CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In August 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
151 CVE-2020-19888 863 2020-08-24 2021-07-21
4.3
None Remote Medium Not required None Partial None
DBHcms v1.2.0 has an unauthorized operation vulnerability because there's no access control at line 175 of dbhcms\page.php for empty cache operation. This vulnerability can be exploited to empty a table.
152 CVE-2020-19887 79 XSS 2020-08-24 2020-08-25
3.5
None Remote Medium ??? None Partial None
DBHcms v1.2.0 has a stored XSS vulnerability as there is no htmlspecialchars function for '$_POST['pageparam_insert_description']' variable in dbhcms\mod\mod.page.edit.php line 227, A remote authenticated with admin user can exploit this vulnerability to hijack other users.
153 CVE-2020-19886 352 CSRF 2020-08-24 2020-08-25
4.3
None Remote Medium Not required None Partial None
DBHcms v1.2.0 has no CSRF protection mechanism,as demonstrated by CSRF for an /index.php?dbhcms_pid=-80&deletemenu=9 can delete any menu.
154 CVE-2020-19885 79 XSS 2020-08-24 2020-08-25
3.5
None Remote Medium ??? None Partial None
DBHcms v1.2.0 has a stored xss vulnerability as there is no htmlspecialchars function for '$_POST['pageparam_insert_name']' variable in dbhcms\mod\mod.page.edit.php line 227, A remote authenticated with admin user can exploit this vulnerability to hijack other users.
155 CVE-2020-19884 79 XSS 2020-08-24 2020-08-25
3.5
None Remote Medium ??? None Partial None
DBHcms v1.2.0 has a stored xss vulnerability as there is no htmlspecialchars function in dbhcms\mod\mod.domain.edit.php line 119.
156 CVE-2020-19883 79 XSS 2020-08-24 2020-08-25
3.5
None Remote Medium ??? None Partial None
DBHcms v1.2.0 has a stored xss vulnerability as there is no security filter in dbhcms\mod\mod.users.view.php line 57 for user_login, A remote authenticated with admin user can exploit this vulnerability to hijack other users.
157 CVE-2020-19882 79 XSS 2020-08-24 2020-08-25
3.5
None Remote Medium ??? None Partial None
DBHcms v1.2.0 has a stored xss vulnerability as there is no htmlspecialchars function for 'menu_description' variable in dbhcms\mod\mod.menus.edit.php line 83 and in dbhcms\mod\mod.menus.view.php line 111, A remote authenticated with admin user can exploit this vulnerability to hijack other users.
158 CVE-2020-19881 79 XSS 2020-08-24 2020-08-25
3.5
None Remote Medium ??? None Partial None
DBHcms v1.2.0 has a reflected xss vulnerability as there is no security filter in dbhcms\mod\mod.selector.php line 108 for $_GET['return_name'] parameter, A remote authenticated with admin user can exploit this vulnerability to hijack other users.
159 CVE-2020-19880 79 XSS 2020-08-24 2020-08-25
4.3
None Remote Medium Not required None Partial None
DBHcms v1.2.0 has a stored xss vulnerability as there is no htmlspecialchars function form 'Name' in dbhcms\types.php, A remote unauthenticated attacker can exploit this vulnerability to hijack other users.
160 CVE-2020-19879 79 XSS 2020-08-24 2020-08-25
4.3
None Remote Medium Not required None Partial None
DBHcms v1.2.0 has a stored xss vulnerability as there is no security filter of $_GET['dbhcms_pid'] variable in dbhcms\page.php line 107,
161 CVE-2020-19878 200 +Info 2020-08-24 2021-07-21
5.0
None Remote Low Not required Partial None None
DBHcms v1.2.0 has a sensitive information leaks vulnerability as there is no security access control in /dbhcms/ext/news/ext.news.be.php, A remote unauthenticated attacker can exploit this vulnerability to get path information.
162 CVE-2020-19877 22 Dir. Trav. +Info 2020-08-24 2020-08-25
5.0
None Remote Low Not required Partial None None
DBHcms v1.2.0 has a directory traversal vulnerability as there is no directory control function in directory /dbhcms/. A remote unauthenticated attacker can exploit this vulnerability to obtain server-sensitive information.
163 CVE-2020-19007 79 Exec Code XSS 2020-08-26 2020-08-31
3.5
None Remote Medium ??? None Partial None
Halo blog 1.2.0 allows users to submit comments on blog posts via /api/content/posts/comments. The javascript code supplied by the attacker will then execute in the victim user's browser.
164 CVE-2020-19005 863 2020-08-25 2020-09-03
3.5
None Remote Medium ??? Partial None None
zrlog v2.1.0 has a vulnerability with the permission check. If admin account is logged in, other unauthorized users can download the database backup file directly.
165 CVE-2020-17538 787 DoS Overflow 2020-08-13 2020-08-31
4.3
None Remote Medium Not required None None Partial
A buffer overflow vulnerability in GetNumSameData() in contrib/lips4/gdevlips.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
166 CVE-2020-17507 125 2020-08-12 2020-09-30
5.0
None Remote Low Not required None None Partial
An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.
167 CVE-2020-17506 89 +Priv Sql Bypass 2020-08-12 2020-09-22
7.5
None Remote Low Not required Partial Partial Partial
Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.
168 CVE-2020-17505 78 Exec Code 2020-08-12 2020-09-22
9.0
None Remote Low ??? Complete Complete Complete
Artica Web Proxy 4.30.000000 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.
169 CVE-2020-17498 415 2020-08-13 2021-01-20
4.3
None Remote Medium Not required None None Partial
In Wireshark 3.2.0 to 3.2.5, the Kafka protocol dissector could crash. This was addressed in epan/dissectors/packet-kafka.c by avoiding a double free during LZ4 decompression.
170 CVE-2020-17497 2020-08-12 2020-08-19
4.8
None Local Network Low Not required Partial Partial None
eapol.c in iNet wireless daemon (IWD) through 1.8 allows attackers to trigger a PTK reinstallation by retransmitting EAPOL Msg4/4.
171 CVE-2020-17496 74 Exec Code 2020-08-12 2020-08-17
7.5
None Remote Low Not required Partial Partial Partial
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
172 CVE-2020-17495 312 2020-08-11 2020-08-14
5.0
None Remote Low Not required Partial None None
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
173 CVE-2020-17489 522 2020-08-11 2021-03-26
1.9
None Local Medium Not required Partial None None
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.)
174 CVE-2020-17487 2020-08-11 2021-03-26
5.0
None Remote Low Not required None None Partial
radare2 4.5.0 misparses signature information in PE files, causing a segmentation fault in r_x509_parse_algorithmidentifier in libr/util/x509.c. This is due to a malformed object identifier in IMAGE_DIRECTORY_ENTRY_SECURITY.
175 CVE-2020-17480 79 XSS 2020-08-10 2020-08-11
4.3
None Remote Medium Not required None Partial None
TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.
176 CVE-2020-17479 20 2020-08-10 2020-08-19
7.5
None Remote Low Not required Partial Partial Partial
jpv (aka Json Pattern Validator) before 2.2.2 does not properly validate input, as demonstrated by a corrupted array.
177 CVE-2020-17478 203 2020-08-10 2020-08-12
5.0
None Remote Low Not required Partial None None
ECDSA/EC/Point.pm in Crypt::Perl before 0.33 does not properly consider timing attacks against the EC point multiplication algorithm.
178 CVE-2020-17476 79 XSS 2020-08-10 2020-08-10
4.3
None Remote Medium Not required None Partial None
Mibew Messenger before 3.2.7 allows XSS via a crafted user name.
179 CVE-2020-17475 306 2020-08-14 2020-08-21
5.0
None Remote Low Not required None Partial None
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
180 CVE-2020-17474 613 2020-08-14 2020-08-21
7.5
None Remote Low Not required Partial Partial Partial
A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to create arbitrary new users, elevate users to administrators, delete users, and download user faces from the database.
181 CVE-2020-17473 613 2020-08-14 2020-08-21
4.3
None Remote Medium Not required None Partial None
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.
182 CVE-2020-17466 287 Bypass 2020-08-11 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
Turcom TRCwifiZone through 2020-08-10 allows authentication bypass by visiting manage/control.php and ignoring 302 Redirect responses.
183 CVE-2020-17465 79 XSS 2020-08-31 2020-09-04
4.3
None Remote Medium Not required None Partial None
Dashboards and progressiveProfileForms in ForgeRock Identity Manager before 7.0.0 are vulnerable to stored XSS. The vulnerability affects versions 6.5.0.4, 6.0.0.6.
184 CVE-2020-17463 89 Sql 2020-08-13 2020-08-13
7.5
None Remote Low Not required Partial Partial Partial
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
185 CVE-2020-17462 434 2020-08-14 2020-08-19
6.5
None Remote Low ??? Partial Partial Partial
CMS Made Simple 2.2.14 allows Authenticated Arbitrary File Upload because the File Manager does not block .ptar files, a related issue to CVE-2017-16798.
186 CVE-2020-17456 78 Exec Code 2020-08-20 2022-04-22
7.5
None Remote Low Not required Partial Partial Partial
SEOWON INTECH SLC-130 And SLR-120S devices allow Remote Code Execution via the ipAddr parameter to the system_log.cgi page.
187 CVE-2020-17452 434 2020-08-09 2020-08-10
9.0
None Remote Low ??? Complete Complete Complete
flatCore before 1.5.7 allows upload and execution of a .php file by an admin.
188 CVE-2020-17451 79 XSS 2020-08-09 2020-08-10
3.5
None Remote Medium ??? None Partial None
flatCore before 1.5.7 allows XSS by an admin via the acp/acp.php?tn=pages&sub=edit&editpage=1 page_linkname, page_title, page_content, or page_extracontent parameter, or the acp/acp.php?tn=system&sub=sys_pref prefs_pagename, prefs_pagetitle, or prefs_pagesubtitle parameter.
189 CVE-2020-17450 79 XSS 2020-08-12 2020-08-13
4.3
None Remote Medium Not required None Partial None
PHP-Fusion 9.03 allows XSS on the preview page.
190 CVE-2020-17449 79 XSS 2020-08-12 2020-08-13
3.5
None Remote Medium ??? None Partial None
PHP-Fusion 9.03 allows XSS via the error_log file.
191 CVE-2020-17448 863 Bypass 2020-08-11 2021-01-28
6.8
None Remote Medium Not required Partial Partial Partial
Telegram Desktop through 2.1.13 allows a spoofed file type to bypass the Dangerous File Type Execution protection mechanism, as demonstrated by use of the chat window with a filename that lacks an extension.
192 CVE-2020-17446 824 Exec Code 2020-08-12 2020-09-03
7.5
None Remote Low Not required Partial Partial Partial
asyncpg before 0.21.0 allows a malicious PostgreSQL server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, because of access to an uninitialized pointer in the array data decoder.
193 CVE-2020-17404 787 Exec Code 2020-08-25 2020-09-01
6.8
None Remote Medium Not required Partial Partial Partial
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.922. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of PSD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-11191.
194 CVE-2020-17403 787 Exec Code 2020-08-25 2020-09-01
6.8
None Remote Medium Not required Partial Partial Partial
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Studio Photo 3.6.6.922. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of PSD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-11003.
195 CVE-2020-17402 732 Exec Code +Info 2020-08-25 2020-08-31
2.1
None Local Low Not required Partial None None
This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.4 (47270). An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the prl_hypervisor kext. By examining a log file, an attacker can disclose a memory address. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute code in the context of the kernel. Was ZDI-CAN-11063.
196 CVE-2020-17401 129 Exec Code +Info 2020-08-25 2020-08-26
2.1
None Local Low Not required Partial None None
This vulnerability allows local attackers to disclose sensitive informations on affected installations of Parallels Desktop 15.1.4. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the VGA virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated array. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute code in the context of the hypervisor. Was ZDI-CAN-11363.
197 CVE-2020-17400 129 Exec Code 2020-08-25 2020-08-26
4.6
None Local Low Not required Partial Partial Partial
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.4. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the prl_hypervisor kext. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the hypervisor. Was ZDI-CAN-11304.
198 CVE-2020-17399 129 Exec Code 2020-08-25 2020-08-26
4.6
None Local Low Not required Partial Partial Partial
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.4. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the prl_hypervisor kext. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the kernel. Was ZDI-CAN-11303.
199 CVE-2020-17398 129 Exec Code +Info 2020-08-25 2020-08-26
2.1
None Local Low Not required Partial None None
This vulnerability allows local attackers to disclose information on affected installations of Parallels Desktop 15.1.4. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the prl_hypervisor kext. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel. Was ZDI-CAN-11302.
200 CVE-2020-17397 119 Exec Code Overflow Mem. Corr. 2020-08-25 2020-08-31
4.6
None Local Low Not required Partial Partial Partial
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.4. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the handling of network packets. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the hypervisor. Was ZDI-CAN-11253.
Total number of vulnerabilities : 1155   Page : 1 2 3 4 (This Page)5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.