CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2020 (CVSS score >= 9)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2020-27976 78 2020-10-28 2020-10-29
10.0
None Remote Low Not required Complete Complete Complete
osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Within admin/mail.php, a from POST parameter can be passed to the application. This affects the PHP mail function, and the sendmail -f option.
2 CVE-2020-27887 78 2020-10-29 2020-11-04
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered in EyesOfNetwork 5.3 through 5.3-8. An authenticated web user with sufficient privileges could abuse the AutoDiscovery module to run arbitrary OS commands via the nmap_binary parameter to lilac/autodiscovery.php.
3 CVE-2020-27744 78 Exec Code 2020-10-29 2021-12-06
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on Western Digital My Cloud NAS devices before 5.04.114. They allow remote code execution with resultant escalation of privileges.
4 CVE-2020-27159 78 Exec Code 2020-10-27 2021-12-02
10.0
None Remote Low Not required Complete Complete Complete
Addressed remote code execution vulnerability in DsdkProxy.php due to insufficient sanitization and insufficient validation of user input in Western Digital My Cloud NAS devices prior to 5.04.114
5 CVE-2020-27158 78 Exec Code 2020-10-27 2021-12-01
10.0
None Remote Low Not required Complete Complete Complete
Addressed remote code execution vulnerability in cgi_api.php that allowed escalation of privileges in Western Digital My Cloud NAS devices prior to 5.04.114.
6 CVE-2020-26943 Exec Code 2020-10-16 2020-10-27
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered in OpenStack blazar-dashboard before 1.3.1, 2.0.0, and 3.0.0. A user allowed to access the Blazar dashboard in Horizon may trigger code execution on the Horizon host as the user the Horizon service runs under (because the Python eval function is used). This may result in Horizon host unauthorized access and further compromise of the Horizon service. All setups using the Horizon dashboard with the blazar-dashboard plugin are affected.
7 CVE-2020-26908 Bypass 2020-10-09 2020-10-16
10.0
None Remote Low Not required Complete Complete Complete
Certain NETGEAR devices are affected by authentication bypass. This affects D6200 before 1.1.00.36, D7000 before 1.0.1.74, PR2000 before 1.0.0.30, R6020 before 1.0.0.42, R6050 before 1.0.1.22, JR6150 before 1.0.1.22, R6080 before 1.0.0.42, R6120 before 1.0.0.66, R6220 before 1.1.0.100, R6230 before 1.1.0.100, R6260 before 1.1.0.64, R6700v2 before 1.2.0.62, R6800 before 1.2.0.62, R69002 before 1.2.0.62, and WNR2020 before 1.1.0.62.
8 CVE-2020-26879 798 2020-10-26 2020-11-02
10.0
None Remote Low Not required Complete Complete Complete
Ruckus vRioT through 1.5.1.0.21 has an API backdoor that is hardcoded into validate_token.py. An unauthenticated attacker can interact with the service API by using a backdoor value as the Authorization header.
9 CVE-2020-26878 862 Exec Code 2020-10-26 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.
10 CVE-2020-26596 20 Exec Code 2020-10-07 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role.
11 CVE-2020-26582 77 Exec Code 2020-10-06 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
D-Link DAP-1360U before 3.0.1 devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the IP JSON value for ping (aka res_config_action=3&res_config_id=18).
12 CVE-2020-26574 79 Exec Code XSS 2020-10-06 2020-10-22
9.3
None Remote Medium Not required Complete Complete Complete
** UNSUPPORTED WHEN ASSIGNED ** Leostream Connection Broker 8.2.x is affected by stored XSS. An unauthenticated attacker can inject arbitrary JavaScript code via the webquery.pl User-Agent HTTP header. It is rendered by the admins the next time they log in. The JavaScript injected can be used to force the admin to upload a malicious Perl script that will be executed as root via libMisc::browser_client. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
13 CVE-2020-26124 94 Exec Code 2020-10-02 2022-01-06
9.0
None Remote Low ??? Complete Complete Complete
openmediavault before 4.1.36 and 5.x before 5.5.12 allows authenticated PHP code injection attacks, via the sortfield POST parameter of rpc.php, because json_encode_safe is not used in config/databasebackend.inc. Successful exploitation allows arbitrary command execution on the underlying operating system as root.
14 CVE-2020-25803 913 Exec Code 2020-10-06 2020-10-09
9.0
None Remote Low ??? Complete Complete Complete
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker template exposed objects. This issue affects: Crafter Software Crafter CMS 3.0 versions prior to 3.0.27; 3.1 versions prior to 3.1.7.
15 CVE-2020-25802 913 Exec Code 2020-10-06 2020-10-09
9.0
None Remote Low ??? Complete Complete Complete
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy scripting. This issue affects: Crafter Software Crafter CMS 3.0 versions prior to 3.0.27; 3.1 versions prior to 3.1.7.
16 CVE-2020-25765 20 Exec Code 2020-10-27 2021-12-01
10.0
None Remote Low Not required Complete Complete Complete
Addressed remote code execution vulnerability in reg_device.php due to insufficient validation of user input.in Western Digital My Cloud Devices prior to 5.4.1140.
17 CVE-2020-25214 2020-10-16 2020-10-28
9.3
None Remote Medium Not required Complete Complete Complete
In the client in Overwolf 0.149.2.30, a channel can be accessed or influenced by an actor that is not an endpoint.
18 CVE-2020-24707 1236 2020-10-28 2020-10-30
9.3
None Remote Medium Not required Complete Complete Complete
Gophish before 0.11.0 allows the creation of CSV sheets that contain malicious content.
19 CVE-2020-24652 917 Exec Code 2020-10-19 2020-10-21
10.0
None Remote Low Not required Complete Complete Complete
A addvsiinterfaceinfo expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
20 CVE-2020-24651 917 Exec Code 2020-10-19 2020-10-21
10.0
None Remote Low Not required Complete Complete Complete
A syslogtempletselectwin expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
21 CVE-2020-24650 917 Exec Code 2020-10-19 2020-10-21
10.0
None Remote Low Not required Complete Complete Complete
A legend expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
22 CVE-2020-24649 20 Exec Code 2020-10-19 2020-10-21
10.0
None Remote Low Not required Complete Complete Complete
A remote bytemessageresource transformentity" input validation code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
23 CVE-2020-24648 502 Exec Code 2020-10-19 2020-10-21
10.0
None Remote Low Not required Complete Complete Complete
A accessmgrservlet classname deserialization of untrusted data remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
24 CVE-2020-24647 20 Exec Code 2020-10-19 2020-10-21
10.0
None Remote Low Not required Complete Complete Complete
A remote accessmgrservlet classname input validation code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
25 CVE-2020-24646 787 Exec Code Overflow 2020-10-19 2020-10-21
10.0
None Remote Low Not required Complete Complete Complete
A tftpserver stack-based buffer overflow remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
26 CVE-2020-24632 77 Exec Code 2020-10-26 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
A remote execution of arbitrary commandss vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2.
27 CVE-2020-24631 77 Exec Code 2020-10-26 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
A remote execution of arbitrary commands vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2.
28 CVE-2020-24630 269 2020-10-19 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
A remote operatoronlinelist_content privilege escalation vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
29 CVE-2020-24629 287 Bypass 2020-10-19 2020-10-21
10.0
None Remote Low Not required Complete Complete Complete
A remote urlaccesscontroller authentication bypass vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
30 CVE-2020-24418 125 Exec Code 2020-10-21 2020-10-29
9.3
None Remote Medium Not required Complete Complete Complete
Adobe After Effects version 17.1.1 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted .aepx file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. This vulnerability requires user interaction to exploit.
31 CVE-2020-24397 190 Exec Code Overflow 2020-10-02 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.0.SP-534. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges.
32 CVE-2020-17407 121 Exec Code 2020-10-13 2020-10-26
10.0
None Remote Low Not required Complete Complete Complete
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microhard Bullet-LTE prior to v1.2.0-r1112. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of authentication headers. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-10596.
33 CVE-2020-17406 78 Exec Code 2020-10-13 2020-10-26
9.0
None Remote Low ??? Complete Complete Complete
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microhard Bullet-LTE prior to v1.2.0-r1112. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of the ping parameter provided to tools.sh. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-10595.
34 CVE-2020-17023 Exec Code 2020-10-16 2020-10-20
9.3
None Remote Medium Not required Complete Complete Complete
A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file, aka 'Visual Studio JSON Remote Code Execution Vulnerability'.
35 CVE-2020-17003 Exec Code 2020-10-16 2020-10-21
9.3
None Remote Medium Not required Complete Complete Complete
A remote code execution vulnerability exists when the Base3D rendering engine improperly handles memory.An attacker who successfully exploited the vulnerability would gain execution on a victim system.The security update addresses the vulnerability by correcting how the Base3D rendering engine handles memory., aka 'Base3D Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-16918.
36 CVE-2020-16977 Exec Code 2020-10-16 2020-10-20
9.3
None Remote Medium Not required Complete Complete Complete
A remote code execution vulnerability exists in Visual Studio Code when the Python extension loads a Jupyter notebook file, aka 'Visual Studio Code Python Extension Remote Code Execution Vulnerability'.
37 CVE-2020-16968 119 Exec Code Overflow 2020-10-16 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
A remote code execution vulnerability exists when the Windows Camera Codec Pack improperly handles objects in memory, aka 'Windows Camera Codec Pack Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-16967.
38 CVE-2020-16967 119 Exec Code Overflow 2020-10-16 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
A remote code execution vulnerability exists when the Windows Camera Codec Pack improperly handles objects in memory, aka 'Windows Camera Codec Pack Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-16968.
39 CVE-2020-16957 Exec Code 2020-10-16 2020-10-20
9.3
None Remote Medium Not required Complete Complete Complete
A remote code execution vulnerability exists when the Microsoft Office Access Connectivity Engine improperly handles objects in memory, aka 'Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability'.
40 CVE-2020-16947 125 Exec Code 2020-10-16 2020-10-22
9.3
None Remote Medium Not required Complete Complete Complete
A remote code execution vulnerability exists in Microsoft Outlook software when the software fails to properly handle objects in memory, aka 'Microsoft Outlook Remote Code Execution Vulnerability'.
41 CVE-2020-16924 119 Exec Code Overflow 2020-10-16 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'.
42 CVE-2020-16918 Exec Code 2020-10-16 2020-10-21
9.3
None Remote Medium Not required Complete Complete Complete
A remote code execution vulnerability exists when the Base3D rendering engine improperly handles memory.An attacker who successfully exploited the vulnerability would gain execution on a victim system.The security update addresses the vulnerability by correcting how the Base3D rendering engine handles memory., aka 'Base3D Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-17003.
43 CVE-2020-16911 Exec Code 2020-10-16 2020-10-20
9.3
None Remote Medium Not required Complete Complete Complete
A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory, aka 'GDI+ Remote Code Execution Vulnerability'.
44 CVE-2020-16259 732 2020-10-28 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
Winston 1.5.4 devices have an SSH user account with access from bastion hosts. This is undocumented in device documents and is not announced to the user.
45 CVE-2020-16257 77 2020-10-28 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
Winston 1.5.4 devices are vulnerable to command injection via the API.
46 CVE-2020-16256 352 CSRF 2020-10-28 2020-11-03
9.3
None Remote Medium Not required Complete Complete Complete
The API on Winston 1.5.4 devices is vulnerable to CSRF.
47 CVE-2020-15663 269 Exec Code 2020-10-01 2020-10-13
9.3
None Remote Medium Not required Complete Complete Complete
If Firefox is installed to a user-writable directory, the Mozilla Maintenance Service would execute updater.exe from the install location with system privileges. Although the Mozilla Maintenance Service does ensure that updater.exe is signed by Mozilla, the version could have been rolled back to a previous version which would have allowed exploitation of an older bug and arbitrary code execution with System Privileges. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR < 68.12, and Firefox ESR < 78.2.
48 CVE-2020-15271 78 2020-10-26 2020-11-13
9.3
None Remote Medium Not required Complete Complete Complete
In lookatme (python/pypi package) versions prior to 2.3.0, the package automatically loaded the built-in "terminal" and "file_loader" extensions. Users that use lookatme to render untrusted markdown may have malicious shell commands automatically run on their system. This is fixed in version 2.3.0. As a workaround, the `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py` files may be manually deleted. Additionally, it is always recommended to be aware of what is being rendered with lookatme.
49 CVE-2020-15252 74 Exec Code 2020-10-16 2021-11-18
9.0
None Remote Low ??? Complete Complete Complete
In XWiki before version 12.5 and 11.10.6, any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server Servlet context which contains tools allowing to instantiate arbitrary Java objects and invoke methods that may lead to arbitrary code execution. This is patched in XWiki 12.5 and XWiki 11.10.6.
50 CVE-2020-14883 2020-10-21 2020-11-19
9.0
None Remote Low ??? Complete Complete Complete
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Total number of vulnerabilities : 183   Page : 1 (This Page)2 3 4
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.