| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 201 | CVE-2020-8547 | 843 | | Bypass | 2020-02-03 | 2021-07-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters. |
| 202 | CVE-2020-8545 | 22 | | Dir. Trav. | 2020-02-03 | 2020-02-06 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Global.py in AIL framework 2.8 allows path traversal. |
| 203 | CVE-2020-8518 | 94 | | Exec Code | 2020-02-17 | 2022-01-01 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution. |
| 204 | CVE-2020-8517 | 20 | | DoS | 2020-02-04 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | None | None | Partial | An issue was discovered in Squid before 4.10. Due to incorrect input validation, the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections, this can result in the helper process being terminated unexpectedly. This leads to the Squid process also terminating and a denial of service for all clients using the proxy. |
| 205 | CVE-2020-8516 | | | | 2020-02-02 | 2022-04-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | ** DISPUTED ** The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before attempting to connect to it, which might make it easier for remote attackers to discover circuit information. NOTE: The network team of Tor claims this is an intended behavior and not a vulnerability. |
| 206 | CVE-2020-8515 | 78 | | Exec Code | 2020-02-01 | 2022-01-01 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1. |
| 207 | CVE-2020-8514 | 79 | | XSS | 2020-02-02 | 2021-09-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Rumpus 8.2.10 on macOS. By crafting a directory name, it is possible to activate JavaScript in the context of the web application after invoking the rename folder functionality. |
| 208 | CVE-2020-8512 | 79 | | XSS | 2020-02-01 | 2020-02-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In IceWarp Webmail Server through 11.4.4.1, there is XSS in the /webmail/ color parameter. |
| 209 | CVE-2020-8510 | 287 | | | 2020-02-03 | 2020-02-06 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in phpABook 0.9 Intermediate. On the login page, if one sets a userInfo cookie with the value of admin+1+en (user+perms+lang), one can login as any user without a password. |
| 210 | CVE-2020-8508 | 787 | | | 2020-02-03 | 2020-02-06 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | nsak64.sys in Norman Malware Cleaner 2.08.08 allows users to call arbitrary kernel functions because the passing of function pointers between user and kernel mode is mishandled. |
| 211 | CVE-2020-8507 | 319 | | | 2020-02-05 | 2021-12-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Citytv Video application 4.08.0 for Android and 3.35 for iOS sends Unencrypted Analytics. |
| 212 | CVE-2020-8506 | 319 | | | 2020-02-05 | 2021-12-22 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Global TV application 2.3.2 for Android and 4.7.5 for iOS sends Unencrypted Analytics. |
| 213 | CVE-2020-8450 | 119 | | Overflow | 2020-02-04 | 2021-07-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in Squid before 4.10. Due to incorrect buffer management, a remote client can cause a buffer overflow in a Squid instance acting as a reverse proxy. |
| 214 | CVE-2020-8449 | 668 | | | 2020-02-04 | 2021-03-04 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue was discovered in Squid before 4.10. Due to incorrect input validation, it can interpret crafted HTTP requests in unexpected ways to access server resources prohibited by earlier security filters. |
| 215 | CVE-2020-8441 | 502 | | Exec Code | 2020-02-19 | 2020-03-13 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | JYaml through 1.3 allows remote code execution during deserialization of a malicious payload through the load() function. NOTE: this is a discontinued product. |
| 216 | CVE-2020-8429 | 20 | | Bypass | 2020-02-11 | 2021-07-21 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | The Admin web application in Kinetica 7.0.9.2.20191118151947 does not properly sanitise the input for the function getLogs. This lack of sanitisation could be exploited to allow an authenticated attacker to run remote code on the underlying operating system. The logFile parameter in the getLogs function was used as a variable in a command to read log files; however, due to poor input sanitisation, it was possible to bypass a replacement and break out of the command. |
| 217 | CVE-2020-8427 | 89 | | Sql Bypass | 2020-02-17 | 2022-01-01 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | In Unitrends Backup before 10.4.1, an HTTP request parameter was not properly sanitized, allowing for SQL injection that resulted in an authentication bypass. |
| 218 | CVE-2020-8132 | 20 | | | 2020-02-28 | 2020-03-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Lack of input validation in pdf-image npm package version <= 2.0.0 may allow an attacker to run arbitrary code if the PDF file path is constructed based on untrusted user input. |
| 219 | CVE-2020-8131 | 22 | | Exec Code Dir. Trav. | 2020-02-24 | 2020-03-24 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial | Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package. |
| 220 | CVE-2020-8130 | 78 | | | 2020-02-24 | 2020-06-30 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `\|`. |
| 221 | CVE-2020-8129 | 94 | | Exec Code | 2020-02-14 | 2020-02-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An unintended require vulnerability in script-manager npm package version 0.8.6 and earlier may allow attackers to execute arbitrary code. |
| 222 | CVE-2020-8128 | 918 | | Exec Code | 2020-02-14 | 2020-02-20 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code. |
| 223 | CVE-2020-8127 | 79 | | XSS | 2020-02-28 | 2020-03-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Insufficient validation in cross-origin communication (postMessage) in reveal.js version 3.9.1 and earlier allows attackers to perform cross-site scripting attacks. |
| 224 | CVE-2020-8126 | 269 | | Exec Code | 2020-02-07 | 2021-07-21 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | A privilege escalation in the EdgeSwitch prior to version 1.7.1: a CGI script does not fully sanitize the user input, resulting in local command execution and allowing an operator user (Privilege-1) to escalate privileges and become administrator (Privilege-15). |
| 225 | CVE-2020-8125 | 20 | | DoS Exec Code | 2020-02-04 | 2020-02-06 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Flaw in input validation in npm package klona version 1.1.0 and earlier may allow a prototype pollution attack that may result in remote code execution or denial of service of applications using klona. |
| 226 | CVE-2020-8124 | 20 | | Bypass | 2020-02-04 | 2020-02-18 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Insufficient validation and sanitization of user input in url-parse npm package version 1.4.4 and earlier may allow an attacker to bypass security checks. |
| 227 | CVE-2020-8123 | 400 | | DoS | 2020-02-04 | 2020-02-06 | 4.0 | None | Remote | Low | ??? | None | None | Partial | A denial of service exists in strapi v3.0.0-beta.18.3 and earlier that can be abused in the admin console with admin rights and can lead to an arbitrary restart of the application. |
| 228 | CVE-2020-8122 | 20 | | | 2020-02-04 | 2020-02-11 | 4.0 | None | Remote | Low | ??? | None | Partial | None | A missing check in Nextcloud Server 14.0.3 could give a recipient the possibility to extend the expiration date of a share they received. |
| 229 | CVE-2020-8121 | 668 | | | 2020-02-04 | 2020-02-11 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None | A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. |
| 230 | CVE-2020-8120 | 79 | | XSS | 2020-02-04 | 2020-02-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A reflected Cross-Site Scripting vulnerability in Nextcloud Server 16.0.1 was discovered in the svg generation. |
| 231 | CVE-2020-8119 | 863 | | | 2020-02-04 | 2020-02-16 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app. |
| 232 | CVE-2020-8118 | 918 | | | 2020-02-04 | 2021-12-22 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed detecting local and remote services when adding a new subscription in the calendar application. |
| 233 | CVE-2020-8117 | 281 | | | 2020-02-04 | 2020-02-06 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Improper preservation of permissions in Nextcloud Server 14.0.3 causes the event details to be leaked when sharing a non-public event. |
| 234 | CVE-2020-8116 | 425 | | | 2020-02-04 | 2021-12-22 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects. |
| 235 | CVE-2020-8115 | 79 | | Exec Code XSS | 2020-02-04 | 2020-02-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver <= 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older versions, however, under specific circumstances, it could be possible to steal the session identifier and gain access to the admin interface. The query string sent to the www/delivery/afr.php script was printed back without proper escaping in a JavaScript context, allowing an attacker to execute arbitrary JS code on the browser of the victim. |
| 236 | CVE-2020-8114 | 276 | | | 2020-02-05 | 2020-02-07 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | GitLab EE 8.9 and later through 12.7.2 has Insecure Permission. |
| 237 | CVE-2020-8089 | 79 | | XSS | 2020-02-10 | 2020-02-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page. |
| 238 | CVE-2020-8012 | 120 | | Exec Code Overflow | 2020-02-18 | 2022-04-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | CA Unified Infrastructure Management (Nimsoft/UIM) 20.1, 20.3.x, and 9.20 and below contains a buffer overflow vulnerability in the robot (controller) component. A remote attacker can execute arbitrary code. |
| 239 | CVE-2020-8011 | 476 | | | 2020-02-18 | 2021-12-30 | 5.0 | None | Remote | Low | Not required | None | None | Partial | CA Unified Infrastructure Management (Nimsoft/UIM) 20.1, 20.3.x, and 9.20 and below contains a null pointer dereference vulnerability in the robot (controller) component. A remote attacker can crash the Controller service. |
| 240 | CVE-2020-8010 | | | Exec Code | 2020-02-18 | 2022-04-29 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | CA Unified Infrastructure Management (Nimsoft/UIM) 20.1, 20.3.x, and 9.20 and below contains an improper ACL handling vulnerability in the robot (controller) component. A remote attacker can execute commands, read from, or write to the target system. |
| 241 | CVE-2020-7993 | 269 | | | 2020-02-03 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | None | Partial | None | Prototype 1.6.0.1 allows remote authenticated users to forge ticket creation (on behalf of other user accounts) via a modified email ID field. |
| 242 | CVE-2020-7979 | 276 | | | 2020-02-05 | 2020-02-07 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | GitLab EE 8.9 and later through 12.7.2 has Insecure Permission. |
| 243 | CVE-2020-7978 | | | DoS | 2020-02-05 | 2020-02-06 | 5.0 | None | Remote | Low | Not required | None | None | Partial | GitLab EE 12.6 and later through 12.7.2 allows Denial of Service. |
| 244 | CVE-2020-7977 | 276 | | | 2020-02-05 | 2020-02-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | GitLab EE 8.8 and later through 12.7.2 has Insecure Permissions. |
| 245 | CVE-2020-7976 | 200 | | +Info | 2020-02-05 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | GitLab EE 12.4 and later through 12.7.2 has Incorrect Access Control. |
| 246 | CVE-2020-7974 | 200 | | +Info | 2020-02-05 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | GitLab EE 10.1 through 12.7.2 allows Information Disclosure. |
| 247 | CVE-2020-7973 | 79 | | XSS | 2020-02-05 | 2020-02-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | GitLab through 12.7.2 allows XSS. |
| 248 | CVE-2020-7972 | 276 | | | 2020-02-05 | 2020-02-06 | 5.0 | None | Remote | Low | Not required | None | Partial | None | GitLab EE 12.2 has Insecure Permissions (issue 2 of 2). |
| 249 | CVE-2020-7971 | 79 | | XSS | 2020-02-05 | 2020-02-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | GitLab EE 11.0 and later through 12.7.2 allows XSS. |
| 250 | CVE-2020-7969 | 200 | | +Info | 2020-02-05 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | GitLab EE 8.0 and later through 12.7.2 allows Information Disclosure. |