CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
301 CVE-2020-24630 269 2020-10-19 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
A remote operatoronlinelist_content privilege escalation vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
302 CVE-2020-24629 287 Bypass 2020-10-19 2020-10-21
10.0
None Remote Low Not required Complete Complete Complete
A remote urlaccesscontroller authentication bypass vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
303 CVE-2020-24628 94 2020-10-02 2020-10-14
6.5
None Remote Low ??? Partial Partial Partial
A remote code injection vulnerability was discovered in HPE KVM IP Console Switches version(s): G2 4x1Ex32 Prior to 2.8.3.
304 CVE-2020-24627 79 XSS 2020-10-02 2020-10-14
3.5
None Remote Medium ??? None Partial None
A remote stored xss vulnerability was discovered in HPE KVM IP Console Switches version(s): G2 4x1Ex32 Prior to 2.8.3.
305 CVE-2020-24620 798 2020-10-01 2021-02-12
2.1
None Local Low Not required Partial None None
Unisys Stealth(core) before 4.0.134 stores passwords in a recoverable format. Therefore, a search of Enterprise Manager can potentially reveal credentials.
306 CVE-2020-24568 89 Sql 2020-10-02 2020-10-15
4.0
None Remote Low ??? Partial None None
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a blind SQL injection in the lancompenent component, allowing logged-in attackers to discover arbitrary information.
307 CVE-2020-24551 601 2020-10-14 2020-10-26
5.8
None Remote Medium Not required Partial Partial None
IProom MMC+ Server login page does not validate specific parameters properly. Attackers can use the vulnerability to redirect to any malicious site and steal the victim's login credentials.
308 CVE-2020-24425 427 2020-10-21 2021-09-08
7.2
None Local Low Not required Complete Complete Complete
Dreamweaver version 20.2 (and earlier) is affected by an uncontrolled search path element vulnerability that could lead to privilege escalation. Successful exploitation could result in a local user with permissions to write to the file system running system commands with administrator privileges.
309 CVE-2020-24424 427 Exec Code 2020-10-21 2021-09-08
6.9
None Local Medium Not required Complete Complete Complete
Adobe Premiere Pro version 14.4 (and earlier) is affected by an uncontrolled search path element that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
310 CVE-2020-24423 427 Exec Code 2020-10-21 2020-10-29
6.9
None Local Medium Not required Complete Complete Complete
Adobe Media Encoder version 14.4 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
311 CVE-2020-24422 427 Exec Code 2020-10-21 2020-11-02
6.8
None Remote Medium Not required Partial Partial Partial
Adobe Creative Cloud Desktop Application version 5.2 (and earlier) and 2.1 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
312 CVE-2020-24421 476 2020-10-21 2021-12-10
4.3
None Remote Medium Not required None None Partial
Adobe InDesign version 15.1.2 (and earlier) is affected by a NULL pointer dereference bug that occurs when handling a malformed .indd file. The impact is limited to causing a denial-of-service of the client application. User interaction is required to exploit this issue.
313 CVE-2020-24420 427 Exec Code 2020-10-21 2020-10-29
6.9
None Local Medium Not required Complete Complete Complete
Adobe Photoshop for Windows version 21.2.1 (and earlier) is affected by an uncontrolled search path element vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
314 CVE-2020-24419 427 Exec Code 2020-10-21 2020-10-29
6.9
None Local Medium Not required Complete Complete Complete
Adobe After Effects version 17.1.1 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
315 CVE-2020-24418 125 Exec Code 2020-10-21 2020-10-29
9.3
None Remote Medium Not required Complete Complete Complete
Adobe After Effects version 17.1.1 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted .aepx file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. This vulnerability requires user interaction to exploit.
316 CVE-2020-24416 79 XSS 2020-10-20 2020-10-22
4.3
None Remote Medium Not required None Partial None
Marketo Sales Insight plugin version 1.4355 (and earlier) is affected by a blind stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
317 CVE-2020-24415 787 Exec Code Mem. Corr. 2020-10-20 2021-09-14
6.8
None Remote Medium Not required Partial Partial Partial
Adobe Illustrator version 24.1.2 (and earlier) is affected by a memory corruption vulnerability that occurs when parsing a specially crafted .svg file. This could result in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.
318 CVE-2020-24414 787 Exec Code Mem. Corr. 2020-10-20 2021-09-14
6.8
None Remote Medium Not required Partial Partial Partial
Adobe Illustrator version 24.1.2 (and earlier) is affected by a memory corruption vulnerability that occurs when parsing a specially crafted .svg file. This could result in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.
319 CVE-2020-24413 787 Exec Code Mem. Corr. 2020-10-20 2021-09-14
6.8
None Remote Medium Not required Partial Partial Partial
Adobe Illustrator version 24.1.2 (and earlier) is affected by a memory corruption vulnerability that occurs when parsing a specially crafted .svg file. This could result in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.
320 CVE-2020-24412 787 Exec Code Mem. Corr. 2020-10-20 2021-09-14
6.8
None Remote Medium Not required Partial Partial Partial
Adobe Illustrator version 24.1.2 (and earlier) is affected by a memory corruption vulnerability that occurs when parsing a specially crafted .svg file. This could result in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.
321 CVE-2020-24411 787 Exec Code 2020-10-20 2020-11-10
6.8
None Remote Medium Not required Partial Partial Partial
Adobe Illustrator version 24.2 (and earlier) is affected by an out-of-bounds write vulnerability when handling crafted PDF files. This could result in a write past the end of an allocated memory structure, potentially resulting in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.
322 CVE-2020-24410 125 Exec Code 2020-10-20 2020-11-10
6.8
None Remote Medium Not required Partial Partial Partial
Adobe Illustrator version 24.2 (and earlier) is affected by an out-of-bounds read vulnerability when parsing crafted PDF files. This could result in a read past the end of an allocated memory structure, potentially resulting in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.
323 CVE-2020-24409 125 Exec Code 2020-10-20 2020-11-10
6.8
None Remote Medium Not required Partial Partial Partial
Adobe Illustrator version 24.2 (and earlier) is affected by an out-of-bounds read vulnerability when parsing crafted PDF files. This could result in a read past the end of an allocated memory structure, potentially resulting in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.
324 CVE-2020-24408 79 XSS 2020-10-16 2021-03-25
4.3
None Remote Medium Not required None Partial None
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component. This vulnerability could be abused by an unauthenticated attacker to execute XSS attacks against other Magento users. This vulnerability requires a victim to browse to the uploaded file.
325 CVE-2020-24397 190 Exec Code Overflow 2020-10-02 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.0.SP-534. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges.
326 CVE-2020-24388 20 DoS 2020-10-19 2021-07-21
5.0
None Remote Low Not required None None Partial
An issue was discovered in the _send_secure_msg() function of yubihsm-shell through 2.0.2. The function does not validate the embedded length field of a message received from the device. This could lead to an oversized memcpy() call that will crash the running process. This could be used by an attacker to cause a denial of service.
327 CVE-2020-24387 613 DoS 2020-10-19 2021-07-21
5.0
None Remote Low Not required None None Partial
An issue was discovered in the yh_create_session() function of yubihsm-shell through 2.0.2. The function does not explicitly check the returned session id from the device. An invalid session id would lead to out-of-bounds read and write operations in the session array. This could be used by an attacker to cause a denial of service attack.
328 CVE-2020-24375 290 2020-10-19 2020-10-27
4.3
None Remote Medium Not required Partial None None
A DNS rebinding vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3.
329 CVE-2020-24356 269 Exec Code 2020-10-02 2021-07-21
4.6
None Local Low Not required Partial Partial Partial
`cloudflared` versions prior to 2020.8.1 contain a local privilege escalation vulnerability on Windows systems. When run on a Windows system, `cloudflared` searches for configuration files which could be abused by a malicious entity to execute commands as a privileged user. Version 2020.8.1 fixes this issue.
330 CVE-2020-24352 119 DoS Overflow 2020-10-16 2021-07-21
2.1
None Local Low Not required None None Partial
An issue was discovered in QEMU through 5.1.0. An out-of-bounds memory access was found in the ATI VGA device implementation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati_2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.
331 CVE-2020-24303 79 XSS 2020-10-28 2022-06-03
4.3
None Remote Medium Not required None Partial None
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
332 CVE-2020-24301 79 XSS 2020-10-08 2020-10-15
4.3
None Remote Medium Not required None Partial None
Users of the HAPI FHIR Testpage Overlay 5.0.0 and below can use a specially crafted URL to exploit an XSS vulnerability in this module, allowing arbitrary JavaScript to be executed in the user's browser. The impact of this vulnerability is believed to be low, as this module is intended for testing and not believed to be widely used for any production purposes.
333 CVE-2020-24266 787 DoS Overflow 2020-10-19 2022-04-08
5.0
None Remote Low Not required None None Partial
An issue was discovered in tcpreplay tcpprep v4.3.3. There is a heap buffer overflow vulnerability in get_l2len() that can make tcpprep crash and cause a denial of service.
334 CVE-2020-24265 787 DoS Overflow 2020-10-19 2022-04-08
5.0
None Remote Low Not required None None Partial
An issue was discovered in tcpreplay tcpprep v4.3.3. There is a heap buffer overflow vulnerability in MemcmpInterceptorCommon() that can make tcpprep crash and cause a denial of service.
335 CVE-2020-24246 2020-10-07 2020-10-23
5.0
None Remote Low Not required Partial None None
Peplink Balance before 8.1.0rc1 allows an unauthenticated attacker to download PHP configuration files (/filemanager/php/connector.php) from Web Admin.
336 CVE-2020-24231 Exec Code 2020-10-05 2020-10-20
7.5
None Remote Low Not required Partial Partial Partial
Symmetric DS <3.12.0 uses mx4j to provide access to JMX over HTTP. mx4j, by default, has no auth and is available on all interfaces. An attacker can interact with JMX: get system info, and invoke MBean methods. It is possible to install additional MBeans from a remote host using MLet that leads to arbitrary code execution.
337 CVE-2020-24219 22 Dir. Trav. 2020-10-06 2022-01-06
7.8
None Remote Low Not required Complete None None
An issue was discovered on URayTech IPTV/H.264/H.265 video encoders through 1.97. Attackers can send crafted unauthenticated HTTP requests to exploit path traversal and pattern-matching programming flaws, and retrieve any file from the device's file system, including the configuration file with the cleartext administrative password.
338 CVE-2020-24218 798 2020-10-06 2020-10-19
5.0
None Remote Low Not required Partial None None
An issue was discovered on URayTech IPTV/H.264/H.265 video encoders through 1.97. Attackers can log in as root via the password that is hard-coded in the executable file.
339 CVE-2020-24217 306 Exec Code 2020-10-06 2022-01-01
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. The file-upload endpoint does not enforce authentication. Attackers can send an unauthenticated HTTP request to upload a custom firmware component, possibly in conjunction with command injection, to achieve arbitrary code execution.
340 CVE-2020-24216 2020-10-06 2020-10-19
5.0
None Remote Low Not required Partial None None
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. When the administrator configures a secret URL for RTSP streaming, the stream is still available via its default name such as /0. Unauthenticated attackers can view video streams that are meant to be private.
341 CVE-2020-24215 798 Exec Code 2020-10-06 2020-10-20
5.0
None Remote Low Not required Partial None None
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. Attackers can use hard-coded credentials in HTTP requests to perform any administrative task on the device including retrieving the device's configuration (with the cleartext admin password), and uploading a custom firmware update, to ultimately achieve arbitrary code execution.
342 CVE-2020-24214 Overflow 2020-10-06 2020-10-20
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. Attackers can send a crafted unauthenticated RTSP request to cause a buffer overflow and application crash. The device will not be able to perform its main purpose of video encoding and streaming for up to a minute, until it automatically reboots. Attackers can send malicious requests once a minute, effectively disabling the device.
343 CVE-2020-24188 79 XSS 2020-10-14 2020-10-19
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 20.03 allows remote attackers to inject arbitrary web script or HTML via the request parameter.
344 CVE-2020-24033 352 2020-10-22 2020-11-02
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in fs.com S3900 24T4S 1.7.0 and earlier. The form does not have an authentication or token authentication mechanism that allows remote attackers to forge requests on behalf of a site administrator to change all settings including deleting users, creating new users with escalated privileges.
345 CVE-2020-23945 89 Sql +Info 2020-10-27 2020-10-27
5.0
None Remote Low Not required Partial None None
A SQL injection vulnerability exists in Victor CMS V1.0 in the cat_id parameter of the category.php file. This parameter can be used by sqlmap to obtain data information in the database.
346 CVE-2020-23864 2020-10-27 2020-10-27
6.9
None Local Medium Not required Complete Complete Complete
An issue exits in IOBit Malware Fighter version 8.0.2.547. Local escalation of privileges is possible by dropping a malicious DLL file into the WindowsApps folder.
347 CVE-2020-23832 79 XSS 2020-10-06 2020-10-14
4.3
None Remote Medium Not required None Partial None
A Persistent Cross-Site Scripting (XSS) vulnerability in message_admin.php in Projectworlds Car Rental Management System v1.0 allows unauthenticated remote attackers to harvest an admin login session cookie and steal an admin session upon an admin login.
348 CVE-2020-22552 2020-10-28 2020-11-03
5.0
None Remote Low Not required None None Partial
The Snap7 server component in version 1.4.1, when an attacker sends a crafted packet with COTP protocol the last-data-unit flag set to No and S7 writes a var function, the Snap7 server will be crashed.
349 CVE-2020-21674 787 DoS Overflow 2020-10-15 2020-10-26
4.3
None Remote Medium Not required None None Partial
Heap-based buffer overflow in archive_string_append_from_wcs() (archive_string.c) in libarchive-3.4.1dev allows remote attackers to cause a denial of service (out-of-bounds write in heap memory resulting into a crash) via a crafted archive file. NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected.
350 CVE-2020-21266 79 XSS 2020-10-29 2020-11-03
4.3
None Remote Medium Not required None Partial None
Broadleaf Commerce 5.1.14-GA is affected by cross-site scripting (XSS) due to a slow HTTP post vulnerability.
Total number of vulnerabilities : 1563   Page : 1 2 3 4 5 6 7 (This Page)8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.