CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In August 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
551 CVE-2020-12456 22 Exec Code Dir. Trav. 2020-08-26 2020-09-01
6.5
None Remote Low ??? Partial Partial Partial
A remote code execution vulnerability in Mitel MiVoice Connect Client before 214.100.1223.0 could allow an attacker to execute arbitrary code in the chat notification window, due to improper rendering of chat messages. A successful exploit could allow an attacker to steal session cookies, perform directory traversal, and execute arbitrary scripts in the context of the Connect client.
552 CVE-2020-12441 119 Overflow 2020-08-06 2020-08-10
10.0
None Remote Low Not required Complete Complete Complete
Denial-of-Service (DoS) in Ivanti Service Manager HEAT Remote Control 7.4 due to a buffer overflow in the protocol parser of the ‘HEATRemoteService’ agent. The DoS can be triggered by sending a specially crafted network packet.
553 CVE-2020-12301 665 2020-08-13 2020-08-19
4.6
None Local Low Not required Partial Partial Partial
Improper initialization in BIOS firmware for Intel(R) Server Board Families S2600ST, S2600BP and S2600WF may allow a privileged user to potentially enable escalation of privilege via local access.
554 CVE-2020-12300 824 2020-08-13 2020-08-19
4.6
None Local Low Not required Partial Partial Partial
Uninitialized pointer in BIOS firmware for Intel(R) Server Board Families S2600CW, S2600KP, S2600TP, and S2600WT may allow a privileged user to potentially enable escalation of privilege via local access.
555 CVE-2020-12299 20 2020-08-13 2020-08-19
4.6
None Local Low Not required Partial Partial Partial
Improper input validation in BIOS firmware for Intel(R) Server Board Families S2600ST, S2600BP and S2600WF may allow a privileged user to potentially enable escalation of privilege via local access.
556 CVE-2020-12287 276 2020-08-13 2020-08-18
4.6
None Local Low Not required Partial Partial Partial
Incorrect permissions in the Intel(R) Distribution of OpenVINO(TM) Toolkit before version 2020.2 may allow an authenticated user to potentially enable escalation of privilege via local access.
557 CVE-2020-12107 78 2020-08-12 2020-08-19
7.5
None Remote Low Not required Partial Partial Partial
The Web portal of the WiFi module of VPNCrypt M10 2.6.5 allows command injection via a text field, which allow full control over this module's Operating System.
558 CVE-2020-12106 20 2020-08-12 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
The Web portal of the WiFi module of VPNCrypt M10 2.6.5 allows unauthenticated users to send HTTP POST request to several critical Administrative functions such as, changing credentials of the Administrator account or connect the product to a rogue access point.
559 CVE-2020-12100 674 DoS 2020-08-12 2021-01-06
5.0
None Remote Low Not required None None Partial
In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.
560 CVE-2020-11993 444 2020-08-07 2021-06-06
4.3
None Remote Medium Not required None None Partial
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.
561 CVE-2020-11985 345 2020-08-07 2021-06-06
4.3
None Remote Medium Not required None Partial None
IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020.
562 CVE-2020-11984 120 2020-08-07 2021-06-06
7.5
None Remote Low Not required Partial Partial Partial
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
563 CVE-2020-11976 552 2020-08-11 2022-04-26
5.0
None Remote Low Not required Partial None None
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5
564 CVE-2020-11937 401 DoS 2020-08-06 2021-09-13
2.1
None Local Low Not required None None Partial
In whoopsie, parse_report() from whoopsie.c allows a local attacker to cause a denial of service via a crafted file. The DoS is caused by resource exhaustion due to a memory leak. Fixed in 0.2.52.5ubuntu0.5, 0.2.62ubuntu0.5 and 0.2.69ubuntu0.1.
565 CVE-2020-11852 74 2020-08-07 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
DKIM key management page vulnerability on Micro Focus Secure Messaging Gateway (SMG). Affecting all SMG Appliance running releases prior to July 2020. The vulnerability could allow a logged in user with rights to generate DKIM key information to inject system commands into the call to the DKIM system command.
566 CVE-2020-11848 DoS 2020-08-19 2020-08-25
5.0
None Remote Low Not required None None Partial
Denial of service vulnerability on Micro Focus ArcSight Management Center. Affecting all versions prior to version 2.9.5. The vulnerability could cause the server to become unavailable, causing a denial of service.
567 CVE-2020-11797 306 Bypass 2020-08-26 2021-07-21
5.0
None Remote Low Not required Partial None None
An Authentication Bypass vulnerability in the Published Area of the web conferencing component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an unauthenticated attacker to gain access to unauthorized information due to insufficient access validation. A successful exploit could allow an attacker to access sensitive shared files.
568 CVE-2020-11733 74 2020-08-13 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered on Spirent TestCenter and Avalanche appliance admin interface firmware. An attacker, who already has access to an SSH restricted shell, can achieve root access via shell metacharacters. The attacker can then, for example, read sensitive files such as appliance admin configuration source code. This affects Spirent TestCenter and Avalanche products which chassis version <= 5.08. The SSH restricted shell is available with default credentials.
569 CVE-2020-11618 2020-08-31 2020-09-09
7.2
None Local Low Not required Complete Complete Complete
THOMSON THT741FTA 2.2.1 and Philips DTR3502BFTA DVB-T2 2.2.1 set-top boxes have their TELNET service hardcoded to start on boot, which allows an attacker on the local network to achieve root access via the TELNET protocol.
570 CVE-2020-11617 295 2020-08-31 2020-09-09
4.3
None Remote Medium Not required None Partial None
The RSS application on THOMSON THT741FTA 2.2.1 and Philips DTR3502BFTA DVB-T2 2.2.1 set-top boxes doesn't validate the SSL certificates of RSS servers, which allows a man-in-the-middle attacker to modify the data delivered to the client.
571 CVE-2020-11584 79 XSS 2020-08-03 2020-08-04
4.3
None Remote Medium Not required None Partial None
A GET-based XSS reflected vulnerability in Plesk Onyx 17.8.11 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.
572 CVE-2020-11583 79 XSS 2020-08-03 2020-08-04
4.3
None Remote Medium Not required None Partial None
A GET-based XSS reflected vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.
573 CVE-2020-11552 269 2020-08-11 2020-08-13
10.0
None Remote Low Not required Complete Complete Complete
An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability. One option is the self-service option on the Windows login screen. Upon selecting this option, the thick-client software is launched, which connects to a remote ADSelfService Plus server to facilitate self-service operations. An unauthenticated attacker having physical access to the host could trigger a security alert by supplying a self-signed SSL certificate to the client. The View Certificate option from the security alert allows an attacker to export a displayed certificate to a file. This can further cascade to a dialog that can open Explorer as SYSTEM. By navigating from Explorer to \windows\system32, cmd.exe can be launched as a SYSTEM.
574 CVE-2020-11497 354 Bypass 2020-08-26 2020-09-01
5.0
None Remote Low Not required None Partial None
An issue was discovered in the NAB Transact extension 2.1.0 for the WooCommerce plugin for WordPress. An online payment system bypass allows orders to be marked as fully paid by assigning an arbitrary bank transaction ID during the payment-details entry step.
575 CVE-2020-10783 863 2020-08-11 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
Red Hat CloudForms 4.7 and 5 is affected by a role-based privilege escalation flaw. An attacker with EVM-Operator group can perform actions restricted only to EVM-Super-administrator group, leads to, exporting or importing administrator files.
576 CVE-2020-10780 20 2020-08-11 2021-07-21
4.9
None Remote Medium ??? Partial Partial None
Red Hat CloudForms 4.7 and 5 is affected by CSV Injection flaw, a crafted payload stays dormant till a victim export as CSV and opens the file with Excel. Once the victim opens the file, the formula executes, triggering any number of possible events. While this is strictly not an flaw that affects the application directly, attackers could use the loosely validated parameters to trigger several attack possibilities.
577 CVE-2020-10779 862 Bypass 2020-08-11 2021-07-21
4.0
None Remote Low ??? Partial None None
Red Hat CloudForms 4.7 and 5 leads to insecure direct object references (IDOR) and functional level access control bypass due to missing privilege check. Therefore, if an attacker knows the right criteria, it is possible to access some sensitive data within the CloudForms.
578 CVE-2020-10778 863 2020-08-11 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
In Red Hat CloudForms 4.7 and 5, the read only widgets can be edited by inspecting the forms and dropping the disabled attribute from the fields since there is no server-side validation. This business logic flaw violate the expected behavior.
579 CVE-2020-10777 79 XSS 2020-08-11 2020-08-12
3.5
None Remote Medium ??? None Partial None
A cross-site scripting flaw was found in Report Menu feature of Red Hat CloudForms 4.7 and 5. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms.
580 CVE-2020-10775 601 2020-08-24 2020-09-04
2.6
None Remote High Not required Partial None None
An Open redirect vulnerability was found in ovirt-engine versions 4.4 and earlier, where it allows remote attackers to redirect users to arbitrary web sites and attempt phishing attacks. Once the target has opened the malicious URL in their browser, the critical part of the URL is no longer visible. The highest threat from this vulnerability is on confidentiality.
581 CVE-2020-10518 Exec Code 2020-08-27 2021-12-20
6.5
None Remote Low ??? Partial Partial Partial
A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22 and was fixed in 2.21.6, 2.20.15, and 2.19.21. The underlying issues contributing to this vulnerability were identified both internally and through the GitHub Security Bug Bounty program.
582 CVE-2020-10517 2020-08-27 2021-10-07
4.0
None Remote Low ??? Partial None None
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to determine the names of unauthorized private repositories given their numerical IDs. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22 and was fixed in versions 2.21.6, 2.20.15, and 2.19.21. This vulnerability was reported via the GitHub Bug Bounty program.
583 CVE-2020-10290 269 2020-08-21 2021-09-14
7.2
None Local Low Not required Complete Complete Complete
Universal Robots controller execute URCaps (zip files containing Java-powered applications) without any permission restrictions and a wide API that presents many primitives that can compromise the overall robot operations as demonstrated in our video. In our PoC we demonstrate how a malicious actor could 'cook' a custom URCap that when deployed by the user (intendedly or unintendedly) compromises the system
584 CVE-2020-10289 502 Exec Code 2020-08-20 2021-12-20
6.5
None Remote Low ??? Partial Partial Partial
Use of unsafe yaml load. Allows instantiation of arbitrary objects. The flaw itself is caused by an unsafe parsing of YAML values which happens whenever an action message is processed to be sent, and allows for the creation of Python objects. Through this flaw in the ROS core package of actionlib, an attacker with local or remote access can make the ROS Master, execute arbitrary code in Python form. Consider yaml.safe_load() instead. Located first in actionlib/tools/library.py:132. See links for more info on the bug.
585 CVE-2020-10283 Bypass 2020-08-20 2021-12-20
7.5
None Remote Low Not required Partial Partial Partial
The Micro Air Vehicle Link (MAVLink) protocol presents authentication mechanisms on its version 2.0 however according to its documentation, in order to maintain backwards compatibility, GCS and autopilot negotiate the version via the AUTOPILOT_VERSION message. Since this negotiation depends on the answer, an attacker may craft packages in a way that hints the autopilot to adopt version 1.0 of MAVLink for the communication. Given the lack of authentication capabilities in such version of MAVLink (refer to CVE-2020-10282), attackers may use this method to bypass authentication capabilities and interact with the autopilot directly.
586 CVE-2020-10126 347 Exec Code 2020-08-21 2021-12-20
7.2
None Local Low Not required Complete Complete Complete
NCR SelfServ ATMs running APTRA XFS 05.01.00 do not properly validate softare updates for the bunch note acceptor (BNA), enabling an attacker with physical access to internal ATM components to restart the host computer and execute arbitrary code with SYSTEM privileges because while booting, the update process looks for CAB archives on removable media and executes a specific file without first validating the signature of the CAB archive.
587 CVE-2020-10125 326 Exec Code Bypass 2020-08-21 2020-08-27
4.6
None Local Low Not required Partial Partial Partial
NCR SelfServ ATMs running APTRA XFS 04.02.01 and 05.01.00 implement 512-bit RSA certificates to validate bunch note acceptor (BNA) software updates, which can be broken by an attacker with physical access in a sufficiently short period of time, thereby enabling the attacker to sign arbitrary files and CAB archives used to update BNA software, as well as bypass application whitelisting, resulting in the ability to execute arbitrary code.
588 CVE-2020-10124 319 Exec Code 2020-08-21 2021-12-20
4.4
None Local Medium Not required Partial Partial Partial
NCR SelfServ ATMs running APTRA XFS 05.01.00 do not encrypt, authenticate, or verify the integrity of messages between the BNA and the host computer, which could allow an attacker with physical access to the internal components of the ATM to execute arbitrary code, including code that enables the attacker to commit deposit forgery.
589 CVE-2020-10123 287 2020-08-21 2020-08-27
2.1
None Local Low Not required None Partial None
The currency dispenser of NCR SelfSev ATMs running APTRA XFS 05.01.00 or earlier does not adequately authenticate session key generation requests from the host computer, allowing an attacker with physical access to internal ATM components to issue valid commands to dispense currency by generating a new session key that the attacker knows.
590 CVE-2020-10055 94 Exec Code 2020-08-14 2020-08-21
9.3
None Remote Medium Not required Complete Complete Complete
A vulnerability has been identified in Desigo CC (V4.x), Desigo CC (V3.x), Desigo CC Compact (V4.x), Desigo CC Compact (V3.x). Affected applications are delivered with a 3rd party component (BIRT) that contains a remote code execution vulnerability if the Advanced Reporting Engine is enabled. The vulnerability could allow a remote unauthenticated attacker to execute arbitrary commands on the server with SYSTEM privileges.
591 CVE-2020-9767 427 2020-08-14 2020-08-21
7.2
None Local Low Not required Complete Complete Complete
A vulnerability related to Dynamic-link Library (“DLL”) loading in the Zoom Sharing Service would allow an attacker who had local access to a machine on which the service was running with elevated privileges to elevate their system privileges as well through use of a malicious DLL. Zoom addressed this issue, which only applies to Windows users, in the 5.0.4 client release.
592 CVE-2020-9724 269 2020-08-19 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
Adobe Lightroom versions 9.2.0.10 and earlier have an insecure library loading vulnerability. Successful exploitation could lead to privilege escalation.
593 CVE-2020-9723 125 2020-08-19 2021-09-08
5.0
None Remote Low Not required Partial None None
Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
594 CVE-2020-9722 416 Exec Code 2020-08-19 2021-09-08
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have an use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution .
595 CVE-2020-9721 125 2020-08-19 2021-09-08
5.0
None Remote Low Not required Partial None None
Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
596 CVE-2020-9720 125 2020-08-19 2021-09-08
5.0
None Remote Low Not required Partial None None
Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
597 CVE-2020-9719 125 2020-08-19 2021-09-08
5.0
None Remote Low Not required Partial None None
Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
598 CVE-2020-9718 125 2020-08-19 2021-09-08
5.0
None Remote Low Not required Partial None None
Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
599 CVE-2020-9717 125 2020-08-19 2021-09-08
5.0
None Remote Low Not required Partial None None
Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
600 CVE-2020-9716 125 2020-08-19 2021-09-08
5.0
None Remote Low Not required Partial None None
Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
Total number of vulnerabilities : 1155   Page : 1 2 3 4 5 6 7 8 9 10 11 12 (This Page)13 14 15 16 17 18 19 20 21 22 23 24
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.