CVE List - 2020 / February
Showing 1 - 100 of 1397 CVEs for February 2020 (Page 1 of 14)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-20446 | 2020-02-02 | In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern... |
| CVE-2020-8516 | 2020-02-02 | The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before attempting to connect to it, which might make it easier... |
| CVE-2020-8514 | 2020-02-02 | An issue was discovered in Rumpus 8.2.10 on macOS. By crafting a directory name, it is possible to activate JavaScript in the context of the web application after invoking the... |
| CVE-2020-8508 | 2020-02-03 | nsak64.sys in Norman Malware Cleaner 2.08.08 allows users to call arbitrary kernel functions because the passing of function pointers between user and kernel mode is mishandled. |
| CVE-2020-3925 | 2020-02-03 | ServiSign Windows Versions - Remote Code Execution via LoadLibrary |
| CVE-2020-3926 | 2020-02-03 | ServiSign Windows Versions - Arbitrary File Access |
| CVE-2020-3927 | 2020-02-03 | ServiSign Windows Versions - Arbitrary File Deletion |
| CVE-2020-7471 | 2020-02-03 | Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads... |
| CVE-2019-18193 | 2020-02-03 | In Unisys Stealth (core) 3.4.108.0, 3.4.209.x, 4.0.027.x and 4.0.114, key material is inadvertently logged under certain conditions. A fix is included in 3.4.109, 4.0.027.13, 4.0.125 and 5.0.013.0. |
| CVE-2014-8328 | 2020-02-03 | The default configuration in the Dynamic Content Elements (dce) extension before 0.11.5 for TYPO3 allows remote attackers to obtain sensitive installation environment information by reading the update check request. |
| CVE-2013-2621 | 2020-02-03 | Open Redirection Vulnerability in the redir.php script in Telaen before 1.3.1 allows remote attackers to redirect victims to arbitrary websites via a crafted URL. |
| CVE-2020-7993 | 2020-02-03 | Prototype 1.6.0.1 allows remote authenticated users to forge ticket creation (on behalf of other user accounts) via a modified email ID field. |
| CVE-2013-2622 | 2020-02-03 | Cross-site Scripting (XSS) in UebiMiau 2.7.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the "selected_theme" parameter in error.php. |
| CVE-2013-2623 | 2020-02-03 | Cross-site Scripting (XSS) in Telaen before 1.3.1 allows remote attackers to inject arbitrary web script or HTML via the "f_email" parameter in index.php. |
| CVE-2013-2624 | 2020-02-03 | Telaen before 1.3.1 contains a full path disclosure vulnerability which could allow remote attackers to obtain sensitive information through a specially crafted URL request. |
| CVE-2013-2631 | 2020-02-03 | TinyWebGallery (TWG) 1.8.9 and earlier contains a full path disclosure vulnerability which allows remote attackers to obtain sensitive information through the parameters "twg_browserx" and "twg_browsery" in the page image.php. |
| CVE-2019-19119 | 2020-02-03 | An issue was discovered in PRTG 7.x through 19.4.53. Due to insufficient access control on local registry keys for the Core Server Service, a non-administrative user on the local machine... |
| CVE-2020-8510 | 2020-02-03 | An issue was discovered in phpABook 0.9 Intermediate. On the login page, if one sets a userInfo cookie with the value of admin+1+en (user+perms+lang), one can login as any user... |
| CVE-2020-8545 | 2020-02-03 | Global.py in AIL framework 2.8 allows path traversal. |
| CVE-2019-11251 | 2020-02-03 | kubectl cp allows symlink directory traversal |
| CVE-2020-8547 | 2020-02-03 | phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical... |
| CVE-2019-16893 | 2020-02-03 | The Web Management of TP-Link TP-SG105E V4 1.0.0 Build 20181120 devices allows an unauthenticated attacker to reboot the device via a reboot.cgi request. |
| CVE-2020-8548 | 2020-02-03 | massCode 1.0.0-alpha.6 allows XSS via crafted Markdown text, with resultant remote code execution (because nodeIntegration in webPreferences is true). |
| CVE-2013-2646 | 2020-02-03 | TP-LINK TL-WR1043ND V1_120405 devices contain an unspecified denial of service vulnerability. |
| CVE-2013-2672 | 2020-02-03 | Brother MFC-9970CDW devices with firmware 0D allow cleartext submission of passwords. |
| CVE-2020-8549 | 2020-02-03 | Stored XSS in the Strong Testimonials plugin before 2.40.1 for WordPress can result in an attacker performing malicious actions such as stealing session tokens. |
| CVE-2019-4732 | 2020-02-03 | IBM SDK, Java Technology Edition Version 7.0.0.0 through 7.0.10.55, 7.1.0.0 through 7.1.4.55, and 8.0.0.0 through 8.0.6.0 could allow a local authenticated attacker to execute arbitrary code on the system, caused... |
| CVE-2020-4224 | 2020-02-03 | IBM StoredIQ 7.6.0.17 through 7.6.0.20 could disclose sensitive information to a local user due to data in certain directories not being encrypted when it contained symbolic links. IBM X-Force ID:... |
| CVE-2020-5182 | 2020-02-03 | The J-BusinessDirectory extension before 5.2.9 for Joomla! allows Reverse Tabnabbing. In some configurations, the link to the business website can be entered by any user. If it doesn't contain rel="noopener"... |
| CVE-2013-2673 | 2020-02-03 | Brother MFC-9970CDW 1.10 firmware L devices contain a security bypass vulnerability which allows physically proximate attackers to gain unauthorized access. |
| CVE-2016-4676 | 2020-02-03 | A Cross-origin vulnerability exists in WebKit in Apple Safari before 10.0.1 when processing location attributes, which could let a remote malicious user obtain sensitive information. |
| CVE-2019-20174 | 2020-02-03 | Auth0 Lock before 11.21.0 allows XSS when additionalSignUpFields is used with an untrusted placeholder. |
| CVE-2013-2674 | 2020-02-03 | Brother MFC-9970CDW 1.10 firmware L devices contain an information disclosure vulnerability which allows remote attackers to view sensitive information from referrer logs due to inadequate handling of HTTP referrer headers. |
| CVE-2019-18567 | 2020-02-03 | Bromium client - out-of-bounds read results in a race condition causing kernel memory leaks or denial of service |
| CVE-2020-8592 | 2020-02-03 | eG Manager 7.1.2 allows SQL Injection via the user parameter to com.eg.LoginHelperServlet (aka the Forgot Password feature). |
| CVE-2020-8591 | 2020-02-03 | eG Manager 7.1.2 allows authentication bypass via a com.egurkha.EgLoginServlet?uname=admin&upass=&accessKey=eGm0n1t0r request. |
| CVE-2019-9501 | 2020-02-03 | Broadcom wl driver is vulnerable to heap buffer overflow |
| CVE-2019-9502 | 2020-02-03 | Broadcom wl driver is vulnerable to heap buffer overflow |
| CVE-2020-8597 | 2020-02-03 | eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions. |
| CVE-2020-5235 | 2020-02-04 | Out-of-memory condition in Nanopb is potentially exploitable |
| CVE-2020-5236 | 2020-02-04 | Catastrophic backtracking in regex allows Denial of Service in Waitress |
| CVE-2020-3937 | 2020-02-04 | SysJust Syuan-Gu-Da-Shih - SQL Injection |
| CVE-2020-3938 | 2020-02-04 | SysJust Syuan-Gu-Da-Shih - Request Forgery |
| CVE-2020-3939 | 2020-02-04 | SysJust Syuan-Gu-Da-Shih - Cross-Site Scripting (XSS) |
| CVE-2011-4937 | 2020-02-04 | Joomla! 1.7.1 has core information disclosure due to inadequate error checking. |
| CVE-2011-3629 | 2020-02-04 | Joomla! core 1.7.1 allows information disclosure due to weak encryption |
| CVE-2012-5618 | 2020-02-04 | Ushahidi before 2.6.1 has insufficient entropy for forgot-password tokens. |
| CVE-2011-4912 | 2020-02-04 | Joomla! com_mailto 1.5.x through 1.5.13 has an automated mail timeout bypass. |
| CVE-2012-5686 | 2020-02-04 | ZPanel 10.0.1 has insufficient entropy for its password reset process. |
| CVE-2013-1422 | 2020-02-04 | webcalendar before 1.2.7 shows the reason for a failed login (e.g., "no such user"). |
| CVE-2013-7051 | 2020-02-04 | D-Link DIR-100 4.03B07: cli.cgi security bypass due to failure to check authentication parameters |
| CVE-2013-7052 | 2020-02-04 | D-Link DIR-100 4.03B07: security bypass via an error in the cliget.cgi script |
| CVE-2013-7053 | 2020-02-04 | D-Link DIR-100 4.03B07: cli.cgi CSRF |
| CVE-2013-7054 | 2020-02-04 | D-Link DIR-100 4.03B07: cli.cgi XSS |
| CVE-2013-7055 | 2020-02-04 | D-Link DIR-100 4.03B07 has PPTP and poe information disclosure |
| CVE-2013-2676 | 2020-02-04 | Brother MFC-9970CDW 1.10 firmware L devices contain an information disclosure vulnerability which allows remote attackers to view private IP addresses and other sensitive information. |
| CVE-2019-9674 | 2020-02-04 | Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb. |
| CVE-2019-19968 | 2020-02-04 | PandoraFMS 742 suffers from multiple XSS vulnerabilities, affecting the Agent Management, Report Builder, and Graph Builder components. An authenticated user can inject dangerous content into a data store that is... |
| CVE-2013-2678 | 2020-02-04 | Cisco Linksys E4200 1.0.05 Build 7 routers contain a Local File Include Vulnerability which could allow remote attackers to obtain sensitive information or execute arbitrary code by sending a crafted... |
| CVE-2019-19273 | 2020-02-04 | On Samsung mobile devices with O(8.0) and P(9.0) software and an Exynos 8895 chipset, RKP (aka the Samsung Hypervisor EL2 implementation) allows arbitrary memory write operations. The Samsung ID is... |
| CVE-2019-4451 | 2020-02-04 | IBM Security Identity Manager 6.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading... |
| CVE-2019-4540 | 2020-02-04 | IBM Security Directory Server 6.4.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 165813. |
| CVE-2019-4541 | 2020-02-04 | IBM Security Directory Server 6.4.0 uses incomplete blacklisting for input validation which allows attackers to bypass application controls resulting in direct impact to the system and data integrity. IBM X-Force... |
| CVE-2019-4548 | 2020-02-04 | IBM Security Directory Server 6.4.0 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote... |
| CVE-2019-4550 | 2020-02-04 | IBM Security Directory Server 6.4.0 is deployed with active debugging code that can create unintended entry points. IBM X-Force ID: 165952. |
| CVE-2019-4551 | 2020-02-04 | IBM Security Directory Server 6.4.0 does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. IBM X-Force ID: 165953. |
| CVE-2019-4562 | 2020-02-04 | IBM Security Directory Server 6.4.0 stores sensitive information in URLs. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referer header or... |
| CVE-2019-4674 | 2020-02-04 | IBM Security Identity Manager 7.0.1 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to... |
| CVE-2019-4675 | 2020-02-04 | IBM Security Identity Manager 7.0.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption... |
| CVE-2020-4163 | 2020-02-04 | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, under specialized conditions, could allow an authenticated user to create a maliciously crafted file name which would be misinterpreted as jsp... |
| CVE-2020-7221 | 2020-02-04 | mysql_install_db in MariaDB 10.4.7 through 10.4.11 allows privilege escalation from the mysql user account to root because chown and chmod are performed unsafely, as demonstrated by a symlink attack on... |
| CVE-2019-10784 | 2020-02-04 | phppgadmin through 7.12.1 allows sensitive actions to be performed without validating that the request originated from the application. One such area, "database.php" does not verify the source of an HTTP... |
| CVE-2020-8615 | 2020-02-04 | A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking... |
| CVE-2020-8124 | 2020-02-04 | Insufficient validation and sanitization of user input in the url-parse npm package version 1.4.4 and earlier may allow an attacker to bypass security checks. |
| CVE-2020-8125 | 2020-02-04 | A flaw in input validation in the npm package klona version 1.1.0 and earlier may allow a prototype pollution attack that may result in remote code execution or denial of service of applications... |
| CVE-2019-15610 | 2020-02-04 | Improper authorization in the Circles app 0.17.7 causes retaining access when an email address was removed from a circle. |
| CVE-2019-15611 | 2020-02-04 | Violation of Secure Design Principles in the iOS App 2.23.0 causes the app to leak its login and token to other Nextcloud services when searching e.g. for federated users or... |
| CVE-2019-15612 | 2020-02-04 | A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset. |
| CVE-2019-15613 | 2020-02-04 | A bug in Nextcloud Server 17.0.1 causes the workflow rules to make their behaviour depend on the file extension when checking file mimetypes. |
| CVE-2019-15614 | 2020-02-04 | Missing sanitization in the iOS App 2.24.4 causes an XSS when opening malicious HTML files. |
| CVE-2019-15615 | 2020-02-04 | A wrong check for the system time in the Android App 3.9.0 causes a bypass of the lock protection when changing the time of the system to the past. |
| CVE-2019-15616 | 2020-02-04 | Dangling remote share attempts in Nextcloud 16 allow a DNS pollution when running long. |
| CVE-2019-15617 | 2020-02-04 | A missing check in Nextcloud Server 17.0.0 allowed an attacker to set up a new second factor when trying to login. |
| CVE-2019-15618 | 2020-02-04 | Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a reflected XSS when starting the updater from a malicious location. |
| CVE-2019-15619 | 2020-02-04 | Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each others... |
| CVE-2019-15620 | 2020-02-04 | Improper access control in Nextcloud Talk 6.0.3 leaks the existence and the name of private conversations when linking them to another shared item via the projects feature. |
| CVE-2019-15621 | 2020-02-04 | Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public... |
| CVE-2019-15622 | 2020-02-04 | Insufficiently strict sanitization in the Nextcloud Android app 3.6.0 allowed an attacker to get content information from protected tables when using custom queries. |
| CVE-2019-15623 | 2020-02-04 | Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send its domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup... |
| CVE-2019-15624 | 2020-02-04 | Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders. |
| CVE-2020-8115 | 2020-02-04 | A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver <= 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session... |
| CVE-2020-8116 | 2020-02-04 | Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects. |
| CVE-2020-8117 | 2020-02-04 | Improper preservation of permissions in Nextcloud Server 14.0.3 causes the event details to be leaked when sharing a non-public event. |
| CVE-2020-8118 | 2020-02-04 | An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed detection of local and remote services when adding a new subscription in the calendar application. |
| CVE-2020-8119 | 2020-02-04 | Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app. |
| CVE-2020-8120 | 2020-02-04 | A reflected Cross-Site Scripting vulnerability in Nextcloud Server 16.0.1 was discovered in the svg generation. |
| CVE-2020-8121 | 2020-02-04 | A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. |
| CVE-2020-8122 | 2020-02-04 | A missing check in Nextcloud Server 14.0.3 could give a recipient the possibility to extend the expiration date of a share they received. |
| CVE-2020-8123 | 2020-02-04 | A denial of service exists in strapi v3.0.0-beta.18.3 and earlier that can be abused in the admin console using admin rights and can lead to arbitrary restart of the application. |
| CVE-2015-3611 | 2020-02-04 | A Command Injection vulnerability exists in FortiManager 5.2.1 and earlier and FortiManager 5.0.10 and earlier via unspecified vectors, which could let a malicious user run systems commands when executing a... |