Lista CVE - 2020 / Luglio
Visualizzazione 1 - 100 di 1417 CVE per Luglio 2020 (Pagina 1 di 15)
| ID CVE | Data | Titolo |
|---|---|---|
| CVE-2019-20408 | 2020-07-01 | The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a... |
| CVE-2020-14164 | 2020-07-01 | The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability... |
| CVE-2020-14165 | 2020-07-01 | The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability. |
| CVE-2020-14166 | 2020-07-01 | The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via an... |
| CVE-2020-14167 | 2020-07-01 | The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact... |
| CVE-2020-14168 | 2020-07-01 | The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access... |
| CVE-2020-14169 | 2020-07-01 | The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability |
| CVE-2020-4022 | 2020-07-01 | The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML... |
| CVE-2020-4024 | 2020-07-01 | The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML... |
| CVE-2020-4025 | 2020-07-01 | The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and... |
| CVE-2020-4027 | 2020-07-01 | Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros.... |
| CVE-2020-4029 | 2020-07-01 | The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via... |
| CVE-2020-15468 | 2020-07-01 | Persian VIP Download Script 1.0 allows SQL Injection via the cart_edit.php active parameter. |
| CVE-2020-15470 | 2020-07-01 | ffjpeg through 2020-02-24 has a heap-based buffer overflow in jfif_decode in jfif.c. |
| CVE-2020-15476 | 2020-07-01 | In nDPI through 3.2, the Oracle protocol dissector has a heap-based buffer over-read in ndpi_search_oracle in lib/protocols/oracle.c. |
| CVE-2020-15475 | 2020-07-01 | In nDPI through 3.2, ndpi_reset_packet_line_info in lib/ndpi_main.c omits certain reinitialization, leading to a use-after-free. |
| CVE-2020-15474 | 2020-07-01 | In nDPI through 3.2, there is a stack overflow in extractRDNSequence in lib/protocols/tls.c. |
| CVE-2020-15473 | 2020-07-01 | In nDPI through 3.2, the OpenVPN dissector is vulnerable to a heap-based buffer over-read in ndpi_search_openvpn in lib/protocols/openvpn.c. |
| CVE-2020-15472 | 2020-07-01 | In nDPI through 3.2, the H.323 dissector is vulnerable to a heap-based buffer over-read in ndpi_search_h323 in lib/protocols/h323.c, as demonstrated by a payload packet length that is too short. |
| CVE-2020-15471 | 2020-07-01 | In nDPI through 3.2, the packet parsing code is vulnerable to a heap-based buffer over-read in ndpi_parse_packet_line_info in lib/ndpi_main.c. |
| CVE-2020-15478 | 2020-07-01 | The Journal theme before 3.1.0 for OpenCart allows exposure of sensitive data via SQL errors. |
| CVE-2020-6261 | 2020-07-01 | SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to perform a log injection into the trace file, due to Incomplete XML Validation. The readability of the trace file... |
| CVE-2017-1659 | 2020-07-01 | "HCL iNotes is susceptible to a Cross-Site Scripting (XSS) Vulnerability. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials." |
| CVE-2017-1712 | 2020-07-01 | "A vulnerability in the TLS protocol implementation of the Domino server could allow an unauthenticated, remote attacker to access sensitive information, aka a Return of Bleichenbacher's Oracle Threat (ROBOT) attack.... |
| CVE-2020-12603 | 2020-07-01 | Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (i.e. 1 byte) data frames. |
| CVE-2020-7689 | 2020-07-01 | Insecure Encryption |
| CVE-2020-5900 | 2020-07-01 | In versions 3.0.0-3.4.0, 2.0.0-2.9.0, and 1.0.1, there is insufficient cross-site request forgery (CSRF) protections for the NGINX Controller user interface. |
| CVE-2020-5899 | 2020-07-01 | In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the... |
| CVE-2020-5901 | 2020-07-01 | In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. If the victim user is logged in as admin this could result in... |
| CVE-2020-13380 | 2020-07-01 | openSIS before 7.4 allows SQL Injection. |
| CVE-2020-13381 | 2020-07-01 | openSIS through 7.4 allows SQL Injection. |
| CVE-2020-8663 | 2020-07-01 | Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may exhaust file descriptors and/or memory when accepting too many connections. |
| CVE-2020-13382 | 2020-07-01 | openSIS through 7.4 has Incorrect Access Control. |
| CVE-2020-13383 | 2020-07-01 | openSIS through 7.4 allows Directory Traversal. |
| CVE-2020-12604 | 2020-07-01 | Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window... |
| CVE-2019-4676 | 2020-07-01 | IBM Security Identity Manager Virtual Appliance 7.0.2 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 171512. |
| CVE-2019-4704 | 2020-07-01 | IBM Security Identity Manager Virtual Appliance 7.0.2 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending... |
| CVE-2019-4705 | 2020-07-01 | IBM Security Identity Manager Virtual Appliance 7.0.2 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 172015. |
| CVE-2019-4706 | 2020-07-01 | IBM Security Identity Manager Virtual Appliance 7.0.2 writes information to log files which can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user... |
| CVE-2020-4355 | 2020-07-01 | IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 is vulnerable to a denial of service, caused by improper handling of Secure... |
| CVE-2020-4363 | 2020-07-01 | IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 is vulnerable to a buffer overflow, caused by improper bounds checking which could... |
| CVE-2020-4376 | 2020-07-01 | IBM MQ, IBM MQ Appliance, IBM MQ for HPE NonStop 8.0.4 and 8.1.0 could allow an attacker to cause a denial of service caused by an error within the pubsub... |
| CVE-2020-4386 | 2020-07-01 | IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to obtain sensitive information using a race condition... |
| CVE-2020-4387 | 2020-07-01 | IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to obtain sensitive information using a race condition... |
| CVE-2020-4414 | 2020-07-01 | IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local attacker to perform unauthorized actions on the system, caused... |
| CVE-2020-4420 | 2020-07-01 | IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow an unauthenticated attacker to cause a denial of service due a... |
| CVE-2020-5906 | 2020-07-01 | In versions 13.1.0-13.1.3.3, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, the BIG-IP system does not properly enforce the access controls for the scp.blacklist files. This allows Admin and Resource Admin users with Secure Copy... |
| CVE-2020-12605 | 2020-07-01 | Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs. |
| CVE-2020-5908 | 2020-07-01 | In versions bundled with BIG-IP APM 12.1.0-12.1.5 and 11.6.1-11.6.5.2, Edge Client for Linux exposes full session ID in the local log files. |
| CVE-2020-5904 | 2020-07-01 | In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, a cross-site request forgery (CSRF) vulnerability in the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, exists in an... |
| CVE-2020-5905 | 2020-07-01 | In version 11.6.1-11.6.5.2 of the BIG-IP system Configuration utility Network > WCCP page, the system does not sanitize all user-provided data before display. |
| CVE-2020-5903 | 2020-07-01 | In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, a Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. |
| CVE-2020-5907 | 2020-07-01 | In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, an authorized user provided with access only to the TMOS Shell (tmsh) may be able to conduct arbitrary file read/writes via... |
| CVE-2020-6089 | 2020-07-01 | An exploitable code execution vulnerability exists in the ANI file format parser of Leadtools 20. A specially crafted ANI file can cause a buffer overflow resulting in remote code execution.... |
| CVE-2020-12497 | 2020-07-01 | Phoenix Contact Automation Worx <= 1.87: stack-based overflow |
| CVE-2020-12498 | 2020-07-01 | Phoenix Contact Automation Worx <= 1.87: out-of-bounds read remote code execution |
| CVE-2020-2500 | 2020-07-01 | This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Attackers can access the sensitive data on QNAP Kayako server with API keys. We... |
| CVE-2020-14056 | 2020-07-01 | Monsta FTP 2.10.1 or below is prone to a server-side request forgery vulnerability due to insufficient restriction of the web fetch functionality. This allows attackers to read arbitrary local files... |
| CVE-2020-14055 | 2020-07-01 | Monsta FTP 2.10.1 or below is prone to a stored cross-site scripting vulnerability in the language setting due to insufficient output encoding. |
| CVE-2020-14057 | 2020-07-01 | Monsta FTP 2.10.1 or below allows external control of paths used in filesystem operations. This allows attackers to read and write arbitrary local files, allowing an attacker to gain remote... |
| CVE-2020-7688 | 2020-07-01 | Command Injection |
| CVE-2020-13619 | 2020-07-01 | php/exec/escapeshellarg in Locutus PHP through 2.0.11 allows an attacker to achieve code execution. |
| CVE-2020-14196 | 2020-07-01 | In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 and 4.1.16, the ACL restricting access to the internal web server is not properly enforced. |
| CVE-2019-15310 | 2020-07-01 | An issue was discovered on various devices via the Linkplay firmware. There is WAN remote code execution without user interaction. An attacker could retrieve the AWS key from the firmware... |
| CVE-2019-15311 | 2020-07-01 | An issue was discovered on Zolo Halo devices via the Linkplay firmware. There is Zolo Halo LAN remote code execution. The Zolo Halo Bluetooth speaker had a GoAhead web server... |
| CVE-2019-15312 | 2020-07-01 | An issue was discovered on Zolo Halo devices via the Linkplay firmware. There is a Zolo Halo DNS rebinding attack. The device was found to be vulnerable to DNS rebinding.... |
| CVE-2020-15490 | 2020-07-01 | An issue was discovered on Wavlink WL-WN530HG4 M30HG4.V5030.191116 devices. Multiple buffer overflow vulnerabilities exist in CGI scripts, leading to remote code execution with root privileges. (The set of affected scripts... |
| CVE-2020-15489 | 2020-07-01 | An issue was discovered on Wavlink WL-WN530HG4 M30HG4.V5030.191116 devices. Multiple shell metacharacter injection vulnerabilities exist in CGI scripts, leading to remote code execution with root privileges. |
| CVE-2020-15500 | 2020-07-01 | An issue was discovered in server.js in TileServer GL through 3.0.0. The content of the key GET parameter is reflected unsanitized in an HTTP response for the application's main page,... |
| CVE-2020-5238 | 2020-07-01 | Denial of service in table parsing in cmark-gfm |
| CVE-2020-15503 | 2020-07-02 | LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affects decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example, malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without validating T.tlength. |
| CVE-2020-8161 | 2020-07-02 | A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in... |
| CVE-2020-3297 | 2020-07-02 | Cisco Small Business Smart and Managed Switches Session Management Vulnerability |
| CVE-2020-3340 | 2020-07-02 | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities |
| CVE-2020-3391 | 2020-07-02 | Cisco Digital Network Architecture Center Information Disclosure Vulnerability |
| CVE-2020-3402 | 2020-07-02 | Cisco Unified Customer Voice Portal Information Disclosure Vulnerability |
| CVE-2020-15502 | 2020-07-02 | The DuckDuckGo application through 5.58.0 for Android, and through 7.47.1.0 for iOS, sends hostnames of visited web sites within HTTPS .ico requests to servers in the duckduckgo.com domain, which might... |
| CVE-2020-5911 | 2020-07-02 | In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system. |
| CVE-2020-5910 | 2020-07-02 | In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful... |
| CVE-2020-5909 | 2020-07-02 | In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified. |
| CVE-2020-9497 | 2020-07-02 | Apache Guacamole 1.1.0 and older do not properly validate datareceived from RDP servers via static virtual channels. If a userconnects to a malicious or compromised RDP server, specially-craftedPDUs could result... |
| CVE-2020-9498 | 2020-07-02 | Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted... |
| CVE-2020-7821 | 2020-07-02 | Tobesoft NEXACRO14/17 ExCommonApiV13 Arbitrary Code Execution Vulnerability |
| CVE-2020-7820 | 2020-07-02 | Tobesoft NEXACRO14/17 ExCommonApiV13 Arbitrary Code Execution Vulnerability |
| CVE-2020-3282 | 2020-07-02 | Cisco Unified Communications Products Cross-Site Scripting Vulnerability |
| CVE-2020-12119 | 2020-07-02 | Ledger Live before 2.7.0 does not handle Bitcoin's Replace-By-Fee (RBF). It increases the user's balance with the value of an unconfirmed transaction as soon as it is received (before the... |
| CVE-2020-2201 | 2020-07-02 | Jenkins Sonargraph Integration Plugin 3.0.0 and earlier does not escape the file path for the Log file field form validation, resulting in a stored cross-site scripting vulnerability. |
| CVE-2020-2202 | 2020-07-02 | A missing permission check in Jenkins Fortify on Demand Plugin 6.0.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. |
| CVE-2020-2203 | 2020-07-02 | A cross-site request forgery vulnerability in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs. |
| CVE-2020-2204 | 2020-07-02 | A missing permission check in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers with Overall/Read permission to connect to the globally configured Fortify on Demand endpoint using attacker-specified... |
| CVE-2020-2205 | 2020-07-02 | Jenkins VncRecorder Plugin 1.25 and earlier does not escape a tool path in the `checkVncServ` form validation endpoint, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by Jenkins administrators. |
| CVE-2020-2206 | 2020-07-02 | Jenkins VncRecorder Plugin 1.25 and earlier does not escape a parameter value in the checkVncServ form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability. |
| CVE-2020-2207 | 2020-07-02 | Jenkins VncViewer Plugin 1.7 and earlier does not escape a parameter value in the checkVncServ form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability. |
| CVE-2020-2208 | 2020-07-02 | Jenkins Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission,... |
| CVE-2020-2209 | 2020-07-02 | Jenkins TestComplete support Plugin 2.4.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission,... |
| CVE-2020-2210 | 2020-07-02 | Jenkins Stash Branch Parameter Plugin 0.3.0 and earlier transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure. |
| CVE-2020-2211 | 2020-07-02 | Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
| CVE-2020-2212 | 2020-07-02 | Jenkins GitHub Coverage Reporter Plugin 1.8 and earlier stores secrets unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to... |
| CVE-2020-2213 | 2020-07-02 | Jenkins White Source Plugin 19.1.1 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by... |
| CVE-2020-2214 | 2020-07-02 | Jenkins ZAP Pipeline Plugin 1.9 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. |