Weekly Vulnerabilities Reports > November 9 to 15, 2020
Overview
310 new vulnerabilities were reported during this period, including 44 critical vulnerabilities and 125 high severity vulnerabilities. This weekly summary reports vulnerabilities in 976 products from 100 vendors including Intel, Qualcomm, Google, Netapp, and SAP. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Cross-site Scripting", "Improper Input Validation", "Out-of-bounds Read", and "Integer Overflow or Wraparound".
- 151 reported vulnerabilities are remotely exploitable.
- 51 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 141 reported vulnerabilities are exploitable by an anonymous user.
- Intel has the most reported vulnerabilities, with 95 reported vulnerabilities.
- Qualcomm has the most reported critical vulnerabilities, with 5 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported for the period covered by this report:
44 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-11-10 | CVE-2020-26824 | SAP | Missing Authentication for Critical Function vulnerability in SAP Solution Manager 7.20 SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the Upgrade Legacy Ports Service, this has an impact to the integrity and availability of the service. | 10.0 |
2020-11-10 | CVE-2020-26823 | SAP | Missing Authentication for Critical Function vulnerability in SAP Solution Manager 7.20 SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the Upgrade Diagnostics Agent Connection Service, this has an impact to the integrity and availability of the service. | 10.0 |
2020-11-10 | CVE-2020-26822 | SAP | Missing Authentication for Critical Function vulnerability in SAP Solution Manager 7.20 SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the Outside Discovery Configuration Service, this has an impact to the integrity and availability of the service. | 10.0 |
2020-11-10 | CVE-2020-26821 | SAP | Missing Authentication for Critical Function vulnerability in SAP Solution Manager 7.20 SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the SVG Converter Service, this has an impact to the integrity and availability of the service. | 10.0 |
2020-11-12 | CVE-2020-13774 | Ivanti | Unrestricted Upload of File with Dangerous Type vulnerability in Ivanti Endpoint Manager 2019.1/2020.1 An unrestricted file-upload issue in EditLaunchPadDialog.aspx in Ivanti Endpoint Manager 2019.1 and 2020.1 allows an authenticated attacker to gain remote code execution by uploading a malicious aspx file. | 9.9 |
2020-11-15 | CVE-2020-7772 | DOC Path Project | Unspecified vulnerability in Doc-Path Project Doc-Path This affects the package doc-path before 2.1.2. | 9.8 |
2020-11-13 | CVE-2020-28638 | Dyne | Improper Authentication vulnerability in Dyne Tomb ask_password in Tomb 2.0 through 2.7 returns a warning when pinentry-curses is used and $DISPLAY is non-empty, causing affected users' files to be encrypted with "tomb {W] Detected DISPLAY, but only pinentry-curses is found." as the encryption key. | 9.8 |
2020-11-13 | CVE-2020-13638 | Rconfig | Improper Privilege Management vulnerability in Rconfig lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. | 9.8 |
2020-11-13 | CVE-2020-12338 | Intel | Unspecified vulnerability in Intel Open Webrtc Toolkit 4.3 Insufficient control flow management in the Open WebRTC Toolkit before version 4.3.1 may allow an unauthenticated user to potentially enable escalation of privilege via network access. | 9.8 |
2020-11-12 | CVE-2020-24719 | Couchbase | OS Command Injection vulnerability in Couchbase Server 6.5.1/6.5.2 Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. | 9.8 |
2020-11-12 | CVE-2020-13877 | Resourcexpress | SQL Injection vulnerability in Resourcexpress Meeting Monitor 4.9 SQL Injection issues in various ASPX pages of ResourceXpress Meeting Monitor 4.9 could lead to remote code execution and information disclosure. | 9.8 |
2020-11-12 | CVE-2020-12315 | Intel | Path Traversal vulnerability in Intel Endpoint Management Assistant 1.3.1/1.3.2/1.3.2.1 Path traversal in the Intel(R) EMA before version 1.3.3 may allow an unauthenticated user to potentially enable escalation of privilege via network access. | 9.8 |
2020-11-12 | CVE-2020-8752 | Intel Netapp | Out-of-bounds Write vulnerability in multiple products Out-of-bounds write in IPv6 subsystem for Intel(R) AMT, Intel(R) ISM versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 14.0.45 may allow an unauthenticated user to potentially enable escalation of privileges via network access. | 9.8 |
2020-11-12 | CVE-2020-7472 | Sugarcrm | Improper Input Validation vulnerability in Sugarcrm An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for unauthenticated remote code execution against a configured SugarCRM instance via crafted HTTP requests. | 9.8 |
2020-11-12 | CVE-2020-28271 | Deephas Project | Unspecified vulnerability in Deephas Project Deephas Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution. | 9.8 |
2020-11-12 | CVE-2020-28270 | Mjpclab | Unspecified vulnerability in Mjpclab Object-Hierarchy-Access Prototype pollution vulnerability in 'object-hierarchy-access' versions 0.2.0 through 0.32.0 allows attacker to cause a denial of service and may lead to remote code execution. | 9.8 |
2020-11-12 | CVE-2020-28269 | Exodus | Unspecified vulnerability in Exodus Field 0.0.1/1.0.0/1.0.1 Prototype pollution vulnerability in 'field' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution. | 9.8 |
2020-11-12 | CVE-2020-27481 | Goodlayers | SQL Injection vulnerability in Goodlayers Good Learning Management System An unauthenticated SQL Injection vulnerability in Good Layers LMS Plugin <= 2.1.4 exists due to the usage of "wp_ajax_nopriv" call in WordPress, which allows any unauthenticated user to get access to the function "gdlr_lms_cancel_booking" where POST Parameter "id" was sent straight into SQL query without sanitization. | 9.8 |
2020-11-12 | CVE-2020-7770 | Json8 Project | Unspecified vulnerability in Json8 Project Json8 This affects the package json8 before 1.0.3. | 9.8 |
2020-11-12 | CVE-2020-3639 | Qualcomm | Improper Validation of Array Index vulnerability in Qualcomm products u'When a non standard SIP sigcomp message is received from the network, then there may be chances of using more UDVM cycle or memory overflow' in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8009, APQ8017, APQ8037, APQ8053, MDM9250, MDM9607, MDM9628, MDM9640, MDM9650, MSM8108, MSM8208, MSM8209, MSM8608, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, QCM4290, QCM6125, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QM215, QSM8350, SA415M, SA6145P, SA6150P, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SC7180, SC8180X, SC8180X+SDX55, SC8180XP, SDA429W, SDA640, SDA660, SDA670, SDA845, SDA855, SDM1000, SDM429, SDM429W, SDM439, SDM450, SDM455, SDM630, SDM632, SDM636, SDM640, SDM660, SDM670, SDM710, SDM712, SDM845, SDM850, SDX24, SDX50M, SDX55, SDX55M, SM4125, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM7125, SM7150, SM7150P, SM7250, SM7250P, SM8150, SM8150P, SM8350, SM8350P, SXR1120, SXR1130 | 9.8 |
2020-11-12 | CVE-2020-11196 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products u'Integer overflow to buffer overflow occurs while playback of ASF clip having unexpected number of codec entries' in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8009W, APQ8017, APQ8037, APQ8053, APQ8064AU, APQ8096, APQ8096AU, APQ8096SG, APQ8098, MDM9206, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8996SG, MSM8998, QCM4290, QCM6125, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QM215, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SDA429W, SDA640, SDA660, SDA670, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM455, SDM630, SDM632, SDM636, SDM640, SDM660, SDM670, SDM710, SDM830, SDM845, SDW2500, SDX20, SDX20M, SDX50M, SDX55, SDX55M, SM4125, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SXR1120, SXR1130, SXR2130, SXR2130P, WCD9330 | 9.8 |
2020-11-12 | CVE-2020-11193 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products u'Buffer over read can happen while parsing mkv clip due to improper typecasting of data returned from atomsize' in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8009W, APQ8017, APQ8037, APQ8053, APQ8064AU, APQ8096, APQ8096AU, APQ8096SG, APQ8098, MDM9206, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8996SG, MSM8998, QCM4290, QCM6125, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QM215, QSM8350, SA6145P, SA6155, SA6155P, SA8155, SA8155P, SDA429W, SDA640, SDA660, SDA670, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM455, SDM630, SDM632, SDM636, SDM640, SDM660, SDM670, SDM710, SDM830, SDM845, SDW2500, SDX20, SDX20M, SDX50M, SDX55, SDX55M, SM4125, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR1120, SXR1130, SXR2130, SXR2130P, WCD9330 | 9.8 |
2020-11-12 | CVE-2020-11184 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products u'Possible buffer overflow will occur in video while parsing mp4 clip with crafted esds atom size.' in Snapdragon Auto, Snapdragon Compute, Snapdragon Industrial IOT, Snapdragon Mobile in QCM4290, QCS4290, QM215, QSM8350, SA6145P, SA6155, SA6155P, SA8155, SA8155P, SDX55, SDX55M, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6250, SM6350, SM7125, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR2130, SXR2130P | 9.8 |
2020-11-12 | CVE-2020-11168 | Qualcomm | NULL Pointer Dereference vulnerability in Qualcomm products u'Null-pointer dereference can occur while accessing data buffer beyond its size that leads to access the buffer beyond its range' in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8009W, APQ8017, APQ8053, APQ8064AU, APQ8096AU, APQ8098, MDM9206, MDM9650, MSM8909W, MSM8953, MSM8996AU, QCM4290, QCS405, QCS4290, QCS603, QCS605, QM215, QSM8350, SA6155, SA6155P, SA8155, SA8155P, SDA429W, SDA640, SDA660, SDA845, SDA855, SDM1000, SDM429, SDM429W, SDM450, SDM632, SDM640, SDM830, SDM845, SDW2500, SDX20, SDX20M, SDX50M, SDX55, SDX55M, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6250, SM6350, SM7125, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR2130, SXR2130P, WCD9330 | 9.8 |
2020-11-12 | CVE-2020-7769 | Nodemailer | Argument Injection or Modification vulnerability in Nodemailer This affects the package nodemailer before 6.4.16. | 9.8 |
2020-11-11 | CVE-2020-5426 | Vmware | Cleartext Transmission of Sensitive Information vulnerability in VMWare Pivotal Scheduler Scheduler for TAS prior to version 1.4.0 was permitting plaintext transmission of UAA client token by sending it over a non-TLS connection. | 9.8 |
2020-11-11 | CVE-2020-7768 | Grpc | Unspecified vulnerability in Grpc The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition. | 9.8 |
2020-11-10 | CVE-2020-25074 | Moinmo Debian | Path Traversal vulnerability in multiple products The cache action in action/cache.py in MoinMoin through 1.9.10 allows directory traversal through a crafted HTTP request. | 9.8 |
2020-11-10 | CVE-2020-7766 | Json PTR Project | Unspecified vulnerability in Json-Ptr Project Json-Ptr This affects all versions of package json-ptr. | 9.8 |
2020-11-10 | CVE-2020-13927 | Apache | Insecure Default Initialization of Resource vulnerability in Apache Airflow The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. | 9.8 |
2020-11-10 | CVE-2020-24384 | A10Networks | Unspecified vulnerability in A10Networks Advanced Core Operating System and Agalaxy A10 Networks ACOS and aGalaxy management Graphical User Interfaces (GUIs) have an unauthenticated Remote Code Execution (RCE) vulnerability that could be used to compromise affected ACOS systems. | 9.8 |
2020-11-10 | CVE-2020-0452 | Google Fedoraproject | Integer Overflow or Wraparound vulnerability in multiple products In exif_entry_get_value of exif-entry.c, there is a possible out of bounds write due to an integer overflow. | 9.8 |
2020-11-10 | CVE-2020-0447 | Google | Out-of-bounds Write vulnerability in Google Android There is a possible out of bounds write due to a missing bounds check. Product: Android. Versions: Android SoC. Android ID: A-168251617 | 9.8 |
2020-11-10 | CVE-2020-0446 | Google | Out-of-bounds Write vulnerability in Google Android There is a possible out of bounds write due to a missing bounds check. Product: Android. Versions: Android SoC. Android ID: A-168264528 | 9.8 |
2020-11-10 | CVE-2020-0445 | Google | Out-of-bounds Write vulnerability in Google Android There is a possible out of bounds write due to a missing bounds check. Product: Android. Versions: Android SoC. Android ID: A-168264527 | 9.8 |
2020-11-09 | CVE-2020-28371 | Readytalk | Integer Overflow or Wraparound vulnerability in Readytalk Avian 1.2.0 An issue was discovered in ReadyTalk Avian 1.2.0 before 2020-10-27. | 9.8 |
2020-11-09 | CVE-2020-26168 | Hazelcast | Improper Authentication vulnerability in Hazelcast and JET The LDAP authentication method in LdapLoginModule in Hazelcast IMDG Enterprise 4.x before 4.0.3, and Jet Enterprise 4.x through 4.2, doesn't verify properly the password in some system-user-dn scenarios. | 9.8 |
2020-11-09 | CVE-2020-14189 | Atlassian | Unspecified vulnerability in Atlassian Jira Comment The execute function in the Atlassian gajira-comment GitHub Action before version 2.0.2 allows remote attackers to execute arbitrary code in the context of a GitHub runner by creating a specially crafted GitHub issue comment. | 9.8 |
2020-11-09 | CVE-2020-14188 | Atlassian | Unspecified vulnerability in Atlassian Jira Create The preprocessArgs function in the Atlassian gajira-create GitHub Action before version 2.0.1 allows remote attackers to execute arbitrary code in the context of a GitHub runner by creating a specially crafted GitHub issue. | 9.8 |
2020-11-09 | CVE-2020-26542 | Percona | Improper Authentication vulnerability in Percona Server 20201002 An issue was discovered in the MongoDB Simple LDAP plugin through 2020-10-02 for Percona Server when using the SimpleLDAP authentication in conjunction with Microsoft’s Active Directory, Percona has discovered a flaw that would allow authentication to complete when passing a blank value for the account password, leading to access against the service integrated with which Active Directory is deployed at the level granted to the authenticating account. | 9.8 |
2020-11-09 | CVE-2020-23138 | Microweber | Unrestricted Upload of File with Dangerous Type vulnerability in Microweber 1.1.18 An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. | 9.8 |
2020-11-12 | CVE-2020-8747 | Intel Netapp | Out-of-bounds Read vulnerability in multiple products Out-of-bounds read in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable information disclosure and/or denial of service via network access. | 9.1 |
2020-11-09 | CVE-2020-15297 | Bitdefender | Server-Side Request Forgery (SSRF) vulnerability in Bitdefender Update Server 3.4.0.276 Insufficient validation in the Bitdefender Update Server and BEST Relay components of Bitdefender Endpoint Security Tools versions prior to 6.6.20.294 allows an unprivileged attacker to bypass the in-place mitigations and interact with hosts on the network. | 9.1 |
2020-11-09 | CVE-2020-24407 | Magento | Unspecified vulnerability in Magento Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. | 9.1 |
125 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-11-13 | CVE-2020-12313 | Intel | Unspecified vulnerability in Intel Proset/Wireless Wifi Insufficient control flow management in some Intel(R) PROSet/Wireless WiFi products before version 21.110 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | 8.8 |
2020-11-13 | CVE-2020-26222 | Dependabot Project | Unspecified vulnerability in Dependabot Project Dependabot Dependabot is a set of packages for automated dependency management for Ruby, JavaScript, Python, PHP, Elixir, Rust, Java, .NET, Elm and Go. | 8.8 |
2020-11-13 | CVE-2020-25557 | Cmsuno Project | Code Injection vulnerability in Cmsuno Project Cmsuno 1.6.2 In CMSuno 1.6.2, an attacker can inject malicious PHP code as a "username" while changing his/her username & password. | 8.8 |
2020-11-13 | CVE-2020-25538 | Cmsuno Project | Code Injection vulnerability in Cmsuno Project Cmsuno 1.6.2 An authenticated attacker can inject malicious code into "lang" parameter in /uno/central.php file in CMSuno 1.6.2 and run this PHP code in the web page. | 8.8 |
2020-11-12 | CVE-2020-27386 | Flexdotnetcms Project | Unrestricted Upload of File with Dangerous Type vulnerability in Flexdotnetcms Project Flexdotnetcms An unrestricted file upload issue in FlexDotnetCMS before v1.5.9 allows an authenticated remote attacker to upload and execute arbitrary files by using the FileManager to upload malicious code (e.g., ASP code) in the form of a safe file type (e.g., a TXT file), and then using the FileEditor (in v1.5.8 and prior) or the FileManager's rename function (in v1.5.7 and prior) to rename the file to an executable extension (e.g., ASP), and finally executing the file via an HTTP GET request to /<path_to_file>. | 8.8 |
2020-11-12 | CVE-2020-26804 | Sapplica | Unrestricted Upload of File with Dangerous Type vulnerability in Sapplica Sentrifugo 3.2 In Sentrifugo 3.2, users can share an announcement under "Organization -> Announcements" tab. | 8.8 |
2020-11-12 | CVE-2020-26803 | Sapplica | Unrestricted Upload of File with Dangerous Type vulnerability in Sapplica Sentrifugo 3.2 In Sentrifugo 3.2, users can upload an image under "Assets -> Add" tab. | 8.8 |
2020-11-12 | CVE-2020-12347 | Intel | Improper Input Validation vulnerability in Intel Data Center Manager Improper input validation in the Intel(R) Data Center Manager Console before version 3.6.2 may allow an authenticated user to potentially enable escalation of privilege via network access. | 8.8 |
2020-11-12 | CVE-2020-8749 | Intel Netapp | Out-of-bounds Read vulnerability in multiple products Out-of-bounds read in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | 8.8 |
2020-11-12 | CVE-2020-12321 | Intel | Unspecified vulnerability in Intel products Improper buffer restriction in some Intel(R) Wireless Bluetooth(R) products before version 21.110 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | 8.8 |
2020-11-12 | CVE-2020-7332 | Mcafee | Cross-Site Request Forgery (CSRF) vulnerability in Mcafee Endpoint Security Cross Site Request Forgery vulnerability in the firewall ePO extension of McAfee Endpoint Security (ENS) prior to 10.7.0 November 2020 Update allows an attacker to execute arbitrary HTML code due to incorrect security configuration. | 8.8 |
2020-11-10 | CVE-2020-25268 | Ilias | Argument Injection or Modification vulnerability in Ilias 6.4.0 Remote Code Execution can occur via the external news feed in ILIAS 6.4 because of incorrect parameter sanitization for Magpie RSS data. | 8.8 |
2020-11-10 | CVE-2019-7357 | Intelliants | Cross-Site Request Forgery (CSRF) vulnerability in Intelliants Subrion CMS 4.2.1 Subrion CMS 4.2.1 has CSRF in panel/modules/plugins/. | 8.8 |
2020-11-10 | CVE-2020-27146 | Tibco | Cross-Site Request Forgery (CSRF) vulnerability in Tibco Iprocess Workspace Browser The Core component of TIBCO Software Inc.'s TIBCO iProcess Workspace (Browser) contains a vulnerability that theoretically allows an unauthenticated attacker with network access to execute a Cross Site Request Forgery (CSRF) attack on the affected system. | 8.8 |
2020-11-10 | CVE-2020-26819 | SAP | Unspecified vulnerability in SAP Netweaver Application Server Abap SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, that allows them to read and delete database logfiles because of Improper Access Control. | 8.8 |
2020-11-10 | CVE-2020-26818 | SAP | Missing Authorization vulnerability in SAP Netweaver Application Server Abap SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, which reveals sensitive system information that would otherwise be restricted to highly privileged users because of missing authorization, resulting in Information Disclosure. | 8.8 |
2020-11-10 | CVE-2020-0451 | Google | Out-of-bounds Write vulnerability in Google Android In sbrDecoder_AssignQmfChannels2SbrChannels of sbrdecoder.cpp, there is a possible out of bounds write due to a heap buffer overflow. | 8.8 |
2020-11-10 | CVE-2020-0449 | Google | Use After Free vulnerability in Google Android In btm_sec_disconnected of btm_sec.cc, there is a possible memory corruption due to a use after free. | 8.8 |
2020-11-09 | CVE-2020-27694 | Trendmicro | Unspecified vulnerability in Trendmicro Interscan Messaging Security Virtual Appliance 8.5.1.1516/9.0/9.1 Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 has updated a specific critical library that may be vulnerable to attack. | 8.8 |
2020-11-09 | CVE-2020-27016 | Trendmicro | Cross-Site Request Forgery (CSRF) vulnerability in Trendmicro Interscan Messaging Security Virtual Appliance 8.5.1.1516/9.0/9.1 Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to a cross-site request forgery (CSRF) vulnerability which could allow an attacker to modify policy rules by tricking an authenticated administrator into accessing an attacker-controlled web page. | 8.8 |
2020-11-09 | CVE-2020-28373 | Netgear | Out-of-bounds Write vulnerability in Netgear products upnpd on certain NETGEAR devices allows remote (LAN) attackers to execute arbitrary code via a stack-based buffer overflow. | 8.8 |
2020-11-12 | CVE-2020-26070 | Cisco | Improper Resource Shutdown or Release vulnerability in Cisco IOS XR A vulnerability in the ingress packet processing function of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 8.6 |
2020-11-10 | CVE-2020-26815 | SAP | Server-Side Request Forgery (SSRF) vulnerability in SAP Fiori Launchpad (News Tile Application) SAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to send a crafted request to a vulnerable web application. | 8.6 |
2020-11-12 | CVE-2020-2050 | Paloaltonetworks | Improper Authentication vulnerability in Paloaltonetworks Pan-Os An authentication bypass vulnerability exists in the GlobalProtect SSL VPN component of Palo Alto Networks PAN-OS software that allows an attacker to bypass all client certificate checks with an invalid certificate. | 8.2 |
2020-11-12 | CVE-2020-27385 | Flexdotnetcms Project | Path Traversal vulnerability in Flexdotnetcms Project Flexdotnetcms Incorrect Access Control in the FileEditor (/Admin/Views/FileEditor/) in FlexDotnetCMS before v1.5.11 allows an authenticated remote attacker to read and write to existing files outside the web root. | 8.1 |
2020-11-09 | CVE-2020-23140 | Microweber | Insufficient Session Expiration vulnerability in Microweber 1.1.18 Microweber 1.1.18 is affected by insufficient session expiration. | 8.1 |
2020-11-13 | CVE-2020-15481 | Passmark | Unspecified vulnerability in Passmark Burnintest, Osforensics and Performancetest An issue was discovered in PassMark BurnInTest v9.1 Build 1008, OSForensics v7.1 Build 1012, and PerformanceTest v10.0 Build 1008. | 7.8 |
2020-11-13 | CVE-2020-5796 | Nagios | Improper Preservation of Permissions vulnerability in Nagios XI 5.7.4 Improper preservation of permissions in Nagios XI 5.7.4 allows a local, low-privileged, authenticated user to weaken the permissions of files, resulting in low-privileged users being able to write to and execute arbitrary PHP code with root privileges. | 7.8 |
2020-11-13 | CVE-2020-6156 | Pixar | Out-of-bounds Write vulnerability in Pixar Openusd 20.05 A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when the software parses compressed sections in binary USD files. | 7.8 |
2020-11-13 | CVE-2020-6155 | Pixar | Out-of-bounds Write vulnerability in Pixar Openusd 20.05 A heap overflow vulnerability exists in the Pixar OpenUSD 20.05 while parsing compressed value rep arrays in binary USD files. | 7.8 |
2020-11-13 | CVE-2020-6150 | Pixar | Out-of-bounds Write vulnerability in Pixar Openusd 20.05 A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when the software USDC file format SPECS section decompression heap overflow. | 7.8 |
2020-11-13 | CVE-2020-6149 | Pixar | Out-of-bounds Write vulnerability in Pixar Openusd 20.05 A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when the software parses compressed sections in binary USD files. | 7.8 |
2020-11-13 | CVE-2020-6148 | Pixar | Out-of-bounds Write vulnerability in Pixar Openusd 20.05 A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when the software parses compressed sections in binary USD files. | 7.8 |
2020-11-13 | CVE-2020-6147 | Pixar Apple | Out-of-bounds Write vulnerability in multiple products A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when the software parses compressed sections in binary USD files. | 7.8 |
2020-11-12 | CVE-2020-12927 | AMD | Unspecified vulnerability in AMD Vbios Flash Tool Software Development KIT A potential vulnerability in a dynamically loaded AMD driver in AMD VBIOS Flash Tool SDK may allow any authenticated user to escalate privileges to NT authority system. | 7.8 |
2020-11-12 | CVE-2020-24525 | Intel | Incorrect Permission Assignment for Critical Resource vulnerability in Intel products Insecure inherited permissions in firmware update tool for some Intel(R) NUCs may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-24456 | Intel | Incorrect Default Permissions vulnerability in Intel Board ID Tool 1.01 Incorrect default permissions in the Intel(R) Board ID Tool version v.1.01 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-16273 | ARM | Integer Underflow (Wrap or Wraparound) vulnerability in ARM Armv8-M Firmware In Arm software implementing the Armv8-M processors (all versions), the stack selection mechanism could be influenced by a stack-underflow attack in v8-M TrustZone based processors. | 7.8 |
2020-11-12 | CVE-2020-12350 | Intel | Unspecified vulnerability in Intel Extreme Tuning Utility 6.4.1.21 Improper access control in the Intel(R) XTU before version 6.5.1.360 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-12346 | Intel | Incorrect Default Permissions vulnerability in Intel Battery Life Diagnostic Tool Improper permissions in the installer for the Intel(R) Battery Life Diagnostic Tool before version 1.0.7 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-12345 | Intel | Improper Preservation of Permissions vulnerability in Intel Data Center Manager Improper permissions in the installer for the Intel(R) Data Center Manager Console before version 3.6.2 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-12336 | Intel | Insecure Default Initialization of Resource vulnerability in Intel products Insecure default variable initialization in firmware for some Intel(R) NUCs may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-12335 | Intel | Improper Preservation of Permissions vulnerability in Intel Processor Identification Utility 6.1.0731 Improper permissions in the installer for the Intel(R) Processor Identification Utility before version 6.4.0603 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-12334 | Intel | Improper Preservation of Permissions vulnerability in Intel Advisor Tools 2020 Improper permissions in the installer for the Intel(R) Advisor tools before version 2020 Update 2 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-12333 | Intel | Insufficiently Protected Credentials vulnerability in Intel Quickassist Technology 1.0.4000004 Insufficiently protected credentials in the Intel(R) QAT for Linux before version 1.7.l.4.10.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-12332 | Intel | Improper Preservation of Permissions vulnerability in Intel HID Event Filter Driver Improper permissions in the installer for the Intel(R) HID Event Filter Driver, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-12331 | Intel | Unspecified vulnerability in Intel Unite Cloud Service Client Improper access controls in Intel Unite(R) Cloud Service client before version 4.2.12212 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-12330 | Intel | Improper Preservation of Permissions vulnerability in Intel Falcon 8+ UAS Asctec Thermal Viewer Firmware Improper permissions in the installer for the Intel(R) Falcon 8+ UAS AscTec Thermal Viewer, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-12329 | Intel | Uncontrolled Search Path Element vulnerability in Intel Vtune Profiler 2017/2018/2019 Uncontrolled search path in the Intel(R) VTune(TM) Profiler before version 2020 Update 1 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-12325 | Intel | Unspecified vulnerability in Intel Thunderbolt DCH Driver 1.41.1054.0 Improper buffer restrictions in some Intel(R) Thunderbolt(TM) DCH drivers for Windows* before version 72 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-12324 | Intel | Unspecified vulnerability in Intel Thunderbolt DCH Driver 1.41.1054.0 Protection mechanism failure in some Intel(R) Thunderbolt(TM) DCH drivers for Windows* before version 72 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-12320 | Intel | Uncontrolled Search Path Element vulnerability in Intel SCS Add-On for Microsoft Sccm 2.1.10 Uncontrolled search path in Intel(R) SCS Add-on for Microsoft* SCCM before version 2.1.10 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-8760 | Intel Netapp | Integer Overflow or Wraparound vulnerability in multiple products Integer overflow in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 14.0.45 may allow a privileged user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-8750 | Intel | Use After Free vulnerability in Intel Trusted Execution Engine 3.0/3.1.75/4.0.25 Use after free in Kernel Mode Driver for Intel(R) TXE versions before 3.1.80 and 4.0.30 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-8744 | Intel Siemens | Improper Initialization vulnerability in multiple products Improper initialization in subsystem for Intel(R) CSME versions before 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel(R) TXE versions before 4.0.30, Intel(R) SPS versions before E3_05.01.04.200 may allow a privileged user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-8739 | Intel Netapp | Use of potentially dangerous function in Intel BIOS platform sample code for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-13771 | Ivanti | Uncontrolled Search Path Element vulnerability in Ivanti Endpoint Manager Various components in Ivanti Endpoint Manager through 2020.1.1 rely on Windows search order when loading a (nonexistent) library file, allowing (under certain conditions) one to gain code execution (and elevation of privileges to the level of privilege held by the vulnerable component such as NT AUTHORITY\SYSTEM) via DLL hijacking. | 7.8 |
2020-11-12 | CVE-2020-13770 | Ivanti | Incorrect Default Permissions vulnerability in Ivanti Endpoint Manager Several services are accessing named pipes in Ivanti Endpoint Manager through 2020.1.1 with default or overly permissive security attributes; as these services run as user ‘NT AUTHORITY\SYSTEM’, the issue can be used to escalate privileges from a local standard or service account having SeImpersonatePrivilege (eg. | 7.8 |
2020-11-12 | CVE-2020-12354 | Intel | Incorrect Default Permissions vulnerability in Intel Active Management Technology Software Development KIT Incorrect default permissions in Windows(R) installer in Intel(R) AMT SDK versions before 14.0.0.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-12318 | Intel | Unspecified vulnerability in Intel Proset/Wireless Wifi Protection mechanism failure in some Intel(R) PROSet/Wireless WiFi products before version 21.110 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-12307 | Intel | Incorrect Default Permissions vulnerability in Intel High Definition Audio Driver Improper permissions in some Intel(R) High Definition Audio drivers before version 9.21.00.4561 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-12306 | Intel | Incorrect Default Permissions vulnerability in Intel Realsense D400 Series Dynamic Calibration Tool Incorrect default permissions in the Intel(R) RealSense(TM) D400 Series Dynamic Calibration Tool before version 2.11, may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-12304 | Intel | Unspecified vulnerability in Intel Dynamic Application Loader Software Development KIT Improper access control in Installer for Intel(R) DAL SDK before version 2.1 for Windows may allow an authenticated user to potentially enable escalation of privileges via local access. | 7.8 |
2020-11-12 | CVE-2020-12303 | Intel | Use After Free vulnerability in Intel products Use after free in DAL subsystem for Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel(R) TXE 3.1.80, 4.0.30 may allow an authenticated user to potentially enable escalation of privileges via local access. | 7.8 |
2020-11-12 | CVE-2020-12297 | Intel | Unspecified vulnerability in Intel products Improper access control in Installer for Intel(R) CSME Driver for Windows versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel TXE 3.1.80, 4.0.30 may allow an authenticated user to potentially enable escalation of privileges via local access. | 7.8 |
2020-11-12 | CVE-2020-0590 | Intel Netapp Siemens | Improper Input Validation vulnerability in multiple products Improper input validation in BIOS firmware for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2019-11121 | Intel | Incorrect Permission Assignment for Critical Resource vulnerability in Intel Media SDK 2018 Improper file permissions in the installer for the Intel(R) Media SDK for Windows before version 2019 R1 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2020-11-12 | CVE-2020-7331 | Mcafee | Unquoted Search Path or Element vulnerability in Mcafee Endpoint Security Unquoted service executable path in McAfee Endpoint Security (ENS) prior to 10.7.0 November 2020 Update allows local users to cause a denial of service and malicious file execution via carefully crafted and named executable files. | 7.8 |
2020-11-12 | CVE-2020-3632 | Qualcomm | Improper Validation of Array Index vulnerability in Qualcomm products Incorrect validation of ring context fetched from host memory can lead to memory overflow in Snapdragon Compute, Snapdragon Mobile in QSM8350, SC7180, SDX55, SDX55M, SM6150, SM6250, SM6250P, SM7125, SM7150, SM7150P, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR2130, SXR2130P | 7.8 |
2020-11-12 | CVE-2020-11208 | Qualcomm | Integer Underflow (Wrap or Wraparound) vulnerability in Qualcomm products Out of Bound issue in DSP services while processing received arguments due to improper validation of length received as an argument in SD820, SD821, SD820, QCS603, QCS605, SDA855, SA6155P, SA6145P, SA6155, SA6155P, SD855, SD 675, SD660, SD429, SD439 | 7.8 |
2020-11-12 | CVE-2020-11207 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Buffer overflow in LibFastCV library due to improper size checks with respect to buffer length in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in APQ8052, APQ8056, APQ8076, APQ8096, APQ8096SG, APQ8098, MDM9655, MSM8952, MSM8956, MSM8976, MSM8976SG, MSM8996, MSM8996SG, MSM8998, QCM4290, QCM6125, QCS410, QCS4290, QCS610, QCS6125, QSM8250, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SC7180, SDA640, SDA660, SDA845, SDA855, SDM640, SDM660, SDM830, SDM845, SDM850, SDX50M, SDX55, SDX55M, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SXR2130, SXR2130P | 7.8 |
2020-11-12 | CVE-2020-11206 | Qualcomm | Unspecified vulnerability in Qualcomm products Possible buffer overflow in Fastrpc while handling received parameters due to lack of validation on input parameters in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in APQ8098, MSM8998, QCM4290, QCM6125, QCS410, QCS4290, QCS610, QCS6125, QSM8250, QSM8350, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SC7180, SDA640, SDA660, SDA845, SDA855, SDM640, SDM660, SDM830, SDM845, SDM850, SDX50M, SDX55, SDX55M, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR2130, SXR2130P | 7.8 |
2020-11-12 | CVE-2020-11205 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products Possible integer overflow to heap overflow while processing command due to lack of check of packet length received in Snapdragon Auto, Snapdragon Compute, Snapdragon Mobile in QSM8350, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155P, SA8195P, SDX55M, SM8250, SM8350, SM8350P, SXR2130, SXR2130P | 7.8 |
2020-11-12 | CVE-2020-11202 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Buffer overflow/underflow occurs when typecasting the buffer passed by CPU internally in the library which is not aligned with the actual size of the structure in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in QCM6125, QCS410, QCS603, QCS605, QCS610, QCS6125, SA6145P, SA6155, SA6155P, SA8155, SA8155P, SDA640, SDA670, SDA845, SDM640, SDM670, SDM710, SDM830, SDM845, SDX50M, SDX55, SDX55M, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM7125, SM7150, SM7150P, SM8150, SM8150P | 7.8 |
2020-11-12 | CVE-2020-11201 | Qualcomm | Improper Input Validation vulnerability in Qualcomm products Arbitrary access to DSP memory due to improper check in loaded library for data received from CPU side in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in QCM6125, QCS410, QCS603, QCS605, QCS610, QCS6125, SA6145P, SA6155, SA6155P, SA8155, SA8155P, SDA640, SDA845, SDM640, SDM830, SDM845, SDX50M, SDX55, SDX55M, SM6125, SM6150, SM6250, SM6250P, SM7125, SM7150, SM7150P, SM8150, SM8150P | 7.8 |
2020-11-12 | CVE-2020-11175 | Qualcomm | Use After Free vulnerability in Qualcomm products Use after free issue in Bluetooth transport driver when a method in the object is accessed after the object has been deleted due to improper timer handling in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8009W, MSM8909W, QCS605, QM215, SA6155, SA6155P, SA8155, SA8155P, SDA640, SDA670, SDA855, SDM1000, SDM640, SDM670, SDM710, SDM845, SDX50M, SDX55, SDX55M, SM6125, SM6350, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SXR1120, SXR1130, SXR2130, SXR2130P | 7.8 |
2020-11-12 | CVE-2020-11131 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products Possible buffer overflow in WMA message processing due to integer overflow occurs when processing command received from user space in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in APQ8009, APQ8053, APQ8096AU, MDM9206, MDM9250, MDM9628, MDM9640, MDM9650, MSM8996AU, QCS405, SDA845, SDX20, SDX20M, WCD9330 | 7.8 |
2020-11-12 | CVE-2020-11130 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Possible buffer overflow in WIFI hal process due to copying data without checking the buffer length in Snapdragon Auto, Snapdragon Compute, Snapdragon Industrial IOT, Snapdragon Mobile in QCM4290, QCS4290, QM215, QSM8350, SA6145P, SA6155, SA6155P, SA8155, SA8155P, SC8180X, SC8180XP, SDX55, SDX55M, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6250, SM6350, SM7125, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR2130, SXR2130P | 7.8 |
2020-11-12 | CVE-2020-11127 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products Integer overflow can cause a buffer overflow due to lack of table length check in the extensible boot Loader during the validation of security metadata while processing objects to be loaded in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in MDM9205, QCM4290, QCS405, QCS410, QCS4290, QCS610, QSM8250, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SC7180, SC8180X, SC8180X+SDX55, SC8180XP, SDA640, SDA845, SDA855, SDM1000, SDM640, SDM830, SDM845, SDM850, SDX24, SDX50M, SDX55, SDX55M, SM4125, SM4250, SM4250P, SM6115, SM6115P, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SXR2130, SXR2130P | 7.8 |
2020-11-12 | CVE-2020-11121 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Possible buffer overflow in WIFI hal process due to usage of memcpy without checking length of destination buffer in Snapdragon Auto, Snapdragon Compute, Snapdragon Industrial IOT, Snapdragon Mobile in QCM4290, QCS4290, QM215, QSM8350, SA6145P, SA6155, SA6155P, SA8155, SA8155P, SC8180X, SC8180XP, SDX55, SDX55M, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6250, SM6350, SM7125, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR2130, SXR2130P | 7.8 |
2020-11-11 | CVE-2020-5992 | Nvidia | Uncontrolled Search Path Element vulnerability in Nvidia Geforce NOW NVIDIA GeForce NOW application software on Windows, all versions prior to 2.0.25.119, contains a vulnerability in its open-source software dependency in which the OpenSSL library is vulnerable to binary planting attacks by a local user, which may lead to code execution or escalation of privileges. | 7.8 |
2020-11-10 | CVE-2020-24367 | Bluestacks | Incorrect Permission Assignment for Critical Resource vulnerability in Bluestacks Incorrect file permissions in BlueStacks 4 through 4.230 on Windows allow a local attacker to escalate privileges by modifying a file that is later executed by a higher-privileged user. | 7.8 |
2020-11-10 | CVE-2020-23968 | Ilex | Link Following vulnerability in Ilex International Sign&Go 7.1 Ilex International Sign&go Workstation Security Suite 7.1 allows elevation of privileges via a symlink attack on ProgramData\Ilex\S&G\Logs\000-sngWSService1.log. | 7.8 |
2020-11-10 | CVE-2020-28055 | TCL | Incorrect Permission Assignment for Critical Resource vulnerability in TCL products A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below by TCL Technology Group Corporation allows a local unprivileged attacker, such as a malicious App, to read & write to the /data/vendor/tcl, /data/vendor/upgrade, and /var/TerminalManager directories within the TV file system. | 7.8 |
2020-11-10 | CVE-2020-26817 | SAP | Out-of-bounds Write vulnerability in SAP 3D Visual Enterprise Viewer 9 SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated HPGL file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation. | 7.8 |
2020-11-10 | CVE-2020-0439 | Google | Missing Authorization vulnerability in Google Android In generatePackageInfo of PackageManagerService.java, there is a possible permissions bypass due to an incorrect permission check. | 7.8 |
2020-11-10 | CVE-2020-0438 | Google | Missing Initialization of Resource vulnerability in Google Android 10.0/11.0 In the AIBinder_Class constructor of ibinder.cpp, there is a possible arbitrary code execution due to uninitialized data. | 7.8 |
2020-11-10 | CVE-2020-0418 | Google | Unspecified vulnerability in Google Android 10.0 In getPermissionInfosForGroup of Utils.java, there is a logic error. | 7.8 |
2020-11-10 | CVE-2020-0409 | Google | Integer Overflow or Wraparound vulnerability in Google Android In create of FileMap.cpp, there is a possible out of bounds write due to an integer overflow. | 7.8 |
2020-11-09 | CVE-2020-4759 | IBM | Improper Neutralization of Formula Elements in a CSV File vulnerability in IBM Filenet Content Manager 5.5.4/5.5.5 IBM FileNet Content Manager 5.5.4 and 5.5.5 is potentially vulnerable to CSV Injection. | 7.8 |
2020-11-09 | CVE-2020-27977 | Capasystems | Unspecified vulnerability in Capasystems Capainstaller CapaSystems CapaInstaller before 6.0.101 does not properly assign, modify, or check privileges for an actor who attempts to edit registry values, allowing an attacker to escalate privileges. | 7.8 |
2020-11-15 | CVE-2020-28268 | Controlled Merge Project | Unspecified vulnerability in Controlled-Merge Project Controlled-Merge Prototype pollution vulnerability in 'controlled-merge' versions 1.0.0 through 1.2.0 allows attacker to cause a denial of service and may lead to remote code execution. | 7.5 |
2020-11-13 | CVE-2020-27217 | Eclipse | Unspecified vulnerability in Eclipse Hono 1.3.0/1.4.0 In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received from devices. | 7.5 |
2020-11-13 | CVE-2020-8583 | Netapp | Unspecified vulnerability in Netapp Element OS and HCI Element Software versions prior to 12.2 and HCI versions prior to 1.8P1 are susceptible to a vulnerability which could allow an attacker to discover sensitive information by intercepting its transmission within an https session. | 7.5 |
2020-11-13 | CVE-2020-6019 | Valvesoftware | Unspecified vulnerability in Valvesoftware Game Networking Sockets 1.0.0/1.1.0 Valve's Game Networking Sockets prior to version v1.2.0 improperly handles inlined statistics messages in function CConnectionTransportUDPBase::Received_Data(), leading to an exception thrown from libprotobuf and resulting in a crash. | 7.5 |
2020-11-13 | CVE-2020-25165 | BD | Unspecified vulnerability in BD Alaris 8015 PCU Firmware and Alaris Systems Manager BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier and BD Alaris Systems Manager, Versions 4.33 and earlier. The affected products are vulnerable to a network session authentication vulnerability within the authentication process between specified versions of the BD Alaris PC Unit and the BD Alaris Systems Manager. | 7.5 |
2020-11-13 | CVE-2020-25155 | Nexcom | Cleartext Transmission of Sensitive Information vulnerability in Nexcom NIO 50 Firmware The affected product transmits unencrypted sensitive information, which may allow an attacker to access this information on the NIO 50 (all versions). | 7.5 |
2020-11-13 | CVE-2020-25151 | Nexcom | Unspecified vulnerability in Nexcom NIO 50 Firmware The affected product does not properly validate input, which may allow an attacker to execute a denial-of-service attack on the NIO 50 (all versions). | 7.5 |
2020-11-13 | CVE-2020-1847 | Huawei | Unspecified vulnerability in Huawei products There is a denial of service vulnerability in some Huawei products. | 7.5 |
2020-11-12 | CVE-2020-15783 | Siemens | Unspecified vulnerability in Siemens products A vulnerability has been identified in SIMATIC S7-300 CPU family (incl. | 7.5 |
2020-11-12 | CVE-2020-24454 | Intel | XXE vulnerability in Intel Quartus Prime Improper Restriction of XML External Entity Reference in subsystem for Intel(R) Quartus(R) Prime Pro Edition before version 20.3 and Intel(R) Quartus(R) Prime Standard Edition before version 20.2 may allow an unauthenticated user to potentially enable information disclosure via network access. | 7.5 |
2020-11-12 | CVE-2020-8754 | Intel Netapp | Out-of-bounds Read vulnerability in multiple products Out-of-bounds read in subsystem for Intel(R) AMT, Intel(R) ISM versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable information disclosure via network access. | 7.5 |
2020-11-12 | CVE-2020-8753 | Intel | Out-of-bounds Read vulnerability in Intel Active Management Technology Firmware Out-of-bounds read in DHCP subsystem for Intel(R) AMT, Intel(R) ISM versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable information disclosure via network access. | 7.5 |
2020-11-12 | CVE-2020-24573 | BAB Technologie | Resource Exhaustion vulnerability in Bab-Technologie Eibport Firmware 3.8.2 BAB TECHNOLOGIE GmbH eibPort V3 prior to 3.8.3 devices allow denial of service (Uncontrolled Resource Consumption) via requests to the lighttpd component. | 7.5 |
2020-11-12 | CVE-2019-17566 | Apache Oracle | Server-Side Request Forgery (SSRF) vulnerability in multiple products Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. | 7.5 |
2020-11-12 | CVE-2020-2022 | Paloaltonetworks | Improper Privilege Management vulnerability in Paloaltonetworks Pan-Os An information exposure vulnerability exists in Palo Alto Networks Panorama software that discloses the token for the Panorama web interface administrator's session to a managed device when the Panorama administrator performs a context switch into that device. | 7.5 |
2020-11-11 | CVE-2020-27523 | Mersive | Use of Externally-Controlled Format String vulnerability in Mersive Solstice POD Firmware Solstice-Pod up to 5.0.2 WEBRTC server mishandles the format-string specifiers %x; %p; %c and %s in the screen_key, display_name, browser_name, and operation_system parameter during the authentication process. | 7.5 |
2020-11-10 | CVE-2020-26810 | SAP | Unspecified vulnerability in SAP Commerce Cloud (Accelerator Payment Mock) SAP Commerce Cloud (Accelerator Payment Mock), versions - 1808, 1811, 1905, 2005, allows an unauthenticated attacker to submit a crafted request over a network to a particular SAP Commerce module URL which will be processed without further interaction, the crafted request can render the SAP Commerce service itself unavailable leading to Denial of Service with no impact on confidentiality or integrity. | 7.5 |
2020-11-10 | CVE-2020-28267 | SET Project | Unspecified vulnerability in SET Project SET 1.0.0 Prototype pollution vulnerability in '@strikeentco/set' version 1.0.0 allows attacker to cause a denial of service and may lead to remote code execution. | 7.5 |
2020-11-10 | CVE-2020-0442 | Google | Improper Input Validation vulnerability in Google Android In Message and toBundle of Notification.java, there is a possible UI slowdown or crash due to improper input validation. | 7.5 |
2020-11-10 | CVE-2020-0441 | Google | Resource Exhaustion vulnerability in Google Android In Message and toBundle of Notification.java, there is a possible resource exhaustion due to improper input validation. | 7.5 |
2020-11-09 | CVE-2020-14366 | Redhat | Path Traversal vulnerability in Redhat Keycloak A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the url path to the file path. | 7.5 |
2020-11-09 | CVE-2020-8268 | Json8 Merge Patch Project | Improper Input Validation vulnerability in Json8-Merge-Patch Project Json8-Merge-Patch Prototype pollution vulnerability in json8-merge-patch npm package < 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor. | 7.5 |
2020-11-13 | CVE-2020-21667 | Fastadmin TP6 Project | SQL Injection vulnerability in Fastadmin-Tp6 Project Fastadmin-Tp6 1.0 In fastadmin-tp6 v1.0, in the file app/admin/controller/Ajax.php the 'table' parameter passed is not filtered so a malicious parameter can be passed for SQL injection. | 7.2 |
2020-11-12 | CVE-2020-26805 | Sapplica | SQL Injection vulnerability in Sapplica Sentrifugo 3.2 In Sentrifugo 3.2, admin can edit employee's information via this endpoint --> /sentrifugo/index.php/empadditionaldetails/edit/userid/2. | 7.2 |
2020-11-12 | CVE-2020-2000 | Paloaltonetworks | OS Command Injection vulnerability in Paloaltonetworks Pan-Os An OS command injection and memory corruption vulnerability in the PAN-OS management web interface that allows authenticated administrators to disrupt system processes and potentially execute arbitrary code and OS commands with root privileges. | 7.2 |
2020-11-11 | CVE-2020-4685 | IBM | Unspecified vulnerability in IBM Cognos Controller A low level user of IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, 10.4.1, and 10.4.2 who has Administration rights to the server where the application is installed, can escalate their privilege from Low level to Super Admin and gain access to Create/Update/Delete any level of user in Cognos Controller. | 7.2 |
2020-11-11 | CVE-2020-7329 | Mcafee | Server-Side Request Forgery (SSRF) vulnerability in Mcafee Mvision Endpoint Server-side request forgery vulnerability in the ePO extension in McAfee MVISION Endpoint prior to 20.11 allows remote attackers to trigger server-side DNS requests to arbitrary domains via carefully constructed XML files loaded by an ePO administrator. | 7.2 |
2020-11-11 | CVE-2020-7328 | Mcafee | Server-Side Request Forgery (SSRF) vulnerability in Mcafee Mvision Endpoint External entity attack vulnerability in the ePO extension in McAfee MVISION Endpoint prior to 20.11 allows remote attackers to gain control of a resource or trigger arbitrary code execution via improper input validation of an HTTP request, where the content for the attack has been loaded into ePO by an ePO administrator. | 7.2 |
2020-11-10 | CVE-2020-24063 | Canto | Server-Side Request Forgery (SSRF) vulnerability in Canto 1.3.0 The Canto plugin 1.3.0 for WordPress allows includes/lib/download.php?subdomain= SSRF. | 7.2 |
2020-11-10 | CVE-2020-26820 | SAP | Unrestricted Upload of File with Dangerous Type vulnerability in SAP Netweaver Application Server Java SAP NetWeaver AS JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authenticated as an administrator to use the administrator console, to expose unauthenticated access to the file system and upload a malicious file. | 7.2 |
2020-11-10 | CVE-2020-26808 | SAP | Unspecified vulnerability in SAP AS Abap(Dmis) and SAP S4 Hana(Dmis) SAP AS ABAP(DMIS), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA(DMIS), versions - 101, 102, 103, 104, 105, allows an authenticated attacker to inject arbitrary code into function module leading to code injection that can be executed in the application which affects the confidentiality, availability and integrity of the application. | 7.2 |
2020-11-12 | CVE-2020-11132 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Buffer over read in boot due to size check ignored before copying GUID attribute from request to response in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8096AU, APQ8098, MDM8207, MDM9150, MDM9205, MDM9206, MDM9207, MDM9250, MDM9607, MDM9628, MDM9650, MSM8108, MSM8208, MSM8209, MSM8608, MSM8905, MSM8909, MSM8998, QCM4290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QSM8250, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SC7180, SC8180X, SC8180X+SDX55, SC8180XP, SDA640, SDA670, SDA845, SDA855, SDM1000, SDM640, SDM670, SDM710, SDM712, SDM830, SDM845, SDM850, SDX24, SDX50M, SDX55, SDX55M, SM4125, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SXR1120, SXR1130, SXR2130, SXR2130P, WCD9330 | 7.1 |
2020-11-11 | CVE-2020-27524 | Audi | Use of Externally-Controlled Format String vulnerability in Audi MMI Multiplayer N+Rcnaup0395 On Audi A7 MMI 2014 vehicles, the Bluetooth stack in Audi A7 MMI Multiplayer with version (N+R_CN_AU_P0395) mishandles %x and %s format string specifiers in a device name. | 7.1 |
2020-11-09 | CVE-2020-24400 | Magento | Unspecified vulnerability in Magento Magento versions 2.4.0 and 2.3.5 (and earlier) are affected by an SQL Injection vulnerability that could lead to sensitive information disclosure. | 7.1 |
131 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-11-10 | CVE-2020-5388 | Dell | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dell Inspiron 15 7579 Firmware Dell Inspiron 15 7579 2-in-1 BIOS versions prior to 1.31.0 contain an Improper SMM communication buffer verification vulnerability. | 6.9 |
2020-11-12 | CVE-2020-8745 | Intel Siemens | Insufficient control flow management in subsystem for Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel(R) TXE versions before 3.1.80 and 4.0.30 may allow an unauthenticated user to potentially enable escalation of privilege via physical access. | 6.8 |
2020-11-12 | CVE-2020-8737 | Intel | Unspecified vulnerability in Intel Quartus Prime and Stratix 10 Fpga Firmware Improper buffer restrictions in the Intel(R) Stratix(R) 10 FPGA firmware provided with the Intel(R) Quartus(R) Prime Pro software before version 20.1 may allow an unauthenticated user to potentially enable escalation of privilege and/or information disclosure via physical access. | 6.8 |
2020-11-12 | CVE-2020-8705 | Intel | Insecure Default Initialization of Resource vulnerability in Intel products Insecure default initialization of resource in Intel(R) Boot Guard in Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel(R) TXE versions before 3.1.80 and 4.0.30, Intel(R) SPS versions before E5_04.01.04.400, E3_04.01.04.200, SoC-X_04.00.04.200 and SoC-A_04.00.04.300 may allow an unauthenticated user to potentially enable escalation of privileges via physical access. | 6.8 |
2020-11-12 | CVE-2020-12355 | Intel | Authentication Bypass by Capture-replay vulnerability in Intel Trusted Execution Engine Authentication bypass by capture-replay in RPMB protocol message authentication subsystem in Intel(R) TXE versions before 4.0.30 may allow an unauthenticated user to potentially enable escalation of privilege via physical access. | 6.8 |
2020-11-12 | CVE-2020-12312 | Intel | Unspecified vulnerability in Intel Quartus Prime PRO and Stratix 10 Fpga Firmware Improper buffer restrictions in the Intel(R) Stratix(R) 10 FPGA firmware provided with the Intel(R) Quartus(R) Prime Pro software before version 20.2 may allow an unauthenticated user to potentially enable escalation of privilege via physical access. | 6.8 |
2020-11-10 | CVE-2020-16125 | Gnome | Improper Check for Unusual or Exceptional Conditions vulnerability in Gnome Display Manager gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu (and potentially derivatives) this could be chained with an additional issue that could allow a local user to create a new privileged account. | 6.8 |
2020-11-13 | CVE-2020-0599 | Intel | Unspecified vulnerability in Intel products Improper access control in the PMC for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2020-11-13 | CVE-2020-9129 | Huawei | Out-of-bounds Write vulnerability in Huawei Mate 30 Firmware HUAWEI Mate 30 versions earlier than 10.1.0.159(C00E159R7P2) have a vulnerability of improper buffer operation. | 6.7 |
2020-11-13 | CVE-2020-9127 | Huawei | Command Injection vulnerability in Huawei products Some Huawei products have a command injection vulnerability. | 6.7 |
2020-11-12 | CVE-2020-12337 | Intel | Unspecified vulnerability in Intel products Improper buffer restrictions in firmware for some Intel(R) NUCs may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2020-11-12 | CVE-2020-12323 | Intel | Improper Input Validation vulnerability in Intel Adas IE Improper input validation in the Intel(R) ADAS IE before version ADAS_IE_1.0.766 may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2020-11-12 | CVE-2020-0572 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in the firmware for Intel(R) Server Board S2600ST and S2600WF families may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2020-11-12 | CVE-2020-8764 | Intel Netapp | Improper access control in BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2020-11-12 | CVE-2020-8757 | Intel Netapp | Out-of-bounds Read vulnerability in multiple products Out-of-bounds read in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2020-11-12 | CVE-2020-8756 | Intel | Improper Input Validation vulnerability in Intel Converged Security and Manageability Engine Improper input validation in subsystem for Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2020-11-12 | CVE-2020-8740 | Intel Netapp | Out-of-bounds Write vulnerability in multiple products Out of bounds write in Intel BIOS platform sample code for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2020-11-12 | CVE-2020-8738 | Intel Netapp | Improper Check for Unusual or Exceptional Conditions vulnerability in multiple products Improper conditions check in Intel BIOS platform sample code for some Intel(R) Processors before may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2020-11-12 | CVE-2020-8693 | Intel | Unspecified vulnerability in Intel products Improper buffer restrictions in the firmware of the Intel(R) Ethernet 700 Series Controllers may allow a privileged user to potentially enable escalation of privilege and/or denial of service via local access. | 6.7 |
2020-11-12 | CVE-2020-8692 | Intel | Unspecified vulnerability in Intel products Insufficient access control in the firmware of the Intel(R) Ethernet 700 Series Controllers before version 7.3 may allow a privileged user to potentially enable escalation of privilege and/or denial of service via local access. | 6.7 |
2020-11-12 | CVE-2020-8691 | Intel | Unspecified vulnerability in Intel products A logic issue in the firmware of the Intel(R) Ethernet 700 Series Controllers may allow a privileged user to potentially enable escalation of privilege and/or denial of service via local access. | 6.7 |
2020-11-12 | CVE-2020-8690 | Intel | Unspecified vulnerability in Intel products Protection mechanism failure in Intel(R) Ethernet 700 Series Controllers before version 7.3 may allow a privileged user to potentially enable escalation of privilege and/or denial of service via local access. | 6.7 |
2020-11-12 | CVE-2020-8676 | Intel | Unspecified vulnerability in Intel Visual Compute Accelerator 2 Firmware Improper access control in the Intel(R) Visual Compute Accelerator 2, all versions, may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2020-11-12 | CVE-2020-0593 | Intel | Unspecified vulnerability in Intel Bios Improper buffer restrictions in BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2020-11-12 | CVE-2020-0592 | Intel | Out-of-bounds Write vulnerability in Intel Bios Out of bounds write in BIOS firmware for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege and/or denial of service via local access. | 6.7 |
2020-11-12 | CVE-2020-0591 | Intel Siemens | Improper buffer restrictions in BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2020-11-12 | CVE-2020-0588 | Intel | Improper Check for Unusual or Exceptional Conditions vulnerability in Intel Bios Improper conditions check in BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2020-11-12 | CVE-2020-0587 | Intel | Improper Check for Unusual or Exceptional Conditions vulnerability in Intel Bios Improper conditions check in BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2020-11-11 | CVE-2020-8354 | Lenovo | Unspecified vulnerability in Lenovo Notebook Firmware A potential vulnerability in the SMI callback function used in the VariableServiceSmm driver in some Lenovo Notebook models may allow arbitrary code execution. | 6.7 |
2020-11-11 | CVE-2020-8353 | Lenovo | Unspecified vulnerability in Lenovo products Prior to August 10, 2020, some Lenovo Desktop and Workstation systems were shipped with the Embedded Host Based Configuration (EHBC) feature of Intel AMT enabled. | 6.7 |
2020-11-13 | CVE-2020-26223 | Spreecommerce | Unspecified vulnerability in Spreecommerce Spree Spree is a complete open source e-commerce solution built with Ruby on Rails. | 6.5 |
2020-11-13 | CVE-2020-8582 | Netapp | Unspecified vulnerability in Netapp Element OS and HCI Element Software versions prior to 12.2 and HCI versions prior to 1.8P1 are susceptible to a vulnerability which could allow an authenticated user to view sensitive information. | 6.5 |
2020-11-13 | CVE-2020-7032 | Avaya | XXE vulnerability in Avaya Aura System Manager and Weblm An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. | 6.5 |
2020-11-12 | CVE-2020-8669 | Intel | Improper Input Validation vulnerability in Intel Data Center Manager Improper input validation in the Intel(R) Data Center Manager Console before version 3.6.2 may allow an authenticated user to potentially enable information disclosure via network access. | 6.5 |
2020-11-12 | CVE-2020-12353 | Intel | Improper Preservation of Permissions vulnerability in Intel Data Center Manager Improper permissions in the Intel(R) Data Center Manager Console before version 3.6.2 may allow an authenticated user to potentially enable denial of service via network access. | 6.5 |
2020-11-12 | CVE-2020-12349 | Intel | Improper Input Validation vulnerability in Intel Data Center Manager Improper input validation in the Intel(R) Data Center Manager Console before version 3.6.2 may allow an authenticated user to potentially enable information disclosure via network access. | 6.5 |
2020-11-12 | CVE-2020-8766 | Intel | Improper Check for Unusual or Exceptional Conditions vulnerability in Intel Software Guard Extensions Data Center Attestation Primitives Improper conditions check in the Intel(R) SGX DCAP software before version 1.6 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.5 |
2020-11-12 | CVE-2020-8746 | Intel Netapp | Integer Overflow or Wraparound vulnerability in multiple products Integer overflow in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.5 |
2020-11-12 | CVE-2020-12322 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in some Intel(R) Wireless Bluetooth(R) products before version 21.110 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.5 |
2020-11-12 | CVE-2020-12319 | Intel | Unspecified vulnerability in Intel Proset/Wireless Wifi Insufficient control flow management in some Intel(R) PROSet/Wireless WiFi products before version 21.110 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.5 |
2020-11-12 | CVE-2020-12317 | Intel | Unspecified vulnerability in Intel Proset/Wireless Wifi Improper buffer restriction in some Intel(R) PROSet/Wireless WiFi products before version 21.110 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.5 |
2020-11-12 | CVE-2020-12314 | Intel | Improper Input Validation vulnerability in Intel Proset/Wireless Wifi Improper input validation in some Intel(R) PROSet/Wireless WiFi products before version 21.110 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.5 |
2020-11-12 | CVE-2020-12308 | Intel | Unspecified vulnerability in Intel Computing Improvement Program Improper access control for the Intel(R) Computing Improvement Program before version 2.4.5982 may allow an unprivileged user to potentially enable information disclosure via network access. | 6.5 |
2020-11-10 | CVE-2020-27403 | TCL | Information Exposure vulnerability in TCL products A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below by TCL Technology Group Corporation allows an attacker on the adjacent network to arbitrarily browse and download sensitive files over an insecure web server running on port 7989 that lists all files & directories. | 6.5 |
2020-11-10 | CVE-2020-0450 | Google | Improper Initialization vulnerability in Google Android In rw_i93_sm_format of rw_i93.cc, there is a possible out of bounds read due to uninitialized data. | 6.5 |
2020-11-09 | CVE-2020-9300 | Netflix | Unspecified vulnerability in Netflix Dispatch The Access Control issues include allowing a regular user to view a restricted incident, user role escalation to admin, users adding themselves as a participant in a restricted incident, and users able to view restricted incidents via the search feature. | 6.5 |
2020-11-09 | CVE-2020-25655 | Redhat | Incorrect Authorization vulnerability in Redhat Advanced Cluster Management for Kubernetes 2.0 An issue was discovered in ManagedClusterView API, that could allow secrets to be disclosed to users without the correct permissions. | 6.5 |
2020-11-09 | CVE-2020-28349 | Chirpstack | Improper Input Validation vulnerability in Chirpstack Network Server 3.9.0 An inaccurate frame deduplication process in ChirpStack Network Server 3.9.0 allows a malicious gateway to perform uplink Denial of Service via malformed frequency attributes in CollectAndCallOnceCollect in internal/uplink/collect.go. | 6.5 |
2020-11-09 | CVE-2020-24401 | Magento | Unspecified vulnerability in Magento Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. | 6.5 |
2020-11-12 | CVE-2020-12926 | AMD | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in AMD Trusted Platform Modules Reference The Trusted Platform Modules (TPM) reference software may not properly track the number of times a failed shutdown happens. | 6.4 |
2020-11-12 | CVE-2020-8755 | Intel | Race Condition vulnerability in Intel products Race condition in subsystem for Intel(R) CSME versions before 12.0.70 and 14.0.45, Intel(R) SPS versions before E5_04.01.04.400 and E3_05.01.04.200 may allow an unauthenticated user to potentially enable escalation of privilege via physical access. | 6.4 |
2020-11-12 | CVE-2020-0584 | Intel | Classic Buffer Overflow vulnerability in Intel products Buffer overflow in firmware for Intel(R) SSD DC P4800X and P4801X Series, Intel(R) Optane(TM) SSD 900P and 905P Series may allow an unauthenticated user to potentially enable a denial of service via local access. | 6.2 |
2020-11-13 | CVE-2020-26825 | SAP | Cross-site Scripting vulnerability in SAP Fiori Launchpad (News Tile Application) SAP Fiori Launchpad (News tile Application), versions - 750,751,752,753,754,755, allows an unauthorized attacker to use SAP Fiori Launchpad News tile Application to send malicious code, to a different end user (victim), because News tile does not sufficiently encode user controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability. | 6.1 |
2020-11-12 | CVE-2020-27193 | Ckeditor Oracle | Cross-site Scripting vulnerability in multiple products A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs. | 6.1 |
2020-11-12 | CVE-2020-28415 | Tranzware Payment Gateway Project | Cross-site Scripting vulnerability in Tranzware Payment Gateway Project Tranzware Payment Gateway 3.1.12.3.2 A reflected cross-site scripting (XSS) vulnerability exists in the TranzWare Payment Gateway 3.1.12.3.2. | 6.1 |
2020-11-12 | CVE-2020-28414 | Tranzware Payment Gateway Project | Cross-site Scripting vulnerability in Tranzware Payment Gateway Project Tranzware Payment Gateway 3.1.12.3.2 A reflected cross-site scripting (XSS) vulnerability exists in the TranzWare Payment Gateway 3.1.12.3.2. | 6.1 |
2020-11-12 | CVE-2020-24443 | Adobe | Unspecified vulnerability in Adobe Connect Adobe Connect version 11.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. | 6.1 |
2020-11-12 | CVE-2020-24442 | Adobe | Unspecified vulnerability in Adobe Connect Adobe Connect version 11.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. | 6.1 |
2020-11-12 | CVE-2020-25706 | Cacti Debian | A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field | 6.1 |
2020-11-12 | CVE-2020-13954 | Apache Netapp Oracle | Cross-site Scripting vulnerability in multiple products By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. | 6.1 |
2020-11-11 | CVE-2020-26221 | Touchbase AI Project | Unspecified vulnerability in Touchbase.Ai Project Touchbase.Ai 1.1.0 touchbase.ai before version 2.0 is vulnerable to Cross-Site Scripting (XSS). | 6.1 |
2020-11-11 | CVE-2020-26219 | Touchbase AI Project | Unspecified vulnerability in Touchbase.Ai Project Touchbase.Ai 1.1.0 touchbase.ai before version 2.0 is vulnerable to Open Redirect. | 6.1 |
2020-11-11 | CVE-2020-26218 | Touchbase AI Project | Unspecified vulnerability in Touchbase.Ai Project Touchbase.Ai 1.1.0 touchbase.ai before version 2.0 is vulnerable to Cross-Site Scripting. | 6.1 |
2020-11-09 | CVE-2020-28364 | Locust | Cross-site Scripting vulnerability in Locust A stored cross-site scripting (XSS) vulnerability affects the Web UI in Locust before 1.3.2, if the installation violates the usage expectations by exposing this UI to outside users. | 6.1 |
2020-11-09 | CVE-2020-24353 | Pega | Cross-site Scripting vulnerability in Pega Platform Pega Platform before 8.4.0 has a XSS issue via stream rule parameters used in the request header. | 6.1 |
2020-11-09 | CVE-2020-28351 | Mitel | Cross-site Scripting vulnerability in Mitel Shoretel Firmware 19.46.1802.0 The conferencing component on Mitel ShoreTel 19.46.1802.0 devices could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack (via the PATH_INFO to index.php) due to insufficient validation for the time_zone object in the HOME_MEETING& page. | 6.1 |
2020-11-12 | CVE-2020-25658 | Python RSA Project Redhat Fedoraproject | It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. | 5.9 |
2020-11-12 | CVE-2020-12912 | AMD | Information Exposure Through Discrepancy vulnerability in AMD Energy Driver for Linux A potential vulnerability in the AMD extension to Linux "hwmon" service may allow an attacker to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. | 5.5 |
2020-11-12 | CVE-2020-24460 | Intel | Incorrect Default Permissions vulnerability in Intel Driver & Support Assistant Incorrect default permissions in the Intel(R) DSA before version 20.8.30.6 may allow an authenticated user to potentially enable denial of service via local access. | 5.5 |
2020-11-12 | CVE-2020-12326 | Intel | Improper Initialization vulnerability in Intel Thunderbolt DCH Driver 1.41.1054.0 Improper initialization in some Intel(R) Thunderbolt(TM) DCH drivers for Windows* before version 72 may allow an authenticated user to potentially enable information disclosure via local access. | 5.5 |
2020-11-12 | CVE-2020-12316 | Intel | Insufficiently Protected Credentials vulnerability in Intel Endpoint Management Assistant 1.3.1/1.3.2/1.3.2.1 Insufficiently protected credentials in the Intel(R) EMA before version 1.3.3 may allow an authorized user to potentially enable information disclosure via local access. | 5.5 |
2020-11-12 | CVE-2020-0573 | Intel | Out-of-bounds Read vulnerability in Intel Csi2 Host Controller Out of bounds read in the Intel CSI2 Host Controller driver may allow an authenticated user to potentially enable information disclosure via local access. | 5.5 |
2020-11-12 | CVE-2020-8767 | Intel | Improper Handling of Exceptional Conditions vulnerability in Intel Quartus Prime Uncaught exception in the Intel(R) 50GbE IP Core for Intel(R) Quartus Prime before version 20.2 may allow an authenticated user to potentially enable denial of service via local access. | 5.5 |
2020-11-12 | CVE-2020-8698 | Intel Netapp Fedoraproject Debian Siemens | Exposure of Resource to Wrong Sphere vulnerability in multiple products Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. | 5.5 |
2020-11-12 | CVE-2020-8696 | Intel Netapp Fedoraproject Debian | Improper Cross-boundary Removal of Sensitive Data vulnerability in multiple products Improper removal of sensitive information before storage or transfer in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. | 5.5 |
2020-11-12 | CVE-2020-8695 | Intel Fedoraproject Debian | Information Exposure Through Discrepancy vulnerability in multiple products Observable discrepancy in the RAPL interface for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access. | 5.5 |
2020-11-12 | CVE-2020-8694 | Intel | Unspecified vulnerability in Intel products Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. | 5.5 |
2020-11-12 | CVE-2020-0575 | Intel | Unspecified vulnerability in Intel Unite Improper buffer restrictions in the Intel(R) Unite Client for Windows* before version 4.2.13064 may allow an authenticated user to potentially enable information disclosure via local access. | 5.5 |
2020-11-12 | CVE-2020-24441 | Adobe | Unspecified vulnerability in Adobe Acrobat Reader 20.6.0/20.6.2 Adobe Acrobat Reader for Android version 20.6.2 (and earlier) does not properly restrict access to directories created by the application. | 5.5 |
2020-11-12 | CVE-2020-11209 | Qualcomm | Incorrect Authorization vulnerability in Qualcomm products Improper authorization in DSP process could allow unauthorized users to downgrade the library versions in SD820, SD821, SD820, QCS603, QCS605, SDA855, SA6155P, SA6145P, SA6155, SA6155P, SD855, SD 675, SD660, SD429, SD439 | 5.5 |
2020-11-12 | CVE-2020-11123 | Qualcomm | Unspecified vulnerability in Qualcomm products Information disclosure in gatekeeper trustzone implementation as the throttling mechanism to prevent brute force attempts at getting user's lock-screen password can be bypassed by performing the standard gatekeeper operations in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8009W, APQ8017, APQ8037, APQ8053, APQ8064AU, APQ8096, APQ8096AU, APQ8096SG, APQ8098, MDM8207, MDM9150, MDM9205, MDM9206, MDM9207, MDM9250, MDM9607, MDM9628, MDM9640, MDM9650, MDM9655, MSM8108, MSM8208, MSM8209, MSM8608, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8996SG, MSM8998, QCM4290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QM215, QSM8250, QSM8350, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SC7180, SC8180X, SC8180XP, SDA429W, SDA640, SDA660, SDA670, SDA845, SDA855, SDM1000, SDM429, SDM429W, SDM439, SDM450, SDM455, SDM630, SDM632, SDM636, SDM640, SDM660, SDM670, SDM710, SDM712, SDM830, SDM845, SDM850, SDW2500, SDX24, SDX50M, SDX55, SDX55M, SM4125, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR1120, SXR1130, SXR2130, SXR2130P, WCD9330 | 5.5 |
2020-11-11 | CVE-2020-16127 | Freedesktop | Infinite Loop vulnerability in Freedesktop Accountsservice An Ubuntu-specific modification to AccountsService in versions before 0.6.55-0ubuntu13.2, among other earlier versions, would perform unbounded read operations on user-controlled ~/.pam_environment files, allowing an infinite loop if /dev/zero is symlinked to this location. | 5.5 |
2020-11-10 | CVE-2020-12485 | Vivo | Out-of-bounds Read vulnerability in Vivo Frame Touch Module 10 The frame touch module does not validate parameter lengths when processing specific parameters, which causes an out-of-bounds memory access. The vulnerability eventually leads to a local DoS on the device. | 5.5 |
2020-11-10 | CVE-2020-4568 | IBM | Insufficiently Protected Credentials vulnerability in IBM Security KEY Lifecycle Manager 3.0/3.0.1/4.0 IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, and 4.0 stores user credentials in plain clear text, which can be read by a local user. | 5.5 |
2020-11-10 | CVE-2020-0454 | Google | Missing Authorization vulnerability in Google Android 9.0 In callCallbackForRequest of ConnectivityService.java, there is a possible permission bypass due to a missing permission check. | 5.5 |
2020-11-10 | CVE-2020-0453 | Google | Unspecified vulnerability in Google Android 8.0/8.1/9.0 In updateNotification of BeamTransferManager.java, there is a possible permission bypass due to an unsafe PendingIntent. | 5.5 |
2020-11-10 | CVE-2020-0448 | Google | Missing Authorization vulnerability in Google Android In getPhoneAccountsForPackage of TelecomServiceImpl.java, there is a possible way to access a tracking identifier due to a missing permission check. | 5.5 |
2020-11-10 | CVE-2020-0443 | Google | Improper Handling of Exceptional Conditions vulnerability in Google Android In LocaleList of LocaleList.java, there is a possible forced reboot due to an uncaught exception. | 5.5 |
2020-11-10 | CVE-2020-0437 | Google | Missing Authorization vulnerability in Google Android In CellBroadcastReceiver's intent handlers, there is a possible denial of service due to a missing permission check. | 5.5 |
2020-11-10 | CVE-2020-0424 | Google | Out-of-bounds Read vulnerability in Google Android 10.0/11.0/9.0 In send_vc of res_send.cpp, there is a possible out of bounds read due to an incorrect bounds check. | 5.5 |
2020-11-09 | CVE-2020-27019 | Trendmicro | Missing Authentication for Critical Function vulnerability in Trendmicro Interscan Messaging Security Virtual Appliance 8.5.1.1516/9.0/9.1 Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an information disclosure vulnerability which could allow an attacker to access a specific database and key. | 5.5 |
2020-11-09 | CVE-2020-27018 | Trendmicro | Server-Side Request Forgery (SSRF) vulnerability in Trendmicro Interscan Messaging Security Virtual Appliance 8.5.1.1516/9.0/9.1 Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to a server side request forgery vulnerability which could allow an authenticated attacker to abuse the product's web server and grant access to web resources or parts of local files. | 5.5 |
2020-11-09 | CVE-2020-23139 | Microweber | Improper Authentication vulnerability in Microweber 1.1.18 Microweber 1.1.18 is affected by broken authentication and session management. | 5.5 |
2020-11-09 | CVE-2020-23136 | Microweber | Insufficient Session Expiration vulnerability in Microweber 1.1.18 Microweber v1.1.18 is affected by no session expiry after log-out. | 5.5 |
2020-11-09 | CVE-2020-8276 | Brave | Cleartext Storage of Sensitive Information vulnerability in Brave The implementation of Brave Desktop's privacy-preserving analytics system (P3A) between 1.1 and 1.18.35 logged the timestamp of when the user last opened an incognito window, including Tor windows. | 5.5 |
2020-11-13 | CVE-2020-7033 | Avaya | Cross-site Scripting vulnerability in Avaya Equinox Conferencing 9.0.0/9.1.9 A Cross Site Scripting (XSS) Vulnerability on the Unified Portal Client (web client) used in Avaya Equinox Conferencing can allow an authenticated user to perform XSS attacks. | 5.4 |
2020-11-11 | CVE-2020-15275 | Moinmo | Unspecified vulnerability in Moinmo Moinmoin MoinMoin is a wiki engine. | 5.4 |
2020-11-10 | CVE-2020-25267 | Ilias | Cross-site Scripting vulnerability in Ilias 6.4.0 An XSS issue exists in the question-pool file-upload preview feature in ILIAS 6.4. | 5.4 |
2020-11-10 | CVE-2020-28409 | Dundas | Cross-site Scripting vulnerability in Dundas BI 5.0.1.1010/8.0.0.1001 The server in Dundas BI through 8.0.0.1001 allows XSS via addition of a Component (e.g., a button) when events such as click, hover, etc. | 5.4 |
2020-11-10 | CVE-2020-28408 | Dundas | Cross-site Scripting vulnerability in Dundas BI 5.0.1.1010/8.0.0.1001 The server in Dundas BI through 8.0.0.1001 allows XSS via an HTML label when creating or editing a dashboard. | 5.4 |
2020-11-10 | CVE-2020-4760 | IBM | Cross-site Scripting vulnerability in IBM Content Navigator 3.0.0 IBM Content Navigator 3.0CD is vulnerable to cross-site scripting. | 5.4 |
2020-11-10 | CVE-2020-4704 | IBM | Cross-site Scripting vulnerability in IBM Content Navigator 3.0.0 IBM Content Navigator 3.0CD is vulnerable to stored cross-site scripting. | 5.4 |
2020-11-09 | CVE-2020-9299 | Netflix | Cross-site Scripting vulnerability in Netflix Dispatch There were XSS vulnerabilities discovered and reported in the Dispatch application, affecting name and description parameters of Incident Priority, Incident Type, Tag Type, and Incident Filter. | 5.4 |
2020-11-13 | CVE-2020-7962 | Oneidentity | Information Exposure Through Discrepancy vulnerability in Oneidentity Password Manager 5.8 An issue was discovered in One Identity Password Manager 5.8. | 5.3 |
2020-11-13 | CVE-2020-26230 | Radarcovid | Unspecified vulnerability in Radarcovid Radar-Covid-Backend-Dp3T-Server and Radarcovid Radar COVID is the official COVID-19 exposure notification app for Spain. | 5.3 |
2020-11-12 | CVE-2020-17494 | Untangle | Inadequate Encryption Strength vulnerability in Untangle Firewall NG Untangle Firewall NG before 16.0 uses MD5 for passwords. | 5.3 |
2020-11-12 | CVE-2020-28247 | Lettre | Unspecified vulnerability in Lettre The lettre library through 0.10.0-alpha for Rust allows arbitrary sendmail option injection via transport/sendmail/mod.rs. | 5.3 |
2020-11-12 | CVE-2020-1999 | Paloaltonetworks | Improper Check for Unusual or Exceptional Conditions vulnerability in Paloaltonetworks Pan-Os A vulnerability exists in the Palo Alto Network PAN-OS signature-based threat detection engine that allows an attacker to communicate with devices in the network in a way that is not analyzed for threats by sending data through specifically crafted TCP packets. | 5.3 |
2020-11-10 | CVE-2020-26811 | SAP | Server-Side Request Forgery (SSRF) vulnerability in SAP Commerce Cloud (Accelerator Payment Mock) SAP Commerce Cloud (Accelerator Payment Mock), versions - 1808, 1811, 1905, 2005, allows an unauthenticated attacker to submit a crafted request over a network to a particular SAP Commerce module URL which will be processed without further interaction, the crafted request leads to Server Side Request Forgery attack which could lead to retrieval of limited pieces of information about the service with no impact on integrity or availability. | 5.3 |
2020-11-10 | CVE-2020-26809 | SAP | Incorrect Default Permissions vulnerability in SAP Commerce Cloud SAP Commerce Cloud, versions- 1808,1811,1905,2005, allows an attacker to bypass existing authentication and permission checks via the '/medias' endpoint hence gaining access to Secure Media folders. | 5.3 |
2020-11-09 | CVE-2020-8133 | Nextcloud | Improper Verification of Cryptographic Signature vulnerability in Nextcloud Server 19.0.1 A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file. | 5.3 |
2020-11-10 | CVE-2020-26814 | SAP | Unspecified vulnerability in SAP Process Integration (Pgp Module - Business-To-Business ADD On) 1.0 SAP Process Integration (PGP Module - Business-to-Business Add On), version - 1.0, allows an attacker to read PGP Keys under certain conditions in the PGP Module of Business-to-Business Add-On, these keys can then be used to read messages processed by the module leading to Information Disclosure. | 4.9 |
2020-11-09 | CVE-2020-27017 | Trendmicro | XXE vulnerability in Trendmicro Interscan Messaging Security Virtual Appliance 8.5.1.1516/9.0/9.1 Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. | 4.9 |
2020-11-12 | CVE-2020-7333 | Mcafee | Cross-site Scripting vulnerability in Mcafee Endpoint Security Cross site scripting vulnerability in the firewall ePO extension of McAfee Endpoint Security (ENS) prior to 10.7.0 November 2020 Update allows administrators to inject arbitrary web script or HTML via the configuration wizard. | 4.8 |
2020-11-09 | CVE-2020-4651 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Maximo Spatial Asset Management IBM Maximo Spatial Asset Management 7.6.0.3, 7.6.0.4, 7.6.0.5, and 7.6.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | 4.8 |
2020-11-12 | CVE-2020-8761 | Intel | Inadequate Encryption Strength vulnerability in Intel Converged Security and Manageability Engine Inadequate encryption strength in subsystem for Intel(R) CSME versions before 13.0.40 and 13.30.10 may allow an unauthenticated user to potentially enable information disclosure via physical access. | 4.6 |
2020-11-12 | CVE-2020-8751 | Intel | Unspecified vulnerability in Intel products Insufficient control flow management in subsystem for Intel(R) CSME versions before 11.8.80, Intel(R) TXE versions before 3.1.80 may allow an unauthenticated user to potentially enable information disclosure via physical access. | 4.6 |
2020-11-12 | CVE-2020-12311 | Intel | Unspecified vulnerability in Intel products Insufficient control flow management in firmware in some Intel(R) Client SSDs and some Intel(R) Data Center SSDs may allow an unauthenticated user to potentially enable information disclosure via physical access. | 4.6 |
2020-11-12 | CVE-2020-12310 | Intel | Unspecified vulnerability in Intel products Insufficient control flow management in firmware in some Intel(R) Client SSDs and some Intel(R) Data Center SSDs may allow an unauthenticated user to potentially enable information disclosure via physical access. | 4.6 |
2020-11-12 | CVE-2020-12309 | Intel | Insufficiently Protected Credentials vulnerability in Intel products Insufficiently protected credentials in subsystem in some Intel(R) Client SSDs and some Intel(R) Data Center SSDs may allow an unauthenticated user to potentially enable information disclosure via physical access. | 4.6 |
2020-11-12 | CVE-2020-12328 | Intel | Unspecified vulnerability in Intel Thunderbolt DCH Driver 1.41.1054.0 Protection mechanism failure in some Intel(R) Thunderbolt(TM) DCH drivers for Windows* before version 72 may allow a privileged user to potentially enable information disclosure via local access. | 4.4 |
2020-11-12 | CVE-2020-12327 | Intel | Insecure Default Initialization of Resource vulnerability in Intel Thunderbolt DCH Driver 1.41.1054.0 Insecure default variable initialization in some Intel(R) Thunderbolt(TM) DCH drivers for Windows* before version 72 may allow a privileged user to potentially enable information disclosure via local access. | 4.4 |
2020-11-12 | CVE-2020-8677 | Intel | Unspecified vulnerability in Intel Visual Compute Accelerator 2 Firmware Improper access control in the Intel(R) Visual Compute Accelerator 2, all versions, may allow a privileged user to potentially enable denial of service via local access. | 4.4 |
2020-11-12 | CVE-2020-12356 | Intel Netapp | Out-of-bounds Read vulnerability in multiple products Out-of-bounds read in subsystem in Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow a privileged user to potentially enable information disclosure via local access. | 4.4 |
2020-11-12 | CVE-2020-9128 | Huawei | Inadequate Encryption Strength vulnerability in Huawei Fusioncompute 8.0.0 FusionCompute versions 8.0.0 have an insecure encryption algorithm vulnerability. | 4.4 |
2020-11-10 | CVE-2020-28368 | XEN Fedoraproject Debian | Missing Authorization vulnerability in multiple products Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a "Platypus" attack. | 4.4 |
2020-11-09 | CVE-2020-27693 | Trendmicro | Use of Password Hash With Insufficient Computational Effort vulnerability in Trendmicro Interscan Messaging Security Virtual Appliance 8.5.1.1516/9.0/9.1 Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 stores administrative passwords using a hash that is considered outdated. | 4.4 |
2020-11-13 | CVE-2020-6157 | Opera | Unspecified vulnerability in Opera Touch Opera Touch for iOS before version 2.4.5 is vulnerable to an address bar spoofing attack. | 4.3 |
2020-11-10 | CVE-2020-6316 | SAP | Missing Authorization vulnerability in SAP ERP and S/4Hana SAP ERP and SAP S/4 HANA allows an authenticated user to see cost records to objects to which he has no authorization in PS reporting, leading to Missing Authorization check. | 4.3 |
2020-11-09 | CVE-2020-24405 | Magento | Unspecified vulnerability in Magento Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions issue vulnerability in the Inventory module. | 4.3 |
2020-11-09 | CVE-2020-8150 | Nextcloud | Missing Encryption of Sensitive Data vulnerability in Nextcloud Server A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files. | 4.1 |
10 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-11-09 | CVE-2020-24406 | Magento | Path Traversal vulnerability in Magento When in maintenance mode, Magento version 2.4.0 and 2.3.4 (and earlier) are affected by an information disclosure vulnerability that could expose the installation path during build deployments. | 3.7 |
2020-11-11 | CVE-2020-26220 | Touchbase AI Project | Unspecified vulnerability in Touchbase.Ai Project Touchbase.Ai 1.1.0 touchbase.ai before version 2.0 leaks information by not stripping EXIF data from images. | 3.5 |
2020-11-13 | CVE-2020-4886 | IBM | Insecure Storage of Sensitive Information vulnerability in IBM Infosphere Information Server 11.7 IBM InfoSphere Information Server 11.7 stores sensitive information in the browser's history that could be obtained by a user who has access to the same system. | 3.3 |
2020-11-12 | CVE-2020-2048 | Paloaltonetworks | Information Exposure Through Log Files vulnerability in Paloaltonetworks Pan-Os An information exposure through log file vulnerability exists where the password for the configured system proxy server for a PAN-OS appliance may be displayed in cleartext when using the CLI in Palo Alto Networks PAN-OS software. | 3.3 |
2020-11-11 | CVE-2020-16126 | Freedesktop | Unspecified vulnerability in Freedesktop Accountsservice An Ubuntu-specific modification to AccountsService in versions before 0.6.55-0ubuntu13.2, among other earlier versions, improperly dropped the ruid, allowing untrusted users to send signals to AccountsService, thus stopping it from handling D-Bus messages in a timely fashion. | 3.3 |
2020-11-10 | CVE-2020-26807 | SAP | Incorrect Default Permissions vulnerability in SAP ERP Client for E-Bilanz 1.0 SAP ERP Client for E-Bilanz, version - 1.0, installation sets incorrect default filesystem permissions on its installation folder, which allows anyone to modify the files in the folder. | 3.3 |
2020-11-09 | CVE-2020-4650 | IBM | Insecure Storage of Sensitive Information vulnerability in IBM Maximo Spatial Asset Management IBM Maximo Spatial Asset Management 7.6.0.3, 7.6.0.4, 7.6.0.5, and 7.6.1.0 allows web pages to be stored locally which can be read by another user on the system. | 3.3 |
2020-11-09 | CVE-2020-24404 | Magento | Unspecified vulnerability in Magento Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. | 2.7 |
2020-11-09 | CVE-2020-24403 | Magento | Unspecified vulnerability in Magento Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. | 2.7 |
2020-11-11 | CVE-2020-8352 | Lenovo | Unspecified vulnerability in Lenovo products In some Lenovo Desktop models, the Configuration Change Detection BIOS setting failed to detect SATA configuration changes. | 2.4 |