CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In December 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2012-0955 295 2020-12-02 2020-12-08
5.8
None Remote Medium Not required Partial Partial None
software-properties was vulnerable to a person-in-the-middle attack due to incorrect TLS certificate validation in softwareproperties/ppa.py. software-properties didn't check TLS certificates under python2 and only checked certificates under python3 if a valid certificate bundle was provided. Fixed in software-properties version 0.92.
2 CVE-2016-9021 20 2020-12-31 2021-01-04
7.5
None Remote Low Not required Partial Partial Partial
Exponent CMS before 2.6.0 has improper input validation in storeController.php.
3 CVE-2016-9022 20 2020-12-31 2021-01-04
7.5
None Remote Low Not required Partial Partial Partial
Exponent CMS before 2.6.0 has improper input validation in usersController.php.
4 CVE-2016-9023 20 2020-12-31 2021-01-04
7.5
None Remote Low Not required Partial Partial Partial
Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php.
5 CVE-2016-9025 20 2020-12-31 2021-01-04
7.5
None Remote Low Not required Partial Partial Partial
Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php.
6 CVE-2016-9026 20 2020-12-31 2021-01-04
7.5
None Remote Low Not required Partial Partial Partial
Exponent CMS before 2.6.0 has improper input validation in fileController.php.
7 CVE-2017-2910 787 Exec Code Mem. Corr. 2020-12-02 2020-12-04
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable Out-of-bounds Write vulnerability exists in the xls_addCell function of libxls 2.0. A specially crafted xls file can cause a memory corruption resulting in remote code execution. An attacker can send malicious xls file to trigger this vulnerability.
8 CVE-2017-14451 125 Exec Code 2020-12-02 2020-12-09
7.5
None Remote Low Not required Partial Partial Partial
An exploitable out-of-bounds read vulnerability exists in libevm (Ethereum Virtual Machine) of CPP-Ethereum. A specially crafted smart contract code can cause an out-of-bounds read which can subsequently trigger an out-of-bounds write resulting in remote code execution. An attacker can create/send malicious smart contract to trigger this vulnerability.
9 CVE-2018-7580 DoS 2020-12-21 2020-12-29
5.0
None Remote Low Not required None None Partial
Philips Hue is vulnerable to a Denial of Service attack. Sending a SYN flood on port tcp/80 will freeze Philips Hue's hub and it will stop responding. The "hub" will stop operating and be frozen until the flood stops. During the flood, the user won't be able to turn on/off the lights, and all of the hub's functionality will be unresponsive. The cloud service also won't work with the hub.
10 CVE-2018-14067 77 Exec Code 2020-12-31 2021-01-06
10.0
None Remote Low Not required Complete Complete Complete
Green Packet WiMax DV-360 2.10.14-g1.0.6.1 devices allow Command Injection, with unauthenticated remote command execution, via a crafted payload to the HTTPS port, because lighttpd listens on all network interfaces (including the external Internet) by default. NOTE: this may overlap CVE-2017-9980.
11 CVE-2018-15632 20 2020-12-22 2020-12-22
8.5
None Remote Low Not required None Partial Complete
Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to initialize an empty database on which they can connect with default credentials.
12 CVE-2018-15633 79 XSS 2020-12-22 2020-12-22
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) issue in "document" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames.
13 CVE-2018-15634 79 XSS 2020-12-22 2020-12-22
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link.
14 CVE-2018-15638 79 XSS 2020-12-22 2020-12-22
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names.
15 CVE-2018-15641 79 XSS 2020-12-22 2020-12-22
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes.
16 CVE-2018-15645 732 2020-12-22 2020-12-23
4.0
None Remote Low ??? None Partial None
Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads, which may allow privilege escalation.
17 CVE-2018-16243 79 XSS 2020-12-15 2020-12-17
3.5
None Remote Medium ??? None Partial None
SolarWinds Database Performance Analyzer (DPA) 11.1.468 and 12.0.3074 have several persistent XSS vulnerabilities, related to logViewer.iwc, centralManage.cen, userAdministration.iwc, database.iwc, alertManagement.iwc, eventAnnotations.iwc, and central.cen.
18 CVE-2018-16795 352 CSRF 2020-12-31 2021-01-05
6.8
None Remote Medium Not required Partial Partial Partial
OpenEMR 5.0.1.3 allows Cross-Site Request Forgery (CSRF) via library/ajax and interface/super, as demonstrated by use of interface/super/manage_site_files.php to upload a .php file.
19 CVE-2018-19941 312 2020-12-31 2021-01-07
5.0
None Remote Low Not required Partial None None
A vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows an attacker to access sensitive information stored in cleartext inside cookies via certain widely-available tools. QNAP have already fixed this vulnerability in the following versions: QTS 4.5.1.1456 build 20201015 (and later) QuTS hero h4.5.1.1472 build 20201031 (and later) QuTScloud c4.5.2.1379 build 20200730 (and later)
20 CVE-2018-19944 319 2020-12-31 2021-01-07
5.0
None Remote Low Not required Partial None None
A cleartext transmission of sensitive information vulnerability has been reported to affect certain QTS devices. If exploited, this vulnerability allows a remote attacker to gain access to sensitive information. QNAP have already fixed this vulnerability in the following versions: QTS 4.4.3.1354 build 20200702 (and later)
21 CVE-2018-19945 22 Dir. Trav. 2020-12-31 2021-01-06
8.5
None Remote Low Not required None Partial Complete
A vulnerability has been reported to affect earlier QNAP devices running QTS 4.3.4 to 4.3.6. Caused by improper limitations of a pathname to a restricted directory, this vulnerability allows for renaming arbitrary files on the target system, if exploited. QNAP have already fixed this vulnerability in the following versions: QTS 4.3.6.0895 build 20190328 (and later) QTS 4.3.4.0899 build 20190322 (and later) This issue does not affect QTS 4.4.x or QTS 4.5.x.
22 CVE-2018-21270 125 2020-12-03 2021-02-16
5.8
None Remote Medium Not required Partial None Partial
Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).
23 CVE-2018-25001 416 2020-12-31 2021-01-05
4.0
None Remote Low ??? None Partial None
An issue was discovered in the libpulse-binding crate before 2.5.0 for Rust. proplist::Iterator can cause a use-after-free.
24 CVE-2018-1000891 400 2020-12-23 2020-12-23
5.0
None Remote Low Not required None None Partial
Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when receiving messages with invalid checksums.
25 CVE-2018-1000892 400 2020-12-23 2020-12-23
5.0
None Remote Low Not required None None Partial
Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when receiving sendheaders messages.
26 CVE-2018-1000893 400 2020-12-23 2020-12-23
5.0
None Remote Low Not required None None Partial
Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when deserializing transactions.
27 CVE-2019-4738 312 2020-12-10 2020-12-11
4.0
None Remote Low ??? Partial None None
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 and 6.0.0.0 through 6.0.3.1 discloses sensitive information to an authenticated user from the dashboard UI which could be used in further attacks against the system. IBM X-Force ID: 172753.
28 CVE-2019-7198 77 Exec Code 2020-12-10 2021-06-21
7.5
None Remote Low Not required Partial Partial Partial
This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later
29 CVE-2019-7725 502 2020-12-31 2021-01-05
7.5
None Remote Low Not required Partial Partial Partial
includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk).
30 CVE-2019-7726 89 Sql 2020-12-31 2021-01-05
7.5
None Remote Low Not required Partial Partial Partial
modules/banners/funcs/click.php in NukeViet before 4.3.04 has a SQL INSERT statement with raw header data from an HTTP request (e.g., Referer and User-Agent).
31 CVE-2019-11781 20 2020-12-22 2020-12-23
6.8
None Remote Medium Not required Partial Partial Partial
Improper input validation in portal component in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier, allows remote attackers to trick victims into modifying their account via crafted links, leading to privilege escalation.
32 CVE-2019-11782 2020-12-22 2021-11-02
4.0
None Remote Low ??? None Partial None
Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users with access to contact management to modify user accounts, leading to privilege escalation.
33 CVE-2019-11783 862 2020-12-22 2021-10-28
4.0
None Remote Low ??? Partial None None
Improper access control in mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to subscribe to arbitrary mail channels uninvited.
34 CVE-2019-11784 862 2020-12-22 2021-10-28
4.0
None Remote Low ??? Partial None None
Improper access control in mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to obtain access to arbitrary messages in conversations they were not a party to.
35 CVE-2019-11785 862 2020-12-22 2021-10-28
4.0
None Remote Low ??? Partial None None
Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records there were not given access to, and subscribe to receive future messages.
36 CVE-2019-11786 2020-12-22 2021-11-02
4.0
None Remote Low ??? None Partial None
Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to modify translated terms, which may lead to arbitrary content modification on translatable elements.
37 CVE-2019-12768 287 Bypass 2020-12-30 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on D-Link DAP-1650 devices through v1.03b07 before 1.04B02_J65H Hot Fix. Attackers can bypass authentication via forceful browsing.
38 CVE-2019-12953 200 +Info 2020-12-30 2021-07-21
5.0
None Remote Low Not required Partial None None
Dropbear 2011.54 through 2018.76 has an inconsistent failure delay that may lead to revealing valid usernames, a different issue than CVE-2018-15599.
39 CVE-2019-14476 918 2020-12-16 2020-12-18
4.0
None Remote Low ??? Partial None None
AdRem NetCrunch 10.6.0.4587 has a Server-Side Request Forgery (SSRF) vulnerability in the NetCrunch server. Every user can trick the server into performing SMB requests to other systems.
40 CVE-2019-14477 522 2020-12-16 2020-12-17
2.1
None Local Low Not required Partial None None
AdRem NetCrunch 10.6.0.4587 has Improper Credential Storage since the internal user database is readable by low-privileged users and passwords in the database are weakly encoded or encrypted.
41 CVE-2019-14478 79 Exec Code XSS 2020-12-16 2020-12-17
3.5
None Remote Medium ??? None Partial None
AdRem NetCrunch 10.6.0.4587 has a stored Cross-Site Scripting (XSS) vulnerability in the NetCrunch web client. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript code in the context of the user's browser if the victim opens or searches for a node whose "Display Name" contains an XSS payload.
42 CVE-2019-14479 732 Exec Code 2020-12-16 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
AdRem NetCrunch 10.6.0.4587 allows Remote Code Execution. In the NetCrunch web client, a read-only administrator can execute arbitrary code on the server running the NetCrunch server software.
43 CVE-2019-14480 287 Bypass 2020-12-16 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
AdRem NetCrunch 10.6.0.4587 has an Improper Session Handling vulnerability in the NetCrunch web client, which can lead to an authentication bypass or escalation of privileges.
44 CVE-2019-14481 352 CSRF 2020-12-16 2020-12-17
5.8
None Remote Medium Not required Partial Partial None
AdRem NetCrunch 10.6.0.4587 has a Cross-Site Request Forgery (CSRF) vulnerability in the NetCrunch web client. Successful exploitation requires a logged-in user to open a malicious page and leads to account takeover.
45 CVE-2019-14482 798 2020-12-16 2020-12-17
10.0
None Remote Low Not required Complete Complete Complete
AdRem NetCrunch 10.6.0.4587 has a hardcoded SSL private key vulnerability in the NetCrunch web client. The same hardcoded SSL private key is used across different customers' installations when no other SSL certificate is installed, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation.
46 CVE-2019-14483 522 2020-12-16 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
AdRem NetCrunch 10.6.0.4587 allows Credentials Disclosure. Every user can read the BSD, Linux, MacOS and Solaris private keys, private keys' passwords, and root passwords stored in the credential manager. Every administrator can read the ESX and Windows passwords stored in the credential manager.
47 CVE-2019-15078 2020-12-30 2021-01-04
5.0
None Remote Low Not required None Partial None
An issue was discovered in a smart contract implementation for AIRDROPX BORN through 2019-05-29, an Ethereum token. The name of the constructor has a typo (wrong case: XBornID versus XBORNID) that allows an attacker to change the owner of the contract and obtain cryptocurrency for free.
48 CVE-2019-15079 2020-12-30 2021-01-04
5.0
None Remote Low Not required None Partial None
A typo exists in the constructor of a smart contract implementation for EAI through 2019-06-05, an Ethereum token. This vulnerability could be used by an attacker to acquire EAI tokens for free.
49 CVE-2019-15080 2020-12-30 2021-01-04
5.0
None Remote Low Not required None None Partial
An issue was discovered in a smart contract implementation for MORPH Token through 2019-06-05, an Ethereum token. A typo in the constructor of the Owned contract (which is inherited by MORPH Token) allows attackers to acquire contract ownership. A new owner can subsequently obtain MORPH Tokens for free and can perform a DoS attack.
50 CVE-2019-15523 252 2020-12-30 2021-01-04
5.0
None Remote Low Not required None Partial None
An issue was discovered in LINBIT csync2 through 2.0. It does not correctly check for the return value GNUTLS_E_WARNING_ALERT_RECEIVED of the gnutls_handshake() function. It neglects to call this function again, as required by the design of the API.
Total number of vulnerabilities : 1530   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.