CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
901 CVE-2020-8583 2020-11-13 2021-05-10
5.0
None Remote Low Not required Partial None None
Element Software versions prior to 12.2 and HCI versions prior to 1.8P1 are susceptible to a vulnerability which could allow an attacker to discover sensitive information by intercepting its transmission within an https session.
902 CVE-2020-8582 2020-11-13 2021-05-10
4.0
None Remote Low ??? Partial None None
Element Software versions prior to 12.2 and HCI versions prior to 1.8P1 are susceptible to a vulnerability which could allow an authenticated user to view sensitive information.
903 CVE-2020-8580 DoS 2020-11-06 2020-11-12
5.0
None Remote Low Not required None None Partial
SANtricity OS Controller Software versions 11.30 and higher are susceptible to a vulnerability which allows an unauthenticated attacker with access to the system to cause a Denial of Service (DoS).
904 CVE-2020-8577 2020-11-06 2020-11-13
4.3
None Remote Medium Not required Partial None None
SANtricity OS Controller Software versions 11.50.1 and higher are susceptible to a vulnerability which could allow an attacker to discover sensitive information by intercepting its transmission within an https session.
905 CVE-2020-8354 Exec Code 2020-11-11 2020-11-30
7.2
None Local Low Not required Complete Complete Complete
A potential vulnerability in the SMI callback function used in the VariableServiceSmm driver in some Lenovo Notebook models may allow arbitrary code execution.
906 CVE-2020-8353 2020-11-11 2020-11-30
4.6
None Local Low Not required Partial Partial Partial
Prior to August 10, 2020, some Lenovo Desktop and Workstation systems were shipped with the Embedded Host Based Configuration (EHBC) feature of Intel AMT enabled. This could allow an administrative user with local access to configure Intel AMT.
907 CVE-2020-8352 2020-11-11 2020-11-25
2.1
None Local Low Not required None Partial None
In some Lenovo Desktop models, the Configuration Change Detection BIOS setting failed to detect SATA configuration changes.
908 CVE-2020-8351 269 Exec Code 2020-11-30 2020-12-02
4.6
None Local Low Not required Partial Partial Partial
A privilege escalation vulnerability was reported in Lenovo PCManager prior to version 3.0.50.9162 that could allow an authenticated user to execute code with elevated privileges.
909 CVE-2020-8279 295 2020-11-19 2020-11-25
5.8
None Remote Medium Not required Partial Partial None
Missing validation of server certificates for out-going connections in Nextcloud Social < 0.4.0 allowed a man-in-the-middle attack.
910 CVE-2020-8278 863 2020-11-19 2020-12-02
5.0
None Remote Low Not required Partial None None
Improper access control in Nextcloud Social app version 0.3.1 allowed to read posts of any user.
911 CVE-2020-8277 400 DoS 2020-11-19 2021-12-02
5.0
None Remote Low Not required None None Partial
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.
912 CVE-2020-8276 312 2020-11-09 2020-11-18
2.1
None Local Low Not required Partial None None
The implementation of Brave Desktop's privacy-preserving analytics system (P3A) between 1.1 and 1.18.35 logged the timestamp of when the user last opened an incognito window, including Tor windows. The intended behavior was to log the timestamp for incognito windows excluding Tor windows. Note that if a user has P3A enabled, the timestamp is not sent to Brave's server, but rather a value from:Used in last 24hUsed in last week but not 24hUsed in last 28 days but not weekEver used but not in last 28 daysNever usedThe privacy risk is low because a local attacker with disk access cannot tell if the timestamp corresponds to a Tor window or a non-Tor incognito window.
913 CVE-2020-8273 78 2020-11-16 2020-11-30
9.0
None Remote Low ??? Complete Complete Complete
Privilege escalation of an authenticated user to root in Citrix SD-WAN center versions before 11.2.2, 11.1.2b and 10.2.8.
914 CVE-2020-8272 287 Bypass 2020-11-16 2020-11-30
5.0
None Remote Low Not required None Partial None
Authentication Bypass resulting in exposure of SD-WAN functionality in Citrix SD-WAN Center versions before 11.2.2, 11.1.2b and 10.2.8
915 CVE-2020-8271 22 Exec Code Dir. Trav. 2020-11-16 2020-11-30
10.0
None Remote Low Not required Complete Complete Complete
Unauthenticated remote code execution with root privileges in Citrix SD-WAN Center versions before 11.2.2, 11.1.2b and 10.2.8
916 CVE-2020-8270 78 Exec Code 2020-11-16 2020-12-03
9.0
None Remote Low ??? Complete Complete Complete
An unprivileged Windows user on the VDA or an SMB user can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285871 and CTX285872, 7.15 LTSR CU6 hotfix CTX285341 and CTX285342
917 CVE-2020-8269 269 Exec Code 2020-11-16 2020-12-03
9.0
None Remote Low ??? Complete Complete Complete
An unprivileged Windows user on the VDA can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285870 and CTX286120, 7.15 LTSR CU6 hotfix CTX285344 and 7.6 LTSR CU9
918 CVE-2020-8268 20 2020-11-09 2020-11-18
5.0
None Remote Low Not required None Partial None
Prototype pollution vulnerability in json8-merge-patch npm package < 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor.
919 CVE-2020-8267 287 2020-11-05 2020-11-19
5.0
None Remote Low Not required None Partial None
A security issue was found in UniFi Protect controller v1.14.10 and earlier.The authentication in the UniFi Protect controller API was using “x-token” improperly, allowing attackers to use the API to send authenticated messages without a valid token.This vulnerability was fixed in UniFi Protect v1.14.11 and newer.This issue does not impact UniFi Cloud Key Gen 2 plus.This issue does not impact UDM-Pro customers with UniFi Protect stopped.Affected Products:UDM-Pro firmware 1.7.2 and earlier.UNVR firmware 1.3.12 and earlier.Mitigation:Update UniFi Protect to v1.14.11 or newer version; the UniFi Protect controller can be updated through your UniFi OS settings.Alternatively, you can update UNVR and UDM-Pro to:- UNVR firmware to 1.3.15 or newer.- UDM-Pro firmware to 1.8.0 or newer.
920 CVE-2020-8259 522 2020-11-16 2020-12-02
5.5
None Remote Low ??? Partial Partial None
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys.
921 CVE-2020-8236 287 2020-11-02 2020-11-16
4.6
None Local Low Not required Partial Partial Partial
A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel the passwordless WebAuthn is also a two factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it.
922 CVE-2020-8183 522 2020-11-02 2020-11-12
5.0
None Remote Low Not required Partial None None
A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call.
923 CVE-2020-8173 311 2020-11-02 2020-11-17
3.5
None Remote Medium ??? Partial None None
A too small set of random characters being used for encryption in Nextcloud Server 18.0.4 allowed decryption in shorter time than intended.
924 CVE-2020-8152 522 2020-11-16 2020-12-26
2.1
None Local Low Not required None Partial None
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on.
925 CVE-2020-8150 311 2020-11-09 2020-12-29
1.9
None Local Medium Not required None Partial None
A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files.
926 CVE-2020-8133 347 2020-11-09 2020-11-19
5.0
None Remote Low Not required None Partial None
A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file.
927 CVE-2020-8037 770 2020-11-04 2021-04-27
5.0
None Remote Low Not required None None Partial
The ppp decapsulator in tcpdump 4.9.3 can be convinced to allocate a large amount of memory.
928 CVE-2020-8036 125 2020-11-04 2020-11-25
5.0
None Remote Low Not required None None Partial
The tok2strbuf() function in tcpdump 4.10.0-PRE-GIT was used by the SOME/IP dissector in an unsafe way.
929 CVE-2020-7962 200 +Info 2020-11-13 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in One Identity Password Manager 5.8. An attacker could enumerate valid answers for a user. It is possible for an attacker to detect a valid answer based on the HTTP response content, and reuse this answer later for a password reset on a chosen password. The enumeration is possible because, within the HTTP response content, WRONG ID is only returned when the answer is incorrect.
930 CVE-2020-7928 2020-11-23 2020-12-02
4.0
None Remote Low ??? Partial None None
A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.
931 CVE-2020-7927 2020-11-23 2020-12-03
4.0
None Remote Low ??? Partial None None
Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions 4.2.0-4.2.17, v4.3 versions 4.3.0-4.3.9 and v4.4 versions 4.4.0-4.4.2.
932 CVE-2020-7926 755 DoS 2020-11-23 2020-11-29
4.0
None Remote Low ??? None None Partial
A user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant in the server selection subsystem. This issue affects: MongoDB Server version 4.4 prior to 4.4.1. Versions before 4.4 are not affected.
933 CVE-2020-7925 20 DoS 2020-11-23 2021-10-19
5.0
None Remote Low Not required None None Partial
Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc12; v4.2 versions prior to 4.2.9.
934 CVE-2020-7842 20 Exec Code 2020-11-20 2021-10-19
6.0
None Remote Medium ??? Partial Partial Partial
Improper Input validation vulnerability exists in Netis Korea D'live AP which could cause arbitrary command injection and execution when the time setting (using ntpServerlp1 parameter) for the users. This affects D'live set-top box AP(WF2429TB) v1.1.10.
935 CVE-2020-7841 20 Exec Code 2020-11-17 2020-12-02
6.8
None Remote Medium Not required Partial Partial Partial
Improper input validation vulnerability exists in TOBESOFT XPLATFORM which could cause arbitrary .hta file execution when the command string is begun with http://, https://, mailto://
936 CVE-2020-7780 352 Bypass CSRF 2020-11-27 2020-12-04
6.8
None Remote Medium Not required Partial Partial Partial
This affects the package com.softwaremill.akka-http-session:core_2.13 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.12 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.11 before 0.5.11. For older versions, endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie.
937 CVE-2020-7779 917 DoS 2020-11-26 2021-07-21
5.0
None Remote Low Not required None None Partial
All versions of package djvalidator are vulnerable to Regular Expression Denial of Service (ReDoS) by sending crafted invalid emails - for example, --@------------------------------------------------------------------------------------------------------------------------!.
938 CVE-2020-7778 78 2020-11-26 2020-12-01
7.5
None Remote Low Not required Partial Partial Partial
This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands.
939 CVE-2020-7777 Exec Code 2020-11-23 2020-12-03
6.5
None Remote Low ??? Partial Partial Partial
This affects all versions of package jsen. If an attacker can control the schema file, it could run arbitrary JavaScript code on the victim machine. In the module description and README file there is no mention about the risks of untrusted schema files, so I assume that this is applicable. In particular the required field of the schema is not properly sanitized. The resulting string that is build based on the schema definition is then passed to a Function.apply();, leading to an Arbitrary Code Execution.
940 CVE-2020-7774 20 2020-11-17 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true
941 CVE-2020-7773 79 XSS 2020-11-16 2020-12-01
4.3
None Remote Medium Not required None Partial None
This affects the package markdown-it-highlightjs before 3.3.1. It is possible insert malicious JavaScript as a value of lang in the markdown-it-highlightjs Inline code highlighting feature. const markdownItHighlightjs = require("markdown-it-highlightjs"); const md = require('markdown-it'); const reuslt_xss = md() .use(markdownItHighlightjs, { inline: true }) .render('console.log(42){.">js}'); console.log(reuslt_xss);
942 CVE-2020-7772 2020-11-15 2020-11-30
10.0
None Remote Low Not required Complete Complete Complete
This affects the package doc-path before 2.1.2.
943 CVE-2020-7770 20 2020-11-12 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
This affects the package json8 before 1.0.3. The function adds in the target object the property specified in the path, however it does not properly check the key being set, leading to a prototype pollution.
944 CVE-2020-7769 74 2020-11-12 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.
945 CVE-2020-7768 74 2020-11-11 2021-07-21
5.0
None Remote Low Not required None None Partial
The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.
946 CVE-2020-7767 DoS 2020-11-11 2021-07-21
5.0
None Remote Low Not required None None Partial
All versions of package express-validators are vulnerable to Regular Expression Denial of Service (ReDoS) when validating specifically-crafted invalid urls.
947 CVE-2020-7766 74 2020-11-10 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
This affects all versions of package json-ptr. The issue occurs in the set operation (https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution.
948 CVE-2020-7765 2020-11-16 2020-12-01
5.0
None Remote Low Not required None Partial None
This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.
949 CVE-2020-7764 444 DoS 2020-11-08 2020-11-16
5.0
None Remote Low Not required None None Partial
This affects the package find-my-way before 2.2.5, from 3.0.0 and before 3.0.5. It accepts the Accept-Version' header by default, and if versioned routes are not being used, this could lead to a denial of service. Accept-Version can be used as an unkeyed header in a cache poisoning attack.
950 CVE-2020-7763 200 +Info 2020-11-05 2021-07-21
5.0
None Remote Low Not required Partial None None
This affects the package phantom-html-to-pdf before 0.6.1.
Total number of vulnerabilities : 1271   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 (This Page)20 21 22 23 24 25 26
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.