| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2020-26935 |
89 |
|
Sql |
2020-10-10 |
2021-03-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL in to a query. |
|
2 |
CVE-2020-26934 |
79 |
|
XSS |
2020-10-10 |
2021-01-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted link. |
|
3 |
CVE-2020-26164 |
400 |
|
DoS |
2020-10-07 |
2021-01-26 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker on the local network could send crafted packets that trigger use of large amounts of CPU, memory, or network connection slots, aka a Denial of Service attack. |
|
4 |
CVE-2020-25829 |
|
|
DoS |
2020-10-16 |
2022-06-15 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x before 4.2.5, and 4.3.x before 4.3.5. A remote attacker can cause the cached records for a given name to be updated to the Bogus DNSSEC validation state, instead of their actual DNSSEC Secure state, via a DNS ANY query. This results in a denial of service for installation that always validate (dnssec=validate), and for clients requesting validation when on-demand validation is enabled (dnssec=process). |
|
5 |
CVE-2020-25032 |
22 |
|
Dir. Trav. |
2020-08-31 |
2022-04-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format. |
|
6 |
CVE-2020-24614 |
862 |
|
Exec Code |
2020-08-25 |
2022-04-28 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Fossil before 2.10.2, 2.11.x before 2.11.2, and 2.12.x before 2.12.1 allows remote authenticated users to execute arbitrary code. An attacker must have check-in privileges on the repository. |
|
7 |
CVE-2020-16011 |
787 |
|
Overflow |
2020-11-03 |
2021-03-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Heap buffer overflow in UI in Google Chrome on Windows prior to 86.0.4240.183 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
|
8 |
CVE-2020-16009 |
787 |
|
|
2020-11-03 |
2021-07-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
|
9 |
CVE-2020-16008 |
787 |
|
Overflow |
2020-11-03 |
2021-03-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Stack buffer overflow in WebRTC in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit stack corruption via a crafted WebRTC packet. |
|
10 |
CVE-2020-16007 |
20 |
|
|
2020-11-03 |
2021-07-21 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Insufficient data validation in installer in Google Chrome prior to 86.0.4240.183 allowed a local attacker to potentially elevate privilege via a crafted filesystem. |
|
11 |
CVE-2020-16006 |
787 |
|
|
2020-11-03 |
2021-03-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
|
12 |
CVE-2020-16005 |
787 |
|
|
2020-11-03 |
2021-07-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Insufficient policy enforcement in ANGLE in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
|
13 |
CVE-2020-16004 |
416 |
|
|
2020-11-03 |
2021-07-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Use after free in user interface in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
|
14 |
CVE-2020-15966 |
|
|
+Info |
2020-09-21 |
2021-03-04 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Insufficient policy enforcement in extensions in Google Chrome prior to 85.0.4183.121 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information via a crafted Chrome Extension. |
|
15 |
CVE-2020-15965 |
843 |
|
|
2020-09-21 |
2021-01-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Type confusion in V8 in Google Chrome prior to 85.0.4183.121 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. |
|
16 |
CVE-2020-15964 |
787 |
|
|
2020-09-21 |
2021-07-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Insufficient data validation in media in Google Chrome prior to 85.0.4183.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
|
17 |
CVE-2020-15963 |
|
|
|
2020-09-21 |
2021-01-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Insufficient policy enforcement in extensions in Google Chrome prior to 85.0.4183.121 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. |
|
18 |
CVE-2020-15962 |
|
|
|
2020-09-21 |
2021-01-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Insufficient policy validation in serial in Google Chrome prior to 85.0.4183.121 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. |
|
19 |
CVE-2020-15961 |
|
|
|
2020-09-21 |
2021-01-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Insufficient policy validation in extensions in Google Chrome prior to 85.0.4183.121 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. |
|
20 |
CVE-2020-15960 |
787 |
|
Overflow |
2020-09-21 |
2021-01-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Heap buffer overflow in storage in Google Chrome prior to 85.0.4183.121 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. |
|
21 |
CVE-2020-15959 |
|
|
+Info |
2020-09-21 |
2021-01-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Insufficient policy enforcement in networking in Google Chrome prior to 85.0.4183.102 allowed an attacker who convinced the user to enable logging to obtain potentially sensitive information from process memory via social engineering. |
|
22 |
CVE-2020-15396 |
362 |
|
|
2020-06-30 |
2022-04-28 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
In HylaFAX+ through 7.0.2 and HylaFAX Enterprise, the faxsetup utility calls chown on files in user-owned directories. By winning a race, a local attacker could use this to escalate his privileges to root. |
|
23 |
CVE-2020-13696 |
863 |
|
|
2020-06-08 |
2022-04-28 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
An issue was discovered in LinuxTV xawtv before 3.107. The function dev_open() in v4l-conf.c does not perform sufficient checks to prevent an unprivileged caller of the program from opening unintended filesystem paths. This allows a local attacker with access to the v4l-conf setuid-root program to test for the existence of arbitrary files and to trigger an open on arbitrary files with mode O_RDWR. To achieve this, relative path components need to be added to the device path, as demonstrated by a v4l-conf -c /dev/../root/.bash_history command. |
|
24 |
CVE-2020-13379 |
918 |
|
|
2020-06-03 |
2021-01-29 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault. |
|
25 |
CVE-2020-12641 |
78 |
|
Exec Code |
2020-05-04 |
2022-04-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. |
|
26 |
CVE-2020-12244 |
347 |
|
Bypass |
2020-05-19 |
2022-04-26 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer, allowing an attacker to bypass DNSSEC validation. |
|
27 |
CVE-2020-12108 |
74 |
|
|
2020-05-06 |
2021-12-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection. |
|
28 |
CVE-2020-12066 |
20 |
|
|
2020-04-22 |
2022-04-29 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
CServer::SendMsg in engine/server/server.cpp in Teeworlds 0.7.x before 0.7.5 allows remote attackers to shut down the server. |
|
29 |
CVE-2020-12050 |
362 |
|
|
2020-04-30 |
2020-05-27 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
SQLiteODBC 0.9996, as packaged for certain Linux distributions as 0.9996-4, has a race condition leading to root privilege escalation because any user can replace a /tmp/sqliteodbc$$ file with new contents that cause loading of an arbitrary library. |
|
30 |
CVE-2020-11800 |
|
|
Exec Code |
2020-10-07 |
2022-01-01 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code. |
|
31 |
CVE-2020-11653 |
617 |
|
|
2020-04-08 |
2022-08-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss. |
|
32 |
CVE-2020-10995 |
400 |
|
|
2020-05-19 |
2022-04-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. An issue in the DNS protocol has been found that allow malicious parties to use recursive DNS services to attack third party authoritative name servers. The attack uses a crafted reply by an authoritative name server to amplify the resulting traffic between the recursive and other authoritative name servers. Both types of service can suffer degraded performance as an effect. This is triggered by random subdomains in the NSDNAME in NS records. PowerDNS Recursor 4.1.16, 4.2.2 and 4.3.1 contain a mitigation to limit the impact of this DNS protocol issue. |
|
33 |
CVE-2020-9273 |
416 |
|
Exec Code |
2020-02-20 |
2021-09-14 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interrupting the data transfer channel. This triggers a use-after-free in alloc_pool in pool.c, and possible remote code execution. |
|
34 |
CVE-2020-9272 |
125 |
|
|
2020-02-20 |
2021-11-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ProFTPD 1.3.7 has an out-of-bounds (OOB) read vulnerability in mod_cap via the cap_text.c cap_to_text function. |
|
35 |
CVE-2020-8955 |
120 |
|
DoS Overflow |
2020-02-12 |
2022-04-18 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
irc_mode_channel_update in plugins/irc/irc-mode.c in WeeChat through 2.7 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a malformed IRC message 324 (channel mode). |
|
36 |
CVE-2020-8233 |
78 |
|
Exec Code |
2020-08-17 |
2022-05-24 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
A command injection vulnerability exists in EdgeSwitch firmware <v1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges. |
|
37 |
CVE-2020-8228 |
307 |
|
|
2020-10-05 |
2020-10-20 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A missing rate limit in the Preferred Providers app 1.7.0 allowed an attacker to set the password an uncontrolled amount of times. |
|
38 |
CVE-2020-8164 |
502 |
|
+Info |
2020-06-19 |
2022-05-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters. |
|
39 |
CVE-2020-8118 |
918 |
|
|
2020-02-04 |
2021-12-22 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed to detect local and remote services when adding a new subscription in the calendar application. |
|
40 |
CVE-2020-7106 |
79 |
|
XSS |
2020-01-16 |
2022-05-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS). |
|
41 |
CVE-2020-7043 |
295 |
|
|
2020-02-27 |
2020-10-09 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL before 1.0.2. tunnel.c mishandles certificate validation because hostname comparisons do not consider '\0' characters, as demonstrated by a good.example.com\x00evil.example.com attack. |
|
42 |
CVE-2020-7042 |
295 |
|
|
2020-02-27 |
2021-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL 1.0.2 or later. tunnel.c mishandles certificate validation because the hostname check operates on uninitialized memory. The outcome is that a valid certificate is never accepted (only a malformed certificate may be accepted). |
|
43 |
CVE-2020-7041 |
295 |
|
|
2020-02-27 |
2020-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL 1.0.2 or later. tunnel.c mishandles certificate validation because an X509_check_host negative error code is interpreted as a successful return value. |
|
44 |
CVE-2020-7040 |
59 |
|
|
2020-01-21 |
2020-09-17 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
storeBackup.pl in storeBackup through 3.5 relies on the /tmp/storeBackup.lock pathname, which allows symlink attacks that possibly lead to privilege escalation. (Local users can also create a plain file named /tmp/storeBackup.lock to block use of storeBackup until an admin manually deletes that file.) |
|
45 |
CVE-2020-6576 |
416 |
|
|
2020-09-21 |
2021-07-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Use after free in offscreen canvas in Google Chrome prior to 85.0.4183.102 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
|
46 |
CVE-2020-6575 |
362 |
|
|
2020-09-21 |
2021-01-27 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
Race in Mojo in Google Chrome prior to 85.0.4183.102 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
|
47 |
CVE-2020-6574 |
|
|
|
2020-09-21 |
2021-01-02 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Insufficient policy enforcement in installer in Google Chrome on OS X prior to 85.0.4183.102 allowed a local attacker to potentially achieve privilege escalation via a crafted binary. |
|
48 |
CVE-2020-6573 |
416 |
|
|
2020-09-21 |
2021-01-27 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Use after free in video in Google Chrome on Android prior to 85.0.4183.102 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
|
49 |
CVE-2020-6571 |
20 |
|
|
2020-09-21 |
2021-01-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Insufficient data validation in Omnibox in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. |
|
50 |
CVE-2020-6570 |
200 |
|
+Info |
2020-09-21 |
2021-01-28 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Information leakage in WebRTC in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to obtain potentially sensitive information via a crafted WebRTC interaction. |
