CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In July 2020 (CVSS score >= 8)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
51 CVE-2020-11953 78 Exec Code 2020-07-14 2020-07-17
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered on Rittal PDU-3C002DEC through 5.15.40 and CMCIII-PU-9333E0FB through 3.15.70_4 devices. Attackers can execute code.
52 CVE-2020-11951 798 2020-07-14 2020-07-17
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on Rittal PDU-3C002DEC through 5.17.10 and CMCIII-PU-9333E0FB through 3.17.10 devices. There is a Backdoor root account.
53 CVE-2020-11749 79 Exec Code XSS 2020-07-13 2020-07-30
9.3
None Remote Medium Not required Complete Complete Complete
Pandora FMS 7.0 NG <= 746 suffers from Multiple XSS vulnerabilities in different browser views. A network administrator scanning a SNMP device can trigger a Cross Site Scripting (XSS), which can run arbitrary code to allow Remote Code Execution as root or apache2.
54 CVE-2020-11476 434 2020-07-28 2021-11-01
9.0
None Remote Low ??? Complete Complete Complete
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file.
55 CVE-2020-11439 20 File Inclusion 2020-07-15 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
LibreHealth EMR v2.0.0 is affected by a Local File Inclusion issue allowing arbitrary PHP to be included and executed within the EMR application.
56 CVE-2020-10988 798 2020-07-13 2020-07-15
10.0
None Remote Low Not required Complete Complete Complete
A hard-coded telnet credential in the tenda_login binary of Tenda AC15 AC1900 version 15.03.05.19 allows unauthenticated remote attackers to start a telnetd service on the device.
57 CVE-2020-10987 74 Exec Code 2020-07-13 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
58 CVE-2020-10929 190 Exec Code Overflow 2020-07-28 2020-07-30
8.3
None Local Network Low Not required Complete Complete Complete
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of string table file uploads. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-9768.
59 CVE-2020-10927 327 Exec Code 2020-07-28 2021-10-26
8.3
None Local Network Low Not required Complete Complete Complete
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the encryption of firmware update images. The issue results from the use of an inappropriate encryption algorithm. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-9649.
60 CVE-2020-10926 494 Exec Code 2020-07-28 2020-07-29
8.3
None Local Network Low Not required Complete Complete Complete
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of firmware updates. The issue results from the lack of proper validation of the firmware image prior to performing an upgrade. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-9648.
61 CVE-2020-10925 295 Exec Code 2020-07-28 2020-07-29
8.3
None Local Network Low Not required Complete Complete Complete
This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the downloading of files via HTTPS. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-9647.
62 CVE-2020-10924 121 Exec Code Bypass 2020-07-28 2020-07-29
8.3
None Local Network Low Not required Complete Complete Complete
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9643.
63 CVE-2020-10923 305 Exec Code Bypass 2020-07-28 2020-07-29
8.3
None Local Network Low Not required Complete Complete Complete
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPnP service, which listens on TCP port 5000. A crafted UPnP message can be used to bypass authentication. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-9642.
64 CVE-2020-9692 863 Exec Code Bypass 2020-07-29 2021-07-21
8.5
None Remote Medium ??? Complete Complete Complete
Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
65 CVE-2020-9691 79 Exec Code XSS 2020-07-29 2020-07-29
9.3
None Remote Medium Not required Complete Complete Complete
Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a dom-based cross-site scripting vulnerability. Successful exploitation could lead to arbitrary code execution.
66 CVE-2020-9689 22 Exec Code Dir. Trav. 2020-07-29 2020-07-30
8.5
None Remote Medium ??? Complete Complete Complete
Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a path traversal vulnerability. Successful exploitation could lead to arbitrary code execution.
67 CVE-2020-9688 74 Exec Code 2020-07-17 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Download Manager version 2.0.0.518 have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
68 CVE-2020-9682 59 2020-07-17 2021-10-05
10.0
None Remote Low Not required Complete Complete Complete
Adobe Creative Cloud Desktop Application versions 5.1 and earlier have a symlink vulnerability vulnerability. Successful exploitation could lead to arbitrary file system write.
69 CVE-2020-8958 78 Exec Code 2020-07-15 2020-07-22
9.0
None Remote Low ??? Complete Complete Complete
Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the boaform/admin/formPing Dest IP Address field.
70 CVE-2020-8178 78 2020-07-15 2020-07-21
10.0
None Remote Low Not required Complete Complete Complete
Insufficient input validation in npm package `jison` <= 0.4.18 may lead to OS command injection attacks.
71 CVE-2020-8174 191 Mem. Corr. 2020-07-24 2022-05-12
9.3
None Remote Medium Not required Complete Complete Complete
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
72 CVE-2020-7825 78 Exec Code 2020-07-17 2020-07-23
10.0
None Remote Low Not required Complete Complete Complete
A vulnerability exists that could allow the execution of operating system commands on systems running MiPlatform 2019.05.16 and earlier. An attacker could execute arbitrary remote command by sending parameters to WinExec function in ExtCommandApi.dll module of MiPlatform.
73 CVE-2020-6524 787 Overflow 2020-07-22 2021-01-27
9.3
None Remote Medium Not required Complete Complete Complete
Heap buffer overflow in WebAudio in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
74 CVE-2020-6523 787 2020-07-22 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
Out of bounds write in Skia in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
75 CVE-2020-6520 120 Overflow 2020-07-22 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in Skia in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
76 CVE-2020-6518 416 2020-07-22 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
Use after free in developer tools in Google Chrome prior to 84.0.4147.89 allowed a remote attacker who had convinced the user to use developer tools to potentially exploit heap corruption via a crafted HTML page.
77 CVE-2020-6517 787 Overflow 2020-07-22 2021-03-12
9.3
None Remote Medium Not required Complete Complete Complete
Heap buffer overflow in history in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
78 CVE-2020-6515 416 2020-07-22 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
Use after free in tab strip in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
79 CVE-2020-6512 843 2020-07-22 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
Type Confusion in V8 in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
80 CVE-2020-6287 306 2020-07-14 2022-04-28
10.0
None Remote Low Not required Complete Complete Complete
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
81 CVE-2020-5902 22 Exec Code Dir. Trav. 2020-07-01 2022-05-03
10.0
None Remote Low Not required Complete Complete Complete
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
82 CVE-2020-5901 79 XSS 2020-07-01 2020-07-10
9.3
None Remote Medium Not required Complete Complete Complete
In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. If the victim user is logged in as admin this could result in a complete compromise of the system.
83 CVE-2020-5763 326 2020-07-29 2020-07-31
9.0
None Remote Low ??? Complete Complete Complete
Grandstream HT800 series firmware version 1.0.17.5 and below contain a backdoor in the SSH service. An authenticated remote attacker can obtain a root shell by correctly answering a challenge prompt.
84 CVE-2020-5760 78 Exec Code 2020-07-29 2020-07-31
9.3
None Remote Medium Not required Complete Complete Complete
Grandstream HT800 series firmware version 1.0.17.5 and below is vulnerable to an OS command injection vulnerability. Unauthenticated remote attackers can execute arbitrary commands as root by crafting a special configuration file and sending a crafted SIP message.
85 CVE-2020-5759 78 Exec Code 2020-07-17 2020-07-23
10.0
None Remote Low Not required Complete Complete Complete
Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via SSH. An authenticated remote attacker can execute commands as the root user by issuing a specially crafted "unset" command.
86 CVE-2020-5758 78 Exec Code 2020-07-17 2020-07-23
9.0
None Remote Low ??? Complete Complete Complete
Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated remote attacker can execute commands as the root user by sending a crafted HTTP GET to the UCM's "Old" HTTPS API.
87 CVE-2020-5757 78 Exec Code Bypass 2020-07-17 2020-07-23
10.0
None Remote Low Not required Complete Complete Complete
Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated remote attacker can bypass command injection mitigations and execute commands as the root user by sending a crafted HTTP POST to the UCM's "New" HTTPS API.
88 CVE-2020-5756 78 Exec Code 2020-07-17 2020-07-22
9.0
None Remote Low ??? Complete Complete Complete
Grandstream GWN7000 firmware version 1.0.9.4 and below allows authenticated remote users to modify the system's crontab via undocumented API. An attacker can use this functionality to execute arbitrary OS commands on the router.
89 CVE-2020-5610 119 Exec Code Overflow 2020-07-30 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
Global TechStream (GTS) for TOYOTA dealers version 15.10.032 and earlier allows an attacker to cause a denial-of-service (DoS) condition and execute arbitrary code via unspecified vectors.
90 CVE-2020-5599 74 Exec Code 2020-07-07 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet.
91 CVE-2020-5352 78 Exec Code 2020-07-06 2020-07-13
9.0
None Remote Low ??? Complete Complete Complete
Dell EMC Data Protection Advisor 6.4, 6.5 and 18.1 contain an OS command injection vulnerability. A remote authenticated malicious user may exploit this vulnerability to execute arbitrary commands on the affected system.
92 CVE-2020-4464 502 Exec Code 2020-07-17 2020-07-22
9.0
None Remote Low ??? Complete Complete Complete
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to execute arbitrary code on a system with a specially-crafted sequence of serialized objects over the SOAP connector. IBM X-Force ID: 181489.
93 CVE-2020-4305 502 Exec Code 2020-07-09 2020-07-17
9.3
None Remote Medium Not required Complete Complete Complete
IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 176677.
94 CVE-2020-4074 287 Exec Code 2020-07-02 2020-07-07
10.0
None Remote Low Not required Complete Complete Complete
In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, the authentication system is malformed and an attacker is able to forge requests and execute admin commands. The problem is fixed in 1.7.6.6.
95 CVE-2020-3387 20 Exec Code 2020-07-16 2021-08-06
9.0
None Remote Low ??? Complete Complete Complete
A vulnerability in Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to execute code with root privileges on an affected system. The vulnerability is due to insufficient input sanitization during user authentication processing. An attacker could exploit this vulnerability by sending a crafted response to the Cisco SD-WAN vManage Software. A successful exploit could allow the attacker to access the software and execute commands they should not be authorized to execute.
96 CVE-2020-3386 863 Bypass 2020-07-31 2020-08-05
9.0
None Remote Low ??? Complete Complete Complete
A vulnerability in the REST API endpoint of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker with a low-privileged account to bypass authorization on the API of an affected device. The vulnerability is due to insufficient authorization of certain API functions. An attacker could exploit this vulnerability by sending a crafted request to the API using low-privileged credentials. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges.
97 CVE-2020-3383 22 Dir. Trav. 2020-07-31 2021-08-06
9.0
None Remote Low ??? Complete Complete Complete
A vulnerability in the archive utility of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to conduct directory traversal attacks on an affected device. The vulnerability is due to a lack of proper input validation of paths that are embedded within archive files. An attacker could exploit this vulnerability by sending a crafted request to an affected device. A successful exploit could allow the attacker to write arbitrary files in the system with the privileges of the logged-in user.
98 CVE-2020-3382 798 Bypass 2020-07-31 2020-08-05
10.0
None Remote Low Not required Complete Complete Complete
A vulnerability in the REST API of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability exists because different installations share a static encryption key. An attacker could exploit this vulnerability by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges.
99 CVE-2020-3375 20 Exec Code Overflow +Priv 2020-07-31 2021-08-06
10.0
None Remote Low Not required Complete Complete Complete
A vulnerability in Cisco SD-WAN Solution Software could allow an unauthenticated, remote attacker to cause a buffer overflow on an affected device. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted traffic to an affected device. A successful exploit could allow the attacker to gain access to information that they are not authorized to access, make changes to the system that they are not authorized to make, and execute commands on an affected system with privileges of the root user.
100 CVE-2020-3374 863 +Priv Bypass 2020-07-31 2020-08-06
9.0
None Remote Low ??? Complete Complete Complete
A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization, enabling them to access sensitive information, modify the system configuration, or impact the availability of the affected system. The vulnerability is due to insufficient authorization checking on the affected system. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to gain privileges beyond what would normally be authorized for their configured user authorization level. The attacker may be able to access sensitive information, modify the system configuration, or impact the availability of the affected system.
Total number of vulnerabilities : 131   Page : 1 2 (This Page)3
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.