CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In December 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1501 CVE-2019-7726 89 Sql 2020-12-31 2021-01-05
7.5
None Remote Low Not required Partial Partial Partial
modules/banners/funcs/click.php in NukeViet before 4.3.04 has a SQL INSERT statement with raw header data from an HTTP request (e.g., Referer and User-Agent).
1502 CVE-2019-7725 502 2020-12-31 2021-01-05
7.5
None Remote Low Not required Partial Partial Partial
includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk).
1503 CVE-2019-7198 77 Exec Code 2020-12-10 2021-06-21
7.5
None Remote Low Not required Partial Partial Partial
This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later
1504 CVE-2019-4738 312 2020-12-10 2020-12-11
4.0
None Remote Low ??? Partial None None
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 and 6.0.0.0 through 6.0.3.1 discloses sensitive information to an authenticated user from the dashboard UI which could be used in further attacks against the system. IBM X-Force ID: 172753.
1505 CVE-2018-1000893 400 2020-12-23 2020-12-23
5.0
None Remote Low Not required None None Partial
Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when deserializing transactions.
1506 CVE-2018-1000892 400 2020-12-23 2020-12-23
5.0
None Remote Low Not required None None Partial
Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when receiving sendheaders messages.
1507 CVE-2018-1000891 400 2020-12-23 2020-12-23
5.0
None Remote Low Not required None None Partial
Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when receiving messages with invalid checksums.
1508 CVE-2018-25001 416 2020-12-31 2021-01-05
4.0
None Remote Low ??? None Partial None
An issue was discovered in the libpulse-binding crate before 2.5.0 for Rust. proplist::Iterator can cause a use-after-free.
1509 CVE-2018-21270 125 2020-12-03 2021-02-16
5.8
None Remote Medium Not required Partial None Partial
Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).
1510 CVE-2018-19945 22 Dir. Trav. 2020-12-31 2021-01-06
8.5
None Remote Low Not required None Partial Complete
A vulnerability has been reported to affect earlier QNAP devices running QTS 4.3.4 to 4.3.6. Caused by improper limitations of a pathname to a restricted directory, this vulnerability allows for renaming arbitrary files on the target system, if exploited. QNAP have already fixed this vulnerability in the following versions: QTS 4.3.6.0895 build 20190328 (and later) QTS 4.3.4.0899 build 20190322 (and later) This issue does not affect QTS 4.4.x or QTS 4.5.x.
1511 CVE-2018-19944 319 2020-12-31 2021-01-07
5.0
None Remote Low Not required Partial None None
A cleartext transmission of sensitive information vulnerability has been reported to affect certain QTS devices. If exploited, this vulnerability allows a remote attacker to gain access to sensitive information. QNAP have already fixed this vulnerability in the following versions: QTS 4.4.3.1354 build 20200702 (and later)
1512 CVE-2018-19941 312 2020-12-31 2021-01-07
5.0
None Remote Low Not required Partial None None
A vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows an attacker to access sensitive information stored in cleartext inside cookies via certain widely-available tools. QNAP have already fixed this vulnerability in the following versions: QTS 4.5.1.1456 build 20201015 (and later) QuTS hero h4.5.1.1472 build 20201031 (and later) QuTScloud c4.5.2.1379 build 20200730 (and later)
1513 CVE-2018-16795 352 CSRF 2020-12-31 2021-01-05
6.8
None Remote Medium Not required Partial Partial Partial
OpenEMR 5.0.1.3 allows Cross-Site Request Forgery (CSRF) via library/ajax and interface/super, as demonstrated by use of interface/super/manage_site_files.php to upload a .php file.
1514 CVE-2018-16243 79 XSS 2020-12-15 2020-12-17
3.5
None Remote Medium ??? None Partial None
SolarWinds Database Performance Analyzer (DPA) 11.1.468 and 12.0.3074 have several persistent XSS vulnerabilities, related to logViewer.iwc, centralManage.cen, userAdministration.iwc, database.iwc, alertManagement.iwc, eventAnnotations.iwc, and central.cen.
1515 CVE-2018-15645 732 2020-12-22 2020-12-23
4.0
None Remote Low ??? None Partial None
Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads, which may allow privilege escalation.
1516 CVE-2018-15641 79 XSS 2020-12-22 2020-12-22
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes.
1517 CVE-2018-15638 79 XSS 2020-12-22 2020-12-22
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names.
1518 CVE-2018-15634 79 XSS 2020-12-22 2020-12-22
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link.
1519 CVE-2018-15633 79 XSS 2020-12-22 2020-12-22
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) issue in "document" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames.
1520 CVE-2018-15632 20 2020-12-22 2020-12-22
8.5
None Remote Low Not required None Partial Complete
Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to initialize an empty database on which they can connect with default credentials.
1521 CVE-2018-14067 77 Exec Code 2020-12-31 2021-01-06
10.0
None Remote Low Not required Complete Complete Complete
Green Packet WiMax DV-360 2.10.14-g1.0.6.1 devices allow Command Injection, with unauthenticated remote command execution, via a crafted payload to the HTTPS port, because lighttpd listens on all network interfaces (including the external Internet) by default. NOTE: this may overlap CVE-2017-9980.
1522 CVE-2018-7580 DoS 2020-12-21 2020-12-29
5.0
None Remote Low Not required None None Partial
Philips Hue is vulnerable to a Denial of Service attack. Sending a SYN flood on port tcp/80 will freeze Philips Hue's hub and it will stop responding. The "hub" will stop operating and be frozen until the flood stops. During the flood, the user won't be able to turn on/off the lights, and all of the hub's functionality will be unresponsive. The cloud service also won't work with the hub.
1523 CVE-2017-14451 125 Exec Code 2020-12-02 2020-12-09
7.5
None Remote Low Not required Partial Partial Partial
An exploitable out-of-bounds read vulnerability exists in libevm (Ethereum Virtual Machine) of CPP-Ethereum. A specially crafted smart contract code can cause an out-of-bounds read which can subsequently trigger an out-of-bounds write resulting in remote code execution. An attacker can create/send malicious smart contract to trigger this vulnerability.
1524 CVE-2017-2910 787 Exec Code Mem. Corr. 2020-12-02 2020-12-04
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable Out-of-bounds Write vulnerability exists in the xls_addCell function of libxls 2.0. A specially crafted xls file can cause a memory corruption resulting in remote code execution. An attacker can send malicious xls file to trigger this vulnerability.
1525 CVE-2016-9026 20 2020-12-31 2021-01-04
7.5
None Remote Low Not required Partial Partial Partial
Exponent CMS before 2.6.0 has improper input validation in fileController.php.
1526 CVE-2016-9025 20 2020-12-31 2021-01-04
7.5
None Remote Low Not required Partial Partial Partial
Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php.
1527 CVE-2016-9023 20 2020-12-31 2021-01-04
7.5
None Remote Low Not required Partial Partial Partial
Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php.
1528 CVE-2016-9022 20 2020-12-31 2021-01-04
7.5
None Remote Low Not required Partial Partial Partial
Exponent CMS before 2.6.0 has improper input validation in usersController.php.
1529 CVE-2016-9021 20 2020-12-31 2021-01-04
7.5
None Remote Low Not required Partial Partial Partial
Exponent CMS before 2.6.0 has improper input validation in storeController.php.
1530 CVE-2012-0955 295 2020-12-02 2020-12-08
5.8
None Remote Medium Not required Partial Partial None
software-properties was vulnerable to a person-in-the-middle attack due to incorrect TLS certificate validation in softwareproperties/ppa.py. software-properties didn't check TLS certificates under python2 and only checked certificates under python3 if a valid certificate bundle was provided. Fixed in software-properties version 0.92.
Total number of vulnerabilities : 1530   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.