CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In February 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
851 CVE-2019-17333 79 XSS 2020-02-19 2020-02-26
3.5
None Remote Medium ??? None Partial None
The Web server component of TIBCO Software Inc.'s TIBCO EBX contains a vulnerability that theoretically allows authenticated users to perform stored cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions 5.8.1.fixS and below, versions 5.9.3, 5.9.4, 5.9.5, 5.9.6, and 5.9.7.
852 CVE-2019-17275 Exec Code 2020-02-26 2020-02-28
7.5
None Remote Low Not required Partial Partial Partial
OnCommand Cloud Manager versions prior to 3.8.0 are susceptible to arbitrary code execution by remote attackers.
853 CVE-2019-17274 1188 Exec Code 2020-02-26 2020-08-24
7.2
None Local Low Not required Complete Complete Complete
NetApp FAS 8300/8700 and AFF A400 Baseboard Management Controller (BMC) firmware versions 13.x prior to 13.1P1 were shipped with a default account enabled that could allow unauthorized arbitrary command execution via local access.
854 CVE-2019-17268 94 Exec Code 2020-02-07 2020-02-11
7.5
None Remote Low Not required Partial Partial Partial
The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions through 0.4.5, and 0.5.1 and later, are unaffected.
855 CVE-2019-17229 79 XSS 2020-02-24 2020-02-26
4.3
None Remote Medium Not required None Partial None
includes/options.php in the motors-car-dealership-classified-listings (aka Motors - Car Dealer & Classified Ads) plugin through 1.4.0 for WordPress has multiple stored XSS issues.
856 CVE-2019-17228 345 2020-02-24 2020-02-26
6.4
None Remote Low Not required Partial Partial None
includes/options.php in the motors-car-dealership-classified-listings (aka Motors - Car Dealer & Classified Ads) plugin through 1.4.0 for WordPress allows unauthenticated options changes.
857 CVE-2019-17137 Bypass 2020-02-10 2020-10-09
7.5
None Remote Low Not required Partial Partial Partial
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR AC1200 R6220 Firmware version 1.1.0.86 Smart WiFi Router. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of path strings. By inserting a null byte into the path, the user can skip most authentication checks. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-8616.
858 CVE-2019-17136 125 Exec Code 2020-02-08 2022-01-01
6.8
None Remote Medium Not required Partial Partial Partial
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of DXF files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8776.
859 CVE-2019-17135 787 Exec Code Mem. Corr. 2020-02-08 2020-10-09
6.8
None Remote Medium Not required Partial Partial Partial
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8775.
860 CVE-2019-17061 120 Overflow 2020-02-10 2022-01-01
6.1
None Local Network Low Not required None None Complete
The Bluetooth Low Energy (BLE) stack implementation on Cypress PSoC 4 through 3.62 devices does not properly restrict the BLE Link Layer header and executes certain memory contents upon receiving a packet with a Link Layer ID (LLID) equal to zero. This allows attackers within radio range to cause deadlocks, cause anomalous behavior in the BLE state machine, or trigger a buffer overflow via a crafted BLE Link Layer frame.
861 CVE-2019-17060 120 Overflow 2020-02-10 2020-02-13
6.1
None Local Network Low Not required None None Complete
The Bluetooth Low Energy (BLE) stack implementation on the NXP KW41Z (based on the MCUXpresso SDK with Bluetooth Low Energy Driver 2.2.1 and earlier) does not properly restrict the BLE Link Layer header and executes certain memory contents upon receiving a packet with a Link Layer ID (LLID) equal to zero. This allows attackers within radio range to cause deadlocks, cause anomalous behavior in the BLE state machine, or trigger a buffer overflow via a crafted BLE Link Layer frame.
862 CVE-2019-16893 20 2020-02-03 2021-07-21
7.8
None Remote Low Not required None None Complete
The Web Management of TP-Link TP-SG105E V4 1.0.0 Build 20181120 devices allows an unauthenticated attacker to reboot the device via a reboot.cgi request.
863 CVE-2019-16336 120 DoS 2020-02-12 2022-01-01
3.3
None Local Network Low Not required None None Partial
The Bluetooth Low Energy implementation in Cypress PSoC 4 BLE component 3.61 and earlier processes data channel frames with a payload length larger than the configured link layer maximum RX payload size, which allows attackers (in radio range) to cause a denial of service (crash) via a crafted BLE Link Layer frame.
864 CVE-2019-16302 755 Exec Code 2020-02-20 2020-02-25
5.0
None Remote Low Not required None None Partial
An issue was discovered in Open Network Operating System (ONOS) 1.14. In the Ethernet VPN application (org.onosproject.evpnopenflow), the host event listener does not handle the following event types: HOST_MOVED, HOST_UPDATED. In combination with other applications, this could lead to the absence of intended code execution.
865 CVE-2019-16301 755 Exec Code 2020-02-20 2020-02-25
5.0
None Remote Low Not required None None Partial
An issue was discovered in Open Network Operating System (ONOS) 1.14. In the virtual tenant network application (org.onosproject.vtn), the host event listener does not handle the following event types: HOST_MOVED. In combination with other applications, this could lead to the absence of intended code execution.
866 CVE-2019-16300 755 Exec Code 2020-02-20 2020-02-25
5.0
None Remote Low Not required None None Partial
An issue was discovered in Open Network Operating System (ONOS) 1.14. In the access control application (org.onosproject.acl), the host event listener does not handle the following event types: HOST_REMOVED. In combination with other applications, this could lead to the absence of intended code execution.
867 CVE-2019-16299 755 Exec Code 2020-02-20 2020-02-25
5.0
None Remote Low Not required None None Partial
An issue was discovered in Open Network Operating System (ONOS) 1.14. In the mobility application (org.onosproject.mobility), the host event listener does not handle the following event types: HOST_ADDED, HOST_REMOVED, HOST_UPDATED. In combination with other applications, this could lead to the absence of intended code execution.
868 CVE-2019-16298 755 Exec Code 2020-02-20 2020-02-25
5.0
None Remote Low Not required None None Partial
An issue was discovered in Open Network Operating System (ONOS) 1.14. In the virtual broadband network gateway application (org.onosproject.virtualbng), the host event listener does not handle the following event types: HOST_MOVED, HOST_REMOVED, HOST_UPDATED. In combination with other applications, this could lead to the absence of intended code execution.
869 CVE-2019-16297 755 Exec Code 2020-02-20 2020-02-25
5.0
None Remote Low Not required None None Partial
An issue was discovered in Open Network Operating System (ONOS) 1.14. In the P4 tutorial application (org.onosproject.p4tutorial), the host event listener does not handle the following event types: HOST_MOVED, HOST_REMOVED, HOST_UPDATED. In combination with other applications, this could lead to the absence of intended code execution.
870 CVE-2019-16204 532 2020-02-05 2022-01-01
5.0
None Remote Low Not required Partial None None
Brocade Fabric OS Versions before v7.4.2f, v8.2.2a, v8.1.2j and v8.2.1d could expose external passwords, common secrets or authentication keys used between the switch and an external server.
871 CVE-2019-16203 532 2020-02-05 2022-01-01
5.0
None Remote Low Not required Partial None None
Brocade Fabric OS Versions before v8.2.2a and v8.2.1d could expose the credentials of the remote ESRS server when these credentials are given as a command line option when configuring the ESRS client.
872 CVE-2019-16155 2020-02-07 2020-08-24
6.6
None Local Low Not required None Complete Complete
A privilege escalation vulnerability in FortiClient for Linux 6.2.1 and below may allow a user with low privilege to overwrite system files as root with arbitrary content through system backup file via specially crafted "BackupConfig" type IPC client requests to the fctsched process. Further more, FortiClient for Linux 6.2.2 and below allow low privilege user write the system backup file under root privilege through GUI thus can cause root system file overwrite.
873 CVE-2019-16152 20 DoS 2020-02-06 2020-02-12
6.8
None Remote Low ??? None None Complete
A Denial of service (DoS) vulnerability in FortiClient for Linux 6.2.1 and below may allow an user with low privilege to cause FortiClient processes running under root privilege crashes via sending specially crafted IPC client requests to the fctsched process due the nanomsg not been correctly validated.
874 CVE-2019-15875 665 2020-02-18 2020-03-04
2.1
None Local Low Not required Partial None None
In FreeBSD 12.1-STABLE before r354734, 12.1-RELEASE before 12.1-RELEASE-p2, 12.0-RELEASE before 12.0-RELEASE-p13, 11.3-STABLE before r354735, and 11.3-RELEASE before 11.3-RELEASE-p6, due to incorrect initialization of a stack data structure, core dump files may contain up to 20 bytes of kernel data previously stored on the stack.
875 CVE-2019-15711 2020-02-06 2020-08-24
7.2
None Local Low Not required Complete Complete Complete
A privilege escalation vulnerability in FortiClient for Linux 6.2.1 and below may allow an user with low privilege to run system commands under root privilege via injecting specially crafted "ExportLogs" type IPC client requests to the fctsched process.
876 CVE-2019-15624 20 2020-02-04 2022-01-01
4.0
None Remote Low ??? None Partial None
Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders.
877 CVE-2019-15623 2020-02-04 2021-10-29
5.0
None Remote Low Not required Partial None None
Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send it's domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled.
878 CVE-2019-15622 89 Sql 2020-02-04 2020-02-12
2.1
None Local Low Not required Partial None None
Not strictly enough sanitization in the Nextcloud Android app 3.6.0 allowed an attacker to get content information from protected tables when using custom queries.
879 CVE-2019-15621 281 2020-02-04 2020-02-16
4.0
None Remote Low ??? None Partial None
Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link.
880 CVE-2019-15620 2020-02-04 2020-10-09
4.0
None Remote Low ??? Partial None None
Improper access control in Nextcloud Talk 6.0.3 leaks the existance and the name of private conversations when linked them to another shared item via the projects feature.
881 CVE-2019-15619 79 XSS 2020-02-04 2020-02-12
3.5
None Remote Medium ??? None Partial None
Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each others in a project.
882 CVE-2019-15618 79 XSS 2020-02-04 2020-02-06
3.5
None Remote Medium ??? None Partial None
Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a reflected XSS when starting the updater from a malicious location.
883 CVE-2019-15617 2020-02-04 2020-10-09
5.5
None Remote Low ??? Partial Partial None
A missing check in Nextcloud Server 17.0.0 allowed an attacker to set up a new second factor when trying to login.
884 CVE-2019-15616 74 2020-02-04 2020-02-11
4.0
None Remote Low ??? None Partial None
Dangling remote share attempts in Nextcloud 16 allow a DNS pollution when running long.
885 CVE-2019-15615 287 Bypass 2020-02-04 2020-02-13
3.6
None Local Low Not required Partial Partial None
A wrong check for the system time in the Android App 3.9.0 causes a bypass of the lock protection when changing the time of the system to the past.
886 CVE-2019-15614 79 XSS 2020-02-04 2020-02-12
3.5
None Remote Medium ??? None Partial None
Missing sanitization in the iOS App 2.24.4 causes an XSS when opening malicious HTML files.
887 CVE-2019-15613 345 2020-02-04 2020-02-16
6.0
None Remote Medium ??? Partial Partial Partial
A bug in Nextcloud Server 17.0.1 causes the workflow rules to depend their behaviour on the file extension when checking file mimetypes.
888 CVE-2019-15612 384 2020-02-04 2020-03-24
3.2
None Local Low ??? Partial Partial None
A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset.
889 CVE-2019-15611 2020-02-04 2020-02-11
4.0
None Remote Low ??? Partial None None
Violation of Secure Design Principles in the iOS App 2.23.0 causes the app to leak its login and token to other Nextcloud services when search e.g. for federated users or registering for push notifications.
890 CVE-2019-15610 2020-02-04 2020-10-09
4.0
None Remote Low ??? Partial None None
Improper authorization in the Circles app 0.17.7 causes retaining access when an email address was removed from a circle.
891 CVE-2019-15609 78 2020-02-28 2020-03-02
10.0
None Remote Low Not required Complete Complete Complete
The kill-port-process package version < 2.2.0 is vulnerable to a Command Injection vulnerability.
892 CVE-2019-15606 Bypass 2020-02-07 2021-07-20
7.5
None Remote Low Not required Partial Partial Partial
Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
893 CVE-2019-15605 444 2020-02-07 2021-07-20
7.5
None Remote Low Not required Partial Partial Partial
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
894 CVE-2019-15604 295 2020-02-07 2021-07-20
5.0
None Remote Low Not required None None Partial
Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate
895 CVE-2019-15594 2020-02-14 2021-09-14
4.0
None Remote Low ??? Partial None None
GitLab 11.8 and later contains a security vulnerability that allows a user to obtain details of restricted pipelines via the merge request endpoint.
896 CVE-2019-15592 2020-02-14 2021-08-27
4.0
None Remote Low ??? Partial None None
GitLab 12.2.2 and below contains a security vulnerability that allows a guest user in a private project to see the merge request ID associated to an issue via the activity timeline.
897 CVE-2019-15299 287 Bypass 2020-02-24 2020-02-28
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in Centreon Web through 19.04.3. When a user changes his password on his profile page, the contact_autologin_key field in the database becomes blank when it should be NULL. This makes it possible to partially bypass authentication.
898 CVE-2019-15253 79 Exec Code XSS 2020-02-05 2021-12-21
3.5
None Remote Medium ??? None Partial None
A vulnerability in the web-based management interface of Cisco Digital Network Architecture (DNA) Center could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker needs administrator credentials. This vulnerability affects Cisco DNA Center Software releases earlier than 1.3.0.6 and 1.3.1.4.
899 CVE-2019-15126 367 2020-02-05 2020-08-11
2.9
None Local Network Medium Not required Partial None None
An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic, a different vulnerability than CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503.
900 CVE-2019-14688 427 2020-02-20 2020-03-04
5.1
None Remote High Not required Partial Partial Partial
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial product installation by an authorized user. The attacker must convince the target to download malicious DLL locally which must be present when the installer is run.
Total number of vulnerabilities : 1395   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 (This Page)19 20 21 22 23 24 25 26 27 28
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.