CVE List - 2020 / November
Showing 301 - 400 of 1246 CVEs for November 2020 (Page 4 of 13)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-28349 | 2020-11-09 | An inaccurate frame deduplication process in ChirpStack Network Server 3.9.0 allows a malicious gateway to perform uplink Denial of Service via malformed frequency attributes in CollectAndCallOnceCollect in internal/uplink/collect.go. NOTE: the... |
| CVE-2020-28351 | 2020-11-09 | The conferencing component on Mitel ShoreTel 19.46.1802.0 devices could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack (via the PATH_INFO to index.php) due to insufficient validation... |
| CVE-2020-15297 | 2020-11-09 | Insufficient validation in the Bitdefender Update Server and BEST Relay components of Bitdefender Endpoint Security Tools versions prior to 6.6.20.294 allows an unprivileged attacker to bypass the in-place mitigations and... |
| CVE-2020-24353 | 2020-11-09 | Pega Platform before 8.4.0 has a XSS issue via stream rule parameters used in the request header. |
| CVE-2020-8276 | 2020-11-09 | The implementation of Brave Desktop's privacy-preserving analytics system (P3A) between 1.1 and 1.18.35 logged the timestamp of when the user last opened an incognito window, including Tor windows. The intended... |
| CVE-2020-8268 | 2020-11-09 | Prototype pollution vulnerability in json8-merge-patch npm package < 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor. |
| CVE-2020-8150 | 2020-11-09 | A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files. |
| CVE-2020-8133 | 2020-11-09 | A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file. |
| CVE-2020-25655 | 2020-11-09 | An issue was discovered in ManagedClusterView API, that could allow secrets to be disclosed to users without the correct permissions. Views created for an admin user would be made available... |
| CVE-2020-9300 | 2020-11-09 | The Access Control issues include allowing a regular user to view a restricted incident, user role escalation to admin, users adding themselves as a participant in a restricted incident, and... |
| CVE-2020-9299 | 2020-11-09 | There were XSS vulnerabilities discovered and reported in the Dispatch application, affecting name and description parameters of Incident Priority, Incident Type, Tag Type, and Incident Filter. This vulnerability can be... |
| CVE-2020-14366 | 2020-11-09 | A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the url path to... |
| CVE-2020-23136 | 2020-11-09 | Microweber v1.1.18 is affected by no session expiry after log-out. |
| CVE-2020-23138 | 2020-11-09 | An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. An attacker can upload PHP code or any extension (eg- .exe) to the web server by... |
| CVE-2020-23139 | 2020-11-09 | Microweber 1.1.18 is affected by broken authentication and session management. Local session hijacking may occur, which could result in unauthorized access to system data or functionality, or a complete system... |
| CVE-2020-23140 | 2020-11-09 | Microweber 1.1.18 is affected by insufficient session expiration. When changing passwords, both sessions for when a user changes email and old sessions in any other browser or device, the session... |
| CVE-2020-26542 | 2020-11-09 | An issue was discovered in the MongoDB Simple LDAP plugin through 2020-10-02 for Percona Server when using the SimpleLDAP authentication in conjunction with Microsoft’s Active Directory, Percona has discovered a... |
| CVE-2020-27982 | 2020-11-09 | IceWarp 11.4.5.0 allows XSS via the language parameter. |
| CVE-2020-28364 | 2020-11-09 | A stored cross-site scripting (XSS) vulnerability affects the Web UI in Locust before 1.3.2, if the installation violates the usage expectations by exposing this UI to outside users. |
| CVE-2020-27977 | 2020-11-09 | CapaSystems CapaInstaller before 6.0.101 does not properly assign, modify, or check privileges for an actor who attempts to edit registry values, allowing an attacker to escalate privileges. |
| CVE-2020-4650 | 2020-11-09 | IBM Maximo Spatial Asset Management 7.6.0.3, 7.6.0.4, 7.6.0.5, and 7.6.1.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID:... |
| CVE-2020-4651 | 2020-11-09 | IBM Maximo Spatial Asset Management 7.6.0.3, 7.6.0.4, 7.6.0.5, and 7.6.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a... |
| CVE-2020-4759 | 2020-11-09 | IBM FileNet Content Manager 5.5.4 and 5.5.5 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file... |
| CVE-2020-28371 | 2020-11-09 | An issue was discovered in ReadyTalk Avian 1.2.0 before 2020-10-27. The FileOutputStream.write() method in FileOutputStream.java has a boundary check to prevent out-of-bounds memory read/write operations. However, an integer overflow leads... |
| CVE-2020-26168 | 2020-11-09 | The LDAP authentication method in LdapLoginModule in Hazelcast IMDG Enterprise 4.x before 4.0.3, and Jet Enterprise 4.x through 4.2, doesn't properly verify the password in some system-user-dn scenarios. As a... |
| CVE-2020-28373 | 2020-11-09 | upnpd on certain NETGEAR devices allows remote (LAN) attackers to execute arbitrary code via a stack-based buffer overflow. This affects R6400v2 V1.0.4.102_10.0.75, R6400 V1.0.1.62_1.0.41, R7000P V1.3.2.126_10.1.66, XR300 V1.0.3.50_10.3.36, R8000 V1.0.4.62,... |
| CVE-2020-14188 | 2020-11-09 | The preprocessArgs function in the Atlassian gajira-create GitHub Action before version 2.0.1 allows remote attackers to execute arbitrary code in the context of a GitHub runner by creating a specially... |
| CVE-2020-14189 | 2020-11-09 | The execute function in in the Atlassian gajira-comment GitHub Action before version 2.0.2 allows remote attackers to execute arbitrary code in the context of a GitHub runner by creating a... |
| CVE-2020-27016 | 2020-11-09 | Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to a cross-site request forgery (CSRF) vulnerability which could allow an attacker to modify policy rules by tricking an... |
| CVE-2020-27017 | 2020-11-09 | Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files.... |
| CVE-2020-27018 | 2020-11-09 | Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to a server side request forgery vulnerability which could allow an authenticated attacker to abuse the product's web server... |
| CVE-2020-27019 | 2020-11-09 | Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an information disclosure vulnerability which could allow an attacker to access a specific database and key. |
| CVE-2020-27693 | 2020-11-09 | Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 stores administrative passwords using a hash that is considered outdated. |
| CVE-2020-27694 | 2020-11-09 | Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 has updated a specific critical library that may be vulnerable to attack. |
| CVE-2020-13927 | 2020-11-10 | The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11... |
| CVE-2020-16125 | 2020-11-10 | gdm3 would start gnome-initial-setup if it cannot contact accountservice |
| CVE-2020-0439 | 2020-11-10 | In generatePackageInfo of PackageManagerService.java, there is a possible permissions bypass due to an incorrect permission check. This could lead to local escalation of privilege that allows instant apps access to... |
| CVE-2020-0442 | 2020-11-10 | In Message and toBundle of Notification.java, there is a possible UI slowdown or crash due to improper input validation. This could lead to remote denial of service if a malicious... |
| CVE-2020-0443 | 2020-11-10 | In LocaleList of LocaleList.java, there is a possible forced reboot due to an uncaught exception. This could lead to local denial of service requiring factory reset to restore with User... |
| CVE-2020-0418 | 2020-11-10 | In getPermissionInfosForGroup of Utils.java, there is a logic error. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions:... |
| CVE-2020-0448 | 2020-11-10 | In getPhoneAccountsForPackage of TelecomServiceImpl.java, there is a possible way to access a tracking identifier due to a missing permission check. This could lead to local information disclosure of the identifier,... |
| CVE-2020-0409 | 2020-11-10 | In create of FileMap.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges... |
| CVE-2020-0450 | 2020-11-10 | In rw_i93_sm_format of rw_i93.cc, there is a possible out of bounds read due to uninitialized data. This could lead to remote information disclosure over NFC with no additional execution privileges... |
| CVE-2020-0441 | 2020-11-10 | In Message and toBundle of Notification.java, there is a possible resource exhaustion due to improper input validation. This could lead to remote denial of service requiring a device reset to... |
| CVE-2020-0451 | 2020-11-10 | In sbrDecoder_AssignQmfChannels2SbrChannels of sbrdecoder.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges... |
| CVE-2020-0452 | 2020-11-10 | In exif_entry_get_value of exif-entry.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution if a third party app used... |
| CVE-2020-0453 | 2020-11-10 | In updateNotification of BeamTransferManager.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is... |
| CVE-2020-0424 | 2020-11-10 | In send_vc of res_send.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges... |
| CVE-2020-0454 | 2020-11-10 | In callCallbackForRequest of ConnectivityService.java, there is a possible permission bypass due to a missing permission check. This could lead to local information disclosure of the current SSID with User execution... |
| CVE-2020-0438 | 2020-11-10 | In the AIBinder_Class constructor of ibinder.cpp, there is a possible arbitrary code execution due to uninitialized data. This could lead to local escalation of privilege if a process were using... |
| CVE-2020-0449 | 2020-11-10 | In btm_sec_disconnected of btm_sec.cc, there is a possible memory corruption due to a use after free. This could lead to remote code execution in the Bluetooth server with no additional... |
| CVE-2020-0437 | 2020-11-10 | In CellBroadcastReceiver's intent handlers, there is a possible denial of service due to a missing permission check. This could lead to local denial of service of emergency alerts with no... |
| CVE-2020-0447 | 2020-11-10 | There is a possible out of bounds write due to a missing bounds check. Product: Android. Versions: Android SoC. Android ID: A-168251617 |
| CVE-2020-0445 | 2020-11-10 | There is a possible out of bounds write due to a missing bounds check. Product: Android. Versions: Android SoC. Android ID: A-168264527 |
| CVE-2020-0446 | 2020-11-10 | There is a possible out of bounds write due to a missing bounds check. Product: Android. Versions: Android SoC. Android ID: A-168264528 |
| CVE-2020-24384 | 2020-11-10 | A10 Networks ACOS and aGalaxy management Graphical User Interfaces (GUIs) have an unauthenticated Remote Code Execution (RCE) vulnerability that could be used to compromise affected ACOS systems. ACOS versions 3.2.x... |
| CVE-2020-5388 | 2020-11-10 | Dell Inspiron 15 7579 2-in-1 BIOS versions prior to 1.31.0 contain an Improper SMM communication buffer verification vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using... |
| CVE-2020-4568 | 2020-11-10 | IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, and 4.0 stores user credentials in clear text which can be read by a local user. IBM X-Force ID: 184157. |
| CVE-2020-4704 | 2020-11-10 | IBM Content Navigator 3.0CD is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading... |
| CVE-2020-4760 | 2020-11-10 | IBM Content Navigator 3.0CD is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to... |
| CVE-2020-12485 | 2020-11-10 | The frame touch module does not validate parameter lengths when processing specific parameters, which causes out-of-bounds memory access. The vulnerability eventually leads to a local... |
| CVE-2020-7766 | 2020-11-10 | Prototype Pollution |
| CVE-2020-28267 | 2020-11-10 | Prototype pollution vulnerability in '@strikeentco/set' version 1.0.0 allows attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2020-26809 | 2020-11-10 | SAP Commerce Cloud, versions 1808, 1811, 1905, 2005, allows an attacker to bypass existing authentication and permission checks via the '/medias' endpoint hence gaining access to Secure Media folders. This folder could contain... |
| CVE-2020-6316 | 2020-11-10 | SAP ERP and SAP S/4 HANA allows an authenticated user to see cost records to objects to which he has no authorization in PS reporting, leading to Missing Authorization check. |
| CVE-2020-26811 | 2020-11-10 | SAP Commerce Cloud (Accelerator Payment Mock), versions - 1808, 1811, 1905, 2005, allows an unauthenticated attacker to submit a crafted request over a network to a particular SAP Commerce module... |
| CVE-2020-26808 | 2020-11-10 | SAP AS ABAP(DMIS), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA(DMIS), versions - 101, 102, 103, 104, 105, allows an authenticated attacker to inject... |
| CVE-2020-26815 | 2020-11-10 | SAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to send a crafted request to a vulnerable web application. It is usually used to target internal... |
| CVE-2020-26819 | 2020-11-10 | SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, that allows them to... |
| CVE-2020-26820 | 2020-11-10 | SAP NetWeaver AS JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authenticated as an administrator to use the administrator console, to expose unauthenticated access to... |
| CVE-2020-26814 | 2020-11-10 | SAP Process Integration (PGP Module - Business-to-Business Add On), version - 1.0, allows an attacker to read PGP Keys under certain conditions in the PGP Module of Business-to-Business Add-On, these... |
| CVE-2020-26822 | 2020-11-10 | SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the Outside Discovery Configuration Service, this has an... |
| CVE-2020-26817 | 2020-11-10 | SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open a manipulated HPGL file received from untrusted sources, which results in crashing of the application and becoming temporarily... |
| CVE-2020-26824 | 2020-11-10 | SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the Upgrade Legacy Ports Service, this has an... |
| CVE-2020-26818 | 2020-11-10 | SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, which reveals sensitive system... |
| CVE-2020-26821 | 2020-11-10 | SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the SVG Converter Service, this has an impact... |
| CVE-2020-26823 | 2020-11-10 | SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the Upgrade Diagnostics Agent Connection Service, this has... |
| CVE-2020-26810 | 2020-11-10 | SAP Commerce Cloud (Accelerator Payment Mock), versions - 1808, 1811, 1905, 2005, allows an unauthenticated attacker to submit a crafted request over a network to a particular SAP Commerce module... |
| CVE-2020-26807 | 2020-11-10 | SAP ERP Client for E-Bilanz, version - 1.0, sets incorrect default filesystem permissions on its installation folder, which allows anyone to modify the files in the folder. |
| CVE-2020-25074 | 2020-11-10 | The cache action in action/cache.py in MoinMoin through 1.9.10 allows directory traversal through a crafted HTTP request. An attacker who can upload attachments to the wiki can use this to... |
| CVE-2020-27403 | 2020-11-10 | A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below by TCL Technology Group Corporation allows an attacker on the adjacent network... |
| CVE-2020-27146 | 2020-11-10 | TIBCO iProcess Workspace Browser CSRF |
| CVE-2020-28055 | 2020-11-10 | A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below by TCL Technology Group Corporation allows a local unprivileged attacker, such as... |
| CVE-2020-28368 | 2020-11-10 | Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a... |
| CVE-2020-23968 | 2020-11-10 | Ilex International Sign&go Workstation Security Suite 7.1 allows elevation of privileges via a symlink attack on ProgramData\Ilex\S&G\Logs\000-sngWSService1.log. |
| CVE-2019-7357 | 2020-11-10 | Subrion CMS 4.2.1 has CSRF in panel/modules/plugins/. The attacker can remotely activate/deactivate the plugins. |
| CVE-2020-24063 | 2020-11-10 | The Canto plugin 1.3.0 for WordPress allows includes/lib/download.php?subdomain= SSRF. |
| CVE-2020-28409 | 2020-11-10 | The server in Dundas BI through 8.0.0.1001 allows XSS via addition of a Component (e.g., a button) when events such as click, hover, etc. occur. |
| CVE-2020-28408 | 2020-11-10 | The server in Dundas BI through 8.0.0.1001 allows XSS via an HTML label when creating or editing a dashboard. |
| CVE-2020-24367 | 2020-11-10 | Incorrect file permissions in BlueStacks 4 through 4.230 on Windows allow a local attacker to escalate privileges by modifying a file that is later executed by a higher-privileged user. |
| CVE-2020-25267 | 2020-11-10 | An XSS issue exists in the question-pool file-upload preview feature in ILIAS 6.4. |
| CVE-2020-25268 | 2020-11-10 | Remote Code Execution can occur via the external news feed in ILIAS 6.4 because of incorrect parameter sanitization for Magpie RSS data. |
| CVE-2020-17049 | 2020-11-11 | Kerberos KDC Security Feature Bypass Vulnerability |
| CVE-2020-16126 | 2020-11-11 | accountsservice drops ruid, allows unprivileged users to send it signals |
| CVE-2020-16127 | 2020-11-11 | accountsservice .pam_environment infinite loop |
| CVE-2020-16970 | 2020-11-11 | Azure Sphere Unsigned Code Execution Vulnerability |
| CVE-2020-16979 | 2020-11-11 | Microsoft SharePoint Information Disclosure Vulnerability |
| CVE-2020-16981 | 2020-11-11 | Azure Sphere Elevation of Privilege Vulnerability |
| CVE-2020-16982 | 2020-11-11 | Azure Sphere Unsigned Code Execution Vulnerability |
| CVE-2020-16983 | 2020-11-11 | Azure Sphere Tampering Vulnerability |