LiveActive security incident?Get immediate response
CVE archive

April 2020

Browse CVE records published in April 2020, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 1821 matching CVEs · Page 3 of 37.

Medium · CVSS 5.4

CVE-2020-0978: A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly saniti...

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-0923, CVE-2020-0924, CVE-2020-0925, CVE-2020-0926, CVE-2020-0927, CVE-2020-0930, CVE-2020-0933, CVE-2020-0954, CVE-2020-0973.

Published Apr 15, 2020 · Updated Feb 28, 2025

High · CVSS 8.6

CVE-2020-17354: LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or ou...

LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used.

Published Apr 15, 2023 · Updated Feb 6, 2025

Critical · CVSS 9.8

CVE-2020-29007: The Score extension through 0.3.0 for MediaWiki has a remote code execution vulnerability due to improper s...

The Score extension through 0.3.0 for MediaWiki has a remote code execution vulnerability due to improper sandboxing of the GNU LilyPond executable. This allows any user with an ability to edit articles (potentially including unauthenticated anonymous users) to execute arbitrary Scheme or shell code by using crafted {{Image data to generate musical scores containing malicious code.

Published Apr 15, 2023 · Updated Feb 6, 2025

Medium · CVSS 5.3

CVE-2020-4729: IBM Safer Payments denial of service

IBM Counter Fraud Management for Safer Payments 5.7.0.00 through 5.7.0.10, 6.0.0.00 through 6.0.0.07, 6.1.0.00 through 6.1.0.05, and 6.2.0.00 through 6.2.1.00 could allow an authenticated attacker under special circumstances to send multiple specially crafted API requests that could cause the application to crash. IBM X-Force ID: 188052.

Published Apr 28, 2023 · Updated Jan 30, 2025

Medium · CVSS 6.1

CVE-2020-11037: Potential Observable Timing Discrepancy in Wagtail

In Wagtail before versions 2.7.3 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is [understood to be feasible on a local network, but not on the public internet](https://groups.google.com/d/msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ). Privacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability. This has been patched in 2.7.3, 2.8.2, 2.9.

Published Apr 30, 2020 · Updated Nov 19, 2024

Medium · CVSS 5.8

CVE-2020-11001: Possible XSS attack in Wagtail

In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch).

Published Apr 14, 2020 · Updated Nov 19, 2024

Medium · CVSS 5.1

CVE-2020-25243: A vulnerability has been identified in LOGO!

A vulnerability has been identified in LOGO! Soft Comfort (All versions < V8.4). A zip slip vulnerability could be triggered while importing a compromised project file to the affected software. Chained with other vulnerabilities this vulnerability could ultimately lead to a system takeover by an attacker.

Published Apr 22, 2021 · Updated Nov 19, 2024

Unknown · CVSS Not scored

CVE-2020-10569: SysAid On-Premise 20.1.11, by default, allows the AJP protocol port, which is vulnerable to a GhostCat attack.

SysAid On-Premise 20.1.11, by default, allows the AJP protocol port, which is vulnerable to a GhostCat attack. Additionally, it allows unauthenticated access to upload files, which can be used to execute commands on the system by chaining it with a GhostCat attack. NOTE: This may be a duplicate of CVE-2020-1938

Published Apr 21, 2020 · Updated Nov 18, 2024

Low · CVSS 3

CVE-2020-3126: Cisco Webex Meetings Multimedia Viewer Vulnerability

vulnerability within the Multimedia Viewer feature of Cisco Webex Meetings could allow an authenticated, remote attacker to bypass security protections. The vulnerability is due to missing security warning dialog boxes when a room host views shared multimedia files. An authenticated, remote attacker could exploit this vulnerability by using the host role to share files within the Multimedia sharing feature and convincing a former room host to view that file. A warning dialog normally appears cautioning users before the file is displayed; however, the former host would not see that warning dialog, and any shared multimedia would be rendered within the user's browser. The attacker could leverage this behavior to conduct additional attacks by including malicious files within a targeted room host's browser window.

Published Apr 13, 2020 · Updated Nov 15, 2024

High · CVSS 7.5

CVE-2020-3162: Cisco IoT Field Network Director Denial of Service Vulnerability

A vulnerability in the Constrained Application Protocol (CoAP) implementation of Cisco IoT Field Network Director could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to insufficient input validation of incoming CoAP traffic. An attacker could exploit this vulnerability by sending a malformed CoAP packet to an affected device. A successful exploit could allow the attacker to force the CoAP server to stop, interrupting communication to the IoT endpoints.

Published Apr 15, 2020 · Updated Nov 15, 2024

High · CVSS 7.5

CVE-2020-3177: Cisco Unified Communications Manager Path Traversal Vulnerability

A vulnerability in the Tool for Auto-Registered Phones Support (TAPS) of Cisco Unified Communications Manager (UCM) and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to conduct directory traversal attacks on an affected device. The vulnerability is due to insufficient validation of user-supplied input to the TAPS interface of the affected device. An attacker could exploit this vulnerability by sending a crafted request to the TAPS interface. A successful exploit could allow the attacker to read arbitrary files in the system.

Published Apr 15, 2020 · Updated Nov 15, 2024