LiveActive security incident?Get immediate response
CVE archive

March 2020

Browse CVE records published in March 2020, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 1453 matching CVEs · Page 5 of 30.

Medium · CVSS 4.9

CVE-2020-8356: An internal product security audit of LXCO, prior to version 1.2.2, discovered that optional passwords, if...

An internal product security audit of LXCO, prior to version 1.2.2, discovered that optional passwords, if specified, for the Syslog and SMTP forwarders are written to an internal LXCO log file in clear text. Affected logs are captured in the First Failure Data Capture (FFDC) service log. The FFDC service log is only generated when requested by a privileged LXCO user and it is only accessible to the privileged LXCO user that requested the file.

Published Mar 9, 2021 · Updated Sep 16, 2024

High · CVSS 7.8

CVE-2020-6771: Uncontrolled Search Path Element in Bosch IP Helper

Loading a DLL through an Uncontrolled Search Path Element in Bosch IP Helper up to and including version 1.00.0008 potentially allows an attacker to execute arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing a malicious DLL in the same application directory as the portable IP Helper application.

Published Mar 25, 2021 · Updated Sep 16, 2024

Medium · CVSS 6.1

CVE-2020-10509: Sunnet eHRD - Cross-Site Scripting

Sunnet eHRD, a human training and development management system, contains vulnerability of Cross-Site Scripting (XSS), attackers can inject arbitrary command into the system and launch XSS attack.

Published Mar 27, 2020 · Updated Sep 16, 2024

High · CVSS 8.3

CVE-2020-6650: Arbitrary code execution through “Update Manager” Class

UPS companion software v1.05 & Prior is affected by ‘Eval Injection’ vulnerability. The software does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call e.g.”eval” in “Update Manager” class when software attempts to see if there are updates available. This results in arbitrary code execution on the machine where software is installed.

Published Mar 23, 2020 · Updated Sep 16, 2024

Medium · CVSS 6.5

CVE-2020-7929: Specially crafted regex query can cause DoS

A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.

Published Mar 1, 2021 · Updated Sep 16, 2024

Medium · CVSS 6.4

CVE-2020-4856: IBM Engineering products are vulnerable to stored cross-site scripting.

IBM Engineering products are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190459.

Published Mar 4, 2021 · Updated Sep 16, 2024

High · CVSS 7.8

CVE-2020-6789: Uncontrolled Search Path Element in Bosch Monitor Wall Installer

Loading a DLL through an Uncontrolled Search Path Element in the Bosch Monitor Wall installer up to and including version 10.00.0164 potentially allows an attacker to execute arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing a malicious DLL in the same directory where the installer is started from.

Published Mar 25, 2021 · Updated Sep 16, 2024

Critical · CVSS 9.1

CVE-2020-29020: Reject Remote Management via Cellular UPLINK2

Improper Access Control vulnerability in web service of Secomea SiteManager allows remote attacker to access the web UI from the internet using the configured credentials. This issue affects: Secomea SiteManager All versions prior to 9.4.620527004 on Hardware.

Published Mar 5, 2021 · Updated Sep 16, 2024

High · CVSS 7.5

CVE-2020-28466: Denial of Service (DoS)

This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened risk. Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers. Fixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention. Those who are running such services are encouraged to build regularly from git.

Published Mar 7, 2021 · Updated Sep 16, 2024

Medium · CVSS 6.4

CVE-2020-4863: IBM Engineering products are vulnerable to stored cross-site scripting.

IBM Engineering products are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190566.

Published Mar 4, 2021 · Updated Sep 16, 2024

High · CVSS 8.1

CVE-2020-10510: Sunnet eHRD - Broken Access Control

Sunnet eHRD, a human training and development management system, contains a vulnerability of Broken Access Control. After login, attackers can use a specific URL, access unauthorized functionality and data.

Published Mar 27, 2020 · Updated Sep 16, 2024

High · CVSS 7.8

CVE-2020-6786: Uncontrolled Search Path Element in Bosch Video Recording Manager Installer

Loading a DLL through an Uncontrolled Search Path Element in the Bosch Video Recording Manager installer up to and including version 3.82.0055 for 3.82, up to and including version 3.81.0064 for 3.81 and 3.71 and older potentially allows an attacker to execute arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing a malicious DLL in the same directory where the installer is started from.

Published Mar 25, 2021 · Updated Sep 16, 2024

Low · CVSS 2.2

CVE-2020-8013: permissions: chkstat sets unintended setuid/capabilities for mrsh and wodim

A UNIX Symbolic Link (Symlink) Following vulnerability in chkstat of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15, SUSE Linux Enterprise Server 11 set permissions intended for specific binaries on other binaries because it erroneously followed symlinks. The symlinks can't be controlled by attackers on default systems, so exploitation is difficult. This issue affects: SUSE Linux Enterprise Server 12 permissions versions prior to 2015.09.28.1626-17.27.1. SUSE Linux Enterprise Server 15 permissions versions prior to 20181116-9.23.1. SUSE Linux Enterprise Server 11 permissions versions prior to 2013.1.7-0.6.12.1.

Published Mar 2, 2020 · Updated Sep 16, 2024

Low · CVSS 3.9

CVE-2020-9055: Versiant Lynx Customer Service Portal version 3.5.2 is vulnerable to stored cross-site scripting, which may allow an attacker to execute arbitrary JavaScript

Versiant LYNX Customer Service Portal (CSP), version 3.5.2, is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to insert malicious JavaScript that is stored and displayed to the end user. This could lead to website redirects, session cookie hijacking, or information disclosure.

Published Mar 30, 2020 · Updated Sep 16, 2024

High · CVSS 8.4

CVE-2020-29032: Add integrity check of GateManager firmware

Upload of Code Without Integrity Check vulnerability in firmware archive of Secomea GateManager allows authenticated attacker to execute malicious code on server. This issue affects: Secomea GateManager all versions prior to 9.4.621054022

Published Mar 5, 2021 · Updated Sep 16, 2024

High · CVSS 7.8

CVE-2020-1980: PAN-OS: Shell injection vulnerability in PAN-OS CLI allows execution of shell commands

A shell command injection vulnerability in the PAN-OS CLI allows a local authenticated user to escape the restricted shell and escalate privileges. This issue affects only PAN-OS 8.1 versions earlier than PAN-OS 8.1.13. This issue does not affect PAN-OS 7.1, PAN-OS 9.0, or later PAN-OS versions. This issue is fixed in PAN-OS 8.1.13, and all later versions.

Published Mar 11, 2020 · Updated Sep 16, 2024

High · CVSS 7.8

CVE-2020-6787: Uncontrolled Search Path Element in Bosch Video Client installer

Loading a DLL through an Uncontrolled Search Path Element in the Bosch Video Client installer up to and including version 1.7.6.079 potentially allows an attacker to execute arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing a malicious DLL in the same directory where the installer is started from.

Published Mar 25, 2021 · Updated Sep 16, 2024

Medium · CVSS 4

CVE-2020-36828: DiscuzX install_function.php show_next_step cross site scripting

A vulnerability was found in DiscuzX up to 3.4-20200818. It has been classified as problematic. Affected is the function show_next_step of the file upload/install/include/install_function.php. The manipulation of the argument uchidden leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 3.4-20210119 is able to address this issue. The name of the patch is 4a9673624f46f7609486778ded9653733020c567. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-258612.

Published Mar 31, 2024 · Updated Aug 4, 2024

Medium · CVSS 5.5

CVE-2020-36664: Artesãos SEOTools SEOMeta.php setTitle redirect

A vulnerability has been found in Artesãos SEOTools up to 0.17.1 and classified as problematic. This vulnerability affects the function setTitle of the file SEOMeta.php. The manipulation of the argument title leads to open redirect. Upgrading to version 0.17.2 is able to address this issue. The name of the patch is ca27cd0edf917e0bc805227013859b8b5a1f01fb. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-222232.

Published Mar 4, 2023 · Updated Aug 4, 2024

Medium · CVSS 5.5

CVE-2020-36665: Artesãos SEOTools TwitterCards.php eachValue redirect

A vulnerability was found in Artesãos SEOTools up to 0.17.1 and classified as critical. This issue affects the function eachValue of the file TwitterCards.php. The manipulation of the argument value leads to open redirect. Upgrading to version 0.17.2 is able to address this issue. The identifier of the patch is ca27cd0edf917e0bc805227013859b8b5a1f01fb. It is recommended to upgrade the affected component. The identifier VDB-222233 was assigned to this vulnerability.

Published Mar 4, 2023 · Updated Aug 4, 2024

Medium · CVSS 5.5

CVE-2020-36663: Artesãos SEOTools OpenGraph.php makeTag redirect

A vulnerability, which was classified as problematic, was found in Artesãos SEOTools up to 0.17.1. This affects the function makeTag of the file OpenGraph.php. The manipulation of the argument value leads to open redirect. Upgrading to version 0.17.2 is able to address this issue. The patch is named ca27cd0edf917e0bc805227013859b8b5a1f01fb. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-222231.

Published Mar 4, 2023 · Updated Aug 4, 2024

Critical · CVSS 9.6

CVE-2020-36283: HID OMNIKEY 5427 and OMNIKEY 5127 readers are vulnerable to CSRF when using the EEM driver (Ethernet Emulat...

HID OMNIKEY 5427 and OMNIKEY 5127 readers are vulnerable to CSRF when using the EEM driver (Ethernet Emulation Mode). By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to upload a configuration file to the device. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

Published Mar 24, 2021 · Updated Aug 4, 2024