 and earlier versions. It is caused by inadequate filtering on the link custom attributes.
National Vulnerability Database
CVE-2020-14517 (codemeter)

2020-09-16 20:15:13
Protocol encryption can be easily broken for CodeMeter (All versions prior to 6.90 are affected, including Version 6.90 or newer only if CodeMeter Runtime is running as server) and the server accepts external connections,
National Vulnerability Database
CVE-2020-14515 (codemeter)

2020-09-16 20:15:13
CodeMeter (All versions prior to 6.90 when using CmActLicense update files with CmActLicense Firm Code) has an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files,
National Vulnerability Database
CVE-2020-16233 (codemeter)

2020-09-16 20:15:13
An attacker could send a specially crafted packet that could have CodeMeter (All versions prior to 7.10) send back packets containing data from the heap.
National Vulnerability Database
CVE-2020-14513 (codemeter)

2020-09-16 20:15:13
CodeMeter (All versions prior to 6.81) and the software using it may crash while processing a specifically crafted license file due to unverified length fields.
National Vulnerability Database
CVE-2020-6781 (smart_home)

2020-09-16 19:15:14
Improper certificate validation for certain connections in the Bosch Smart Home System App for iOS prior to version 9.17.1 potentially allows to intercept video contents by performing a man-in-the-middle attack.
National Vulnerability Database
CVE-2020-6146 (nitro_pro)

2020-09-16 19:15:14
An exploitable code execution vulnerability exists in the rendering functionality of Nitro Pro 13.13.2.242 and 13.16.2.300. When drawing the contents of a page and selecting the stroke color from an 'ICCBased' colorspace,
National Vulnerability Database
CVE-2020-13259 (secflow-1v_firmware)

2020-09-16 19:15:13
A vulnerability in the web-based management interface of RAD SecFlow-1v os-image SF_0290_2.3.01.26 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system.
National Vulnerability Database
CVE-2020-10718 (jboss_fuse, wildfly)

2020-09-16 19:15:13
A flaw was found in Wildfly before wildfly-embedded-13.0.0.Final, where the embedded managed process API has an exposed setting of the Thread Context Classloader (TCCL). This setting is exposed as a public method,
National Vulnerability Database
CVE-2020-1694 (keycloak)

2020-09-16 19:15:13
A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions.
National Vulnerability Database
CVE-2020-14306 (istio-operator)

2020-09-16 18:15:13
An incorrect access control flaw was found in the operator, openshift-service-mesh/istio-rhel8-operator all versions through 1.1.3.
National Vulnerability Database
CVE-2020-7532 (scadapack_x70_security_administrator)

2020-09-16 16:15:15
A CWE-502 Deserialization of Untrusted Data vulnerability exists in SCADAPack x70 Security Administrator (V1.2.0 and prior) which could allow arbitrary code execution when an attacker builds a custom .SDB file containing a malicious seriali
National Vulnerability Database
CVE-2020-7530 (scadapack_7x_remote_connect)

2020-09-16 16:15:15
A CWE-285 Improper Authorization vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which allows improper access to executable code folders.
National Vulnerability Database
CVE-2020-7528 (scadapack_7x_remote_connect)

2020-09-16 16:15:15
A CWE-502 Deserialization of Untrusted Data vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which could allow arbitrary code execution when an attacker builds a custom .PRJ file containing a malicious serialized b
National Vulnerability Database
CVE-2020-7531 (scadapack_7x_remote_connect)

2020-09-16 16:15:15
A CWE-284 Improper Access Control vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which allows an attacker to place executables in a specific folder and run code whenever RemoteConnect is executed by the user.
National Vulnerability Database
CVE-2020-7529 (scadapack_7x_remote_connect)

2020-09-16 16:15:15
A CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Transversal') vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which allows an attacker to place content in any unprotected folder on the
National Vulnerability Database
CVE-2020-10733 (postgresql)

2020-09-16 15:15:12
The Windows installer for PostgreSQL 9.5 - 12 invokes system-provided executables that do not have fully-qualified paths.
National Vulnerability Database
CVE-2020-14382 (cryptsetup, enterprise_linux, ubuntu_linux)

2020-09-16 15:15:12
A vulnerability was found in upstream release cryptsetup-2.2.0 where, there's a bug in LUKS2 format validation code, that is effectively invoked on every device/image presenting itself as LUKS2 container.
National Vulnerability Database
CVE-2020-7733 (ua-parser-js)

2020-09-16 14:15:15
The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.
National Vulnerability Database
CVE-2020-2273 (elastest)

2020-09-16 14:15:14
A cross-site request forgery (CSRF) vulnerability in Jenkins ElasTest Plugin 1.2.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
National Vulnerability Database
CVE-2020-2277 (storable_configs)

2020-09-16 14:15:14
Jenkins Storable Configs Plugin 1.0 and earlier allows users with Job/Read permission to read arbitrary files on the Jenkins controller.
National Vulnerability Database
CVE-2020-2271 (locked_files_report)

2020-09-16 14:15:14
Jenkins Locked Files Report Plugin 1.6 and earlier does not escape locked files' names in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
National Vulnerability Database
CVE-2020-2267 (mongodb)

2020-09-16 14:15:14
A missing permission check in Jenkins MongoDB Plugin 1.3 and earlier allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller.
National Vulnerability Database
CVE-2020-2268 (mongodb)

2020-09-16 14:15:14
A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller.
National Vulnerability Database
CVE-2020-2272 (elastest)

2020-09-16 14:15:14
A missing permission check in Jenkins ElasTest Plugin 1.2.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
National Vulnerability Database
CVE-2020-2269 (chosen-views-tabbar)

2020-09-16 14:15:14
Jenkins chosen-views-tabbar Plugin 1.2 and earlier does not escape view names in the dropdown to select views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to configure views.
National Vulnerability Database
CVE-2020-2275 (copy_data_to_workspace)

2020-09-16 14:15:14
Jenkins Copy data to workspace Plugin 1.0 and earlier does not limit which directories can be copied from the Jenkins controller to job workspaces,
National Vulnerability Database
CVE-2020-2274 (elastest)

2020-09-16 14:15:14
Jenkins ElasTest Plugin 1.2.1 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
National Vulnerability Database
CVE-2020-2276 (selection_tasks)

2020-09-16 14:15:14
Jenkins Selection tasks Plugin 1.0 and earlier executes a user-specified program on the Jenkins controller,
National Vulnerability Database
CVE-2020-2270 (clearcase_release)

2020-09-16 14:15:14
Jenkins ClearCase Release Plugin 0.3 and earlier does not escape the composite baseline in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
National Vulnerability Database
CVE-2020-2278 (storable_configs)

2020-09-16 14:15:14
Jenkins Storable Configs Plugin 1.0 and earlier does not restrict the user-specified file name,
National Vulnerability Database
CVE-2020-2264 (custom_job_icon)

2020-09-16 14:15:13
Jenkins Custom Job Icon Plugin 0.2 and earlier does not escape the job descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
National Vulnerability Database
CVE-2020-2256 (pipeline_maven_integration)

2020-09-16 14:15:13
Jenkins Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause,
National Vulnerability Database
CVE-2020-2265 (coverage/complexity_scatter_plot)

2020-09-16 14:15:13
Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not escape the method information in tooltips,
National Vulnerability Database
CVE-2020-2258 (health_advisor_by_cloudbees)

2020-09-16 14:15:13
Jenkins Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view that HTTP endpoint.
National Vulnerability Database
CVE-2020-2259 (computer_queue)

2020-09-16 14:15:13
Jenkins computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
National Vulnerability Database
CVE-2020-2255 (blue_ocean)

2020-09-16 14:15:13
A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.
National Vulnerability Database
CVE-2020-2252 (mailer)

2020-09-16 14:15:13
Jenkins Mailer Plugin 1.32 and earlier does not perform hostname validation when connecting to the configured SMTP server.
National Vulnerability Database
CVE-2020-2263 (radiator_view)

2020-09-16 14:15:13
Jenkins Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
National Vulnerability Database
CVE-2020-2254 (blue_ocean)

2020-09-16 14:15:13
Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag that, when enabled, allows an attacker with Job/Configure or Job/Create permission to read arbitrary files on the Jenkins controller file system.
National Vulnerability Database
CVE-2020-2253 (email_extension)

2020-09-16 14:15:13
Jenkins Email Extension Plugin 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server.
National Vulnerability Database
CVE-2020-2261 (perfecto)

2020-09-16 14:15:13
Jenkins Perfecto Plugin 1.17 and earlier executes a command on the Jenkins controller, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller
National Vulnerability Database
CVE-2020-2266 (description_column)

2020-09-16 14:15:13
Jenkins Description Column Plugin 1.3 and earlier does not escape the job description in the column tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
National Vulnerability Database
CVE-2020-2260 (perfecto)

2020-09-16 14:15:13
A missing permission check in Jenkins Perfecto Plugin 1.17 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials.
National Vulnerability Database
CVE-2020-2262 (android_lint)

2020-09-16 14:15:13
Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips,
National Vulnerability Database
CVE-2020-2257 (validating_string_parameter)

2020-09-16 14:15:13
Jenkins Validating String Parameter Plugin 2.4 and earlier does not escape various user-controlled fields, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
National Vulnerability Database
CVE-2020-25412 (gnuplot)

2020-09-16 14:15:12
gnuplot 5.4 is affected by a segmentation fault in com_line () at command.c, which may result in context-dependent arbitrary code execution.
National Vulnerability Database
CVE-2020-14315 (bsdiff)

2020-09-16 14:15:12
A memory corruption vulnerability is present in bspatch as shipped in Colin Percivalâ€™s bsdiff tools version 4.3.
National Vulnerability Database
CVE-2020-14393 (database_interface, leap)

2020-09-16 14:15:12
A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.
National Vulnerability Database
CVE-2020-14386 (linux_kernel)

2020-09-16 13:15:11
A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity.
National Vulnerability Database
CVE-2020-25559 (gnuplot)

2020-09-16 13:15:11
gnuplot 5.5 is affected by double free when executing print_set_output. This may result in context-dependent arbitrary code execution.
National Vulnerability Database
CVE-2020-14392 (database_interface, leap, ubuntu_linux)

2020-09-16 13:15:11
An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's availability.
National Vulnerability Database
CVE-2020-10781 (linux_kernel)

2020-09-16 13:15:10
A flaw was found in the Linux Kernel before 5.8-rc6 in the ZRAM kernel module, where a user with a local account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in the /dev/ directory.
National Vulnerability Database