CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In February 2020

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
51 CVE-2020-9327 476 2020-02-21 2022-04-08
5.0
None Remote Low Not required None None Partial
In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.
52 CVE-2020-9320 434 Bypass 2020-02-20 2021-03-04
4.3
None Remote Medium Not required None Partial None
** DISPUTED ** Avira AV Engine before 8.3.54.138 allows virus-detection bypass via a crafted ISO archive. This affects versions before 8.3.54.138 of Antivirus for Endpoint, Antivirus for Small Business, Exchange Security (Gateway), Internet Security Suite for Windows, Prime, Free Security Suite for Windows, and Cross Platform Anti-malware SDK. NOTE: Vendor asserts that vulnerability does not exist in product.
53 CVE-2020-9318 89 Sql 2020-02-20 2020-02-25
6.5
None Remote Low ??? Partial Partial Partial
Red Gate SQL Monitor 9.0.13 through 9.2.14 allows an administrative user to perform a SQL injection attack by configuring the SNMP alert settings in the UI. This is fixed in 9.2.15.
54 CVE-2020-9308 787 2020-02-20 2022-01-01
6.8
None Remote Medium Not required Partial Partial Partial
archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header (such as a header size of zero), leading to a SIGSEGV or possibly unspecified other impact.
55 CVE-2020-9283 347 2020-02-20 2022-01-01
5.0
None Remote Low Not required None None Partial
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
56 CVE-2020-9274 824 2020-02-26 2020-09-22
5.0
None Remote Low Not required Partial None None
An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerability has been detected in the diraliases linked list. When the *lookup_alias(const char alias) or print_aliases(void) function is called, they fail to correctly detect the end of the linked list and try to access a non-existent list member. This is related to init_aliases in diraliases.c.
57 CVE-2020-9273 416 Exec Code 2020-02-20 2021-09-14
9.0
None Remote Low ??? Complete Complete Complete
In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interrupting the data transfer channel. This triggers a use-after-free in alloc_pool in pool.c, and possible remote code execution.
58 CVE-2020-9272 125 2020-02-20 2021-11-09
5.0
None Remote Low Not required Partial None None
ProFTPD 1.3.7 has an out-of-bounds (OOB) read vulnerability in mod_cap via the cap_text.c cap_to_text function.
59 CVE-2020-9271 352 CSRF 2020-02-18 2020-02-19
4.3
None Remote Medium Not required None Partial None
ICE Hrm 26.2.0 is vulnerable to CSRF that leads to user creation via service.php.
60 CVE-2020-9270 352 CSRF 2020-02-18 2020-02-19
6.8
None Remote Medium Not required Partial Partial Partial
ICE Hrm 26.2.0 is vulnerable to CSRF that leads to password reset via service.php.
61 CVE-2020-9269 89 Exec Code Sql 2020-02-18 2020-02-20
9.0
None Remote Low ??? Complete Complete Complete
SOPlanning 1.45 is vulnerable to authenticated SQL Injection that leads to command execution via the users parameter, as demonstrated by export_ical.php.
62 CVE-2020-9268 89 Sql 2020-02-18 2020-02-19
5.0
None Remote Low Not required Partial None None
SoPlanning 1.45 is vulnerable to SQL Injection in the OrderBy clause, as demonstrated by the projets.php?order=nom_createur&by= substring.
63 CVE-2020-9267 352 CSRF 2020-02-18 2020-02-19
4.3
None Remote Medium Not required None Partial None
SOPlanning 1.45 is vulnerable to a CSRF attack that allows for arbitrary user creation via process/xajax_server.php.
64 CVE-2020-9266 352 CSRF 2020-02-18 2020-02-19
4.3
None Remote Medium Not required None Partial None
SOPlanning 1.45 is vulnerable to a CSRF attack that allows for arbitrary changing of the admin password via process/xajax_server.php.
65 CVE-2020-9265 89 Sql 2020-02-18 2020-02-27
6.4
None Remote Low Not required Partial None Partial
phpMyChat-Plus 1.98 is vulnerable to multiple SQL injections against the deluser.php Delete User functionality, as demonstrated by pmc_username.
66 CVE-2020-9264 20 Bypass 2020-02-18 2021-07-21
4.3
None Remote Medium Not required None Partial None
ESET Archive Support Module before 1296 allows virus-detection bypass via a crafted Compression Information Field in a ZIP archive. This affects versions before 1294 of Smart Security Premium, Internet Security, NOD32 Antivirus, Cyber Security Pro (macOS), Cyber Security (macOS), Mobile Security for Android, Smart TV Security, and NOD32 Antivirus 4 for Linux Desktop.
67 CVE-2020-9043 269 2020-02-17 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
The wpCentral plugin before 1.5.1 for WordPress allows disclosure of the connection key.
68 CVE-2020-9039 276 2020-02-22 2022-01-01
7.5
None Remote Low Not required Partial Partial Partial
Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access). The /settings REST endpoint exposed by the projector process is an endpoint that administrators can use for various tasks such as updating configuration and collecting performance profiles. The endpoint was unauthenticated and has been updated to only allow authenticated users to access these administrative APIs.
69 CVE-2020-9038 79 XSS 2020-02-17 2021-12-30
3.5
None Remote Medium ??? None Partial None
Joplin through 1.0.184 allows Arbitrary File Read via XSS.
70 CVE-2020-9034 20 2020-02-17 2021-07-21
5.0
None Remote Low Not required None Partial None
Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices mishandle session validation, leading to unauthenticated creation, modification, or elimination of users.
71 CVE-2020-9033 22 Dir. Trav. 2020-02-17 2020-02-19
6.4
None Remote Low Not required Partial Partial None
Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow Directory Traversal via the FileName parameter to authlog.php.
72 CVE-2020-9032 22 Dir. Trav. 2020-02-17 2020-02-19
6.4
None Remote Low Not required Partial Partial None
Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow Directory Traversal via the FileName parameter to kernlog.php.
73 CVE-2020-9031 22 Dir. Trav. 2020-02-17 2020-02-19
6.4
None Remote Low Not required Partial Partial None
Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow Directory Traversal via the FileName parameter to daemonlog.php.
74 CVE-2020-9030 22 Dir. Trav. 2020-02-17 2020-02-19
6.4
None Remote Low Not required Partial Partial None
Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow Directory Traversal via the FileName parameter to the syslog.php.
75 CVE-2020-9029 22 Dir. Trav. 2020-02-17 2020-02-19
6.4
None Remote Low Not required Partial Partial None
Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow Directory Traversal via the FileName parameter to messagelog.php.
76 CVE-2020-9028 79 XSS 2020-02-17 2020-02-19
4.3
None Remote Medium Not required None Partial None
Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow stored XSS via the newUserName parameter on the "User Creation, Deletion and Password Maintenance" screen (when creating a new user).
77 CVE-2020-9027 78 2020-02-17 2020-02-19
10.0
None Remote Low Not required Complete Complete Complete
ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the TRACE field of the resource ping.cmd. The NTP-2 device is also affected.
78 CVE-2020-9026 78 2020-02-17 2020-02-19
10.0
None Remote Low Not required Complete Complete Complete
ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the PING field of the resource ping.cmd. The NTP-2 device is also affected.
79 CVE-2020-9025 79 XSS 2020-02-17 2020-02-19
4.3
None Remote Medium Not required None Partial None
Iteris Vantage Velocity Field Unit 2.4.2 devices have multiple stored XSS issues in all parameters of the Start Data Viewer feature of the /cgi-bin/loaddata.py script.
80 CVE-2020-9024 269 2020-02-17 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have world-writable permissions for the /root/cleardata.pl (executed as root by crond) and /root/loadperl.sh (executed as root at boot time) scripts.
81 CVE-2020-9023 522 2020-02-17 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have two users that are not documented and are configured with weak passwords (User bluetooth, password bluetooth; User eclipse, password eclipse). Also, bluetooth is the root password.
82 CVE-2020-9022 79 XSS 2020-02-17 2020-02-19
4.3
None Remote Medium Not required None Partial None
An issue was discovered on Xirrus XR520, XR620, XR2436, and XH2-120 devices. The cgi-bin/ViewPage.cgi user parameter allows XSS.
83 CVE-2020-9021 78 2020-02-17 2020-02-20
10.0
None Remote Low Not required Complete Complete Complete
Post Oak AWAM Bluetooth Field Device 7400v2.08.21.2018, 7800SD.2015.1.16, 2011.3, 7400v2.02.01.2019, and 7800SD.2012.12.5 is vulnerable to injections of operating system commands through timeconfig.py via shell metacharacters in the htmlNtpServer parameter.
84 CVE-2020-9020 78 2020-02-17 2020-02-19
10.0
None Remote Low Not required Complete Complete Complete
Iteris Vantage Velocity Field Unit 2.3.1, 2.4.2, and 3.0 devices allow the injection of OS commands into cgi-bin/timeconfig.py via shell metacharacters in the NTP Server field.
85 CVE-2020-9019 79 XSS 2020-02-25 2022-01-01
4.3
None Remote Medium Not required None Partial None
The WPJobBoard plugin 5.5.3 for WordPress allows Persistent XSS via the Add Job form, as demonstrated by title and Description.
86 CVE-2020-9018 352 CSRF 2020-02-25 2020-02-26
5.0
None Remote Low Not required None Partial None
LiteCart through 2.2.1 allows admin/?app=users&doc=edit_user CSRF to add a user.
87 CVE-2020-9017 74 2020-02-25 2021-07-21
6.0
None Remote Medium ??? Partial Partial Partial
LiteCart through 2.2.1 allows CSV injection via a customer's profile.
88 CVE-2020-9016 79 XSS 2020-02-16 2020-02-18
3.5
None Remote Medium ??? None Partial None
Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header.
89 CVE-2020-9015 Bypass 2020-02-20 2020-06-16
7.5
None Remote Low Not required Partial Partial Partial
** DISPUTED ** Arista DCS-7050QX-32S-R 4.20.9M, DCS-7050CX3-32S-R 4.20.11M, and DCS-7280SRAM-48C6-R 4.22.0.1F devices (and possibly other products) allow attackers to bypass intended TACACS+ shell restrictions via a | character. NOTE: the vendor reports that this is a configuration issue relating to an overly permissive regular expression in the TACACS+ server permitted commands.
90 CVE-2020-9013 20 Bypass 2020-02-16 2022-01-01
4.0
None Remote Low ??? None Partial None
Arvato Skillpipe 3.0 allows attackers to bypass intended print restrictions by deleting <div id="watermark"> from the HTML source code.
91 CVE-2020-9012 79 XSS 2020-02-16 2020-02-18
4.3
None Remote Medium Not required None Partial None
A cross-site scripting (XSS) vulnerability in the Import People functionality in Gluu Identity Configuration 4.0 allows remote attackers to inject arbitrary web script or HTML via the filename parameter.
92 CVE-2020-9008 79 XSS 2020-02-25 2020-03-09
3.5
None Remote Medium ??? None Partial None
Stored Cross-site scripting (XSS) vulnerability in Blackboard Learn/PeopleTool v9.1 allows users to inject arbitrary web script via the Tile widget in the People Tool profile editor.
93 CVE-2020-9007 79 XSS 2020-02-16 2020-02-18
3.5
None Remote Medium ??? None Partial None
Codoforum 4.8.8 allows self-XSS via the title of a new topic.
94 CVE-2020-9006 89 Exec Code Sql 2020-02-17 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on WordPress instances. (This issue has been fixed in the 3.x branch of popup-builder.)
95 CVE-2020-9005 787 DoS Exec Code 2020-02-17 2022-02-07
6.8
None Remote Medium Not required Partial Partial Partial
meshsystem.dll in Valve Dota 2 through 2020-02-17 allows remote attackers to achieve code execution or denial of service by creating a gaming server with a crafted map, and inviting a victim to this server. A GetValue call is mishandled.
96 CVE-2020-9003 79 XSS 2020-02-20 2020-02-24
3.5
None Remote Medium ??? None Partial None
A stored XSS vulnerability exists in the Modula Image Gallery plugin before 2.2.5 for WordPress. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users.
97 CVE-2020-8997 787 2020-02-16 2020-02-28
5.8
None Local Network Low Not required Partial Partial Partial
Older generation Abbott FreeStyle Libre sensors allow remote attackers within close proximity to enable write access to memory via a specific NFC unlock command. NOTE: The vulnerability is not present in the FreeStyle Libre 14-day in the U.S (announced in August 2018) and FreeStyle Libre 2 outside the U.S (announced in October 2018).
98 CVE-2020-8996 22 Dir. Trav. 2020-02-16 2020-02-21
4.0
None Remote Low ??? Partial None None
AnyShare Cloud 6.0.9 allows authenticated directory traversal to read files, as demonstrated by the interface/downloadwithpath/downloadfile/?filepath=/etc/passwd URI.
99 CVE-2020-8992 400 DoS 2020-02-14 2022-04-27
4.9
None Local Low Not required None None Complete
ext4_protect_reserved_inode in fs/ext4/block_validity.c in the Linux kernel through 5.5.3 allows attackers to cause a denial of service (soft lockup) via a crafted journal size.
100 CVE-2020-8991 401 DoS 2020-02-14 2022-01-01
2.1
None Local Low Not required None None Partial
** DISPUTED ** vg_lookup in daemons/lvmetad/lvmetad-core.c in LVM2 2.02 mismanages memory, leading to an lvmetad memory leak, as demonstrated by running pvs. NOTE: RedHat disputes CVE-2020-8991 as not being a vulnerability since there’s no apparent route to either privilege escalation or to denial of service through the bug.
Total number of vulnerabilities: 1395. Page 2 of 28.