CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
151 CVE-2020-26868 2020-10-12 2020-12-18
5.0
None Remote Low Not required None None Partial
ARC Informatique PcVue prior to version 12.0.17 is vulnerable to a denial-of-service attack due to the ability of an unauthorized user to modify information used to validate messages sent by legitimate web clients. This issue also affects third-party systems based on the Web Services Toolkit.
152 CVE-2020-26867 502 Exec Code 2020-10-12 2020-12-18
7.5
None Remote Low Not required Partial Partial Partial
ARC Informatique PcVue prior to version 12.0.17 is vulnerable due to the deserialization of untrusted data, which may allow an attacker to remotely execute arbitrary code on the web and mobile back-end server.
153 CVE-2020-26802 352 CSRF 2020-10-08 2020-10-15
6.8
None Remote Medium Not required Partial Partial Partial
forma.lms 2.3.0.2 is affected by Cross Site Request Forgery (CSRF) in formalms/appCore/index.php?r=lms/profile/show&ap=saveinfo via a GET request to change the admin email address in order to accomplish an account takeover.
154 CVE-2020-26682 190 Overflow 2020-10-16 2022-06-15
6.8
None Remote Medium Not required Partial Partial Partial
In libass 0.14.0, the `ass_outline_construct`'s call to `outline_stroke` causes a signed integer overflow.
155 CVE-2020-26672 79 XSS 2020-10-16 2020-11-19
3.5
None Remote Medium ??? None Partial None
Testimonial Rotator Wordpress Plugin 3.0.2 is affected by Cross Site Scripting (XSS) in /wp-admin/post.php. If a user intercepts a request and inserts a payload in "cite" parameter, the payload will be stored in the database.
156 CVE-2020-26650 862 2020-10-22 2021-07-21
5.0
None Remote Low Not required Partial None None
AtomXCMS 2.0 is affected by Arbitrary File Read via admin/dump.php
157 CVE-2020-26649 862 2020-10-22 2021-07-21
5.5
None Remote Low ??? None Partial Partial
AtomXCMS 2.0 is affected by Incorrect Access Control via admin/dump.php
158 CVE-2020-26607 269 2020-10-06 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in TimaService on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. PendingIntent with an empty intent is mishandled, allowing an attacker to perform a privileged action via a modified intent. The Samsung ID is SVE-2020-18418 (October 2020).
159 CVE-2020-26606 200 +Info 2020-10-06 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), Q(10.0), and R(11.0) software. An attacker can access certain Secure Folder content via a debugging command. The Samsung ID is SVE-2020-18673 (October 2020).
160 CVE-2020-26605 532 +Info 2020-10-06 2020-10-08
5.0
None Remote Low Not required Partial None None
An issue was discovered on Samsung mobile devices with Q(10.0) and R(11.0) (Exynos chipsets) software. They allow attackers to obtain sensitive information by reading a log. The Samsung ID is SVE-2020-18596 (October 2020).
161 CVE-2020-26604 269 2020-10-06 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in SystemUI on Samsung mobile devices with O(8.x), P(9.0), Q(10.0), and R(11.0) software. PendingIntent allows an unprivileged process to access contact numbers. The Samsung ID is SVE-2020-18467 (October 2020).
162 CVE-2020-26603 22 Dir. Trav. 2020-10-06 2020-10-08
5.0
None Remote Low Not required Partial None None
An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. Sticker Center allows directory traversal for an unprivileged process to read arbitrary files. The Samsung ID is SVE-2020-18433 (October 2020).
163 CVE-2020-26602 668 2020-10-06 2020-10-08
5.0
None Remote Low Not required Partial None None
An issue was discovered in EthernetNetwork on Samsung mobile devices with O(8.1), P(9.0), Q(10.0), and R(11.0) software. PendingIntent allows sdcard access by an unprivileged process. The Samsung ID is SVE-2020-18392 (October 2020).
164 CVE-2020-26601 269 2020-10-06 2021-07-21
5.0
None Remote Low Not required None Partial None
An issue was discovered in DirEncryptService on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. PendingIntent with an empty intent is mishandled, allowing an attacker to perform a privileged action via a modified intent. The Samsung ID is SVE-2020-18034 (October 2020).
165 CVE-2020-26600 200 +Info 2020-10-06 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered on Samsung mobile devices with Q(10.0) software. Auto Hotspot allows attackers to obtain sensitive information. The Samsung ID is SVE-2020-17288 (October 2020).
166 CVE-2020-26599 287 2020-10-06 2021-07-21
5.0
None Remote Low Not required None Partial None
An issue was discovered on Samsung mobile devices with Q(10.0) software. The DynamicLockscreen Terms and Conditions can be accepted without authentication. The Samsung ID is SVE-2020-17079 (October 2020).
167 CVE-2020-26598 862 2020-10-06 2020-10-08
5.0
None Remote Low Not required None Partial None
An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, and 9.0 software. The Network Management component could allow an unauthorized actor to kill a TCP connection. The LG ID is LVE-SMP-200023 (October 2020).
168 CVE-2020-26597 20 2020-10-06 2020-10-08
5.0
None Remote Low Not required None None Partial
An issue was discovered on LG mobile devices with Android OS 9.0 and 10 software. The Wi-Fi subsystem has incorrect input validation, leading to a crash. The LG ID is LVE-SMP-200022 (October 2020).
169 CVE-2020-26596 20 Exec Code 2020-10-07 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role.
170 CVE-2020-26584 79 Exec Code XSS 2020-10-16 2020-10-27
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Sage DPW 2020_06_x before 2020_06_002. The search field "Kurs suchen" on the page Kurskatalog is vulnerable to Reflected XSS. If the attacker can lure a user into clicking a crafted link, he can execute arbitrary JavaScript code in the user's browser. The vulnerability can be used to change the contents of the displayed site, redirect to other sites, or steal user credentials. Additionally, users are potential victims of browser exploits and JavaScript malware.
171 CVE-2020-26583 434 2020-10-16 2020-10-29
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Sage DPW 2020_06_x before 2020_06_002. It allows unauthenticated users to upload JavaScript (in a file) via the expenses claiming functionality. However, to view the file, authentication is required. By exploiting this vulnerability, an attacker can persistently include arbitrary HTML or JavaScript code into the affected web page. The vulnerability can be used to change the contents of the displayed site, redirect to other sites, or steal user credentials. Additionally, users are potential victims of browser exploits and JavaScript malware.
172 CVE-2020-26582 77 Exec Code 2020-10-06 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
D-Link DAP-1360U before 3.0.1 devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the IP JSON value for ping (aka res_config_action=3&res_config_id=18).
173 CVE-2020-26575 835 2020-10-06 2021-02-11
5.0
None Remote Low Not required None None Partial
In Wireshark through 3.2.7, the Facebook Zero Protocol (aka FBZERO) dissector could enter an infinite loop. This was addressed in epan/dissectors/packet-fbzero.c by correcting the implementation of offset advancement.
174 CVE-2020-26574 79 Exec Code XSS 2020-10-06 2020-10-22
9.3
None Remote Medium Not required Complete Complete Complete
** UNSUPPORTED WHEN ASSIGNED ** Leostream Connection Broker 8.2.x is affected by stored XSS. An unauthenticated attacker can inject arbitrary JavaScript code via the webquery.pl User-Agent HTTP header. It is rendered by the admins the next time they log in. The JavaScript injected can be used to force the admin to upload a malicious Perl script that will be executed as root via libMisc::browser_client. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
175 CVE-2020-26572 787 Overflow 2020-10-06 2021-11-30
2.1
None Local Low Not required None None Partial
The TCOS smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in tcos_decipher.
176 CVE-2020-26571 787 Overflow 2020-10-06 2021-11-30
2.1
None Local Low Not required None None Partial
The gemsafe GPK smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in sc_pkcs15emu_gemsafeGPK_init.
177 CVE-2020-26570 787 Overflow 2020-10-06 2021-11-29
2.1
None Local Low Not required None None Partial
The Oberthur smart card software driver in OpenSC before 0.21.0-rc1 has a heap-based buffer overflow in sc_oberthur_read_file.
178 CVE-2020-26567 306 2020-10-08 2020-10-19
4.9
None Local Low Not required None None Complete
An issue was discovered on D-Link DSR-250N before 3.17B devices. The CGI script upgradeStatusReboot.cgi can be accessed without authentication. Any access reboots the device, rendering it therefore unusable for several minutes.
179 CVE-2020-26566 125 DoS 2020-10-26 2020-10-29
5.0
None Remote Low Not required None None Partial
A Denial of Service condition in Motion-Project Motion 3.2 through 4.3.1 allows remote unauthenticated users to cause a webu.c segmentation fault and kill the main process via a crafted HTTP request.
180 CVE-2020-26561 787 Exec Code Overflow 2020-10-23 2020-10-27
6.5
None Remote Low ??? Partial Partial Partial
** UNSUPPORTED WHEN ASSIGNED ** Belkin LINKSYS WRT160NL 1.0.04.002_US_20130619 devices have a stack-based buffer overflow vulnerability because of sprintf in create_dir in mini_httpd. Successful exploitation leads to arbitrary code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
181 CVE-2020-26546 89 Sql 2020-10-12 2020-10-27
5.0
None Remote Low Not required Partial None None
** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in HelpDeskZ 1.0.2. The feature to auto-login a user, via the RememberMe functionality, is prone to SQL injection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
182 CVE-2020-26541 2020-10-02 2020-10-05
6.9
None Local Medium Not required Complete Complete Complete
The Linux kernel through 5.8.13 does not properly enforce the Secure Boot Forbidden Signature Database (aka dbx) protection mechanism. This affects certs/blacklist.c and certs/system_keyring.c.
183 CVE-2020-26540 347 +Info 2020-10-02 2021-09-08
5.0
None Remote Low Not required Partial None None
An issue was discovered in Foxit Reader and PhantomPDF before 4.1 on macOS. Because the Hardened Runtime protection mechanism is not applied to code signing, code injection (or an information leak) can occur.
184 CVE-2020-26539 416 Exec Code +Info 2020-10-02 2020-10-05
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Foxit Reader and PhantomPDF before 10.1. When there is a multiple interpretation error for /V (in the Additional Action and Field dictionaries), a use-after-free can occur with resultant remote code execution (or an information leak).
185 CVE-2020-26538 Exec Code 2020-10-02 2021-07-21
4.4
None Local Medium Not required Partial Partial Partial
An issue was discovered in Foxit Reader and PhantomPDF before 10.1. It allows attackers to execute arbitrary code via a Trojan horse taskkill.exe in the current working directory.
186 CVE-2020-26537 787 2020-10-02 2020-10-05
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Foxit Reader and PhantomPDF before 10.1. In a certain Shading calculation, the number of outputs is unequal to the number of color components in a color space. This causes an out-of-bounds write.
187 CVE-2020-26536 476 2020-10-02 2020-10-02
4.3
None Remote Medium Not required None None Partial
An issue was discovered in Foxit Reader and PhantomPDF before 10.1. There is a NULL pointer dereference via a crafted PDF document.
188 CVE-2020-26535 787 2020-10-02 2020-10-05
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Foxit Reader and PhantomPDF before 10.1. If TslAlloc attempts to allocate thread local storage but obtains an unacceptable index value, V8 throws an exception that leads to a write access violation (and read access violation).
189 CVE-2020-26534 416 2020-10-02 2020-10-05
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Foxit Reader and PhantomPDF before 10.1. There is an Opt object use-after-free related to Field::ClearItems and Field::DeleteOptions, during AcroForm JavaScript execution.
190 CVE-2020-26527 346 2020-10-02 2020-10-14
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in API/api/Version in Damstra Smart Asset 2020.7. Cross-origin resource sharing trusts random origins by accepting the arbitrary 'Origin: example.com' header and responding with 200 OK and a wildcard 'Access-Control-Allow-Origin: *' header.
191 CVE-2020-26526 2020-10-02 2020-10-06
5.0
None Remote Low Not required Partial None None
An issue was discovered in Damstra Smart Asset 2020.7. It is possible to enumerate valid usernames on the login page. The application sends a different server response when the username is invalid than when the username is valid ("Unable to find an APIDomain" versus "Wrong email or password").
192 CVE-2020-26525 89 Sql 2020-10-02 2020-10-06
6.4
None Remote Low Not required Partial Partial None
Damstra Smart Asset 2020.7 has SQL injection via the API/api/Asset originator parameter. This allows forcing the database and server to initiate remote connections to third party DNS servers.
193 CVE-2020-26524 2020-10-02 2022-04-27
5.0
None Remote Low Not required Partial None None
CodeLathe FileCloud before 20.2.0.11915 allows username enumeration.
194 CVE-2020-26523 79 XSS 2020-10-02 2020-10-02
4.3
None Remote Medium Not required None Partial None
Froala Editor before 3.2.2 allows XSS via pasted content.
195 CVE-2020-26522 352 CSRF 2020-10-09 2020-10-16
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery (CSRF) vulnerability in mod/user/act_user.php in Garfield Petshop through 2020-10-01 allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts.
196 CVE-2020-26519 787 DoS 2020-10-02 2022-01-06
4.3
None Remote Medium Not required None None Partial
Artifex MuPDF before 1.18.0 has a heap based buffer over-write when parsing JBIG2 files allowing attackers to cause a denial of service.
197 CVE-2020-26518 89 Sql 2020-10-02 2020-10-09
7.5
None Remote Low Not required Partial Partial Partial
Artica Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the pandora_console/include/chart_generator.php session_id parameter.
198 CVE-2020-26511 Bypass 2020-10-02 2021-07-21
5.0
None Remote Low Not required None Partial None
The wpo365-login plugin before v11.7 for WordPress allows use of a symmetric algorithm to decrypt a JWT token. This leads to authentication bypass.
199 CVE-2020-26205 79 XSS 2020-10-29 2020-11-03
3.5
None Remote Medium ??? None Partial None
Sal is a multi-tenanted reporting dashboard for Munki with the ability to display information from Facter. In Sal through version 4.1.6 there is an XSS vulnerability on the machine_list view.
200 CVE-2020-26183 552 2020-10-16 2020-10-21
4.0
None Remote Low ??? None Partial None
Dell EMC NetWorker versions prior to 19.3.0.2 contain an improper authorization vulnerability. Certain remote users with low privileges may exploit this vulnerability to perform 'nsrmmdbd' operations in an unintended manner.
Total number of vulnerabilities : 1563   Page : 1 2 3 4 (This Page)5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.