CVE List - 2020 / November
Showing 801 - 900 of 1246 CVEs for November 2020 (Page 9 of 13)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-14389 | 2020-11-17 | It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of... |
| CVE-2020-26406 | 2020-11-17 | Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility... |
| CVE-2020-13358 | 2020-11-17 | A vulnerability in the internal Kubernetes agent API in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions are: >=13.3, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2. |
| CVE-2020-13353 | 2020-11-17 | When importing repos via URL, one time use git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above. |
| CVE-2020-13352 | 2020-11-17 | Private group info is leaked in GitLab CE/EE version 10.2 and above when a project is moved from a private group to a public group. Affected versions are: >=10.2, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2. |
| CVE-2020-13354 | 2020-11-17 | A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 12.6. The container registry name check could cause an exponential number of backtracks for certain user-supplied values, resulting... |
| CVE-2020-25834 | 2020-11-17 | Cross-Site Scripting vulnerability on Micro Focus ArcSight Logger product, affecting version 7.1. The vulnerability could be remotely exploited resulting in Cross-Site Scripting (XSS). |
| CVE-2020-11860 | 2020-11-17 | Cross-Site Scripting vulnerability on Micro Focus ArcSight Logger product, affecting all versions prior to 7.1.1. The vulnerability could be remotely exploited resulting in Cross-Site Scripting (XSS). |
| CVE-2020-11851 | 2020-11-17 | Arbitrary code execution vulnerability on Micro Focus ArcSight Logger product, affecting all versions prior to 7.1.1. The vulnerability could be remotely exploited resulting in the execution of arbitrary code. |
| CVE-2020-25832 | 2020-11-17 | Reflected Cross Site scripting vulnerability on Micro Focus Filr product, affecting version 4.2.1. The vulnerability could be exploited to perform Reflected XSS attack. |
| CVE-2020-25705 | 2020-11-17 | A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw allows an off-path remote attacker to effectively bypass source... |
| CVE-2020-25833 | 2020-11-17 | Persistent Cross-Site Scripting vulnerability on Micro Focus IDOL product, affecting all versions prior to 12.7. The vulnerability could be exploited to perform a Persistent XSS attack. |
| CVE-2020-10776 | 2020-11-17 | A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site... |
| CVE-2020-15349 | 2020-11-17 | BinaryNights ForkLift 3.x before 3.4 has a local privilege escalation vulnerability because the privileged helper tool implements an XPC interface that allows file operations to any process (copy, move, delete)... |
| CVE-2020-27192 | 2020-11-17 | BinaryNights ForkLift 3.4 was compiled with the com.apple.security.cs.disable-library-validation flag enabled which allowed a local attacker to inject code into ForkLift. This would allow the attacker to run malicious code with... |
| CVE-2020-27125 | 2020-11-17 | Cisco Security Manager Static Credential Vulnerability |
| CVE-2020-27131 | 2020-11-17 | Cisco Security Manager Java Deserialization Vulnerabilities |
| CVE-2020-27130 | 2020-11-17 | Cisco Security Manager Path Traversal Vulnerability |
| CVE-2020-7774 | 2020-11-17 | Prototype Pollution |
| CVE-2020-7841 | 2020-11-17 | TOBESOFT XPLATFORM arbitrary hta file execution vulnerability |
| CVE-2020-28647 | 2020-11-17 | In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. If a victim within the MOVEit Transfer instance interacts with the stored... |
| CVE-2020-28688 | 2020-11-17 | The add artwork functionality in ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL 1.0 allows remote attackers to upload arbitrary files. |
| CVE-2020-28687 | 2020-11-17 | The edit profile functionality in ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL 1.0 allows remote attackers to upload arbitrary files. |
| CVE-2020-25746 | 2020-11-17 | QED ResourceXpress Qubi3 devices before 1.40.9 could allow a local attacker (with physical access to the device) to obtain sensitive information via the debug interface (keystrokes over a USB cable),... |
| CVE-2020-27558 | 2020-11-17 | Use of an undocumented user in BASETech GE-131 BT-1837836 firmware 20180921 allows remote attackers to view the video stream. |
| CVE-2020-27557 | 2020-11-17 | Unprotected Storage of Credentials vulnerability in BASETech GE-131 BT-1837836 firmware 20180921 allows local users to gain access to the video streaming username and password via SQLite files containing plain text... |
| CVE-2020-27556 | 2020-11-17 | A predictable device ID in BASETech GE-131 BT-1837836 firmware 20180921 allows unauthenticated remote attackers to connect to the device. |
| CVE-2020-27555 | 2020-11-17 | Use of default credentials for the telnet server in BASETech GE-131 BT-1837836 firmware 20180921 allows remote attackers to execute arbitrary system commands as the root user. |
| CVE-2020-25798 | 2020-11-17 | A stored cross-site scripting (XSS) vulnerability in LimeSurvey before and including 3.21.1 allows authenticated users with correct permissions to inject arbitrary web script or HTML via parameter ParticipantAttributeNamesDropdown of the... |
| CVE-2020-27554 | 2020-11-17 | Cleartext Transmission of Sensitive Information vulnerability in BASETech GE-131 BT-1837836 firmware 20180921 exists which could leak sensitive information transmitted between the mobile app and the camera device. |
| CVE-2020-27553 | 2020-11-17 | In BASETech GE-131 BT-1837836 firmware 20180921, the web server on the system is configured with the option "DocumentRoot /etc". This allows an attacker with network access to the web server to download... |
| CVE-2020-21665 | 2020-11-17 | In fastadmin V1.0.0.20191212_beta, when a user with administrator rights has logged in, a malicious parameter can be passed for SQL injection in URL /admin/ajax/weigh. |
| CVE-2020-13958 | 2020-11-17 | A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the target user's file system. These hyperlinks can be triggered... |
| CVE-2020-13351 | 2020-11-17 | Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected... |
| CVE-2020-26701 | 2020-11-17 | Cross-site scripting (XSS) vulnerability in Dashboards section in Kaa IoT Platform v1.2.0 allows remote attackers to inject malicious web scripts or HTML Injection payloads via the Description parameter. |
| CVE-2020-13350 | 2020-11-17 | CSRF in the runner administration page in all versions of GitLab CE/EE allows an attacker who is able to target GitLab instance administrators to pause/resume runners. Affected versions are >=13.5.0, <13.5.2; >=13.4.0, <13.4.5; <13.3.9. |
| CVE-2020-25400 | 2020-11-17 | Cross domain policies in Taskcafe Project Management tool before version 0.1.0 and 0.1.1 allow remote attackers to access sensitive data such as the access token. |
| CVE-2020-13348 | 2020-11-17 | An issue has been discovered in GitLab EE affecting all versions starting from 10.2. Required CODEOWNERS approval could be bypassed by targeting a branch without the CODEOWNERS file. Affected versions... |
| CVE-2020-13349 | 2020-11-17 | An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path resulted in the Advanced Search feature susceptible to... |
| CVE-2020-26405 | 2020-11-17 | Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are >=12.8, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2. |
| CVE-2020-28138 | 2020-11-17 | SourceCodester Online Clothing Store 1.0 is affected by a SQL Injection via the txtUserName parameter to login.php. |
| CVE-2020-28139 | 2020-11-17 | SourceCodester Online Clothing Store 1.0 is affected by a cross-site scripting (XSS) vulnerability via the Offer Detail field in offer.php. |
| CVE-2020-28140 | 2020-11-17 | SourceCodester Online Clothing Store 1.0 is affected by an arbitrary file upload via the image upload feature of Products.php. |
| CVE-2020-28133 | 2020-11-17 | An issue was discovered in SourceCodester Simple Grocery Store Sales And Inventory System 1.0. An authentication bypass in the web login functionality allows an attacker to gain client privileges via... |
| CVE-2020-28136 | 2020-11-17 | An arbitrary file upload in SourceCodester Tourism Management System 1.0 allows the user to achieve remote code execution via the vulnerable page admin/create-package.php. |
| CVE-2020-25988 | 2020-11-17 | The UPnP service listening on port 5555 in Genexis Platinum 4410 Router V2.1 (P4410-V2–1.34H) has an action 'X_GetAccess' which leaks the credentials of 'admin', provided that the attacker is network adjacent. |
| CVE-2020-25890 | 2020-11-17 | The web application of the Kyocera printer (ECOSYS M2640IDW) is affected by a stored XSS vulnerability, discovered when adding a new contact in the "Machine Address Book". Successful exploitation of this vulnerability... |
| CVE-2020-28129 | 2020-11-17 | Stored Cross-site scripting (XSS) vulnerability in SourceCodester Gym Management System 1.0 allows users to inject and store arbitrary JavaScript code in index.php?page=packages via vulnerable fields 'Package Name' and 'Description'. |
| CVE-2020-28130 | 2020-11-17 | An Arbitrary File Upload in the Upload Image component in SourceCodester Online Library Management System 1.0 allows the user to conduct remote code execution via admin/borrower/index.php?view=add because .php files can... |
| CVE-2020-26548 | 2020-11-17 | An issue was discovered in Aviatrix Controller before R5.4.1290. There is an insecure sudo rule: a user exists that can execute all commands as any user on the system. |
| CVE-2020-26549 | 2020-11-17 | An issue was discovered in Aviatrix Controller before R5.4.1290. The htaccess protection mechanism to prevent requests to directories can be bypassed for file downloading. |
| CVE-2020-26550 | 2020-11-17 | An issue was discovered in Aviatrix Controller before R5.3.1151. An encrypted file containing credentials to unrelated systems is protected by a three-character key. |
| CVE-2020-26551 | 2020-11-17 | An issue was discovered in Aviatrix Controller before R5.3.1151. Encrypted key values are stored in a readable file. |
| CVE-2020-26216 | 2020-11-17 | Cross-Site Scripting in TYPO3 Fluid |
| CVE-2020-26552 | 2020-11-17 | An issue was discovered in Aviatrix Controller before R6.0.2483. Multiple executable files, that implement API endpoints, do not require a valid session ID for access. |
| CVE-2020-26553 | 2020-11-17 | An issue was discovered in Aviatrix Controller before R6.0.2483. Several APIs contain functions that allow arbitrary files to be uploaded to the web tree. |
| CVE-2020-28914 | 2020-11-17 | An improper file permissions vulnerability affects Kata Containers prior to 1.11.5. When using a Kubernetes hostPath volume and mounting either a file or directory into a container as readonly, the... |
| CVE-2020-28092 | 2020-11-17 | PESCMS Team 2.3.2 has multiple reflected XSS via the id parameter: ?g=Team&m=Task&a=my&status=3&id=, ?g=Team&m=Task&a=my&status=0&id=, ?g=Team&m=Task&a=my&status=1&id=, ?g=Team&m=Task&a=my&status=10&id= |
| CVE-2020-28183 | 2020-11-17 | SQL injection vulnerability in SourceCodester Water Billing System 1.0 via the username and password parameters to process.php. |
| CVE-2020-28366 | 2020-11-18 | Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo |
| CVE-2020-28367 | 2020-11-18 | Arbitrary code execution via the go command with cgo in cmd/go |
| CVE-2020-28915 | 2020-11-18 | A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def. |
| CVE-2020-28917 | 2020-11-18 | An issue was discovered in the view_statistics (aka View frontend statistics) extension before 2.0.1 for TYPO3. It saves all GET and POST data of TYPO3 frontend requests to the database.... |
| CVE-2020-24723 | 2020-11-18 | Cross Site Scripting (XSS) vulnerability in the Registration page of the admin panel in PHPGurukul User Registration & Login and User Management System With admin panel 2.1. |
| CVE-2020-28361 | 2020-11-18 | Kamailio before 5.4.0, as used in Sip Express Router (SER) in Sippy Softswitch 4.5 through 5.2 and other products, allows a bypass of a header-removal protection mechanism via whitespace characters.... |
| CVE-2020-7563 | 2020-11-18 | A CWE-787: Out-of-bounds Write vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could... |
| CVE-2020-7564 | 2020-11-18 | A CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their... |
| CVE-2020-7562 | 2020-11-18 | A CWE-125: Out-of-Bounds Read vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could... |
| CVE-2020-6016 | 2020-11-18 | Valve's Game Networking Sockets prior to version v1.2.0 improperly handles unreliable segments with negative offsets in function SNP_ReceiveUnreliableSegment(), leading to a Heap-Based Buffer Underflow and a free() of memory not... |
| CVE-2020-28724 | 2020-11-18 | Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL. |
| CVE-2020-26884 | 2020-11-18 | RSA Archer 6.8 through 6.8.0.3 and 6.9 contains a URL injection vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability by tricking a victim application user into executing malicious... |
| CVE-2020-28005 | 2020-11-18 | httpd on TP-Link TL-WPA4220 devices (hardware versions 2 through 4) allows remote authenticated users to trigger a buffer overflow (causing a denial of service) by sending a POST request to... |
| CVE-2020-24297 | 2020-11-18 | httpd on TP-Link TL-WPA4220 devices (versions 2 through 4) allows remote authenticated users to execute arbitrary OS commands by sending crafted POST requests to the endpoint /admin/powerline. Fixed version: TL-WPA4220(EU)_V4_201023 |
| CVE-2020-25406 | 2020-11-18 | app\admin\controller\sys\Uploads.php in lemocms 1.8.x allows users to upload executable files. |
| CVE-2020-28362 | 2020-11-18 | Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. |
| CVE-2020-28091 | 2020-11-18 | cxuucms v3 has a SQL injection vulnerability, which can lead to the leakage of all database data, via the keywords parameter to search.php. |
| CVE-2020-26933 | 2020-11-18 | Trusted Computing Group (TCG) Trusted Platform Module Library Family 2.0 Library Specification Revisions 1.38 through 1.59 has Incorrect Access Control during a non-orderly TPM shut-down that uses USE_DA_USED. Improper initialization... |
| CVE-2020-26554 | 2020-11-18 | REDDOXX MailDepot 2033 (aka 2.3.3022) allows XSS via an incoming HTML e-mail message. |
| CVE-2020-4592 | 2020-11-18 | IBM MQ Appliance 9.1.CD and LTS could allow an authenticated user, under a non-default configuration, to cause a data corruption attack due to an error when using segmented messages. |
| CVE-2020-26068 | 2020-11-18 | Cisco Telepresence CE Software and RoomOS Software Unauthorized Token Generation Vulnerability |
| CVE-2020-26072 | 2020-11-18 | Cisco IoT Field Network Director SOAP API Authorization Bypass Vulnerability |
| CVE-2020-26075 | 2020-11-18 | Cisco IoT Field Network REST API Insufficient Input Validation Vulnerability |
| CVE-2020-26076 | 2020-11-18 | Cisco IoT Field Network Director Information Disclosure Vulnerability |
| CVE-2020-26077 | 2020-11-18 | Cisco IoT Field Network Director Improper Access Control Vulnerability |
| CVE-2020-26078 | 2020-11-18 | Cisco IoT Field Network Director File Overwrite Vulnerability |
| CVE-2020-26079 | 2020-11-18 | Cisco IoT Field Network Director Unprotected Storage of Credentials Vulnerability |
| CVE-2020-26080 | 2020-11-18 | Cisco IoT Field Network Director Improper Domain Access Control Vulnerability |
| CVE-2020-26081 | 2020-11-18 | Cisco IoT Field Network Director Cross-Site Scripting Vulnerabilities |
| CVE-2020-27126 | 2020-11-18 | Cisco Webex Meetings API Cross-Site Scripting Vulnerability |
| CVE-2020-3367 | 2020-11-18 | Cisco Secure Web Appliance Privilege Escalation Vulnerability |
| CVE-2020-3392 | 2020-11-18 | Cisco IoT Field Network Director Missing API Authentication Vulnerability |
| CVE-2020-3419 | 2020-11-18 | Cisco Webex Meetings and Cisco Webex Meetings Server Ghost Join Vulnerability |
| CVE-2020-3441 | 2020-11-18 | Cisco Webex Meetings and Cisco Webex Meetings Server Information Disclosure Vulnerability |
| CVE-2020-3470 | 2020-11-18 | Cisco Integrated Management Controller Multiple Remote Code Execution Vulnerabilities |
| CVE-2020-3471 | 2020-11-18 | Cisco Webex Meetings and Cisco Webex Meetings Server Unauthorized Audio Information Exposure Vulnerability |
| CVE-2020-3482 | 2020-11-18 | Cisco Expressway Software Unauthorized Access Information Disclosure Vulnerability |
| CVE-2020-3531 | 2020-11-18 | Cisco IoT Field Network Director Unauthenticated REST API Vulnerability |
| CVE-2020-3586 | 2020-11-18 | Cisco DNA Spaces Connector Command Injection Vulnerability |
| CVE-2020-26097 | 2020-11-18 | The firmware of the PLANET Technology Corp NVR-915 and NVR-1615 before 2020-10-28 embeds default credentials for root access via telnet. By exposing telnet on the Internet, remote root access on... |
| CVE-2020-27695 | 2020-11-18 | Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a malicious DLL in a local directory which can lead to obtaining... |
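Two entries in the table above describe the same class of redirect-handling weakness from different angles: CVE-2020-10776 (Keycloak accepting unsafe schemes in the redirect_uri parameter) and CVE-2020-28724 (an open redirect in werkzeug via a double slash in the URL). The Python below is an added illustration of why a superficial "starts with a slash" check fails and what a hardened validator looks like; it is not Keycloak's or werkzeug's code and says nothing about how either project was actually fixed. The application host `app.example.com`, the allowed-scheme set and the sample targets are constructed assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed assumptions for this example: the origin the application is
# served from and the only scheme a post-login redirect may use.
APP_HOST = "app.example.com"
ALLOWED_SCHEMES = {"https"}


def naive_is_safe_redirect(target: str) -> bool:
    """A common but flawed check: anything beginning with '/' is assumed to be
    a same-site path. '//evil.example/' passes, yet browsers treat it as a
    scheme-relative URL and navigate to a different host."""
    return target.startswith("/")


def is_safe_redirect(target: str, app_host: str = APP_HOST) -> bool:
    """Accept only (a) an absolute-path reference on this site or (b) an
    absolute URL with an allowed scheme whose host is exactly app_host."""
    if not target:
        return False
    # Browsers strip ASCII tab/newline inside URLs and treat '\' like '/', so a
    # target containing any of them may parse differently for the server than
    # for the user agent. Reject rather than try to normalise.
    if any(ch in target for ch in "\\\t\r\n"):
        return False

    parts = urlsplit(target)

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference. Require a single leading '/'; '//host' and
        # '///host' are scheme-relative or ambiguous and are refused.
        return target.startswith("/") and not target.startswith("//")

    # Absolute URL, or scheme-relative (empty scheme, non-empty netloc).
    # An allow-list of schemes rejects javascript:, data:, custom app schemes
    # and plain http: in one step; a deny-list would have to name each one.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False

    # Compare the parsed hostname, not the raw netloc, so userinfo tricks such
    # as 'https://app.example.com@evil.example/' do not pass.
    return parts.hostname == app_host


def check_targets(targets):
    """Return {target: (naive_verdict, hardened_verdict)} for a batch of
    candidate redirect targets, to compare the two checks side by side."""
    return {t: (naive_is_safe_redirect(t), is_safe_redirect(t)) for t in targets}


if __name__ == "__main__":
    # Constructed sample inputs covering the cases the two CVE entries name.
    samples = [
        "/dashboard",
        "https://app.example.com/cb?state=1",
        "//evil.example/",
        "/\\evil.example",
        "javascript:alert(1)",
        "https://app.example.com@evil.example/",
    ]
    for target, (naive, hardened) in check_targets(samples).items():
        print(f"{target!r:45} naive={naive!s:5} hardened={hardened}")
```

The hardened check deliberately refuses anything it cannot classify with certainty (no leading slash, unknown scheme, control characters) rather than trying to canonicalise it; for a redirect target the cost of a false reject is a fallback to the default landing page, while a false accept is an open redirect or a script-scheme navigation.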