CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In February 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
751 CVE-2020-0020 119 Overflow 2020-02-13 2020-02-18
4.9
None Local Low Not required Complete None None
In getAttributeRange of ExifInterface.java, there is a possible failure to redact location information from media files due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-143118731
752 CVE-2020-0018 532 2020-02-13 2020-02-18
2.1
None Local Low Not required Partial None None
In MotionEntry::appendDescription of InputDispatcher.cpp, there is a possible log information disclosure. This could lead to local disclosure of user input with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-139945049
753 CVE-2020-0017 200 +Info 2020-02-13 2021-07-21
3.3
None Local Medium Not required Partial Partial None
In multiple places, it was possible for the primary user’s dictionary to be visible to and modifiable by secondary users. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-123232892
754 CVE-2020-0015 269 2020-02-13 2021-07-21
4.4
None Local Medium Not required Partial Partial Partial
In onCreate of CertInstaller.java, there is a possible way to overlay the Certificate Installation dialog by a malicious application. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-139017101
755 CVE-2020-0014 1021 2020-02-13 2020-02-19
4.3
None Remote Medium Not required Partial None None
It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable. This could lead to a local escalation of privilege with no additional execution privileges needed. User action is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-128674520
756 CVE-2020-0005 787 2020-02-13 2020-02-18
7.2
None Local Low Not required Complete Complete Complete
In btm_read_remote_ext_features_complete of btm_acl.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-141552859
757 CVE-2019-20481 287 2020-02-24 2020-08-24
5.0
None Remote Low Not required Partial None None
In MIELE XGW 3000 ZigBee Gateway before 2.4.0, the Password Change Function does not require knowledge of the old password. This can be exploited in conjunction with CVE-2019-20480.
758 CVE-2019-20480 352 CSRF 2020-02-24 2020-02-28
6.8
None Remote Medium Not required Partial Partial Partial
In MIELE XGW 3000 ZigBee Gateway before 2.4.0, a malicious website visited by an authenticated admin user or a malicious mail is allowed to make arbitrary changes in the "admin panel" because there is no CSRF protection.
759 CVE-2019-20479 601 2020-02-20 2022-01-01
5.8
None Remote Medium Not required Partial Partial None
A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning.
760 CVE-2019-20478 20 Exec Code 2020-02-19 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls this method with an untrusted argument. In other words, this issue affects developers who are unaware of the need to use methods such as safe_load in these use cases.
761 CVE-2019-20477 502 2020-02-19 2022-01-01
7.5
None Remote Low Not required Partial Partial Partial
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.
762 CVE-2019-20474 918 2020-02-17 2022-01-01
4.0
None Remote Low ??? Partial None None
An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network and port scan operations of the localhost or the hosts on the same network segment, aka SSRF.
763 CVE-2019-20456 426 2020-02-16 2020-02-26
4.4
None Local Medium Not required Partial Partial Partial
Goverlan Reach Console before 9.50, Goverlan Reach Server before 3.50, and Goverlan Client Agent before 9.20.50 have an Untrusted Search Path that leads to Command Injection and Local Privilege Escalation via DLL hijacking.
764 CVE-2019-20455 295 2020-02-14 2021-11-30
4.3
None Remote Medium Not required Partial None None
Gateways/Gateway.php in Heartland & Global Payments PHP SDK before 2.0.0 does not enforce SSL certificate validations.
765 CVE-2019-20454 125 2020-02-14 2020-07-09
5.0
None Remote Low Not required None None Partial
An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.
766 CVE-2019-20451 434 Exec Code 2020-02-10 2021-09-09
10.0
None Remote Low Not required Complete Complete Complete
The HTTP API in Prismview System 9 11.10.17.00 and Prismview Player 11 13.09.1100 allows remote code execution by uploading RebootSystem.lnk and requesting /REBOOTSYSTEM or /RESTARTVNC. (Authentication is required but an XML file containing credentials can be downloaded.)
767 CVE-2019-20447 89 Sql 2020-02-05 2020-02-07
7.5
None Remote Low Not required Partial Partial Partial
Jobberbase 2.0 has SQL injection via the PATH_INFO to the jobs-in endpoint.
768 CVE-2019-20446 400 DoS 2020-02-02 2021-01-05
4.3
None Remote Medium Not required None None Partial
In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.
769 CVE-2019-20406 427 2020-02-06 2021-12-13
4.4
None Local Medium Not required Partial Partial Partial
The usage of Tomcat in Confluence on the Microsoft Windows operating system before version 7.0.5, and from version 7.1.0 before version 7.1.1 allows local system attackers who have permission to write a DLL file in a directory in the global path environmental variable variable to inject code & escalate their privileges via a DLL hijacking vulnerability.
770 CVE-2019-20405 352 CSRF 2020-02-06 2022-03-30
4.3
None Remote Medium Not required None Partial None
The JMX monitoring flag in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to turn the JMX monitoring flag off or on via a Cross-site request forgery (CSRF) vulnerability.
771 CVE-2019-20404 2020-02-06 2022-03-30
4.0
None Remote Low ??? Partial None None
The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability.
772 CVE-2019-20403 2020-02-06 2022-03-30
5.0
None Remote Low Not required Partial None None
The API in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to determine if a Jira project key exists or not via an information disclosure vulnerability.
773 CVE-2019-20402 2020-02-06 2020-08-24
4.0
None Remote Low ??? None Partial None
Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability.
774 CVE-2019-20401 352 CSRF 2020-02-06 2022-03-25
4.3
None Remote Medium Not required None Partial None
Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery (CSRF) vulnerabilities.
775 CVE-2019-20400 427 2020-02-06 2022-03-25
4.4
None Local Medium Not required Partial Partial Partial
The usage of Tomcat in Jira before version 8.5.2 allows local attackers with permission to write a dll file to a directory in the global path environmental variable can inject code into via a DLL hijacking vulnerability.
776 CVE-2019-20174 79 XSS 2020-02-03 2020-02-05
4.3
None Remote Medium Not required None Partial None
Auth0 Lock before 11.21.0 allows XSS when additionalSignUpFields is used with an untrusted placeholder.
777 CVE-2019-20173 79 XSS 2020-02-05 2020-02-07
4.3
None Remote Medium Not required None Partial None
The Auth0 wp-auth0 plugin 3.11.x before 3.11.3 for WordPress allows XSS via a wle parameter associated with wp-login.php.
778 CVE-2019-20106 276 2020-02-06 2022-03-30
4.0
None Remote Low ??? None Partial None
Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug.
779 CVE-2019-20104 776 DoS 2020-02-06 2022-01-01
5.0
None Remote Low Not required None None Partial
The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability.
780 CVE-2019-20100 352 CSRF 2020-02-12 2022-03-30
4.3
None Remote Medium Not required Partial None None
The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.
781 CVE-2019-20099 352 CSRF 2020-02-12 2022-03-30
4.3
None Remote Medium Not required Partial None None
The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.
782 CVE-2019-20098 352 CSRF 2020-02-12 2022-03-30
4.3
None Remote Medium Not required Partial None None
The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.
783 CVE-2019-20062 916 2020-02-10 2021-07-21
5.0
None Remote Low Not required None Partial None
MFScripts YetiShare v3.5.2 through v4.5.4 might allow an attacker to reset a password by using a leaked hash (the hash never expires until used).
784 CVE-2019-20061 319 2020-02-10 2020-02-11
5.0
None Remote Low Not required Partial None None
The user-introduction email in MFScripts YetiShare v3.5.2 through v4.5.4 may leak the (system-picked) password if this email is sent in cleartext. In other words, the user is not allowed to choose their own initial password.
785 CVE-2019-20060 922 +Info 2020-02-10 2020-02-11
5.0
None Remote Low Not required Partial None None
MFScripts YetiShare v3.5.2 through v4.5.4 places sensitive information in the Referer header. If this leaks, then third parties may discover password-reset hashes, file-delete links, or other sensitive information.
786 CVE-2019-20059 352 Sql 2020-02-10 2020-02-11
6.8
None Remote Medium Not required Partial Partial Partial
payment_manage.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.4 directly insert values from the sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection. NOTE: this issue exists because of an incomplete fix for CVE-2019-19732.
787 CVE-2019-20046 287 Exec Code 2020-02-14 2020-02-25
7.5
None Remote Low Not required Partial Partial Partial
The Synergy Systems & Solutions PLC & RTU system has a vulnerability in HUSKY RTU 6049-E70 firmware versions 5.0 and prior. The affected product does not require adequate authentication, which may allow an attacker to read sensitive information or execute arbitrary code. This is a different issue than CVE-2019-16879 and CVE-2019-20045.
788 CVE-2019-20045 20 2020-02-14 2020-02-25
7.8
None Remote Low Not required None None Complete
The Synergy Systems & Solutions PLC & RTU system has a vulnerability in HUSKY RTU 6049-E70 firmware versions 5.0 and prior. Specially crafted malicious packets could cause disconnection of active authentic connections or reboot of device. This is a different issue than CVE-2019-16879 and CVE-2019-20046.
789 CVE-2019-20044 273 Exec Code +Priv 2020-02-24 2021-09-16
7.2
None Local Low Not required Complete Complete Complete
In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULE_PATH=/dir/with/module zmodload with a module that calls setuid().
790 CVE-2019-19994 78 Exec Code 2020-02-26 2020-02-27
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. It allows blind Command Injection. An attacker without authentication is able to execute arbitrary operating system command by injecting the vulnerable parameter in the PHP Web page /common/vam_monitor_sap.php.
791 CVE-2019-19993 209 2020-02-26 2020-02-27
5.0
None Remote Low Not required Partial None None
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. Several full path disclosure vulnerability were discovered. A user, even with no authentication, may simply send arbitrary content to the vulnerable pages to generate error messages that expose some full paths.
792 CVE-2019-19992 200 +Info 2020-02-26 2021-07-21
4.0
None Remote Low ??? Partial None None
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. A user with valid credentials is able to read XML files on the filesystem via the web interface. The PHP page /common/vam_editXml.php doesn't check the parameter that identifies the file name to be read. Thus, an attacker can manipulate the file name to access a potentially sensitive file within the filesystem.
793 CVE-2019-19991 79 XSS 2020-02-26 2020-02-27
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. Multiple Reflected Cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via the web pages /vam/vam_anagraphic.php, /vam/vam_vamuser.php, /common/vamp_main.php, and /wiz/change_password.php.
794 CVE-2019-19990 79 XSS 2020-02-26 2020-02-27
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. Multiple Stored Cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via the web pages /monitor/s_headmodel.php and /vam/vam_user.php.
795 CVE-2019-19989 862 2020-02-26 2020-02-27
5.0
None Remote Low Not required Partial None None
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. Several PHP pages, and other type of files, are reachable by any user without checking for user identity and authorization.
796 CVE-2019-19988 787 2020-02-26 2020-02-27
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. A user with valid credentials is able to create and write XML files on the filesystem via /common/vam_editXml.php in the web interface. The vulnerable PHP page checks none of these: the parameter that identifies the file name to be created, the destination path, or the extension. Thus, an attacker can manipulate the file name to create any type of file within the filesystem with arbitrary content.
797 CVE-2019-19987 352 CSRF 2020-02-26 2020-02-27
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. It allows Cross-Site Request Forgery (CSRF) on any HTML form. An attacker can exploit the vulnerability to abuse functionalities such as change password, add user, add privilege, and so on.
798 CVE-2019-19986 89 Sql +Info 2020-02-26 2020-02-27
5.0
None Remote Low Not required Partial None None
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. An attacker without authentication is able to execute arbitrary SQL SELECT statements by injecting the HTTP (POST or GET) parameter persoid into /tools/VamPersonPhoto.php. The SQL Injection type is Error-based (this means that relies on error messages thrown by the database server to obtain information about the structure of the database).
799 CVE-2019-19968 79 XSS 2020-02-04 2020-02-05
3.5
None Remote Medium ??? None Partial None
PandoraFMS 742 suffers from multiple XSS vulnerabilities, affecting the Agent Management, Report Builder, and Graph Builder components. An authenticated user can inject dangerous content into a data store that is later read and included in dynamic content.
800 CVE-2019-19943 415 Exec Code Mem. Corr. 2020-02-28 2021-07-21
5.0
None Remote Low Not required None None Partial
The HTTP service in quickweb.exe in Pablo Quick 'n Easy Web Server 3.3.8 allows Remote Unauthenticated Heap Memory Corruption via a large host or domain parameter. It may be possible to achieve remote code execution because of a double free.
Total number of vulnerabilities : 1395   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 (This Page)17 18 19 20 21 22 23 24 25 26 27 28
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.