Lista CVE - 2020 / Giugno
Visualizzazione 1 - 100 di 1807 CVE per Giugno 2020 (Pagina 1 di 19)
| ID CVE | Data | Titolo |
|---|---|---|
| CVE-2020-4014 | 2020-06-01 | The /profile/deleteWatch.do resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to remove another user's watching settings for a repository via an improper authorization vulnerability. |
| CVE-2020-4015 | 2020-06-01 | The /json/fe/activeUserFinder.do resource in Altassian Fisheye and Crucible before version 4.8.1 allows remote attackers to view user user email addresses via a information disclosure vulnerability. |
| CVE-2020-4016 | 2020-06-01 | The /plugins/servlet/jira-blockers/ resource in the crucible-jira-ril plugin in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to get the ID of configured Jira application links via an information... |
| CVE-2020-4017 | 2020-06-01 | The /rest/jira-ril/1.0/jira-rest/applinks resource in the crucible-jira-ril plugin in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to get information about any configured Jira application links via an information... |
| CVE-2020-4018 | 2020-06-01 | The setup resources in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to complete the setup process via a cross-site request forgery (CSRF) vulnerability. |
| CVE-2020-4019 | 2020-06-01 | The file editing functionality in the Atlassian Companion App before version 1.0.0 allows local attackers to have the app run a different executable in place of the app's cmd.exe via... |
| CVE-2020-4020 | 2020-06-01 | The file downloading functionality in the Atlassian Companion App before version 1.0.0 allows remote attackers, who control a Confluence Server instance that the Companion App is connected to, execute arbitrary... |
| CVE-2020-4021 | 2020-06-01 | Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site... |
| CVE-2020-4023 | 2020-06-01 | The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the... |
| CVE-2020-6868 | 2020-06-01 | There is an input validation vulnerability in a PON terminal product of ZTE, which supports the creation of WAN connections through WEB management pages. The front-end limits the length of... |
| CVE-2020-7659 | 2020-06-01 | reel through 0.6.1 allows Request Smuggling attacks due to incorrect Content-Length and Transfer encoding header parsing. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header... |
| CVE-2020-8967 | 2020-06-01 | GESIO SQL injection vulnerability |
| CVE-2019-20805 | 2020-06-01 | p_lx_elf.cpp in UPX before 3.96 has an integer overflow during unpacking via crafted values in a PT_DYNAMIC segment. |
| CVE-2020-12867 | 2020-06-01 | A NULL pointer dereference in sanei_epson_net_read in SANE Backends before 1.0.30 allows a malicious device connected to the same local network as the victim to cause a denial of service,... |
| CVE-2020-9071 | 2020-06-01 | There is a few bytes out-of-bounds read vulnerability in some Huawei products. The software reads data past the end of the intended buffer when parsing certain message, an authenticated attacker... |
| CVE-2020-7660 | 2020-06-01 | serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js". |
| CVE-2020-13448 | 2020-06-01 | QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8 allows an authenticated remote attacker to execute code on the server via command injection in the servicestart parameter. |
| CVE-2020-13694 | 2020-06-01 | In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user can execute sudo mysql without a password, which means that the www-data user can execute... |
| CVE-2020-12062 | 2020-06-01 | The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to... |
| CVE-2014-8945 | 2020-06-01 | admin.php?page=projects in Lexiglot through 2014-11-20 allows command injection via username and password fields. |
| CVE-2014-8940 | 2020-06-01 | Lexiglot through 2014-11-20 allows remote attackers to obtain sensitive information (names and details of projects) by visiting the /update.log URI. |
| CVE-2014-8939 | 2020-06-01 | Lexiglot through 2014-11-20 allows remote attackers to obtain sensitive information (full path) via an include/smarty/plugins/modifier.date_format.php request if PHP has a non-recommended configuration that produces warning messages. |
| CVE-2014-8938 | 2020-06-01 | Lexiglot through 2014-11-20 allows local users to obtain sensitive information by listing a process because the username and password are on the command line. |
| CVE-2014-8937 | 2020-06-01 | Lexiglot through 2014-11-20 allows denial of service because api/update.php launches svn update operations that use a great deal of resources. |
| CVE-2014-8944 | 2020-06-01 | Lexiglot through 2014-11-20 allows XSS (Reflected) via the username, or XSS (Stored) via the admin.php?page=config install_name, intro_message, or new_file_content parameter. |
| CVE-2014-8943 | 2020-06-01 | Lexiglot through 2014-11-20 allows SSRF via the admin.php?page=projects svn_url parameter. |
| CVE-2014-8942 | 2020-06-01 | Lexiglot through 2014-11-20 allows CSRF. |
| CVE-2014-8941 | 2020-06-01 | Lexiglot through 2014-11-20 allows SQL injection via an admin.php?page=users&from_id= or admin.php?page=history&limit= URI. |
| CVE-2014-7174 | 2020-06-01 | FarLinX X25 Gateway through 2014-09-25 allows directory traversal via the log-handling feature. |
| CVE-2014-7175 | 2020-06-01 | FarLinX X25 Gateway through 2014-09-25 allows attackers to write arbitrary data to fsUI.xyz via fsSaveUIPersistence.php. |
| CVE-2014-7173 | 2020-06-01 | FarLinX X25 Gateway through 2014-09-25 allows command injection via shell metacharacters to sysSaveMonitorData.php, fsx25MonProxy.php, syseditdate.php, iframeupload.php, or sysRestoreX25Cplt.php. |
| CVE-2014-9702 | 2020-06-01 | system/classes/DbPDO.php in Cmfive through 2015-03-15, when database connectivity malfunctions, allows remote attackers to obtain sensitive information (username and password) via any request, such as a password reset request. |
| CVE-2020-13695 | 2020-06-01 | In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an attacker... |
| CVE-2020-13757 | 2020-06-01 | Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA,... |
| CVE-2020-13758 | 2020-06-01 | modules/security/classes/general.post_filter.php/post_filter.php in the Web Application Firewall in Bitrix24 through 20.0.950 allows XSS by placing %00 before the payload. |
| CVE-2019-15709 | 2020-06-01 | An improper input validation in FortiAP-S/W2 6.2.0 to 6.2.2, 6.0.5 and below, FortiAP-U 6.0.1 and below CLI admin console may allow unauthorized administrators to overwrite system files via specially crafted... |
| CVE-2020-9291 | 2020-06-01 | An Insecure Temporary File vulnerability in FortiClient for Windows 6.2.1 and below may allow a local user to gain elevated privileges via exhausting the pool of temporary file names combined... |
| CVE-2020-10703 | 2020-06-02 | A NULL pointer dereference was found in the libvirt API responsible introduced in upstream version 3.10.0, and fixed in libvirt 6.0.0, for fetching a storage pool based on its target... |
| CVE-2020-10136 | 2020-06-02 | IP-in-IP protocol allows a remote, unauthenticated attacker to route arbitrary network traffic |
| CVE-2020-10739 | 2020-06-02 | Istio 1.4.x before 1.4.9 and Istio 1.5.x before 1.5.4 contain the following vulnerability when telemetry v2 is enabled: by sending a specially crafted packet, an attacker could trigger a Null... |
| CVE-2020-13659 | 2020-06-02 | address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer. |
| CVE-2020-13754 | 2020-06-02 | hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. |
| CVE-2020-13401 | 2020-06-02 | An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain... |
| CVE-2020-13229 | 2020-06-02 | An issue was discovered in Sysax Multi Server 6.90. A session can be hijacked if one observes the sid value in any /scgi URI, because it is an authentication token. |
| CVE-2020-4360 | 2020-06-02 | IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading... |
| CVE-2020-4366 | 2020-06-02 | IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading... |
| CVE-2020-4367 | 2020-06-02 | IBM Planning Analytics Local 2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 179001. |
| CVE-2020-4431 | 2020-06-02 | IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading... |
| CVE-2020-4503 | 2020-06-02 | IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading... |
| CVE-2020-13228 | 2020-06-02 | An issue was discovered in Sysax Multi Server 6.90. There is reflected XSS via the /scgi sid parameter. |
| CVE-2020-10959 | 2020-06-02 | resources/src/mediawiki.page.ready/ready.js in MediaWiki before 1.35 allows remote attackers to force a logout and external redirection via HTML content in a MediaWiki page. |
| CVE-2020-13227 | 2020-06-02 | An issue was discovered in Sysax Multi Server 6.90. An attacker can determine the username (under which the web server is running) by triggering an invalid path permission error. This... |
| CVE-2019-17603 | 2020-06-02 | Ene.sys in Asus Aura Sync through 1.07.71 does not properly validate input to IOCTL 0x80102044, 0x80102050, and 0x80102054, which allows local users to cause a denial of service (system crash)... |
| CVE-2019-14038 | 2020-06-02 | Buffer over-read in ADSP parse function due to lack of check for availability of sufficient data payload received in command response in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon... |
| CVE-2019-14039 | 2020-06-02 | Out of bound read in adm call back function due to incorrect boundary check for payload in command response in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT,... |
| CVE-2019-14042 | 2020-06-02 | Out of bound read in in fingerprint application due to requested data assigned to a local buffer without length check in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT,... |
| CVE-2019-14043 | 2020-06-02 | Out of bound read in Fingerprint application due to requested data is being used without length check in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT,... |
| CVE-2019-14053 | 2020-06-02 | When attempting to create a new XFRM policy, a stack out-of-bounds read will occur if the user provides a template where the mode is set to a value that does... |
| CVE-2019-14054 | 2020-06-02 | Improper permissions in XBL_SEC region enable user to update XBL_SEC code and data and divert the RAM dump path to normal cold boot path in Snapdragon Compute, Snapdragon Consumer IOT,... |
| CVE-2019-14066 | 2020-06-02 | Integer overflow in calculating estimated output buffer size when getting a list of installed Feature IDs, Serial Numbers or checking Feature ID status in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer... |
| CVE-2019-14067 | 2020-06-02 | Using non-time-constant functions like memcmp to compare sensitive data can lead to information leakage through timing side channel issue. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon... |
| CVE-2019-14077 | 2020-06-02 | Out of bound memory access while processing ese transmit command due to passing Response buffer received from user in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial... |
| CVE-2019-14078 | 2020-06-02 | Out of bound memory access while processing qpay due to not validating length of the response buffer provided by User. in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial... |
| CVE-2019-14087 | 2020-06-02 | Failure in buffer management while accessing handle for HDR blit when color modes not supported by display in Snapdragon Consumer IOT, Snapdragon Mobile, Snapdragon Wearables in MSM8909W, QCS605 |
| CVE-2020-3610 | 2020-06-02 | Possibility of double free of the drawobj that is added to the drawqueue array of the context during IOCTL commands as there is no refcount taken for this object in... |
| CVE-2020-3615 | 2020-06-02 | Valid deauth/disassoc frames is dropped in case if RMF is enabled and some rouge peer keep on sending rogue deauth/disassoc frames due to improper enum values used to check the... |
| CVE-2020-3616 | 2020-06-02 | Buffer overflow in display function due to memory copy without checking length of size using strcpy function in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT,... |
| CVE-2020-3618 | 2020-06-02 | NULL exception due to accessing bad pointer while posting events on RT FIFO in Snapdragon Compute, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in IPQ6018, IPQ8074, QCA8081, SC8180X, SXR2130 |
| CVE-2020-3623 | 2020-06-02 | kernel failure due to load failures while running v1 path directly via kernel in Snapdragon Mobile in SM8250, SXR2130 |
| CVE-2020-3625 | 2020-06-02 | When making query to DSP capabilities, Stack out of bounds occurs due to wrong buffer length configured for DSP attributes in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Mobile in SM8250,... |
| CVE-2020-3630 | 2020-06-02 | Possibility of out of bound access while processing the responses from video firmware in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice... |
| CVE-2020-3633 | 2020-06-02 | Array out of bound may occur while playing mp3 file as no check is there on offset if it is greater than the buffer allocated or not in Snapdragon Auto,... |
| CVE-2020-3641 | 2020-06-02 | Integer overflow may occur if atom size is less than atom offset as there is improper validation of atom size in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial... |
| CVE-2020-3645 | 2020-06-02 | Firmware will hit assert in WLAN firmware If encrypted data length in FILS IE of reassoc response is more than 528 bytes in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics... |
| CVE-2020-3680 | 2020-06-02 | A race condition can occur when using the fastrpc memory mapping API. in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8009, APQ8053,... |
| CVE-2018-18623 | 2020-06-02 | Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. |
| CVE-2018-18624 | 2020-06-02 | Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. |
| CVE-2018-18625 | 2020-06-02 | Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. |
| CVE-2019-11843 | 2020-06-02 | The MailPoet plugin before 3.23.2 for WordPress allows remote attackers to inject arbitrary web script or HTML using extra parameters in the URL (Reflective Server-Side XSS). |
| CVE-2020-5410 | 2020-06-02 | Directory Traversal with spring-cloud-config-server |
| CVE-2020-13759 | 2020-06-02 | rust-vmm vm-memory before 0.1.1 and 0.2.x before 0.2.1 allows attackers to cause a denial of service (loss of IP networking) because read_obj and write_obj do not properly access memory. This... |
| CVE-2020-7663 | 2020-06-02 | websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter... |
| CVE-2020-7662 | 2020-06-02 | websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter... |
| CVE-2020-12017 | 2020-06-02 | GE Grid Solutions Reason RT Clocks, RT430, RT431, and RT434, all firmware versions prior to 08A05. The device’s vulnerability in the web application could allow multiple unauthenticated attacks that could... |
| CVE-2020-13763 | 2020-06-02 | In Joomla! before 3.9.19, the default settings of the global textfilter configuration do not block HTML inputs for Guest users. |
| CVE-2020-13762 | 2020-06-02 | In Joomla! before 3.9.19, incorrect input validation of the module tag option in com_modules allows XSS. |
| CVE-2020-13761 | 2020-06-02 | In Joomla! before 3.9.19, lack of input validation in the heading tag option of the "Articles - Newsflash" and "Articles - Categories" modules allows XSS. |
| CVE-2020-13760 | 2020-06-02 | In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF. |
| CVE-2020-13764 | 2020-06-02 | common.php in the Gravity Forms plugin before 2.4.9 for WordPress can leak hashed passwords because user_pass is not considered a special case for a $current_user->get($property) call. |
| CVE-2020-12607 | 2020-06-02 | An issue was discovered in fastecdsa before 2.1.2. When using the NIST P-256 curve in the ECDSA implementation, the point at infinity is mishandled. This means that for an extreme... |
| CVE-2020-13775 | 2020-06-02 | ZNC 1.8.0 up to 1.8.1-rc1 allows authenticated users to trigger an application crash (with a NULL pointer dereference) if echo-message is not enabled and there is no network. |
| CVE-2019-20810 | 2020-06-02 | go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586. |
| CVE-2020-4026 | 2020-06-02 | The CustomAppsRestResource list resource in Atlassian Navigator Links before version 3.3.23, from version 4.0.0 before version 4.3.7, from version 5.0.0 before 5.0.1, and from version 5.1.0 before 5.1.1 allows remote... |
| CVE-2020-11080 | 2020-06-03 | Denial of service in nghttp2 |
| CVE-2020-13776 | 2020-06-03 | systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the... |
| CVE-2019-20812 | 2020-06-03 | An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain... |
| CVE-2019-20811 | 2020-06-03 | An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c. |
| CVE-2020-2190 | 2020-06-03 | Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page, resulting in a stored cross-site scripting vulnerability. |
| CVE-2020-2191 | 2020-06-03 | Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier does not check permissions on API endpoints that allow adding and removing agent labels. |
| CVE-2020-2192 | 2020-06-03 | A cross-site request forgery vulnerability in Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier allows attackers to add or remove agent labels. |