CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In February 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1101 CVE-2015-3612 79 XSS 2020-02-04 2020-02-05
3.5
None Remote Medium ??? None Partial None
A Cross-site Scripting (XSS) vulnerability exists in FortiManager 5.2.1 and earlier and 5.0.10 and earlier via an unspecified parameter in the FortiWeb auto update service page.
1102 CVE-2015-3611 78 2020-02-04 2020-02-05
9.0
None Remote Low ??? Complete Complete Complete
A Command Injection vulnerability exists in FortiManager 5.2.1 and earlier and FortiManager 5.0.10 and earlier via unspecified vectors, which could let a malicious user run systems commands when executing a report.
1103 CVE-2015-3423 89 Exec Code Sql 2020-02-08 2020-02-12
6.5
None Remote Low ??? Partial Partial Partial
Multiple SQL injection vulnerabilities in NetCracker Resource Management System before 8.2 allow remote authenticated users to execute arbitrary SQL commands via the (1) ctrl, (2) h____%2427, (3) h____%2439, (4) param0, (5) param1, (6) param2, (7) param3, (8) param4, (9) filter_INSERT_COUNT, (10) filter_MINOR_FALLOUT, (11) filter_UPDATE_COUNT, (12) sort, or (13) sessid parameter.
1104 CVE-2015-3309 22 Dir. Trav. 2020-02-13 2020-02-19
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in node/utils/Minify.js in Etherpad 1.1.2 through 1.5.4 allows remote attackers to read arbitrary files with permissions of the user running the service via a .. (dot dot) in the path parameter of HTTP API requests. NOTE: This vulnerability is due to an incomplete fix to CVE-2015-3297.
1105 CVE-2015-3006 331 2020-02-28 2020-03-10
6.8
None Remote Low ??? Complete None None
On the QFX3500 and QFX3600 platforms, the number of bytes collected from the RANDOM_INTERRUPT entropy source when the device boots up is insufficient, possibly leading to weak or duplicate SSH keys or self-signed SSL/TLS certificates. Entropy increases after the system has been up and running for some time, but immediately after boot, the entropy is very low. This issue only affects the QFX3500 and QFX3600 switches. No other Juniper Networks products or platforms are affected by this weak entropy vulnerability.
1106 CVE-2015-2992 79 XSS 2020-02-27 2021-01-08
4.3
None Remote Medium Not required None Partial None
Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.
1107 CVE-2015-2923 20 2020-02-20 2020-02-28
3.3
None Local Network Low Not required None None Partial
The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in FreeBSD through 10.1 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message.
1108 CVE-2015-2909 269 2020-02-06 2020-02-12
10.0
None Remote Low Not required Complete Complete Complete
Dedicated Micros DV-IP Express, SD Advanced, SD, EcoSense, and DS2 devices rely on a GUI warning to help ensure that the administrator configures login credentials, which makes it easier for remote attackers to obtain access by leveraging situations in which this warning was not heeded. NOTE: the vendor states "The user is presented with clear warnings on the GUI that they should set usernames and passwords."
1109 CVE-2015-2802 200 +Info 2020-02-04 2021-09-09
5.0
None Remote Low Not required Partial None None
An Information Disclosure vulnerability exists in HP SiteScope 11.2 and 11.3 on Windows, Linux and Solaris, HP Asset Manager 9.30 through 9.32, 9.40 through 9.41, 9.50, and Asset Manager Cloudsystem Chargeback 9.40, which could let a remote malicious user obtain sensitive information. This is the TLS vulnerability known as the RC4 cipher Bar Mitzvah vulnerability.
1110 CVE-2015-2207 79 XSS 2020-02-08 2020-02-11
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in NetCracker Resource Management System before 8.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) ctrl, (2) t90001_0_theform_selection, (3) _scroll, (4) tableName, (5) parent, (6) circuit, (7) return, (8) xname, or (9) mpTransactionId parameter.
1111 CVE-2015-2062 89 Exec Code Sql 2020-02-08 2020-02-11
6.5
None Remote Low ??? Partial Partial Partial
Multiple SQL injection vulnerabilities in the Huge-IT Slider (slider-image) plugin before 2.7.0 for WordPress allow remote administrators to execute arbitrary SQL commands via the removeslide parameter in a popup_posts or edit_cat action in the sliders_huge_it_slider page to wp-admin/admin.php.
1112 CVE-2015-1425 20 2020-02-18 2020-02-27
7.5
None Remote Low Not required Partial Partial Partial
JAKWEB Gecko CMS has Multiple Input Validation Vulnerabilities
1113 CVE-2015-1394 79 XSS 2020-02-08 2020-02-11
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Photo Gallery plugin before 1.2.11 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the (1) sort_by, (2) sort_order, (3) items_view, (4) dir, (5) clipboard_task, (6) clipboard_files, (7) clipboard_src, or (8) clipboard_dest parameters in an addImages action to wp-admin/admin-ajax.php.
1114 CVE-2015-0749 79 Exec Code XSS 2020-02-19 2020-02-21
4.3
None Remote Medium Not required None Partial None
A vulnerability in Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on the affected software. The vulnerabilities is due to improper input validation of certain parameters passed to the affected software. An attacker could exploit this vulnerability by convincing a user to follow a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information.
1115 CVE-2015-0565 119 Overflow 2020-02-25 2020-03-05
10.0
None Remote Low Not required Complete Complete Complete
NaCl in 2015 allowed the CLFLUSH instruction, making rowhammer attacks possible.
1116 CVE-2015-0258 434 Exec Code 2020-02-17 2022-01-01
6.5
None Remote Low ??? Partial Partial Partial
Multiple incomplete blacklist vulnerabilities in the avatar upload functionality in manageuser.php in Collabtive before 2.1 allow remote authenticated users to execute arbitrary code by uploading a file with a (1) .php3, (2) .php4, (3) .php5, or (4) .phtml extension.
1117 CVE-2015-0102 287 2020-02-05 2020-02-07
5.8
None Remote Medium Not required Partial Partial None
IBM Workflow for Bluemix does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
1118 CVE-2014-10400 384 2020-02-06 2020-02-11
4.3
None Remote Medium Not required None Partial None
The session.lua library in CGILua 5.0.x uses sequential session IDs, which makes it easier for remote attackers to predict the session ID and hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875.
1119 CVE-2014-10399 384 2020-02-06 2020-02-11
4.3
None Remote Medium Not required None Partial None
The session.lua library in CGILua 5.1.x uses the same ID for each session, which allows remote attackers to hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875.
1120 CVE-2014-9753 287 Bypass 2020-02-11 2020-02-12
7.5
None Remote Low Not required Partial Partial Partial
confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter.
1121 CVE-2014-9748 362 DoS 2020-02-11 2020-02-25
6.8
None Remote Medium Not required Partial Partial Partial
The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads from releasing the locks of other threads, which allows attackers to cause a denial of service (deadlock) or possibly have unspecified other impact by leveraging a race condition.
1122 CVE-2014-9617 601 2020-02-19 2020-02-20
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in remotereporter/load_logfiles.php in Netsweeper before 4.0.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.
1123 CVE-2014-9615 79 XSS 2020-02-19 2020-02-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Netsweeper 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter to webadmin/deny/index.php.
1124 CVE-2014-9614 798 2020-02-19 2020-02-20
7.5
None Remote Low Not required Partial Partial Partial
The Web Panel in Netsweeper before 4.0.5 has a default password of branding for the branding account, which makes it easier for remote attackers to obtain access via a request to webadmin/.
1125 CVE-2014-9613 89 Exec Code Sql 2020-02-19 2020-02-20
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Netsweeper before 2.6.29.10 allow remote attackers to execute arbitrary SQL commands via the (1) login parameter to webadmin/auth/verification.php or (2) dpid parameter to webadmin/deny/index.php.
1126 CVE-2014-9612 89 Exec Code Sql 2020-02-19 2020-02-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in remotereporter/load_logfiles.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to execute arbitrary SQL commands via the server parameter.
1127 CVE-2014-9609 22 Dir. Trav. 2020-02-19 2020-02-20
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in webadmin/reporter/view_server_log.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to list directory contents via a .. (dot dot) in the log parameter in a stats action.
1128 CVE-2014-9608 79 XSS 2020-02-19 2020-02-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in webadmin/policy/group_table_ajax.php/ in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
1129 CVE-2014-9607 79 XSS 2020-02-19 2020-02-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in remotereporter/load_logfiles.php in Netsweeper 4.0.3 and 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter.
1130 CVE-2014-9606 79 XSS 2020-02-19 2020-02-20
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) server parameter to remotereporter/load_logfiles.php, (2) customctid parameter to webadmin/policy/category_table_ajax.php, (3) urllist parameter to webadmin/alert/alert.php, (4) QUERY_STRING to webadmin/ajaxfilemanager/ajax_get_file_listing.php, or (5) PATH_INFO to webadmin/policy/policy_table_ajax.php/.
1131 CVE-2014-9530 2020-02-07 2020-02-10
7.5
None Remote Low Not required Partial Partial Partial
A vulnerability exists in nw.js before 0.11.3 when calling nw methods from normal frames, which has an unspecified impact.
1132 CVE-2014-9470 79 XSS 2020-02-08 2020-02-12
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the loadForm function in Frontend/Modules/Search/Actions/Index.php in Fork CMS before 3.8.4 allows remote attackers to inject arbitrary web script or HTML via the q_widget parameter to en/search.
1133 CVE-2014-9390 20 Exec Code 2020-02-12 2021-05-17
7.5
None Remote Low Not required Partial Partial Partial
Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
1134 CVE-2014-9127 200 +Info 2020-02-08 2020-02-10
4.0
None Remote Low ??? Partial None None
Open-School Community Edition 2.2 does not properly restrict access to the export functionality, which allows remote authenticated users to obtain sensitive information via the r parameter with the value export to index.php.
1135 CVE-2014-9126 79 XSS CSRF 2020-02-08 2020-02-10
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Open-School Community Edition 2.2 allow remote attackers to inject arbitrary web script or HTML via the YII_CSRF_TOKEN HTTP cookie or the StudentDocument, StudentCategories, StudentPreviousDatas parameters to index.php.
1136 CVE-2014-8739 434 Exec Code 2020-02-08 2020-02-12
7.5
None Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with an PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014.
1137 CVE-2014-8347 287 1 Bypass 2020-02-11 2020-02-13
4.6
None Local Low Not required Partial Partial Partial
An Authentication Bypass vulnerability exists in the MatchPasswordData function in DBEngine.dll in Filemaker Pro 13.03 and Filemaker Pro Advanced 12.04, which could let a malicious user obtain elevated privileges.
1138 CVE-2014-8328 200 +Info 2020-02-03 2020-02-05
5.0
None Remote Low Not required Partial None None
The default configuration in the Dynamic Content Elements (dce) extension before 0.11.5 for TYPO3 allows remote attackers to obtain sensitive installation environment information by reading the update check request.
1139 CVE-2014-8271 120 Overflow +Priv 2020-02-06 2020-02-11
4.6
None Local Low Not required Partial Partial Partial
Buffer overflow in the Reclaim function in Tianocore EDK2 before SVN 16280 allows physically proximate attackers to gain privileges via a long variable name.
1140 CVE-2014-8128 787 DoS 2020-02-12 2020-02-14
4.3
None Remote Medium Not required None None Partial
LibTIFF prior to 4.0.4, as used in Apple iOS before 8.4 and OS X before 10.10.4 and other products, allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image.
1141 CVE-2014-8089 89 Exec Code Sql 2020-02-17 2020-02-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte.
1142 CVE-2014-7951 22 Dir. Trav. 2020-02-20 2020-02-25
2.1
None Local Low Not required None Partial None
Directory traversal vulnerability in the Android debug bridge (aka adb) in Android 4.0.4 allows physically proximate attackers with a direct connection to the target Android device to write to arbitrary files owned by system via a .. (dot dot) in the tar archive headers.
1143 CVE-2014-7914 863 Bypass 2020-02-21 2020-02-26
5.8
None Remote Medium Not required Partial Partial None
btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag.
1144 CVE-2014-7863 200 +Info 2020-02-08 2020-02-13
5.0
None Remote Low Not required Partial None None
The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.
1145 CVE-2014-7236 74 Exec Code 2020-02-17 2020-02-20
6.4
None Remote Low Not required Partial Partial None
Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome.
1146 CVE-2014-7224 20 Exec Code 2020-02-07 2020-02-12
9.0
None Remote Low ??? Complete Complete Complete
A Code Execution vulnerability exists in Android prior to 4.4.0 related to the addJavascriptInterface method and the accessibility and accessibilityTraversal objects, which could let a remote malicious user execute arbitrary code.
1147 CVE-2014-6447 79 XSS 2020-02-11 2020-02-25
5.8
None Remote Medium Not required None Partial Partial
Multiple vulnerabilities exist in Juniper Junos J-Web error handling that may lead to cross site scripting (XSS) issues or crash the J-Web service (DoS). This affects Juniper Junos OS 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, 12.1X47 before 12.1X47-D20, 12.3 before 12.3R8, 12.3X48 before 12.3X48-D10, 13.1 before 13.1R5, 13.2 before 13.2R6, 13.3 before 13.3R4, 14.1 before 14.1R3, 14.1X53 before 14.1X53-D10, 14.2 before 14.2R1, and 15.1 before 15.1R1.
1148 CVE-2014-6413 79 XSS 2020-02-07 2020-02-11
4.3
None Remote Medium Not required None Partial None
A Cross-site Scripting (XSS) vulnerability exists in WatchGuard XTM 11.8.3 via the poll_name parameter in the firewall/policy script.
1149 CVE-2014-6262 134 DoS Exec Code 2020-02-12 2022-01-01
5.0
None Remote Low Not required None None Partial
Multiple format string vulnerabilities in the python module in RRDtool, as used in Zenoss Core before 4.2.5 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted third argument to the rrdtool.graph function, aka ZEN-15415, a related issue to CVE-2013-2131.
1150 CVE-2014-5468 20 1 Exec Code +Info File Inclusion 2020-02-07 2020-02-11
6.8
None Remote Medium Not required Partial Partial Partial
A File Inclusion vulnerability exists in Railo 4.2.1 and earlier via a specially-crafted URL request to the thumbnail.cfm to specify a malicious PNG file, which could let a remote malicious user obtain sensitive information or execute arbitrary code.
Total number of vulnerabilities : 1395   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 (This Page)24 25 26 27 28
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.