CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In February 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
201 CVE-2020-8547 843 Bypass 2020-02-03 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
202 CVE-2020-8545 22 Dir. Trav. 2020-02-03 2020-02-06
5.0
None Remote Low Not required Partial None None
Global.py in AIL framework 2.8 allows path traversal.
203 CVE-2020-8518 94 Exec Code 2020-02-17 2022-01-01
7.5
None Remote Low Not required Partial Partial Partial
Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution.
204 CVE-2020-8517 20 DoS 2020-02-04 2021-07-21
5.0
None Remote Low Not required None None Partial
An issue was discovered in Squid before 4.10. Due to incorrect input validation, the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections, this can result in the helper process being terminated unexpectedly. This leads to the Squid process also terminating and a denial of service for all clients using the proxy.
205 CVE-2020-8516 2020-02-02 2022-04-18
5.0
None Remote Low Not required Partial None None
** DISPUTED ** The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before attempting to connect to it, which might make it easier for remote attackers to discover circuit information. NOTE: The network team of Tor claims this is an intended behavior and not a vulnerability.
206 CVE-2020-8515 78 Exec Code 2020-02-01 2022-01-01
10.0
None Remote Low Not required Complete Complete Complete
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1.
207 CVE-2020-8514 79 XSS 2020-02-02 2021-09-08
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Rumpus 8.2.10 on macOS. By crafting a directory name, it is possible to activate JavaScript in the context of the web application after invoking the rename folder functionality.
208 CVE-2020-8512 79 XSS 2020-02-01 2020-02-04
4.3
None Remote Medium Not required None Partial None
In IceWarp Webmail Server through 11.4.4.1, there is XSS in the /webmail/ color parameter.
209 CVE-2020-8510 287 2020-02-03 2020-02-06
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in phpABook 0.9 Intermediate. On the login page, if one sets a userInfo cookie with the value of admin+1+en (user+perms+lang), one can login as any user without a password.
210 CVE-2020-8508 787 2020-02-03 2020-02-06
7.5
None Remote Low Not required Partial Partial Partial
nsak64.sys in Norman Malware Cleaner 2.08.08 allows users to call arbitrary kernel functions because the passing of function pointers between user and kernel mode is mishandled.
211 CVE-2020-8507 319 2020-02-05 2021-12-30
5.0
None Remote Low Not required Partial None None
The Citytv Video application 4.08.0 for Android and 3.35 for iOS sends Unencrypted Analytics.
212 CVE-2020-8506 319 2020-02-05 2021-12-22
5.0
None Remote Low Not required Partial None None
The Global TV application 2.3.2 for Android and 4.7.5 for iOS sends Unencrypted Analytics.
213 CVE-2020-8450 119 Overflow 2020-02-04 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Squid before 4.10. Due to incorrect buffer management, a remote client can cause a buffer overflow in a Squid instance acting as a reverse proxy.
214 CVE-2020-8449 668 2020-02-04 2021-03-04
5.0
None Remote Low Not required Partial None None
An issue was discovered in Squid before 4.10. Due to incorrect input validation, it can interpret crafted HTTP requests in unexpected ways to access server resources prohibited by earlier security filters.
215 CVE-2020-8441 502 Exec Code 2020-02-19 2020-03-13
7.5
None Remote Low Not required Partial Partial Partial
JYaml through 1.3 allows remote code execution during deserialization of a malicious payload through the load() function. NOTE: this is a discontinued product.
216 CVE-2020-8429 20 Bypass 2020-02-11 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
The Admin web application in Kinetica 7.0.9.2.20191118151947 does not properly sanitise the input for the function getLogs. This lack of sanitisation could be exploited to allow an authenticated attacker to run remote code on the underlying operating system. The logFile parameter in the getLogs function was used as a variable in a command to read log files; however, due to poor input sanitisation, it was possible to bypass a replacement and break out of the command.
217 CVE-2020-8427 89 Sql Bypass 2020-02-17 2022-01-01
7.5
None Remote Low Not required Partial Partial Partial
In Unitrends Backup before 10.4.1, an HTTP request parameter was not properly sanitized, allowing for SQL injection that resulted in an authentication bypass.
218 CVE-2020-8132 20 2020-02-28 2020-03-03
7.5
None Remote Low Not required Partial Partial Partial
Lack of input validation in pdf-image npm package version <= 2.0.0 may allow an attacker to run arbitrary code if PDF file path is constructed based on untrusted user input.
219 CVE-2020-8131 22 Exec Code Dir. Trav. 2020-02-24 2020-03-24
5.1
None Remote High Not required Partial Partial Partial
Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.
220 CVE-2020-8130 78 2020-02-24 2020-06-30
6.9
None Local Medium Not required Complete Complete Complete
There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`.
221 CVE-2020-8129 94 Exec Code 2020-02-14 2020-02-21
7.5
None Remote Low Not required Partial Partial Partial
An unintended require vulnerability in script-manager npm package version 0.8.6 and earlier may allow attackers to execute arbitrary code.
222 CVE-2020-8128 918 Exec Code 2020-02-14 2020-02-20
7.5
None Remote Low Not required Partial Partial Partial
An unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code.
223 CVE-2020-8127 79 XSS 2020-02-28 2020-03-03
4.3
None Remote Medium Not required None Partial None
Insufficient validation in cross-origin communication (postMessage) in reveal.js version 3.9.1 and earlier allow attackers to perform cross-site scripting attacks.
224 CVE-2020-8126 269 Exec Code 2020-02-07 2021-07-21
7.2
None Local Low Not required Complete Complete Complete
A privilege escalation in the EdgeSwitch prior to version 1.7.1, an CGI script don't fully sanitize the user input resulting in local commands execution, allowing an operator user (Privilege-1) to escalate privileges and became administrator (Privilege-15).
225 CVE-2020-8125 20 DoS Exec Code 2020-02-04 2020-02-06
7.5
None Remote Low Not required Partial Partial Partial
Flaw in input validation in npm package klona version 1.1.0 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using klona.
226 CVE-2020-8124 20 Bypass 2020-02-04 2020-02-18
5.0
None Remote Low Not required None Partial None
Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks.
227 CVE-2020-8123 400 DoS 2020-02-04 2020-02-06
4.0
None Remote Low ??? None None Partial
A denial of service exists in strapi v3.0.0-beta.18.3 and earlier that can be abused in the admin console using admin rights can lead to arbitrary restart of the application.
228 CVE-2020-8122 20 2020-02-04 2020-02-11
4.0
None Remote Low ??? None Partial None
A missing check in Nextcloud Server 14.0.3 could give recipient the possibility to extend the expiration date of a share they received.
229 CVE-2020-8121 668 2020-02-04 2020-02-11
5.5
None Remote Low ??? Partial Partial None
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer.
230 CVE-2020-8120 79 XSS 2020-02-04 2020-02-06
4.3
None Remote Medium Not required None Partial None
A reflected Cross-Site Scripting vulnerability in Nextcloud Server 16.0.1 was discovered in the svg generation.
231 CVE-2020-8119 863 2020-02-04 2020-02-16
4.0
None Remote Low ??? Partial None None
Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app.
232 CVE-2020-8118 918 2020-02-04 2021-12-22
4.0
None Remote Low ??? Partial None None
An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed to detect local and remote services when adding a new subscription in the calendar application.
233 CVE-2020-8117 281 2020-02-04 2020-02-06
4.0
None Remote Low ??? Partial None None
Improper preservation of permissions in Nextcloud Server 14.0.3 causes the event details to be leaked when sharing a non-public event.
234 CVE-2020-8116 425 2020-02-04 2021-12-22
7.5
None Remote Low Not required Partial Partial Partial
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
235 CVE-2020-8115 79 Exec Code XSS 2020-02-04 2020-02-11
4.3
None Remote Medium Not required None Partial None
A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver <= 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older versions, however, under specific circumstances, it could be possible to steal the session identifier and gain access to the admin interface. The query string sent to the www/delivery/afr.php script was printed back without proper escaping in a JavaScript context, allowing an attacker to execute arbitrary JS code on the browser of the victim.
236 CVE-2020-8114 276 2020-02-05 2020-02-07
7.5
None Remote Low Not required Partial Partial Partial
GitLab EE 8.9 and later through 12.7.2 has Insecure Permission
237 CVE-2020-8089 79 XSS 2020-02-10 2020-02-14
3.5
None Remote Medium ??? None Partial None
Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page.
238 CVE-2020-8012 120 Exec Code Overflow 2020-02-18 2022-04-29
7.5
None Remote Low Not required Partial Partial Partial
CA Unified Infrastructure Management (Nimsoft/UIM) 20.1, 20.3.x, and 9.20 and below contains a buffer overflow vulnerability in the robot (controller) component. A remote attacker can execute arbitrary code.
239 CVE-2020-8011 476 2020-02-18 2021-12-30
5.0
None Remote Low Not required None None Partial
CA Unified Infrastructure Management (Nimsoft/UIM) 20.1, 20.3.x, and 9.20 and below contains a null pointer dereference vulnerability in the robot (controller) component. A remote attacker can crash the Controller service.
240 CVE-2020-8010 Exec Code 2020-02-18 2022-04-29
10.0
None Remote Low Not required Complete Complete Complete
CA Unified Infrastructure Management (Nimsoft/UIM) 20.1, 20.3.x, and 9.20 and below contains an improper ACL handling vulnerability in the robot (controller) component. A remote attacker can execute commands, read from, or write to the target system.
241 CVE-2020-7993 269 2020-02-03 2021-07-21
4.0
None Remote Low ??? None Partial None
Prototype 1.6.0.1 allows remote authenticated users to forge ticket creation (on behalf of other user accounts) via a modified email ID field.
242 CVE-2020-7979 276 2020-02-05 2020-02-07
4.3
None Remote Medium Not required Partial None None
GitLab EE 8.9 and later through 12.7.2 has Insecure Permission
243 CVE-2020-7978 DoS 2020-02-05 2020-02-06
5.0
None Remote Low Not required None None Partial
GitLab EE 12.6 and later through 12.7.2 allows Denial of Service.
244 CVE-2020-7977 276 2020-02-05 2020-02-06
4.3
None Remote Medium Not required None Partial None
GitLab EE 8.8 and later through 12.7.2 has Insecure Permissions.
245 CVE-2020-7976 200 +Info 2020-02-05 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab EE 12.4 and later through 12.7.2 has Incorrect Access Control.
246 CVE-2020-7974 200 +Info 2020-02-05 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab EE 10.1 through 12.7.2 allows Information Disclosure.
247 CVE-2020-7973 79 XSS 2020-02-05 2020-02-06
4.3
None Remote Medium Not required None Partial None
GitLab through 12.7.2 allows XSS.
248 CVE-2020-7972 276 2020-02-05 2020-02-06
5.0
None Remote Low Not required None Partial None
GitLab EE 12.2 has Insecure Permissions (issue 2 of 2).
249 CVE-2020-7971 79 XSS 2020-02-05 2020-02-06
4.3
None Remote Medium Not required None Partial None
GitLab EE 11.0 and later through 12.7.2 allows XSS.
250 CVE-2020-7969 200 +Info 2020-02-05 2021-07-21
5.0
None Remote Low Not required Partial None None
GitLab EE 8.0 and later through 12.7.2 allows Information Disclosure.
Total number of vulnerabilities : 1395   Page : 1 2 3 4 5 (This Page)6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.