LiveActive security incident?Get immediate response
CVE archive

March 2020

Browse CVE records published in March 2020, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 1453 matching CVEs · Page 4 of 30.

Low · CVSS 2.4

CVE-2020-1770: Information disclosure in support bundle files

Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.

Published Mar 27, 2020 · Updated Sep 17, 2024

Medium · CVSS 6.5

CVE-2020-5404: Authentication Leak On Redirect With Reactor Netty HttpClient

The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects.

Published Mar 3, 2020 · Updated Sep 17, 2024

High · CVSS 7.8

CVE-2020-6785: Uncontrolled Search Path Element in Bosch BVMS and BVMS Viewer

Loading a DLL through an Uncontrolled Search Path Element in Bosch BVMS and BVMS Viewer in versions 10.1.0, 10.0.1, 10.0.0 and 9.0.0 and older potentially allows an attacker to execute arbitrary code on a victim's system. This affects both the installer as well as the installed application. This also affects Bosch DIVAR IP 7000 R2, Bosch DIVAR IP all-in-one 5000 and Bosch DIVAR IP all-in-one 7000 with installers and installed BVMS versions prior to BVMS 10.1.1.

Published Mar 25, 2021 · Updated Sep 17, 2024

High · CVSS 8.1

CVE-2020-29030: Insufficient CSRF guards

Cross-Site Request Forgery (CSRF) vulnerability in web GUI of Secomea GateManager allows an attacker to execute malicious code. This issue affects: Secomea GateManager All versions prior to 9.4.

Published Mar 5, 2021 · Updated Sep 17, 2024

High · CVSS 8.1

CVE-2020-1979: PAN-OS: A format string vulnerability in PAN-OS log daemon (logd) on Panorama allows local privilege escalation

A format string vulnerability in the PAN-OS log daemon (logd) on Panorama allows a network based attacker with knowledge of registered firewall devices and access to Panorama management interfaces to execute arbitrary code, bypassing the restricted shell and escalating privileges. This issue affects only PAN-OS 8.1 versions earlier than PAN-OS 8.1.13 on Panorama. This issue does not affect PAN-OS 7.1, PAN-OS 9.0, or later PAN-OS versions.

Published Mar 11, 2020 · Updated Sep 17, 2024

Medium · CVSS 6.3

CVE-2020-29028: Reflected XSS issues

Cross-site Scripting (XSS) vulnerability in web GUI of Secomea GateManager allows an attacker to inject arbitrary javascript code. This issue affects: Secomea GateManager all versions prior to 9.4.

Published Mar 5, 2021 · Updated Sep 17, 2024

Medium · CVSS 4.8

CVE-2020-5339: RSA Authentication Manager versions prior to 8.4 P10 contain a stored cross-site scripting vulnerability in...

RSA Authentication Manager versions prior to 8.4 P10 contain a stored cross-site scripting vulnerability in the Security Console. A malicious RSA Authentication Manager Security Console administrator with advanced privileges could exploit this vulnerability to store arbitrary HTML or JavaScript code through the Security Console web interface. When other Security Console administrators open the affected report page, the injected scripts could potentially be executed in their browser.

Published Mar 25, 2020 · Updated Sep 17, 2024

Critical · CVSS 9.8

CVE-2020-3922: ArmorX LisoMail - SQL Injection

LisoMail, by ArmorX, allows SQL Injections, attackers can access the database without authentication via a URL parameter manipulation.

Published Mar 18, 2020 · Updated Sep 17, 2024

High · CVSS 7.8

CVE-2020-6788: Uncontrolled Search Path Element in Bosch Configuration Manager Installer

Loading a DLL through an Uncontrolled Search Path Element in the Bosch Configuration Manager installer up to and including version 7.21.0078 potentially allows an attacker to execute arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing a malicious DLL in the same directory where the installer is started from.

Published Mar 25, 2021 · Updated Sep 16, 2024

High · CVSS 7.5

CVE-2020-4217: The IBM Spectrum Scale 4.2 and 5.0 file system component is affected by a denial of service security vulner...

The IBM Spectrum Scale 4.2 and 5.0 file system component is affected by a denial of service security vulnerability. An attacker can force the Spectrum Scale mmfsd/mmsdrserv daemons to unexpectedly exit, impacting the functionality of the Spectrum Scale cluster and the availability of file systems managed by Spectrum Scale. IBM X-Force ID: 175067.

Published Mar 9, 2020 · Updated Sep 16, 2024

High · CVSS 7.3

CVE-2020-1773: Session / Password / Password token leak

An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions.

Published Mar 27, 2020 · Updated Sep 16, 2024

Medium · CVSS 6.5

CVE-2020-1772: Information Disclosure

It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.

Published Mar 27, 2020 · Updated Sep 16, 2024

High · CVSS 8.1

CVE-2020-28502: Arbitrary Code Injection

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Published Mar 5, 2021 · Updated Sep 16, 2024

Critical · CVSS 10

CVE-2020-3936: Unisoon UltraLog Express - SQL Injection

UltraLog Express device management interface does not properly filter user inputted string in some specific parameters, attackers can inject arbitrary SQL command.

Published Mar 27, 2020 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2020-5405: Directory Traversal with spring-cloud-config-server

Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.

Published Mar 5, 2020 · Updated Sep 16, 2024

Critical · CVSS 9.8

CVE-2020-12775: Hicos citizen certificate client-side component - Command Injection

Hicos citizen certificate client-side component does not filter special characters for command parameters in specific web URLs. An unauthenticated remote attacker can exploit this vulnerability to perform command injection attack to execute arbitrary system command, disrupt system or terminate service.

Published Mar 1, 2022 · Updated Sep 16, 2024

Critical · CVSS 9.9

CVE-2020-9408: TIBCO Spotfire Server Script Trust Problem Exposes Remote Code Execution Vulnerability

The Spotfire library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a vulnerability that theoretically allows an attacker with write permissions to the Spotfire Library, but not "Script Author" group permission, to modify attributes of files and objects saved to the library such that the system treats them as trusted. This could allow an attacker to cause the Spotfire Web Player, Analyst clients, and TERR Service into executing arbitrary code with the privileges of the system account that started those processes. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace: versions 10.8.0 and below and TIBCO Spotfire Server: versions 7.11.9 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, and 10.3.6, versions 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0, and 10.8.0.

Published Mar 11, 2020 · Updated Sep 16, 2024

High · CVSS 7.5

CVE-2020-10508: Sunnet eHRD - Sensitive Data Exposure

Sunnet eHRD, a human training and development management system, improperly stores system files. Attackers can use a specific URL and capture confidential information.

Published Mar 27, 2020 · Updated Sep 16, 2024

Medium · CVSS 5.4

CVE-2020-4975: IBM Engineering products are vulnerable to cross-site scripting.

IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 192435.

Published Mar 4, 2021 · Updated Sep 16, 2024

High · CVSS 8.1

CVE-2020-5327: Dell Security Management Server versions prior to 10.2.10 contain a Java RMI Deserialization of Untrusted D...

Dell Security Management Server versions prior to 10.2.10 contain a Java RMI Deserialization of Untrusted Data vulnerability. When the server is exposed to the internet and Windows Firewall is disabled, a remote unauthenticated attacker may exploit this vulnerability by sending a crafted RMI request to execute arbitrary code on the target host.

Published Mar 6, 2020 · Updated Sep 16, 2024

Medium · CVSS 6.5

CVE-2020-12527: Improper Access Validation in products of MB connect line and Helmholz

An issue was discovered in MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2. Improper access validation allows a logged in user to shutdown or reboot devices in his account without having corresponding permissions.

Published Mar 2, 2021 · Updated Sep 16, 2024

High · CVSS 7.7

CVE-2020-7254: Privilege escalation in Advanced Threat Defense

Privilege Escalation vulnerability in the command line interface in McAfee Advanced Threat Defense (ATD) 4.x prior to 4.8.2 allows local users to execute arbitrary code via improper access controls on the sudo command.

Published Mar 12, 2020 · Updated Sep 16, 2024