CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In February 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
951 CVE-2019-11189 290 Bypass 2020-02-20 2020-02-28
5.0
None Remote Low Not required None Partial None
Authentication Bypass by Spoofing in org.onosproject.acl (access control) and org.onosproject.mobility (host mobility) in ONOS v2.0 and earlier allows attackers to bypass network access control via data plane packet injection. To exploit the vulnerability, an attacker sends a gratuitous ARP reply that causes the host mobility application to remove existing access control flow denial rules in the network. The access control application does not re-install flow deny rules, so the attacker can bypass the intended access control policy.
952 CVE-2019-10805 668 Bypass 2020-02-28 2020-03-05
5.0
None Remote Low Not required None Partial None
valib through 2.0.0 allows Internal Property Tampering. A maliciously crafted JavaScript object can bypass several inspection functions provided by valib. Valib uses a built-in function (hasOwnProperty) from the unsafe user-input to examine an object. It is possible for a crafted payload to overwrite this function to manipulate the inspection results to bypass security checks.
953 CVE-2019-10804 78 Exec Code 2020-02-28 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
serial-number through 1.3.0 allows execution of arbritary commands. The "cmdPrefix" argument in serialNumber function is used by the "exec" function without any validation.
954 CVE-2019-10803 78 Exec Code 2020-02-28 2020-03-03
7.5
None Remote Low Not required Partial Partial Partial
push-dir through 0.4.1 allows execution of arbritary commands. Arguments provided as part of the variable "opt.branch" is not validated before being provided to the "git" command within "index.js#L139". This could be abused by an attacker to inject arbitrary commands.
955 CVE-2019-10802 78 Exec Code 2020-02-28 2020-03-03
7.5
None Remote Low Not required Partial Partial Partial
giting version prior to 0.0.8 allows execution of arbritary commands. The first argument "repo" of function "pull()" is executed by the package without any validation.
956 CVE-2019-10801 78 Exec Code 2020-02-28 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
enpeem through 2.2.0 allows execution of arbitrary commands. The "options.dir" argument is provided to the "exec" function without any sanitization.
957 CVE-2019-10799 78 Exec Code 2020-02-24 2022-01-01
8.5
None Remote Low Not required Complete Partial None
compile-sass prior to 1.0.5 allows execution of arbritary commands. The function "setupCleanupOnExit(cssPath)" within "dist/index.js" is executed as part of the "rm" command without any sanitization.
958 CVE-2019-10798 2020-02-24 2020-03-05
5.0
None Remote Low Not required None Partial None
rdf-graph-array through 0.3.0-rc6 manipulation of JavaScript objects resutling in Prototype Pollution. The rdf.Graph.prototype.add method could be tricked into adding or modifying properties of Object.prototype.
959 CVE-2019-10797 Http R.Spl. 2020-02-19 2020-03-02
4.3
None Remote Medium Not required None Partial None
Netty in WSO2 transport-http before v6.3.1 is vulnerable to HTTP Response Splitting due to HTTP Header validation being disabled.
960 CVE-2019-10796 78 Exec Code 2020-02-24 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
rpi through 0.0.3 allows execution of arbritary commands. The variable pinNumbver in function GPIO within src/lib/gpio.js is used as part of the arguement of exec function without any sanitization.
961 CVE-2019-10795 74 2020-02-18 2020-02-27
6.5
None Remote Low ??? Partial Partial Partial
undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
962 CVE-2019-10794 74 2020-02-18 2020-03-06
6.5
None Remote Low ??? Partial Partial Partial
All versions of component-flatten are vulnerable to Prototype Pollution. The a function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
963 CVE-2019-10793 74 2020-02-18 2020-02-27
6.5
None Remote Low ??? Partial Partial Partial
dot-object before 2.1.3 is vulnerable to Prototype Pollution. The set function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
964 CVE-2019-10792 74 2020-02-18 2020-02-27
6.5
None Remote Low ??? Partial Partial Partial
bodymen before 1.1.1 is vulnerable to Prototype Pollution. The handler function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
965 CVE-2019-10791 78 2020-02-18 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
promise-probe before 0.10.0 allows remote attackers to perform a command injection attack. The file, outputFile and options functions can be controlled by users without any sanitization.
966 CVE-2019-10790 20 2020-02-17 2021-07-21
5.0
None Remote Low Not required Partial None None
taffy through 2.6.2 allows attackers to forge adding additional properties into user-input processed by taffy which can allow access to any data items in the DB. taffy sets an internal index for each data item in its DB. However, it is found that the internal index can be forged by adding additional properties into user-input. If index is found in the query, taffyDB will ignore other query conditions and directly return the indexed data item. Moreover, the internal index is in an easily-guessable format (e.g., T000002R000001). As such, attackers can use this vulnerability to access any data items in the DB.
967 CVE-2019-10789 78 2020-02-06 2020-02-07
10.0
None Remote Low Not required Complete Complete Complete
All versions of curling.js are vulnerable to Command Injection via the run function. The command argument can be controlled by users without any sanitization.
968 CVE-2019-10788 78 Exec Code 2020-02-04 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
im-metadata through 3.0.1 allows remote attackers to execute arbitrary commands via the "exec" argument. It is possible to inject arbitrary commands as part of the metadata options which is given to the "exec" function.
969 CVE-2019-10787 78 Exec Code 2020-02-04 2020-08-24
10.0
None Remote Low Not required Complete Complete Complete
im-resize through 2.3.2 allows remote attackers to execute arbitrary commands via the "exec" argument. The cmd argument used within index.js, can be controlled by user without any sanitization.
970 CVE-2019-10786 20 Exec Code 2020-02-04 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
network-manager through 1.0.2 allows remote attackers to execute arbitrary commands via the "execSync()" argument.
971 CVE-2019-10785 79 XSS 2020-02-13 2020-04-09
4.3
None Remote Medium Not required None Partial None
dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.
972 CVE-2019-10784 352 Exec Code CSRF 2020-02-04 2020-02-12
9.3
None Remote Medium Not required Complete Complete Complete
phppgadmin through 7.12.1 allows sensitive actions to be performed without validating that the request originated from the application. One such area, "database.php" does not verify the source of an HTTP request. This can be leveraged by a remote attacker to trick a logged-in administrator to visit a malicious page with a CSRF exploit and execute arbitrary system commands on the server.
973 CVE-2019-10590 129 2020-02-07 2020-02-10
10.0
None Remote Low Not required Complete Complete Complete
Out of bound access while parsing dts atom, which is non-standard as it does not have valid number of tracks in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
974 CVE-2019-10567 Exec Code 2020-02-07 2020-02-10
7.2
None Local Low Not required Complete Complete Complete
There is a way to deceive the GPU kernel driver into thinking there is room in the GPU ringbuffer and overwriting existing commands could allow unintended GPU opcodes to be executed in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
975 CVE-2019-10064 331 2020-02-28 2022-01-01
5.0
None Remote Low Not required None None Partial
hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743.
976 CVE-2019-9674 400 DoS 2020-02-04 2020-07-27
5.0
None Remote Low Not required None None Partial
Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.
977 CVE-2019-9502 787 Exec Code Overflow 2020-02-03 2020-02-10
8.3
None Local Network Low Not required Complete Complete Complete
The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.
978 CVE-2019-9501 787 Exec Code Overflow 2020-02-03 2020-02-10
8.3
None Local Network Low Not required Complete Complete Complete
The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. By supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.
979 CVE-2019-8741 835 DoS 2020-02-28 2020-04-01
7.8
None Remote Low Not required None None Complete
A denial of service issue was addressed with improved input validation.
980 CVE-2019-7007 22 Dir. Trav. 2020-02-28 2020-03-06
5.0
None Remote Low Not required Partial None None
A directory traversal vulnerability has been found in the Avaya Equinox Management(iView)versions R9.1.9.0 and earlier. Successful exploitation could potentially allow an unauthenticated attacker to access files that are outside the restricted directory on the remote server.
981 CVE-2019-6744 287 +Info 2020-02-10 2020-10-19
2.1
None Local Low Not required Partial None None
This vulnerability allows local attackers to disclose sensitive information on affected installations of Samsung Knox 1.2.02.39 on Samsung Galaxy S9 build G9600ZHS3ARL1 Secure Folder. An attacker must first obtain physical access to the device in order to exploit this vulnerability. The specific flaws exists within the the handling of the lock screen for Secure Folder. The issue results from the lack of proper validation that a user has correctly authenticated. An attacker can leverage this vulnerability to disclose the contents of the secure container. Was ZDI-CAN-7381.
982 CVE-2019-6195 269 Bypass 2020-02-14 2020-03-04
2.1
None Remote High ??? Partial None None
An authorization bypass exists in Lenovo XClarity Controller (XCC) versions prior to 3.08 CDI340V, 3.01 TEI392O, 1.71 PSI328N where a valid authenticated user with lesser privileges may be granted read-only access to higher-privileged information if 1) “LDAP Authentication Only with Local Authorization” mode is configured and used by XCC, and 2) a lesser privileged user logs into XCC within 1 minute of a higher privileged user logging out. The authorization bypass does not exist when “Local Authentication and Authorization” or “LDAP Authentication and Authorization” modes are configured and used by XCC.
983 CVE-2019-6194 611 2020-02-14 2020-02-21
4.3
None Remote Medium Not required Partial None None
An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.6.6 that could allow information disclosure.
984 CVE-2019-6193 200 +Info 2020-02-14 2020-02-24
5.0
None Remote Low Not required Partial None None
An information disclosure vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.6.6 that could allow unauthenticated access to some configuration files which may contain usernames, license keys, IP addresses, and encrypted password hashes.
985 CVE-2019-6190 665 DoS 2020-02-14 2020-03-16
2.1
None Local Low Not required None None Partial
Lenovo was notified of a potential denial of service vulnerability, affecting various versions of BIOS for Lenovo Desktop, Desktop - All in One, and ThinkStation, that could cause PCRs to be cleared intermittently after resuming from sleep (S3) on systems with Intel TXT enabled.
986 CVE-2019-5613 345 2020-02-18 2020-03-05
7.5
None Remote Low Not required Partial Partial Partial
In FreeBSD 12.0-RELEASE before 12.0-RELEASE-p13, a missing check in the ipsec packet processor allows reinjection of an old packet to be accepted by the ipsec endpoint. Depending on the higher-level protocol in use over ipsec, this could allow an action to be repeated.
987 CVE-2019-5326 502 Exec Code 2020-02-27 2020-03-03
6.5
None Remote Low ??? Partial Partial Partial
An administrative application user of or application user with write access to Aruba Airwave VisualRF is able to obtain code execution on the AMP platform. This is possible due to the ability to overwrite a file on disk which is subsequently deserialized by the Java application component.
988 CVE-2019-5323 77 Exec Code 2020-02-27 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
There are command injection vulnerabilities present in the AirWave application. Certain input fields controlled by an administrative user are not properly sanitized before being parsed by AirWave. If conditions are met, an attacker can obtain command execution on the host.
989 CVE-2019-5322 2020-02-13 2020-08-24
5.0
None Remote Low Not required Partial None None
A remotely exploitable information disclosure vulnerability is present in Aruba Intelligent Edge Switch models 5400, 3810, 2920, 2930, 2530 with GigT port, 2530 10/100 port, or 2540. The vulnerability impacts firmware 16.08.* before 16.08.0009, 16.09.* before 16.09.0007 and 16.10.* before 16.10.0003. The vulnerability allows an attacker to retrieve sensitive system information. This attack can be carried out without user authentication under very specific conditions.
990 CVE-2019-5187 787 Exec Code 2020-02-14 2022-06-13
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable out-of-bounds write vulnerability exists in the TIFreadstripdata function of the igcore19d.dll library of Accusoft ImageGear 19.5.0. A specially crafted TIFF file file can cause an out-of-bounds write, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
991 CVE-2019-5165 287 Bypass 2020-02-25 2022-06-13
6.5
None Remote Low ??? Partial Partial Partial
An exploitable authentication bypass vulnerability exists in the hostname processing of the Moxa AWK-3131A firmware version 1.13. A specially configured device hostname can cause the device to interpret select remote traffic as local traffic, resulting in a bypass of web authentication. An attacker can send authenticated SNMP requests to trigger this vulnerability.
992 CVE-2019-5162 2020-02-25 2022-06-13
9.0
None Remote Low ??? Complete Complete Complete
An exploitable improper access control vulnerability exists in the iw_webs account settings functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause the overwrite of an existing user account password, resulting in remote shell access to the device as that user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.
993 CVE-2019-5153 787 Exec Code Overflow 2020-02-25 2022-06-13
6.5
None Remote Low ??? Partial Partial Partial
An exploitable remote code execution vulnerability exists in the iw_webs configuration parsing functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause an overflow of an error message buffer, resulting in remote code execution. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.
994 CVE-2019-5148 191 2020-02-25 2022-06-13
5.0
None Remote Low Not required None None Partial
An exploitable denial-of-service vulnerability exists in ServiceAgent functionality of the Moxa AWK-3131A, firmware version 1.13. A specially crafted packet can cause an integer underflow, triggering a large memcpy that will access unmapped or out-of-bounds memory. An attacker can send this packet while unauthenticated to trigger this vulnerability.
995 CVE-2019-5143 134 Exec Code Overflow 2020-02-25 2022-06-13
6.5
None Remote Low ??? Partial Partial Partial
An exploitable format string vulnerability exists in the iw_console conio_writestr functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted time server entry can cause an overflow of the time server buffer, resulting in remote code execution. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.
996 CVE-2019-5142 78 Exec Code 2020-02-25 2022-06-13
9.0
None Remote Low ??? Complete Complete Complete
An exploitable command injection vulnerability exists in the hostname functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted entry to network configuration information can cause execution of arbitrary system commands, resulting in full control of the device. An attacker can send various authenticated requests to trigger this vulnerability.
997 CVE-2019-5141 78 2020-02-25 2022-06-13
6.5
None Remote Low ??? Partial Partial Partial
An exploitable command injection vulnerability exists in the iw_webs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted iw_serverip parameter can cause user input to be reflected in a subsequent iw_system call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.
998 CVE-2019-5140 78 2020-02-25 2022-06-13
6.5
None Remote Low ??? Partial Partial Partial
An exploitable command injection vulnerability exists in the iwwebs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted diagnostic script file name can cause user input to be reflected in a subsequent iwsystem call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.
999 CVE-2019-5139 798 2020-02-25 2022-06-13
3.6
None Local Low Not required Partial Partial None
An exploitable use of hard-coded credentials vulnerability exists in multiple iw_* utilities of the Moxa AWK-3131A firmware version 1.13. The device operating system contains an undocumented encryption password, allowing for the creation of custom diagnostic scripts.
1000 CVE-2019-5138 78 Exec Code 2020-02-25 2022-06-13
9.0
None Remote Low ??? Complete Complete Complete
An exploitable command injection vulnerability exists in encrypted diagnostic script functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted diagnostic script file can cause arbitrary busybox commands to be executed, resulting in remote control over the device. An attacker can send diagnostic while authenticated as a low privilege user to trigger this vulnerability.
Total number of vulnerabilities : 1395   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 (This Page)21 22 23 24 25 26 27 28
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.