Security Vulnerabilities Published In November 2020

Source: CVEdetails.com. Each record below gives the columns of the original table (# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.) on one line, followed by the CVE description. "-" marks a cell that was empty in the original; "???" is reproduced exactly as the original shows it in the Authentication column.
451 CVE-2020-25013 | CWE: - | Exploits: - | Type: DoS | Published: 2020-11-16 | Updated: 2020-11-21 | Score: 5.0 | Gained access: None | Access: Remote | Complexity: Low | Auth: Not required | Conf/Integ/Avail: None/None/Partial
JetBrains ToolBox before version 1.18 is vulnerable to a Denial of Service attack via a browser protocol handler.

452 CVE-2020-24881 | CWE: 918 | Exploits: - | Type: - | Published: 2020-11-02 | Updated: 2021-01-30 | Score: 7.5 | Gained access: None | Access: Remote | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Partial/Partial/Partial
SSRF exists in osTicket before 1.14.3, where an attacker can add malicious file to server or perform port scanning.

453 CVE-2020-24849 | CWE: 116 | Exploits: - | Type: Exec Code | Published: 2020-11-05 | Updated: 2021-07-21 | Score: 6.5 | Gained access: None | Access: Remote | Complexity: Low | Auth: ??? | Conf/Integ/Avail: Partial/Partial/Partial
A remote code execution vulnerability is identified in FruityWifi through 2.4. Due to improperly escaped shell metacharacters obtained from the POST request at the page_config_adv.php page, it is possible to perform remote code execution by an authenticated attacker. This is similar to CVE-2018-17317.

454 CVE-2020-24815 | CWE: 918 | Exploits: - | Type: - | Published: 2020-11-24 | Updated: 2020-12-02 | Score: 4.0 | Gained access: None | Access: Remote | Complexity: Low | Auth: ??? | Conf/Integ/Avail: Partial/None/None
A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded in a dossier/dashboard document. NOTE: 10.4., no fix will be released as version will reach end-of-life on 31/12/2020.

455 CVE-2020-24723 | CWE: 79 | Exploits: - | Type: XSS | Published: 2020-11-18 | Updated: 2021-09-21 | Score: 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: ??? | Conf/Integ/Avail: None/Partial/None
Cross Site Scripting (XSS) vulnerability in the Registration page of the admin panel in PHPGurukul User Registration & Login and User Management System With admin panel 2.1.

456 CVE-2020-24719 | CWE: 78 | Exploits: - | Type: Exec Code | Published: 2020-11-12 | Updated: 2020-11-30 | Score: 10.0 | Gained access: None | Access: Remote | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Complete/Complete/Complete
Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. Communication between Erlang nodes is done by exchanging a shared secret (aka "magic cookie"). There are cases where the magic cookie is included in the content of the logs. An attacker can use the cookie to attach to an Erlang node and run OS level commands on the system running the Erlang node. Affects version: 6.5.1. Fix version: 6.6.0.

457 CVE-2020-24573 | CWE: 400 | Exploits: - | Type: DoS | Published: 2020-11-12 | Updated: 2020-11-24 | Score: 5.0 | Gained access: None | Access: Remote | Complexity: Low | Auth: Not required | Conf/Integ/Avail: None/None/Partial
BAB TECHNOLOGIE GmbH eibPort V3 prior to 3.8.3 devices allow denial of service (Uncontrolled Resource Consumption) via requests to the lighttpd component.

458 CVE-2020-24525 | CWE: 281 | Exploits: - | Type: - | Published: 2020-11-12 | Updated: 2021-07-21 | Score: 4.6 | Gained access: None | Access: Local | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Partial/Partial/Partial
Insecure inherited permissions in firmware update tool for some Intel(R) NUCs may allow an authenticated user to potentially enable escalation of privilege via local access.

459 CVE-2020-24460 | CWE: 276 | Exploits: - | Type: DoS | Published: 2020-11-12 | Updated: 2020-11-20 | Score: 2.1 | Gained access: None | Access: Local | Complexity: Low | Auth: Not required | Conf/Integ/Avail: None/None/Partial
Incorrect default permissions in the Intel(R) DSA before version 20.8.30.6 may allow an authenticated user to potentially enable denial of service via local access.

460 CVE-2020-24456 | CWE: 276 | Exploits: - | Type: - | Published: 2020-11-12 | Updated: 2020-11-20 | Score: 4.6 | Gained access: None | Access: Local | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Partial/Partial/Partial
Incorrect default permissions in the Intel(R) Board ID Tool version v.1.01 may allow an authenticated user to potentially enable escalation of privilege via local access.

461 CVE-2020-24454 | CWE: 611 | Exploits: - | Type: - | Published: 2020-11-12 | Updated: 2020-12-01 | Score: 5.0 | Gained access: None | Access: Remote | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Partial/None/None
Improper Restriction of XML External Entity Reference in subsystem for Intel(R) Quartus(R) Prime Pro Edition before version 20.3 and Intel(R) Quartus(R) Prime Standard Edition before version 20.2 may allow unauthenticated user to potentially enable information disclosure via network access.

462 CVE-2020-24443 | CWE: 79 | Exploits: - | Type: XSS | Published: 2020-11-12 | Updated: 2020-11-17 | Score: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: None/Partial/None
Adobe Connect version 11.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

463 CVE-2020-24442 | CWE: 79 | Exploits: - | Type: XSS | Published: 2020-11-12 | Updated: 2020-11-17 | Score: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: None/Partial/None
Adobe Connect version 11.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

464 CVE-2020-24441 | CWE: 284 | Exploits: - | Type: - | Published: 2020-11-12 | Updated: 2020-11-23 | Score: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: Partial/None/None
Adobe Acrobat Reader for Android version 20.6.2 (and earlier) does not properly restrict access to directories created by the application. This could result in disclosure of sensitive information stored in databases used by the application. Exploitation requires a victim to download and run a malicious application.

465 CVE-2020-24439 | CWE: 347 | Exploits: - | Type: Bypass | Published: 2020-11-05 | Updated: 2021-09-16 | Score: 1.2 | Gained access: None | Access: Local | Complexity: High | Auth: Not required | Conf/Integ/Avail: None/Partial/None
Acrobat Reader DC for macOS versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by a security feature bypass. While the practical security impact is minimal, a defense-in-depth fix has been implemented to further harden the Adobe Reader update process.

466 CVE-2020-24438 | CWE: 416 | Exploits: - | Type: - | Published: 2020-11-05 | Updated: 2021-09-08 | Score: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: Partial/None/None
Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by a use-after-free vulnerability that could result in a memory address leak. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

467 CVE-2020-24437 | CWE: 416 | Exploits: - | Type: Exec Code | Published: 2020-11-05 | Updated: 2021-09-08 | Score: 6.8 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: Partial/Partial/Partial
Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by a use-after-free vulnerability in the processing of Format event actions that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

468 CVE-2020-24436 | CWE: 787 | Exploits: - | Type: Exec Code | Published: 2020-11-05 | Updated: 2021-09-16 | Score: 6.8 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: Partial/Partial/Partial
Acrobat Pro DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by an out-of-bounds write vulnerability that could result in writing past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. This vulnerability requires user interaction to exploit in that the victim must open a malicious document.

469 CVE-2020-24435 | CWE: 122 | Exploits: - | Type: Exec Code Overflow | Published: 2020-11-05 | Updated: 2021-09-08 | Score: 6.8 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: Partial/Partial/Partial
Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by a heap-based buffer overflow vulnerability in the submitForm function, potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted .pdf file in Acrobat Reader.

470 CVE-2020-24434 | CWE: 125 | Exploits: - | Type: Bypass | Published: 2020-11-05 | Updated: 2021-09-16 | Score: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: Partial/None/None
Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

471 CVE-2020-24433 | CWE: 284 | Exploits: - | Type: Exec Code | Published: 2020-11-05 | Updated: 2021-09-08 | Score: 9.3 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: Complete/Complete/Complete
Adobe Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by a local privilege escalation vulnerability that could enable a user without administrator privileges to delete arbitrary files and potentially execute arbitrary code as SYSTEM. Exploitation of this issue requires an attacker to socially engineer a victim, or the attacker must already have some access to the environment.

472 CVE-2020-24432 | CWE: 20 | Exploits: - | Type: - | Published: 2020-11-05 | Updated: 2021-09-08 | Score: 6.8 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: Partial/Partial/Partial
Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) and Adobe Acrobat Pro DC 2017.011.30175 (and earlier) are affected by an improper input validation vulnerability that could result in arbitrary JavaScript execution in the context of the current user. To exploit this issue, an attacker must acquire and then modify a certified PDF document that is trusted by the victim. The attacker then needs to convince the victim to open the document.

473 CVE-2020-24431 | CWE: 285 | Exploits: - | Type: Bypass | Published: 2020-11-05 | Updated: 2021-09-08 | Score: 5.8 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: Partial/Partial/None
Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) for macOS are affected by a security feature bypass that could result in dynamic library code injection by the Adobe Reader process. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

474 CVE-2020-24430 | CWE: 416 | Exploits: - | Type: Exec Code | Published: 2020-11-05 | Updated: 2021-09-08 | Score: 6.8 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: Partial/Partial/Partial
Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by a use-after-free vulnerability when handling malicious JavaScript. This vulnerability could result in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a malicious file.

475 CVE-2020-24429 | CWE: 347 | Exploits: - | Type: Bypass | Published: 2020-11-05 | Updated: 2021-09-08 | Score: 6.8 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: Partial/Partial/Partial
Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) for macOS are affected by a signature verification bypass that could result in local privilege escalation. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

476 CVE-2020-24428 | CWE: 367 | Exploits: - | Type: - | Published: 2020-11-05 | Updated: 2021-09-08 | Score: 5.1 | Gained access: None | Access: Remote | Complexity: High | Auth: Not required | Conf/Integ/Avail: Partial/Partial/Partial
Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) for macOS are affected by a time-of-check time-of-use (TOCTOU) race condition vulnerability that could result in local privilege escalation. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

477 CVE-2020-24427 | CWE: 20 | Exploits: - | Type: Bypass | Published: 2020-11-05 | Updated: 2021-09-08 | Score: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: Partial/None/None
Acrobat Reader versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by an input validation vulnerability when decoding a crafted codec that could result in the disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

478 CVE-2020-24426 | CWE: 125 | Exploits: - | Type: Bypass | Published: 2020-11-05 | Updated: 2021-09-16 | Score: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: Partial/None/None
Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

479 CVE-2020-24407 | CWE: 434 | Exploits: - | Type: Exec Code | Published: 2020-11-09 | Updated: 2020-11-12 | Score: 9.0 | Gained access: None | Access: Remote | Complexity: Low | Auth: ??? | Conf/Integ/Avail: Complete/Complete/Complete
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components.

480 CVE-2020-24406 | CWE: 22 | Exploits: - | Type: Dir. Trav. | Published: 2020-11-09 | Updated: 2020-11-12 | Score: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: Partial/None/None
When in maintenance mode, Magento version 2.4.0 and 2.3.4 (and earlier) are affected by an information disclosure vulnerability that could expose the installation path during build deployments. This information could be helpful to attackers if they are able to identify other exploitable vulnerabilities in the environment.

481 CVE-2020-24405 | CWE: 285 | Exploits: - | Type: - | Published: 2020-11-09 | Updated: 2020-11-12 | Score: 4.0 | Gained access: None | Access: Remote | Complexity: Low | Auth: ??? | Conf/Integ/Avail: None/Partial/None
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions issue vulnerability in the Inventory module. This vulnerability could be abused by authenticated users to modify inventory stock data without authorization.

482 CVE-2020-24404 | CWE: 285 | Exploits: - | Type: - | Published: 2020-11-09 | Updated: 2020-11-12 | Score: 5.5 | Gained access: None | Access: Remote | Complexity: Low | Auth: ??? | Conf/Integ/Avail: None/Partial/Partial
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization.

483 CVE-2020-24403 | CWE: 285 | Exploits: - | Type: - | Published: 2020-11-09 | Updated: 2020-11-12 | Score: 4.0 | Gained access: None | Access: Remote | Complexity: Low | Auth: ??? | Conf/Integ/Avail: None/Partial/None
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the REST API.

484 CVE-2020-24402 | CWE: 285 | Exploits: - | Type: - | Published: 2020-11-09 | Updated: 2020-11-12 | Score: 5.5 | Gained access: None | Access: Remote | Complexity: Low | Auth: ??? | Conf/Integ/Avail: None/Partial/Partial
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization.

485 CVE-2020-24401 | CWE: 863 | Exploits: - | Type: - | Published: 2020-11-09 | Updated: 2020-11-12 | Score: 5.5 | Gained access: None | Access: Remote | Complexity: Low | Auth: ??? | Conf/Integ/Avail: Partial/Partial/None
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account.

486 CVE-2020-24400 | CWE: 89 | Exploits: - | Type: Sql | Published: 2020-11-09 | Updated: 2020-11-12 | Score: 5.5 | Gained access: None | Access: Remote | Complexity: Low | Auth: ??? | Conf/Integ/Avail: Partial/Partial/None
Magento versions 2.4.0 and 2.3.5 (and earlier) are affected by an SQL Injection vulnerability that could lead to sensitive information disclosure. This vulnerability could be exploited by an authenticated user with permissions to the product listing page to read data from the database.

487 CVE-2020-24384 | CWE: - | Exploits: - | Type: Exec Code | Published: 2020-11-10 | Updated: 2020-11-24 | Score: 10.0 | Gained access: None | Access: Remote | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Complete/Complete/Complete
A10 Networks ACOS and aGalaxy management Graphical User Interfaces (GUIs) have an unauthenticated Remote Code Execution (RCE) vulnerability that could be used to compromise affected ACOS systems. ACOS versions 3.2.x (including and after 3.2.2), 4.x, and 5.1.x are affected. aGalaxy versions 3.0.x, 3.2.x, and 5.0.x are affected.

488 CVE-2020-24367 | CWE: 269 | Exploits: - | Type: - | Published: 2020-11-10 | Updated: 2021-07-21 | Score: 4.6 | Gained access: None | Access: Local | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Partial/Partial/Partial
Incorrect file permissions in BlueStacks 4 through 4.230 on Windows allow a local attacker to escalate privileges by modifying a file that is later executed by a higher-privileged user.

489 CVE-2020-24366 | CWE: 200 | Exploits: - | Type: +Info | Published: 2020-11-16 | Updated: 2021-07-21 | Score: 2.1 | Gained access: None | Access: Local | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Partial/None/None
Sensitive information could be disclosed in the JetBrains YouTrack application before 2020.2.0 for Android via application backups.

490 CVE-2020-24353 | CWE: 79 | Exploits: - | Type: XSS | Published: 2020-11-09 | Updated: 2020-11-13 | Score: 4.3 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: None/Partial/None
Pega Platform before 8.4.0 has a XSS issue via stream rule parameters used in the request header.

491 CVE-2020-24297 | CWE: 78 | Exploits: - | Type: Exec Code | Published: 2020-11-18 | Updated: 2020-12-01 | Score: 9.0 | Gained access: None | Access: Remote | Complexity: Low | Auth: ??? | Conf/Integ/Avail: Complete/Complete/Complete
httpd on TP-Link TL-WPA4220 devices (versions 2 through 4) allows remote authenticated users to execute arbitrary OS commands by sending crafted POST requests to the endpoint /admin/powerline. Fixed version: TL-WPA4220(EU)_V4_201023

492 CVE-2020-24227 | CWE: 522 | Exploits: - | Type: - | Published: 2020-11-23 | Updated: 2020-12-02 | Score: 5.0 | Gained access: None | Access: Remote | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Partial/None/None
Playground Sessions v2.5.582 (and earlier) for Windows, stores the user credentials in plain text allowing anyone with access to UserProfiles.sol to extract the email and password.

493 CVE-2020-24063 | CWE: 918 | Exploits: - | Type: - | Published: 2020-11-10 | Updated: 2020-12-01 | Score: 5.0 | Gained access: None | Access: Remote | Complexity: Low | Auth: Not required | Conf/Integ/Avail: None/Partial/None
The Canto plugin 1.3.0 for WordPress allows includes/lib/download.php?subdomain= SSRF.

494 CVE-2020-23989 | CWE: 79 | Exploits: - | Type: XSS | Published: 2020-11-02 | Updated: 2020-11-03 | Score: 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: ??? | Conf/Integ/Avail: None/Partial/None
NeDi 1.9C allows pwsec.php oid XSS.

495 CVE-2020-23968 | CWE: 59 | Exploits: - | Type: - | Published: 2020-11-10 | Updated: 2020-12-01 | Score: 6.9 | Gained access: None | Access: Local | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: Complete/Complete/Complete
Ilex International Sign&go Workstation Security Suite 7.1 allows elevation of privileges via a symlink attack on ProgramData\Ilex\S&G\Logs\000-sngWSService1.log.

496 CVE-2020-23868 | CWE: 79 | Exploits: - | Type: XSS | Published: 2020-11-02 | Updated: 2020-11-03 | Score: 3.5 | Gained access: None | Access: Remote | Complexity: Medium | Auth: ??? | Conf/Integ/Avail: None/Partial/None
NeDi 1.9C allows inc/rt-popup.php d XSS.

497 CVE-2020-23639 | CWE: 77 | Exploits: - | Type: Exec Code | Published: 2020-11-02 | Updated: 2020-11-12 | Score: 10.0 | Gained access: None | Access: Remote | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Complete/Complete/Complete
A command injection vulnerability exists in Moxa Inc VPort 461 Series Firmware Version 3.4 or lower that could allow a remote attacker to execute arbitrary commands in Moxa's VPort 461 Series Industrial Video Servers.

498 CVE-2020-23490 | CWE: 200 | Exploits: - | Type: +Info | Published: 2020-11-16 | Updated: 2021-07-21 | Score: 5.0 | Gained access: None | Access: Remote | Complexity: Low | Auth: Not required | Conf/Integ/Avail: Partial/None/None
There was a local file disclosure vulnerability in AVideo < 8.9 via the proxy streaming. An unauthenticated attacker can exploit this issue to read an arbitrary file on the server. Which could leak database credentials or other sensitive information such as /etc/passwd file.

499 CVE-2020-23489 | CWE: 269 | Exploits: - | Type: - | Published: 2020-11-16 | Updated: 2021-07-21 | Score: 6.5 | Gained access: None | Access: Remote | Complexity: Low | Auth: ??? | Conf/Integ/Avail: Partial/Partial/Partial
The import.json.php file before 8.9 for Avideo is vulnerable to a File Deletion vulnerability. This allows the deletion of configuration.php, which leads to certain privilege checks not being in place, and therefore a user can escalate privileges to admin.

500 CVE-2020-23140 | CWE: 613 | Exploits: - | Type: - | Published: 2020-11-09 | Updated: 2020-11-20 | Score: 5.8 | Gained access: None | Access: Remote | Complexity: Medium | Auth: Not required | Conf/Integ/Avail: Partial/Partial/None
Microweber 1.1.18 is affected by insufficient session expiration. When changing passwords, both sessions for when a user changes email and old sessions in any other browser or device, the session does not expire and remains active.
Total number of vulnerabilities: 1271 (this is page 10 of 26).