CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In September 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2012-3336 89 Sql 2020-09-01 2020-09-04
6.5
None Remote Low ??? Partial Partial Partial
IBM InfoSphere Guardium 8.0, 8.01, and 8.2 is vulnerable to SQL injection. A remote authenticated attacker could send specially-crafted SQL statements to multiple scripts, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 78282.
2 CVE-2012-3337 22 Dir. Trav. 2020-09-01 2020-09-04
5.0
None Remote Low Not required Partial None None
IBM InfoSphere Guardium 8.0, 8.01, and 8.2 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to download arbitrary files on the system. IBM X-Force ID: 78284.
3 CVE-2012-3338 20 Bypass 2020-09-01 2020-09-04
5.0
None Remote Low Not required None Partial None
IBM InfoSphere Guardium 8.0, 8.01, and 8.2 could allow a remote attacker to bypass security restrictions, caused by improper restrictions on the create new user account functionality. An attacker could exploit this vulnerability to create unprivileged user accounts. IBM X-Force ID: 78286.
4 CVE-2012-3340 776 +Info 2020-09-01 2020-09-03
4.0
None Remote Low ??? Partial None None
IBM InfoSphere Guardium 8.0, 8.01, and 8.2 is vulnerable to XML external entity injection, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 78291.
5 CVE-2012-3341 79 XSS 2020-09-01 2020-09-03
3.5
None Remote Medium ??? None Partial None
IBM InfoSphere Guardium 7.0, 8.0, 8.01, and 8.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. IBM X-Force ID: 78294.
6 CVE-2013-7490 119 Overflow Mem. Corr. 2020-09-11 2020-09-18
5.0
None Remote Low Not required None None Partial
An issue was discovered in the DBI module before 1.632 for Perl. Using many arguments to methods for Callbacks may lead to memory corruption.
7 CVE-2013-7491 787 Mem. Corr. 2020-09-11 2020-09-17
5.0
None Remote Low Not required None None Partial
An issue was discovered in the DBI module before 1.628 for Perl. Stack corruption occurs when a user-defined function requires a non-trivial amount of memory and the Perl stack gets reallocated.
8 CVE-2014-1420 502 2020-09-11 2020-09-16
2.1
None Local Low Not required Partial None None
On desktop, Ubuntu UI Toolkit's StateSaver would serialise data on tmp/ files which an attacker could use to expose potentially sensitive data. StateSaver would also open files without the O_EXCL flag. An attacker could exploit this to launch a symlink attack, though this is partially mitigated by symlink and hardlink restrictions in Ubuntu. Fixed in 1.1.1188+14.10.20140813.4-0ubuntu1.
9 CVE-2014-10401 732 2020-09-11 2020-09-30
3.6
None Local Low Not required Partial None Partial
An issue was discovered in the DBI module before 1.632 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute.
10 CVE-2014-10402 732 2020-09-16 2022-06-02
3.6
None Local Low Not required Partial None Partial
An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). NOTE: this issue exists because of an incomplete fix for CVE-2014-10401.
11 CVE-2015-4719 269 +Priv 2020-09-24 2020-10-07
7.5
None Remote Low Not required Partial Partial Partial
The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request.
12 CVE-2016-11086 295 +Info 2020-09-24 2020-10-05
5.8
None Remote Medium Not required Partial Partial None
lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.
13 CVE-2017-17477 79 XSS 2020-09-25 2020-10-02
4.3
None Remote Medium Not required None Partial None
Pexip Infinity before 17 allows an unauthenticated remote attacker to achieve stored XSS via management web interface views.
14 CVE-2018-5353 290 Exec Code +Priv 2020-09-30 2020-10-15
7.5
None Remote Low Not required Partial Partial Partial
The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the web server has a misconfigured certificate then no spoofing attack is required
15 CVE-2018-5354 290 Exec Code +Priv 2020-09-30 2020-10-20
5.8
None Local Network Low Not required Partial Partial Partial
The custom GINA/CP module in ANIXIS Password Reset Client before version 3.22 allows remote attackers to execute code and escalate privileges via spoofing. When the client is configured to use HTTP, it does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP.
16 CVE-2018-6447 79 XSS 2020-09-25 2021-08-23
3.5
None Remote Medium ??? None Partial None
A Reflective XSS Vulnerability in HTTP Management Interface in Brocade Fabric OS versions before Brocade Fabric OS v9.0.0, v8.2.2c, v8.2.1e, v8.1.2k, v8.2.0_CBN3, v7.4.2g could allow authenticated attackers with access to the web interface to hijack a user’s session and take over the account.
17 CVE-2018-6448 DoS 2020-09-25 2021-07-30
5.0
None Remote Low Not required None None Partial
A vulnerability in the management interface in Brocade Fabric OS Versions before Brocade Fabric OS v9.0.0 could allow a remote attacker to perform a denial of service attack on the vulnerable host.
18 CVE-2018-6449 79 XSS 2020-09-25 2021-09-09
4.3
None Remote Medium Not required None Partial None
Host Header Injection vulnerability in the http management interface in Brocade Fabric OS versions before v9.0.0 could allow a remote attacker to exploit this vulnerability by injecting arbitrary HTTP headers
19 CVE-2018-10432 400 DoS 2020-09-25 2020-10-07
7.8
None Remote Low Not required None None Complete
Pexip Infinity before 18 allows Remote Denial of Service (TLS handshakes in RTMP).
20 CVE-2018-10585 400 DoS 2020-09-25 2020-10-02
7.8
None Remote Low Not required None None Complete
Pexip Infinity before 18 allows remote Denial of Service (XML parsing).
21 CVE-2018-11765 287 2020-09-30 2020-10-16
4.3
None Remote Medium Not required Partial None None
In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.
22 CVE-2018-12475 610 2020-09-01 2020-09-10
5.5
None Remote Low ??? Partial Partial None
A Externally Controlled Reference to a Resource in Another Sphere vulnerability in obs-service-download_files of openSUSE Open Build Service allows authenticated users to generate HTTP request against internal networks and potentially downloading data that is exposed there. This issue affects: openSUSE Open Build Service .
23 CVE-2018-13903 362 2020-09-08 2020-09-11
9.3
None Remote Medium Not required Complete Complete Complete
u'Error in UE due to race condition in EPCO handling' in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8053, MDM9205, MDM9206, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, SDM450, SM8150
24 CVE-2018-17145 400 DoS 2020-09-10 2020-09-15
5.0
None Remote Low Not required None None Partial
Bitcoin Core 0.16.x before 0.16.2 and Bitcoin Knots 0.16.x before 0.16.2 allow remote denial of service via a flood of multiple transaction inv messages with random hashes, aka INVDoS. NOTE: this can also affect other cryptocurrencies, e.g., if they were forked from Bitcoin Core after 2017-11-15.
25 CVE-2018-17765 2020-09-09 2020-11-24
7.2
None Local Low Not required Complete Complete Complete
Ingenico Telium 2 POS terminals have undeclared TRACE protocol commands. This is fixed in Telium 2 SDK v9.32.03 patch N.
26 CVE-2018-17766 732 Bypass 2020-09-09 2020-11-24
2.1
None Local Low Not required Partial None None
Ingenico Telium 2 POS Telium2 OS allow bypass of file-reading restrictions via the NTPT3 protocol. This is fixed in Telium 2 SDK v9.32.03 patch N.
27 CVE-2018-17767 798 2020-09-09 2020-11-24
7.2
None Local Low Not required Complete Complete Complete
Ingenico Telium 2 POS terminals have hardcoded PPP credentials. This is fixed in Telium 2 SDK v9.32.03 patch N.
28 CVE-2018-17768 2020-09-09 2020-11-24
7.2
None Local Low Not required Complete Complete Complete
Ingenico Telium 2 POS terminals have an insecure TRACE protocol. This is fixed in Telium 2 SDK v9.32.03 patch N.
29 CVE-2018-17769 120 Overflow 2020-09-09 2020-11-24
7.2
None Local Low Not required Complete Complete Complete
Ingenico Telium 2 POS terminals have a buffer overflow via the 0x26 command of the NTPT3 protocol. This is fixed in Telium 2 SDK v9.32.03 patch N.
30 CVE-2018-17770 120 Overflow 2020-09-09 2020-11-24
7.2
None Local Low Not required Complete Complete Complete
Ingenico Telium 2 POS terminals have a buffer overflow via the RemotePutFile command of the NTPT3 protocol. This is fixed in Telium 2 SDK v9.32.03 patch N.
31 CVE-2018-17771 798 2020-09-09 2020-11-24
7.2
None Local Low Not required Complete Complete Complete
Ingenico Telium 2 POS terminals have hardcoded FTP credentials. This is fixed in Telium 2 SDK v9.32.03 patch N.
32 CVE-2018-17772 Exec Code 2020-09-09 2022-01-01
7.2
None Local Low Not required Complete Complete Complete
Ingenico Telium 2 POS terminals allow arbitrary code execution via the TRACE protocol. This is fixed in Telium 2 SDK v9.32.03 patch N.
33 CVE-2018-17773 120 Overflow 2020-09-09 2020-11-24
7.2
None Local Low Not required Complete Complete Complete
Ingenico Telium 2 POS terminals have a buffer overflow via SOCKET_TASK in the NTPT3 protocol. This is fixed in Telium 2 SDK v9.32.03 patch N.
34 CVE-2018-17774 2020-09-09 2020-11-24
7.2
None Local Low Not required Complete Complete Complete
Ingenico Telium 2 POS terminals have an insecure NTPT3 protocol. This is fixed in Telium 2 SDK v9.32.03 patch N.
35 CVE-2018-19946 295 2020-09-11 2020-09-16
4.3
None Remote Medium Not required None Partial None
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this improper certificate validation vulnerability could allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
36 CVE-2018-19947 209 2020-09-11 2020-09-16
4.0
None Remote Low ??? Partial None None
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this information exposure vulnerability could disclose sensitive information. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
37 CVE-2018-19948 352 CSRF 2020-09-11 2020-09-16
4.3
None Remote Medium Not required None Partial None
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
38 CVE-2018-20432 798 +Priv 2020-09-14 2020-10-29
10.0
None Remote Low Not required Complete Complete Complete
D-Link COVR-2600R and COVR-3902 Kit before 1.01b05Beta01 use hardcoded credentials for telnet connection, which allows unauthenticated attackers to gain privileged access to the router, and to extract sensitive data or modify the configuration.
39 CVE-2019-0230 915 Exec Code 2020-09-14 2022-04-18
7.5
None Remote Low Not required Partial Partial Partial
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
40 CVE-2019-0233 281 DoS 2020-09-14 2022-04-18
5.0
None Remote Low Not required None None Partial
An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.
41 CVE-2019-1736 347 Bypass 2020-09-23 2020-10-23
6.9
None Local Medium Not required Complete Complete Complete
A vulnerability in the firmware of the Cisco UCS C-Series Rack Servers could allow an authenticated, physical attacker to bypass Unified Extensible Firmware Interface (UEFI) Secure Boot validation checks and load a compromised software image on an affected device. The vulnerability is due to improper validation of the server firmware upgrade images. An attacker could exploit this vulnerability by installing a server firmware version that would allow the attacker to disable UEFI Secure Boot. A successful exploit could allow the attacker to bypass the signature validation checks that are done by UEFI Secure Boot technology and load a compromised software image on the affected device. A compromised software image is any software image that has not been digitally signed by Cisco.
42 CVE-2019-1888 434 Exec Code 2020-09-23 2020-09-29
9.0
None Remote Low ??? Complete Complete Complete
A vulnerability in the Administration Web Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to upload arbitrary files and execute commands on the underlying operating system. To exploit this vulnerability, an attacker needs valid Administrator credentials. The vulnerability is due to insufficient restrictions for the content uploaded to an affected system. An attacker could exploit this vulnerability by uploading arbitrary files containing operating system commands that will be executed by an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the web interface and then elevate their privileges to root.
43 CVE-2019-1947 20 DoS 2020-09-23 2020-10-01
7.8
None Remote Low Not required None None Complete
A vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause the CPU utilization to increase to 100 percent, causing a denial of service (DoS) condition on an affected device. The vulnerability is due to improper handling of email messages that contain large attachments. An attacker could exploit this vulnerability by sending a malicious email message through the targeted device. A successful exploit could allow the attacker to cause a permanent DoS condition due to high CPU utilization. This vulnerability may require manual intervention to recover the ESA.
44 CVE-2019-1983 20 DoS 2020-09-23 2020-10-01
7.8
None Remote Low Not required None None Complete
A vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) and Cisco Content Security Management Appliance (SMA) could allow an unauthenticated, remote attacker to cause repeated crashes in some internal processes that are running on the affected devices, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient input validation of email attachments. An attacker could exploit this vulnerability by sending an email message with a crafted attachment through an affected device. A successful exploit could allow the attacker to cause specific processes to crash repeatedly, resulting in the complete unavailability of both the Cisco Advanced Malware Protection (AMP) and message tracking features and in severe performance degradation while processing email. After the affected processes restart, the software resumes filtering for the same attachment, causing the affected processes to crash and restart again. A successful exploit could also allow the attacker to cause a repeated DoS condition. Manual intervention may be required to recover from this situation.
45 CVE-2019-3881 427 Exec Code 2020-09-04 2021-11-02
4.4
None Local Medium Not required Partial Partial Partial
Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.
46 CVE-2019-4671 89 Sql 2020-09-15 2020-09-16
6.5
None Remote Low ??? Partial Partial Partial
IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 171437.
47 CVE-2019-5645 400 2020-09-01 2020-09-08
5.0
None Remote Low Not required None None Partial
By sending a specially crafted HTTP GET request to a listening Rapid7 Metasploit HTTP handler, an attacker can register an arbitrary regular expression. When evaluated, this malicious handler can either prevent new HTTP handler sessions from being established, or cause a resource exhaustion on the Metasploit server.
48 CVE-2019-7177 94 2020-09-25 2020-10-02
9.0
None Remote Low ??? Complete Complete Complete
Pexip Infinity before 20.1 allows Code Injection onto nodes via an admin.
49 CVE-2019-7178 20 2020-09-25 2020-09-30
9.0
None Remote Low ??? Complete Complete Complete
Pexip Infinity before 20.1 allows privilege escalation by restoring a system backup.
50 CVE-2019-10527 129 Mem. Corr. 2020-09-08 2021-07-21
7.2
None Local Low Not required Complete Complete Complete
u'SMEM partition can be manipulated in case of any compromise on HLOS, thus resulting in access to memory outside of SMEM address range which could lead to memory corruption' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA4531, QCA6574AU, QCA8081, QCM2150, QCN7605, QCN7606, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SA415M, SA515M, SA6155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Total number of vulnerabilities : 1593   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.