CVE List - 2020 / December
Showing 1001 - 1100 of 1538 CVEs for December 2020 (Page 11 of 16)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-4794 | 2020-12-21 | IBM Automation Workstream Services 19.0.3, 20.0.1, 20.0.2, IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.6 could allow an authenticated user to obtain sensitive information... |
| CVE-2020-4870 | 2020-12-21 | IBM MQ 9.2 CD and LTS are vulnerable to a denial of service attack caused by an error processing connecting applications. IBM X-Force ID: 190833. |
| CVE-2020-26275 | 2020-12-21 | Open redirect vulnerability |
| CVE-2020-4840 | 2020-12-21 | IBM Security Secret Server 10.6 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site,... |
| CVE-2020-4841 | 2020-12-21 | IBM Security Secret Server 10.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this... |
| CVE-2020-4842 | 2020-12-21 | IBM Security Secret Server 10.6 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used... |
| CVE-2020-4843 | 2020-12-21 | IBM Security Secret Server 10.6 stores potentially sensitive information in config files that could be read by an authenticated user. IBM X-Force ID: 190048. |
| CVE-2020-21377 | 2020-12-21 | SQL injection vulnerability in yunyecms V2.0.1 via the selcart parameter. |
| CVE-2020-21378 | 2020-12-21 | SQL injection vulnerability in SeaCMS 10.1 (2020.02.08) via the id parameter in an edit action to admin_members_group.php. |
| CVE-2020-35604 | 2020-12-21 | An XXE attack can occur in Kronos WebTA 5.0.4 when SAML is used. |
| CVE-2020-35605 | 2020-12-21 | The Graphics Protocol feature in graphics.c in kitty before 0.19.3 allows remote attackers to execute arbitrary code because a filename containing special characters can be included in an error message. |
| CVE-2020-35606 | 2020-12-21 | Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C.... |
| CVE-2020-35151 | 2020-12-21 | The Online Marriage Registration System 1.0 POST parameter "searchdata" in the user/search.php request is vulnerable to time-based SQL injection. |
| CVE-2018-7580 | 2020-12-21 | Philips Hue is vulnerable to a Denial of Service attack. Sending a SYN flood on port tcp/80 will freeze Philips Hue's hub and it will stop responding. The "hub" will... |
| CVE-2020-11717 | 2020-12-21 | An issue was discovered in Programi 014 31.01.2020. It has multiple SQL injection vulnerabilities. |
| CVE-2020-8995 | 2020-12-21 | Programi Bilanc Build 007 Release 014 31.01.2020 supplies a .exe file containing several hardcoded credentials to different servers that allow remote attackers to gain access to the complete infrastructure including... |
| CVE-2020-26277 | 2020-12-21 | Arbitrary read/write in DBdeployer |
| CVE-2020-29596 | 2020-12-21 | MiniWeb HTTP server 0.8.19 allows remote attackers to cause a denial of service (daemon crash) via a long name for the first parameter in a POST request. |
| CVE-2020-26281 | 2020-12-21 | request smuggling in async-h1 |
| CVE-2020-35626 | 2020-12-21 | An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks against... |
| CVE-2020-35625 | 2020-12-21 | An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within... |
| CVE-2020-35624 | 2020-12-21 | An issue was discovered in the SecurePoll extension for MediaWiki through 1.35.1. The non-admin vote list contains a full vote timestamp, which may provide unintended clues about how a voting... |
| CVE-2020-35623 | 2020-12-21 | An issue was discovered in the CasAuth extension for MediaWiki through 1.35.1. Due to improper username validation, it allowed user impersonation with trivial manipulations of certain characters within a given... |
| CVE-2020-35622 | 2020-12-21 | An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForeignLink unsafely. The $page variable within the formatItem function was not being properly escaped, allowing for... |
| CVE-2020-26284 | 2020-12-21 | Hugo can execute a binary from the current directory on Windows |
| CVE-2020-29583 | 2020-12-22 | Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This... |
| CVE-2020-28460 | 2020-12-22 | Prototype Pollution |
| CVE-2020-28448 | 2020-12-22 | Prototype Pollution |
| CVE-2018-15632 | 2020-12-22 | Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to initialize an empty database on which they... |
| CVE-2018-15633 | 2020-12-22 | Cross-site scripting (XSS) issue in "document" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser... |
| CVE-2018-15634 | 2020-12-22 | Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browser... |
| CVE-2018-15638 | 2020-12-22 | Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser... |
| CVE-2018-15641 | 2020-12-22 | Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in... |
| CVE-2018-15645 | 2020-12-22 | Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads, which... |
| CVE-2019-11781 | 2020-12-22 | Improper input validation in portal component in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier, allows remote attackers to trick victims into modifying their account via crafted... |
| CVE-2019-11782 | 2020-12-22 | Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users with access to contact management to modify user accounts, leading to... |
| CVE-2019-11783 | 2020-12-22 | Improper access control in mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to subscribe to arbitrary mail channels... |
| CVE-2019-11784 | 2020-12-22 | Improper access control in mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to obtain access to arbitrary messages in... |
| CVE-2019-11785 | 2020-12-22 | Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on... |
| CVE-2019-11786 | 2020-12-22 | Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to modify translated terms, which may lead to arbitrary content modification... |
| CVE-2020-29396 | 2020-12-22 | A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code,... |
| CVE-2020-25106 | 2020-12-22 | Nanosystems SupRemo 4.1.3.2348 allows attackers to obtain LocalSystem access because File Manager can be used to rename Supremo.exe and then upload a Trojan horse with the Supremo.exe filename. |
| CVE-2020-13557 | 2020-12-22 | A use after free vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger reuse of previously freed memory... |
| CVE-2020-13560 | 2020-12-22 | A use after free vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger reuse of previously freed memory... |
| CVE-2020-13570 | 2020-12-22 | A use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger the reuse of previously freed memory which can... |
| CVE-2020-24578 | 2020-12-22 | An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. It has a misconfigured FTP service that allows a malicious network user to access system folders and... |
| CVE-2020-24579 | 2020-12-22 | An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. An unauthenticated attacker could bypass authentication to access authenticated pages and functionality. |
| CVE-2020-24580 | 2020-12-22 | An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. Lack of authentication functionality allows an attacker to assign a static IP address that was once used... |
| CVE-2020-24581 | 2020-12-22 | An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. It contains an execute_cmd.cgi feature (that is not reachable via the web user interface) that lets an... |
| CVE-2020-13547 | 2020-12-22 | A type confusion vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger an improper use of an object,... |
| CVE-2020-35608 | 2020-12-22 | A code execution vulnerability exists in the normal world’s signed code execution functionality of Microsoft Azure Sphere 20.07. A specially crafted AF_PACKET socket can cause a process to create an... |
| CVE-2020-35609 | 2020-12-22 | A denial-of-service vulnerability exists in the asynchronous ioctl functionality of Microsoft Azure Sphere 20.05. A sequence of specially crafted ioctl calls can cause a denial of service. An attacker can... |
| CVE-2020-14231 | 2020-12-22 | A vulnerability in the input parameter handling of HCL Client Application Access v9 could potentially be exploited by an authenticated attacker resulting in a stack buffer overflow. This could allow... |
| CVE-2020-14270 | 2020-12-22 | HCL Domino v9, v10, v11 is susceptible to an Information Disclosure vulnerability in XPages due to improper error handling of user input. An unauthenticated attacker could exploit this vulnerability to... |
| CVE-2020-25066 | 2020-12-22 | A heap-based buffer overflow in the Treck HTTP Server component before 6.0.1.68 allows remote attackers to cause a denial of service (crash/reset) or to possibly execute arbitrary code. |
| CVE-2020-27336 | 2020-12-22 | An issue was discovered in Treck IPv6 before 6.0.1.68. Improper input validation in the IPv6 component when handling a packet sent by an unauthenticated remote attacker could result in an... |
| CVE-2020-27337 | 2020-12-22 | An issue was discovered in Treck IPv6 before 6.0.1.68. Improper Input Validation in the IPv6 component allows an unauthenticated remote attacker to cause an Out of Bounds Write, and possibly... |
| CVE-2020-27338 | 2020-12-22 | An issue was discovered in Treck IPv6 before 6.0.1.68. Improper Input Validation in the DHCPv6 client component allows an unauthenticated remote attacker to cause an Out of Bounds Read, and... |
| CVE-2020-24678 | 2020-12-22 | Potential Privilege Escalation in Symphony Plus |
| CVE-2020-24676 | 2020-12-22 | Insecure Windows Services in Symphony Plus |
| CVE-2020-24677 | 2020-12-22 | Insecure Web Service in Symphony Plus |
| CVE-2020-24679 | 2020-12-22 | Denial of Service attack on Symphony Plus |
| CVE-2020-24680 | 2020-12-22 | Improper Credential Storage in Symphony Plus |
| CVE-2020-24683 | 2020-12-22 | Authentication Bypass in Symphony Plus |
| CVE-2020-24674 | 2020-12-22 | Improper Authorization in Symphony Plus |
| CVE-2020-24673 | 2020-12-22 | SQL Injection in Symphony Plus |
| CVE-2020-24675 | 2020-12-22 | Weak Authentication in Symphony Plus |
| CVE-2020-14874 | 2020-12-22 | Vulnerability in the Oracle Cloud Infrastructure Identity and Access Management product of Oracle Cloud Services. Easily exploitable vulnerability allows high privileged attacker with network access to compromise Oracle Cloud Infrastructure... |
| CVE-2020-28641 | 2020-12-22 | In Malwarebytes Free 4.1.0.56, a symbolic link may be used to delete an arbitrary file on the system by exploiting the local quarantine system. |
| CVE-2020-35665 | 2020-12-23 | An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation. |
| CVE-2020-35656 | 2020-12-23 | Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser and admin.php?reqGadget=FileBrowser&reqAction=Files to upload a .php file. NOTE: this is unrelated to the JAWS... |
| CVE-2020-35657 | 2020-12-23 | Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of UploadTheme to upload a theme ZIP archive containing a .php file that is able to... |
| CVE-2020-35658 | 2020-12-23 | SpamTitan before 7.09 allows attackers to tamper with backups, because backups are not encrypted. |
| CVE-2020-25190 | 2020-12-23 | MOXA NPort IAW5000A-I/O Series |
| CVE-2020-25194 | 2020-12-23 | MOXA NPort IAW5000A-I/O Series |
| CVE-2020-25198 | 2020-12-23 | MOXA NPort IAW5000A-I/O Series |
| CVE-2020-25192 | 2020-12-23 | MOXA NPort IAW5000A-I/O Series |
| CVE-2020-25153 | 2020-12-23 | MOXA NPort IAW5000A-I/O Series |
| CVE-2020-25196 | 2020-12-23 | MOXA NPort IAW5000A-I/O Series |
| CVE-2020-35136 | 2020-12-23 | Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has access to the admin dashboard can manipulate the backup function by inserting a payload into the filename... |
| CVE-2020-35584 | 2020-12-23 | In Solstice Pod before 3.0.3, the web services allow users to connect to them over unencrypted channels via the Browser Look-in feature. An attacker suitably positioned to view a legitimate... |
| CVE-2020-35585 | 2020-12-23 | In Solstice Pod before 3.3.0 (or Open4.3), the screen key can be enumerated using brute-force attacks via the /lookin/info Solstice Open Control API because there are only 1.7 million possibilities. |
| CVE-2020-35586 | 2020-12-23 | In Solstice Pod before 3.3.0 (or Open4.3), the Administrator password can be enumerated using brute-force attacks via the /Config/service/initModel?password= Solstice Open Control API because there is no complexity requirement (e.g.,... |
| CVE-2020-29550 | 2020-12-23 | An issue was discovered in URVE Build 24.03.2020. The password of an integration user account (used for the connection of the MS Office 365 Integration Service) is stored in cleartext... |
| CVE-2020-6159 | 2020-12-23 | URLs using “javascript:” have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but in certain circumstances this removal was not performed.... |
| CVE-2020-29552 | 2020-12-23 | An issue was discovered in URVE Build 24.03.2020. By using the _internal/pc/vpro.php?mac=0&ip=0&operation=0&usr=0&pass=0%3bpowershell+-c+" substring, it is possible to execute a PowerShell command and redirect its output to a file under the... |
| CVE-2020-35587 | 2020-12-23 | In Solstice Pod before 3.0.3, the firmware can easily be decompiled/disassembled. The decompiled/disassembled files contain non-obfuscated code. NOTE: it is unclear whether lack of obfuscation is directly associated with a... |
| CVE-2020-35650 | 2020-12-23 | Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Groups for LearnDash before v3.7 allow authenticated remote attackers to inject arbitrary JavaScript or HTML via the ulgm_code_redeem POST Parameter in user-code-redemption.php, the... |
| CVE-2020-29551 | 2020-12-23 | An issue was discovered in URVE Build 24.03.2020. Using the _internal/pc/shutdown.php path, it is possible to shutdown the system. Among others, the following files and scripts are also accessible: _internal/pc/abort.php,... |
| CVE-2020-9439 | 2020-12-23 | Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Owl Tin Canny LearnDash Reporting before 3.4.4 allow authenticated remote attackers to inject arbitrary web script or HTML via the search_key GET parameter... |
| CVE-2020-11718 | 2020-12-23 | An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and below. Its software-update packages are downloaded via cleartext HTTP. |
| CVE-2020-11720 | 2020-12-23 | An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and possibly below. During the installation, it sets up administrative access by default with the account admin and... |
| CVE-2020-11719 | 2020-12-23 | An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and possibly below. It relies on broken encryption with a weak and guessable static encryption key. |
| CVE-2020-4642 | 2020-12-23 | IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local attacker to cause a denial of service inside the "DB2... |
| CVE-2018-1000891 | 2020-12-23 | Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when receiving messages with invalid checksums. |
| CVE-2018-1000892 | 2020-12-23 | Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when receiving sendheaders messages. |
| CVE-2018-1000893 | 2020-12-23 | Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when deserializing transactions. |
| CVE-2020-13968 | 2020-12-23 | CRK Business Platform <= 2019.1 allows SQL statements to be injected against the DB on any path using the 'strSessao' parameter. |
| CVE-2020-13969 | 2020-12-23 | CRK Business Platform <= 2019.1 allows reflected XSS via erro.aspx on 'CRK', 'IDContratante', 'Erro', or 'Mod' parameter. This is path-independent. |
| CVE-2020-27397 | 2020-12-23 | Marital - Online Matrimonial Project In PHP version 1.0 suffers from an authenticated file upload vulnerability allowing remote attackers to gain remote code execution (RCE) on the Hosting web server... |