National Vulnerability Database

Search Results

There are 131,366 matching records.
Displaying matches 381 through 400.
Vuln ID Summary CVSS Severity
CVE-2020-7252

Unquoted service executable path in DXL Broker in McAfee Data eXchange Layer (DXL) Framework 6.0.0 and earlier allows local users to cause a denial of service and malicious file execution via carefully crafted and named executable files.

Published: February 17, 2020; 02:15:16 AM -05:00
(not available)
CVE-2020-5531

Mitsubishi Electric MELSEC C Controller Module and MELIPC Series MI5000 MELSEC-Q Series C Controller Module (Q24DHCCPU-V, Q24DHCCPU-VG User Ethernet port (CH1, CH2): First 5 digits of serial number 21121 or before), MELSEC iQ-R Series C Controller Module / C Intelligent Function Module (R12CCPU-V Ethernet port (CH1, CH2): First 2 digits of serial number 11 or before, and RD55UP06-V Ethernet port: First 2 digits of serial number 08 or before), and MELIPC Series MI5000 (MI5122-VW Ethernet port (CH1): First 2 digits of serial number 03 or before, or the firmware version 03 or before) allow remote attackers to cause a denial of service and/or malware execution via unspecified vectors.

Published: February 17, 2020; 02:15:16 AM -05:00
(not available)
CVE-2020-9033

Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow Directory Traversal via the FileName parameter to authlog.php.

Published: February 16, 2020; 11:15:11 PM -05:00
V3.1: 6.5 MEDIUM
    V2: 6.4 MEDIUM
CVE-2020-9032

Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow Directory Traversal via the FileName parameter to kernlog.php.

Published: February 16, 2020; 11:15:11 PM -05:00
V3.1: 6.5 MEDIUM
    V2: 6.4 MEDIUM
CVE-2020-9031

Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow Directory Traversal via the FileName parameter to daemonlog.php.

Published: February 16, 2020; 11:15:11 PM -05:00
V3.1: 6.5 MEDIUM
    V2: 6.4 MEDIUM
CVE-2020-9030

Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow Directory Traversal via the FileName parameter to syslog.php.

Published: February 16, 2020; 11:15:11 PM -05:00
V3.1: 6.5 MEDIUM
    V2: 6.4 MEDIUM
CVE-2020-9029

Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow Directory Traversal via the FileName parameter to messagelog.php.

Published: February 16, 2020; 11:15:11 PM -05:00
V3.1: 6.5 MEDIUM
    V2: 6.4 MEDIUM
CVE-2020-9028

Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow stored XSS via the newUserName parameter on the "User Creation, Deletion and Password Maintenance" screen (when creating a new user).

Published: February 16, 2020; 11:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2020-9027

ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the TRACE field of the resource ping.cmd. The NTP-2 device is also affected.

Published: February 16, 2020; 11:15:11 PM -05:00
V3.1: 9.8 CRITICAL
    V2: 10.0 HIGH
CVE-2020-9026

ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the PING field of the resource ping.cmd. The NTP-2 device is also affected.

Published: February 16, 2020; 11:15:11 PM -05:00
V3.1: 9.8 CRITICAL
    V2: 10.0 HIGH
CVE-2020-9025

Iteris Vantage Velocity Field Unit 2.4.2 devices have multiple stored XSS issues in all parameters of the Start Data Viewer feature of the /cgi-bin/loaddata.py script.

Published: February 16, 2020; 11:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2020-9024

Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have world-writable permissions for the /root/cleardata.pl (executed as root by crond) and /root/loadperl.sh (executed as root at boot time) scripts.

Published: February 16, 2020; 11:15:11 PM -05:00
V3.1: 9.8 CRITICAL
    V2: 10.0 HIGH
CVE-2020-9023

Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have two users that are not documented and are configured with weak passwords (User bluetooth, password bluetooth; User eclipse, password eclipse). Also, bluetooth is the root password.

Published: February 16, 2020; 11:15:10 PM -05:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2020-9022

An issue was discovered on Xirrus XR520, XR620, XR2436, and XH2-120 devices. The cgi-bin/ViewPage.cgi user parameter allows XSS.

Published: February 16, 2020; 11:15:10 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2020-9021

Post Oak AWAM Bluetooth Field Device 7400v2.08.21.2018, 7800SD.2015.1.16, 2011.3, 7400v2.02.01.2019, and 7800SD.2012.12.5 is vulnerable to injections of operating system commands through timeconfig.py via shell metacharacters in the htmlNtpServer parameter.

Published: February 16, 2020; 11:15:10 PM -05:00
V3.1: 9.8 CRITICAL
    V2: 10.0 HIGH
CVE-2020-9020

Iteris Vantage Velocity Field Unit 2.3.1, 2.4.2, and 3.0 devices allow the injection of OS commands into cgi-bin/timeconfig.py via shell metacharacters in the NTP Server field.

Published: February 16, 2020; 11:15:10 PM -05:00
V3.1: 9.8 CRITICAL
    V2: 10.0 HIGH
CVE-2020-9034

Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices mishandle session validation, leading to unauthenticated creation, modification, or elimination of users.

Published: February 16, 2020; 10:15:10 PM -05:00
V3.1: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2020-9016

Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header.

Published: February 16, 2020; 05:15:10 PM -05:00
V3.1: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2020-9013

Arvato Skillpipe 3.0 allows attackers to bypass intended print restrictions by deleting <div id="watermark"> from the HTML source code.

Published: February 16, 2020; 04:15:10 PM -05:00
V3.1: 4.3 MEDIUM
    V2: 4.0 MEDIUM
CVE-2020-9012

A cross-site scripting (XSS) vulnerability in the Import People functionality in Gluu Identity Configuration 4.0 allows remote attackers to inject arbitrary web script or HTML via the filename parameter.

Published: February 16, 2020; 03:15:10 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM