CVE List - 2020 / October
Showing 1401 - 1500 of 1594 CVEs for October 2020 (Page 15 of 16)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-8836 | 2020-10-27 | A memory corruption issue was addressed with improved memory handling. This issue is fixed in watchOS 6.1.2, iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1. An application may be able to... |
| CVE-2019-8851 | 2020-10-27 | A logic issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15.2, Security Update 2019-002 Mojave, and Security Update 2019-007 High Sierra. A Mac may... |
| CVE-2020-25765 | 2020-10-27 | Addressed remote code execution vulnerability in reg_device.php due to insufficient validation of user input in Western Digital My Cloud Devices prior to 5.4.1140. |
| CVE-2019-8847 | 2020-10-27 | A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.2, Security Update 2019-002 Mojave, and Security Update 2019-007 High Sierra. An application... |
| CVE-2019-8852 | 2020-10-27 | A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.2, Security Update 2019-002 Mojave, and Security Update 2019-007 High Sierra. An application... |
| CVE-2019-8848 | 2020-10-27 | This issue was addressed with improved checks. This issue is fixed in tvOS 13.3, watchOS 6.1.1, iCloud for Windows 10.9, macOS Catalina 10.15.2, Security Update 2019-002 Mojave, and Security Update... |
| CVE-2019-8856 | 2020-10-27 | An API issue existed in the handling of outgoing phone calls initiated with Siri. This issue was addressed with improved state handling. This issue is fixed in iOS 13.3 and... |
| CVE-2019-8857 | 2020-10-27 | The issue was addressed with improved validation when an iCloud Link is created. This issue is fixed in iOS 13.3 and iPadOS 13.3. Live Photo audio and video data may... |
| CVE-2019-8850 | 2020-10-27 | An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15, iOS 13.1 and iPadOS 13.1, tvOS 13, macOS Catalina 10.15.1, Security Update 2019-001,... |
| CVE-2019-8846 | 2020-10-27 | A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 13.3, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes... |
| CVE-2019-8853 | 2020-10-27 | A validation issue was addressed with improved input sanitization. This issue is fixed in macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra, macOS Catalina 10.15.2, Security... |
| CVE-2019-8901 | 2020-10-27 | This issue was addressed by verifying host keys when connecting to a previously-known SSH server. This issue is fixed in iOS 13.1 and iPadOS 13.1. An attacker in a privileged... |
| CVE-2019-8898 | 2020-10-27 | An information disclosure issue existed in the handling of the Storage Access API. This issue was addressed with improved logic. This issue is fixed in iOS 13.3 and iPadOS 13.3,... |
| CVE-2020-3852 | 2020-10-27 | A logic issue was addressed with improved validation. This issue is fixed in Safari 13.0.5. A URL scheme may be incorrectly ignored when determining multimedia permission for a website. |
| CVE-2019-8854 | 2020-10-27 | A user privacy issue was addressed by removing the broadcast MAC address. This issue is fixed in macOS Catalina 10.15, watchOS 6, iOS 13, tvOS 13. A device may be... |
| CVE-2019-8855 | 2020-10-27 | An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Catalina 10.15. A malicious application may be able to access restricted files. |
| CVE-2020-3864 | 2020-10-27 | A logic issue was addressed with improved validation. This issue is fixed in iCloud for Windows 7.17, iTunes 12.10.4 for Windows, iCloud for Windows 10.9.2, tvOS 13.3.1, Safari 13.0.5, iOS... |
| CVE-2019-8858 | 2020-10-27 | A logic issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15.1, Security Update 2019-001, and Security Update 2019-006. A user who shares their screen... |
| CVE-2020-9774 | 2020-10-27 | An issue existed with Siri Suggestions access to encrypted data. The issue was fixed by limiting access to encrypted data. This issue is fixed in macOS Catalina 10.15.3, Security Update... |
| CVE-2020-3855 | 2020-10-27 | An access issue was addressed with improved access restrictions. This issue is fixed in macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. A malicious application may... |
| CVE-2020-27892 | 2020-10-27 | The Zigbee protocol implementation on Texas Instruments CC2538 devices with Z-Stack 3.0.1 does not properly process a ZCL Discover Commands Received Response message or a ZCL Discover Commands Generated Response... |
| CVE-2020-27891 | 2020-10-27 | The Zigbee protocol implementation on Texas Instruments CC2538 devices with Z-Stack 3.0.1 does not properly process a ZCL Read Reporting Configuration Response message. It crashes in zclHandleExternal(). |
| CVE-2020-27890 | 2020-10-27 | The Zigbee protocol implementation on Texas Instruments CC2538 devices with Z-Stack 3.0.1 does not properly process a ZCL Write Attributes No Response message. It crashes in zclParseInWriteCmd() and does not... |
| CVE-2020-3851 | 2020-10-27 | A use after free issue was addressed with improved memory management. This issue is fixed in macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra, macOS Catalina... |
| CVE-2020-9786 | 2020-10-27 | This issue was addressed with improved checks. This issue is fixed in macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra. An application may be able to... |
| CVE-2020-9860 | 2020-10-27 | A custom URL scheme handling issue was addressed with improved input validation. This issue is fixed in Safari 13.0.5. Processing a maliciously crafted URL may lead to arbitrary JavaScript code... |
| CVE-2020-9866 | 2020-10-27 | A buffer overflow was addressed with improved bounds checking. This issue is fixed in macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra. A buffer overflow may... |
| CVE-2020-3863 | 2020-10-27 | A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. An application may... |
| CVE-2020-9961 | 2020-10-27 | An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.7, Security Update 2020-005 High Sierra, Security Update 2020-005 Mojave. Processing a maliciously crafted... |
| CVE-2020-9782 | 2020-10-27 | A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Catalina 10.15.2, Security Update 2019-002 Mojave, and Security Update... |
| CVE-2020-3880 | 2020-10-27 | An out-of-bounds read was addressed with improved input validation. This issue is fixed in watchOS 6.1.2, iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, macOS Catalina 10.15.3, Security Update 2020-001 Mojave,... |
| CVE-2020-9857 | 2020-10-27 | An issue existed in the parsing of URLs. This issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update... |
| CVE-2020-9979 | 2020-10-27 | A trust issue was addressed by removing a legacy API. This issue is fixed in iOS 14.0 and iPadOS 14.0, tvOS 14.0. An attacker may be able to misuse a... |
| CVE-2020-9932 | 2020-10-27 | A memory corruption issue was addressed with improved validation. This issue is fixed in Safari 13.0.1, iOS 13.1 and iPadOS 13.1, tvOS 13. Processing maliciously crafted web content may lead... |
| CVE-2020-9941 | 2020-10-27 | This issue was addressed with improved checks. This issue is fixed in macOS Catalina 10.15.7, Security Update 2020-005 High Sierra, Security Update 2020-005 Mojave. A remote attacker may be able... |
| CVE-2020-9973 | 2020-10-27 | An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Catalina 10.15.7, Security Update 2020-005 High Sierra, Security Update 2020-005 Mojave, iOS 14.0 and iPadOS... |
| CVE-2020-9982 | 2020-10-27 | This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Apple Music 3.4.0 for Android. A malicious application may be able to leak a... |
| CVE-2019-8531 | 2020-10-27 | A validation issue existed in Trust Anchor Management. This issue was addressed with improved validation. This issue is fixed in watchOS 5.2, macOS Mojave 10.14.4, Security Update 2019-002 High Sierra,... |
| CVE-2019-8664 | 2020-10-27 | An input validation issue was addressed with improved input validation. This issue is fixed in iOS 12.3, watchOS 5.2.1. Processing a maliciously crafted message may lead to a denial of... |
| CVE-2019-8796 | 2020-10-27 | A logic issue was addressed with improved validation. This issue is fixed in macOS Catalina 10.15.1, Security Update 2019-001, and Security Update 2019-006, iOS 12.4.3, watchOS 6.1, iOS 13.2 and... |
| CVE-2020-16140 | 2020-10-27 | The search functionality of the Greenmart theme 2.4.2 for WordPress is vulnerable to XSS. |
| CVE-2020-26130 | 2020-10-28 | Issues were discovered in Open TFTP Server multithreaded 1.66 and Open TFTP Server single port 1.66. Due to insufficient access restrictions in the default installation directory, an attacker can elevate... |
| CVE-2020-26131 | 2020-10-28 | Issues were discovered in Open DHCP Server (Regular) 1.75 and Open DHCP Server (LDAP Based) 0.1Beta. Due to insufficient access restrictions in the default installation directory, an attacker can elevate... |
| CVE-2020-26132 | 2020-10-28 | An issue was discovered in Home DNS Server 0.10. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the HomeDNSServer.exe binary. |
| CVE-2020-26133 | 2020-10-28 | An issue was discovered in Dual DHCP DNS Server 7.40. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the DualServer.exe binary. |
| CVE-2020-6829 | 2020-10-28 | When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used, which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a... |
| CVE-2020-27956 | 2020-10-28 | An Arbitrary File Upload in the Upload Image component in SourceCodester Car Rental Management System 1.0 allows the user to conduct remote code execution via admin/index.php?page=manage_car because .php files can... |
| CVE-2020-27957 | 2020-10-28 | The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data. When certain varieties of games were created within MediaWiki, their names or titles could be manipulated... |
| CVE-2020-5144 | 2020-10-28 | SonicWall Global VPN client version 4.10.4.0314 and earlier allows an unprivileged Windows user to elevate privileges to SYSTEM through a loaded process hijacking vulnerability. |
| CVE-2020-5145 | 2020-10-28 | SonicWall Global VPN client version 4.10.4.0314 and earlier has an insecure library loading (DLL hijacking) vulnerability. Successful exploitation could lead to remote code execution in the target system. |
| CVE-2020-8248 | 2020-10-28 | A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to escalate privilege. |
| CVE-2020-8249 | 2020-10-28 | A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to perform a buffer overflow. |
| CVE-2020-8250 | 2020-10-28 | A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to escalate privilege. |
| CVE-2020-8240 | 2020-10-28 | A vulnerability in the Pulse Secure Desktop Client < 9.1R9 allows a restricted user on an endpoint machine to use system-level privileges if the Embedded Browser is configured with Credential... |
| CVE-2020-8254 | 2020-10-28 | A vulnerability in the Pulse Secure Desktop Client < 9.1R9 has Remote Code Execution (RCE) if users can be convinced to connect to a malicious server. This vulnerability only affects... |
| CVE-2020-8239 | 2020-10-28 | A vulnerability in the Pulse Secure Desktop Client < 9.1R9 is vulnerable to the client registry privilege escalation attack. This fix also requires Server Side Upgrade due to Standalone Host... |
| CVE-2020-8255 | 2020-10-28 | A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary file read. The vulnerability is fixed using encrypted URL blacklisting... |
| CVE-2020-8241 | 2020-10-28 | A vulnerability in the Pulse Secure Desktop Client < 9.1R9 could allow the attacker to perform a MITM Attack if end users are convinced to connect to a malicious server. |
| CVE-2020-8260 | 2020-10-28 | A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction. |
| CVE-2020-8261 | 2020-10-28 | A vulnerability in the Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary cookie injection. |
| CVE-2020-8262 | 2020-10-28 | A vulnerability in the Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection for authenticated user web interface. |
| CVE-2020-8263 | 2020-10-28 | A vulnerability in the authenticated user web interface of Pulse Connect Secure < 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) through the CGI file. |
| CVE-2020-24303 | 2020-10-28 | Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. |
| CVE-2020-22552 | 2020-10-28 | The Snap7 server component in version 1.4.1, when an attacker sends a crafted packet with COTP protocol the last-data-unit flag set to No and S7 writes a var function, the... |
| CVE-2020-27976 | 2020-10-28 | osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Within admin/mail.php, a from POST parameter can be passed to the application. This affects the PHP mail function, and the... |
| CVE-2020-27975 | 2020-10-28 | osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF. |
| CVE-2020-27974 | 2020-10-28 | NeoPost Mail Accounting Software Pro 5.0.6 allows php/Commun/FUS_SCM_BlockStart.php?code= XSS. |
| CVE-2020-27978 | 2020-10-28 | Shibboleth Identity Provider 3.x before 3.4.6 has a denial of service flaw. A remote unauthenticated attacker can cause a login flow to trigger Java heap exhaustion due to the creation... |
| CVE-2020-4767 | 2020-10-28 | IBM Sterling Connect Direct for Microsoft Windows 4.7, 4.8, 6.0, and 6.1 could allow a remote attacker to cause a denial of service, caused by a buffer over-read. By sending a... |
| CVE-2020-4782 | 2020-10-28 | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot... |
| CVE-2020-15278 | 2020-10-28 | Unauthorized privilege escalation in Mod module |
| CVE-2020-16257 | 2020-10-28 | Winston 1.5.4 devices are vulnerable to command injection via the API. |
| CVE-2020-16256 | 2020-10-28 | The API on Winston 1.5.4 devices is vulnerable to CSRF. |
| CVE-2020-16261 | 2020-10-28 | Winston 1.5.4 devices allow a U-Boot interrupt, resulting in local root access. |
| CVE-2020-16262 | 2020-10-28 | Winston 1.5.4 devices have a local www-data user that is overly permissioned, resulting in root privilege escalation. |
| CVE-2020-16263 | 2020-10-28 | Winston 1.5.4 devices have a CORS configuration that trusts arbitrary origins. This allows requests to be made and viewed by arbitrary origins. |
| CVE-2020-16260 | 2020-10-28 | Winston 1.5.4 devices do not enforce authorization. This is exploitable from the intranet, and can be combined with other vulnerabilities for remote exploitation. |
| CVE-2020-16258 | 2020-10-28 | Winston 1.5.4 devices make use of a Monit service (not managed during the normal user process) which is configured with default credentials. |
| CVE-2020-16259 | 2020-10-28 | Winston 1.5.4 devices have an SSH user account with access from bastion hosts. This is undocumented in device documents and is not announced to the user. |
| CVE-2020-25966 | 2020-10-28 | Sectona Spectra before 3.4.0 has a vulnerable SOAP API endpoint that leaks sensitive information about the configured assets without proper authentication. This could be used by unauthorized parties to get... |
| CVE-2018-19943 | 2020-10-28 | If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed these issues in the following QTS versions. QTS 4.4.2.1270 build 20200410 and... |
| CVE-2018-19949 | 2020-10-28 | If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302;... |
| CVE-2018-19953 | 2020-10-28 | If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302;... |
| CVE-2020-27740 | 2020-10-28 | Citadel WebCit through 926 allows unauthenticated remote attackers to enumerate valid users within the platform. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in... |
| CVE-2020-27741 | 2020-10-28 | Multiple cross-site scripting (XSS) vulnerabilities in Citadel WebCit through 926 allow remote attackers to inject arbitrary web script or HTML via multiple pages and parameters. NOTE: this was reported to... |
| CVE-2020-27742 | 2020-10-28 | An Insecure Direct Object Reference vulnerability in Citadel WebCit through 926 allows authenticated remote attackers to read someone else's emails via the msg_confirm_move template. NOTE: this was reported to the... |
| CVE-2020-27739 | 2020-10-28 | A Weak Session Management vulnerability in Citadel WebCit through 926 allows unauthenticated remote attackers to hijack recently logged-in users' sessions. NOTE: this was reported to the vendor in a publicly... |
| CVE-2020-27980 | 2020-10-28 | Genexis Platinum-4410 P4410-V2-1.28 devices allow stored XSS in the WLAN SSID parameter. This could allow an attacker to perform malicious actions in which the XSS popup will affect all privileged... |
| CVE-2020-25204 | 2020-10-28 | The God Kings application 0.60.1 for Android exposes a broadcast receiver to other apps called com.innogames.core.frontend.notifications.receivers.LocalNotificationBroadcastReceiver. The purpose of this broadcast receiver is to show an in-game push notification to... |
| CVE-2020-24990 | 2020-10-28 | An issue was discovered in QSC Q-SYS Core Manager 8.2.1. By utilizing the TFTP service running on UDP port 69, a remote attacker can perform a directory traversal and obtain... |
| CVE-2020-24708 | 2020-10-28 | Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the Host field on the send profile form. |
| CVE-2020-24709 | 2020-10-28 | Cross Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via a crafted landing page or email template. |
| CVE-2020-24712 | 2020-10-28 | Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the IMAP Host field on the account settings page. |
| CVE-2020-24710 | 2020-10-28 | Gophish before 0.11.0 allows SSRF attacks. |
| CVE-2020-24711 | 2020-10-28 | The Reset button on the Account Settings page in Gophish before 0.11.0 allows attackers to cause a denial of service via a clickjacking attack. |
| CVE-2020-24713 | 2020-10-28 | Gophish through 0.10.1 does not invalidate the gophish cookie upon logout. |
| CVE-2020-24707 | 2020-10-28 | Gophish before 0.11.0 allows the creation of CSV sheets that contain malicious content. |
| CVE-2020-25374 | 2020-10-28 | CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers to discover internal pathnames by reading an error popup message after two hours of idle time. |
| CVE-2020-27986 | 2020-10-28 | SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI. NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the... |
| CVE-2020-14323 | 2020-10-29 | A null pointer dereference flaw was found in samba's Winbind service in versions before 4.11.15, before 4.12.9 and before 4.13.1. A local user could use this flaw to crash the... |