CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In February 2020

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2013-1359 287 2 Bypass 2020-02-11 2020-02-14
10.0
None Remote Low Not required Complete Complete Complete
An Authentication Bypass Vulnerability exists in DELL SonicWALL Analyzer 7.0, Global Management System (GMS) 4.1, 5.0, 5.1, 6.0, and 7.0; Universal Management Appliance (UMA) 5.1, 6.0, and 7.0 and ViewPoint 4.1, 5.0, 5.1, and 6.0 via the skipSessionCheck parameter to the UMA interface (/appliance/), which could let a remote malicious user obtain access to the root account.
2 CVE-2014-8347 287 1 Bypass 2020-02-11 2020-02-13
4.6
None Local Low Not required Partial Partial Partial
An Authentication Bypass vulnerability exists in the MatchPasswordData function in DBEngine.dll in Filemaker Pro 13.03 and Filemaker Pro Advanced 12.04, which could let a malicious user obtain elevated privileges.
3 CVE-2014-5468 20 1 Exec Code +Info File Inclusion 2020-02-07 2020-02-11
6.8
None Remote Medium Not required Partial Partial Partial
A File Inclusion vulnerability exists in Railo 4.2.1 and earlier via a specially-crafted URL request to the thumbnail.cfm to specify a malicious PNG file, which could let a remote malicious user obtain sensitive information or execute arbitrary code.
4 CVE-2014-5091 20 1 Exec Code 2020-02-07 2020-02-11
10.0
None Remote Low Not required Complete Complete Complete
A vulnerability exists in Status2K 2.5 Server Monitoring Software via the multies parameter to includes/functions.php, which could let a malicious user execute arbitrary PHP code.
5 CVE-2014-4968 1 Exec Code 2020-02-12 2020-02-19
6.8
None Remote Medium Not required Partial Partial Partial
The WebView class and use of the WebView.addJavascriptInterface method in the Boat Browser application 8.0 and 8.0.1 for Android allow remote attackers to execute arbitrary code via a crafted web site, a related issue to CVE-2012-6636.
6 CVE-2014-4170 269 1 +Info 2020-02-13 2020-02-19
7.5
None Remote Low Not required Partial Partial Partial
A Privilege Escalation Vulnerability exists in Free Reprintables ArticleFR 11.06.2014 due to insufficient access restrictions in the data.php script, which could let a remote malicious user obtain access or modify or delete database information.
7 CVE-2014-4019 200 1 +Info 2020-02-20 2020-02-28
5.0
None Remote Low Not required Partial None None
ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK stores sensitive information under the web root with insufficient access control, which allows remote attackers to read backup files via a direct request for rom-0.
8 CVE-2013-7051 287 1 Bypass 2020-02-04 2020-02-04
6.8
None Remote Medium Not required Partial Partial Partial
D-Link DIR-100 4.03B07: cli.cgi security bypass due to failure to check authentication parameters
9 CVE-2013-5945 89 1 Exec Code Sql 2020-02-11 2021-04-23
10.0
None Remote Low Not required Complete Complete Complete
Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allow remote attackers to execute arbitrary SQL commands via the password to (1) the login.authenticate function in share/lua/5.1/teamf1lualib/login.lua or (2) captivePortal.lua.
10 CVE-2013-4211 94 1 Exec Code 2020-02-14 2020-02-19
7.5
None Remote Low Not required Partial Partial Partial
A Code Execution Vulnerability exists in OpenX Ad Server 2.8.10 due to a backdoor in flowplayer-3.1.1.min.js library, which could let a remote malicious user execute arbitrary PHP code.
11 CVE-2013-3629 1 Exec Code 2020-02-07 2020-02-10
6.5
None Remote Low ??? Partial Partial Partial
ISPConfig 3.0.5.2 has Arbitrary PHP Code Execution
12 CVE-2013-3628 74 1 Exec Code 2020-02-07 2020-02-10
6.5
None Remote Low ??? Partial Partial Partial
Zabbix 2.0.9 has an Arbitrary Command Execution Vulnerability
13 CVE-2013-3591 434 1 Exec Code 2020-02-07 2020-02-11
6.5
None Remote Low ??? Partial Partial Partial
vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability
14 CVE-2013-3568 352 1 CSRF 2020-02-06 2020-02-12
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Cisco Linksys WRT110 allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors.
15 CVE-2013-2678 74 1 Exec Code +Info 2020-02-04 2020-02-07
6.8
None Remote Medium Not required Partial Partial Partial
Cisco Linksys E4200 1.0.05 Build 7 routers contain a Local File Include Vulnerability which could allow remote attackers to obtain sensitive information or execute arbitrary code by sending a crafted URL request to the apply.cgi script using the submit_type parameter.
16 CVE-2013-2637 79 1 Exec Code XSS 2020-02-12 2020-02-18
4.3
None Remote Medium Not required None Partial None
A Cross-Site Scripting (XSS) Vulnerability exists in OTRS ITSM prior to 3.2.4, 3.1.8, and 3.0.7 and FAQ prior to 2.1.4 and 2.0.8 via changes, workorder items, and FAQ articles, which could let a remote malicious user execute arbitrary code.
17 CVE-2013-2097 1 Exec Code 2020-02-12 2020-02-24
9.3
None Remote Medium Not required Complete Complete Complete
ZPanel through 10.1.0 has Remote Command Execution
18 CVE-2013-2010 74 1 Exec Code 2020-02-12 2020-02-14
7.5
None Remote Low Not required Partial Partial Partial
WordPress W3 Total Cache Plugin 0.9.2.8 has a Remote PHP Code Execution Vulnerability
19 CVE-2013-1360 287 1 Bypass 2020-02-11 2020-02-13
10.0
None Remote Low Not required Complete Complete Complete
An Authentication Bypass vulnerability exists in DELL SonicWALL Global Management System (GMS) 4.1, 5.0, 5.1, 6.0, and 7.0, Analyzer 7.0, Universal Management Appliance (UMA) 5.1, 6.0, and 7.0 and ViewPoint 4.1, 5.0, and 6.0 via a crafted request to the SGMS interface, which could let a remote malicious user obtain administrative access.
20 CVE-2013-0803 434 1 Exec Code 2020-02-11 2020-02-14
7.5
None Remote Low Not required Partial Partial Partial
A PHP File Upload Vulnerability exists in PolarBear CMS 2.5 via upload.php, which could let a malicious user execute arbitrary code.
21 CVE-2012-6614 862 1 2020-02-19 2020-03-05
9.0
None Remote Low ??? Complete Complete Complete
D-Link DSR-250N devices before 1.08B31 allow remote authenticated users to obtain "persistent root access" via the BusyBox CLI, as demonstrated by overwriting the super user password.
22 CVE-2012-2629 352 1 XSS CSRF 2020-02-20 2020-02-28
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities in Axous 1.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator account via an addnew action to admin/administrators_add.php; or (2) conduct cross-site scripting (XSS) attacks via the page_title parameter to admin/content_pages_edit.php; the (3) category_name[] parameter to admin/products_category.php; the (4) site_name, (5) seo_title, or (6) meta_keywords parameter to admin/settings_siteinfo.php; the (7) company_name, (8) address1, (9) address2, (10) city, (11) state, (12) country, (13) author_first_name, (14) author_last_name, (15) author_email, (16) contact_first_name, (17) contact_last_name, (18) contact_email, (19) general_email, (20) general_phone, (21) general_fax, (22) sales_email, (23) sales_phone, (24) support_email, or (25) support_phone parameter to admin/settings_company.php; or the (26) system_email, (27) sender_name, (28) smtp_server, (29) smtp_username, (30) smtp_password, or (31) order_notice_email parameter to admin/settings_email.php.
23 CVE-2012-2593 79 1 XSS 2020-02-06 2020-02-10
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the administrative interface in Atmail Webmail Server 6.4 allows remote attackers to inject arbitrary web script or HTML via the Date field of an email.
24 CVE-2012-1124 89 1 Exec Code Sql 2020-02-11 2020-02-13
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in search.php in phxEventManager 2.0 beta 5 allows remote attackers to execute arbitrary SQL commands via the search_terms parameter.
25 CVE-2020-9466 74 2020-02-28 2021-07-21
5.8
None Remote Medium Not required Partial Partial None
The Export Users to CSV plugin through 1.4.2 for WordPress allows CSV Injection.
26 CVE-2020-9465 89 Sql Bypass 2020-02-28 2020-03-04
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in EyesOfNetwork eonweb 5.1 through 5.3 before 5.3-3. The eonweb web interface is prone to a SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the user_id field in a cookie.
27 CVE-2020-9463 78 Exec Code 2020-02-28 2020-03-03
9.0
None Remote Low ??? Complete Complete Complete
Centreon 19.10 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the server_ip field in JSON data in an api/internal.php?object=centreon_configuration_remote request.
28 CVE-2020-9459 79 XSS 2020-02-28 2020-03-02
3.5
None Remote Medium ??? None Partial None
Multiple Stored Cross-site scripting (XSS) vulnerabilities in the Webnus Modern Events Calendar Lite plugin through 5.1.6 for WordPress allow remote authenticated users (with minimal permissions) to inject arbitrary JavaScript, HTML, or CSS via Ajax actions. This affects mec_save_notifications and import_settings.
29 CVE-2020-9449 330 2020-02-28 2020-03-04
6.5
None Remote Low ??? Partial Partial Partial
An insecure random number generation vulnerability in BlaB! AX, BlaB! AX Pro, BlaB! WS (client), and BlaB! WS Pro (client) version 19.11 allows an attacker (with a guest or user session cookie) to escalate privileges by retrieving the cookie salt value and creating a valid session cookie for an arbitrary user or admin.
30 CVE-2020-9447 79 XSS 2020-02-28 2021-12-21
4.3
None Remote Medium Not required None Partial None
There is an XSS (cross-site scripting) vulnerability in GwtUpload 1.0.3 in the file upload functionality. Someone can upload a file with a malicious filename, which contains JavaScript code, which would result in XSS. Cross-site scripting enables attackers to steal data, change the appearance of a website, and perform other malicious activities like phishing or drive-by hacking.
31 CVE-2020-9442 281 +Priv 2020-02-28 2020-03-03
7.2
None Local Low Not required Complete Complete Complete
OpenVPN Connect 3.1.0.361 on Windows has Insecure Permissions for %PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10, which allows local users to gain privileges by copying a malicious drvstore.dll there.
32 CVE-2020-9434 295 2020-02-27 2020-02-28
6.4
None Remote Low Not required Partial Partial None
openssl_x509_check_ip_asc in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
33 CVE-2020-9433 295 2020-02-27 2020-02-28
6.4
None Remote Low Not required Partial Partial None
openssl_x509_check_email in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
34 CVE-2020-9432 295 2020-02-27 2020-02-28
6.4
None Remote Low Not required Partial Partial None
openssl_x509_check_host in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
35 CVE-2020-9431 400 2020-02-27 2021-07-21
5.0
None Remote Low Not required None None Partial
In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the LTE RRC dissector could leak memory. This was addressed in epan/dissectors/packet-lte-rrc.c by adjusting certain append operations.
36 CVE-2020-9430 20 2020-02-27 2021-02-09
5.0
None Remote Low Not required None None Partial
In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the WiMax DLMAP dissector could crash. This was addressed in plugins/epan/wimax/msg_dlmap.c by validating a length field.
37 CVE-2020-9429 476 2020-02-27 2021-12-30
5.0
None Remote Low Not required None None Partial
In Wireshark 3.2.0 to 3.2.1, the WireGuard dissector could crash. This was addressed in epan/dissectors/packet-wireguard.c by handling the situation where a certain data structure intentionally has a NULL value.
38 CVE-2020-9428 74 2020-02-27 2021-07-21
5.0
None Remote Low Not required None None Partial
In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the EAP dissector could crash. This was addressed in epan/dissectors/packet-eap.c by using more careful sscanf parsing.
39 CVE-2020-9407 200 +Info 2020-02-26 2021-07-21
5.0
None Remote Low Not required Partial None None
IBL Online Weather before 4.3.5a allows attackers to obtain sensitive information by reading the IWEBSERVICE_JSONRPC_COOKIE cookie.
40 CVE-2020-9406 74 2020-02-26 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.
41 CVE-2020-9405 79 XSS 2020-02-26 2020-02-26
4.3
None Remote Medium Not required None Partial None
IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page.
42 CVE-2020-9399 863 Bypass 2020-02-28 2021-07-21
4.3
None Remote Medium Not required None Partial None
The Avast AV parsing engine allows virus-detection bypass via a crafted ZIP archive. This affects versions before 12 definitions 200114-0 of Antivirus Pro, Antivirus Pro Plus, and Antivirus for Linux.
43 CVE-2020-9398 89 Sql 2020-02-25 2020-03-03
9.3
None Remote Medium Not required Complete Complete Complete
ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection.
44 CVE-2020-9394 352 CSRF 2020-02-25 2020-02-26
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows CSRF.
45 CVE-2020-9393 79 XSS 2020-02-25 2020-02-26
4.3
None Remote Medium Not required None Partial None
An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows XSS.
46 CVE-2020-9391 787 Mem. Corr. 2020-02-25 2022-04-18
2.1
None Local Low Not required None None Partial
An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 on the AArch64 architecture. It ignores the top byte in the address passed to the brk system call, potentially moving the memory break downwards when the application expects it to move upwards, aka CID-dcde237319e6. This has been observed to cause heap corruption with the GNU C Library malloc implementation.
47 CVE-2020-9385 476 2020-02-25 2020-02-26
5.0
None Remote Low Not required None None Partial
A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because multiple + characters are mishandled in add_on in upcean.c, when called from eanx in upcean.c during EAN barcode generation.
48 CVE-2020-9383 125 2020-02-25 2021-01-04
3.6
None Local Low Not required Partial None Partial
An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2.
49 CVE-2020-9382 732 2020-02-24 2021-07-21
5.5
None Remote Low ??? Partial Partial None
An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's {{#widget:}} parser function.
50 CVE-2020-9381 668 Exec Code 2020-02-24 2020-02-26
5.0
None Remote Low Not required None Partial None
controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954.
Total number of vulnerabilities: 1395 (page 1 of 28)