CVE List - 2020 / November
Showing 701 - 800 of 1246 CVEs for November 2020 (Page 8 of 13)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-25155 | 2020-11-13 | The affected product transmits unencrypted sensitive information, which may allow an attacker to access this information on the NIO 50 (all versions). |
| CVE-2020-25151 | 2020-11-13 | The affected product does not properly validate input, which may allow an attacker to execute a denial-of-service attack on the NIO 50 (all versions). |
| CVE-2020-26222 | 2020-11-13 | Remote code execution in dependabot-core |
| CVE-2020-26223 | 2020-11-13 | Authorization bypass in Spree |
| CVE-2020-26230 | 2020-11-13 | Deanonymization of COVID-19 positive users of Radar COVID |
| CVE-2020-7962 | 2020-11-13 | An issue was discovered in One Identity Password Manager 5.8. An attacker could enumerate valid answers for a user. It is possible for an attacker to detect a valid answer... |
| CVE-2020-6157 | 2020-11-13 | Opera Touch for iOS before version 2.4.5 is vulnerable to an address bar spoofing attack. The vulnerability allows a malicious page to trick the browser into showing an address of... |
| CVE-2020-27217 | 2020-11-13 | In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received from devices. In particular, a device may send messages that... |
| CVE-2020-13638 | 2020-11-13 | lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. This issue has been fixed in 3.9.7. |
| CVE-2020-5796 | 2020-11-13 | Improper preservation of permissions in Nagios XI 5.7.4 allows a local, low-privileged, authenticated user to weaken the permissions of files, resulting in low-privileged users being able to write to and... |
| CVE-2020-0599 | 2020-11-13 | Improper access control in the PMC for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. |
| CVE-2020-12338 | 2020-11-13 | Insufficient control flow management in the Open WebRTC Toolkit before version 4.3.1 may allow an unauthenticated user to potentially enable escalation of privilege via network access. |
| CVE-2020-12313 | 2020-11-13 | Insufficient control flow management in some Intel(R) PROSet/Wireless WiFi products before version 21.110 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. |
| CVE-2020-28638 | 2020-11-13 | ask_password in Tomb 2.0 through 2.7 returns a warning when pinentry-curses is used and $DISPLAY is non-empty, causing affected users' files to be encrypted with "tomb {W] Detected DISPLAY, but... |
| CVE-2020-15481 | 2020-11-13 | An issue was discovered in PassMark BurnInTest v9.1 Build 1008, OSForensics v7.1 Build 1012, and PerformanceTest v10.0 Build 1008. The kernel driver exposes IOCTL functionality that allows low-privilege users to... |
| CVE-2020-7772 | 2020-11-15 | Prototype Pollution |
| CVE-2020-28268 | 2020-11-15 | Prototype pollution vulnerability in 'controlled-merge' versions 1.0.0 through 1.2.0 allows attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2019-19562 | 2020-11-15 | An authentication bypass in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with physical access to device hardware to obtain system information. |
| CVE-2019-19556 | 2020-11-15 | An authentication bypass in the debug interface in Mercedes-Benz HERMES 1 allows an attacker with physical access to device hardware to obtain system information. |
| CVE-2019-19560 | 2020-11-15 | An authentication bypass in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with physical access to device hardware to obtain system information. |
| CVE-2019-19563 | 2020-11-15 | A misconfiguration in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with direct physical access to device hardware to obtain cellular modem information. |
| CVE-2019-19557 | 2020-11-15 | A misconfiguration in the debug interface in Mercedes-Benz HERMES 1 allows an attacker with direct physical access to device hardware to obtain cellular modem information. |
| CVE-2019-19561 | 2020-11-15 | A misconfiguration in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with direct physical access to device hardware to obtain cellular modem information. |
| CVE-2020-8271 | 2020-11-16 | Unauthenticated remote code execution with root privileges in Citrix SD-WAN Center versions before 11.2.2, 11.1.2b and 10.2.8 |
| CVE-2020-8272 | 2020-11-16 | Authentication Bypass resulting in exposure of SD-WAN functionality in Citrix SD-WAN Center versions before 11.2.2, 11.1.2b and 10.2.8 |
| CVE-2020-8273 | 2020-11-16 | Privilege escalation of an authenticated user to root in Citrix SD-WAN center versions before 11.2.2, 11.1.2b and 10.2.8. |
| CVE-2020-8269 | 2020-11-16 | An unprivileged Windows user on the VDA can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285870 and CTX286120, 7.15 LTSR CU6 hotfix... |
| CVE-2020-8270 | 2020-11-16 | An unprivileged Windows user on the VDA or an SMB user can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285871 and CTX285872,... |
| CVE-2020-8152 | 2020-11-16 | Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on. |
| CVE-2020-8259 | 2020-11-16 | Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys. |
| CVE-2020-25694 | 2020-11-16 | A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections only... |
| CVE-2020-25695 | 2020-11-16 | A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at... |
| CVE-2020-5666 | 2020-11-16 | Uncontrolled resource consumption vulnerability in MELSEC iQ-R Series CPU Modules (R00/01/02CPU Firmware versions from '05' to '19' and R04/08/16/32/120(EN)CPU Firmware versions from '35' to '51') allows a remote attacker to... |
| CVE-2020-2492 | 2020-11-16 | If exploited, the command injection vulnerability could allow remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. QTS versions prior to 4.4.3.1421 on build 20200907. |
| CVE-2020-2490 | 2020-11-16 | If exploited, the command injection vulnerability could allow remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. QTS versions prior to 4.4.3.1421 on build 20200907. |
| CVE-2020-28642 | 2020-11-16 | In InfiniteWP Admin Panel before 3.1.12.3, resetPasswordSendMail generates a weak password-reset code, which makes it easier for remote attackers to conduct admin Account Takeover attacks. |
| CVE-2020-28648 | 2020-11-16 | Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute remote code. |
| CVE-2020-28650 | 2020-11-16 | The WPBakery plugin before 6.4.1 for WordPress allows XSS because it calls kses_remove_filters to disable the standard WordPress XSS protection mechanism for the Author and Contributor roles. |
| CVE-2020-28649 | 2020-11-16 | The orbisius-child-theme-creator plugin before 1.5.2 for WordPress allows CSRF via orbisius_ctc_theme_editor_manage_file. |
| CVE-2020-28656 | 2020-11-16 | The update functionality of the Discover Media infotainment system in Volkswagen Polo 2019 vehicles allows physically proximate attackers to execute arbitrary code because some unsigned parts of a metainfo file... |
| CVE-2020-5659 | 2020-11-16 | SQL injection vulnerability in the XooNIps 3.49 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2020-5662 | 2020-11-16 | Reflected cross-site scripting vulnerability in XooNIps 3.49 and earlier allows remote authenticated attackers to inject arbitrary script via unspecified vectors. |
| CVE-2020-5663 | 2020-11-16 | Stored cross-site scripting vulnerability in XooNIps 3.49 and earlier allows remote authenticated attackers to inject arbitrary script via unspecified vectors. |
| CVE-2020-5664 | 2020-11-16 | Deserialization of untrusted data vulnerability in XooNIps 3.49 and earlier allows remote attackers to execute arbitrary code via unspecified vectors. |
| CVE-2020-8897 | 2020-11-16 | Robustness weakness in AWS KMS and Encryption SDKs |
| CVE-2020-7765 | 2020-11-16 | Prototype Pollution |
| CVE-2020-7773 | 2020-11-16 | Cross-site Scripting (XSS) |
| CVE-2020-25210 | 2020-11-16 | In JetBrains YouTrack before 2020.3.7955, an attacker could access workflow rules without appropriate access grants. |
| CVE-2020-27459 | 2020-11-16 | Chronoforeum 2.0.11 allows Stored XSS vulnerabilities when inserting a crafted payload into a post. If any user sees the post, the inserted XSS code is executed. |
| CVE-2020-24366 | 2020-11-16 | Sensitive information could be disclosed in the JetBrains YouTrack application before 2020.2.0 for Android via application backups. |
| CVE-2020-25209 | 2020-11-16 | In JetBrains YouTrack before 2020.3.6638, improper access control for some subresources leads to information disclosure via the REST API. |
| CVE-2020-27626 | 2020-11-16 | JetBrains YouTrack before 2020.3.5333 was vulnerable to SSRF. |
| CVE-2020-27625 | 2020-11-16 | In JetBrains YouTrack before 2020.3.888, notifications might have mentioned inaccessible issues. |
| CVE-2020-27624 | 2020-11-16 | JetBrains YouTrack before 2020.3.888 was vulnerable to SSRF. |
| CVE-2020-25013 | 2020-11-16 | JetBrains ToolBox before version 1.18 is vulnerable to a Denial of Service attack via a browser protocol handler. |
| CVE-2020-25207 | 2020-11-16 | JetBrains ToolBox before version 1.18 is vulnerable to Remote Code Execution via a browser protocol handler. |
| CVE-2020-27629 | 2020-11-16 | In JetBrains TeamCity before 2020.1.5, secure dependency parameters could be not masked in depending builds when there are no internal artifacts. |
| CVE-2020-27628 | 2020-11-16 | In JetBrains TeamCity before 2020.1.5, the Guest user had access to audit records. |
| CVE-2020-27627 | 2020-11-16 | JetBrains TeamCity before 2020.1.2 was vulnerable to URL injection. |
| CVE-2020-26129 | 2020-11-16 | In JetBrains Ktor before 1.4.1, HTTP request smuggling was possible. |
| CVE-2020-27622 | 2020-11-16 | In JetBrains IntelliJ IDEA before 2020.2, the built-in web server could expose information about the IDE version. |
| CVE-2020-27623 | 2020-11-16 | JetBrains IdeaVim before version 0.58 might have caused an information leak in limited circumstances. |
| CVE-2020-27191 | 2020-11-16 | LionWiki before 3.2.12 allows an unauthenticated user to read files as the web server user via crafted string in the index.php f1 variable, aka Local File Inclusion. NOTE: This vulnerability... |
| CVE-2020-13772 | 2020-11-16 | In /ldclient/ldprov.cgi in Ivanti Endpoint Manager through 2020.1.1, an attacker is able to disclose information about the server operating system, local pathnames, and environment variables with no authentication required. |
| CVE-2020-13769 | 2020-11-16 | LDMS/alert_log.aspx in Ivanti Endpoint Manager through 2020.1 allows SQL Injection via a /remotecontrolauth/api/device request. |
| CVE-2020-13773 | 2020-11-16 | Ivanti Endpoint Manager through 2020.1.1 allows XSS via /LDMS/frm_splitfrm.aspx, /LDMS/licensecheck.aspx, /LDMS/frm_splitcollapse.aspx, /LDMS/alert_log.aspx, /LDMS/ServerList.aspx, /LDMS/frm_coremainfrm.aspx, /LDMS/frm_findfrm.aspx, /LDMS/frm_taskfrm.aspx, and /LDMS/query_browsecomp.aspx. |
| CVE-2020-25952 | 2020-11-16 | SQL injection vulnerability in PHPGurukul User Registration & Login and User Management System With admin panel 2.1 allows remote attackers to execute arbitrary SQL commands and bypass authentication. |
| CVE-2020-27423 | 2020-11-16 | Anuko Time Tracker v1.19.23.5311 lacks rate limit on the password reset module which allows attacker to perform Denial of Service attack on any legitimate user's mailbox |
| CVE-2020-27422 | 2020-11-16 | In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to takeover the account. |
| CVE-2020-4475 | 2020-11-16 | IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 and 6.0.0.0 through 6.0.3.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned... |
| CVE-2020-4476 | 2020-11-16 | IBM Sterling File Gateway 2.2.0.0 through 2.2.6.5 and 6.0.0.0 through 6.0.3.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the... |
| CVE-2020-4566 | 2020-11-16 | IBM Sterling B2B Integrator Standard Edition 5.2.6.0 through 5.2.6.5 and 6.0.0.0 through 6.0.3.2 stores potentially highly sensitive information in log files that could be read by an authenticated user. IBM... |
| CVE-2020-4647 | 2020-11-16 | IBM Sterling File Gateway 2.2.0.0 through 2.2.6.5 and 6.0.0.0 through 6.0.3.2 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker... |
| CVE-2020-4655 | 2020-11-16 | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.2 and 5.2.0.0 through 5.2.6.5 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow... |
| CVE-2020-4665 | 2020-11-16 | IBM Sterling File Gateway 2.2.0.0 through 2.2.6.5 and 6.0.0.0 through 6.0.3.2 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the... |
| CVE-2020-4671 | 2020-11-16 | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.2 and 5.2.0.0 through 5.2.6.5 stores potentially sensitive information in log files that could be read by an authenticatedl user. IBM X-Force... |
| CVE-2020-4672 | 2020-11-16 | IBM Business Automation Workflow 20.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading... |
| CVE-2020-4692 | 2020-11-16 | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.2 and 5.2.0.0 through 5.2.6.5 could allow an authenticated user to obtain sensitive information from the Dashboard UI. IBM X-Force ID: 186780. |
| CVE-2020-4700 | 2020-11-16 | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.2 and 5.2.0.0 through 5.2.6.5 could allow an authenticated user belonging to a specific user group to create a user or group... |
| CVE-2020-4705 | 2020-11-16 | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.2 and 5.2.0.0 through 5.2.6.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web... |
| CVE-2020-4763 | 2020-11-16 | IBM Sterling File Gateway 6.0.0.0 through 6.0.3.2 and 2.2.0.0 through 2.2.6.5 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the... |
| CVE-2020-28723 | 2020-11-16 | Memory leak in IPv6Param::setAddress in CloudAvid PParam 1.3.1. |
| CVE-2020-27988 | 2020-11-16 | Nagios XI before 5.7.5 is vulnerable to XSS in Manage Users (Username field). |
| CVE-2020-27989 | 2020-11-16 | Nagios XI before 5.7.5 is vulnerable to XSS in Dashboard Tools (Edit Dashboard). |
| CVE-2020-27990 | 2020-11-16 | Nagios XI before 5.7.5 is vulnerable to XSS in the Deployment tool (add agent). |
| CVE-2020-27991 | 2020-11-16 | Nagios XI before 5.7.5 is vulnerable to XSS in Account Information (Email field). |
| CVE-2020-23490 | 2020-11-16 | There was a local file disclosure vulnerability in AVideo < 8.9 via the proxy streaming. An unauthenticated attacker can exploit this issue to read an arbitrary file on the server.... |
| CVE-2020-23489 | 2020-11-16 | The import.json.php file before 8.9 for Avideo is vulnerable to a File Deletion vulnerability. This allows the deletion of configuration.php, which leads to certain privilege checks not being in place,... |
| CVE-2020-28692 | 2020-11-16 | In Gila CMS 1.16.0, an attacker can upload a shell to tmp directy and abuse .htaccess through the logs function for executing PHP files. |
| CVE-2020-26508 | 2020-11-16 | The WebTools component on Canon Oce ColorWave 3500 5.1.1.0 devices allows attackers to retrieve stored SMB credentials via the export feature, even though these are intentionally inaccessible in the UI. |
| CVE-2020-26509 | 2020-11-16 | Airleader Master and Easy <= 6.21 devices have default credentials that can be used for a denial of service. |
| CVE-2020-26510 | 2020-11-16 | Airleader Master <= 6.21 devices have default credentials that can be used to access the exposed Tomcat Manager for deployment of a new .war file, with resultant remote code execution. |
| CVE-2020-28693 | 2020-11-16 | An unrestricted file upload issue in HorizontCMS 1.0.0-beta allows an authenticated remote attacker to upload PHP code through a zip file by uploading a theme, and executing the PHP file... |
| CVE-2020-27486 | 2020-11-16 | Garmin Forerunner 235 before 8.20 is affected by: Buffer Overflow. The component is: ConnectIQ TVM. The attack vector is: To exploit the vulnerability, the attacker must upload a malicious ConnectIQ... |
| CVE-2020-27485 | 2020-11-16 | Garmin Forerunner 235 before 8.20 is affected by: Array index error. The component is: ConnectIQ TVM. The attack vector is: To exploit the vulnerability, the attacker must upload a malicious... |
| CVE-2020-27484 | 2020-11-16 | Garmin Forerunner 235 before 8.20 is affected by: Integer Overflow. The component is: ConnectIQ TVM. The attack vector is: To exploit the vulnerability, the attacker must upload a malicious ConnectIQ... |
| CVE-2020-27483 | 2020-11-16 | Garmin Forerunner 235 before 8.20 is affected by: Array index error. The component is: ConnectIQ TVM. The attack vector is: To exploit the vulnerability, the attacker must upload a malicious... |
| CVE-2020-26217 | 2020-11-16 | Remote Code Execution in XStream |
| CVE-2020-26224 | 2020-11-16 | Improper Access Control in PrestaShop |
| CVE-2020-26225 | 2020-11-16 | Reflected XSS in PrestaShop Product Comments |