| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1051 |
CVE-2020-16608 |
79 |
|
Exec Code XSS |
2020-12-10 |
2020-12-11 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Notable 1.8.4 allows XSS via crafted Markdown text, with resultant remote code execution (because nodeIntegration in webPreferences is true). |
|
1052 |
CVE-2020-16600 |
416 |
|
|
2020-12-09 |
2020-12-14 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A Use After Free vulnerability exists in Artifex Software, Inc. MuPDF library 1.17.0-rc1 and earlier when a valid page was followed by a page with invalid pixmap dimensions, causing bander - a static - to point to previously freed memory instead of a newband_writer. |
|
1053 |
CVE-2020-16599 |
476 |
|
DoS |
2020-12-09 |
2022-03-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in _bfd_elf_get_symbol_version_string, as demonstrated in nm-new, that can cause a denial of service via a crafted file. |
|
1054 |
CVE-2020-16593 |
476 |
|
DoS |
2020-12-09 |
2021-04-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in scan_unit_for_symbols, as demonstrated in addr2line, that can cause a denial of service via a crafted file. |
|
1055 |
CVE-2020-16592 |
416 |
|
DoS |
2020-12-09 |
2021-01-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
A use after free issue exists in the Binary File Descriptor (BFD) library (aka libbfd) in GNU Binutils 2.34 in bfd_hash_lookup, as demonstrated in nm-new, that can cause a denial of service via a crafted file. |
|
1056 |
CVE-2020-16591 |
125 |
|
DoS |
2020-12-09 |
2022-03-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
A Denial of Service vulnerability exists in the Binary File Descriptor (BFD) in GNU Binutils 2.35 due to an invalid read in process_symbol_table, as demonstrated in readeif. |
|
1057 |
CVE-2020-16590 |
415 |
|
|
2020-12-09 |
2022-03-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
A double free vulnerability exists in the Binary File Descriptor (BFD) (aka libbrd) in GNU Binutils 2.35 in the process_symbol_table, as demonstrated in readelf, via a crafted file. |
|
1058 |
CVE-2020-16589 |
787 |
|
DoS Overflow |
2020-12-09 |
2020-12-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
A head-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.cpp that can cause a denial of service via a crafted EXR file. |
|
1059 |
CVE-2020-16588 |
476 |
|
DoS |
2020-12-09 |
2020-12-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp that can cause a denial of service via a crafted EXR file. |
|
1060 |
CVE-2020-16587 |
787 |
|
DoS Overflow |
2020-12-09 |
2021-07-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file. |
|
1061 |
CVE-2020-16268 |
269 |
|
+Priv |
2020-12-29 |
2021-07-21 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote authenticated users and local users to gain elevated privileges via the repair option. This applies to installations that have a TRANSFORM (MST) with the option to disable the installation of the Nomad module. An attacker may craft a .reg file in a specific location that will be able to write to any registry key as an elevated user. |
|
1062 |
CVE-2020-16128 |
209 |
|
|
2020-12-09 |
2020-12-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The aptdaemon DBus interface disclosed file existence disclosure by setting Terminal/DebconfSocket properties, aka GHSL-2020-192 and GHSL-2020-196. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5. |
|
1063 |
CVE-2020-16123 |
362 |
|
|
2020-12-04 |
2020-12-10 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An Ubuntu-specific patch in PulseAudio created a race condition where the snap policy module would fail to identify a client connection from a snap as coming from a snap if SCM_CREDENTIALS were missing, allowing the snap to connect to PulseAudio without proper confinement. This could be exploited by an attacker to expose sensitive information. Fixed in 1:13.99.3-1ubuntu2, 1:13.99.2-1ubuntu2.1, 1:13.99.1-1ubuntu3.8, 1:11.1-1ubuntu7.11, and 1:8.0-0ubuntu3.15. |
|
1064 |
CVE-2020-16104 |
89 |
|
Exec Code +Priv Sql |
2020-12-14 |
2020-12-16 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL Injection vulnerability in Enterprise Data Interface of Gallagher Command Centre allows a remote attacker with 'Edit Enterprise Data Interfaces' privilege to execute arbitrary SQL against a third party database if EDI is configured to import data from this database. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1236(MR1); 8.20 versions prior to 8.20.1166(MR3); 8.10 versions prior to 8.10.1211(MR5); 8.00 versions prior to 8.00.1228(MR6); version 7.90 and prior versions. |
|
1065 |
CVE-2020-16103 |
843 |
|
Exec Code |
2020-12-14 |
2022-04-25 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Type confusion in Gallagher Command Centre Server allows a remote attacker to crash the server or possibly cause remote code execution. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1236(MR1); 8.20 versions prior to 8.20.1166(MR3); 8.10 versions prior to 8.10.1211(MR5); version 8.00 and prior versions. |
|
1066 |
CVE-2020-16102 |
306 |
|
|
2020-12-14 |
2021-11-18 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
Improper Authentication vulnerability in Gallagher Command Centre Server allows an unauthenticated remote attacker to create items with invalid configuration, potentially causing the server to crash and fail to restart. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1299(MR2); 8.20 versions prior to 8.20.1218(MR4); 8.10 versions prior to 8.10.1253(MR6); 8.00 versions prior to 8.00.1252(MR7); version 7.90 and prior versions. |
|
1067 |
CVE-2020-15898 |
|
|
|
2020-12-28 |
2021-01-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
In Arista EOS malformed packets can be incorrectly forwarded across VLAN boundaries in one direction. This vulnerability is only susceptible to exploitation by unidirectional traffic (ex. UDP) and not bidirectional traffic (ex. TCP). This affects: EOS 7170 platforms version 4.21.4.1F and below releases in the 4.21.x train; EOS X-Series versions 4.21.11M and below releases in the 4.21.x train; 4.22.6M and below releases in the 4.22.x train; 4.23.4M and below releases in the 4.23.x train; 4.24.2.1F and below releases in the 4.24.x train. |
|
1068 |
CVE-2020-15796 |
248 |
|
|
2020-12-14 |
2020-12-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A vulnerability has been identified in SIMATIC ET 200SP Open Controller (incl. SIPLUS variants) (V20.8), SIMATIC S7-1500 Software Controller (V20.8). The web server of the affected products contains a vulnerability that could allow a remote attacker to trigger a denial-of-service condition by sending a specially crafted HTTP request. |
|
1069 |
CVE-2020-15733 |
346 |
|
|
2020-12-14 |
2020-12-16 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
An Origin Validation Error vulnerability in the SafePay component of Bitdefender Antivirus Plus allows a web resource to misrepresent itself in the URL bar. This issue affects: Bitdefender Antivirus Plus versions prior to 25.0.7.29. |
|
1070 |
CVE-2020-15376 |
|
|
|
2020-12-11 |
2021-09-09 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Brocade Fabric OS versions before v9.0.0 and after version v8.1.0, configured in Virtual Fabric mode contain a weakness in the ldap implementation that could allow a remote ldap user to login in the Brocade Fibre Channel SAN switch with "user" privileges if it is not associated with any groups. |
|
1071 |
CVE-2020-15375 |
20 |
|
|
2020-12-11 |
2021-06-22 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Brocade Fabric OS versions before v9.0.0, v8.2.2c, v8.2.1e, v8.1.2k, v8.2.0_CBN3, v7.4.2g contain an improper input validation weakness in the command line interface when secccrypptocfg is invoked. The vulnerability could allow a local authenticated user to run arbitrary commands and perform escalation of privileges. |
|
1072 |
CVE-2020-15357 |
78 |
|
Exec Code |
2020-12-11 |
2022-04-26 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Network Analysis functionality in Askey AP5100W_Dual_SIG_1.01.097 and all prior versions allows remote attackers to execute arbitrary commands via a shell metacharacter in the ping, traceroute, or route options. |
|
1073 |
CVE-2020-15294 |
|
|
Exec Code |
2020-12-17 |
2020-12-22 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Compiler Optimization Removal or Modification of Security-critical Code vulnerability in IntPeParseUnwindData() results in multiple dereferences to the same pointer. If the pointer is located in memory-mapped from the guest space, this may cause a race-condition where the generated code would dereference the same address twice, thus obtaining different values, which may lead to arbitrary code execution. This issue affects: Bitdefender Hypervisor Introspection versions prior to 1.132.2. |
|
1074 |
CVE-2020-15293 |
20 |
|
DoS Mem. Corr. |
2020-12-17 |
2020-12-22 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Memory corruption in IntLixCrashDumpDmesg, IntLixTaskFetchCmdLine, IntLixFileReadDentry and IntLixFileGetPath due to insufficient guest-data input validation may lead to denial of service conditions. |
|
1075 |
CVE-2020-15292 |
20 |
|
|
2020-12-17 |
2020-12-22 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Lack of validation on data read from guest memory in IntPeGetDirectory, IntPeParseUnwindData, IntLogExceptionRecord, IntKsymExpandSymbol and IntLixTaskDumpTree may lead to out-of-bounds read or it could cause DoS due to integer-overflor (IntPeGetDirectory), TOCTOU (IntPeParseUnwindData) or insufficient validations. |
|
1076 |
CVE-2020-15257 |
669 |
|
+Priv |
2020-12-01 |
2022-01-01 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container. |
|
1077 |
CVE-2020-15023 |
330 |
|
|
2020-12-11 |
2020-12-17 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Askey AP5100W devices through AP5100W_Dual_SIG_1.01.097 are affected by WPS PIN offline brute-force cracking. This arises because of issues with the random number selection for the Diffie-Hellman exchange. By capturing an attempted (and even failed) WPS authentication attempt, it is possible to brute force the overall authentication exchange. This allows an attacker to obtain the recovered WPS PIN in minutes or even seconds, and eventually obtain the Wi-Fi PSK key, gaining access to the Wi=Fi network. |
|
1078 |
CVE-2020-14874 |
|
|
DoS |
2020-12-22 |
2021-05-10 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Vulnerability in the Oracle Cloud Infrastructure Identity and Access Management product of Oracle Cloud Services. Easily exploitable vulnerability allows high privileged attacker with network access to compromise Oracle Cloud Infrastructure Identity and Access Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Cloud Infrastructure Identity and Access Management accessible data as well as unauthorized read access to a subset of Oracle Cloud Infrastructure Identity and Access Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Cloud Infrastructure Identity and Access Management. |
|
1079 |
CVE-2020-14383 |
|
|
|
2020-12-02 |
2020-12-24 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
A flaw was found in samba's DNS server. An authenticated user could use this flaw to the RPC server to crash. This RPC server, which also serves protocols other than dnsserver, will be restarted after a short delay, but it is easy for an authenticated non administrative attacker to crash it again as soon as it returns. The Samba DNS server itself will continue to operate, but many RPC services will not. |
|
1080 |
CVE-2020-14381 |
416 |
|
|
2020-12-03 |
2020-12-08 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
A flaw was found in the Linux kernel’s futex implementation. This flaw allows a local attacker to corrupt system memory or escalate their privileges when creating a futex on a filesystem that is about to be unmounted. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. |
|
1081 |
CVE-2020-14369 |
352 |
|
CSRF |
2020-12-02 |
2020-12-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
This release fixes a Cross Site Request Forgery vulnerability was found in Red Hat CloudForms which forces end users to execute unwanted actions on a web application in which the user is currently authenticated. An attacker can make a forgery HTTP request to the server by crafting custom flash file which can force the user to perform state changing requests like provisioning VMs, running ansible playbooks and so forth. |
|
1082 |
CVE-2020-14368 |
352 |
|
CSRF |
2020-12-14 |
2021-01-04 |
4.6 |
None |
Remote |
High |
??? |
Partial |
Partial |
Partial |
|
A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request Forgery (CSRF) and consequently allowing a cross-site WebSocket hijack on Theia IDE. This flaw allows an attacker to gain full access to the victim's workspace through the /services endpoint. To perform a successful attack, the attacker conducts a Man-in-the-middle attack (MITM) and tricks the victim into executing a request via an untrusted link, which performs the CSRF and the Socket hijack. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. |
|
1083 |
CVE-2020-14351 |
416 |
|
|
2020-12-03 |
2021-11-04 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
|
1084 |
CVE-2020-14339 |
772 |
|
+Priv |
2020-12-03 |
2021-02-09 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
A flaw was found in libvirt, where it leaked a file descriptor for `/dev/mapper/control` into the QEMU process. This file descriptor allows for privileged operations to happen against the device-mapper on the host. This flaw allows a malicious guest user or process to perform operations outside of their standard permissions, potentially causing serious damage to the host operating system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. |
|
1085 |
CVE-2020-14318 |
266 |
|
|
2020-12-03 |
2022-01-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
A flaw was found in the way samba handled file and directory permissions. An authenticated user could use this flaw to gain access to certain file and directory information which otherwise would be unavailable to the attacker. |
|
1086 |
CVE-2020-14305 |
787 |
|
DoS |
2020-12-02 |
2020-12-10 |
8.3 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Complete |
|
An out-of-bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. |
|
1087 |
CVE-2020-14302 |
294 |
|
|
2020-12-15 |
2020-12-18 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter. This flaw allows a malicious user to perform replay attacks. |
|
1088 |
CVE-2020-14273 |
20 |
|
DoS |
2020-12-28 |
2021-11-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
HCL Domino is susceptible to a Denial of Service (DoS) vulnerability due to insufficient validation of input to its public API. An unauthenticated attacker could could exploit this vulnerability to crash the Domino server. |
|
1089 |
CVE-2020-14271 |
79 |
|
XSS |
2020-12-18 |
2020-12-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
HCL iNotes v9, v10 and v11 is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability due to improper handling of message content. An unauthenticated remote attacker could exploit this vulnerability using specially-crafted markup to execute script in a victim's web browser within the security context of the hosting Web site and/or steal the victim's cookie-based authentication credentials. |
|
1090 |
CVE-2020-14270 |
209 |
|
+Info |
2020-12-22 |
2021-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
HCL Domino v9, v10, v11 is susceptible to an Information Disclosure vulnerability in XPages due to improper error handling of user input. An unauthenticated attacker could exploit this vulnerability to obtain information about the XPages software running on the Domino server. |
|
1091 |
CVE-2020-14268 |
787 |
|
Exec Code Overflow |
2020-12-14 |
2020-12-15 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
A vulnerability in the MIME message handling of the Notes client (versions 9 and 10) could potentially be exploited by an unauthenticated attacker resulting in a stack buffer overflow. This could allow a remote attacker to crash the client or inject code into the system which would execute with the privileges of the client. |
|
1092 |
CVE-2020-14260 |
120 |
|
Exec Code Overflow |
2020-12-02 |
2020-12-04 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
HCL Domino is susceptible to a Buffer Overflow vulnerability in DXL due to improper validation of user input. A successful exploit could enable an attacker to crash Domino or execute attacker-controlled code on the server system. |
|
1093 |
CVE-2020-14254 |
311 |
|
|
2020-12-16 |
2021-07-21 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
TLS-RSA cipher suites are not disabled in HCL BigFix Inventory up to v10.0.2. If TLS 2.0 and secure ciphers are not enabled then an attacker can passively record traffic and later decrypt it. |
|
1094 |
CVE-2020-14248 |
319 |
|
|
2020-12-16 |
2020-12-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
BigFix Inventory up to v10.0.2 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. |
|
1095 |
CVE-2020-14244 |
787 |
|
Exec Code Overflow |
2020-12-14 |
2020-12-16 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
A vulnerability in the MIME message handling of the Domino server (versions 9 and 10) could potentially be exploited by an unauthenticated attacker resulting in a stack buffer overflow. This could allow a remote attacker to crash the server or inject code into the system which would execute with the privileges of the server. |
|
1096 |
CVE-2020-14232 |
|
|
Exec Code Overflow |
2020-12-18 |
2020-12-21 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
A vulnerability in the input parameter handling of HCL Notes v9 could potentially be exploited by an authenticated attacker resulting in a stack buffer overflow. This could allow the attacker to crash the program or inject code into the system which would execute with the privileges of the currently logged in user. |
|
1097 |
CVE-2020-14231 |
787 |
|
Exec Code Overflow |
2020-12-22 |
2021-07-21 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
A vulnerability in the input parameter handling of HCL Client Application Access v9 could potentially be exploited by an authenticated attacker resulting in a stack buffer overflow. This could allow the attacker to crash the program or inject code into the system which would execute with the privileges of the currently logged in user. |
|
1098 |
CVE-2020-14225 |
|
|
|
2020-12-21 |
2020-12-23 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
HCL iNotes is susceptible to a Tabnabbing vulnerability caused by improper sanitization of message content. A remote unauthenticated attacker could use this vulnerability to trick the end user into entering sensitive information such as credentials, e.g. as part of a phishing attack. |
|
1099 |
CVE-2020-14224 |
787 |
|
Exec Code Overflow |
2020-12-18 |
2020-12-22 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
A vulnerability in the MIME message handling of the HCL Notes v9 client could potentially be exploited by an unauthenticated attacker resulting in a stack buffer overflow. This could allow a remote attacker to crash the Notes application or inject code into the system which would execute with the privileges of the currently logged-in user. |
|
1100 |
CVE-2020-14207 |
89 |
|
Sql |
2020-12-08 |
2020-12-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The DiveBook plugin 1.1.4 for WordPress was prone to a SQL injection within divelog.php, allowing unauthenticated users to retrieve data from the database via the divelog.php filter_diver parameter. |
