CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-9550 668 2020-11-24 2020-12-04
5.0
None Remote Low Not required Partial None None
An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. By sending a specific hel,xasf packet to the WAN interface, it is possible to open the web management interface on the WAN interface.
2 CVE-2015-9551 Exec Code 2020-11-24 2020-12-04
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. There is Remote Code Execution in the management interface via the formSysCmd sysCmd parameter.
3 CVE-2017-15680 862 2020-11-27 2020-11-28
6.4
None Remote Low Not required Partial Partial None
In Crafter CMS Crafter Studio 3.0.1 an IDOR vulnerability exists which allows unauthenticated attackers to view and modify administrative data.
4 CVE-2017-15681 22 Dir. Trav. 2020-11-27 2020-11-28
7.5
None Remote Low Not required Partial Partial Partial
In Crafter CMS Crafter Studio 3.0.1 a directory traversal vulnerability exists which allows unauthenticated attackers to overwrite files from the operating system which can lead to RCE.
5 CVE-2017-15682 79 XSS 2020-11-27 2020-11-28
4.3
None Remote Medium Not required None Partial None
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel.
6 CVE-2017-15683 91 2020-11-27 2020-11-28
5.0
None Remote Low Not required Partial None None
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.
7 CVE-2017-15684 22 Dir. Trav. 2020-11-27 2020-11-28
5.0
None Remote Low Not required Partial None None
Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the operating system.
8 CVE-2017-15685 91 2020-11-27 2020-11-28
5.0
None Remote Low Not required Partial None None
Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). An unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.
9 CVE-2017-15686 79 XSS 2020-11-27 2020-11-28
4.3
None Remote Medium Not required None Partial None
Crafter CMS Crafter Studio 3.0.1 is affected by: Cross Site Scripting (XSS), which allows remote attackers to steal users’ cookies.
10 CVE-2017-18926 787 Overflow 2020-11-06 2020-11-19
5.8
None Remote Medium Not required None Partial Partial
raptor_xml_writer_start_element_common in raptor_xml_writer.c in Raptor RDF Syntax Library 2.0.15 miscalculates the maximum nspace declarations for the XML writer, leading to heap-based buffer overflows (sometimes seen in raptor_qname_format_as_xml).
11 CVE-2018-1725 2020-11-05 2020-11-12
2.1
None Local Low Not required Partial None None
IBM QRadar SIEM 7.3 and 7.4 n a multi tenant configuration could be vulnerable to information disclosure. IBM X-Force ID: 147440.
12 CVE-2018-16719 20 DoS 2020-11-23 2020-11-25
4.6
None Local Low Not required Partial Partial Partial
In Jingyun Antivirus v2.4.2.39, the driver file (hookbody.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x00221482.
13 CVE-2018-16720 20 DoS 2020-11-23 2020-11-25
4.6
None Local Low Not required Partial Partial Partial
In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x1236001c, a related issue to CVE-2018-16304.
14 CVE-2018-16721 20 DoS 2020-11-23 2020-11-25
4.6
None Local Low Not required Partial Partial Partial
In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12360090, a related issue to CVE-2018-16306.
15 CVE-2018-16722 20 DoS 2020-11-23 2020-11-25
4.6
None Local Low Not required Partial Partial Partial
In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12360094, a related issue to CVE-2018-16305.
16 CVE-2018-16723 20 DoS 2020-11-23 2020-11-25
4.6
None Local Low Not required Partial Partial Partial
In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12364020.
17 CVE-2018-17932 294 2020-11-02 2020-11-12
10.0
None Remote Low Not required Complete Complete Complete
JUUKO K-800 (Firmware versions prior to numbers ending ...9A, ...9B, ...9C, etc.) is vulnerable to a replay attack and command forgery, which could allow attackers to replay commands, control the device, view commands, or cause the device to stop running.
18 CVE-2018-19025 294 Exec Code 2020-11-02 2020-11-12
10.0
None Remote Low Not required Complete Complete Complete
In JUUKO K-808, an attacker could specially craft a packet that encodes an arbitrary command, which could be executed on the K-808 (Firmware versions prior to numbers ending ...9A, ...9B, ...9C, etc.).
19 CVE-2018-19950 78 Exec Code 2020-11-02 2020-11-02
7.5
None Remote Low Not required Partial Partial Partial
If exploited, this command injection vulnerability could allow remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.1.13; versions prior to 5.2.9; versions prior to 5.3.11.
20 CVE-2018-19951 79 XSS 2020-11-02 2020-11-02
4.3
None Remote Medium Not required None Partial None
If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.1.13; versions prior to 5.2.9; versions prior to 5.3.11.
21 CVE-2018-19952 89 Sql +Info 2020-11-02 2020-11-04
5.0
None Remote Low Not required Partial None None
If exploited, this SQL injection vulnerability could allow remote attackers to obtain application information. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.1.13; versions prior to 5.2.9; versions prior to 5.3.11.
22 CVE-2018-19954 79 XSS 2020-11-02 2020-11-02
4.3
None Remote Medium Not required None Partial None
The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions prior to 6.0.10.
23 CVE-2018-19955 79 XSS 2020-11-02 2020-11-02
4.3
None Remote Medium Not required None Partial None
The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions prior to 6.0.10.
24 CVE-2018-19956 79 XSS 2020-11-02 2020-11-02
4.3
None Remote Medium Not required None Partial None
The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions prior to 6.0.10.
25 CVE-2018-20802 DoS 2020-11-23 2020-11-29
4.0
None Remote Low ??? None None Partial
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.9, v4.0 versions prior to 4.0.3.
26 CVE-2018-20803 835 DoS 2020-11-23 2020-12-02
4.0
None Remote Low ??? None None Partial
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10; v3.4 versions prior to 3.4.19.
27 CVE-2018-20804 20 DoS 2020-11-23 2020-11-29
4.0
None Remote Low ??? None None Partial
A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.10; v3.6 versions prior to 3.6.13.
28 CVE-2018-20805 834 DoS 2020-11-23 2020-11-29
4.0
None Remote Low ??? None None Partial
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10. This issue affects: MongoDB Inc. MongoDB Server 3.6 versions prior to 3.6.10; 4.0 versions prior to 4.0.5.
29 CVE-2019-2392 190 DoS Overflow 2020-11-23 2020-11-29
4.0
None Remote Low ??? None None Partial
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.
30 CVE-2019-2393 416 DoS 2020-11-23 2020-11-29
4.0
None Remote Low ??? None None Partial
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15.
31 CVE-2019-4349 200 +Info 2020-11-03 2020-11-10
3.6
None Local Low Not required Partial Partial None
IBM Maximo Anywhere 7.6.2.0, 7.6.2.1, 7.6.3.0, and 7.6.3.1 applications can be installed on a deprecated operating system version that could compromised the confidentiality and integrity of the service. IBM X-Force ID: 161486
32 CVE-2019-7356 79 XSS 2020-11-04 2020-11-10
3.5
None Remote Medium ??? None Partial None
Subrion CMS v4.2.1 allows XSS via the panel/phrases/ VALUE parameter.
33 CVE-2019-7357 352 CSRF 2020-11-10 2020-11-25
6.8
None Remote Medium Not required Partial Partial Partial
Subrion CMS 4.2.1 has CSRF in panel/modules/plugins/. The attacker can remotely activate/deactivate the plugins.
34 CVE-2019-11121 732 2020-11-12 2020-11-19
4.6
None Local Low Not required Partial Partial Partial
Improper file permissions in the installer for the Intel(R) Media SDK for Windows before version 2019 R1 may allow an authenticated user to potentially enable escalation of privilege via local access.
35 CVE-2019-12412 476 DoS 2020-11-19 2020-11-30
5.0
None Remote Low Not required None None Partial
A flaw in the libapreq2 v2.07 to v2.13 multipart parser can deference a null pointer leading to a process crash. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.
36 CVE-2019-14553 287 2020-11-23 2020-11-25
4.0
None Remote Low ??? Partial None None
Improper authentication in EDK II may allow a privileged user to potentially enable information disclosure via network access.
37 CVE-2019-14559 401 DoS 2020-11-23 2022-01-01
5.0
None Remote Low Not required None None Partial
Uncontrolled resource consumption in EDK II may allow an unauthenticated user to potentially enable denial of service via network access.
38 CVE-2019-14562 190 DoS Overflow 2020-11-23 2022-01-01
2.1
None Local Low Not required None None Partial
Integer overflow in DxeImageVerificationHandler() EDK II may allow an authenticated user to potentially enable denial of service via local access.
39 CVE-2019-14563 787 2020-11-23 2022-01-01
4.6
None Local Low Not required Partial Partial Partial
Integer truncation in EDK II may allow an authenticated user to potentially enable escalation of privilege via local access.
40 CVE-2019-14575 2020-11-23 2022-01-01
4.6
None Local Low Not required Partial Partial Partial
Logic issue in DxeImageVerificationHandler() for EDK II may allow an authenticated user to potentially enable escalation of privilege via local access.
41 CVE-2019-14586 416 DoS 2020-11-23 2022-01-01
5.2
None Local Network Low ??? Partial Partial Partial
Use after free vulnerability in EDK II may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via adjacent access.
42 CVE-2019-14587 DoS 2020-11-23 2022-01-01
3.3
None Local Network Low Not required None None Partial
Logic issue EDK II may allow an unauthenticated user to potentially enable denial of service via adjacent access.
43 CVE-2019-17566 918 2020-11-12 2022-04-05
5.0
None Remote Low Not required None Partial None
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
44 CVE-2019-19556 287 Bypass +Info 2020-11-16 2021-07-21
2.1
None Local Low Not required Partial None None
An authentication bypass in the debug interface in Mercedes-Benz HERMES 1 allows an attacker with physical access to device hardware to obtain system information.
45 CVE-2019-19557 922 +Info 2020-11-16 2020-11-30
2.1
None Local Low Not required Partial None None
A misconfiguration in the debug interface in Mercedes-Benz HERMES 1 allows an attacker with direct physical access to device hardware to obtain cellular modem information.
46 CVE-2019-19560 922 Bypass +Info 2020-11-16 2021-07-21
2.1
None Local Low Not required Partial None None
An authentication bypass in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with physical access to device hardware to obtain system information.
47 CVE-2019-19561 922 +Info 2020-11-16 2020-11-30
2.1
None Local Low Not required Partial None None
A misconfiguration in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with direct physical access to device hardware to obtain cellular modem information.
48 CVE-2019-19562 922 Bypass +Info 2020-11-16 2021-07-21
2.1
None Local Low Not required Partial None None
An authentication bypass in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with physical access to device hardware to obtain system information.
49 CVE-2019-19563 +Info 2020-11-16 2020-11-30
2.1
None Local Low Not required Partial None None
A misconfiguration in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with direct physical access to device hardware to obtain cellular modem information.
50 CVE-2019-19869 2020-11-27 2020-12-03
5.0
None Remote Low Not required None Partial None
An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. PVs could be changed (unencrypted) by using the IosHttp service and the JSON interface.
Total number of vulnerabilities : 1271   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.