CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In August 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
501 CVE-2020-13404 78 2020-08-05 2020-08-10
9.0
None Remote Low ??? Complete Complete Complete
The ATOS/Sips (aka Atos-Magento) community module 3.0.0 to 3.0.5 for Magento allows command injection.
502 CVE-2020-13376 22 Exec Code Dir. Trav. 2020-08-07 2020-08-12
9.3
None Remote Medium Not required Complete Complete Complete
SecurEnvoy SecurMail 9.3.503 allows attackers to upload executable files and achieve OS command execution via a crafted SecurEnvoyReply cookie.
503 CVE-2020-13365 287 2020-08-06 2022-02-09
9.0
None Remote Low ??? Complete Complete Complete
Certain Zyxel products have a locally accessible binary that allows a non-root user to generate a password for an undocumented user account that can be used for a TELNET session as root. This affects NAS520 V5.21(AASZ.4)C0, V5.21(AASZ.0)C0, V5.11(AASZ.3)C0, and V5.11(AASZ.0)C0; NAS542 V5.11(ABAG.0)C0, V5.20(ABAG.1)C0, and V5.21(ABAG.3)C0; NSA325 v2_V4.81(AALS.0)C0 and V4.81(AAAJ.1)C0; NSA310 4.22(AFK.0)C0 and 4.22(AFK.1)C0; NAS326 V5.21(AAZF.8)C0, V5.11(AAZF.4)C0, V5.11(AAZF.2)C0, and V5.11(AAZF.3)C0; NSA310S V4.75(AALH.2)C0; NSA320S V4.75(AANV.2)C0 and V4.75(AANV.1)C0; NSA221 V4.41(AFM.1)C0; and NAS540 V5.21(AATB.5)C0 and V5.21(AATB.3)C0.
504 CVE-2020-13364 2020-08-06 2022-02-09
9.0
None Remote Low ??? Complete Complete Complete
A backdoor in certain Zyxel products allows remote TELNET access via a CGI script. This affects NAS520 V5.21(AASZ.4)C0, V5.21(AASZ.0)C0, V5.11(AASZ.3)C0, and V5.11(AASZ.0)C0; NAS542 V5.11(ABAG.0)C0, V5.20(ABAG.1)C0, and V5.21(ABAG.3)C0; NSA325 v2_V4.81(AALS.0)C0 and V4.81(AAAJ.1)C0; NSA310 4.22(AFK.0)C0 and 4.22(AFK.1)C0; NAS326 V5.21(AAZF.8)C0, V5.11(AAZF.4)C0, V5.11(AAZF.2)C0, and V5.11(AAZF.3)C0; NSA310S V4.75(AALH.2)C0; NSA320S V4.75(AANV.2)C0 and V4.75(AANV.1)C0; NSA221 V4.41(AFM.1)C0; and NAS540 V5.21(AATB.5)C0 and V5.21(AATB.3)C0.
505 CVE-2020-13295 918 2020-08-10 2020-08-12
6.5
None Remote Low ??? Partial Partial Partial
For GitLab Runner before 13.0.12, 13.1.6, 13.2.3, by replacing dockerd with a malicious server, the Shared Runner is susceptible to SSRF.
506 CVE-2020-13294 2020-08-10 2020-10-06
5.5
None Remote Low ??? Partial Partial None
In GitLab before 13.0.12, 13.1.6 and 13.2.3, access grants were not revoked when a user revoked access to an application.
507 CVE-2020-13293 704 2020-08-10 2021-07-21
5.5
None Remote Low ??? None Partial Partial
In GitLab before 13.0.12, 13.1.6 and 13.2.3 using a branch with a hexadecimal name could override an existing hash.
508 CVE-2020-13292 287 Bypass 2020-08-10 2020-08-11
5.5
None Remote Low ??? Partial Partial None
In GitLab before 13.0.12, 13.1.6 and 13.2.3, it is possible to bypass E-mail verification which is required for OAuth Flow.
509 CVE-2020-13291 2020-08-12 2020-08-17
5.5
None Remote Low ??? Partial Partial None
In GitLab before 13.2.3, project sharing could temporarily allow too permissive access.
510 CVE-2020-13290 287 2020-08-12 2021-12-22
6.5
None Remote Low ??? Partial Partial Partial
In GitLab before 13.0.12, 13.1.6, and 13.2.3, improper access control was used on the Applications page
511 CVE-2020-13288 79 XSS 2020-08-12 2020-08-14
3.5
None Remote Medium ??? None Partial None
In GitLab before 13.0.12, 13.1.6, and 13.2.3, a stored XSS vulnerability exists in the CI/CD Jobs page
512 CVE-2020-13286 918 2020-08-13 2020-08-14
4.0
None Remote Low ??? None Partial None
For GitLab before 13.0.12, 13.1.6, 13.2.3 user controlled git configuration settings can be modified to result in Server Side Request Forgery.
513 CVE-2020-13285 79 XSS 2020-08-13 2021-05-03
3.5
None Remote Medium ??? None Partial None
For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting (XSS) vulnerability exists in the issue reference number tooltip.
514 CVE-2020-13283 79 XSS 2020-08-13 2020-08-14
3.5
None Remote Medium ??? None Partial None
For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting vulnerability exists in the issues list via milestone title.
515 CVE-2020-13282 281 2020-08-13 2020-08-19
4.9
None Remote Medium ??? Partial Partial None
For GitLab before 13.0.12, 13.1.6, 13.2.3 after a group transfer occurs, members from a parent group keep their access level on the subgroup leading to improper access.
516 CVE-2020-13281 20 DoS 2020-08-13 2021-07-21
4.0
None Remote Low ??? None None Partial
For GitLab before 13.0.12, 13.1.6, 13.2.3 a denial of service exists in the project import feature
517 CVE-2020-13280 400 2020-08-13 2020-08-19
4.0
None Remote Low ??? None None Partial
For GitLab before 13.0.12, 13.1.6, 13.2.3 a memory exhaustion flaw exists due to excessive logging of an invite email error message.
518 CVE-2020-13278 79 XSS 2020-08-12 2020-08-17
4.3
None Remote Medium Not required None Partial None
Reflected Cross-Site Scripting vulnerability in Modules.php in RosarioSIS Student Information System < 6.5.1 allows remote attackers to execute arbitrary web script via embedding javascript or HTML tags in a GET request.
519 CVE-2020-13183 79 XSS 2020-08-17 2020-08-21
4.3
None Remote Medium Not required None Partial None
Reflected Cross Site Scripting in Teradici PCoIP Management Console prior to 20.07 could allow an attacker to take over the user's active session if the user is exposed to a malicious payload.
520 CVE-2020-13179 212 2020-08-11 2021-11-04
2.1
None Local Low Not required Partial None None
Broker Protocol messages in Teradici PCoIP Standard Agent for Windows and Graphics Agent for Windows prior to 20.04.1 are not cleaned up in server memory, which may allow an attacker to read confidential information from a memory dump via forcing a crashing during the single sign-on procedure.
521 CVE-2020-13178 345 +Priv 2020-08-11 2020-08-13
4.6
None Local Low Not required Partial Partial Partial
A function in the Teradici PCoIP Standard Agent for Windows and Graphics Agent for Windows prior to version 20.04.1 does not properly validate the signature of an external binary, which could allow an attacker to gain elevated privileges via execution in the context of the PCoIP Agent process.
522 CVE-2020-13177 427 Exec Code +Priv 2020-08-11 2020-08-13
4.4
None Local Medium Not required Partial Partial Partial
The support bundler in Teradici PCoIP Standard Agent for Windows and Graphics Agent for Windows versions prior to 20.04.1 and 20.07.0 does not use hard coded paths for certain Windows binaries, which allows an attacker to gain elevated privileges via execution of a malicious binary placed in the system path.
523 CVE-2020-13176 79 XSS 2020-08-11 2020-08-13
4.3
None Remote Medium Not required None Partial None
The Management Interface of the Teradici Cloud Access Connector and Cloud Access Connector Legacy for releases prior to April 24, 2020 (v16 and earlier for the Cloud Access Connector) contains a stored cross-site scripting (XSS) vulnerability which allows a remote unauthenticated attacker to poison log files with malicious JavaScript via the login page which is executed when an administrator views the logs within the application.
524 CVE-2020-13175 829 File Inclusion 2020-08-11 2020-08-14
5.0
None Remote Low Not required Partial None None
The Management Interface of the Teradici Cloud Access Connector and Cloud Access Connector Legacy for releases prior to April 20, 2020 (v15 and earlier for Cloud Access Connector) contains a local file inclusion vulnerability which allows an unauthenticated remote attacker to leak LDAP credentials via a specially crafted HTTP request.
525 CVE-2020-13174 1021 2020-08-11 2020-08-13
4.3
None Remote Medium Not required None Partial None
The web server in the Teradici Managament console versions 20.04 and 20.01.1 did not properly set the X-Frame-Options HTTP header, which could allow an attacker to trick a user into clicking a malicious link via clickjacking.
526 CVE-2020-13151 78 Exec Code 2020-08-05 2020-12-11
10.0
None Remote Low Not required Complete Complete Complete
Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. It attempts to restrict code execution by disabling os.execute() calls, but this is insufficient. Anyone with network access can use a crafted UDF to execute arbitrary OS commands on all nodes of the cluster at the permission level of the user running the Aerospike service.
527 CVE-2020-13124 78 Exec Code 2020-08-11 2020-08-13
6.5
None Remote Low ??? Partial Partial Partial
SABnzbd 2.3.9 and 3.0.0Alpha2 has a command injection vulnerability in the web configuration interface that permits an authenticated user to execute arbitrary Python commands on the underlying operating system.
528 CVE-2020-13122 78 Exec Code 2020-08-17 2020-08-21
8.0
None Remote Low ??? Partial Partial Complete
The novish command-line interface, included in NoviFlow NoviWare before NW500.2.12 and deployed on NoviSwitch devices, is vulnerable to command injection in the "show status destination ipaddr" command. This could be used by a read-only user (monitoring group) or admin to execute commands on the operating system.
529 CVE-2020-13101 347 2020-08-24 2020-12-11
5.0
None Remote Low Not required None Partial None
In OASIS Digital Signature Services (DSS) 1.0, an attacker can control the validation outcome (i.e., trigger either a valid or invalid outcome for a valid or invalid signature) via a crafted XML signature, when the InlineXML option is used. This defeats the expectation of non-repudiation.
530 CVE-2020-12855 74 2020-08-26 2020-09-01
6.5
None Remote Low ??? Partial Partial Partial
A Host header injection vulnerability has been discovered in SecZetta NEProfile 3.3.11. Authenticated remote adversaries can poison this header resulting in an adversary controlling the execution flow for the 302 HTTP status.
531 CVE-2020-12829 190 DoS Overflow 2020-08-31 2020-12-14
2.1
None Local Low Not required None None Partial
In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service.
532 CVE-2020-12781 352 Exec Code CSRF 2020-08-10 2020-09-25
6.8
None Remote Medium Not required Partial Partial Partial
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.
533 CVE-2020-12780 863 2020-08-10 2022-04-28
5.0
None Remote Low Not required Partial None None
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
534 CVE-2020-12779 79 XSS 2020-08-10 2020-10-28
3.5
None Remote Medium ??? None Partial None
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
535 CVE-2020-12778 79 XSS 2020-08-10 2020-09-25
4.3
None Remote Medium Not required None Partial None
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.
536 CVE-2020-12777 200 +Info 2020-08-10 2020-09-25
5.0
None Remote Low Not required Partial None None
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
537 CVE-2020-12759 79 XSS 2020-08-21 2020-08-26
4.3
None Remote Medium Not required None Partial None
Zulip Server before 2.1.5 allows reflected XSS via the Dropbox webhook.
538 CVE-2020-12739 20 2020-08-03 2021-07-21
5.0
None Remote Low Not required None None Partial
A denial-of-service vulnerability in the Fanuc i Series CNC (0i-MD and 0i Mate-MD) could allow an unauthenticated, remote attacker to cause an affected CNC to become inaccessible to other devices.
539 CVE-2020-12674 125 2020-08-12 2020-10-13
5.0
None Remote Low Not required None None Partial
In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled.
540 CVE-2020-12673 125 2020-08-12 2020-10-13
5.0
None Remote Low Not required None None Partial
In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read.
541 CVE-2020-12648 79 XSS 2020-08-14 2020-08-17
4.3
None Remote Medium Not required None Partial None
A cross-site scripting (XSS) vulnerability in TinyMCE 5.2.1 and earlier allows remote attackers to inject arbitrary web script when configured in classic editing mode.
542 CVE-2020-12646 79 XSS 2020-08-31 2020-09-09
3.5
None Remote Medium ??? None Partial None
OX App Suite 7.10.3 and earlier allows XSS via text/x-javascript, text/rdf, or a PDF document.
543 CVE-2020-12645 20 2020-08-31 2021-07-21
5.0
None Remote Low Not required Partial None None
OX App Suite 7.10.1 to 7.10.3 has improper input validation for rate limits with a crafted User-Agent header, spoofed vacation notices, and /apps/load memory consumption.
544 CVE-2020-12644 918 2020-08-31 2020-09-09
4.0
None Remote Low ??? Partial None None
OX App Suite 7.10.3 and earlier allows SSRF, related to the mail account API and the /folder/list API.
545 CVE-2020-12643 863 2020-08-31 2021-07-21
4.0
None Remote Low ??? Partial None None
OX App Suite 7.10.3 and earlier has Incorrect Access Control via an /api/subscriptions request for a snippet containing an email address.
546 CVE-2020-12619 295 2020-08-20 2021-07-21
4.3
None Remote Medium Not required None Partial None
MailMate before 1.11 automatically imported S/MIME certificates and thereby silently replaced existing ones. This allowed a man-in-the-middle attacker to obtain an email-validated S/MIME certificate from a trusted CA and replace the public key of the entity to be impersonated. This enabled the attacker to decipher further communication. The entire attack could be accomplished by sending a single email.
547 CVE-2020-12618 295 2020-08-20 2021-07-21
5.8
None Remote Medium Not required Partial Partial None
eM Client before 7.2.33412.0 automatically imported S/MIME certificates and thereby silently replaced existing ones. This allowed a man-in-the-middle attacker to obtain an email-validated S/MIME certificate from a trusted CA and replace the public key of the entity to be impersonated. This enabled the attacker to decipher further communication. The entire attack could be accomplished by sending a single email.
548 CVE-2020-12606 89 Exec Code Sql 2020-08-17 2020-08-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in DB Soft SGLAC before 20.05.001. The ProcedimientoGenerico method in the SVCManejador.svc webservice of the SGLAC web frontend allows an attacker to run arbitrary SQL commands on the SQL Server. Command execution can be easily achieved by using the xp_cmdshell stored procedure.
549 CVE-2020-12480 352 Bypass CSRF 2020-08-17 2020-08-24
4.3
None Remote Medium Not required None Partial None
In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.
550 CVE-2020-12457 20 DoS 2020-08-21 2021-07-21
5.0
None Remote Low Not required None None Partial
An issue was discovered in wolfSSL before 4.5.0. It mishandles the change_cipher_spec (CCS) message processing logic for TLS 1.3. If an attacker sends ChangeCipherSpec messages in a crafted way involving more than one in a row, the server becomes stuck in the ProcessReply() loop, i.e., a denial of service.
Total number of vulnerabilities : 1155   Page : 1 2 3 4 5 6 7 8 9 10 11 (This Page)12 13 14 15 16 17 18 19 20 21 22 23 24
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.