CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In July 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
801 CVE-2020-8199 269 2020-07-10 2021-07-21
4.6
None Local Low Not required Partial Partial Partial
Improper access control in Citrix ADC Gateway Linux client versions before 1.0.0.137 results in local privilege escalation to root.
802 CVE-2020-8198 79 XSS 2020-07-10 2020-07-13
4.3
None Remote Medium Not required None Partial None
Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in Stored Cross-Site Scripting (XSS).
803 CVE-2020-8197 269 Exec Code 2020-07-10 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
Privilege escalation vulnerability on Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows a low privileged user with management access to execute arbitrary commands.
804 CVE-2020-8196 862 2020-07-10 2022-05-24
4.0
None Remote Low ??? Partial None None
Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.
805 CVE-2020-8195 20 2020-07-10 2021-09-23
4.0
None Remote Low ??? Partial None None
Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.
806 CVE-2020-8194 94 2020-07-10 2020-07-13
4.3
None Remote Medium Not required None Partial None
Reflected code injection in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows the modification of a file download.
807 CVE-2020-8193 862 2020-07-10 2020-11-13
5.0
None Remote Low Not required None Partial None
Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.
808 CVE-2020-8192 400 DoS 2020-07-30 2020-08-06
4.0
None Remote Low ??? None None Partial
A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0-rc.4 that allows a malicious user to trigger resource exhaustion (when the allErrors option is used) with specially crafted schemas.
809 CVE-2020-8191 79 XSS 2020-07-10 2020-07-13
4.3
None Remote Medium Not required None Partial None
Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows reflected Cross Site Scripting (XSS).
810 CVE-2020-8190 281 2020-07-10 2020-07-13
6.0
None Remote Medium ??? Partial Partial Partial
Incorrect file permissions in Citrix ADC and Citrix Gateway before versions 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows privilege escalation.
811 CVE-2020-8188 78 2020-07-02 2020-07-09
6.5
None Remote Low ??? Partial Partial Partial
We have recently released new version of UniFi Protect firmware v1.13.3 and v1.14.10 for Unifi Cloud Key Gen2 Plus and UniFi Dream Machine Pro/UNVR respectively that fixes vulnerabilities found on Protect firmware v1.13.2, v1.14.9 and prior according to the description below:View only users can run certain custom commands which allows them to assign themselves unauthorized roles and escalate their privileges.
812 CVE-2020-8187 20 DoS 2020-07-10 2020-07-13
5.0
None Remote Low Not required None None Partial
Improper input validation in Citrix ADC and Citrix Gateway versions before 11.1-63.9 and 12.0-62.10 allows unauthenticated users to perform a denial of service attack.
813 CVE-2020-8186 78 Exec Code 2020-07-10 2021-10-07
7.5
None Remote Low Not required Partial Partial Partial
A command injection vulnerability in the `devcert` module may lead to remote code execution when users of the module pass untrusted input to the `certificateFor` function.
814 CVE-2020-8185 400 DoS 2020-07-02 2021-10-21
4.0
None Remote Low ??? None None Partial
A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.
815 CVE-2020-8181 434 2020-07-10 2020-07-17
4.0
None Remote Low ??? None Partial None
A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars.
816 CVE-2020-8179 269 2020-07-02 2020-07-08
4.0
None Remote Low ??? None Partial None
Improper access control in Nextcloud Deck 1.0.0 allowed an attacker to inject tasks into other users decks.
817 CVE-2020-8178 78 2020-07-15 2020-07-21
10.0
None Remote Low Not required Complete Complete Complete
Insufficient input validation in npm package `jison` <= 0.4.18 may lead to OS command injection attacks.
818 CVE-2020-8176 79 XSS 2020-07-02 2020-07-10
4.3
None Remote Medium Not required None Partial None
A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.61-v3.1.62 that allows an attacker to inject JS payloads into the `shop` parameter on the `/shopify/auth/enable_cookies` endpoint.
819 CVE-2020-8175 400 DoS 2020-07-24 2020-07-27
4.3
None Remote Medium Not required None None Partial
Uncontrolled resource consumption in `jpeg-js` before 0.4.0 may allow attacker to launch denial of service attacks using specially a crafted JPEG image.
820 CVE-2020-8174 191 Mem. Corr. 2020-07-24 2022-05-12
9.3
None Remote Medium Not required Complete Complete Complete
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
821 CVE-2020-8166 352 CSRF 2020-07-02 2020-11-20
4.3
None Remote Medium Not required None Partial None
A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.
822 CVE-2020-8163 94 2020-07-02 2022-05-24
6.5
None Remote Low ??? Partial Partial Partial
The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.
823 CVE-2020-8161 22 Dir. Trav. 2020-07-02 2022-05-24
5.0
None Remote Low Not required Partial None None
A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure.
824 CVE-2020-7829 787 Exec Code Overflow 2020-07-30 2020-07-31
6.8
None Remote Medium Not required Partial Partial Partial
DaviewIndy 8.98.4 and earlier version contain Heap-based overflow vulnerability, triggered when the user opens a malformed specific file that is mishandled by Daview.exe. Attackers could exploit this and arbitrary code execution.
825 CVE-2020-7828 787 Exec Code Overflow 2020-07-30 2020-07-31
6.8
None Remote Medium Not required Partial Partial Partial
DaviewIndy 8.98.4 and earlier version contain Heap-based overflow vulnerability, triggered when the user opens a malformed specific file that is mishandled by Daview.exe. Attackers could exploit this and arbitrary code execution.
826 CVE-2020-7827 416 Exec Code 2020-07-30 2020-07-31
6.8
None Remote Medium Not required Partial Partial Partial
DaviewIndy 8.98.7 and earlier version contain Use-After-Free vulnerability, triggered when the user opens a malformed specific file that is mishandled by Daview.exe. Attackers could exploit this and arbitrary code execution.
827 CVE-2020-7826 494 Exec Code 2020-07-17 2020-07-22
7.5
None Remote Low Not required Partial Partial Partial
EyeSurfer BflyInstallerX.ocx v1.0.0.16 and earlier versions contain a vulnerability that could allow remote files to be download by setting the arguments to the vulnerable method. This can be leveraged for code execution. When the vulnerable method is called, they fail to properly check the parameters that are passed to it.
828 CVE-2020-7825 78 Exec Code 2020-07-17 2020-07-23
10.0
None Remote Low Not required Complete Complete Complete
A vulnerability exists that could allow the execution of operating system commands on systems running MiPlatform 2019.05.16 and earlier. An attacker could execute arbitrary remote command by sending parameters to WinExec function in ExtCommandApi.dll module of MiPlatform.
829 CVE-2020-7821 20 Exec Code 2020-07-02 2020-07-14
7.5
None Remote Low Not required Partial Partial Partial
Nexacro14/17 ExtCommonApiV13 Library under 2019.9.6 version contain a vulnerability that could allow remote attacker to execute arbitrary code by modifying the value of registry path. This can be leveraged for code execution by rebooting the victim’s PC
830 CVE-2020-7820 20 Exec Code 2020-07-02 2020-07-14
7.5
None Remote Low Not required Partial Partial Partial
Nexacro14/17 ExtCommonApiV13 Library under 2019.9.6 version contain a vulnerability that could allow remote attacker to execute arbitrary code by setting the arguments to the vulnerable API. This can be leveraged for code execution by rebooting the victim’s PC
831 CVE-2020-7818 787 Exec Code Overflow 2020-07-17 2020-07-22
6.8
None Remote Medium Not required Partial Partial Partial
DaviewIndy 8.98.9 and earlier has a Heap-based overflow vulnerability, triggered when the user opens a malformed PDF file that is mishandled by Daview.exe. Attackers could exploit this and arbitrary code execution.
832 CVE-2020-7815 74 Exec Code 2020-07-10 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
XPLATFORM v9.2.260 and eariler versions contain a vulnerability that could allow remote files to be downloaded by setting the arguments to the vulnerable method. this can be leveraged for code execution. File download vulnerability in ____COMPONENT____ of TOBESOFT XPLATFORM allows ____ATTACKER/ATTACK____ to cause ____IMPACT____. This issue affects: TOBESOFT XPLATFORM 9.2.250 versions prior to 9.2.260 on Windows.
833 CVE-2020-7814 74 Exec Code 2020-07-10 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
RAONWIZ v2018.0.2.50 and eariler versions contains a vulnerability that could allow remote files to be downloaded and excuted by lack of validation to file extension, witch can used as remote-code-excution attacks by hackers File download & execution vulnerability in ____COMPONENT____ of RAONWIZ RAON KUpload allows ____ATTACKER/ATTACK____ to cause ____IMPACT____. This issue affects: RAONWIZ RAON KUpload 2018.0.2.50 versions prior to 2018.0.2.51 on Windows.
834 CVE-2020-7699 915 DoS Exec Code 2020-07-30 2022-05-03
7.5
None Remote Low Not required Partial Partial Partial
This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.
835 CVE-2020-7698 74 2020-07-29 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
This affects the package Gerapy from 0 and before 0.9.3. The input being passed to Popen, via the project_configure endpoint, isn’t being sanitized.
836 CVE-2020-7697 74 2020-07-29 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
This affects all versions of package mock2easy. a malicious user could inject commands through the _data variable: Affected Area require('../server/getJsonByCurl')(mock2easy, function (error, stdout) { if (error) { return res.json(500, error); } res.json(JSON.parse(stdout)); }, '', _data.interfaceUrl, query, _data.cookie,_data.interfaceType);
837 CVE-2020-7696 200 +Info 2020-07-17 2020-07-22
5.0
None Remote Low Not required Partial None None
This affects all versions of package react-native-fast-image. When an image with source={{uri: "...", headers: { host: "somehost.com", authorization: "..." }} is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session tokens being leaked to other servers.
838 CVE-2020-7695 74 Http R.Spl. 2020-07-27 2020-07-29
5.0
None Remote Low Not required None Partial None
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.
839 CVE-2020-7694 74 2020-07-27 2021-07-21
5.0
None Remote Low Not required None Partial None
This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file).
840 CVE-2020-7693 20 2020-07-09 2020-07-14
5.0
None Remote Low Not required None None Partial
Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.
841 CVE-2020-7692 863 2020-07-09 2022-05-03
6.4
None Remote Low Not required Partial Partial None
PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.
842 CVE-2020-7691 79 XSS 2020-07-06 2020-07-10
4.3
None Remote Medium Not required None Partial None
In all versions of the package jspdf, it is possible to use <<script>script> in order to go over the filtering regex.
843 CVE-2020-7690 79 XSS 2020-07-06 2020-08-24
4.3
None Remote Medium Not required None Partial None
All affected versions <2.0.0 of package jspdf are vulnerable to Cross-site Scripting (XSS). It is possible to inject JavaScript code via the html method.
844 CVE-2020-7689 326 2020-07-01 2021-07-21
4.3
None Remote Medium Not required None Partial None
Data is truncated wrong when its length is greater than 255 bytes.
845 CVE-2020-7688 78 2020-07-01 2020-07-14
4.6
None Local Low Not required Partial Partial Partial
The issue occurs because tagName user input is formatted inside the exec function is executed without any checks.
846 CVE-2020-7687 22 Dir. Trav. 2020-07-25 2020-07-27
5.0
None Remote Low Not required Partial None None
This affects all versions of package fast-http. There is no path sanitization in the path provided at fs.readFile in index.js.
847 CVE-2020-7686 22 Dir. Trav. 2020-07-25 2020-07-27
5.0
None Remote Low Not required Partial None None
This affects all versions of package rollup-plugin-dev-server. There is no path sanitization in readFile operation inside the readFileFromContentBase function.
848 CVE-2020-7685 1188 2020-07-28 2020-07-29
5.0
None Remote Low Not required None Partial None
This affects all versions of package UmbracoForms. When using the default configuration for upload forms, it is possible to upload arbitrary file types. The package offers a way for users to mitigate the issue. The users of this package can create a custom workflow and frontend validation that blocks certain file types, depending on their security needs and policies.
849 CVE-2020-7684 22 Dir. Trav. 2020-07-17 2020-07-23
7.5
None Remote Low Not required Partial Partial Partial
This affects all versions of package rollup-plugin-serve. There is no path sanitization in readFile operation.
850 CVE-2020-7683 22 Dir. Trav. 2020-07-25 2020-07-27
5.0
None Remote Low Not required Partial None None
This affects all versions of package rollup-plugin-server. There is no path sanitization in readFile operation performed inside the readFileFromContentBase function.
Total number of vulnerabilities : 1418   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 (This Page)18 19 20 21 22 23 24 25 26 27 28 29
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.