CVE List - 2020 / September
Showing 101 - 200 of 1592 CVEs for September 2020 (Page 2 of 16)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-6152 | 2020-09-01 | A code execution vulnerability exists in the DICOM parse_dicom_meta_info functionality of Accusoft ImageGear 19.7. A specially crafted malformed file can cause an out-of-bounds write. An attacker can trigger this vulnerability... |
| CVE-2020-8335 | 2020-09-01 | The BIOS tamper detection mechanism was not triggered in Lenovo ThinkPad A285, BIOS versions up to r0xuj70w; A485, BIOS versions up to r0wuj65w; T495 BIOS versions up to r12uj55w; T495s/X395,... |
| CVE-2020-8341 | 2020-09-01 | In Lenovo systems, SMM BIOS Write Protection is used to prevent writes to SPI Flash. While this provides sufficient protection, an additional layer of protection is provided by SPI Protected... |
| CVE-2020-24955 | 2020-09-01 | SUPERAntiSyware Professional X Trial 10.0.1206 is vulnerable to local privilege escalation because it allows unprivileged users to restore a malicious DLL from quarantine into the system32 folder via an NTFS... |
| CVE-2020-16150 | 2020-09-02 | A Lucky 13 timing side channel in mbedtls_ssl_decrypt_buf in library/ssl_msg.c in Trusted Firmware Mbed TLS through 2.23.0 allows an attacker to recover secret key information. This affects CBC mode because... |
| CVE-2020-25073 | 2020-09-02 | FreedomBox through 20.13 allows remote attackers to obtain sensitive information from the /server-status page of the Apache HTTP Server, because a connection from the Tor onion service (or from PageKite)... |
| CVE-2020-5622 | 2020-09-02 | Shadankun Server Security Type (excluding normal blocking method types) Ver.1.5.3 and earlier allows remote attackers to cause a denial of service which may result in not being able to add... |
| CVE-2020-24355 | 2020-09-02 | Zyxel VMG5313-B30B router on firmware 5.13(ABCJ.6)b3_1127, and possibly older versions of firmware are affected by insecure permissions which allows regular and other users to create new users with elevated privileges.... |
| CVE-2020-16602 | 2020-09-02 | Razer Chroma SDK Rest Server through 3.12.17 allows remote attackers to execute arbitrary programs because there is a race condition in which a file created under "%PROGRAMDATA%\Razer Chroma\SDK\Apps" can be... |
| CVE-2020-17458 | 2020-09-02 | A post-authenticated stored XSS was found in MultiUx v.3.1.12.0 via the /multiux/SaveMailbox LastName field. |
| CVE-2020-24602 | 2020-09-02 | Ignite Realtime Openfire 4.5.1 has a reflected Cross-site scripting vulnerability which allows an attacker to execute arbitrary malicious URL via the vulnerable GET parameter searchName", "searchValue", "searchDescription", "searchDefaultValue","searchPlugin", "searchDescription" and... |
| CVE-2020-24604 | 2020-09-02 | A Reflected XSS vulnerability was discovered in Ignite Realtime Openfire version 4.5.1. The XSS vulnerability allows remote attackers to inject arbitrary web script or HTML via the GET request "searchName",... |
| CVE-2020-24601 | 2020-09-02 | In Ignite Realtime Openfire 4.5.1 a Stored Cross-site Vulnerability allows an attacker to execute an arbitrary malicious URL via the vulnerable POST parameter searchName", "alias" in the import certificate trusted... |
| CVE-2020-25079 | 2020-09-02 | An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. cgi-bin/ddns_enc.cgi allows authenticated command injection. |
| CVE-2020-25078 | 2020-09-02 | An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. The unauthenticated /config/getuser endpoint allows for remote administrator password disclosure. |
| CVE-2020-23830 | 2020-09-02 | A Cross-Site Request Forgery (CSRF) vulnerability in changeUsername.php in SourceCodester Stock Management System v1.0 allows remote attackers to deny future logins by changing an authenticated victim's username when they visit... |
| CVE-2020-24030 | 2020-09-02 | ForLogic Qualiex v1 and v3 has weak token expiration. This allows remote unauthenticated privilege escalation and access to sensitive data via token reuse. NOTE: as of 2025-10-14, the Supplier's perspective... |
| CVE-2020-24029 | 2020-09-02 | Because of unauthenticated password changes in ForLogic Qualiex v1 and v3, customer and admin permissions and data can be accessed via a simple request. NOTE: as of 2025-10-14, the Supplier's... |
| CVE-2020-24028 | 2020-09-02 | ForLogic Qualiex v1 and v3 allows any authenticated customer to achieve privilege escalation via user creations, password changes, or user permission updates. NOTE: as of 2025-10-14, the Supplier's perspective is... |
| CVE-2020-25026 | 2020-09-02 | The sf_event_mgt (aka Event management and registration) extension before 4.3.1 and 5.x before 5.1.1 for TYPO3 allows Information Disclosure (participant data, and event data via email) because of Broken Access... |
| CVE-2020-25025 | 2020-09-02 | The l10nmgr (aka Localization Manager) extension before 7.4.0, 8.x before 8.7.0, and 9.x before 9.2.0 for TYPO3 allows Information Disclosure (translatable fields). |
| CVE-2020-24654 | 2020-09-02 | In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory. |
| CVE-2020-24553 | 2020-09-02 | Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header. |
| CVE-2020-12621 | 2020-09-02 | The Teamwire application 5.3.0 for Android allows physically proximate attackers to exploit a flaw related to the pass-code component. |
| CVE-2020-13802 | 2020-09-02 | Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency specification. |
| CVE-2020-14209 | 2020-09-02 | Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, a .htaccess... |
| CVE-2020-15810 | 2020-09-02 | An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads... |
| CVE-2020-15811 | 2020-09-02 | An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Splitting attacks may succeed against HTTP and HTTPS traffic. This leads... |
| CVE-2020-15094 | 2020-09-02 | RCE in Symfony |
| CVE-2020-15167 | 2020-09-02 | Arbitrary code execution via configuration file in Miller |
| CVE-2020-4445 | 2020-09-02 | IBM Jazz Team Server based Applications are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially... |
| CVE-2020-4522 | 2020-09-02 | IBM Jazz Team Server based Applications are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially... |
| CVE-2020-4546 | 2020-09-02 | IBM Jazz Team Server based Applications are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially... |
| CVE-2020-4693 | 2020-09-02 | IBM Spectrum Protect Operations Center 7.1.0.000 through 7.1.10 and 8.1.0.000 through 8.1.9 may allow an attacker to execute arbitrary code on the system, caused by improper validation of data prior... |
| CVE-2020-7830 | 2020-09-02 | RAONWIZ v2018.0.2.50 and earlier versions contains a vulnerability that could allow remote files to be downloaded by lack of validation. Vulnerabilities in downloading with Kupload agent allow files to be... |
| CVE-2020-8576 | 2020-09-02 | Clustered Data ONTAP versions prior to 9.3P19, 9.5P14, 9.6P9 and 9.7 are susceptible to a vulnerability which when successfully exploited could lead to addition or modification of data or disclosure... |
| CVE-2020-5778 | 2020-09-02 | A flaw exists in Trading Technologies Messaging 7.1.28.3 (ttmd.exe) due to improper validation of user-supplied data when processing a type 8 message sent to default TCP RequestPort 10200. An unauthenticated,... |
| CVE-2020-5779 | 2020-09-02 | A flaw in Trading Technologies Messaging 7.1.28.3 (ttmd.exe) relates to invalid parameter handling when calling strcpy_s() with an invalid parameter (i.e., a long src string parameter) as a part of... |
| CVE-2020-25045 | 2020-09-02 | Installers of Kaspersky Security Center and Kaspersky Security Center Web Console prior to 12 & prior to 12 Patch A were vulnerable to a DLL hijacking attack that allowed an... |
| CVE-2020-25043 | 2020-09-02 | The installer of Kaspersky VPN Secure Connection prior to 5.0 was vulnerable to arbitrary file deletion that could allow an attacker to delete any file in the system. |
| CVE-2020-25044 | 2020-09-02 | Kaspersky Virus Removal Tool (KVRT) prior to 15.0.23.0 was vulnerable to arbitrary file corruption that could provide an attacker with the opportunity to eliminate content of any file in the... |
| CVE-2020-5369 | 2020-09-02 | Dell EMC Isilon OneFS versions 8.2.2 and earlier and Dell EMC PowerScale OneFS version 9.0.0 contain a privilege escalation vulnerability. An authenticated malicious user may exploit this vulnerability by using... |
| CVE-2020-5376 | 2020-09-02 | Dell Inspiron 7347 BIOS versions prior to A13 contain a UEFI BIOS Boot Services overwrite vulnerability. A local attacker with access to system memory may exploit this vulnerability by overwriting... |
| CVE-2020-5378 | 2020-09-02 | Dell G7 17 7790 BIOS versions prior to 1.13.2 contain a UEFI BIOS Boot Services overwrite vulnerability. A local attacker with access to system memory may exploit this vulnerability by... |
| CVE-2020-5379 | 2020-09-02 | Dell Inspiron 7352 BIOS versions prior to A12 contain a UEFI BIOS Boot Services overwrite vulnerability. A local attacker with access to system memory may exploit this vulnerability by overwriting... |
| CVE-2020-5386 | 2020-09-02 | Dell EMC ECS, versions prior to 3.5, contains an Exposure of Resource vulnerability. A remote unauthenticated attacker can access the list of DT (Directory Table) objects of all internally running... |
| CVE-2020-5418 | 2020-09-03 | Cloud Controller allows users with no roles to list droplets |
| CVE-2020-5420 | 2020-09-03 | Gorouter is vulnerable to DoS attack via invalid HTTP responses |
| CVE-2020-25093 | 2020-09-03 | Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in blog.php. within application/views/templates/clothesshop, application/views/templates/onepage, and application/views/templates/redlabel. |
| CVE-2020-25092 | 2020-09-03 | Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in _parts/header.php, within application/views/templates/clothesshop, application/views/templates/greenlabel, and application/views/templates/redlabel. |
| CVE-2020-25091 | 2020-09-03 | Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/vendor/views/add_product.php. |
| CVE-2020-25090 | 2020-09-03 | Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/ecommerce/publish.php. |
| CVE-2020-25089 | 2020-09-03 | Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/ecommerce/discounts.php. |
| CVE-2020-25088 | 2020-09-03 | Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/blog/blogpublish.php. |
| CVE-2020-25087 | 2020-09-03 | Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/advanced_settings/languages.php. |
| CVE-2020-25086 | 2020-09-03 | Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/advanced_settings/adminUsers.php. |
| CVE-2020-7729 | 2020-09-03 | Arbitrary Code Execution |
| CVE-2020-12058 | 2020-09-03 | Several XSS vulnerabilities in osCommerce CE Phoenix before 1.0.6.0 allow an attacker to inject and execute arbitrary JavaScript code. The malicious code can be injected as follows: the page parameter... |
| CVE-2020-24949 | 2020-09-03 | Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE). |
| CVE-2020-4337 | 2020-09-03 | IBM API Connect 2018.4.1.0 through 2018.4.1.12 could allow an attacker to launch phishing attacks by tricking the server to generate user registration emails that contain malicious URLs. IBM X-Force ID:... |
| CVE-2020-4638 | 2020-09-03 | IBM API Connect's API Manager 2018.4.1.0 through 2018.4.1.12 is vulnerable to privilege escalation. An invitee to an API Provider organization can escalate privileges by manipulating the invitation link. IBM X-Force... |
| CVE-2020-7381 | 2020-09-03 | Code Injection in Rapid7 Nexpose Installer |
| CVE-2020-7382 | 2020-09-03 | Unquoted Path in Rapid7 Nexpose Installer |
| CVE-2020-24948 | 2020-09-03 | The ao_ccss_import AJAX call in Autoptimize Wordpress Plugin 2.7.6 does not ensure that the file provided is a legitimate Zip file, allowing high privilege users to upload arbitrary files, such... |
| CVE-2020-25105 | 2020-09-03 | eramba c2.8.1 and Enterprise before e2.19.3 has a weak password recovery token (createHash has only a million possibilities). |
| CVE-2020-25104 | 2020-09-03 | eramba c2.8.1 and Enterprise before e2.19.3 allows XSS via a crafted filename for a file attached to an object. For example, the filename has a complete XSS payload followed by... |
| CVE-2020-25042 | 2020-09-03 | An arbitrary file upload issue exists in Mara CMS 7.5. In order to exploit this, an attacker must have a valid authenticated (admin/manager) session and make a codebase/dir.php?type=filenew request to... |
| CVE-2020-25068 | 2020-09-03 | Setelsa Conacwin v3.7.1.2 is vulnerable to a local file inclusion vulnerability. This vulnerability allows a remote unauthenticated attacker to read internal files on the server via an http:IP:PORT/../../path/file_to_disclose Directory Traversal... |
| CVE-2020-24863 | 2020-09-03 | A memory corruption vulnerability was found in the kernel function kern_getfsstat in MidnightBSD before 1.2.7 and 1.3 through 2020-08-19, and FreeBSD through 11.4, that allows an attacker to trigger an... |
| CVE-2020-24385 | 2020-09-03 | In MidnightBSD before 1.2.6 and 1.3 before August 2020, and FreeBSD before 7, a NULL pointer dereference was found in the Linux emulation layer that allows attackers to crash the... |
| CVE-2020-13972 | 2020-09-03 | Enghouse Web Chat 6.2.284.34 allows XSS. When one enters their own domain name in the WebServiceLocation parameter, the response from the POST request is displayed, and any JavaScript returned from... |
| CVE-2019-10679 | 2020-09-03 | Thomson Reuters Eikon 4.0.42144 allows all local users to modify the service executable file because of weak %PROGRAMFILES(X86)%\Thomson Reuters\Eikon permissions. |
| CVE-2020-24876 | 2020-09-03 | Use of a hard-coded cryptographic key in Pancake versions < 4.13.29 allows an attacker to forge session cookies, which may lead to remote privilege escalation. |
| CVE-2020-24158 | 2020-09-03 | 360 Speed Browser 12.0.1247.0 has a DLL hijacking vulnerability, which can be exploited by attackers to execute malicious code. It is a dual-core browser owned by Beijing Qihoo Technology. |
| CVE-2020-24159 | 2020-09-03 | NetEase Youdao Dictionary has a DLL hijacking vulnerability, which can be exploited by attackers to gain server permissions. This affects Guangzhou NetEase Youdao Dictionary 8.9.2.0. |
| CVE-2020-24160 | 2020-09-03 | Shenzhen Tencent TIM Windows client 3.0.0.21315 has a DLL hijacking vulnerability, which can be exploited by attackers to execute malicious code. |
| CVE-2020-24161 | 2020-09-03 | Guangzhou NetEase Mail Master 4.14.1.1004 on Windows has a DLL hijacking vulnerability. Attackers can use this vulnerability to execute malicious code. |
| CVE-2020-24162 | 2020-09-03 | The Shenzhen Tencent app 5.8.2.5300 for PC platforms (from Tencent App Center) has a DLL hijacking vulnerability. Attackers can use this vulnerability to execute malicious code. |
| CVE-2020-25102 | 2020-09-03 | silverstripe-advancedreports (aka the Advanced Reports module for SilverStripe) 1.0 through 2.0 is vulnerable to Cross-Site Scripting (XSS) because it is possible to inject and store malicious JavaScript code. The affects... |
| CVE-2020-23811 | 2020-09-03 | xxl-job 2.2.0 allows Information Disclosure of username, model, and password via job/admin/controller/UserController.java. |
| CVE-2020-23814 | 2020-09-03 | Multiple cross-site scripting (XSS) vulnerabilities in xxl-job v2.2.0 allow remote attackers to inject arbitrary web script or HTML via (1) AppName and (2)AddressList parameter in JobGroupController.java file. |
| CVE-2020-11579 | 2020-09-03 | An issue was discovered in Chadha PHPKB 9.0 Enterprise Edition. installer/test-connection.php (part of the installation process) allows a remote unauthenticated attacker to disclose local files on hosts running PHP before... |
| CVE-2020-25124 | 2020-09-03 | The Admin CP in vBulletin 5.6.3 allows XSS via an admincp/attachment.php&do=rebuild&type= URI. |
| CVE-2020-25123 | 2020-09-03 | The Admin CP in vBulletin 5.6.3 allows XSS via a Smilie Title to Smilies Manager. |
| CVE-2020-25122 | 2020-09-03 | The Admin CP in vBulletin 5.6.3 allows XSS via a Rank Type to User Rank Manager. |
| CVE-2020-25121 | 2020-09-03 | The Admin CP in vBulletin 5.6.3 allows XSS via the Paid Subscription Email Notification field in the Options. |
| CVE-2020-25120 | 2020-09-03 | The Admin CP in vBulletin 5.6.3 allows XSS via the admincp/search.php?do=dosearch URI. |
| CVE-2020-25119 | 2020-09-03 | The Admin CP in vBulletin 5.6.3 allows XSS via a Title of a Child Help Item in the Login/Logoff part of the User Manual. |
| CVE-2020-25118 | 2020-09-03 | The Admin CP in vBulletin 5.6.3 allows XSS via a Style Options Settings Title to Styles Manager. |
| CVE-2020-25117 | 2020-09-03 | The Admin CP in vBulletin 5.6.3 allows XSS via a Junior Member Title to User Title Manager. |
| CVE-2020-25116 | 2020-09-03 | The Admin CP in vBulletin 5.6.3 allows XSS via an Announcement Title to Channel Manager. |
| CVE-2020-25115 | 2020-09-03 | The Admin CP in vBulletin 5.6.3 allows XSS via an Occupation Title or Description to User Profile Field Manager. |
| CVE-2020-25125 | 2020-09-03 | GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this... |
| CVE-2020-10720 | 2020-09-03 | A flaw was found in the Linux kernel's implementation of GRO in versions before 5.2. This flaw allows an attacker with local access to crash the system. |
| CVE-2020-14373 | 2020-09-03 | A use after free was found in igc_reloc_struct_ptr() of psi/igc.c of ghostscript-9.25. A local attacker could supply a specially crafted PDF file to cause a denial of service. |
| CVE-2020-9199 | 2020-09-03 | B2368-22 V100R001C00;B2368-57 V100R001C00;B2368-66 V100R001C00 have a command injection vulnerability. An attacker with high privileges may exploit this vulnerability through some operations on the LAN. Due to insufficient input validation of... |
| CVE-2020-24193 | 2020-09-03 | A SQL injection vulnerability in login in Sourcecodetester Daily Tracker System 1.0 allows unauthenticated user to execute authentication bypass with SQL injection via the email parameter. |
| CVE-2020-9235 | 2020-09-03 | Huawei smartphones HONOR 20 PRO Versions earlier than 10.1.0.230(C432E9R5P1),Versions earlier than 10.1.0.231(C10E3R3P2),Versions earlier than 10.1.0.231(C185E3R5P1),Versions earlier than 10.1.0.231(C636E3R3P1);Versions earlier than 10.1.0.212(C432E10R3P4),Versions earlier than 10.1.0.213(C636E3R4P3),Versions earlier than 10.1.0.214(C10E5R4P3),Versions earlier than 10.1.0.214(C185E3R3P3);Versions... |
| CVE-2020-9083 | 2020-09-03 | HUAWEI Mate 20 smart phones with Versions earlier than 10.1.0.163(C00E160R3P8) have a denial of service (DoS) vulnerability. The attacker can enter a large amount of text on the phone. Due... |
| CVE-2020-25006 | 2020-09-03 | Heybbs v1.2 has a SQL injection vulnerability in login.php file via the username parameter which may allow a remote attacker to execute arbitrary code. |