CVE List - 2020 / October
Showing 201 - 300 of 1594 CVEs for October 2020 (Page 3 of 16)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-26603 | 2020-10-06 | An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. Sticker Center allows directory traversal for an unprivileged process to read arbitrary files. The Samsung ID... |
| CVE-2020-26607 | 2020-10-06 | An issue was discovered in TimaService on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. PendingIntent with an empty intent is mishandled, allowing an attacker to perform a privileged... |
| CVE-2020-26606 | 2020-10-06 | An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), Q(10.0), and R(11.0) software. An attacker can access certain Secure Folder content via a debugging command. The Samsung ID... |
| CVE-2020-26605 | 2020-10-06 | An issue was discovered on Samsung mobile devices with Q(10.0) and R(11.0) (Exynos chipsets) software. They allow attackers to obtain sensitive information by reading a log. The Samsung ID is... |
| CVE-2020-26604 | 2020-10-06 | An issue was discovered in SystemUI on Samsung mobile devices with O(8.x), P(9.0), Q(10.0), and R(11.0) software. PendingIntent allows an unprivileged process to access contact numbers. The Samsung ID is... |
| CVE-2020-26602 | 2020-10-06 | An issue was discovered in EthernetNetwork on Samsung mobile devices with O(8.1), P(9.0), Q(10.0), and R(11.0) software. PendingIntent allows sdcard access by an unprivileged process. The Samsung ID is SVE-2020-18392... |
| CVE-2020-26601 | 2020-10-06 | An issue was discovered in DirEncryptService on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. PendingIntent with an empty intent is mishandled, allowing an attacker to perform a privileged... |
| CVE-2020-26600 | 2020-10-06 | An issue was discovered on Samsung mobile devices with Q(10.0) software. Auto Hotspot allows attackers to obtain sensitive information. The Samsung ID is SVE-2020-17288 (October 2020). |
| CVE-2020-15927 | 2020-10-06 | Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module. |
| CVE-2020-16267 | 2020-10-06 | Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module. |
| CVE-2020-14183 | 2020-10-06 | Affected versions of Jira Server & Data Center allow a remote attacker with limited (non-admin) privileges to view a Jira instance's Support Entitlement Number (SEN) via an Information Disclosure vulnerability... |
| CVE-2020-7742 | 2020-10-07 | Prototype Pollution |
| CVE-2020-25985 | 2020-10-07 | MonoCMS Blog 1.0 is affected by: Arbitrary File Deletion. Any authenticated user can delete files on and off the webserver (php files can be unlinked and not deleted). |
| CVE-2020-13335 | 2020-10-07 | Improper group membership validation when deleting a user account in GitLab >=7.12 allows a user to delete own account without deleting/transferring their group. |
| CVE-2020-13347 | 2020-10-07 | A command injection vulnerability was discovered in Gitlab runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a docker executor, which... |
| CVE-2020-13334 | 2020-10-07 | In GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, improper authorization checks allow a non-member of a project/group to change the confidentiality attribute of issue via mutation GraphQL query |
| CVE-2020-13346 | 2020-10-07 | Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API. |
| CVE-2020-25343 | 2020-10-07 | Cross-site scripting (XSS) vulnerabilities in Symphony CMS 3.0.0 allow remote attackers to inject arbitrary web script or HTML to fields['body'] param via events\event.publish_article.php |
| CVE-2020-24722 | 2020-10-07 | An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-10-05, as used in COVID-19 applications on Android and iOS. The encrypted metadata block with a TX... |
| CVE-2020-14355 | 2020-10-07 | Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by... |
| CVE-2020-11800 | 2020-10-07 | Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code. |
| CVE-2019-16160 | 2020-10-07 | An integer underflow in the SMB server of MikroTik RouterOS before 6.45.5 allows remote unauthenticated attackers to crash the service. |
| CVE-2020-24246 | 2020-10-07 | Peplink Balance before 8.1.0rc1 allows an unauthenticated attacker to download PHP configuration files (/filemanager/php/connector.php) from Web Admin. |
| CVE-2020-26596 | 2020-10-07 | The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload... |
| CVE-2020-26870 | 2020-10-07 | Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML,... |
| CVE-2020-13342 | 2020-10-07 | An issue has been discovered in GitLab affecting versions prior to 13.2.10, 13.3.7 and 13.4.2: Lack of Rate Limiting at Re-Sending Confirmation Email |
| CVE-2020-17551 | 2020-10-07 | ImpressCMS 1.4.0 is affected by XSS in modules/system/admin.php which may result in arbitrary remote code execution. |
| CVE-2020-26876 | 2020-10-07 | The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step (for course videos and materials) by using the /wp-json REST API, as exploited in... |
| CVE-2020-26880 | 2020-10-07 | Sympa through 6.2.57b.2 allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing... |
| CVE-2020-26164 | 2020-10-07 | In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker on the local network could send crafted packets that trigger use of large amounts of CPU, memory, or network connection slots,... |
| CVE-2020-7316 | 2020-10-07 | File and Removable Media Protection update fixes one vulnerability |
| CVE-2020-15175 | 2020-10-07 | Unauthenticated File Deletion in GLPI |
| CVE-2020-15176 | 2020-10-07 | SQL injection in GLPI |
| CVE-2020-15177 | 2020-10-07 | Unauthenticated Stored XSS in GLPI |
| CVE-2020-15217 | 2020-10-07 | User data exposure in GLPI |
| CVE-2020-15226 | 2020-10-07 | SQL Injection in GLPI Search API |
| CVE-2020-25768 | 2020-10-07 | Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when... |
| CVE-2020-25867 | 2020-10-07 | SoPlanning before 1.47 doesn't correctly check the security key used to publicly share plannings. It allows a bypass to get access without authentication. |
| CVE-2020-15501 | 2020-10-07 | Smarter Coffee Maker before 2nd generation allows firmware replacement without authentication or authorization. User interaction is required to press a button. NOTE: This vulnerability only affects products that are no... |
| CVE-2020-12400 | 2020-10-08 | When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80... |
| CVE-2020-12401 | 2020-10-08 | During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox <... |
| CVE-2020-3320 | 2020-10-08 | Cisco Firepower Management Center Cross-Site Scripting Vulnerability |
| CVE-2020-3467 | 2020-10-08 | Cisco Identity Services Engine Authorization Bypass Vulnerability |
| CVE-2020-3535 | 2020-10-08 | Cisco Webex Teams Client for Windows DLL Hijacking Vulnerability |
| CVE-2020-3536 | 2020-10-08 | Cisco SD-WAN vManage Cross-Site Scripting Vulnerability |
| CVE-2020-3543 | 2020-10-08 | Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Memory Leak Vulnerability |
| CVE-2020-3544 | 2020-10-08 | Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerability |
| CVE-2020-3567 | 2020-10-08 | Cisco Industrial Network Director Denial of Service Vulnerability |
| CVE-2020-3568 | 2020-10-08 | Cisco Email Security Appliance URL Filtering Bypass Vulnerability |
| CVE-2020-3589 | 2020-10-08 | Cisco Identity Services Engine Cross-Site Scripting Vulnerability |
| CVE-2020-3596 | 2020-10-08 | Cisco Expressway Series and TelePresence Video Communication Server Denial of Service Vulnerability |
| CVE-2020-3597 | 2020-10-08 | Cisco Nexus Data Broker Software Path Traversal Vulnerability |
| CVE-2020-3598 | 2020-10-08 | Cisco Vision Dynamic Signage Director Missing Authentication Vulnerability |
| CVE-2020-3601 | 2020-10-08 | Cisco StarOS Privilege Escalation Vulnerability |
| CVE-2020-3602 | 2020-10-08 | Cisco StarOS Privilege Escalation Vulnerability |
| CVE-2020-26567 | 2020-10-08 | An issue was discovered on D-Link DSR-250N before 3.17B devices. The CGI script upgradeStatusReboot.cgi can be accessed without authentication. Any access reboots the device, rendering it therefore unusable for several... |
| CVE-2020-25272 | 2020-10-08 | In SourceCodester Online Bus Booking System 1.0, there is XSS through the name parameter in book_now.php. |
| CVE-2020-25271 | 2020-10-08 | PHPGurukul hospital-management-system-in-php 4.0 allows XSS via admin/patient-search.php, doctor/search.php, book-appointment.php, doctor/appointment-history.php, or admin/appointment-history.php. |
| CVE-2020-25270 | 2020-10-08 | PHPGurukul hostel-management-system 2.1 allows XSS via Guardian Name, Guardian Relation, Guardian Contact no, Address, or City. |
| CVE-2020-25263 | 2020-10-08 | PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/addons/uninstall/anomaly.module.blocks URI: an arbitrary plugin will be deleted. |
| CVE-2020-25262 | 2020-10-08 | PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/pages/delete/ URI: pages will be deleted. |
| CVE-2020-25273 | 2020-10-08 | In SourceCodester Online Bus Booking System 1.0, there is Authentication bypass on the Admin Login screen in admin.php via username or password SQL injection. |
| CVE-2020-2286 | 2020-10-08 | Jenkins Role-based Authorization Strategy Plugin 3.0 and earlier does not properly invalidate a permission cache when the configuration is changed, resulting in permissions being granted based on an outdated configuration. |
| CVE-2020-2287 | 2020-10-08 | Jenkins Audit Trail Plugin 3.6 and earlier applies pattern matching to a different representation of request URL paths than the Stapler web framework uses for dispatching requests, which allows attackers... |
| CVE-2020-2288 | 2020-10-08 | In Jenkins Audit Trail Plugin 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored... |
| CVE-2020-2289 | 2020-10-08 | Jenkins Active Choices Plugin 2.4 and earlier does not escape the name and description of build parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure... |
| CVE-2020-2290 | 2020-10-08 | Jenkins Active Choices Plugin 2.4 and earlier does not escape some return values of sandboxed scripts for Reactive Reference Parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by... |
| CVE-2020-2291 | 2020-10-08 | Jenkins couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to... |
| CVE-2020-2292 | 2020-10-08 | Jenkins Release Plugin 2.10.2 and earlier does not escape the release version in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission. |
| CVE-2020-2293 | 2020-10-08 | Jenkins Persona Plugin 2.4 and earlier allows users with Overall/Read permission to read arbitrary files on the Jenkins controller. |
| CVE-2020-2294 | 2020-10-08 | Jenkins Maven Cascade Release Plugin 1.3.2 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to start cascade builds and layout builds, and... |
| CVE-2020-2295 | 2020-10-08 | A cross-site request forgery (CSRF) vulnerability in Jenkins Maven Cascade Release Plugin 1.3.2 and earlier allows attackers to start cascade builds and layout builds, and reconfigure the plugin. |
| CVE-2020-2296 | 2020-10-08 | A cross-site request forgery (CSRF) vulnerability in Jenkins Shared Objects Plugin 0.44 and earlier allows attackers to configure shared objects. |
| CVE-2020-2297 | 2020-10-08 | Jenkins SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access... |
| CVE-2020-2298 | 2020-10-08 | Jenkins Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2019-4545 | 2020-10-08 | IBM QRadar SIEM 7.3 and 7.4 when configured to use Active Directory Authentication may be susceptible to spoofing attacks. IBM X-Force ID: 165877. |
| CVE-2020-4280 | 2020-10-08 | IBM QRadar SIEM 7.3 and 7.4 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function.... |
| CVE-2020-4799 | 2020-10-08 | IBM Informix spatial 14.10 could allow a local user to execute commands as a privileged user due to an out of bounds write vulnerability. IBM X-Force ID: 189460. |
| CVE-2020-24301 | 2020-10-08 | Users of the HAPI FHIR Testpage Overlay 5.0.0 and below can use a specially crafted URL to exploit an XSS vulnerability in this module, allowing arbitrary JavaScript to be executed... |
| CVE-2020-15646 | 2020-10-08 | If an attacker intercepts Thunderbird's initial attempt to perform automatic account setup using the Microsoft Exchange autodiscovery mechanism, and the attacker sends a crafted response, then Thunderbird sends username and... |
| CVE-2020-13344 | 2020-10-08 | An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Sessions keys are stored in plain-text in Redis which allows attacker with Redis access... |
| CVE-2020-13340 | 2020-10-08 | An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2: Stored XSS in CI Job Log |
| CVE-2020-13339 | 2020-10-08 | An issue has been discovered in GitLab affecting all versions before 13.2.10, 13.3.7 and 13.4.2: XSS in SVG File Preview. Overall impact is limited due to the current user only... |
| CVE-2020-5389 | 2020-10-08 | Dell EMC OpenManage Integration for Microsoft System Center (OMIMSSC) for SCCM and SCVMM versions prior to 7.2.1 contain an information disclosure vulnerability. Authenticated low privileged OMIMSCC users may be able... |
| CVE-2020-26802 | 2020-10-08 | forma.lms 2.3.0.2 is affected by Cross Site Request Forgery (CSRF) in formalms/appCore/index.php?r=lms/profile/show&ap=saveinfo via a GET request to change the admin email address in order to accomplish an account takeover. |
| CVE-2020-10816 | 2020-10-08 | Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet. |
| CVE-2020-9048 | 2020-10-08 | victor Web Client - Arbitrary File Deletion Vulnerability |
| CVE-2020-1914 | 2020-10-08 | A logic vulnerability when handling the SaveGeneratorLong instruction in Facebook Hermes prior to commit b2021df620824627f5a8c96615edbd1eb7fdddfc allows attackers to potentially read out of bounds or theoretically execute arbitrary code via crafted... |
| CVE-2020-15242 | 2020-10-08 | Open Redirect in Next.js |
| CVE-2020-26894 | 2020-10-08 | LiveCode v9.6.1 on Windows allows local, low-privileged users to gain privileges by creating a malicious "cmd.exe" in the folder of the vulnerable LiveCode application. If the application is using LiveCode's... |
| CVE-2020-15241 | 2020-10-08 | Cross-Site Scripting in TYPO3 Fluid Engine |
| CVE-2019-19115 | 2020-10-08 | An escalation of privilege vulnerability in Nahimic APO Software Component Driver 1.4.2, 1.5.0, 1.5.1, 1.6.1 and 1.6.2 allows an attacker to execute code with SYSTEM privileges. |
| CVE-2020-15243 | 2020-10-08 | WebApi Authentication attribute missing in Smartstore |
| CVE-2020-13626 | 2020-10-09 | OnePlus App Locker through 2020-10-06 allows physically proximate attackers to use Google Assistant to bypass an authorization check in order to send an SMS message when the SMS application is... |
| CVE-2020-26931 | 2020-10-09 | Certain NETGEAR devices are affected by disclosure of sensitive information. This affects WC7500 before 6.5.5.24, WC7600 before 6.5.5.24, WC7600v2 before 6.5.5.24, and WC9500 before 6.5.5.24. |
| CVE-2020-26930 | 2020-10-09 | NETGEAR EX7700 devices before 1.0.0.210 are affected by incorrect configuration of security settings. |
| CVE-2020-26929 | 2020-10-09 | Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R6220 before 1.1.0.100 and R6230 before 1.1.0.100. |
| CVE-2020-26928 | 2020-10-09 | Certain NETGEAR devices are affected by authentication bypass. This affects CBR40 before 2.5.0.10, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.10.11, RBR850 before 3.2.10.11, and RBS850... |
| CVE-2020-26927 | 2020-10-09 | Certain NETGEAR devices are affected by authentication bypass. This affects D6200 before 1.1.00.40, D7000 before 1.0.1.78, R6020 before 1.0.0.42, R6080 before 1.0.0.42, R6050 before 1.0.1.26, JR6150 before 1.0.1.26, R6120 before... |
| CVE-2020-26926 | 2020-10-09 | Certain NETGEAR devices are affected by authentication bypass. This affects CBR40 before 2.5.0.10, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.10.11, RBR850 before 3.2.10.11, and RBS850... |