CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In July 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
901 CVE-2020-6520 120 Overflow 2020-07-22 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in Skia in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
902 CVE-2020-6519 Bypass 2020-07-22 2021-03-12
4.3
None Remote Medium Not required None Partial None
Policy bypass in CSP in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to bypass content security policy via a crafted HTML page.
903 CVE-2020-6518 416 2020-07-22 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
Use after free in developer tools in Google Chrome prior to 84.0.4147.89 allowed a remote attacker who had convinced the user to use developer tools to potentially exploit heap corruption via a crafted HTML page.
904 CVE-2020-6517 787 Overflow 2020-07-22 2021-03-12
9.3
None Remote Medium Not required Complete Complete Complete
Heap buffer overflow in history in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
905 CVE-2020-6516 Bypass 2020-07-22 2021-03-12
4.3
None Remote Medium Not required Partial None None
Policy bypass in CORS in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
906 CVE-2020-6515 416 2020-07-22 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
Use after free in tab strip in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
907 CVE-2020-6514 2020-07-22 2021-07-21
4.3
None Remote Medium Not required None Partial None
Inappropriate implementation in WebRTC in Google Chrome prior to 84.0.4147.89 allowed an attacker in a privileged network position to potentially exploit heap corruption via a crafted SCTP stream.
908 CVE-2020-6513 787 Overflow 2020-07-22 2021-01-28
6.8
None Remote Medium Not required Partial Partial Partial
Heap buffer overflow in PDFium in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.
909 CVE-2020-6512 843 2020-07-22 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
Type Confusion in V8 in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
910 CVE-2020-6511 200 +Info 2020-07-22 2021-07-21
4.3
None Remote Medium Not required Partial None None
Information leak in content security policy in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
911 CVE-2020-6510 787 Overflow 2020-07-22 2021-01-27
6.8
None Remote Medium Not required Partial Partial Partial
Heap buffer overflow in background fetch in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
912 CVE-2020-6509 416 2020-07-22 2020-09-18
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in extensions in Google Chrome prior to 83.0.4103.116 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.
913 CVE-2020-6507 787 2020-07-22 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
914 CVE-2020-6506 863 Bypass 2020-07-22 2021-07-21
4.3
None Remote Medium Not required None Partial None
Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page.
915 CVE-2020-6505 416 2020-07-22 2020-07-27
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in speech in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
916 CVE-2020-6292 613 2020-07-14 2020-07-14
6.5
None Remote Low ??? Partial Partial Partial
Logout mechanism in SAP Disclosure Management, version 10.1, does not invalidate one of the session cookies, leading to Insufficient Session Expiration.
917 CVE-2020-6291 613 2020-07-14 2020-07-14
6.5
None Remote Low ??? Partial Partial Partial
SAP Disclosure Management, version 10.1, session mechanism does not have expiration data set therefore allows unlimited access after authenticating once, leading to Insufficient Session Expiration
918 CVE-2020-6290 384 2020-07-14 2020-07-14
6.8
None Remote Medium Not required Partial Partial Partial
SAP Disclosure Management, version 10.1, is vulnerable to Session Fixation attacks wherein the attacker tricks the user into using a specific session ID.
919 CVE-2020-6289 352 CSRF 2020-07-14 2020-07-15
6.8
None Remote Medium Not required Partial Partial Partial
SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site.
920 CVE-2020-6287 306 2020-07-14 2022-04-28
10.0
None Remote Low Not required Complete Complete Complete
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
921 CVE-2020-6286 22 Dir. Trav. 2020-07-14 2020-07-15
5.0
None Remote Low Not required Partial None None
The insufficient input path validation of certain parameter in the web service of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to Path Traversal.
922 CVE-2020-6285 200 +Info 2020-07-14 2021-07-21
3.5
None Remote Medium ??? Partial None None
SAP NetWeaver - XML Toolkit for JAVA (ENGINEAPI) (versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50), under certain conditions allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure.
923 CVE-2020-6282 918 2020-07-14 2020-07-15
5.0
None Remote Low Not required Partial None None
SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, and SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send a crafted request from a vulnerable web application. It is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability.
924 CVE-2020-6281 79 XSS 2020-07-14 2020-07-14
4.3
None Remote Medium Not required None Partial None
SAP Business Objects Business Intelligence Platform (BI Launchpad), version 4.2, does not sufficiently encode user-controlled inputs, resulting reflected in Cross-Site Scripting.
925 CVE-2020-6280 200 +Info 2020-07-14 2021-07-21
4.0
None Remote Low ??? Partial None None
SAP NetWeaver (ABAP Server) and ABAP Platform, versions 731, 740, 750, allows an attacker with admin privileges to access certain files which should otherwise be restricted, leading to Information Disclosure.
926 CVE-2020-6278 79 XSS 2020-07-14 2020-07-14
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (BI Launchpad and CMC), versions 4.1, 4.2, allows to an attacker to embed malicious scripts in the application while uploading images, which gets executed when the victim opens these files, leading to Stored Cross Site Scripting
927 CVE-2020-6276 79 XSS 2020-07-14 2020-07-14
4.3
None Remote Medium Not required None Partial None
SAP Business Objects Business Intelligence Platform (bipodata), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability.
928 CVE-2020-6267 732 2020-07-14 2020-07-23
5.8
None Remote Medium Not required Partial Partial None
Some sensitive cookies in SAP Disclosure Management, version 10.1, are missing HttpOnly flag, leading to sensitive cookie without Http Only flag.
929 CVE-2020-6261 74 2020-07-01 2021-07-21
5.0
None Remote Low Not required None Partial None
SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to perform a log injection into the trace file, due to Incomplete XML Validation. The readability of the trace file is impaired.
930 CVE-2020-6165 276 2020-07-15 2020-07-23
5.0
None Remote Low Not required Partial None None
SilverStripe 4.5.0 allows attackers to read certain records that should not have been placed into a result set. This affects silverstripe/recipe-cms. The automatic permission-checking mechanism in the silverstripe/graphql module does not provide complete protection against lists that are limited (e.g., through pagination), resulting in records that should have failed a permission check being added to the final result set. GraphQL endpoints are configured by default (e.g., for assets), but the admin/graphql endpoint is access protected by default. This limits the vulnerability to all authenticated users, including those with limited permissions (e.g., where viewing records exposed through admin/graphql requires administrator permissions). However, if custom GraphQL endpoints have been configured for a specific implementation (usually under /graphql), this vulnerability could also be exploited through unauthenticated requests. This vulnerability only applies to reading records; it does not allow unauthorised changing of records.
931 CVE-2020-6164 200 +Info 2020-07-15 2021-07-21
5.0
None Remote Low Not required Partial None None
In SilverStripe through 4.5.0, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page).
932 CVE-2020-6114 89 Sql 2020-07-10 2022-05-12
6.5
None Remote Low ??? Partial Partial Partial
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
933 CVE-2020-6103 787 Exec Code 2020-07-20 2020-07-24
6.5
None Remote Low ??? Partial Partial Partial
An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.dll 26.20.15019.19000. An attacker can provide a a specially crafted shader file to trigger this vulnerability, resulting in code execution. This vulnerability can be triggered from a HYPER-V guest using the RemoteFX feature, leading to executing the vulnerable code on the HYPER-V host (inside of the rdvgm.exe process). Theoretically this vulnerability could be also triggered from web browser (using webGL and webassembly).
934 CVE-2020-6102 787 Exec Code 2020-07-20 2022-04-27
6.5
None Remote Low ??? Partial Partial Partial
An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.dll 26.20.15019.19000. An attacker can provide a a specially crafted shader file to trigger this vulnerability, resulting in code execution. This vulnerability can be triggered from a HYPER-V guest using the RemoteFX feature, leading to executing the vulnerable code on the HYPER-V host (inside of the rdvgm.exe process). Theoretically this vulnerability could be also triggered from web browser (using webGL and webassembly).
935 CVE-2020-6101 787 Exec Code 2020-07-20 2020-07-24
6.5
None Remote Low ??? Partial Partial Partial
An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.dll 26.20.15019.19000. An attacker can provide a specially crafted shader file to trigger this vulnerability, resulting in code execution. This vulnerability can be triggered from a HYPER-V guest using the RemoteFX feature, leading to executing the vulnerable code on the HYPER-V host (inside of the rdvgm.exe process). Theoretically this vulnerability could be also triggered from web browser (using webGL and webassembly).
936 CVE-2020-6100 787 Mem. Corr. 2020-07-20 2020-07-24
6.5
None Remote Low ??? Partial Partial Partial
An exploitable memory corruption vulnerability exists in AMD atidxx64.dll 26.20.15019.19000 graphics driver. A specially crafted pixel shader can cause memory corruption vulnerability. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability potentially could be triggered from guest machines running virtualization environments (ie. VMware, qemu, VirtualBox etc.) in order to perform guest-to-host escape - as it was demonstrated before (TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically this vulnerability could be also triggered from web browser (using webGL and webassembly). This vulnerability was triggered from HYPER-V guest using RemoteFX feature leading to executing the vulnerable code on the HYPER-V host (inside of the rdvgm.exe process).
937 CVE-2020-6098 787 DoS Mem. Corr. 2020-07-28 2022-05-12
5.0
None Remote Low Not required None None Partial
An exploitable denial of service vulnerability exists in the freeDiameter functionality of freeDiameter 1.3.2. A specially crafted Diameter request can trigger a memory corruption resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
938 CVE-2020-6089 787 Exec Code Overflow 2020-07-01 2022-05-12
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable code execution vulnerability exists in the ANI file format parser of Leadtools 20. A specially crafted ANI file can cause a buffer overflow resulting in remote code execution. An attacker can provide a malicious file to trigger this vulnerability.
939 CVE-2020-6013 269 Exec Code 2020-07-06 2020-07-13
6.5
None Remote Low ??? Partial Partial Partial
ZoneAlarm Firewall and Antivirus products before version 15.8.109.18436 allow an attacker who already has access to the system to execute code at elevated privileges through a combination of file permission manipulation and exploitation of Windows CVE-2020-00896 on unpatched systems.
940 CVE-2020-5974 276 2020-07-08 2020-07-14
4.6
None Local Low Not required Partial Partial Partial
NVIDIA JetPack SDK, version 4.2 and 4.3, contains a vulnerability in its installation scripts in which permissions are incorrectly set on certain directories, which can lead to escalation of privileges.
941 CVE-2020-5911 2020-07-02 2020-07-08
7.5
None Remote Low Not required Partial Partial Partial
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.
942 CVE-2020-5910 287 2020-07-02 2021-07-21
5.0
None Remote Low Not required Partial None None
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
943 CVE-2020-5909 295 2020-07-02 2020-07-08
5.8
None Remote Medium Not required Partial Partial None
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
944 CVE-2020-5908 200 +Info 2020-07-01 2021-07-21
2.1
None Local Low Not required Partial None None
In versions bundled with BIG-IP APM 12.1.0-12.1.5 and 11.6.1-11.6.5.2, Edge Client for Linux exposes full session ID in the local log files.
945 CVE-2020-5907 2020-07-01 2022-05-03
6.0
None Remote Medium ??? Partial Partial Partial
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, an authorized user provided with access only to the TMOS Shell (tmsh) may be able to conduct arbitrary file read/writes via the built-in sftp functionality.
946 CVE-2020-5906 276 2020-07-01 2020-07-08
5.5
None Remote Low ??? Partial Partial None
In versions 13.1.0-13.1.3.3, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, the BIG-IP system does not properly enforce the access controls for the scp.blacklist files. This allows Admin and Resource Admin users with Secure Copy (SCP) protocol access to read and overwrite blacklisted files via SCP.
947 CVE-2020-5905 20 2020-07-01 2021-07-21
6.0
None Remote Medium ??? Partial Partial Partial
In version 11.6.1-11.6.5.2 of the BIG-IP system Configuration utility Network > WCCP page, the system does not sanitize all user-provided data before display.
948 CVE-2020-5904 352 CSRF 2020-07-01 2020-07-10
6.8
None Remote Medium Not required Partial Partial Partial
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, a cross-site request forgery (CSRF) vulnerability in the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, exists in an undisclosed page.
949 CVE-2020-5903 79 XSS 2020-07-01 2020-07-08
4.3
None Remote Medium Not required None Partial None
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, a Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility.
950 CVE-2020-5902 22 Exec Code Dir. Trav. 2020-07-01 2022-05-03
10.0
None Remote Low Not required Complete Complete Complete
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
Total number of vulnerabilities : 1418   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 (This Page)20 21 22 23 24 25 26 27 28 29
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.