CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In August 2020 (CVSS score >= 7)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2020-25065 203 2020-08-31 2020-09-01
7.8
None Remote Low Not required Complete None None
An issue was discovered on LG mobile devices with Android OS 4.4, 5.0, 5.1, 6.0, 7.0, 7.1, 8.0, 8.1, 9.0, and 10 software. Key logging may occur because of an obsolete API. The LG ID is LVE-SMP-170010 (August 2020).
2 CVE-2020-25062 269 Bypass 2020-08-31 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on LG mobile devices with Android OS 9 and 10 software. LGTelephonyProvider allows a bypass of intended privilege restrictions. The LG ID is LVE-SMP-200017 (July 2020).
3 CVE-2020-25061 2020-08-31 2020-09-01
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on LG mobile devices with Android OS 9 and 10 software on the VZW network. lge_property allows property overwrites. The LG ID is LVE-SMP-200016 (July 2020).
4 CVE-2020-25058 2020-08-31 2020-09-01
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, 9, and 10 software. The network_management service does not properly restrict configuration changes. The LG ID is LVE-SMP-200012 (July 2020).
5 CVE-2020-25057 2020-08-31 2020-09-01
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on LG mobile devices with Android OS 10 software. MDMService does not properly restrict APK installations. The LG ID is LVE-SMP-200011 (July 2020).
6 CVE-2020-25055 863 Bypass 2020-08-31 2020-09-03
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. The persona service allows attackers (who control an unprivileged SecureFolder process) to bypass admin restrictions in KnoxContainer. The Samsung ID is SVE-2020-18133 (August 2020).
7 CVE-2020-25053 Exec Code 2020-08-31 2020-09-03
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on Samsung mobile devices with Q(10.0) (exynos9830 chipsets) software. RKP allows arbitrary code execution. The Samsung ID is SVE-2020-17435 (August 2020).
8 CVE-2020-25052 20 DoS Exec Code Mem. Corr. 2020-08-31 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on Samsung mobile devices with Q(10.0) (exynos9830 chipsets) software. H-Arx allows attackers to execute arbitrary code or cause a denial of service (memory corruption) because indexes are mishandled. The Samsung ID is SVE-2020-17426 (August 2020).
9 CVE-2020-25049 863 2020-08-31 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. StatusBarService has insufficient DEX access control. The Samsung ID is SVE-2020-17797 (August 2020).
10 CVE-2020-25031 59 2020-08-31 2020-09-04
7.2
None Local Low Not required Complete Complete Complete
checkinstall 1.6.2, when used to create a package that contains a symlink, may trigger the creation of a mode 0777 executable file.
11 CVE-2020-25020 611 2020-08-29 2021-01-20
7.5
None Remote Low Not required Partial Partial Partial
MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components.
12 CVE-2020-24786 287 Bypass 2020-08-31 2020-09-10
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise.
13 CVE-2020-24717 276 2020-08-27 2020-09-04
7.2
None Local Low Not required Complete Complete Complete
OpenZFS before 2.0.0-rc1, when used on FreeBSD, misinterprets group permissions as user permissions, as demonstrated by mode 0770 being equivalent to mode 0777.
14 CVE-2020-24606 20 DoS 2020-08-24 2021-07-21
7.1
None Remote Medium Not required None None Complete
Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() livelocking in peer_digest.cc mishandles EOF.
15 CVE-2020-24572 78 Exec Code 2020-08-24 2020-09-01
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered in includes/webconsole.php in RaspAP 2.5. With authenticated access, an attacker can use a misconfigured (and virtually unrestricted) web console to attack the underlying OS (Raspberry Pi) running this software, and execute commands on the system (including ones for uploading of files and execution of code).
16 CVE-2020-24363 306 2020-08-31 2020-09-08
8.3
None Local Network Low Not required Complete Complete Complete
TP-Link TL-WA855RE V5 20200415-rel37464 devices allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtain incorrect access control by setting a new administrative password.
17 CVE-2020-24361 273 Exec Code 2020-08-16 2020-10-02
7.5
None Remote Low Not required Partial Partial Partial
SNMPTT before 1.4.2 allows attackers to execute shell code via EXEC, PREXEC, or unknown_trap_exec.
18 CVE-2020-24331 269 2020-08-13 2022-04-28
7.2
None Local Low Not required Complete Complete Complete
An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the tss user still has read and write access to the /etc/tcsd.conf file (which contains various settings related to this daemon).
19 CVE-2020-24330 269 2020-08-13 2022-04-28
7.2
None Local Low Not required Complete Complete Complete
An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges instead of by the tss user, it fails to drop the root gid privilege when no longer needed.
20 CVE-2020-24240 416 2020-08-25 2020-09-02
7.1
None Remote Medium Not required None None Complete
GNU Bison before 3.7.1 has a use-after-free in _obstack_free in lib/obstack.c (called from gram_lex) when a '\0' byte is encountered. NOTE: there is a risk only if Bison is used with untrusted input, and the observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug report was intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated by Bison.
21 CVE-2020-24220 78 Exec Code 2020-08-17 2020-08-24
9.0
None Remote Low ??? Complete Complete Complete
ShopXO v1.8.1 has a command execution vulnerability. Attackers can use this vulnerability to execute arbitrary commands and gain control of the server.
22 CVE-2020-24208 89 Sql Bypass 2020-08-17 2020-08-21
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability in SourceCodester Online Shopping Alphaware 1.0 allows remote unauthenticated attackers to bypass the authentication process via email and password parameters.
23 CVE-2020-24203 434 Exec Code 2020-08-27 2021-05-24
7.5
None Remote Low Not required Partial Partial Partial
Insecure File Permissions and Arbitrary File Upload in the upload pic function in updatesubcategory.php in Projects World Travel Management System v1.0 allows remote unauthenticated attackers to gain remote code execution.
24 CVE-2020-24202 434 Exec Code 2020-08-27 2020-08-31
7.5
None Remote Low Not required Partial Partial Partial
File Upload component in Projects World House Rental v1.0 suffers from an arbitrary file upload vulnerability with regular users, which allows remote attackers to conduct code execution.
25 CVE-2020-24186 434 Exec Code 2020-08-24 2022-01-01
7.5
None Remote Low Not required Partial Partial Partial
A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action.
26 CVE-2020-24057 78 Exec Code 2020-08-21 2020-08-27
9.0
None Remote Low ??? Complete Complete Complete
The management website of the Verint S5120FD Verint_FW_0_42 unit features a CGI endpoint ('ipfilter.cgi') that allows the user to manage network filtering on the unit. This endpoint is vulnerable to a command injection. An authenticated attacker can leverage this issue to execute arbitrary commands as 'root'.
27 CVE-2020-24055 787 Overflow 2020-08-21 2020-08-27
7.5
None Remote Low Not required Partial Partial Partial
Verint 5620PTZ Verint_FW_0_42 and Verint 4320 V4320_FW_0_23, and V4320_FW_0_31 units feature an autodiscovery service implemented in the binary executable '/usr/sbin/DM' that listens on port TCP 6666. The service is vulnerable to a stack buffer overflow. It is worth noting that this service does not require any authentication.
28 CVE-2020-24054 78 Exec Code 2020-08-21 2020-08-27
10.0
None Remote Low Not required Complete Complete Complete
The administration console of the Moog EXO Series EXVF5C-2 and EXVP7C2-3 units features a 'statusbroadcast' command that can spawn a given process repeatedly at a certain time interval as 'root'. One of the limitations of this feature is that it only takes a path to a binary without arguments; however, this can be circumvented using special shell variables, such as '${IFS}'. As a result, an attacker can execute arbitrary commands as 'root' on the units.
29 CVE-2020-24051 287 Bypass 2020-08-21 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
The Moog EXO Series EXVF5C-2 and EXVP7C2-3 units support the ONVIF interoperability IP-based physical security protocol, which requires authentication for some of its operations. It was found that the authentication check for those ONVIF operations can be bypassed. An attacker can abuse this issue to execute privileged operations without authentication, for instance, to create a new Administrator user.
30 CVE-2020-24032 78 2020-08-18 2020-08-27
10.0
None Remote Low Not required Complete Complete Complete
tz.pl on XoruX LPAR2RRD and STOR2RRD 2.70 virtual appliances allows cmd=set&tz=OS command injection via shell metacharacters in a timezone.
31 CVE-2020-24007 307 2020-08-26 2020-09-01
7.5
None Remote Low Not required Partial Partial Partial
Umanni RH 1.0 does not limit the number of authentication attempts. An unauthenticated user may exploit this vulnerability to launch a brute-force authentication attack against the Login page.
32 CVE-2020-23980 89 Sql 2020-08-27 2020-09-01
7.5
None Remote Low Not required Partial Partial Partial
DesignMasterEvents Conference management 1.0.0 allows SQL Injection via the username field on the administrator login page.
33 CVE-2020-23979 89 Sql 2020-08-27 2020-08-28
7.5
None Remote Low Not required Partial Partial Partial
13enforme CMS 1.0 has SQL Injection via the 'content.php' id parameter.
34 CVE-2020-23978 89 Sql 2020-08-27 2020-08-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection can occur in Soluzione Globale Ecommerce CMS v1 via the parameter " offerta.php"
35 CVE-2020-23976 89 Sql 2020-08-27 2020-08-31
7.5
None Remote Low Not required Partial Partial Partial
Webexcels Ecommerce CMS 2.x, 2017, 2018, 2019, 2020 has SQL Injection via the 'content.php' id parameter.
36 CVE-2020-23973 89 Sql 2020-08-27 2020-09-02
7.5
None Remote Low Not required Partial Partial Partial
KandNconcepts Club CMS 1.1 and 1.2 has SQL Injection via the 'team.php,player.php,club.php' id parameter.
37 CVE-2020-23936 287 Bypass 2020-08-20 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
PHPGurukul Vehicle Parking Management System 1.0 is vulnerable to Authentication Bypass via "Username: admin'# && Password: (Write Something)".
38 CVE-2020-23935 89 Sql Bypass 2020-08-20 2021-12-14
7.5
None Remote Low Not required Partial Partial Partial
Kabir Alhasan Student Management System 1.0 is vulnerable to Authentication Bypass via "Username: admin'# && Password: (Write Something)".
39 CVE-2020-23934 78 Exec Code 2020-08-18 2020-08-26
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered in RiteCMS 2.2.1. An authenticated user can directly execute system commands by uploading a php web shell in the "Filemanager" section.
40 CVE-2020-22722 434 2020-08-14 2020-08-21
7.2
None Local Low Not required Complete Complete Complete
Rapid Software LLC Rapid SCADA 5.8.0 is affected by a local privilege escalation vulnerability in the ScadaAgentSvc.exe executable file. An attacker can obtain admin privileges by placing a malicious .exe file in the application and renaming it ScadaAgentSvc.exe, which would result in executing the binary as NT AUTHORITY\SYSTEM in a Windows operating system. For example, an attacker can plant a reverse shell from a low privileged user account and by restarting the computer, the malicious service will be started as NT AUTHORITY\SYSTEM by giving the attacker full system access to the remote PC.
41 CVE-2020-17506 89 +Priv Sql Bypass 2020-08-12 2020-09-22
7.5
None Remote Low Not required Partial Partial Partial
Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.
42 CVE-2020-17505 78 Exec Code 2020-08-12 2020-09-22
9.0
None Remote Low ??? Complete Complete Complete
Artica Web Proxy 4.30.000000 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.
43 CVE-2020-17496 74 Exec Code 2020-08-12 2020-08-17
7.5
None Remote Low Not required Partial Partial Partial
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
44 CVE-2020-17479 20 2020-08-10 2020-08-19
7.5
None Remote Low Not required Partial Partial Partial
jpv (aka Json Pattern Validator) before 2.2.2 does not properly validate input, as demonstrated by a corrupted array.
45 CVE-2020-17474 613 2020-08-14 2020-08-21
7.5
None Remote Low Not required Partial Partial Partial
A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to create arbitrary new users, elevate users to administrators, delete users, and download user faces from the database.
46 CVE-2020-17466 287 Bypass 2020-08-11 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
Turcom TRCwifiZone through 2020-08-10 allows authentication bypass by visiting manage/control.php and ignoring 302 Redirect responses.
47 CVE-2020-17463 89 Sql 2020-08-13 2020-08-13
7.5
None Remote Low Not required Partial Partial Partial
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
48 CVE-2020-17456 78 Exec Code 2020-08-20 2022-04-22
7.5
None Remote Low Not required Partial Partial Partial
SEOWON INTECH SLC-130 And SLR-120S devices allow Remote Code Execution via the ipAddr parameter to the system_log.cgi page.
49 CVE-2020-17452 434 2020-08-09 2020-08-10
9.0
None Remote Low ??? Complete Complete Complete
flatCore before 1.5.7 allows upload and execution of a .php file by an admin.
50 CVE-2020-17446 824 Exec Code 2020-08-12 2020-09-03
7.5
None Remote Low Not required Partial Partial Partial
asyncpg before 0.21.0 allows a malicious PostgreSQL server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, because of access to an uninitialized pointer in the array data decoder.
Total number of vulnerabilities : 253   Page : 1 (This Page)2 3 4 5 6
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.