CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In December 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
501 CVE-2020-28274 DoS Exec Code 2020-12-08 2020-12-10
7.5
None Remote Low Not required Partial Partial Partial
Prototype pollution vulnerability in 'deepref' versions 1.1.1 through 1.2.1 allows attacker to cause a denial of service and may lead to remote code execution.
502 CVE-2020-28273 DoS Exec Code 2020-12-02 2020-12-07
7.5
None Remote Low Not required Partial Partial Partial
Prototype pollution vulnerability in 'set-in' versions 1.0.0 through 2.0.0 allows attacker to cause a denial of service and may lead to remote code execution.
503 CVE-2020-28272 DoS Exec Code 2020-12-02 2020-12-07
7.5
None Remote Low Not required Partial Partial Partial
Prototype pollution vulnerability in 'keyget' versions 1.0.0 through 2.2.0 allows attacker to cause a denial of service and may lead to remote code execution.
504 CVE-2020-28251 269 2020-12-03 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
NETSCOUT AirMagnet Enterprise 11.1.4 build 37257 and earlier has a sensor escalated privileges vulnerability that can be exploited to provide someone with administrative access to a sensor, with credentials to invoke a command to provide root access to the operating system. The attacker must complete a straightforward password-cracking exercise.
505 CVE-2020-28220 119 Overflow 2020-12-11 2022-02-03
5.2
None Local Network Low ??? Partial Partial Partial
A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.
506 CVE-2020-28219 522 2020-12-11 2020-12-16
2.1
None Local Low Not required Partial None None
A CWE-522: Insufficiently Protected Credentials vulnerability exists in EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1) and EcoStruxure Geo SCADA Expert 2020 (Original release and Monthly Updates to September 2020, from 83.7551.1 to 83.7578.1), that could cause exposure of credentials to server-side users when web users are logged in to Virtual ViewX.
507 CVE-2020-28218 1021 2020-12-11 2020-12-14
4.3
None Remote Medium Not required None Partial None
A CWE-1021: Improper Restriction of Rendered UI Layers or Frames vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to trick a user into initiating an unintended action.
508 CVE-2020-28217 311 2020-12-11 2020-12-14
5.0
None Remote Low Not required Partial None None
A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to read network traffic over HTTP protocol.
509 CVE-2020-28216 311 2020-12-11 2020-12-14
5.0
None Remote Low Not required Partial None None
A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to read network traffic over HTTP protocol.
510 CVE-2020-28215 862 DoS Exec Code 2020-12-11 2020-12-14
7.5
None Remote Low Not required Partial Partial Partial
A CWE-862: Missing Authorization vulnerability exists in Easergy T300 (firmware 2.7 and older), that could cause a wide range of problems, including information exposures, denial of service, and arbitrary code execution when access control checks are not applied consistently.
511 CVE-2020-28214 760 2020-12-11 2022-02-03
2.1
None Local Low Not required Partial None None
A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.
512 CVE-2020-28206 307 2020-12-02 2020-12-04
4.0
None Remote Low ??? Partial None None
An issue was discovered in Bitrix24 Bitrix Framework (1c site management) 20.0. An "User enumeration and Improper Restriction of Excessive Authentication Attempts" vulnerability exists in the admin login form, allowing a remote user to enumerate users in the administrator group. This also allows brute-force attacks on the passwords of users not in the administrator group.
513 CVE-2020-28203 476 DoS 2020-12-15 2020-12-16
4.3
None Remote Medium Not required None None Partial
An issue was discovered in Foxit Reader and PhantomPDF 10.1.0.37527 and earlier. There is a null pointer access/dereference while opening a crafted PDF file, leading the application to crash (denial of service).
514 CVE-2020-28190 2020-12-24 2020-12-28
4.3
None Remote Medium Not required None Partial None
TerraMaster TOS <= 4.2.06 was found to check for updates (of both system and applications) via an insecure channel (HTTP). Man-in-the-middle attackers are able to intercept these requests and serve a weaponized/infected version of applications or updates.
515 CVE-2020-28188 78 Exec Code 2020-12-24 2021-02-02
10.0
None Remote Low Not required Complete Complete Complete
Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php in Event parameter.
516 CVE-2020-28187 22 Dir. Trav. 2020-12-24 2020-12-28
10.0
None Remote Low Not required Complete Complete Complete
Multiple directory traversal vulnerabilities in TerraMaster TOS <= 4.2.06 allow remote authenticated attackers to read, edit or delete any file within the filesystem via the (1) filename parameter to /tos/index.php?editor/fileGet, Event parameter to /include/ajax/logtable.php, or opt parameter to /include/core/index.php.
517 CVE-2020-28186 640 2020-12-24 2020-12-28
6.8
None Remote Medium Not required Partial Partial Partial
Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover.
518 CVE-2020-28185 2020-12-24 2020-12-28
5.0
None Remote Low Not required Partial None None
User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.
519 CVE-2020-28184 79 XSS 2020-12-24 2020-12-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated users to inject arbitrary web script or HTML via the mod parameter to /module/index.php.
520 CVE-2020-28175 269 2020-12-03 2021-07-21
4.6
None Local Low Not required Partial Partial Partial
There is a local privilege escalation vulnerability in Alfredo Milani Comparetti SpeedFan 4.52. Attackers can use constructed programs to increase user privileges
521 CVE-2020-28169 732 +Priv 2020-12-24 2022-04-05
6.9
None Local Medium Not required Complete Complete Complete
The td-agent-builder plugin before 2020-12-18 for Fluentd allows attackers to gain privileges because the bin directory is writable by a user account, but a file in bin is executed as NT AUTHORITY\SYSTEM.
522 CVE-2020-28096 2020-12-28 2020-12-30
7.2
None Local Low Not required Complete Complete Complete
FOSCAM FHD X1 1.14.2.4 devices allow attackers (with physical UART access) to login via the ipc.fos~ password.
523 CVE-2020-28095 835 2020-12-30 2021-01-05
7.8
None Remote Low Not required None None Complete
On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, a large HTTP POST request sent to the change password API will trigger the router to crash and enter an infinite boot loop.
524 CVE-2020-28094 2020-12-28 2020-12-30
5.0
None Remote Low Not required Partial None None
On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, the default settings for the router speed test contain links to download malware named elive or CNKI E-Learning.
525 CVE-2020-28093 2020-12-28 2020-12-30
6.5
None Remote Low ??? Partial Partial Partial
On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, admin, support, user, and nobody have a password of 1234.
526 CVE-2020-28086 287 2020-12-09 2021-07-21
5.0
None Remote Low Not required None Partial None
pass through 1.7.3 has a possibility of using a password for an unintended resource. For exploitation to occur, the user must do a git pull, decrypt a password, and log into a remote service with the password. If an attacker controls the central Git server or one of the other members' machines, and also controls one of the services already in the password store, they can rename one of the password files in the Git repository to something else: pass doesn't correctly verify that the content of a file matches the filename, so a user might be tricked into decrypting the wrong password and sending that to a service that the attacker controls. NOTE: for environments in which this threat model is of concern, signing commits can be a solution.
527 CVE-2020-28074 89 Sql Bypass 2020-12-23 2020-12-23
7.5
None Remote Low Not required Partial Partial Partial
SourceCodester Online Health Care System 1.0 is affected by SQL Injection which allows a potential attacker to bypass the authentication system and become an admin.
528 CVE-2020-28073 89 Sql Bypass 2020-12-23 2020-12-23
7.5
None Remote Low Not required Partial Partial Partial
SourceCodester Library Management System 1.0 is affected by SQL Injection allowing an attacker to bypass the user authentication and impersonate any user on the system.
529 CVE-2020-28072 434 Exec Code 2020-12-15 2020-12-17
6.5
None Remote Low ??? Partial Partial Partial
A Remote Code Execution vulnerability exists in DourceCodester Alumni Management System 1.0. An authenticated attacker can upload arbitrary file in the gallery.php page and executing it on the server reaching the RCE.
530 CVE-2020-28071 79 XSS 2020-12-23 2020-12-23
3.5
None Remote Medium ??? None Partial None
SourceCodester Alumni Management System 1.0 is affected by cross-site Scripting (XSS) in /admin/gallery.php. After the admin authentication an attacker can upload an image in the gallery using a XSS payload in the description textarea called 'about' and reach a stored XSS.
531 CVE-2020-28070 89 Exec Code Sql 2020-12-23 2020-12-23
7.5
None Remote Low Not required Partial Partial Partial
SourceCodester Alumni Management System 1.0 is affected by SQL injection causing arbitrary remote code execution from GET input in view_event.php via the 'id' parameter.
532 CVE-2020-28052 2020-12-18 2022-05-12
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.
533 CVE-2020-27950 665 2020-12-08 2021-02-11
7.1
None Remote Medium Not required Complete None None
A memory initialization issue was addressed. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 12.4.9, watchOS 6.2.9, Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave, iOS 14.2 and iPadOS 14.2, watchOS 5.3.9, macOS Catalina 10.15.7 Supplemental Update, macOS Catalina 10.15.7 Update. A malicious application may be able to disclose kernel memory.
534 CVE-2020-27932 843 Exec Code 2020-12-08 2021-02-11
9.3
None Remote Medium Not required Complete Complete Complete
A type confusion issue was addressed with improved state handling. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 12.4.9, watchOS 6.2.9, Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave, iOS 14.2 and iPadOS 14.2, watchOS 5.3.9, macOS Catalina 10.15.7 Supplemental Update, macOS Catalina 10.15.7 Update. A malicious application may be able to execute arbitrary code with kernel privileges.
535 CVE-2020-27930 787 Exec Code Mem. Corr. 2020-12-08 2021-02-11
6.8
None Remote Medium Not required Partial Partial Partial
A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 12.4.9, watchOS 6.2.9, Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave, iOS 14.2 and iPadOS 14.2, watchOS 5.3.9, macOS Catalina 10.15.7 Supplemental Update, macOS Catalina 10.15.7 Update. Processing a maliciously crafted font may lead to arbitrary code execution.
536 CVE-2020-27929 2020-12-08 2020-12-09
4.3
None Remote Medium Not required None Partial None
A logic issue existed in the handling of Group FaceTime calls. The issue was addressed with improved state management. This issue is fixed in iOS 12.4.9. A user may send video in Group FaceTime calls without knowing that they have done so.
537 CVE-2020-27927 787 Exec Code 2020-12-08 2021-03-10
6.8
None Remote Medium Not required Partial Partial Partial
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Big Sur 11.0.1, iOS 14.2 and iPadOS 14.2, tvOS 14.2, watchOS 7.1. Processing a maliciously crafted font file may lead to arbitrary code execution.
538 CVE-2020-27926 416 Exec Code 2020-12-08 2021-03-10
9.3
None Remote Medium Not required Complete Complete Complete
A use after free issue was addressed with improved memory management. This issue is fixed in iOS 14.2 and iPadOS 14.2. Processing maliciously crafted web content may lead to arbitrary code execution.
539 CVE-2020-27925 2020-12-08 2020-12-10
1.9
None Local Medium Not required None Partial None
An issue existed in the handling of incoming calls. The issue was addressed with additional state checks. This issue is fixed in iOS 14.2 and iPadOS 14.2. A user may answer two calls simultaneously without indication they have answered a second call.
540 CVE-2020-27918 416 Exec Code 2020-12-08 2021-05-01
6.8
None Remote Medium Not required Partial Partial Partial
A use after free issue was addressed with improved memory management. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 14.2 and iPadOS 14.2, iCloud for Windows 11.5, Safari 14.0.1, tvOS 14.2, iTunes 12.11 for Windows. Processing maliciously crafted web content may lead to arbitrary code execution.
541 CVE-2020-27917 416 Exec Code 2020-12-08 2021-03-10
9.3
None Remote Medium Not required Complete Complete Complete
A use after free issue was addressed with improved memory management. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 14.2 and iPadOS 14.2, iCloud for Windows 11.5, tvOS 14.2, iTunes 12.11 for Windows. Processing maliciously crafted web content may lead to code execution.
542 CVE-2020-27916 787 Exec Code 2020-12-08 2021-03-10
9.3
None Remote Medium Not required Complete Complete Complete
An out-of-bounds write was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1, iOS 14.2 and iPadOS 14.2, tvOS 14.2, watchOS 7.1. Processing a maliciously crafted audio file may lead to arbitrary code execution.
543 CVE-2020-27912 787 Exec Code 2020-12-08 2021-03-10
9.3
None Remote Medium Not required Complete Complete Complete
An out-of-bounds write was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 14.2 and iPadOS 14.2, iCloud for Windows 11.5, tvOS 14.2, iTunes 12.11 for Windows. Processing a maliciously crafted image may lead to arbitrary code execution.
544 CVE-2020-27911 190 Exec Code Overflow 2020-12-08 2021-03-10
9.3
None Remote Medium Not required Complete Complete Complete
An integer overflow was addressed through improved input validation. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 14.2 and iPadOS 14.2, iCloud for Windows 11.5, tvOS 14.2, iTunes 12.11 for Windows. A remote attacker may be able to cause unexpected application termination or arbitrary code execution.
545 CVE-2020-27910 125 Exec Code 2020-12-08 2021-03-10
9.3
None Remote Medium Not required Complete Complete Complete
An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1, iOS 14.2 and iPadOS 14.2, tvOS 14.2, watchOS 7.1. Processing a maliciously crafted audio file may lead to arbitrary code execution.
546 CVE-2020-27909 125 Exec Code 2020-12-08 2021-03-30
9.3
None Remote Medium Not required Complete Complete Complete
An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 14.2 and iPadOS 14.2, tvOS 14.2, watchOS 7.1. Processing a maliciously crafted audio file may lead to arbitrary code execution.
547 CVE-2020-27906 190 Overflow 2020-12-08 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
Multiple integer overflows were addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1. A remote attacker may be able to cause unexpected application termination or heap corruption.
548 CVE-2020-27905 Exec Code Mem. Corr. 2020-12-08 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
A memory corruption issue was addressed with improved state management. This issue is fixed in iOS 14.2 and iPadOS 14.2, tvOS 14.2, watchOS 7.1. A malicious application may be able to execute arbitrary code with system privileges.
549 CVE-2020-27904 Exec Code Mem. Corr. 2020-12-08 2021-02-10
9.3
None Remote Medium Not required Complete Complete Complete
A logic issue existed resulting in memory corruption. This was addressed with improved state management. This issue is fixed in macOS Big Sur 11.0.1. An application may be able to execute arbitrary code with kernel privileges.
550 CVE-2020-27903 269 +Priv 2020-12-08 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Big Sur 11.0.1. An application may be able to gain elevated privileges.
Total number of vulnerabilities : 1530   Page : 1 2 3 4 5 6 7 8 9 10 11 (This Page)12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.