| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
801 |
CVE-2020-8199 |
269 |
|
|
2020-07-10 |
2021-07-21 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Improper access control in Citrix ADC Gateway Linux client versions before 1.0.0.137 results in local privilege escalation to root. |
|
802 |
CVE-2020-8198 |
79 |
|
XSS |
2020-07-10 |
2020-07-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in Stored Cross-Site Scripting (XSS). |
|
803 |
CVE-2020-8197 |
269 |
|
Exec Code |
2020-07-10 |
2021-07-21 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Privilege escalation vulnerability on Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows a low privileged user with management access to execute arbitrary commands. |
|
804 |
CVE-2020-8196 |
862 |
|
|
2020-07-10 |
2022-05-24 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users. |
|
805 |
CVE-2020-8195 |
20 |
|
|
2020-07-10 |
2021-09-23 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users. |
|
806 |
CVE-2020-8194 |
94 |
|
|
2020-07-10 |
2020-07-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Reflected code injection in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows the modification of a file download. |
|
807 |
CVE-2020-8193 |
862 |
|
|
2020-07-10 |
2020-11-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints. |
|
808 |
CVE-2020-8192 |
400 |
|
DoS |
2020-07-30 |
2020-08-06 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0-rc.4 that allows a malicious user to trigger resource exhaustion (when the allErrors option is used) with specially crafted schemas. |
|
809 |
CVE-2020-8191 |
79 |
|
XSS |
2020-07-10 |
2020-07-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows reflected Cross Site Scripting (XSS). |
|
810 |
CVE-2020-8190 |
281 |
|
|
2020-07-10 |
2020-07-13 |
6.0 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
Partial |
|
Incorrect file permissions in Citrix ADC and Citrix Gateway before versions 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows privilege escalation. |
|
811 |
CVE-2020-8188 |
78 |
|
|
2020-07-02 |
2020-07-09 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
We have recently released new version of UniFi Protect firmware v1.13.3 and v1.14.10 for Unifi Cloud Key Gen2 Plus and UniFi Dream Machine Pro/UNVR respectively that fixes vulnerabilities found on Protect firmware v1.13.2, v1.14.9 and prior according to the description below:View only users can run certain custom commands which allows them to assign themselves unauthorized roles and escalate their privileges. |
|
812 |
CVE-2020-8187 |
20 |
|
DoS |
2020-07-10 |
2020-07-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Improper input validation in Citrix ADC and Citrix Gateway versions before 11.1-63.9 and 12.0-62.10 allows unauthenticated users to perform a denial of service attack. |
|
813 |
CVE-2020-8186 |
78 |
|
Exec Code |
2020-07-10 |
2021-10-07 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
A command injection vulnerability in the `devcert` module may lead to remote code execution when users of the module pass untrusted input to the `certificateFor` function. |
|
814 |
CVE-2020-8185 |
400 |
|
DoS |
2020-07-02 |
2021-10-21 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production. |
|
815 |
CVE-2020-8181 |
434 |
|
|
2020-07-10 |
2020-07-17 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars. |
|
816 |
CVE-2020-8179 |
269 |
|
|
2020-07-02 |
2020-07-08 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
Improper access control in Nextcloud Deck 1.0.0 allowed an attacker to inject tasks into other users decks. |
|
817 |
CVE-2020-8178 |
78 |
|
|
2020-07-15 |
2020-07-21 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Insufficient input validation in npm package `jison` <= 0.4.18 may lead to OS command injection attacks. |
|
818 |
CVE-2020-8176 |
79 |
|
XSS |
2020-07-02 |
2020-07-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.61-v3.1.62 that allows an attacker to inject JS payloads into the `shop` parameter on the `/shopify/auth/enable_cookies` endpoint. |
|
819 |
CVE-2020-8175 |
400 |
|
DoS |
2020-07-24 |
2020-07-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Uncontrolled resource consumption in `jpeg-js` before 0.4.0 may allow attacker to launch denial of service attacks using specially a crafted JPEG image. |
|
820 |
CVE-2020-8174 |
191 |
|
Mem. Corr. |
2020-07-24 |
2022-05-12 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0. |
|
821 |
CVE-2020-8166 |
352 |
|
CSRF |
2020-07-02 |
2020-11-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token. |
|
822 |
CVE-2020-8163 |
94 |
|
|
2020-07-02 |
2022-05-24 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE. |
|
823 |
CVE-2020-8161 |
22 |
|
Dir. Trav. |
2020-07-02 |
2022-05-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure. |
|
824 |
CVE-2020-7829 |
787 |
|
Exec Code Overflow |
2020-07-30 |
2020-07-31 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
DaviewIndy 8.98.4 and earlier version contain Heap-based overflow vulnerability, triggered when the user opens a malformed specific file that is mishandled by Daview.exe. Attackers could exploit this and arbitrary code execution. |
|
825 |
CVE-2020-7828 |
787 |
|
Exec Code Overflow |
2020-07-30 |
2020-07-31 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
DaviewIndy 8.98.4 and earlier version contain Heap-based overflow vulnerability, triggered when the user opens a malformed specific file that is mishandled by Daview.exe. Attackers could exploit this and arbitrary code execution. |
|
826 |
CVE-2020-7827 |
416 |
|
Exec Code |
2020-07-30 |
2020-07-31 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
DaviewIndy 8.98.7 and earlier version contain Use-After-Free vulnerability, triggered when the user opens a malformed specific file that is mishandled by Daview.exe. Attackers could exploit this and arbitrary code execution. |
|
827 |
CVE-2020-7826 |
494 |
|
Exec Code |
2020-07-17 |
2020-07-22 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
EyeSurfer BflyInstallerX.ocx v1.0.0.16 and earlier versions contain a vulnerability that could allow remote files to be download by setting the arguments to the vulnerable method. This can be leveraged for code execution. When the vulnerable method is called, they fail to properly check the parameters that are passed to it. |
|
828 |
CVE-2020-7825 |
78 |
|
Exec Code |
2020-07-17 |
2020-07-23 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
A vulnerability exists that could allow the execution of operating system commands on systems running MiPlatform 2019.05.16 and earlier. An attacker could execute arbitrary remote command by sending parameters to WinExec function in ExtCommandApi.dll module of MiPlatform. |
|
829 |
CVE-2020-7821 |
20 |
|
Exec Code |
2020-07-02 |
2020-07-14 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Nexacro14/17 ExtCommonApiV13 Library under 2019.9.6 version contain a vulnerability that could allow remote attacker to execute arbitrary code by modifying the value of registry path. This can be leveraged for code execution by rebooting the victim’s PC |
|
830 |
CVE-2020-7820 |
20 |
|
Exec Code |
2020-07-02 |
2020-07-14 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Nexacro14/17 ExtCommonApiV13 Library under 2019.9.6 version contain a vulnerability that could allow remote attacker to execute arbitrary code by setting the arguments to the vulnerable API. This can be leveraged for code execution by rebooting the victim’s PC |
|
831 |
CVE-2020-7818 |
787 |
|
Exec Code Overflow |
2020-07-17 |
2020-07-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
DaviewIndy 8.98.9 and earlier has a Heap-based overflow vulnerability, triggered when the user opens a malformed PDF file that is mishandled by Daview.exe. Attackers could exploit this and arbitrary code execution. |
|
832 |
CVE-2020-7815 |
74 |
|
Exec Code |
2020-07-10 |
2021-07-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
XPLATFORM v9.2.260 and eariler versions contain a vulnerability that could allow remote files to be downloaded by setting the arguments to the vulnerable method. this can be leveraged for code execution. File download vulnerability in ____COMPONENT____ of TOBESOFT XPLATFORM allows ____ATTACKER/ATTACK____ to cause ____IMPACT____. This issue affects: TOBESOFT XPLATFORM 9.2.250 versions prior to 9.2.260 on Windows. |
|
833 |
CVE-2020-7814 |
74 |
|
Exec Code |
2020-07-10 |
2021-07-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
RAONWIZ v2018.0.2.50 and eariler versions contains a vulnerability that could allow remote files to be downloaded and excuted by lack of validation to file extension, witch can used as remote-code-excution attacks by hackers File download & execution vulnerability in ____COMPONENT____ of RAONWIZ RAON KUpload allows ____ATTACKER/ATTACK____ to cause ____IMPACT____. This issue affects: RAONWIZ RAON KUpload 2018.0.2.50 versions prior to 2018.0.2.51 on Windows. |
|
834 |
CVE-2020-7699 |
915 |
|
DoS Exec Code |
2020-07-30 |
2022-05-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution. |
|
835 |
CVE-2020-7698 |
74 |
|
|
2020-07-29 |
2021-07-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
This affects the package Gerapy from 0 and before 0.9.3. The input being passed to Popen, via the project_configure endpoint, isn’t being sanitized. |
|
836 |
CVE-2020-7697 |
74 |
|
|
2020-07-29 |
2021-07-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
This affects all versions of package mock2easy. a malicious user could inject commands through the _data variable: Affected Area require('../server/getJsonByCurl')(mock2easy, function (error, stdout) { if (error) { return res.json(500, error); } res.json(JSON.parse(stdout)); }, '', _data.interfaceUrl, query, _data.cookie,_data.interfaceType); |
|
837 |
CVE-2020-7696 |
200 |
|
+Info |
2020-07-17 |
2020-07-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
This affects all versions of package react-native-fast-image. When an image with source={{uri: "...", headers: { host: "somehost.com", authorization: "..." }} is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session tokens being leaked to other servers. |
|
838 |
CVE-2020-7695 |
74 |
|
Http R.Spl. |
2020-07-27 |
2020-07-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers. |
|
839 |
CVE-2020-7694 |
74 |
|
|
2020-07-27 |
2021-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file). |
|
840 |
CVE-2020-7693 |
20 |
|
|
2020-07-09 |
2020-07-14 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20. |
|
841 |
CVE-2020-7692 |
863 |
|
|
2020-07-09 |
2022-05-03 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0. |
|
842 |
CVE-2020-7691 |
79 |
|
XSS |
2020-07-06 |
2020-07-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In all versions of the package jspdf, it is possible to use <<script>script> in order to go over the filtering regex. |
|
843 |
CVE-2020-7690 |
79 |
|
XSS |
2020-07-06 |
2020-08-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
All affected versions <2.0.0 of package jspdf are vulnerable to Cross-site Scripting (XSS). It is possible to inject JavaScript code via the html method. |
|
844 |
CVE-2020-7689 |
326 |
|
|
2020-07-01 |
2021-07-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Data is truncated wrong when its length is greater than 255 bytes. |
|
845 |
CVE-2020-7688 |
78 |
|
|
2020-07-01 |
2020-07-14 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The issue occurs because tagName user input is formatted inside the exec function is executed without any checks. |
|
846 |
CVE-2020-7687 |
22 |
|
Dir. Trav. |
2020-07-25 |
2020-07-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
This affects all versions of package fast-http. There is no path sanitization in the path provided at fs.readFile in index.js. |
|
847 |
CVE-2020-7686 |
22 |
|
Dir. Trav. |
2020-07-25 |
2020-07-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
This affects all versions of package rollup-plugin-dev-server. There is no path sanitization in readFile operation inside the readFileFromContentBase function. |
|
848 |
CVE-2020-7685 |
1188 |
|
|
2020-07-28 |
2020-07-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
This affects all versions of package UmbracoForms. When using the default configuration for upload forms, it is possible to upload arbitrary file types. The package offers a way for users to mitigate the issue. The users of this package can create a custom workflow and frontend validation that blocks certain file types, depending on their security needs and policies. |
|
849 |
CVE-2020-7684 |
22 |
|
Dir. Trav. |
2020-07-17 |
2020-07-23 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
This affects all versions of package rollup-plugin-serve. There is no path sanitization in readFile operation. |
|
850 |
CVE-2020-7683 |
22 |
|
Dir. Trav. |
2020-07-25 |
2020-07-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
This affects all versions of package rollup-plugin-server. There is no path sanitization in readFile operation performed inside the readFileFromContentBase function. |
