CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In December 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2018-14067 77 Exec Code 2020-12-31 2021-01-06
10.0
None Remote Low Not required Complete Complete Complete
Green Packet WiMax DV-360 2.10.14-g1.0.6.1 devices allow Command Injection, with unauthenticated remote command execution, via a crafted payload to the HTTPS port, because lighttpd listens on all network interfaces (including the external Internet) by default. NOTE: this may overlap CVE-2017-9980.
2 CVE-2019-14482 798 2020-12-16 2020-12-17
10.0
None Remote Low Not required Complete Complete Complete
AdRem NetCrunch 10.6.0.4587 has a hardcoded SSL private key vulnerability in the NetCrunch web client. The same hardcoded SSL private key is used across different customers' installations when no other SSL certificate is installed, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation.
3 CVE-2020-2320 494 2020-12-03 2020-12-08
10.0
None Remote Low Not required Complete Complete Complete
Jenkins Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads.
4 CVE-2020-5639 22 Exec Code Dir. Trav. 2020-12-14 2020-12-15
10.0
None Remote Low Not required Complete Complete Complete
Directory traversal vulnerability in FileZen versions from V3.0.0 to V4.2.2 allows remote attackers to upload an arbitrary file in a specific directory via unspecified vectors. As a result, an arbitrary OS command may be executed.
5 CVE-2020-7199 287 DoS Exec Code +Priv Bypass 2020-12-02 2020-12-04
10.0
None Remote Low Not required Complete Complete Complete
A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration.
6 CVE-2020-8465 287 Exec Code Bypass CSRF 2020-12-17 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to manipulate system updates using a combination of CSRF bypass (CVE-2020-8461) and authentication bypass (CVE-2020-8464) to execute code as user root.
7 CVE-2020-10207 798 2020-12-29 2021-01-14
10.0
None Remote Low Not required Complete Complete Complete
Use of Hard-coded Credentials in EntoneWebEngine in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows remote attackers to retrieve and modify the device settings.
8 CVE-2020-10210 798 2020-12-29 2021-01-14
10.0
None Remote Low Not required Complete Complete Complete
Because of hard-coded SSH keys for the root user in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series, Kami7B, an attacker may remotely log in through SSH.
9 CVE-2020-12519 269 2020-12-17 2020-12-21
10.0
None Remote Low Not required Complete Complete Complete
On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS an attacker can use this vulnerability i.e. to open a reverse shell with root privileges.
10 CVE-2020-12522 78 Exec Code 2020-12-17 2020-12-23
10.0
None Remote Low Not required Complete Complete Complete
The reported vulnerability allows an attacker who has network access to the device to execute code with specially crafted packets in WAGO Series PFC 100 (750-81xx/xxx-xxx), Series PFC 200 (750-82xx/xxx-xxx), Series Wago Touch Panel 600 Standard Line (762-4xxx), Series Wago Touch Panel 600 Advanced Line (762-5xxx), Series Wago Touch Panel 600 Marine Line (762-6xxx) with firmware versions <=FW10.
11 CVE-2020-14224 787 Exec Code Overflow 2020-12-18 2020-12-22
10.0
None Remote Low Not required Complete Complete Complete
A vulnerability in the MIME message handling of the HCL Notes v9 client could potentially be exploited by an unauthenticated attacker resulting in a stack buffer overflow. This could allow a remote attacker to crash the Notes application or inject code into the system which would execute with the privileges of the currently logged-in user.
12 CVE-2020-14244 787 Exec Code Overflow 2020-12-14 2020-12-16
10.0
None Remote Low Not required Complete Complete Complete
A vulnerability in the MIME message handling of the Domino server (versions 9 and 10) could potentially be exploited by an unauthenticated attacker resulting in a stack buffer overflow. This could allow a remote attacker to crash the server or inject code into the system which would execute with the privileges of the server.
13 CVE-2020-14260 120 Exec Code Overflow 2020-12-02 2020-12-04
10.0
None Remote Low Not required Complete Complete Complete
HCL Domino is susceptible to a Buffer Overflow vulnerability in DXL due to improper validation of user input. A successful exploit could enable an attacker to crash Domino or execute attacker-controlled code on the server system.
14 CVE-2020-14268 787 Exec Code Overflow 2020-12-14 2020-12-15
10.0
None Remote Low Not required Complete Complete Complete
A vulnerability in the MIME message handling of the Notes client (versions 9 and 10) could potentially be exploited by an unauthenticated attacker resulting in a stack buffer overflow. This could allow a remote attacker to crash the client or inject code into the system which would execute with the privileges of the client.
15 CVE-2020-15357 78 Exec Code 2020-12-11 2022-04-26
10.0
None Remote Low Not required Complete Complete Complete
Network Analysis functionality in Askey AP5100W_Dual_SIG_1.01.097 and all prior versions allows remote attackers to execute arbitrary commands via a shell metacharacter in the ping, traceroute, or route options.
16 CVE-2020-17118 Exec Code 2020-12-10 2021-03-03
10.0
None Remote Low Not required Complete Complete Complete
Microsoft SharePoint Remote Code Execution Vulnerability This CVE ID is unique from CVE-2020-17121.
17 CVE-2020-19142 78 Exec Code 2020-12-10 2020-12-11
10.0
None Remote Low Not required Complete Complete Complete
iCMS 7 attackers to execute arbitrary OS commands via shell metacharacters in the DB_PREFIX parameter to install/install.php.
18 CVE-2020-19527 78 Exec Code 2020-12-10 2020-12-11
10.0
None Remote Low Not required Complete Complete Complete
iCMS 7.0.14 attackers to execute arbitrary OS commands via shell metacharacters in the DB_NAME parameter to install/install.php.
19 CVE-2020-24633 120 Exec Code Overflow 2020-12-11 2021-11-18
10.0
None Remote Low Not required Complete Complete Complete
There are multiple buffer overflow vulnerabilities that could lead to unauthenticated remote code execution by sending especially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211) of access-points or controllers in Aruba 9000 Gateway; Aruba 7000 Series Mobility Controllers; Aruba 7200 Series Mobility Controllers version(s): 2.1.0.1, 2.2.0.0 and below; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below.
20 CVE-2020-24634 77 2020-12-11 2021-11-18
10.0
None Remote Low Not required Complete Complete Complete
An attacker is able to remotely inject arbitrary commands by sending especially crafted packets destined to the PAPI (Aruba Networks AP Management protocol) UDP port (8211) of access-pointsor controllers in Aruba 9000 Gateway; Aruba 7000 Series Mobility Controllers; Aruba 7200 Series Mobility Controllers version(s): 2.1.0.1, 2.2.0.0 and below; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below ; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below.
21 CVE-2020-24679 20 Exec Code 2020-12-22 2021-10-07
10.0
None Remote Low Not required Complete Complete Complete
A S+ Operations and S+ Historian service is subject to a DoS by special crafted messages. An attacker might use this flaw to make it crash or even execute arbitrary code on the machine where the service is hosted.
22 CVE-2020-25094 74 2020-12-17 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
LogRhythm Platform Manager 7.4.9 allows Command Injection. To exploit this, an attacker can inject arbitrary program names and arguments into a WebSocket. These are forwarded to any remote server with a LogRhythm Smart Response agent installed. By default, the commands are run with LocalSystem privileges.
23 CVE-2020-25187 787 Exec Code Overflow 2020-12-14 2020-12-15
10.0
None Remote Low Not required Complete Complete Complete
Medtronic MyCareLink Smart 25000 all versions are vulnerable when an attacker who gains auth runs a debug command, which is sent to the reader causing heap overflow in the MCL Smart Reader stack. A heap overflow allows attacker to remotely execute code on the MCL Smart Reader, could lead to control of device.
24 CVE-2020-25228 306 2020-12-14 2020-12-16
10.0
None Remote Low Not required Complete Complete Complete
A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). A service available on port 10005/tcp of the affected devices could allow complete access to all services without authorization. An attacker could gain full control over an affected device, if he has access to this service. The system manual recommends to protect access to this port.
25 CVE-2020-25848 522 2020-12-31 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
HGiga MailSherlock contains weak authentication flaw that attackers grant privilege remotely with default password generation mechanism.
26 CVE-2020-26201 521 2020-12-10 2020-12-17
10.0
None Remote Low Not required Complete Complete Complete
Askey AP5100W_Dual_SIG_1.01.097 and all prior versions use a weak password at the Operating System (rlx-linux) level. This allows an attacker to gain unauthorized access as an admin or root user to the device Operating System via Telnet or SSH.
27 CVE-2020-27780 287 2020-12-18 2020-12-28
10.0
None Remote Low Not required Complete Complete Complete
A flaw was found in Linux-Pam in versions prior to 1.5.1 in the way it handle empty passwords for non-existing users. When the user doesn't exist PAM try to authenticate with root and in the case of an empty password it successfully authenticate.
28 CVE-2020-27846 115 Bypass 2020-12-21 2021-03-31
10.0
None Remote Low Not required Complete Complete Complete
A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
29 CVE-2020-28187 22 Dir. Trav. 2020-12-24 2020-12-28
10.0
None Remote Low Not required Complete Complete Complete
Multiple directory traversal vulnerabilities in TerraMaster TOS <= 4.2.06 allow remote authenticated attackers to read, edit or delete any file within the filesystem via the (1) filename parameter to /tos/index.php?editor/fileGet, Event parameter to /include/ajax/logtable.php, or opt parameter to /include/core/index.php.
30 CVE-2020-28188 78 Exec Code 2020-12-24 2021-02-02
10.0
None Remote Low Not required Complete Complete Complete
Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php in Event parameter.
31 CVE-2020-29311 77 Exec Code 2020-12-10 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
Ubilling v1.0.9 allows Remote Command Execution as Root user by executing a malicious command that is injected inside the config file and being triggered by another part of the software.
32 CVE-2020-29389 306 2020-12-02 2020-12-22
10.0
None Remote Low Not required Complete Complete Complete
The official Crux Linux Docker images 3.0 through 3.4 contain a blank password for a root user. System using the Crux Linux Docker container deployed by affected versions of the Docker image may allow an attacker to achieve root access with a blank password.
33 CVE-2020-29552 78 Exec Code 2020-12-23 2020-12-29
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered in URVE Build 24.03.2020. By using the _internal/pc/vpro.php?mac=0&ip=0&operation=0&usr=0&pass=0%3bpowershell+-c+" substring, it is possible to execute a Powershell command and redirect its output to a file under the web root.
34 CVE-2020-29564 2020-12-08 2020-12-22
10.0
None Remote Low Not required Complete Complete Complete
The official Consul Docker images 0.7.1 through 1.4.2 contain a blank password for a root user. System using the Consul Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password.
35 CVE-2020-29575 2020-12-08 2020-12-22
10.0
None Remote Low Not required Complete Complete Complete
The official elixir Docker images before 1.8.0-alpine (Alpine specific) contain a blank password for a root user. Systems using the elixir Linux Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password.
36 CVE-2020-29576 2020-12-08 2020-12-22
10.0
None Remote Low Not required Complete Complete Complete
The official eggdrop Docker images before 1.8.4rc2 contain a blank password for a root user. Systems using the Eggdrop Docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access with a blank password.
37 CVE-2020-29577 2020-12-08 2020-12-22
10.0
None Remote Low Not required Complete Complete Complete
The official znc docker images before 1.7.1-slim contain a blank password for a root user. Systems using the znc docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access with a blank password.
38 CVE-2020-29578 2020-12-08 2020-12-22
10.0
None Remote Low Not required Complete Complete Complete
The official piwik Docker images before fpm-alpine (Alpine specific) contain a blank password for a root user. Systems using the Piwik Docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access.
39 CVE-2020-29579 2020-12-08 2020-12-22
10.0
None Remote Low Not required Complete Complete Complete
The official Express Gateway Docker images before 1.14.0 contain a blank password for a root user. Systems using the Express Gateway Docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access.
40 CVE-2020-29580 2020-12-08 2020-12-22
10.0
None Remote Low Not required Complete Complete Complete
The official storm Docker images before 1.2.1 contain a blank password for a root user. Systems using the Storm Docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access with a blank password.
41 CVE-2020-29581 2020-12-08 2020-12-22
10.0
None Remote Low Not required Complete Complete Complete
The official spiped docker images before 1.5-alpine contain a blank password for a root user. Systems using the spiped docker container deployed by affected versions of the docker image may allow an remote attacker to achieve root access with a blank password.
42 CVE-2020-29583 312 2020-12-22 2021-01-14
10.0
None Remote Low Not required Complete Complete Complete
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.
43 CVE-2020-29591 521 2020-12-11 2020-12-15
10.0
None Remote Low Not required Complete Complete Complete
Versions of the Official registry Docker images through 2.7.0 contain a blank password for the root user. Systems deployed using affected versions of the registry container may allow a remote attacker to achieve root access with a blank password.
44 CVE-2020-29601 2020-12-08 2020-12-09
10.0
None Remote Low Not required Complete Complete Complete
The official notary docker images before signer-0.6.1-1 contain a blank password for a root user. System using the notary docker container deployed by affected versions of the docker image may allow an remote attacker to achieve root access with a blank password.
45 CVE-2020-29602 2020-12-08 2020-12-09
10.0
None Remote Low Not required Complete Complete Complete
The official irssi docker images before 1.1-alpine (Alpine specific) contain a blank password for a root user. System using the irssi docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access with a blank password.
46 CVE-2020-29659 120 Exec Code Overflow 2020-12-09 2020-12-17
10.0
None Remote Low Not required Complete Complete Complete
A buffer overflow in the web server of Flexense DupScout Enterprise 10.0.18 allows a remote anonymous attacker to execute code as SYSTEM by overflowing the sid parameter via a GET /settings&sid= attack.
47 CVE-2020-29667 613 2020-12-10 2020-12-14
10.0
None Remote Low Not required Complete Complete Complete
In Lan ATMService M3 ATM Monitoring System 6.1.0, a remote attacker able to use a default cookie value, such as PHPSESSID=LANIT-IMANAGER, can achieve control over the system because of Insufficient Session Expiration.
48 CVE-2020-35184 306 2020-12-17 2021-07-08
10.0
None Remote Low Not required Complete Complete Complete
The official composer docker images before 1.8.3 contain a blank password for a root user. System using the composer docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
49 CVE-2020-35185 306 2020-12-17 2020-12-18
10.0
None Remote Low Not required Complete Complete Complete
The official ghost docker images before 2.16.1-alpine (Alpine specific) contain a blank password for a root user. System using the ghost docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
50 CVE-2020-35186 306 2020-12-17 2020-12-17
10.0
None Remote Low Not required Complete Complete Complete
The official adminer docker images before 4.7.0-fastcgi contain a blank password for a root user. System using the adminer docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
Total number of vulnerabilities : 1530   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.