CVE List - 2020 / February
Showing 1101 - 1200 of 1397 CVEs for February 2020 (Page 12 of 14)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-9015 | 2020-02-20 | Arista DCS-7050QX-32S-R 4.20.9M, DCS-7050CX3-32S-R 4.20.11M, and DCS-7280SRAM-48C6-R 4.22.0.1F devices (and possibly other products) allow attackers to bypass intended TACACS+ shell restrictions via a | character. NOTE: the vendor reports that... |
| CVE-2020-9320 | 2020-02-20 | Avira AV Engine before 8.3.54.138 allows virus-detection bypass via a crafted ISO archive. This affects versions before 8.3.54.138 of Antivirus for Endpoint, Antivirus for Small Business, Exchange Security (Gateway), Internet... |
| CVE-2019-16298 | 2020-02-20 | An issue was discovered in Open Network Operating System (ONOS) 1.14. In the virtual broadband network gateway application (org.onosproject.virtualbng), the host event listener does not handle the following event types:... |
| CVE-2019-16299 | 2020-02-20 | An issue was discovered in Open Network Operating System (ONOS) 1.14. In the mobility application (org.onosproject.mobility), the host event listener does not handle the following event types: HOST_ADDED, HOST_REMOVED, HOST_UPDATED.... |
| CVE-2019-16300 | 2020-02-20 | An issue was discovered in Open Network Operating System (ONOS) 1.14. In the access control application (org.onosproject.acl), the host event listener does not handle the following event types: HOST_REMOVED. In... |
| CVE-2019-16301 | 2020-02-20 | An issue was discovered in Open Network Operating System (ONOS) 1.14. In the virtual tenant network application (org.onosproject.vtn), the host event listener does not handle the following event types: HOST_MOVED.... |
| CVE-2019-16302 | 2020-02-20 | An issue was discovered in Open Network Operating System (ONOS) 1.14. In the Ethernet VPN application (org.onosproject.evpnopenflow), the host event listener does not handle the following event types: HOST_MOVED, HOST_UPDATED.... |
| CVE-2020-9003 | 2020-02-20 | A stored XSS vulnerability exists in the Modula Image Gallery plugin before 2.2.5 for WordPress. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript... |
| CVE-2020-8990 | 2020-02-20 | Western Digital My Cloud Home before 3.6.0 and ibi before 3.6.0 allow Session Fixation. |
| CVE-2020-8960 | 2020-02-20 | Western Digital mycloud.com before Web Version 2.2.0-134 allows XSS. |
| CVE-2019-14688 | 2020-02-20 | Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be... |
| CVE-2019-19694 | 2020-02-20 | The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key... |
| CVE-2020-8601 | 2020-02-20 | Trend Micro Vulnerability Protection 2.0 is affected by a vulnerability that could allow an attacker to use the product installer to load other DLL files located in the same directory. |
| CVE-2020-5242 | 2020-02-20 | openHAB exec add-ons allow remote arbitrary command execution |
| CVE-2020-5243 | 2020-02-20 | Denial of Service in uap-core when processing crafted User-Agent strings |
| CVE-2016-4606 | 2020-02-21 | Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security... |
| CVE-2014-7914 | 2020-02-21 | btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets... |
| CVE-2020-5524 | 2020-02-21 | Aterm series (Aterm WF1200C firmware Ver1.2.1 and earlier, Aterm WG1200CR firmware Ver1.2.1 and earlier, Aterm WG2600HS firmware Ver1.3.2 and earlier) allows an attacker on the same network segment to execute... |
| CVE-2020-5525 | 2020-02-21 | Aterm series (Aterm WF1200C firmware Ver1.2.1 and earlier, Aterm WG1200CR firmware Ver1.2.1 and earlier, Aterm WG2600HS firmware Ver1.3.2 and earlier) allows an authenticated attacker on the same network segment to... |
| CVE-2020-5533 | 2020-02-21 | Cross-site scripting vulnerability in Aterm WG2600HS firmware Ver1.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2020-5534 | 2020-02-21 | Aterm WG2600HS firmware Ver1.3.2 and earlier allows an authenticated attacker on the same network segment to execute arbitrary OS commands with root privileges via unspecified vectors. |
| CVE-2019-19452 | 2020-02-21 | A buffer overflow was found in Patriot Viper RGB through 1.1 when processing IoControlCode 0x80102040. Local attackers (including low integrity processes) can exploit this to gain NT AUTHORITY\SYSTEM privileges. |
| CVE-2020-5324 | 2020-02-21 | Dell Client Consumer and Commercial Platforms contain an Arbitrary File Overwrite Vulnerability. The vulnerability is limited to the Dell Firmware Update Utility during the time window while being executed by... |
| CVE-2020-5326 | 2020-02-21 | Affected Dell Client platforms contain a BIOS Setup configuration authentication bypass vulnerability in the pre-boot Intel Rapid Storage Response Technology (iRST) Manager menu. An attacker with physical access to the... |
| CVE-2019-19866 | 2020-02-21 | Atos Unify OpenScape UC Web Client V9 before version V9 R4.31.0 and V10 before version V10 R0.6.0 allows remote attackers to obtain sensitive information. By iterating the value of conferenceId... |
| CVE-2019-19865 | 2020-02-21 | Atos Unify OpenScape UC Application V9 before version V9 R4.31.0 and V10 before version V10 R0.6.0 allows XSS. An attacker could exploit this by convincing an authenticated user to inject... |
| CVE-2020-6841 | 2020-02-21 | D-Link DCH-M225 1.05b01 and earlier devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the spotifyConnect.php userName parameter. |
| CVE-2013-3551 | 2020-02-21 | Kernel/Modules/AgentTicketPhone.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.20, 3.1.x before 3.1.16, and 3.2.x before 3.2.7, and OTRS ITSM 3.0.x before 3.0.8, 3.1.x before 3.1.9, and 3.2.x before 3.2.5... |
| CVE-2012-0063 | 2020-02-21 | Insecure plugin update mechanism in tucan through 0.3.10 could allow remote attackers to perform man-in-the-middle attacks and execute arbitrary code with the permissions of the user running tucan. |
| CVE-2013-4088 | 2020-02-21 | Kernel/Modules/AgentTicketWatcher.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.21, 3.1.x before 3.1.17, and 3.2.x before 3.2.8 does not properly restrict tickets, which allows remote attackers with a valid agent... |
| CVE-2020-6842 | 2020-02-21 | D-Link DCH-M225 1.05b01 and earlier devices allow remote authenticated admins to execute arbitrary OS commands via shell metacharacters in the media renderer name. |
| CVE-2012-6277 | 2020-02-21 | Multiple unspecified vulnerabilities in Autonomy KeyView IDOL before 10.16, as used in Symantec Mail Security for Microsoft Exchange before 6.5.8, Symantec Mail Security for Domino before 8.1.1, Symantec Messaging Gateway... |
| CVE-2013-3587 | 2020-02-21 | The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to... |
| CVE-2012-0828 | 2020-02-21 | Heap-based buffer overflow in Xchat-WDK before 1499-4 (2012-01-18) xchat 2.8.6 on Maemo architecture could allow remote attackers to cause a denial of service (xchat client crash) or execute arbitrary code... |
| CVE-2012-0844 | 2020-02-21 | Information-disclosure vulnerability in Netsurf through 2.8 due to a world-readable cookie jar. |
| CVE-2012-1093 | 2020-02-21 | The init script in the Debian x11-common package before 1:7.6+12 is vulnerable to a symlink attack that can lead to a privilege escalation during package installation. |
| CVE-2020-7907 | 2020-02-21 | In the JetBrains Scala plugin before 2019.2.1, some artefact dependencies were resolved over unencrypted connections. |
| CVE-2019-18846 | 2020-02-21 | OX App Suite through 7.10.2 allows SSRF. |
| CVE-2020-9327 | 2020-02-21 | In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations. |
| CVE-2020-9329 | 2020-02-21 | Gogs through 0.11.91 allows attackers to violate the admin-specified repo-creation policy due to an internal/db/repo.go race condition. |
| CVE-2020-9330 | 2020-02-21 | Certain Xerox WorkCentre printers before 073.xxx.000.02300 do not require the user to reenter or validate LDAP bind credentials when changing the LDAP connector IP address. A malicious actor who gains... |
| CVE-2020-8813 | 2020-02-22 | graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege. |
| CVE-2020-8860 | 2020-02-22 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to... |
| CVE-2020-8861 | 2020-02-22 | This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw... |
| CVE-2020-8862 | 2020-02-22 | This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within... |
| CVE-2020-9039 | 2020-02-22 | Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access). The /settings... |
| CVE-2020-9339 | 2020-02-22 | SOPlanning 1.45 allows XSS via the Name or Comment to status.php. |
| CVE-2020-9338 | 2020-02-22 | SOPlanning 1.45 allows XSS via the "Your SoPlanning url" field. |
| CVE-2020-9336 | 2020-02-22 | fauzantrif eLection 2.0 has XSS via the Admin Dashboard -> Settings -> Election -> "message if election is closed" field. |
| CVE-2020-9340 | 2020-02-22 | fauzantrif eLection 2.0 has SQL Injection via the admin/ajax/op_kandidat.php id parameter. |
| CVE-2020-9341 | 2020-02-22 | CandidATS 2.1.0 is vulnerable to CSRF that allows for an administrator account to be added via the index.php?m=settings&a=addUser URI. |
| CVE-2020-9342 | 2020-02-22 | The F-Secure AV parsing engine before 2020-02-05 allows virus-detection bypass via crafted Compression Method data in a GZIP archive. This affects versions before 17.0.605.474 (on Linux) of Cloud Protection For... |
| CVE-2020-9351 | 2020-02-23 | An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies... |
| CVE-2020-9352 | 2020-02-23 | An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in... |
| CVE-2020-9353 | 2020-02-23 | An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File... |
| CVE-2020-9350 | 2020-02-23 | Graph Builder in SAS Visual Analytics 8.5 allows XSS via a graph template that is accessed directly. |
| CVE-2020-9354 | 2020-02-23 | An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite... |
| CVE-2020-9355 | 2020-02-23 | danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalation because extra options are mishandled. |
| CVE-2019-3670 | 2020-02-24 | Remote Code Execution vulnerability |
| CVE-2019-15299 | 2020-02-24 | An issue was discovered in Centreon Web through 19.04.3. When a user changes his password on his profile page, the contact_autologin_key field in the database becomes blank when it should... |
| CVE-2019-20044 | 2020-02-24 | In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be... |
| CVE-2015-9542 | 2020-02-24 | add_password in pam_radius_auth.c in pam_radius 1.4.0 does not correctly check the length of the input password, and is vulnerable to a stack-based buffer overflow during memcpy(). An attacker could send... |
| CVE-2020-5188 | 2020-02-24 | DNN (formerly DotNetNuke) through 9.4.4 has Insecure Permissions. |
| CVE-2020-5187 | 2020-02-24 | DNN (formerly DotNetNuke) through 9.4.4 allows Path Traversal (issue 2 of 2). |
| CVE-2020-5186 | 2020-02-24 | DNN (formerly DotNetNuke) through 9.4.4 allows XSS (issue 1 of 2). |
| CVE-2019-20481 | 2020-02-24 | In MIELE XGW 3000 ZigBee Gateway before 2.4.0, the Password Change Function does not require knowledge of the old password. This can be exploited in conjunction with CVE-2019-20480. |
| CVE-2019-20480 | 2020-02-24 | In MIELE XGW 3000 ZigBee Gateway before 2.4.0, a malicious website visited by an authenticated admin user or a malicious mail is allowed to make arbitrary changes in the "admin... |
| CVE-2019-18183 | 2020-02-24 | pacman before 5.2 is vulnerable to arbitrary command injection in lib/libalpm/sync.c in the apply_deltas() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user... |
| CVE-2019-18182 | 2020-02-24 | pacman before 5.2 is vulnerable to arbitrary command injection in conf.c in the download_with_xfercommand() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user... |
| CVE-2020-8131 | 2020-02-24 | Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to... |
| CVE-2020-8130 | 2020-02-24 | There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`. |
| CVE-2020-9363 | 2020-02-24 | The Sophos AV parsing engine before 2020-01-14 allows virus-detection bypass via a crafted ZIP archive. This affects Endpoint Protection, Cloud Optix, Mobile, Intercept X Endpoint, Intercept X for Server, and... |
| CVE-2020-9362 | 2020-02-24 | The Quick Heal AV parsing engine (November 2019) allows virus-detection bypass via a crafted GPFLAG in a ZIP archive. This affects Total Security, Home Security, Total Security Multi-Device, Internet Security,... |
| CVE-2019-4595 | 2020-02-24 | IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a... |
| CVE-2019-4703 | 2020-02-24 | IBM Spectrum Protect Plus 10.1.0 and 10.5.0, when protecting Microsoft SQL or Microsoft Exchange, could allow an attacker with intimate knowledge of the system to obtain highly sensitive information. |
| CVE-2019-4745 | 2020-02-24 | IBM Maximo Asset Management 7.6.1.0 could allow a remote attacker to disclose sensitive information to an authenticated user due to disclosing path information in the URL. IBM X-Force ID: 172883. |
| CVE-2020-4210 | 2020-02-24 | IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit... |
| CVE-2020-4211 | 2020-02-24 | IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit... |
| CVE-2020-4212 | 2020-02-24 | IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit... |
| CVE-2020-4213 | 2020-02-24 | IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit... |
| CVE-2020-4222 | 2020-02-24 | IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit... |
| CVE-2020-9365 | 2020-02-24 | An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read has been detected in the pure_strcmp function in utils.c. |
| CVE-2020-9366 | 2020-02-24 | A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. Specially crafted output, or a special program, could corrupt memory and crash... |
| CVE-2012-0785 | 2020-02-24 | Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before 1.424.2.1 and 1.400.x before 1.400.0.11 could allow remote attackers to cause... |
| CVE-2016-11020 | 2020-02-24 | Kunena before 5.0.4 does not restrict avatar file extensions to gif, jpeg, jpg, and png. This can lead to XSS and remote code execution. |
| CVE-2020-5244 | 2020-02-24 | Private data exposure via REST API in BuddyPress |
| CVE-2020-9369 | 2020-02-24 | Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a denial of service (disk consumption from temporary files, and a flood of notifications to listmasters) via a series of requests... |
| CVE-2020-5245 | 2020-02-24 | Remote Code Execution (RCE) vulnerability in dropwizard-validation |
| CVE-2019-10798 | 2020-02-24 | rdf-graph-array through 0.3.0-rc6 allows manipulation of JavaScript objects resulting in Prototype Pollution. The rdf.Graph.prototype.add method could be tricked into adding or modifying properties of Object.prototype. |
| CVE-2019-10796 | 2020-02-24 | rpi through 0.0.3 allows execution of arbitrary commands. The variable pinNumbver in function GPIO within src/lib/gpio.js is used as part of the argument of the exec function without any sanitization. |
| CVE-2019-10799 | 2020-02-24 | compile-sass prior to 1.0.5 allows execution of arbitrary commands. The function "setupCleanupOnExit(cssPath)" within "dist/index.js" is executed as part of the "rm" command without any sanitization. |
| CVE-2018-13313 | 2020-02-24 | Admin Password returned in password.htm |
| CVE-2018-14705 | 2020-02-24 | Lack of Authentication/Authorization on Administrative Web Pages |
| CVE-2019-12510 | 2020-02-24 | Auth Bypass Via X-Forwarded-For Header in SOAP API |
| CVE-2019-12511 | 2020-02-24 | Root Command Injection via MAC Address in SOAP API |
| CVE-2019-12512 | 2020-02-24 | Stored XSS via X-Forwarded-For Header During Incorrect Login |
| CVE-2019-12513 | 2020-02-24 | Stored XSS via DHCP Discover Request Hostname |
| CVE-2019-17228 | 2020-02-24 | includes/options.php in the motors-car-dealership-classified-listings (aka Motors - Car Dealer & Classified Ads) plugin through 1.4.0 for WordPress allows unauthenticated options changes. |
| CVE-2019-17229 | 2020-02-24 | includes/options.php in the motors-car-dealership-classified-listings (aka Motors - Car Dealer & Classified Ads) plugin through 1.4.0 for WordPress has multiple stored XSS issues. |
| CVE-2020-9374 | 2020-02-24 | On TP-Link TL-WR849N 0.9.1 4.16 devices, a remote command execution vulnerability in the diagnostics area can be exploited when an attacker sends specific shell metacharacters to the panel's traceroute feature. |
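The Rake::FileList entry above (CVE-2020-8130) is an instance of a Ruby pitfall worth seeing in code: the bare Kernel#open treats a filename that begins with `|` as a command to spawn rather than a path to read (IO.read, IO.readlines and IO.foreach historically behave the same way), so any routine that calls open on a list of attacker-influenced filenames becomes a command-injection sink. The script below is an added example, not Rake's own code or anything from the advisory: it puts the vulnerable open shape beside the hardened File.open form, adds a small triage check for pipe-style names, and runs both against a fixture file and a hostile filename that are constructed here for the demo.

```ruby
# Added example (not Rake's own code): the Kernel#open pitfall behind
# CVE-2020-8130. A grep-over-files helper that opens each name with the
# bare Kernel#open will execute "|cmd" names; File.open never does.
# The fixture file and the hostile filename below are constructed for the demo.
require 'tmpdir'

PATTERN = /secret/

# Vulnerable shape: Kernel#open. A name such as "|id" is spawned as a
# command and its stdout is what gets grepped.
def grep_vulnerable(fn, pattern = PATTERN)
  hits = []
  open(fn) { |io| io.each_line { |l| hits << l.chomp if l.match?(pattern) } }
  hits
end

# Hardened shape: File.open only ever opens a path. "|id" is treated as a
# literal filename and raises Errno::ENOENT when no such file exists.
def grep_safe(fn, pattern = PATTERN)
  hits = []
  File.open(fn) { |io| io.each_line { |l| hits << l.chomp if l.match?(pattern) } }
  hits
end

# Triage helper for code review or input validation: names that Kernel#open
# (and the IO class-method readers) would interpret as a pipe command.
def pipe_open_name?(fn)
  fn.start_with?('|')
end

# Constructed fixture: a temp dir with one benign text file.
def with_fixture
  Dir.mktmpdir do |dir|
    benign = File.join(dir, 'notes.txt')
    File.write(benign, "public line\nsecret line\n")
    yield dir, benign
  end
end

if $PROGRAM_NAME == __FILE__
  with_fixture do |_dir, benign|
    p grep_vulnerable(benign)   # => ["secret line"]
    p grep_safe(benign)         # => ["secret line"]

    hostile = '|echo secret-from-shell'   # constructed attacker-controlled name
    p pipe_open_name?(hostile)            # => true
    begin
      # Runs `echo secret-from-shell` and greps its output: command injection.
      p grep_vulnerable(hostile)
    rescue StandardError => e
      puts "vulnerable path failed: #{e.class}"
    end
    begin
      grep_safe(hostile)
    rescue Errno::ENOENT => e
      puts "safe path refused: #{e.message}"   # no file literally named "|echo ..."
    end
  end
end
```

The same two-column comparison applies to any Ruby code that reads files named by a repository checkout, a build manifest or a glob over user-writable directories: prefer File.open, File.read and File.foreach over the Kernel/IO equivalents, and treat a leading `|` in a path as hostile input rather than relying on the newer interpreter deprecation warnings.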