CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In July 2020

Columns: # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
551 CVE-2020-13919 78 2020-07-28 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
emfd/libemf in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to achieve command injection via a crafted HTTP request. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510, R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.
552 CVE-2020-13918 200 +Info 2020-07-28 2021-07-21
5.0
None Remote Low Not required Partial None None
Incorrect access control in webs in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to leak system information (that can be used for a jailbreak) via an unauthenticated crafted HTTP request. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510, R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.
553 CVE-2020-13917 78 2020-07-28 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
rkscli in Ruckus Wireless Unleashed through 200.7.10.92 allows a remote attacker to achieve command injection and jailbreak the CLI via a crafted CLI command. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510, R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.
554 CVE-2020-13916 787 Exec Code Overflow 2020-07-28 2020-07-28
7.5
None Remote Low Not required Partial Partial Partial
A stack buffer overflow in webs in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to execute code via an unauthenticated crafted HTTP request. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510, R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.
555 CVE-2020-13915 522 2020-07-28 2021-07-21
6.4
None Remote Low Not required None Partial Partial
Insecure permissions in emfd/libemf in Ruckus Wireless Unleashed through 200.7.10.102.92 allow a remote attacker to overwrite admin credentials via an unauthenticated crafted HTTP request. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510, R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.
556 CVE-2020-13914 20 DoS 2020-07-28 2021-07-21
5.0
None Remote Low Not required None None Partial
webs in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to cause a denial of service (Segmentation fault) to the webserver via an unauthenticated crafted HTTP request. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510, R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.
557 CVE-2020-13913 79 Exec Code XSS 2020-07-28 2020-07-29
4.3
None Remote Medium Not required None Partial None
An XSS issue in emfd in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to execute JavaScript code via an unauthenticated crafted HTTP request. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510, R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.
558 CVE-2020-13847 354 2020-07-14 2020-09-18
5.0
None Remote Low Not required None Partial None
Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Check. Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file.
559 CVE-2020-13846 2020-07-14 2020-09-18
5.0
None Remote Low Not required None Partial None
Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a Status Code.
560 CVE-2020-13845 347 2020-07-14 2020-09-18
5.0
None Remote Low Not required None Partial None
Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.
561 CVE-2020-13788 918 2020-07-15 2020-07-22
4.0
None Remote Low ??? Partial None None
Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet.
562 CVE-2020-13753 20 Exec Code 2020-07-14 2020-07-27
7.5
None Remote Low Not required Partial Partial Partial
The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3, failed to properly block access to CLONE_NEWUSER and the TIOCSTI ioctl. CLONE_NEWUSER could potentially be used to confuse xdg-desktop-portal, which allows access outside the sandbox. TIOCSTI can be used to directly execute commands outside the sandbox by writing to the controlling terminal's input buffer, similar to CVE-2017-5226.
563 CVE-2020-13699 428 2020-07-29 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
TeamViewer Desktop for Windows before 15.8.3 does not properly quote its custom URI handlers. A malicious website could launch TeamViewer with arbitrary parameters, as demonstrated by a teamviewer10: --play URL. An attacker could force a victim to send an NTLM authentication request and either relay the request or capture the hash for offline password cracking. This affects teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1. The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3.
564 CVE-2020-13653 79 Exec Code XSS 2020-07-02 2020-07-09
4.3
None Remote Medium Not required None Partial None
An XSS vulnerability exists in the Webmail component of Zimbra Collaboration Suite before 8.8.15 Patch 11. It allows an attacker to inject executable JavaScript into the account name of a user's profile. The injected code can be reflected and executed when changing an e-mail signature.
565 CVE-2020-13619 74 Exec Code 2020-07-01 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
php/exec/escapeshellarg in Locutus PHP through 2.0.11 allows an attacker to achieve code execution.
566 CVE-2020-13405 200 +Info 2020-07-16 2021-07-21
5.0
None Remote Low Not required Partial None None
userfiles/modules/users/controller/controller.php in Microweber before 1.1.20 allows an unauthenticated user to disclose the users database via a /modules/ POST request.
567 CVE-2020-13383 22 Dir. Trav. 2020-07-01 2020-07-06
5.0
None Remote Low Not required Partial None None
openSIS through 7.4 allows Directory Traversal.
568 CVE-2020-13382 306 2020-07-01 2022-04-26
6.4
None Remote Low Not required Partial Partial None
openSIS through 7.4 has Incorrect Access Control.
569 CVE-2020-13381 89 Sql 2020-07-01 2020-07-06
7.5
None Remote Low Not required Partial Partial Partial
openSIS through 7.4 allows SQL Injection.
570 CVE-2020-13380 89 Sql 2020-07-01 2020-07-02
7.5
None Remote Low Not required Partial Partial Partial
openSIS before 7.4 allows SQL Injection.
571 CVE-2020-13132 327 DoS 2020-07-09 2021-07-21
2.1
None Local Low Not required None None Partial
An issue was discovered in Yubico libykpiv before 2.1.0. An attacker can trigger an incorrect free() in the ykpiv_util_generate_key() function in lib/util.c through incorrect error handling code. This could be used to cause a denial of service attack.
572 CVE-2020-13131 125 +Info 2020-07-09 2020-07-16
1.9
None Local Medium Not required Partial None None
An issue was discovered in Yubico libykpiv before 2.1.0. lib/util.c in this library (which is included in yubico-piv-tool) does not properly check embedded length fields during device communication. A malicious PIV token can misreport the returned length fields during RSA key generation. This will cause stack memory to be copied into heap allocated memory that gets returned to the caller. The leaked memory could include PINs, passwords, key material, and other sensitive information depending on the integration. During further processing by the caller, this information could leak across trust boundaries. Note that RSA key generation is triggered by the host and cannot directly be triggered by the token.
573 CVE-2020-12880 200 +Info 2020-07-27 2021-07-21
2.1
None Local Low Not required Partial None None
An issue was discovered in Pulse Policy Secure (PPS) and Pulse Connect Secure (PCS) Virtual Appliance before 9.1R8. By manipulating a certain kernel boot parameter, it can be tricked into dropping into a root shell in a pre-install phase where the entire source code of the appliance is available and can be retrieved. (The source code is otherwise inaccessible because the appliance has its hard disks encrypted, and no root shell is available during normal operation.)
574 CVE-2020-12854 434 Exec Code 2020-07-15 2020-07-22
6.5
None Remote Low ??? Partial Partial Partial
A remote code execution vulnerability was identified in SecZetta NEProfile 3.3.11. Authenticated remote adversaries can invoke code execution upon uploading a carefully crafted JPEG file as part of the profile avatar.
575 CVE-2020-12845 476 DoS 2020-07-27 2020-12-23
5.0
None Remote Low Not required None None Partial
Cherokee 0.4.27 to 1.2.104 is affected by a denial of service due to NULL pointer dereferences. A remote unauthenticated attacker can crash the server by sending an HTTP request to protected resources using a malformed Authorization header that is mishandled during a cherokee_buffer_add call within cherokee_validator_parse_basic or cherokee_validator_parse_digest.
576 CVE-2020-12821 2020-07-07 2020-07-15
7.5
None Remote Low Not required Partial Partial Partial
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.
577 CVE-2020-12812 287 2020-07-24 2020-07-28
7.5
None Remote Low Not required Partial Partial Partial
An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
578 CVE-2020-12774 78 2020-07-22 2021-04-23
4.6
None Local Low Not required Partial Partial Partial
D-Link DSL-7740C does not properly validate user input, which allows an authenticated LAN user to inject arbitrary commands.
579 CVE-2020-12736 269 Exec Code 2020-07-07 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
Code42 environments with on-premises server versions 7.0.4 and earlier allow for possible remote code execution. When an administrator creates a local (non-SSO) user via a Code42-generated email, the administrator has the option to modify content for the email invitation. If the administrator entered template language code in the subject line, that code could be interpreted by the email generation services, potentially resulting in server-side code injection.
580 CVE-2020-12684 611 2020-07-15 2020-07-22
7.5
None Remote Low Not required Partial Partial Partial
XXE injection can occur in i-net Clear Reports 2019 19.0.287 (Designer), as used in i-net HelpDesk and other products, when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
581 CVE-2020-12638 287 Bypass 2020-07-23 2021-07-21
4.3
None Local Network Medium Not required Partial Partial None
An encryption-bypass issue was discovered on Espressif ESP-IDF devices through 4.2, ESP8266_NONOS_SDK devices through 3.0.3, and ESP8266_RTOS_SDK devices through 3.3. Broadcasting forged beacon frames forces a device to change its authentication mode to OPEN, effectively disabling its 802.11 encryption.
582 CVE-2020-12620 269 2020-07-30 2021-07-21
7.2
None Local Low Not required Complete Complete Complete
Pi-hole 4.4 allows a user able to write to /etc/pihole/dns-servers.conf to escalate privileges through command injection (shell metacharacters after an IP address).
583 CVE-2020-12605 400 2020-07-01 2021-07-21
5.0
None Remote Low Not required None None Partial
Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs.
584 CVE-2020-12604 119 Overflow 2020-07-01 2021-07-21
5.0
None Remote Low Not required None None Partial
Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream.
585 CVE-2020-12603 400 2020-07-01 2020-07-09
5.0
None Remote Low Not required None None Partial
Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (i.e. 1 byte) data frames.
586 CVE-2020-12499 22 Dir. Trav. 2020-07-21 2020-08-05
4.4
None Local Medium Not required Partial Partial Partial
In PHOENIX CONTACT PLCnext Engineer version 2020.3.1 and earlier, an improper path sanitization vulnerability exists on import of project files.
587 CVE-2020-12498 125 Exec Code 2020-07-01 2020-07-10
6.8
None Remote Medium Not required Partial Partial Partial
mwe file parsing in Phoenix Contact PC Worx and PC Worx Express version 1.87 and earlier is vulnerable to out-of-bounds read remote code execution. Manipulated PC Worx projects could lead to a remote code execution due to insufficient input data validation.
588 CVE-2020-12497 787 Exec Code Overflow 2020-07-01 2021-03-31
6.8
None Remote Medium Not required Partial Partial Partial
PLCopen XML file parsing in Phoenix Contact PC Worx and PC Worx Express version 1.87 and earlier can lead to a stack-based overflow. Manipulated PC Worx projects could lead to a remote code execution due to insufficient input data validation.
589 CVE-2020-12460 787 Overflow Mem. Corr. 2020-07-27 2021-05-31
7.5
None Remote Low Not required Partial Partial Partial
OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null termination in the function opendmarc_xml_parse that can result in a one-byte heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate report. This can cause remote memory corruption when a '\0' byte overwrites the heap metadata of the next chunk and its PREV_INUSE flag.
590 CVE-2020-12432 79 XSS 2020-07-21 2020-07-24
4.3
None Remote Medium Not required None Partial None
The WOPI API integration for Vereign Collabora CODE through 4.2.2 does not properly restrict delivery of JavaScript to a victim's browser, and lacks proper MIME type access control, which could lead to XSS that steals account credentials via cookies or local storage. The attacker must first obtain an API access token, which can be accomplished if the attacker is able to upload a .docx or .odt file. The associated API endpoints for exploitation are /wopi/files and /wopi/getAccessToken.
591 CVE-2020-12426 787 Mem. Corr. 2020-07-09 2022-04-27
9.3
None Remote Medium Not required Complete Complete Complete
Mozilla developers and community members reported memory safety bugs present in Firefox 77. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 78.
592 CVE-2020-12425 125 2020-07-09 2020-07-27
4.3
None Remote Medium Not required Partial None None
Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have occurred, leading to potential information disclosure. This vulnerability affects Firefox < 78.
593 CVE-2020-12424 276 Bypass 2020-07-09 2020-07-27
4.3
None Remote Medium Not required None Partial None
When constructing a permission prompt for WebRTC, a URI was supplied from the content process. This URI was untrusted, and could have been the URI of an origin that was previously granted permission; bypassing the prompt. This vulnerability affects Firefox < 78.
594 CVE-2020-12423 427 Exec Code 2020-07-09 2020-07-20
6.9
None Local Medium Not required Complete Complete Complete
When the Windows DLL "webauthn.dll" was missing from the Operating System, and a malicious one was placed in a folder in the user's %PATH%, Firefox may have loaded the DLL, leading to arbitrary code execution. *Note: This issue only affects the Windows operating system; other operating systems are unaffected.* This vulnerability affects Firefox < 78.
595 CVE-2020-12422 787 Overflow Mem. Corr. 2020-07-09 2020-07-27
7.6
None Remote High Not required Complete Complete Complete
In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 78.
596 CVE-2020-12421 295 2020-07-09 2020-07-27
4.3
None Remote Medium Not required None Partial None
When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
597 CVE-2020-12420 362 Mem. Corr. 2020-07-09 2022-05-03
9.3
None Remote Medium Not required Complete Complete Complete
When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
598 CVE-2020-12419 416 Mem. Corr. 2020-07-09 2020-07-27
9.3
None Remote Medium Not required Complete Complete Complete
When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
599 CVE-2020-12418 125 2020-07-09 2020-07-27
4.3
None Remote Medium Not required Partial None None
Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
600 CVE-2020-12417 787 Mem. Corr. 2020-07-09 2022-05-03
9.3
None Remote Medium Not required Complete Complete Complete
Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash. *Note: this issue only affects Firefox on ARM64 platforms.* This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
Total number of vulnerabilities: 1418. Page 12 of 29.