CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In January 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2012-1261 79 2 XSS 2020-01-09 2020-01-14
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in cgi-bin/scrut_fa_exclusions.cgi in Plixer International Scrutinizer NetFlow and sFlow Analyzer 8.6.2.16204 and other versions before 9.0.1.19899 allows remote attackers to inject arbitrary web script or HTML via the standalone parameter.
2 CVE-2012-1260 79 2 XSS 2020-01-09 2020-01-22
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in cgi-bin/userprefs.cgi in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allows remote attackers to inject arbitrary web script or HTML via the newUser parameter. NOTE: this might not be a vulnerability, since an administrator might already have the privileges to create arbitrary script.
3 CVE-2012-1259 89 2 Exec Code Sql 2020-01-09 2020-01-24
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allow remote attackers to execute arbitrary SQL commands via the (1) addip parameter to cgi-bin/scrut_fa_exclusions.cgi, (2) getPermissionsAndPreferences parameter to cgi-bin/login.cgi, or (3) possibly certain parameters to d4d/alarms.php as demonstrated by the search_str parameter.
4 CVE-2012-1258 287 2 2020-01-09 2020-01-22
4.0
None Remote Low ??? None Partial None
cgi-bin/userprefs.cgi in Plixer International Scrutinizer NetFlow & sFlow Analyzer before 9.0.1.19899 does not validate user permissions, which allow remote attackers to add user accounts with administrator privileges via the newuser, pwd, and selectedUserGroup parameters.
5 CVE-2015-0558 311 1 2020-01-14 2020-01-24
5.0
None Remote Low Not required None Partial None
The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with firmware PDG_TEF_SP_4.06L.6, and possibly other routers, uses "1236790" and the MAC address to generate the WPA key.
6 CVE-2014-8322 787 1 Exec Code Overflow 2020-01-31 2020-02-05
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in the tcp_test function in aireplay-ng.c in Aircrack-ng before 1.2 RC 1 allows remote attackers to execute arbitrary code via a crafted length parameter value.
7 CVE-2014-5140 89 1 Sql 2020-01-03 2020-01-14
6.5
None Remote Low ??? Partial Partial Partial
The bindReplace function in the query factory in includes/classes/database.php in Loaded Commerce 7 does not properly handle : (colon) characters, which allows remote authenticated users to conduct SQL injection attacks via the First name and Last name fields in the address book.
8 CVE-2013-7185 119 1 Overflow Mem. Corr. 2020-01-14 2020-01-24
6.8
None Remote Medium Not required Partial Partial Partial
PotPlayer 1.5.40688: .avi File Memory Corruption
9 CVE-2013-6231 269 1 2020-01-10 2020-01-21
9.0
None Remote Low ??? Complete Complete Complete
SpagoBI before 4.1 has Privilege Escalation via an error in the AdapterHTTP script
10 CVE-2013-6225 22 1 Exec Code Dir. Trav. 2020-01-13 2020-01-17
7.5
None Remote Low Not required Partial Partial Partial
LiveZilla 5.0.1.4 has a Remote Code Execution vulnerability
11 CVE-2013-5656 787 1 Overflow 2020-01-07 2020-01-08
4.6
None Local Low Not required Partial Partial Partial
FuzeZip 1.0.0.131625 has a Local Buffer Overflow vulnerability
12 CVE-2013-4865 352 1 CSRF 2020-01-28 2020-02-04
4.3
None Remote Medium Not required None Partial None
Cross-site request forgery (CSRF) vulnerability in upgrade_step2.sh in MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to hijack the authentication of users for requests that install arbitrary firmware via the squashfs parameter.
13 CVE-2013-4864 918 1 2020-01-28 2020-02-04
7.5
None Remote Low Not required Partial Partial Partial
MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to send HTTP requests to intranet servers via the url parameter to cgi-bin/cmh/proxy.sh, related to a Server-Side Request Forgery (SSRF) issue.
14 CVE-2013-4863 287 1 Exec Code 2020-01-28 2020-02-04
9.0
None Remote Low ??? Complete Complete Complete
The HomeAutomationGateway service in MiCasaVerde VeraLite with firmware 1.5.408 allows (1) remote attackers to execute arbitrary Lua code via a RunLua action in a request to upnp/control/hag on port 49451 or (2) remote authenticated users to execute arbitrary Lua code via a RunLua action in a request to port_49451/upnp/control/hag.
15 CVE-2013-4862 863 1 2020-01-28 2020-02-04
5.5
None Remote Low ??? Partial Partial None
MiCasaVerde VeraLite with firmware 1.5.408 does not properly restrict access, which allows remote authenticated users to (1) update the firmware via the squashfs parameter to upgrade_step2.sh or (2) obtain hashed passwords via the cgi-bin/cmh/backup.sh page.
16 CVE-2013-4861 22 1 Dir. Trav. 2020-01-28 2020-02-04
4.0
None Remote Low ??? Partial None None
Directory traversal vulnerability in cgi-bin/cmh/get_file.sh in MiCasaVerde VeraLite with firmware 1.5.408 allows remote authenticated users to read arbirary files via a .. (dot dot) in the filename parameter.
17 CVE-2013-3317 287 1 Bypass 2020-01-29 2020-02-01
10.0
None Remote Low Not required Complete Complete Complete
Netgear WNR1000v3 with firmware before 1.0.2.60 contains an Authentication Bypass via the NtgrBak key.
18 CVE-2013-3316 287 1 Bypass 2020-01-29 2020-02-01
10.0
None Remote Low Not required Complete Complete Complete
Netgear WNR1000v3 with firmware before 1.0.2.60 contains an Authentication Bypass due to the server skipping checks for URLs containing a ".jpg".
19 CVE-2013-3214 74 1 2020-01-28 2020-01-31
7.5
None Remote Low Not required Partial Partial Partial
vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'.
20 CVE-2013-3212 74 1 Exec Code 2020-01-28 2020-02-03
6.8
None Remote Medium Not required Partial Partial Partial
vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allows remote attackers to view files and execute local script code.
21 CVE-2013-2748 434 1 2020-01-28 2020-02-05
7.5
None Remote Low Not required Partial Partial Partial
Belkin Wemo Switch before WeMo_US_2.00.2176.PVT could allow remote attackers to upload arbitrary files onto the system.
22 CVE-2013-2574 863 1 +Info 2020-01-29 2020-02-04
5.0
None Remote Low Not required Partial None None
An Access vulnerability exists in FOSCAM IP Camera FI8620 due to insufficient access restrictions in the /tmpfs/ and /log/ directories, which could let a malicious user obtain sensitive information.
23 CVE-2013-2572 798 1 Bypass 2020-01-29 2020-01-31
5.0
None Remote Low Not required Partial None None
A Security Bypass vulnerability exists in TP-LINK IP Cameras TL-SC 3130, TL-SC 3130G, 3171G, 4171G, and 3130 1.6.18P12 due to default hard-coded credentials for the administrative Web interface, which could let a malicious user obtain unauthorized access to CGI files.
24 CVE-2013-2571 20 1 Exec Code 2020-01-28 2020-02-06
7.5
None Remote Low Not required Partial Partial Partial
Iris 3.8 before build 1548, as used in Xpient point of sale (POS) systems, allows remote attackers to execute arbitrary commands via a crafted request to TCP port 7510, as demonstrated by opening the cash drawer.
25 CVE-2013-2567 798 1 Bypass +Info 2020-01-29 2020-02-01
5.0
None Remote Low Not required Partial None None
An Authentication Bypass vulnerability exists in the web interface in Zavio IP Cameras through 1.6.03 due to a hardcoded admin account found in boa.conf, which lets a remote malicious user obtain sensitive information.
26 CVE-2013-2474 22 1 Dir. Trav. 2020-01-27 2020-01-29
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in AWS XMS 2.5 allows remote attackers to view arbitrary files via the 'what' parameter.
27 CVE-2013-2294 79 1 XSS 2020-01-30 2020-01-31
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in ViewGit before 0.0.7 allow remote repository users to inject arbitrary web script or HTML via a (1) tag name to the Shortlog table in templates/shortlog.php or branch name to the (2) Shortlog table in templates/shortlog.php or (3) Heads table in plates/summary.php.
28 CVE-2013-1599 78 1 Exec Code 2020-01-28 2021-04-27
10.0
None Remote Low Not required Complete Complete Complete
A Command Injection vulnerability exists in the /var/www/cgi-bin/rtpd.cgi script in D-Link IP Cameras DCS-3411/3430 firmware 1.02, DCS-5605/5635 1.01, DCS-1100L/1130L 1.04, DCS-1100/1130 1.03, DCS-1100/1130 1.04_US, DCS-2102/2121 1.05_RU, DCS-3410 1.02, DCS-5230 1.02, DCS-5230L 1.02, DCS-6410 1.00, DCS-7410 1.00, DCS-7510 1.00, and WCS-1100 1.02, which could let a remote malicious user execute arbitrary commands through the camera’s web interface.
29 CVE-2013-1594 200 1 +Info 2020-01-24 2020-01-28
5.0
None Remote Low Not required Partial None None
An Information Disclosure vulnerability exists via a GET request in Vivotek PT7135 IP Camera 0300a and 0400a due to wireless keys and 3rd party credentials stored in clear text.
30 CVE-2013-1592 120 1 Exec Code Overflow 2020-01-23 2020-01-31
10.0
None Remote Low Not required Complete Complete Complete
A Buffer Overflow vulnerability exists in the Message Server service _MsJ2EE_AddStatistics() function when sending specially crafted SAP Message Server packets to remote TCP ports 36NN and/or 39NN in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04, which could let a remote malicious user execute arbitrary code.
31 CVE-2012-6613 1 2020-01-25 2020-01-30
9.0
None Remote Low ??? Complete Complete Complete
D-Link DSR-250N devices with firmware 1.05B73_WW allow Persistent Root Access because of the admin password for the admin account.
32 CVE-2012-5340 190 1 Overflow 2020-01-23 2020-01-28
6.8
None Remote Medium Not required Partial Partial Partial
SumatraPDF 2.1.1/MuPDF 1.0 allows remote attackers to cause an Integer Overflow in the lex_number() function via a corrupt PDF file.
33 CVE-2012-4284 1 Exec Code 2020-01-10 2020-01-22
10.0
None Remote Low Not required Complete Complete Complete
A Privilege Escalation vulnerability exists in Viscosity 1.4.1 on Mac OS X due to a path name validation issue in the setuid-set ViscosityHelper binary, which could let a remote malicious user execute arbitrary code
34 CVE-2020-8505 352 CSRF 2020-01-31 2020-02-05
4.3
None Remote Medium Not required None Partial None
School Management Software PHP/mySQL through 2019-03-14 allows office_admin/?action=deleteadmin CSRF to delete a user.
35 CVE-2020-8504 352 CSRF 2020-01-31 2020-02-05
4.3
None Remote Medium Not required None Partial None
School Management Software PHP/mySQL through 2019-03-14 allows office_admin/?action=addadmin CSRF to add an administrative user.
36 CVE-2020-8503 639 2020-01-31 2020-02-05
3.5
None Remote Medium ??? Partial None None
Biscom Secure File Transfer (SFT) 5.0.1050 through 5.1.1067 and 6.0.1000 through 6.0.1003 allows Insecure Direct Object Reference (IDOR) by an authenticated sender because of an error in a file-upload feature. This is fixed in 5.1.1068 and 6.0.1004.
37 CVE-2020-8498 79 Exec Code XSS 2020-01-30 2020-02-03
3.5
None Remote Medium ??? None Partial None
XSS exists in the shortcode functionality of the GistPress plugin before 3.0.2 for WordPress via the includes/class-gistpress.php id parameter. This allows an attacker with the WordPress Contributor role to execute arbitrary JavaScript code with the privileges of other users (e.g., ones who have the publish_posts capability).
38 CVE-2020-8496 79 XSS 2020-01-30 2020-02-05
3.5
None Remote Medium ??? None Partial None
In Kronos Web Time and Attendance (webTA) 4.1.x and later 4.x versions before 5.0, there is a Stored XSS vulnerability by setting the Application Banner input field of the /ApplicationBanner page as an authenticated administrator.
39 CVE-2020-8495 863 +Priv 2020-01-30 2021-07-21
6.0
None Remote Medium ??? Partial Partial Partial
In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions before 4.0, the com.threeis.webta.H491delegate servlet allows an attacker with Timekeeper or Supervisor privileges to gain unauthorized administrative privileges within the application via the delegate, delegateRole, and delegatorUserId parameters.
40 CVE-2020-8494 269 +Priv 2020-01-30 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions before 4.0, the com.threeis.webta.H402editUser servlet allows an attacker with Timekeeper, Master Timekeeper, or HR Admin privileges to gain unauthorized administrative privileges within the application via the emp_id, userid, pw1, pw2, supervisor, and timekeeper parameters.
41 CVE-2020-8493 79 XSS 2020-01-30 2020-02-05
3.5
None Remote Medium ??? None Partial None
A stored XSS vulnerability in Kronos Web Time and Attendance (webTA) affects 3.8.x and later 3.x versions before 4.0 via multiple input fields (Login Message, Banner Message, and Password Instructions) of the com.threeis.webta.H261configMenu servlet via an authenticated administrator.
42 CVE-2020-8492 400 DoS 2020-01-30 2021-09-16
7.1
None Remote Medium Not required None None Complete
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
43 CVE-2020-8448 476 DoS 2020-01-30 2020-07-27
2.1
None Local Low Not required None None Partial
In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to a denial of service (NULL pointer dereference) via crafted messages written directly to the analysisd UNIX domain socket by a local user.
44 CVE-2020-8447 416 2020-01-30 2020-07-27
7.5
None Remote Low Not required Partial Partial Partial
In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to a use-after-free during processing of syscheck formatted msgs (received from authenticated remote agents and delivered to the analysisd processing queue by ossec-remoted).
45 CVE-2020-8446 22 Dir. Trav. 2020-01-30 2020-07-27
2.1
None Local Low Not required None Partial None
In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to path traversal (with write access) via crafted syscheck messages written directly to the analysisd UNIX domain socket by a local user.
46 CVE-2020-8445 20 2020-01-30 2020-07-27
10.0
None Remote Low Not required Complete Complete Complete
In OSSEC-HIDS 2.7 through 3.5.0, the OS_CleanMSG function in ossec-analysisd doesn't remove or encode terminal control characters or newlines from processed log messages. In many cases, those characters are later logged. Because newlines (\n) are permitted in messages processed by ossec-analysisd, it may be possible to inject nested events into the ossec log. Use of terminal control characters may allow obfuscating events or executing commands when viewed through vulnerable terminal emulators. This may be an unauthenticated remote attack for certain types and origins of logged data.
47 CVE-2020-8444 416 2020-01-30 2020-07-27
7.5
None Remote Low Not required Partial Partial Partial
In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to a use-after-free during processing of ossec-alert formatted msgs (received from authenticated remote agents and delivered to the analysisd processing queue by ossec-remoted).
48 CVE-2020-8443 787 Overflow 2020-01-30 2022-04-26
7.5
None Remote Low Not required Partial Partial Partial
In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to an off-by-one heap-based buffer overflow during the cleaning of crafted syslog msgs (received from authenticated remote agents and delivered to the analysisd processing queue by ossec-remoted).
49 CVE-2020-8442 787 Overflow 2020-01-30 2020-07-27
6.5
None Remote Low ??? Partial Partial Partial
In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to a heap-based buffer overflow in the rootcheck decoder component via an authenticated client.
50 CVE-2020-8440 434 Exec Code 2020-01-31 2020-02-05
7.5
None Remote Low Not required Partial Partial Partial
controllers/page_apply.php in Simplejobscript.com SJS through 1.66 is prone to unauthenticated Remote Code Execution by uploading a PHP script as a resume.
Total number of vulnerabilities : 1656   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.