CVE List - 2020 / January
Showing 301 - 400 of 1655 CVEs for January 2020 (Page 4 of 17)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-17014 | 2020-01-08 | If an image had not loaded correctly (such as when it is not actually an image), it could be dragged and dropped cross-domain, resulting in a cross-origin information leak. This... |
| CVE-2019-17015 | 2020-01-08 | During the initialization of a new content process, a pointer offset can be manipulated leading to memory corruption and a potentially exploitable crash in the parent process. *Note: this issue... |
| CVE-2019-17016 | 2020-01-08 | When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of... |
| CVE-2019-17017 | 2020-01-08 | Due to a missing case handling object types, a type confusion vulnerability could occur, resulting in a crash. We presume that with enough effort that it could be exploited to... |
| CVE-2019-17018 | 2020-01-08 | When in Private Browsing Mode on Windows 10, the Windows keyboard may retain word suggestions to improve the accuracy of the keyboard. This vulnerability affects Firefox < 72. |
| CVE-2019-17019 | 2020-01-08 | When Python was installed on Windows, a python file being served with the MIME type of text/plain could be executed by Python instead of being opened as a text file... |
| CVE-2019-17020 | 2020-01-08 | If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the Content Security Policy will not be applied to the contents... |
| CVE-2019-17021 | 2020-01-08 | During the initialization of a new content process, a race condition occurs that can allow a content process to disclose heap addresses from the parent process. *Note: this issue only... |
| CVE-2019-17022 | 2020-01-08 | When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not escape < and > characters. Because the resulting string is pasted directly... |
| CVE-2019-17023 | 2020-01-08 | After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client... |
| CVE-2019-17024 | 2020-01-08 | Mozilla developers reported memory safety bugs present in Firefox 71 and Firefox ESR 68.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort... |
| CVE-2019-17025 | 2020-01-08 | Mozilla developers reported memory safety bugs present in Firefox 71. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could... |
| CVE-2019-9812 | 2020-01-08 | Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a... |
| CVE-2019-17001 | 2020-01-08 | A Content-Security-Policy that blocks in-line scripts could be bypassed using an object tag to execute JavaScript in the protected document (cross-site scripting). This is a separate bypass from CVE-2019-17000.*Note: This... |
| CVE-2011-5018 | 2020-01-08 | Koala Framework before 2011-11-21 has XSS via the request_uri parameter. |
| CVE-2011-5247 | 2020-01-08 | Snare for Linux before 1.7.0 has password disclosure because the rendered page contains the field RemotePassword. |
| CVE-2011-5250 | 2020-01-08 | Snare for Linux before 1.7.0 has CSRF in the web interface. |
| CVE-2011-5266 | 2020-01-08 | Imperva SecureSphere Web Application Firewall (WAF) before 12-august-2010 allows SQL injection filter bypass. |
| CVE-2020-6623 | 2020-01-08 | stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff_get_index. |
| CVE-2020-6622 | 2020-01-08 | stb stb_truetype.h through 1.22 has a heap-based buffer over-read in stbtt__buf_peek8. |
| CVE-2020-6621 | 2020-01-08 | stb stb_truetype.h through 1.22 has a heap-based buffer over-read in ttUSHORT. |
| CVE-2020-6620 | 2020-01-08 | stb stb_truetype.h through 1.22 has a heap-based buffer over-read in stbtt__buf_get8. |
| CVE-2020-6619 | 2020-01-08 | stb stb_truetype.h through 1.22 has an assertion failure in stbtt__buf_seek. |
| CVE-2020-6618 | 2020-01-08 | stb stb_truetype.h through 1.22 has a heap-based buffer over-read in stbtt__find_table. |
| CVE-2020-6617 | 2020-01-08 | stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff_int. |
| CVE-2019-11292 | 2020-01-08 | Pivotal Ops Manager logs query parameters in tomcat access file |
| CVE-2019-20180 | 2020-01-09 | The TablePress plugin 1.9.2 for WordPress allows tablepress[data] CSV injection by Editor users. Note: The vendor disputes this issue and argues that this responsibility lies with the application that opens... |
| CVE-2020-6624 | 2020-01-09 | jhead through 3.04 has a heap-based buffer over-read in process_DQT in jpgqguess.c. |
| CVE-2020-6625 | 2020-01-09 | jhead through 3.04 has a heap-based buffer over-read in Get32s when called from ProcessGpsInfo in gpsinfo.c. |
| CVE-2020-6631 | 2020-01-09 | An issue was discovered in GPAC version 0.8.0. There is a NULL pointer dereference in the function gf_m2ts_stream_process_pmt() in media_tools/m2ts_mux.c. |
| CVE-2020-6630 | 2020-01-09 | An issue was discovered in GPAC version 0.8.0. There is a NULL pointer dereference in the function gf_isom_get_media_data_size() in isomedia/isom_read.c. |
| CVE-2020-6629 | 2020-01-09 | Ming (aka libming) 0.4.8 has z NULL pointer dereference in the function decompileGETURL2() in decompile.c. |
| CVE-2020-6628 | 2020-01-09 | Ming (aka libming) 0.4.8 has a heap-based buffer over-read in the function decompile_SWITCH() in decompile.c. |
| CVE-2020-6632 | 2020-01-09 | In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a QuickAccess link. This is related to AdminQuickAccessesController.php, themes/default/template/header.tpl, and themes/new-theme/js/header.js. |
| CVE-2020-5205 | 2020-01-09 | Session fixation attack in Pow (Hex package) |
| CVE-2019-19494 | 2020-01-09 | Broadcom based cable modems across multiple vendors are vulnerable to a buffer overflow, which allows a remote attacker to execute arbitrary code at the kernel level via JavaScript run in... |
| CVE-2020-5308 | 2020-01-09 | PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to XSS, as demonstrated by the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName parameter... |
| CVE-2014-2686 | 2020-01-09 | Ansible prior to 1.5.4 mishandles the evaluation of some strings. |
| CVE-2014-2651 | 2020-01-09 | Unify OpenStage/OpenScape Desk Phone IP SIP before V3 R3.11.0 has an authentication bypass in the default mode of the Workpoint Interface |
| CVE-2014-2650 | 2020-01-09 | Unify OpenStage / OpenScape Desk Phone IP before V3 R3.11.0 SIP has an OS command injection vulnerability in the web based management interface |
| CVE-2014-3211 | 2020-01-09 | Publify before 8.0.1 is vulnerable to a Denial of Service attack |
| CVE-2014-3447 | 2020-01-09 | BSS Continuity CMS 4.2.22640.0 has a Remote Denial Of Service vulnerability |
| CVE-2014-3448 | 2020-01-09 | BSS Continuity CMS 4.2.22640.0 has a Remote Code Execution vulnerability due to unauthenticated file upload |
| CVE-2014-3449 | 2020-01-09 | BSS Continuity CMS 4.2.22640.0 has an Authentication Bypass vulnerability |
| CVE-2014-3753 | 2020-01-09 | AgileBits 1Password through 1.0.9.340 allows security feature bypass |
| CVE-2019-19332 | 2020-01-09 | An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get... |
| CVE-2019-20224 | 2020-01-09 | netflow_get_stats in functions_netflow.php in Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request. This issue has... |
| CVE-2019-14918 | 2020-01-09 | XSS in the DHCP lease-status table in Billion Smart Energy Router SG600R2 Firmware v3.02.rc6 allows an attacker to inject arbitrary HTML/JavaScript code to achieve client-side code execution via crafted DHCP... |
| CVE-2019-14919 | 2020-01-09 | An exposed Telnet Service on the Billion Smart Energy Router SG600R2 with firmware v3.02.rc6 allows a local network attacker to authenticate via hardcoded credentials into a shell, gaining root execution... |
| CVE-2019-14920 | 2020-01-09 | Billion Smart Energy Router SG600R2 Firmware v3.02.rc6 allows an authenticated attacker to gain root execution privileges over the device via a hidden etc_ro/web/adm/system_command.asp shell feature. |
| CVE-2020-1826 | 2020-01-09 | Huawei Honor Magic2 mobile phones with versions earlier than 10.0.0.175(C00E59R2P11) have an information leak vulnerability. Due to a module using weak encryption tool, an attacker with the root permission may... |
| CVE-2020-1787 | 2020-01-09 | HUAWEI Mate 20 smartphones versions earlier than 9.1.0.139(C00E133R3P1) have an improper authentication vulnerability. The system has a logic error under certain scenario, successful exploit could allow the attacker who gains... |
| CVE-2019-4651 | 2020-01-09 | IBM Jazz Reporting Service (JRS) 6.0.6.1 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete... |
| CVE-2020-1786 | 2020-01-09 | HUAWEI Mate 20 Pro smartphones versions earlier than 10.0.0.175(C00E69R3P8) have an improper authentication vulnerability. The software does not sufficiently validate the name of apk file in a special condition which... |
| CVE-2020-1810 | 2020-01-09 | There is a weak algorithm vulnerability in some Huawei products. The affected products use the RSA algorithm in the SSL key exchange algorithm which have been considered as a weak... |
| CVE-2020-6167 | 2020-01-09 | A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.10, allows a CSRF attack to enable maintenance mode, inject XSS, modify several important settings, or include... |
| CVE-2019-6332 | 2020-01-09 | A potential security vulnerability has been identified with certain HP InkJet printers. The vulnerability could be exploited to allow cross-site scripting (XSS). Affected products and versions include: HP DeskJet 2600... |
| CVE-2019-6331 | 2020-01-09 | An issue was found in Samsung Mobile Print (Android) versions prior to 4.08.007. A potential security vulnerability caused by incomplete obfuscation of application configuration information. |
| CVE-2019-6330 | 2020-01-09 | A potential security vulnerability has been identified in the software solution HP Access Control versions prior to 16.7. This vulnerability could potentially grant elevation of privilege. |
| CVE-2020-1925 | 2020-01-09 | Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class which reads a URL from the Location header, and then sends a GET or DELETE request to this URL. It... |
| CVE-2019-6320 | 2020-01-09 | Certain HP DeskJet 3630 All-in-One Printers models F5S43A - F5S57A, K4T93A - K4T99C, K4U00B - K4U03B, and V3F21A - V3F22A (firmware version SWP1FN1912BR or higher) have a Cross-Site Request Forgery... |
| CVE-2019-6319 | 2020-01-09 | HP DeskJet 3630 All-in-One Printers models F5S43A - F5S57A, K4T93A - K4T99C, K4U00B - K4U03B, and V3F21A - V3F22A (firmware version SWP1FN1912BR or higher) have a Cross-Site Request Forgery (CSRF)... |
| CVE-2020-6750 | 2020-01-09 | GSocketClient in GNOME GLib through 2.62.4 may occasionally connect directly to a target address instead of connecting via a proxy server when configured to do so, because the proxy_addr field... |
| CVE-2016-5311 | 2020-01-09 | A Privilege Escalation vulnerability exists in Symantec Norton Antivirus, Norton AntiVirus with Backup, Norton Security, Norton Security with Backup, Norton Internet Security, Norton 360, Endpoint Protection Small Business Edition Cloud,... |
| CVE-2012-1258 | 2020-01-09 | cgi-bin/userprefs.cgi in Plixer International Scrutinizer NetFlow & sFlow Analyzer before 9.0.1.19899 does not validate user permissions, which allow remote attackers to add user accounts with administrator privileges via the newuser,... |
| CVE-2012-1259 | 2020-01-09 | Multiple SQL injection vulnerabilities in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allow remote attackers to execute arbitrary SQL commands via the (1)... |
| CVE-2012-1260 | 2020-01-09 | Cross-site scripting (XSS) vulnerability in cgi-bin/userprefs.cgi in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allows remote attackers to inject arbitrary web script or... |
| CVE-2012-1261 | 2020-01-09 | Cross-site scripting (XSS) vulnerability in cgi-bin/scrut_fa_exclusions.cgi in Plixer International Scrutinizer NetFlow and sFlow Analyzer 8.6.2.16204 and other versions before 9.0.1.19899 allows remote attackers to inject arbitrary web script or HTML... |
| CVE-2012-2724 | 2020-01-09 | The Simplenews module 6.x-1.x before 6.x-1.4, 6.x-2.x before 6.x-2.0-alpha4, and 7.x-1.x before 7.x-1.0-rc1 for Drupal reveals the email addresses of new mailing list subscribers when confirmation is required, which allows... |
| CVE-2020-6166 | 2020-01-09 | A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.15, allows authenticated users with basic access to export settings and change maintenance-mode themes. |
| CVE-2012-2714 | 2020-01-09 | The BrowserID (Mozilla Persona) module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users via the audience identifier. |
| CVE-2020-6168 | 2020-01-09 | A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.10, allows authenticated users with basic access to enable and disable maintenance-mode settings (impacting the availability and... |
| CVE-2019-20372 | 2020-01-09 | NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being... |
| CVE-2019-18859 | 2020-01-09 | Digi AnywhereUSB 14 allows XSS via a link for the Digi Page. |
| CVE-2012-1915 | 2020-01-09 | EllisLab CodeIgniter 2.1.2 allows remote attackers to bypass the xss_clean() Filter and perform XSS attacks. |
| CVE-2012-2226 | 2020-01-09 | Invision Power Board before 3.3.1 fails to sanitize user-supplied input which could allow remote attackers to obtain sensitive information or execute arbitrary code by uploading a malicious file. |
| CVE-2012-3490 | 2020-01-09 | The (1) my_popenv_impl and (2) my_spawnv functions in src/condor_utils/my_popen.cpp and the (3) systemCommand function in condor_vm-gahp/vmgahp_common.cpp in Condor 7.6.x before 7.6.10 and 7.8.x before 7.8.4 does not properly check the... |
| CVE-2012-4434 | 2020-01-09 | fwknop before 2.0.3 allow remote authenticated users to cause a denial of service (server crash) or possibly execute arbitrary code. |
| CVE-2012-5558 | 2020-01-09 | Cross-site scripting (XSS) vulnerability in the Smiley module 6.x-1.x versions prior to 6.x-1.1 and Smileys module 6.x-1.x versions prior to 6.x-1.1 for Drupal allows remote authenticated users with the "administer... |
| CVE-2012-2142 | 2020-01-09 | The error function in Error.cc in poppler before 0.21.4 allows remote attackers to execute arbitrary commands via a PDF containing an escape sequence for a terminal emulator. |
| CVE-2010-3282 | 2020-01-09 | 389 Directory Server before 1.2.7.1 (aka Red Hat Directory Server 8.2) and HP-UX Directory Server before B.08.10.03, when audit logging is enabled, logs the Directory Manager password (nsslapd-rootpw) in cleartext... |
| CVE-2012-2931 | 2020-01-09 | PHP code injection in TinyWebGallery before 1.8.8 allows remote authenticated users with admin privileges to inject arbitrary code into the .htusers.php file. |
| CVE-2019-20182 | 2020-01-09 | The FooGallery plugin 1.8.12 for WordPress allow XSS via the post_title parameter. |
| CVE-2012-2950 | 2020-01-09 | Gateway Geomatics MapServer for Windows before 3.0.6 contains a Local File Include Vulnerability which allows remote attackers to execute local PHP code and obtain sensitive information. |
| CVE-2019-20184 | 2020-01-09 | KeePass 2.4.1 allows CSV injection in the title field of a CSV export. |
| CVE-2019-20181 | 2020-01-09 | The awesome-support plugin 5.8.0 for WordPress allows XSS via the post_title parameter. |
| CVE-2019-20183 | 2020-01-09 | uploadimage.php in Employee Records System 1.0 allows upload and execution of arbitrary PHP code because file-extension validation is only on the client side. The attacker can modify global.js to allow... |
| CVE-2019-20179 | 2020-01-09 | SOPlanning 1.45 has SQL injection via the user_list.php "by" parameter. |
| CVE-2019-20178 | 2020-01-09 | Advisto PEEL Shopping 9.2.1 has CSRF via administrer/utilisateurs.php to delete a user. |
| CVE-2012-3806 | 2020-01-09 | Samsung Kies before 2.5.0.12094_27_11 contains a NULL pointer dereference vulnerability which could allow remote attackers to perform a denial of service. |
| CVE-2012-3807 | 2020-01-09 | Samsung Kies before 2.5.0.12094_27_11 has arbitrary file execution. |
| CVE-2012-3808 | 2020-01-09 | Samsung Kies before 2.5.0.12094_27_11 has arbitrary file modification. |
| CVE-2012-3809 | 2020-01-09 | Samsung Kies before 2.5.0.12094_27_11 has arbitrary directory modification. |
| CVE-2012-3810 | 2020-01-09 | Samsung Kies before 2.5.0.12094_27_11 has registry modification. |
| CVE-2020-5504 | 2020-01-09 | In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username... |
| CVE-2020-6757 | 2020-01-09 | contentHostProperties.php in Rasilient PixelStor 5000 K:4.0.1580-20150629 (KDI Version) allows authenticated attackers to remotely execute code via the name parameter. |
| CVE-2020-6758 | 2020-01-09 | A cross-site scripting (XSS) vulnerability in Option/optionsAll.php in Rasilient PixelStor 5000 K:4.0.1580-20150629 (KDI Version) allows remote attackers to inject arbitrary web script or HTML via the ContentFrame parameter. |
| CVE-2020-6756 | 2020-01-09 | languageOptions.php in Rasilient PixelStor 5000 K:4.0.1580-20150629 (KDI Version) allows unauthenticated attackers to remotely execute code via the lang parameter. |
| CVE-2019-20373 | 2020-01-09 | LTSP LDM through 2.18.06 allows fat-client root access because the LDM_USERNAME variable may have an empty value if the user's shell lacks support for Bourne shell syntax. This is related... |
| CVE-2019-20374 | 2020-01-09 | A mutation cross-site scripting (XSS) issue in Typora through 0.9.9.31.2 on macOS and through 0.9.81 on Linux leads to Remote Code Execution through Mermaid code blocks. To exploit this vulnerability,... |