CVE List - 2020 / January
Showing 1401 - 1500 of 1655 CVEs for January 2020 (Page 15 of 17)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-15582 | 2020-01-28 | An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group... |
| CVE-2019-5466 | 2020-01-28 | An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new merge requests endpoint to disclose label names. |
| CVE-2019-15581 | 2020-01-28 | An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the... |
| CVE-2019-5468 | 2020-01-28 | A privilege escalation issue was discovered in GitLab versions < 12.1.2, < 12.0.4, and < 11.11.6 when Mattermost slash commands are used with a blocked account. |
| CVE-2019-15579 | 2020-01-28 | An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) where the assignee(s) of a confidential issue in a... |
| CVE-2019-15578 | 2020-01-28 | An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). The path of a private project, that used to... |
| CVE-2019-5470 | 2020-01-28 | An information disclosure issue was discovered in GitLab versions < 12.1.2, < 12.0.4, and < 11.11.6 in the security dashboard which could result in disclosure of vulnerability feedback information. |
| CVE-2019-5472 | 2020-01-28 | An authorization issue was discovered in GitLab versions < 12.1.2, < 12.0.4, and < 11.11.6 that prevented owners and maintainers from deleting epic comments. |
| CVE-2020-7997 | 2020-01-28 | ASUS WRT-AC66U 3 RT 3.0.0.4.372_67 devices allow XSS via the Client Name field to the Parental Control feature. |
| CVE-2020-7998 | 2020-01-28 | An arbitrary file upload vulnerability has been discovered in the Super File Explorer app 1.0.1 for iOS. The vulnerability is located in the developer path that is accessible and hidden... |
| CVE-2020-5523 | 2020-01-28 | Android App 'MyPallete' and some of the Android banking applications based on 'MyPallete' do not verify X.509 certificates from servers, and also do not properly validate certificates with host-mismatch, which... |
| CVE-2020-7799 | 2020-01-28 | An issue was discovered in FusionAuth before 1.11.0. An authenticated user, allowed to edit e-mail templates (Home -> Settings -> Email Templates) or themes (Home -> Settings -> Themes), can... |
| CVE-2020-7934 | 2020-01-28 | In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue.... |
| CVE-2019-17096 | 2020-01-28 | Bitdefender BOX 2 bootstrap get_image_size command injection vulnerability |
| CVE-2014-3445 | 2020-01-28 | backup.php in HandsomeWeb SOS Webpages before 1.1.12 does not require knowledge of the cleartext password, which allows remote attackers to bypass authentication by leveraging knowledge of the administrator password hash. |
| CVE-2014-2581 | 2020-01-28 | Smb4K before 1.1.1 allows remote attackers to obtain credentials via vectors related to the cuid option in the "Additional options" line edit. |
| CVE-2013-1437 | 2020-01-28 | Eval injection vulnerability in the Module-Metadata module before 1.000015 for Perl allows remote attackers to execute arbitrary Perl code via the $Version value. |
| CVE-2013-1895 | 2020-01-28 | The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to... |
| CVE-2012-6114 | 2020-01-28 | The git-changelog utility in git-extras 1.7.0 allows local users to overwrite arbitrary files via a symlink attack on (1) /tmp/changelog or (2) /tmp/.git-effort. |
| CVE-2013-2571 | 2020-01-28 | Iris 3.8 before build 1548, as used in Xpient point of sale (POS) systems, allows remote attackers to execute arbitrary commands via a crafted request to TCP port 7510, as... |
| CVE-2013-6455 | 2020-01-28 | The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain usernames via vectors related to writing the names to the DOM... |
| CVE-2013-6451 | 2020-01-28 | Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values. |
| CVE-2014-3230 | 2020-01-28 | The libwww-perl LWP::Protocol::https module 6.04 through 6.06 for Perl, when using IO::Socket::SSL as the SSL socket class, allows attackers to disable server certificate validation via the (1) HTTPS_CA_DIR or (2)... |
| CVE-2013-4583 | 2020-01-28 | The parse_cmd function in lib/gitlab_shell.rb in GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, and Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allows remote authenticated users to gain privileges... |
| CVE-2013-4582 | 2020-01-28 | The (1) create_branch, (2) create_tag, (3) import_project, and (4) fork_project functions in lib/gitlab_projects.rb in GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8... |
| CVE-2014-2914 | 2020-01-28 | fish (aka fish-shell) 2.0.0 before 2.1.1 does not restrict access to the configuration service (aka fish_config), which allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by... |
| CVE-2014-3856 | 2020-01-28 | The funced function in fish (aka fish-shell) 1.23.0 before 2.1.1 does not properly create temporary files, which allows local users to gain privileges via a temporary file with a predictable... |
| CVE-2014-2906 | 2020-01-28 | The psub function in fish (aka fish-shell) 1.16.0 before 2.1.1 does not properly create temporary files, which allows local users to execute arbitrary commands via a temporary file with a... |
| CVE-2014-2896 | 2020-01-28 | The DoAlert function in the (1) TLS and (2) DTLS implementations in wolfSSL CyaSSL before 2.9.4 allows remote attackers to have unspecified impact and vectors, which trigger memory corruption or... |
| CVE-2014-2897 | 2020-01-28 | The SSL 3 HMAC functionality in wolfSSL CyaSSL 2.5.0 before 2.9.4 does not check the padding length when verification fails, which allows remote attackers to have unspecified impact via a... |
| CVE-2014-2898 | 2020-01-28 | wolfSSL CyaSSL before 2.9.4 allows remote attackers to have unspecified impact via multiple calls to the CyaSSL_read function which triggers an out-of-bounds read when an error occurs, related to not... |
| CVE-2013-0294 | 2020-01-28 | packet.py in pyrad before 2.1 uses weak random numbers to generate RADIUS authenticators and hash passwords, which makes it easier for remote attackers to obtain sensitive information via a brute... |
| CVE-2013-2060 | 2020-01-28 | The download_from_url function in OpenShift Origin allows remote attackers to execute arbitrary commands via shell metacharacters in the URL of a request to download a cart. |
| CVE-2013-4865 | 2020-01-28 | Cross-site request forgery (CSRF) vulnerability in upgrade_step2.sh in MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to hijack the authentication of users for requests that install arbitrary firmware via the... |
| CVE-2013-4864 | 2020-01-28 | MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to send HTTP requests to intranet servers via the url parameter to cgi-bin/cmh/proxy.sh, related to a Server-Side Request Forgery (SSRF) issue. |
| CVE-2013-4863 | 2020-01-28 | The HomeAutomationGateway service in MiCasaVerde VeraLite with firmware 1.5.408 allows (1) remote attackers to execute arbitrary Lua code via a RunLua action in a request to upnp/control/hag on port 49451... |
| CVE-2013-4862 | 2020-01-28 | MiCasaVerde VeraLite with firmware 1.5.408 does not properly restrict access, which allows remote authenticated users to (1) update the firmware via the squashfs parameter to upgrade_step2.sh or (2) obtain hashed... |
| CVE-2013-4861 | 2020-01-28 | Directory traversal vulnerability in cgi-bin/cmh/get_file.sh in MiCasaVerde VeraLite with firmware 1.5.408 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter. |
| CVE-2020-8086 | 2020-01-28 | The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed to the is_admin() function. This grants remote entities admin-only functionality if their username matches... |
| CVE-2012-6610 | 2020-01-28 | Polycom HDX Video End Points before 3.0.4 and UC APL before 2.7.1.J allows remote authenticated users to execute arbitrary commands as demonstrated by a ; (semicolon) to the ping command... |
| CVE-2012-6609 | 2020-01-28 | Directory traversal vulnerability in a_getlog.cgi in Polycom HDX Video End Points before 3.0.4 and UC APL before 2.7.1.J allows remote attackers to read arbitrary files via a .. (dot dot)... |
| CVE-2015-7851 | 2020-01-28 | Directory traversal vulnerability in the save_config function in ntpd in ntp_control.c in NTP before 4.2.8p4, when used on systems that do not use '\' or '/' characters for directory separation... |
| CVE-2020-1940 | 2020-01-28 | The optional initial password change and password expiration features present in Apache Jackrabbit Oak 1.2.0 to 1.22.0 are prone to a sensitive information disclosure vulnerability. The code mandates the changed... |
| CVE-2020-8112 | 2020-01-28 | opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through 2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a different issue than CVE-2020-6851. |
| CVE-2020-5210 | 2020-01-28 | NetHack command line -w option parsing is subject to a buffer overflow |
| CVE-2020-5209 | 2020-01-28 | NetHack command line parsing of options starting with -de and -i is subject to a buffer overflow |
| CVE-2020-5214 | 2020-01-28 | NetHack error recovery after syntax error in configuration file is subject to a buffer overflow |
| CVE-2020-5213 | 2020-01-28 | NetHack SYMBOL configuration file option is subject to a buffer overflow |
| CVE-2020-5212 | 2020-01-28 | NetHack MENUCOLOR configuration file option is subject to a buffer overflow |
| CVE-2020-5211 | 2020-01-28 | NetHack AUTOCOMPLETE configuration file option is subject to a buffer overflow |
| CVE-2019-17338 | 2020-01-28 | TIBCO Patterns - Search Exposes Cross Site Scripting Vulnerabilities |
| CVE-2015-8012 | 2020-01-28 | lldpd before 0.8.0 allows remote attackers to cause a denial of service (assertion failure and daemon crash) via a malformed packet. |
| CVE-2015-8011 | 2020-01-28 | Buffer overflow in the lldp_decode function in daemon/protocols/lldp.c in lldpd before 0.8.0 allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via vectors... |
| CVE-2019-4568 | 2020-01-28 | IBM MQ and IBM MQ Appliance 8.0 and 9.0 LTS could allow a remote attacker with intimate knowledge of the server to cause a denial of service when receiving data... |
| CVE-2019-4614 | 2020-01-28 | IBM MQ and IBM MQ Appliance 8.0 and 9.0 LTS client connecting to a Queue Manager could cause a SIGSEGV denial of service caused by converting an invalid message. IBM... |
| CVE-2019-4620 | 2020-01-28 | IBM MQ Appliance 8.0 and 9.0 LTS could allow a local attacker to bypass security restrictions caused by improper validation of environment variables. IBM X-Force ID: 168863. |
| CVE-2019-4631 | 2020-01-28 | IBM Security Secret Server 10.7 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a... |
| CVE-2019-4632 | 2020-01-28 | IBM Security Secret Server 10.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading... |
| CVE-2019-4633 | 2020-01-28 | IBM Security Secret Server 10.7 could allow an attacker to obtain sensitive information due to an overly permissive CORS policy. IBM X-Force ID: 170007. |
| CVE-2019-4635 | 2020-01-28 | IBM Security Secret Server 10.7 could allow a privileged user to perform unauthorized command injection due to improper input neutralization of special elements. IBM X-Force ID: 170011. |
| CVE-2019-4636 | 2020-01-28 | IBM Security Secret Server 10.7 could disclose sensitive information to an authenticated user from generated error messages. IBM X-Force ID: 170013. |
| CVE-2019-4637 | 2020-01-28 | IBM Security Secret Server 10.7 uses incomplete blacklisting for input validation which allows attackers to bypass application controls resulting in direct impact to the system and data integrity. IBM X-Force... |
| CVE-2019-4638 | 2020-01-28 | IBM Security Secret Server 10.7 does not set the secure attribute on authorization tokens or session cookies. This could allow an attacker to obtain sensitive information using man in the... |
| CVE-2019-4639 | 2020-01-28 | IBM Security Secret Server 10.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 170045. |
| CVE-2019-4679 | 2020-01-28 | IBM Content Navigator 3.0CD could allow an authenticated user to gain information about the hosting operating system and version that could be used in further attacks against the system. IBM... |
| CVE-2019-4707 | 2020-01-28 | IBM Security Access Manager Appliance 9.0.7.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive... |
| CVE-2020-4207 | 2020-01-28 | IBM Watson IoT Message Gateway 2.0.0.x, 5.0.0.0, 5.0.0.1, and 5.0.0.2 is vulnerable to a buffer overflow, caused by improper bounds checking when handling a failed HTTP request with specific content... |
| CVE-2020-8315 | 2020-01-28 | In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll... |
| CVE-2015-5483 | 2020-01-28 | Multiple cross-site request forgery (CSRF) vulnerabilities in the Private Only plugin 3.5.1 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add users, (2)... |
| CVE-2014-8490 | 2020-01-28 | Cross-site scripting (XSS) vulnerability in TennisConnect COMPONENTS 9.927 allows remote attackers to inject arbitrary web script or HTML via the pid parameter to index.cfm. |
| CVE-2013-2714 | 2020-01-28 | Cross-site Scripting (XSS) in WordPress podPress Plugin 8.8.10.13 could allow remote attackers to inject arbitrary web script or HTML via the 'playerID' parameter. |
| CVE-2013-2748 | 2020-01-28 | Belkin Wemo Switch before WeMo_US_2.00.2176.PVT could allow remote attackers to upload arbitrary files onto the system. |
| CVE-2013-1599 | 2020-01-28 | A Command Injection vulnerability exists in the /var/www/cgi-bin/rtpd.cgi script in D-Link IP Cameras DCS-3411/3430 firmware 1.02, DCS-5605/5635 1.01, DCS-1100L/1130L 1.04, DCS-1100/1130 1.03, DCS-1100/1130 1.04_US, DCS-2102/2121 1.05_RU, DCS-3410 1.02, DCS-5230 1.02,... |
| CVE-2013-2764 | 2020-01-28 | Secure Entry Server before 4.7.0 contains a URI Redirection vulnerability which could allow remote attackers to conduct phishing attacks due to HSP_AbsoluteRedirects being disabled by default. |
| CVE-2013-3071 | 2020-01-28 | NETGEAR Centria WNDR4700 devices with firmware 1.0.0.34 allow authentication bypass. |
| CVE-2013-3074 | 2020-01-28 | NetGear WNDR4700 Media Server devices with firmware 1.0.0.34 allow remote attackers to cause a denial of service (device crash). |
| CVE-2013-3093 | 2020-01-28 | ASUS RT-N56U devices allow CSRF. |
| CVE-2013-1600 | 2020-01-28 | An Authentication Bypass vulnerability exists in upnp/asf-mp4.asf when streaming live video in D-Link TESCO DCS-2121 1.05_TESCO, TESCO DCS-2102 1.05_TESCO, DCS-2121 1.06_FR, 1.06, and 1.05_RU, DCS-2102 1.06_FR, 1.06, and 1.05_RU, which... |
| CVE-2020-8417 | 2020-01-28 | The Code Snippets plugin before 2.14.0 for WordPress allows CSRF because of the lack of a Referer check on the import menu. |
| CVE-2013-3212 | 2020-01-28 | vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allows remote attackers to view files and execute local script code. |
| CVE-2013-3214 | 2020-01-28 | vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'. |
| CVE-2013-1601 | 2020-01-28 | An Information Disclosure vulnerability exists due to a failure to restrict access on the lums.cgi script when processing a live video stream in D-LINK... |
| CVE-2020-8420 | 2020-01-28 | An issue was discovered in Joomla! before 3.9.15. A missing CSRF token check in the LESS compiler of com_templates causes a CSRF vulnerability. |
| CVE-2020-8421 | 2020-01-28 | An issue was discovered in Joomla! before 3.9.15. Inadequate escaping of usernames allows XSS attacks in com_actionlogs. |
| CVE-2020-8419 | 2020-01-28 | An issue was discovered in Joomla! before 3.9.15. Missing token checks in the batch actions of various components cause CSRF vulnerabilities. |
| CVE-2013-1602 | 2020-01-28 | An Information Disclosure vulnerability exists due to insufficient validation of authentication cookies for the RTSP session in D-Link DCS-5635 1.01, DCS-1100L 1.04, DCS-1130L 1.04, DCS-1100 1.03/1.04_US, DCS-1130 1.03/1.04_US, DCS-2102... |
| CVE-2020-5215 | 2020-01-28 | Segmentation fault in TensorFlow when converting a Python string to tf.float16 |
| CVE-2013-1603 | 2020-01-28 | An Authentication vulnerability exists in D-LINK WCS-1100 1.02, TESCO DCS-2121 1.05_TESCO, TESCO DCS-2102 1.05_TESCO, DCS-7510 1.00, DCS-7410 1.00, DCS-6410 1.00, DCS-5635 1.01, DCS-5605 1.01, DCS-5230L 1.02, DCS-5230 1.02, DCS-3430 1.02,... |
| CVE-2020-8425 | 2020-01-28 | Cups Easy (Purchase & Inventory) 1.0 is vulnerable to CSRF that leads to admin account deletion via userdelete.php. |
| CVE-2020-8424 | 2020-01-28 | Cups Easy (Purchase & Inventory) 1.0 is vulnerable to CSRF that leads to admin account takeover via passwordmychange.php. |
| CVE-2020-8426 | 2020-01-28 | The Elementor plugin before 2.8.5 for WordPress suffers from a reflected XSS vulnerability on the elementor-system-info page. These can be exploited by targeting an authenticated user. |
| CVE-2020-5227 | 2020-01-28 | Feedgen Vulnerable to XML Denial of Service Attacks |
| CVE-2020-8428 | 2020-01-28 | fs/namei.c in the Linux kernel before 5.5 has a may_create_in_sticky use-after-free, which allows local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory,... |
| CVE-2019-20215 | 2020-01-29 | D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via a urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because HTTP_ST is mishandled.... |
| CVE-2019-20216 | 2020-01-29 | D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via the urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because REMOTE_PORT is mishandled.... |
| CVE-2019-20217 | 2020-01-29 | D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via the urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because SERVER_ID is mishandled.... |
| CVE-2020-7965 | 2020-01-29 | flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even... |
| CVE-2012-4383 | 2020-01-29 | Contao prior to 2.11.4 has a SQL injection vulnerability |
| CVE-2012-5776 | 2020-01-29 | Dokeos 2.1.1 has multiple XSS issues involving "extra_" parameters in main/auth/profile.php. |
| CVE-2013-0161 | 2020-01-29 | Havalite CMS 1.1.7 has a stored XSS vulnerability |