CVE List - 2020 / September
Showing 1501 - 1592 of 1592 CVEs for September 2020 (Page 16 of 16)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-14030 | 2020-09-29 | An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. It stores SMS messages in .NET serialized format on the filesystem. By generating (and writing to the disk) malicious... |
| CVE-2020-15594 | 2020-09-29 | An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. The mail gateway configuration feature allows an attacker to perform a scan in order to discover open... |
| CVE-2020-26041 | 2020-09-29 | An issue was discovered in Hoosk CMS v1.8.0. There is a Remote Code Execution vulnerability in install/index.php |
| CVE-2020-8238 | 2020-09-29 | A vulnerability in the authenticated user web interface of Pulse Connect Secure and Pulse Policy Secure < 9.1R8.2 could allow attackers to conduct Cross-Site Scripting (XSS). |
| CVE-2020-8256 | 2020-09-29 | A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to gain arbitrary file reading access through Pulse Collaboration via XML External Entity... |
| CVE-2020-26042 | 2020-09-29 | An issue was discovered in Hoosk CMS v1.8.0. There is a SQL injection vulnerability in install/index.php |
| CVE-2020-8243 | 2020-09-29 | A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload custom template to perform an arbitrary code execution. |
| CVE-2020-26043 | 2020-09-29 | An issue was discovered in Hoosk CMS v1.8.0. There is an XSS vulnerability in install/index.php |
| CVE-2020-4607 | 2020-09-29 | IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884. |
| CVE-2020-20800 | 2020-09-29 | An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection via the install/index.php?action=adminsetup&cndata=yes&endata=yes&showdata=yes URI. |
| CVE-2020-13296 | 2020-09-29 | An issue has been discovered in GitLab affecting versions >=10.7 <13.0.14, >=13.1.0 <13.1.8, >=13.2.0 <13.2.6. Improper Access Control for Deploy Tokens |
| CVE-2020-13319 | 2020-09-29 | An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. Missing permission check for adding time spent on an issue. |
| CVE-2020-15216 | 2020-09-29 | Signature Validation Bypass in goxmldsig |
| CVE-2020-13322 | 2020-09-29 | A vulnerability was discovered in GitLab versions after 12.9. Due to improper verification of permissions, an unauthorized user can create and delete deploy tokens. |
| CVE-2020-13320 | 2020-09-29 | An issue has been discovered in GitLab before version 12.10.13 that allowed a project member with limited permissions to view the project security dashboard. |
| CVE-2020-13328 | 2020-09-29 | An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. GitLab was vulnerable to a stored XSS by using the PyPi files API. |
| CVE-2020-13329 | 2020-09-29 | An issue has been discovered in GitLab affecting versions from 12.6.2 prior to 12.10.13. GitLab was vulnerable to a stored XSS in the blob view feature. |
| CVE-2020-13330 | 2020-09-29 | An issue has been discovered in GitLab affecting versions prior to 12.10.13. GitLab was vulnerable to a stored XSS in the Bitbucket project import feature. |
| CVE-2020-13331 | 2020-09-29 | An issue has been discovered in GitLab affecting versions prior to 12.10.13. GitLab was vulnerable to a stored XSS in the Wiki pages. |
| CVE-2020-13323 | 2020-09-29 | A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions private merge requests could be read via Todos |
| CVE-2020-13325 | 2020-09-29 | A vulnerability was discovered in GitLab versions prior to 13.1. The comment section of the issue page was not restricting the characters properly, potentially resulting in a denial of service. |
| CVE-2020-13324 | 2020-09-29 | A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions the private activity of a user could be exposed via the API. |
| CVE-2020-13321 | 2020-09-29 | A vulnerability was discovered in GitLab versions prior to 13.1. Username format restrictions could be bypassed allowing for html tags to be added. |
| CVE-2020-13326 | 2020-09-29 | A vulnerability was discovered in GitLab versions prior to 13.1. Under certain conditions the restriction for Github project import could be bypassed. |
| CVE-2020-26148 | 2020-09-29 | md_push_block_bytes in md4c.c in md4c 0.4.5 allows attackers to trigger use of uninitialized memory, and cause a denial of service (e.g., assertion failure) via a malformed Markdown document. |
| CVE-2020-13658 | 2020-09-29 | In Lansweeper 8.0.130.17, the web console is vulnerable to a CSRF attack that would allow a low-level Lansweeper user to elevate their privileges within the application. |
| CVE-2020-25760 | 2020-09-29 | Projectworlds Visitor Management System in PHP 1.0 allows SQL Injection. The file front.php does not perform input validation on the 'rid' parameter. An attacker can append SQL queries to the... |
| CVE-2020-25761 | 2020-09-29 | Projectworlds Visitor Management System in PHP 1.0 allows XSS. The file myform.php does not perform input validation on the request parameters. An attacker can inject javascript payloads in the parameters... |
| CVE-2020-25762 | 2020-09-29 | An issue was discovered in SourceCodester Seat Reservation System 1.0. The file admin_class.php does not perform input validation on the username and password parameters. An attacker can send malicious input... |
| CVE-2020-25763 | 2020-09-29 | Seat Reservation System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading PHP files. |
| CVE-2020-24569 | 2020-09-29 | An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a blind SQL injection in the knximport component via an advanced attack vector, allowing logged... |
| CVE-2020-24570 | 2020-09-29 | An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a CSRF issue (with resultant SSRF) in the com_mb24proxy module, allowing attackers to steal session... |
| CVE-2018-5354 | 2020-09-29 | The custom GINA/CP module in ANIXIS Password Reset Client before version 3.22 allows remote attackers to execute code and escalate privileges via spoofing. When the client is configured to use... |
| CVE-2018-5353 | 2020-09-29 | The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended... |
| CVE-2020-13794 | 2020-09-29 | Harbor 1.9.*, 1.10.*, and 2.0.* allows Exposure of Sensitive Information to an Unauthorized Actor. |
| CVE-2020-26150 | 2020-09-29 | info.php in Logaritmo Aware CallManager 2012 allows remote attackers to obtain sensitive information via a direct request, which calls the phpinfo function. |
| CVE-2020-26154 | 2020-09-29 | url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when PAC is enabled, as demonstrated by a large PAC file that is delivered without a Content-length header. |
| CVE-2020-14378 | 2020-09-30 | An integer underflow in dpdk versions before 18.11.10 and before 19.11.5 in the `move_desc` function can lead to large amounts of CPU cycles being eaten up in a long running... |
| CVE-2020-22842 | 2020-09-30 | CMS Made Simple before 2.2.15 allows XSS via the m1_mod parameter in a ModuleManager local_uninstall action to admin/moduleinterface.php. |
| CVE-2020-26158 | 2020-09-30 | Leanote Desktop through 2.6.2 allows XSS because a note's title is mishandled when the batch feature is triggered. This leads to remote code execution because of Node integration. |
| CVE-2020-26157 | 2020-09-30 | Leanote Desktop through 2.6.2 allows XSS because a note's title is mishandled during syncing. This leads to remote code execution because of Node integration. |
| CVE-2020-5132 | 2020-09-30 | SonicWall SSL-VPN products and SonicWall firewall SSL-VPN feature misconfiguration leads to possible DNS flaw known as domain name collision vulnerability. When the users publicly display their organization’s internal domain names... |
| CVE-2020-15731 | 2020-09-30 | Local Privilege Escalation in Bitdefender Engines (VA-8953) |
| CVE-2020-26149 | 2020-09-30 | NATS nats.js before 2.0.0-209, nats.ws before 1.0.0-111, and nats.deno before 1.0.0-9 allow credential disclosure from a client to a server. |
| CVE-2019-20922 | 2020-09-30 | Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow... |
| CVE-2019-20921 | 2020-09-30 | bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser. |
| CVE-2019-20920 | 2020-09-30 | Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript.... |
| CVE-2020-22481 | 2020-09-30 | An issue was discovered in HFish 0.5.1. When a payload is inserted where the password is entered, XSS code is triggered when the administrator views the information. |
| CVE-2020-26160 | 2020-09-30 | jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the... |
| CVE-2019-17098 | 2020-09-30 | Use of Hard-coded Cryptographic Key vulnerability in August Connect Wi-Fi Bridge App |
| CVE-2020-21244 | 2020-09-30 | An issue was discovered in FrontAccounting 2.4.7. There is a Directory Traversal vulnerability that can empty a folder via admin/inst_lang.php. |
| CVE-2020-21522 | 2020-09-30 | An issue was discovered in halo V1.1.3. A Zip Slip Directory Traversal Vulnerability in the backend, the attacker can overwrite some files, such as ftl files, .bashrc files in the user... |
| CVE-2020-21523 | 2020-09-30 | A Server-Side Freemarker template injection vulnerability in halo CMS v1.1.3, in the Edit Theme File function. The ftl file can be edited. This is the Freemarker template file. This file... |
| CVE-2020-21524 | 2020-09-30 | There is an XML external entity (XXE) vulnerability in halo v1.1.3. The function of importing other blogs in the background (/api/admin/migrations/wordpress) needs to parse the xml file, but it is not... |
| CVE-2020-4629 | 2020-09-30 | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local user with specialized access to obtain sensitive information from a detailed technical error message. This information could... |
| CVE-2020-21525 | 2020-09-30 | Halo V1.1.3 is affected by: Arbitrary File reading. In an interface that reads files in halo v1.1.3, a directory traversal check is performed on the input path parameter, but the... |
| CVE-2020-21526 | 2020-09-30 | There is an Arbitrary file writing vulnerability in halo v1.1.3. In an interface to write files in the background, a directory traversal check is performed on the input path parameter, but the... |
| CVE-2020-21527 | 2020-09-30 | There is an Arbitrary file deletion vulnerability in halo v1.1.3. A backup function in the background allows a user, when deleting their backup files, to delete any files on the... |
| CVE-2020-26163 | 2020-09-30 | BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Origin) attacks, which can result in Account Takeover if a victim follows a spoofed password-reset link. |
| CVE-2020-21564 | 2020-09-30 | An issue was discovered in Pluck CMS 4.7.10-dev2 and 4.7.11. There is a file upload vulnerability that can cause a remote command execution via admin.php?action=files. |
| CVE-2020-12505 | 2020-09-30 | WAGO: Vulnerability in web-based authentication in WAGO 750-8XX Version <= FW07 |
| CVE-2020-12506 | 2020-09-30 | WAGO: Authentication Bypass Vulnerability in WAGO 750-36X and WAGO 750-8XX Versions <= FW03 |
| CVE-2020-13953 | 2020-09-30 | In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an attacker can download files inside the WEB-INF folder of the WAR being run. |
| CVE-2018-11765 | 2020-09-30 | In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP... |
| CVE-2020-19670 | 2020-09-30 | In Niushop B2B2C Multi-Business Basic Edition V1.11, authentication can be bypassed, causing administrators to reset any passwords. |
| CVE-2020-13951 | 2020-09-30 | Attackers can use the public NetTest web service of Apache OpenMeetings 4.0.0-5.0.0 to organize a denial of service attack. |
| CVE-2019-18989 | 2020-09-30 | A partial authentication bypass vulnerability exists on Mediatek MT7620N 1.06 devices. The vulnerability allows sending an unencrypted data frame to a WPA2-protected WLAN router where the packet is routed through... |
| CVE-2019-18990 | 2020-09-30 | A partial authentication bypass vulnerability exists on Realtek RTL8812AR 1.21WW, RTL8196D 1.0.0, RTL8192ER 2.10, and RTL8881AN 1.09 devices. The vulnerability allows sending an unencrypted data frame to a WPA2-protected WLAN... |
| CVE-2019-18991 | 2020-09-30 | A partial authentication bypass vulnerability exists on Atheros AR9132 3.60(AMX.8), AR9283 1.85, and AR9285 1.0.0.12NA devices. The vulnerability allows sending an unencrypted data frame to a WPA2-protected WLAN router where... |
| CVE-2020-19672 | 2020-09-30 | Niushop B2B2C Multi-business basic version V1.11 allows bypassing the administrator check to reach the backend upload interface; via the upload parameter, the getimagesize check can be bypassed to upload a php file and obtain a shell. |
| CVE-2020-24721 | 2020-09-30 | An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put... |
| CVE-2020-19676 | 2020-09-30 | Nacos 1.1.4 is affected by: Incorrect Access Control. An environment can be set up locally to get the service details interface. Then other Nacos service names can be accessed through... |
| CVE-2020-15487 | 2020-09-30 | Re:Desk 2.3 contains a blind unauthenticated SQL injection vulnerability in the getBaseCriteria() function in the protected/models/Ticket.php file. By modifying the folder GET parameter, it is possible to execute arbitrary SQL... |
| CVE-2020-15488 | 2020-09-30 | Re:Desk 2.3 allows insecure file upload. |
| CVE-2020-15849 | 2020-09-30 | Re:Desk 2.3 has a blind authenticated SQL injection vulnerability in the SettingsController class, in the actionEmailTemplates() method. A malicious actor with access to an administrative account could abuse this vulnerability... |
| CVE-2020-14375 | 2020-09-30 | A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. Virtio ring descriptors, and the data they describe are in a region of memory accessible from... |
| CVE-2020-14376 | 2020-09-30 | A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A lack of bounds checking when copying iv_data from the VM guest memory into host memory can... |
| CVE-2020-14377 | 2020-09-30 | A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A complete lack of validation of attacker-controlled parameters can lead to a buffer over read. The results... |
| CVE-2020-14374 | 2020-09-30 | A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A flawed bounds checking in the copy_data function leads to a buffer overflow allowing an attacker in... |
| CVE-2020-25626 | 2020-09-30 | A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that... |
| CVE-2020-25816 | 2020-09-30 | HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7... |
| CVE-2020-25288 | 2020-09-30 | An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of... |
| CVE-2020-25781 | 2020-09-30 | An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes... |
| CVE-2020-25830 | 2020-09-30 | An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary... |
| CVE-2020-6654 | 2020-09-30 | DLL Hijacking |
| CVE-2020-12870 | 2020-09-30 | RainbowFish PacsOne Server 6.8.4 allows SQL injection on the username parameter in the signup page. |
| CVE-2020-12715 | 2020-09-30 | RainbowFish PacsOne Server 6.8.4 has Incorrect Access Control. |
| CVE-2020-16234 | 2020-09-30 | FATEK Automation PLC WinProladder |
| CVE-2020-13952 | 2020-09-30 | In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number... |
| CVE-2020-12869 | 2020-09-30 | RainbowFish PacsOne Server 6.8.4 allows XSS. |
| CVE-2020-13336 | 2020-09-30 | An issue has been discovered in GitLab affecting versions from 11.8 before 12.10.13. GitLab was vulnerable to a stored XSS in the error tracking feature. |
| CVE-2019-20902 | 2020-10-01 | Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1. |
| CVE-2019-20903 | 2020-10-01 | The hyperlinks functionality in atlaskit/editor-core before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets. |
| CVE-2020-8109 | 2020-10-01 | Bitdefender ace.xmd parser out-of-bounds write (VA-8772) |
| CVE-2020-24861 | 2020-10-01 | GetSimple CMS 3.3.16 allows persistent Cross-Site Scripting via the 'permalink' parameter on the Settings page, which is executed when a new page is created and opened |
| CVE-2020-24860 | 2020-10-01 | CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can... |
| CVE-2020-25990 | 2020-10-01 | WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' in /websitebaker/admin/preferences/save.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in... |
| CVE-2020-4576 | 2020-10-01 | IBM WebSphere Application Server 7.5, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a specially-crafted sequence of serialized objects. IBM X-Force ID: 184428. |
| CVE-2020-24620 | 2020-10-01 | Unisys Stealth(core) before 4.0.134 stores passwords in a recoverable format. Therefore, a search of Enterprise Manager can potentially reveal credentials. |
| CVE-2020-16844 | 2020-10-01 | In Istio 1.5.0 through 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields,... |