How severe is CVE-2020-15228?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5 out of 10.

What type of vulnerability is CVE-2020-15228?

This is classified as CWE-20, which is a common weakness in software security.

CVE-2020-15228

MEDIUM Year: 2020

CVSS v3 Score

5.0

Medium

CVSS v2 Score

4.0

Medium

Weakness Type

CWE-20

View all →

Vulnerability Description

In the `@actions/core` npm module before version 1.2.6,`addPath` and `exportVariable` functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modified without the intention of the workflow or action author. The runner will release an update that disables the `set-env` and `add-path` workflow commands in the near future. For now, users should upgrade to `@actions/core v1.2.6` or later, and replace any instance of the `set-env` or `add-path` commands in their workflows with the new Environment File Syntax. Workflows and actions using the old commands or older versions of the toolkit will start to warn, then error out during workflow execution.

CVE-2016-3230

MEDIUM

CVSS:5.0(Medium)

The Search component in Microsoft Windows 7, Windows Server 2008 R2 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to cause a denial...

CWE-202016

CVE-2016-3292

MEDIUM

CVSS:5.0(Medium)

Microsoft Internet Explorer 10 and 11 mishandles integrity settings and zone settings, which allows remote attackers to bypass a sandbox protection mechanism via a crafted web site, aka "Internet Expl...

CWE-202016

CVE-2016-8762

MEDIUM

CVSS:5.0(Medium)

The TrustZone driver in Huawei P9 phones with software Versions earlier than EVA-AL10C00B352 and P9 Lite with software VNS-L21C185B130 and earlier versions and P8 Lite with software ALE-L02C636B150 an...

CWE-202016

CVE-2017-12297

MEDIUM

CVSS:5.0(Medium)

A vulnerability in Cisco WebEx Meeting Center could allow an authenticated, remote attacker to initiate connections to arbitrary hosts, aka a "URL Redirection Vulnerability." The vulnerability is due ...

CWE-202017

CVE-2017-15185

MEDIUM

CVSS:5.0(Medium)

plugins/ogg.c in Libmp3splt 0.9.2 calls the libvorbis vorbis_block_clear function with uninitialized data upon detection of invalid input, which allows remote attackers to cause a denial of service (a...

CWE-202017

CVE-2017-6436

MEDIUM

CVSS:5.0(Medium)

The parse_string_node function in bplist.c in libimobiledevice libplist 1.12 allows local users to cause a denial of service (memory allocation error) via a crafted plist file.

CWE-202017

CVE-2020-15228

Vulnerability Description

Related Vulnerabilities

CVE-2016-3230

CVE-2016-3292

CVE-2016-8762

CVE-2017-12297

CVE-2017-15185

CVE-2017-6436