Topics

Sort by:
Attacker Value
High

CVE-2020-1048: Windows Print Spooler Elevation of Privilege Vulnerability

Disclosure Date: May 21, 2020 (last updated May 27, 2020)
An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows Print Spooler Component writes to the file system.
Attack Vector: Local Utility Class: Privilege Escalation
4
Attacker Value
Low

CVE-2020-0605

Disclosure Date: January 14, 2020 (last updated March 10, 2020)
A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file.An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka '.NET Framework Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0606.
Attack Vector: Network
0
Attacker Value
Very Low

CVE-2017-9554

Disclosure Date: July 24, 2017 (last updated May 30, 2020)
An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors.
Attack Vector: Network
0
Attacker Value
High

CVE-2020-8616: NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities

Disclosure Date: May 19, 2020 (last updated June 01, 2020)
A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.
Attack Vector: Network Utility Class: Other
1
Attacker Value
High

CVE-2020-3956: VMware Cloud Director Code Injection Vulnerability

Disclosure Date: May 20, 2020 (last updated May 22, 2020)
VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4 do not properly handle input leading to a code injection vulnerability. An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.
Attack Vector: Network
0
Attacker Value
Moderate

CVE-2020-13166

Disclosure Date: May 19, 2020 (last updated May 30, 2020)
The management tool in MyLittleAdmin 3.8 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.
Attack Vector: Network
0
Attacker Value
Very High

CVE-2019-1414

Disclosure Date: January 24, 2020 (last updated March 10, 2020)
An elevation of privilege vulnerability exists in Visual Studio Code when it exposes a debug listener to users of a local computer, aka 'Visual Studio Code Elevation of Privilege Vulnerability'.
Attack Vector: Local
0
Attacker Value
Very High

CVE-2020-3259

Disclosure Date: May 06, 2020 (last updated May 13, 2020)
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information. The vulnerability is due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. An attacker could exploit this vulnerability by sending a crafted GET request to the web services interface. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information. Note: This vulnerability affects only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.
Attack Vector: Network
3
Attacker Value
Very High

CVE-2020-11651

Disclosure Date: April 30, 2020 (last updated May 30, 2020)
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
Attack Vector: Network Utility Class: RCE
0
Attacker Value
Moderate

CVE-2020-8644

Disclosure Date: February 05, 2020 (last updated May 30, 2020)
PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.
Attack Vector: Network
0