CVE List - 2020 / August
Showing 701 - 800 of 1160 CVEs for August 2020 (Page 8 of 12)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-15149 | 2020-08-19 | Account takeover in NodeBB |
| CVE-2020-15151 | 2020-08-19 | Observable Timing Discrepancy in OpenMage LTS |
| CVE-2020-17456 | 2020-08-19 | SEOWON INTECH SLC-130 And SLR-120S devices allow Remote Code Execution via the ipAddr parameter to the system_log.cgi page. |
| CVE-2020-15861 | 2020-08-19 | Net-SNMP through 5.7.3 allows Escalation of Privileges because of UNIX symbolic link (symlink) following. |
| CVE-2020-15532 | 2020-08-19 | Silicon Labs Bluetooth Low Energy SDK before 2.13.3 has a buffer overflow via packet data. This is an over-the-air denial of service vulnerability in Bluetooth LE in EFR32 SoCs and... |
| CVE-2020-15531 | 2020-08-19 | Silicon Labs Bluetooth Low Energy SDK before 2.13.3 has a buffer overflow via packet data. This is an over-the-air remote code execution vulnerability in Bluetooth LE in EFR32 SoCs and... |
| CVE-2020-13826 | 2020-08-19 | A CSV injection (aka Excel Macro Injection or Formula Injection) issue in i-doit 1.14.2 allows an attacker to execute arbitrary commands via a Title parameter that is mishandled in a... |
| CVE-2020-13825 | 2020-08-19 | A cross-site scripting (XSS) vulnerability in i-doit 1.14.2 allows remote attackers to inject arbitrary web script or HTML via the viewMode, tvMode, tvType, objID, catgID, objTypeID, or editMode parameter. |
| CVE-2020-15146 | 2020-08-19 | Remote Code Execution in SyliusResourceBundle |
| CVE-2020-15143 | 2020-08-19 | Remote Code Execution in SyliusResourceBundle |
| CVE-2020-15629 | 2020-08-19 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.922. User interaction is required to exploit this vulnerability in that the target must... |
| CVE-2020-15630 | 2020-08-19 | This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922. User interaction is required to exploit this vulnerability in that the target must... |
| CVE-2020-15634 | 2020-08-19 | This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700 routers with firmware 1.0.4.84_10.0.58. Authentication is not required to exploit this vulnerability. The specific flaw... |
| CVE-2020-15635 | 2020-08-19 | This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers with firmware 1.0.4.84_10.0.58. Authentication is not required to exploit this vulnerability. The specific... |
| CVE-2020-15636 | 2020-08-19 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR R6400, R6700, R7000, R7850, R7900, R8000, RS400, and XR300 routers with firmware 1.0.4.84_10.0.58. Authentication is not... |
| CVE-2020-15637 | 2020-08-19 | This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PhantomPDF 9.7.1.29511. User interaction is required to exploit this vulnerability in that the target must visit... |
| CVE-2020-15638 | 2020-08-19 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.7.2.29539. User interaction is required to exploit this vulnerability in that the target must visit... |
| CVE-2020-8869 | 2020-08-19 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.916. User interaction is required to exploit this vulnerability in that the target must... |
| CVE-2020-8870 | 2020-08-19 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.916. User interaction is required to exploit this vulnerability in that the target must... |
| CVE-2020-15119 | 2020-08-19 | DOM-based XSS in auth0-lock |
| CVE-2020-10289 | 2020-08-20 | RVD#2401: Use of unsafe yaml load, ./src/actionlib/tools/library.py:132 |
| CVE-2020-10283 | 2020-08-20 | RVD#3317: MAVLink version handshaking allows for an attacker to bypass authentication |
| CVE-2019-20150 | 2020-08-20 | In TreasuryXpress 19191105, a logged-in user can discover saved credentials, even though the UI hides them. Using functionality within the application and a malicious host, it is possible to force... |
| CVE-2019-20151 | 2020-08-20 | An XSS issue was discovered in TreasuryXpress 19191105. Due to the lack of filtering and sanitization of user input, malicious JavaScript can be executed by the application's administrator(s). A malicious... |
| CVE-2019-20152 | 2020-08-20 | An XSS issue was discovered in TreasuryXpress 19191105. Due to the lack of filtering and sanitization of user input, malicious JavaScript can be executed throughout the application. A malicious payload... |
| CVE-2020-23936 | 2020-08-20 | PHPGurukul Vehicle Parking Management System 1.0 is vulnerable to Authentication Bypass via "Username: admin'# && Password: (Write Something)". |
| CVE-2020-23935 | 2020-08-20 | Kabir Alhasan Student Management System 1.0 is vulnerable to Authentication Bypass via "Username: admin'# && Password: (Write Something)". |
| CVE-2020-16279 | 2020-08-20 | The Kommbox component in Rangee GmbH RangeeOS 8.0.4 is vulnerable to Remote Code Execution due to untrusted user supplied input being passed to the command line without sanitization. |
| CVE-2020-16280 | 2020-08-20 | Multiple Rangee GmbH RangeeOS 8.0.4 modules store credentials in plaintext including credentials of users for several external facing administrative services, domain joined users, and local administrators. To exploit the vulnerability... |
| CVE-2020-16281 | 2020-08-20 | The Kommbox component in Rangee GmbH RangeeOS 8.0.4 could allow a local authenticated attacker to escape from the restricted environment and execute arbitrary code due to unrestricted context menus being... |
| CVE-2020-16282 | 2020-08-20 | In the default configuration of Rangee GmbH RangeeOS 8.0.4, all components are executed in the context of the privileged root user. This may allow a local attacker to break out... |
| CVE-2020-4548 | 2020-08-20 | IBM Content Navigator 3.0.7 and 3.0.8 is vulnerable to improper input validation. A malicious administrator could bypass the user interface and send requests to the IBM Content Navigator server with... |
| CVE-2020-4687 | 2020-08-20 | IBM Content Navigator 3.0.7 and 3.0.8 could allow an authenticated user to view cached content of another user that they should not have access to. IBM X-Force ID: 186679. |
| CVE-2020-24359 | 2020-08-20 | HashiCorp vault-ssh-helper up to and including version 0.1.6 incorrectly accepted Vault-issued SSH OTPs for the subnet in which a host's network interface was located, rather than the specific IP address... |
| CVE-2020-12619 | 2020-08-20 | MailMate before 1.11 automatically imported S/MIME certificates and thereby silently replaced existing ones. This allowed a man-in-the-middle attacker to obtain an email-validated S/MIME certificate from a trusted CA and replace... |
| CVE-2020-12618 | 2020-08-20 | eM Client before 7.2.33412.0 automatically imported S/MIME certificates and thereby silently replaced existing ones. This allowed a man-in-the-middle attacker to obtain an email-validated S/MIME certificate from a trusted CA and... |
| CVE-2020-15858 | 2020-08-21 | Some devices of Thales DIS (formerly Gemalto, formerly Cinterion) allow Directory Traversal by physically proximate attackers. The directory path access check of the internal flash file system can be circumvented.... |
| CVE-2020-24567 | 2020-08-21 | voidtools Everything before 1.4.1 Beta Nightly 2020-08-18 allows privilege escalation via a Trojan horse urlmon.dll file in the installation directory. NOTE: this is only relevant if low-privileged users can write... |
| CVE-2020-24571 | 2020-08-21 | NexusQA NexusDB before 4.50.23 allows the reading of files via ../ directory traversal. |
| CVE-2020-24574 | 2020-08-21 | The client (aka GalaxyClientService.exe) in GOG GALAXY through 2.0.41 (as of 12:58 AM Eastern, 9/26/21) allows local privilege escalation from any authenticated user to SYSTEM by instructing the Windows service... |
| CVE-2020-15070 | 2020-08-21 | Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to the postgres database, and chose to write a crafted custom profile field... |
| CVE-2020-14215 | 2020-08-21 | Zulip Server before 2.1.5 has Incorrect Access Control because 0198_preregistrationuser_invited_as adds the administrator role to invitations. |
| CVE-2020-14194 | 2020-08-21 | Zulip Server before 2.1.5 allows reverse tabnapping via a topic header link. |
| CVE-2020-12759 | 2020-08-21 | Zulip Server before 2.1.5 allows reflected XSS via the Dropbox webhook. |
| CVE-2020-7310 | 2020-08-21 | Privilege Escalation vulnerability in McAfee Total Protection (MTP) trial installer |
| CVE-2020-7710 | 2020-08-21 | Sandbox Escape |
| CVE-2020-14518 | 2020-08-21 | Philips DreamMapper Insertion of Sensitive Information into Log File |
| CVE-2020-16237 | 2020-08-21 | Philips SureSigns VS4 Improper Input Validation |
| CVE-2020-16241 | 2020-08-21 | Philips SureSigns VS4 Improper Access Control |
| CVE-2020-16239 | 2020-08-21 | Philips SureSigns VS4 Improper Authentication |
| CVE-2020-5774 | 2020-08-21 | Nessus versions 8.11.0 and earlier were found to maintain sessions longer than the permitted period in certain scenarios. The lack of proper session expiration could allow attackers with local access... |
| CVE-2020-3976 | 2020-08-21 | VMware ESXi and vCenter Server contain a partial denial of service vulnerability in their respective authentication services. VMware has evaluated the severity of this issue to be in the Moderate... |
| CVE-2020-24585 | 2020-08-21 | An issue was discovered in the DTLS handshake implementation in wolfSSL before 4.5.0. Clear DTLS application_data messages in epoch 0 do not produce an out-of-order error. Instead, these messages are... |
| CVE-2020-12457 | 2020-08-21 | An issue was discovered in wolfSSL before 4.5.0. It mishandles the change_cipher_spec (CCS) message processing logic for TLS 1.3. If an attacker sends ChangeCipherSpec messages in a crafted way involving... |
| CVE-2020-9104 | 2020-08-21 | HUAWEI P30 smartphones with Versions earlier than 10.1.0.123(C431E22R2P5),Versions earlier than 10.1.0.123(C432E22R2P5),Versions earlier than 10.1.0.126(C10E7R5P1),Versions earlier than 10.1.0.126(C185E4R7P1),Versions earlier than 10.1.0.126(C461E7R3P1),Versions earlier than 10.1.0.126(C605E19R1P3),Versions earlier than 10.1.0.126(C636E7R3P4),Versions earlier than 10.1.0.128(C635E3R2P4),Versions earlier... |
| CVE-2020-15309 | 2020-08-21 | An issue was discovered in wolfSSL before 4.5.0, when single precision is not employed. Local attackers can conduct a cache-timing attack against public key operations. These attackers may already have... |
| CVE-2020-9096 | 2020-08-21 | HUAWEI P30 Pro smartphones with Versions earlier than 10.1.0.160(C00E160R2P8) have an out of bound read vulnerability. Some functions lack verification when they process some messages sent from other... |
| CVE-2020-9095 | 2020-08-21 | HUAWEI P30 Pro smartphone with Versions earlier than 10.1.0.160(C00E160R2P8) has an integer overflow vulnerability. Some functions lack verification when they process some messages sent from another module. Attackers... |
| CVE-2020-9246 | 2020-08-21 | FusionCompute 8.0.0 has an information leak vulnerability. A module does not launch strict access control and information protection. Attackers with low privilege can get some extra information. This can lead... |
| CVE-2020-24051 | 2020-08-21 | The Moog EXO Series EXVF5C-2 and EXVP7C2-3 units support the ONVIF interoperability IP-based physical security protocol, which requires authentication for some of its operations. It was found that the authentication... |
| CVE-2020-7923 | 2020-08-21 | Specific GeoQuery can cause DoS against MongoDB Server |
| CVE-2020-24052 | 2020-08-21 | Several XML External Entity (XXE) vulnerabilities in the Moog EXO Series EXVF5C-2 and EXVP7C2-3 units allow remote unauthenticated users to read arbitrary files via a crafted Document Type Definition (DTD)... |
| CVE-2020-24053 | 2020-08-21 | Moog EXO Series EXVF5C-2 and EXVP7C2-3 units have a hardcoded credentials vulnerability. This could cause a confidentiality issue when using the FTP, Telnet, or SSH protocols. |
| CVE-2020-24054 | 2020-08-21 | The administration console of the Moog EXO Series EXVF5C-2 and EXVP7C2-3 units features a 'statusbroadcast' command that can spawn a given process repeatedly at a certain time interval as 'root'.... |
| CVE-2020-24055 | 2020-08-21 | Verint 5620PTZ Verint_FW_0_42 and Verint 4320 V4320_FW_0_23, and V4320_FW_0_31 units feature an autodiscovery service implemented in the binary executable '/usr/sbin/DM' that listens on port TCP 6666. The service is vulnerable... |
| CVE-2020-24056 | 2020-08-21 | A hardcoded credentials vulnerability exists in Verint 5620PTZ Verint_FW_0_42, Verint 4320 V4320_FW_0_23, V4320_FW_0_31, and Verint S5120FD Verint_FW_0_42 units. This could cause a confidentiality issue when using the FTP, Telnet, or SSH... |
| CVE-2020-24057 | 2020-08-21 | The management website of the Verint S5120FD Verint_FW_0_42 unit features a CGI endpoint ('ipfilter.cgi') that allows the user to manage network filtering on the unit. This endpoint is vulnerable to... |
| CVE-2020-20634 | 2020-08-21 | Elementor 2.9.5 and below WordPress plugin allows authenticated users to activate its safe mode feature. This can be exploited to disable all security plugins on the blog. |
| CVE-2020-10290 | 2020-08-21 | RVD#1495: Universal Robots URCaps execute with unbounded privileges |
| CVE-2020-20633 | 2020-08-21 | ajax_policy_generator in admin/modules/cli-policy-generator/classes/class-policy-generator-ajax.php in GDPR Cookie Consent (cookie-law-info) 1.8.2 and below plugin for WordPress, allows authenticated stored XSS and privilege escalation. |
| CVE-2020-15140 | 2020-08-21 | Remote Code Execution in Red Discord Bot |
| CVE-2020-15147 | 2020-08-21 | Remote Code Execution in Red Discord Bot |
| CVE-2020-5775 | 2020-08-21 | Server-Side Request Forgery in Canvas LMS 2020-07-29 allows a remote, unauthenticated attacker to cause the Canvas application to perform HTTP GET requests to arbitrary domains. |
| CVE-2020-3975 | 2020-08-21 | VMware App Volumes 2.x prior to 2.18.6 and VMware App Volumes 4 prior to 2006 contain a Stored Cross-Site Scripting (XSS) vulnerability. A malicious actor with access to create and... |
| CVE-2020-14201 | 2020-08-21 | Dolibarr CRM before 11.0.5 allows privilege escalation. This could allow remote authenticated attackers to upload arbitrary files via societe/document.php in which "disabled" is changed to "enabled" in the HTML source... |
| CVE-2019-11847 | 2020-08-21 | ALEOS User Root Shell Escalation |
| CVE-2019-11849 | 2020-08-21 | ALEOS AT API Stack Overflow |
| CVE-2019-11850 | 2020-08-21 | ALEOS AT Command Stack Overflow |
| CVE-2019-11848 | 2020-08-21 | ALEOS AT Command API Abuse |
| CVE-2019-11852 | 2020-08-21 | ALEOS ACEView Service Out-Of-Bounds Read |
| CVE-2019-11855 | 2020-08-21 | ALEOS LAN-Side RPC Server |
| CVE-2019-11856 | 2020-08-21 | ALEOS ACEView Message Replay |
| CVE-2019-11857 | 2020-08-21 | ALEOS AceManager Information Disclosure |
| CVE-2019-11859 | 2020-08-21 | ALEOS SMS Handler Buffer Overflow |
| CVE-2019-11853 | 2020-08-21 | ALEOS AT Command Injections |
| CVE-2019-11858 | 2020-08-21 | ALEOS Multiple Web UI vulnerabilities |
| CVE-2019-11862 | 2020-08-21 | ALEOS SSH Service Allows Traffic Proxying |
| CVE-2020-24590 | 2020-08-21 | The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML Entity Expansion attacks. |
| CVE-2020-24591 | 2020-08-21 | The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator... |
| CVE-2020-24589 | 2020-08-21 | The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks. |
| CVE-2020-10123 | 2020-08-21 | The currency dispenser of NCR SelfServ ATMs running APTRA XFS 05.01.00 or earlier does not adequately authenticate session key generation requests from the host computer, allowing an attacker with physical... |
| CVE-2020-10124 | 2020-08-21 | NCR SelfServ ATMs running APTRA XFS 05.01.00 do not encrypt, authenticate, or verify the integrity of messages between the BNA and the host computer, which could allow an attacker with... |
| CVE-2020-10125 | 2020-08-21 | NCR SelfServ ATMs running APTRA XFS 04.02.01 and 05.01.00 implement 512-bit RSA certificates to validate bunch note acceptor (BNA) software updates, which can be broken by an attacker with physical... |
| CVE-2020-10126 | 2020-08-21 | NCR SelfServ ATMs running APTRA XFS 05.01.00 do not properly validate software updates for the bunch note acceptor (BNA), enabling an attacker with physical access to internal ATM components to... |
| CVE-2020-9062 | 2020-08-21 | Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version 1.1.30 do not encrypt, authenticate, or verify the integrity of messages between the CCDM and the host computer, allowing an... |
| CVE-2020-9063 | 2020-08-21 | NCR SelfServ ATMs running APTRA XFS 05.01.00 or earlier do not authenticate or protect the integrity of USB HID communications between the currency dispenser and the host computer, permitting an... |
| CVE-2020-8227 | 2020-08-21 | Missing sanitization of a server response in Nextcloud Desktop Client 2.6.4 for Linux allowed a malicious Nextcloud Server to store files outside of the dedicated sync directory. |
| CVE-2020-8189 | 2020-08-21 | A cross-site scripting error in Nextcloud Desktop client 2.6.4 allowed to present any html (including local links) when responding with invalid data on the login attempt. |
| CVE-2020-8234 | 2020-08-21 | A vulnerability exists in The EdgeMax EdgeSwitch firmware <v1.9.1 where the EdgeSwitch legacy web interface SIDSSL cookie for admin can be guessed, enabling the attacker to obtain high privileges and... |
| CVE-2020-8620 | 2020-08-21 | In BIND 9.15.6 -> 9.16.5, 9.17.0 -> 9.17.3, An attacker who can establish a TCP connection with the server and send data on that connection can exploit this to trigger... |