CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
951 CVE-2020-9092 74 Bypass 2020-10-19 2021-07-21
2.1
None Local Low Not required None Partial None
HUAWEI Mate 20 versions earlier than 10.1.0.163(C00E160R3P8) have a JavaScript injection vulnerability. A module does not verify a specific input. This could allow attackers to bypass filter mechanism to launch JavaScript injection. This could compromise normal service of the affected module.
952 CVE-2020-9091 125 2020-10-12 2020-10-16
2.1
None Local Low Not required None None Partial
Taurus-AN00B versions earlier than 10.1.0.156(C00E155R7P2) have an out-of-bounds read and write vulnerability. Some functions do not verify inputs sufficiently. Attackers can exploit this vulnerability by sending specific request. This could compromise normal service of the affected device.
953 CVE-2020-9090 863 Exec Code 2020-10-12 2021-07-21
4.6
None Local Low Not required Partial Partial Partial
FusionAccess version 6.5.1 has an improper authorization vulnerability. A command is authorized with incorrect privilege. Attackers with other privilege can execute the command to exploit this vulnerability. This may compromise normal service of the affected product.
954 CVE-2020-9087 125 +Info 2020-10-12 2020-10-16
2.1
None Local Low Not required Partial None None
Taurus-AL00A version 10.0.0.1(C00E1R1P1) has an out-of-bounds read vulnerability in XFRM module. An authenticated, local attacker may perform a specific operation to exploit this vulnerability. Due to insufficient validation of the parameters, which may be exploited to cause information leak.
955 CVE-2020-9048 732 DoS 2020-10-08 2021-01-07
7.8
None Local Network Low Not required None Complete Complete
A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow a remote unauthenticated attacker on the network to delete arbitrary files on the system or render the system unusable by conducting a Denial of Service attack.
956 CVE-2020-8956 521 2020-10-27 2020-10-27
1.9
None Local Medium Not required Partial None None
Pulse Secure Desktop Client 9.0Rx before 9.0R5 and 9.1Rx before 9.1R4 on Windows reveals users' passwords if Save Settings is enabled.
957 CVE-2020-8929 2020-10-19 2020-10-29
5.0
None Remote Low Not required None Partial None
A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting deterministic AEAD with a single key, and rely on a unique ciphertext-per-plaintext.
958 CVE-2020-8821 74 Exec Code 2020-10-12 2021-07-21
3.5
None Remote Medium ??? None Partial None
An Improper Data Validation Vulnerability exists in Webmin 1.941 and earlier affecting the Command Shell Endpoint. A user may enter HTML code into the Command field and submit it. Then, after visiting the Action Logs Menu and displaying logs, the HTML code will be rendered (however, JavaScript is not executed). Changes are kept across users.
959 CVE-2020-8820 79 Exec Code XSS 2020-10-12 2020-10-16
3.5
None Remote Medium ??? None Partial None
An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the Cluster Shell Commands Endpoint. A user may enter any XSS Payload into the Command field and execute it. Then, after revisiting the Cluster Shell Commands Menu, the XSS Payload will be rendered and executed.
960 CVE-2020-8782 Exec Code 2020-10-06 2022-02-09
7.5
None Remote Low Not required Partial Partial Partial
Unauthenticated RPC server on ALEOS before 4.4.9, 4.9.5, and 4.14.0 allows remote code execution.
961 CVE-2020-8781 2020-10-06 2022-02-09
7.2
None Local Low Not required Complete Complete Complete
Lack of input sanitization in UpdateRebootMgr service of ALEOS 4.11 and later allow an escalation to root from a low-privilege process.
962 CVE-2020-8671 670 2020-10-05 2021-07-21
2.1
None Local Low Not required Partial None None
Insufficient control flow management in BIOS firmware 8th, 9th Generation Intel(R) Core(TM) Processors and Intel(R) Celeron(R) Processor 4000 Series may allow an authenticated user to potentially enable information disclosure via local access.
963 CVE-2020-8579 DoS 2020-10-27 2020-10-27
5.0
None Remote Low Not required None None Partial
Clustered Data ONTAP versions 9.7 through 9.7P7 are susceptible to a vulnerability which allows an attacker with access to an intercluster LIF to cause a Denial of Service (DoS).
964 CVE-2020-8350 287 Bypass 2020-10-14 2020-10-20
5.8
None Local Network Low Not required Partial Partial Partial
An authentication bypass vulnerability was reported in Lenovo ThinkPad Stack Wireless Router firmware version 1.1.3.4 that could allow escalation of privilege.
965 CVE-2020-8349 94 Exec Code 2020-10-14 2020-10-29
6.8
None Remote Medium Not required Partial Partial Partial
An internal security review has identified an unauthenticated remote code execution vulnerability in Cloud Networking Operating System (CNOS)’ optional REST API management interface. This interface is disabled by default and not vulnerable unless enabled. When enabled, it is only vulnerable where attached to a VRF and as allowed by defined ACLs. Lenovo strongly recommends upgrading to a non-vulnerable CNOS release. Where not possible, Lenovo recommends disabling the REST API management interface or restricting access to the management VRF and further limiting access to authorized management stations via ACL.
966 CVE-2020-8345 427 2020-10-14 2020-10-26
4.4
None Local Medium Not required Partial Partial Partial
A DLL search path vulnerability was reported in the Lenovo HardwareScan Plugin for the Lenovo Vantage hardware scan feature prior to version 1.0.46.11 that could allow escalation of privilege.
967 CVE-2020-8338 426 Exec Code 2020-10-14 2020-10-16
7.2
None Local Low Not required Complete Complete Complete
A DLL search path vulnerability was reported in Lenovo Diagnostics prior to version 4.35.4 that could allow a user with local access to execute code on the system.
968 CVE-2020-8332 367 Exec Code 2020-10-14 2020-10-29
6.9
None Local Medium Not required Complete Complete Complete
A potential vulnerability in the SMI callback function used in the legacy BIOS mode USB drivers in some legacy Lenovo and IBM System x servers may allow arbitrary code execution. Servers operating in UEFI mode are not affected.
969 CVE-2020-8263 79 XSS 2020-10-28 2021-08-17
3.5
None Remote Medium ??? None Partial None
A vulnerability in the authenticated user web interface of Pulse Connect Secure < 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) through the CGI file.
970 CVE-2020-8262 79 XSS 2020-10-28 2020-11-03
4.3
None Remote Medium Not required None Partial None
A vulnerability in the Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection for authenticated user web interface.
971 CVE-2020-8261 120 2020-10-28 2020-11-03
4.3
None Remote Medium Not required Partial None None
A vulnerability in the Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary cookie injection.
972 CVE-2020-8260 434 Exec Code 2020-10-28 2021-09-21
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.
973 CVE-2020-8255 2020-10-28 2021-08-17
4.0
None Remote Low ??? Partial None None
A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary file reading vulnerability is fixed using encrypted URL blacklisting that prevents these messages.
974 CVE-2020-8254 22 Exec Code Dir. Trav. 2020-10-28 2020-11-03
6.8
None Remote Medium Not required Partial Partial Partial
A vulnerability in the Pulse Secure Desktop Client < 9.1R9 has Remote Code Execution (RCE) if users can be convinced to connect to a malicious server. This vulnerability only affects Windows PDC.To improve the security of connections between Pulse clients and Pulse Connect Secure, see below recommendation(s):Disable Dynamic certificate trust for PDC.
975 CVE-2020-8250 2020-10-28 2021-08-17
4.6
None Local Low Not required Partial Partial Partial
A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to escalate privilege.
976 CVE-2020-8249 120 Overflow 2020-10-28 2021-08-17
4.6
None Local Low Not required Partial Partial Partial
A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to perform buffer overflow.
977 CVE-2020-8248 2020-10-28 2021-08-17
4.6
None Local Low Not required Partial Partial Partial
A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to escalate privilege.
978 CVE-2020-8241 2020-10-28 2021-08-17
5.1
None Remote High Not required Partial Partial Partial
A vulnerability in the Pulse Secure Desktop Client < 9.1R9 could allow the attacker to perform a MITM Attack if end users are convinced to connect to a malicious server.
979 CVE-2020-8240 2020-10-28 2020-11-03
6.9
None Local Medium Not required Complete Complete Complete
A vulnerability in the Pulse Secure Desktop Client < 9.1R9 allows a restricted user on an endpoint machine can use system-level privileges if the Embedded Browser is configured with Credential Provider. This vulnerability only affects Windows PDC if the Embedded Browser is configured with the Credential Provider.
980 CVE-2020-8239 2020-10-28 2021-08-17
7.5
None Remote Low Not required Partial Partial Partial
A vulnerability in the Pulse Secure Desktop Client < 9.1R9 is vulnerable to the client registry privilege escalation attack. This fix also requires Server Side Upgrade due to Standalone Host Checker Client (Windows) and Windows PDC.
981 CVE-2020-8235 639 2020-10-05 2020-10-13
4.0
None Remote Low ??? Partial None None
Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an attacker to view all attachments.
982 CVE-2020-8228 307 2020-10-05 2020-10-20
5.0
None Remote Low Not required None None Partial
A missing rate limit in the Preferred Providers app 1.7.0 allowed an attacker to set the password an uncontrolled amount of times.
983 CVE-2020-8223 269 2020-10-05 2022-01-01
3.5
None Remote Medium ??? None Partial None
A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves.
984 CVE-2020-8182 281 2020-10-05 2020-10-14
6.0
None Remote Medium ??? Partial Partial Partial
Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permissions than they had themselves.
985 CVE-2020-8110 824 2020-10-02 2020-10-09
5.0
None Remote Low Not required None None Partial
A vulnerability has been discovered in the ceva_emu.cvd module that results from a lack of proper validation of user-supplied data, which can result in a pointer that is fetched from uninitialized memory. This can lead to denial-of-service. This issue affects: Bitdefender Engines version 7.84897 and prior versions.
986 CVE-2020-8109 787 2020-10-01 2020-10-14
5.0
None Remote Low Not required None None Partial
A vulnerability has been discovered in the ace.xmd parser that results from a lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. This can result in denial-of-service. This issue affects: Bitdefender Engines version 7.84892 and prior versions.
987 CVE-2020-7811 502 Exec Code 2020-10-12 2020-10-19
4.6
None Local Low Not required Partial Partial Partial
Samsung Update 3.0.2.0 ~ 3.0.32.0 has a vulnerability that allows privilege escalation as commands crafted by attacker are executed while the engine deserializes the data received during inter-process communication
988 CVE-2020-7760 400 2020-10-30 2022-05-12
5.0
None Remote Low Not required None None Partial
This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/*.*?*/)*
989 CVE-2020-7759 89 Sql 2020-10-30 2020-11-03
6.5
None Remote Low ??? Partial Partial Partial
The package pimcore/pimcore from 6.7.2 and before 6.8.3 are vulnerable to SQL Injection in data classification functionality in ClassificationstoreController. This can be exploited by sending a specifically-crafted input in the relationIds parameter as demonstrated by the following request: http://vulnerable.pimcore.example/admin/classificationstore/relations?relationIds=[{"keyId"%3a"''","groupId"%3a"'asd'))+or+1%3d1+union+(select+1,2,3,4,5,6,name,8,password,'',11,12,'',14+from+users)+--+"}]
990 CVE-2020-7755 DoS 2020-10-27 2021-07-21
5.0
None Remote Low Not required None None Partial
All versions of package dat.gui are vulnerable to Regular Expression Denial of Service (ReDoS) via specifically crafted rgb and rgba values.
991 CVE-2020-7754 2020-10-27 2020-10-27
5.0
None Remote Low Not required None None Partial
This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
992 CVE-2020-7753 400 DoS 2020-10-27 2022-04-26
5.0
None Remote Low Not required None None Partial
All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().
993 CVE-2020-7752 77 Exec Code 2020-10-26 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.
994 CVE-2020-7751 1321 2020-10-26 2022-04-08
6.5
None Remote Low ??? Partial Partial Partial
pathval before version 1.1.1 is vulnerable to prototype pollution.
995 CVE-2020-7750 79 XSS 2020-10-21 2020-12-02
6.8
None Remote Medium Not required Partial Partial Partial
This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.
996 CVE-2020-7749 918 XSS 2020-10-20 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
This affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping ({{{ ... }}}). As such, it is possible for an attacker to inject arbitrary HTML/JS code and depending on the context. It will be outputted as an HTML on the page which gives opportunity for XSS or rendered on the server (puppeteer) which also gives opportunity for SSRF and Local File Read.
997 CVE-2020-7748 400 2020-10-20 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
This affects the package @tsed/core before 5.65.7. This vulnerability relates to the deepExtend function which is used as part of the utils directory. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.
998 CVE-2020-7747 79 XSS 2020-10-20 2020-10-22
3.5
None Remote Medium ??? None Partial None
This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller.
999 CVE-2020-7746 20 2020-10-29 2021-07-21
5.0
None Remote Low Not required None None Partial
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.
1000 CVE-2020-7745 94 Exec Code 2020-10-19 2020-10-21
10.0
None Remote Low Not required Complete Complete Complete
This affects the package MintegralAdSDK before 6.6.0.0. The SDK distributed by the company contains malicious functionality that acts as a backdoor. Mintegral and their partners (advertisers) can remotely execute arbitrary code on a user device.
Total number of vulnerabilities : 1563   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 (This Page)21 22 23 24 25 26 27 28 29 30 31 32
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.