CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In January 2020 (CVSS score >= 5)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2020-8495 863 +Priv 2020-01-30 2021-07-21
6.0
None Remote Medium ??? Partial Partial Partial
In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions before 4.0, the com.threeis.webta.H491delegate servlet allows an attacker with Timekeeper or Supervisor privileges to gain unauthorized administrative privileges within the application via the delegate, delegateRole, and delegatorUserId parameters.
2 CVE-2020-8494 269 +Priv 2020-01-30 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions before 4.0, the com.threeis.webta.H402editUser servlet allows an attacker with Timekeeper, Master Timekeeper, or HR Admin privileges to gain unauthorized administrative privileges within the application via the emp_id, userid, pw1, pw2, supervisor, and timekeeper parameters.
3 CVE-2020-8492 400 DoS 2020-01-30 2021-09-16
7.1
None Remote Medium Not required None None Complete
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
4 CVE-2020-8447 416 2020-01-30 2020-07-27
7.5
None Remote Low Not required Partial Partial Partial
In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to a use-after-free during processing of syscheck formatted msgs (received from authenticated remote agents and delivered to the analysisd processing queue by ossec-remoted).
5 CVE-2020-8445 20 2020-01-30 2020-07-27
10.0
None Remote Low Not required Complete Complete Complete
In OSSEC-HIDS 2.7 through 3.5.0, the OS_CleanMSG function in ossec-analysisd doesn't remove or encode terminal control characters or newlines from processed log messages. In many cases, those characters are later logged. Because newlines (\n) are permitted in messages processed by ossec-analysisd, it may be possible to inject nested events into the ossec log. Use of terminal control characters may allow obfuscating events or executing commands when viewed through vulnerable terminal emulators. This may be an unauthenticated remote attack for certain types and origins of logged data.
6 CVE-2020-8444 416 2020-01-30 2020-07-27
7.5
None Remote Low Not required Partial Partial Partial
In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to a use-after-free during processing of ossec-alert formatted msgs (received from authenticated remote agents and delivered to the analysisd processing queue by ossec-remoted).
7 CVE-2020-8443 787 Overflow 2020-01-30 2022-04-26
7.5
None Remote Low Not required Partial Partial Partial
In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to an off-by-one heap-based buffer overflow during the cleaning of crafted syslog msgs (received from authenticated remote agents and delivered to the analysisd processing queue by ossec-remoted).
8 CVE-2020-8442 787 Overflow 2020-01-30 2020-07-27
6.5
None Remote Low ??? Partial Partial Partial
In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to a heap-based buffer overflow in the rootcheck decoder component via an authenticated client.
9 CVE-2020-8440 434 Exec Code 2020-01-31 2020-02-05
7.5
None Remote Low Not required Partial Partial Partial
controllers/page_apply.php in Simplejobscript.com SJS through 1.66 is prone to unauthenticated Remote Code Execution by uploading a PHP script as a resume.
10 CVE-2020-8438 78 Exec Code 2020-01-29 2020-01-31
9.0
None Remote Low ??? Complete Complete Complete
Ruckus ZoneFlex R500 104.0.0.0.1347 devices allow an authenticated attacker to execute arbitrary OS commands via the hidden /forms/nslookupHandler form, as demonstrated by the nslookuptarget=|cat${IFS} substring.
11 CVE-2020-8432 415 Exec Code 2020-01-29 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
In Das U-Boot through 2020.01, a double free has been found in the cmd/gpt.c do_rename_gpt_parts() function. Double freeing may result in a write-what-where condition, allowing an attacker to execute arbitrary code. NOTE: this vulnerablity was introduced when attempting to fix a memory leak identified by static analysis.
12 CVE-2020-8424 352 CSRF 2020-01-28 2020-12-15
6.8
None Remote Medium Not required Partial Partial Partial
Cups Easy (Purchase & Inventory) 1.0 is vulnerable to CSRF that leads to admin account takeover via passwordmychange.php.
13 CVE-2020-8420 352 CSRF 2020-01-28 2020-02-07
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Joomla! before 3.9.15. A missing CSRF token check in the LESS compiler of com_templates causes a CSRF vulnerability.
14 CVE-2020-8419 352 CSRF 2020-01-28 2020-02-06
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Joomla! before 3.9.15. Missing token checks in the batch actions of various components cause CSRF vulnerabilities.
15 CVE-2020-8417 352 CSRF 2020-01-28 2020-02-06
6.8
None Remote Medium Not required Partial Partial Partial
The Code Snippets plugin before 2.14.0 for WordPress allows CSRF because of the lack of a Referer check on the import menu.
16 CVE-2020-8416 400 DoS 2020-01-29 2021-07-21
5.0
None Remote Low Not required None None Partial
IKTeam BearFTP before 0.2.0 allows remote attackers to achieve denial of service via a large volume of connections to the PASV mode port.
17 CVE-2020-8112 787 Overflow 2020-01-28 2021-04-02
6.8
None Remote Medium Not required Partial Partial Partial
opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through 2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a different issue than CVE-2020-6851.
18 CVE-2020-8088 843 Bypass 2020-01-27 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
panel_login.php in UseBB 1.0.12 allows type juggling for login bypass because != is used instead of !== for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
19 CVE-2020-8087 Exec Code 2020-01-27 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
SMC Networks D3G0804W D3GNV5M-3.5.1.6.10_GA devices allow remote command execution by leveraging access to the Network Diagnostic Tools screen, as demonstrated by an admin login. The attacker must use a Parameter Pollution approach against goform/formSetDiagnosticToolsFmPing by providing the vlu_diagnostic_tools__ping_address parameter twice: once with a shell metacharacter and a command name, and once with a command argument.
20 CVE-2020-8086 863 2020-01-28 2020-02-04
6.8
None Remote Medium Not required Partial Partial Partial
The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed to the is_admin() function. This grants remote entities admin-only functionality if their username matches the username of a local admin.
21 CVE-2020-8009 22 Dir. Trav. 2020-01-27 2020-02-06
5.0
None Remote Low Not required Partial None None
AVB MOTU devices through 2020-01-22 allow /.. Directory Traversal, as demonstrated by reading the /etc/passwd file.
22 CVE-2020-8001 798 2020-01-27 2020-01-30
10.0
None Remote Low Not required Complete Complete Complete
The Intellian Aptus application 1.0.2 for Android has a hardcoded password of intellian for the masteruser FTP account.
23 CVE-2020-8000 798 2020-01-27 2020-01-31
10.0
None Remote Low Not required Complete Complete Complete
Intellian Aptus Web 1.24 has a hardcoded password of 12345678 for the intellian account.
24 CVE-2020-7999 798 2020-01-27 2020-01-30
7.5
None Remote Low Not required Partial Partial Partial
The Intellian Aptus application 1.0.2 for Android has hardcoded values for DOWNLOAD_API_KEY and FILE_DOWNLOAD_API_KEY.
25 CVE-2020-7998 434 2020-01-28 2020-02-04
9.0
None Remote Low ??? Complete Complete Complete
An arbitrary file upload vulnerability has been discovered in the Super File Explorer app 1.0.1 for iOS. The vulnerability is located in the developer path that is accessible and hidden next to the root path. By default, there is no password set for the FTP or Web UI service.
26 CVE-2020-7995 307 2020-01-26 2022-04-26
10.0
None Remote Low Not required Complete Complete Complete
The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts.
27 CVE-2020-7991 352 CSRF 2020-01-26 2020-01-28
6.8
None Remote Medium Not required Partial Partial Partial
Adive Framework 2.0.8 has admin/config CSRF to change the Administrator password.
28 CVE-2020-7984 319 +Info 2020-01-26 2020-02-05
5.0
None Remote Low Not required Partial None None
SolarWinds N-central before 12.1 SP1 HF5 and 12.2 before SP1 HF2 allows remote attackers to retrieve cleartext domain admin credentials from the Agent & Probe settings, and obtain other sensitive information. The attacker can use a customer ID to self register and read any aspects of the agent/appliance configuration.
29 CVE-2020-7981 89 Sql 2020-01-25 2020-01-27
7.5
None Remote Low Not required Partial Partial Partial
sql.rb in Geocoder before 1.6.1 allows Boolean-based SQL injection when within_bounding_box is used in conjunction with untrusted sw_lat, sw_lng, ne_lat, or ne_lng data.
30 CVE-2020-7980 78 Exec Code 2020-01-25 2020-01-29
10.0
None Remote Low Not required Complete Complete Complete
Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.
31 CVE-2020-7965 352 CSRF 2020-01-29 2020-02-03
6.8
None Remote Medium Not required Partial Partial Partial
flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.
32 CVE-2020-7964 200 +Info 2020-01-24 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., name, address, and previous orders of any other customer).
33 CVE-2020-7956 295 2020-01-31 2020-02-04
7.5
None Remote Low Not required Partial Partial Partial
HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Fixed in 0.10.3.
34 CVE-2020-7955 200 +Info 2020-01-31 2021-07-21
5.0
None Remote Low Not required Partial None None
HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.
35 CVE-2020-7952 DoS Exec Code Mem. Corr. 2020-01-27 2020-01-29
6.8
None Remote Medium Not required Partial Partial Partial
rendersystemdx9.dll in Valve Dota 2 before 7.23f allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is affected by memory corruption.
36 CVE-2020-7951 DoS Exec Code Mem. Corr. 2020-01-27 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
meshsystem.dll in Valve Dota 2 before 7.23e allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is affected by memory corruption.
37 CVE-2020-7950 DoS Exec Code 2020-01-27 2020-01-27
6.8
None Remote Medium Not required Partial Partial Partial
meshsystem.dll in Valve Dota 2 before 7.23f allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is mishandled during a vulnerable function call.
38 CVE-2020-7949 DoS Exec Code 2020-01-27 2020-01-27
6.8
None Remote Medium Not required Partial Partial Partial
schemasystem.dll in Valve Dota 2 before 7.23f allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is mishandled during a GetValue call.
39 CVE-2020-7941 269 2020-01-23 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission.
40 CVE-2020-7940 521 2020-01-23 2020-01-24
5.0
None Remote Low Not required None Partial None
Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking.
41 CVE-2020-7939 89 Sql 2020-01-23 2020-01-24
6.5
None Remote Low ??? Partial Partial Partial
SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.)
42 CVE-2020-7938 269 2020-01-23 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level.
43 CVE-2020-7936 601 2020-01-23 2020-01-24
5.8
None Remote Medium Not required Partial Partial None
An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site.
44 CVE-2020-7931 Exec Code 2020-01-23 2020-01-30
6.5
None Remote Low ??? Partial Partial Partial
In JFrog Artifactory 5.x and 6.x, insecure FreeMarker template processing leads to remote code execution, e.g., by modifying a .ssh/authorized_keys file. Patches are available for various versions between 5.11.8 and 6.16.0. The issue exists because use of the DefaultObjectWrapper class makes certain Java functions accessible to a template.
45 CVE-2020-7914 200 +Info 2020-01-31 2021-07-21
5.0
None Remote Low Not required Partial None None
In JetBrains IntelliJ IDEA 2019.2, an XSLT debugger plugin misconfiguration allows arbitrary file read operations over the network. This issue was fixed in 2019.3.
46 CVE-2020-7912 668 2020-01-30 2020-02-01
5.0
None Remote Low Not required Partial None None
In JetBrains YouTrack before 2019.2.59309, SMTP/Jabber settings could be accessed using backups.
47 CVE-2020-7909 522 2020-01-30 2020-02-01
5.0
None Remote Low Not required Partial None None
In JetBrains TeamCity before 2019.1.5, some server-stored passwords could be shown via the web UI.
48 CVE-2020-7906 347 2020-01-30 2020-02-01
5.0
None Remote Low Not required Partial None None
In JetBrains Rider versions 2019.3 EAP2 through 2019.3 EAP7, there were unsigned binaries provided by the Windows installer. This issue was fixed in release version 2019.3.
49 CVE-2020-7905 200 +Info 2020-01-30 2021-07-21
5.0
None Remote Low Not required Partial None None
Ports listened to by JetBrains IntelliJ IDEA before 2019.3 were exposed to the network.
50 CVE-2020-7904 295 2020-01-30 2020-02-01
5.8
None Remote Medium Not required Partial Partial None
In JetBrains IntelliJ IDEA before 2019.3, some Maven repositories were accessed via HTTP instead of HTTPS.
Total number of vulnerabilities : 998   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.