CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
951 CVE-2020-7762 200 +Info 2020-11-05 2021-07-21
4.0
None Remote Low ??? Partial None None
This affects the package jsreport-chrome-pdf before 1.10.0.
952 CVE-2020-7761 DoS 2020-11-05 2020-11-13
5.0
None Remote Low Not required None None Partial
This affects the package @absolunet/kafe before 3.2.10. It allows cause a denial of service when validating crafted invalid emails.
953 CVE-2020-7758 22 Dir. Trav. 2020-11-02 2020-11-18
5.0
None Remote Low Not required Partial None None
This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server.
954 CVE-2020-7757 22 Dir. Trav. 2020-11-02 2020-11-10
4.0
None Remote Low ??? Partial None None
This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server.
955 CVE-2020-7573 284 2020-11-19 2020-11-27
6.4
None Remote Low Not required Partial Partial None
A CWE-284 Improper Access Control vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause a remote attacker being able to access a restricted web resources due to improper access control.
956 CVE-2020-7572 611 DoS 2020-11-19 2020-11-27
6.5
None Remote Low ??? Partial Partial Partial
A CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to inject arbitrary XML code and obtain disclosure of confidential data, denial of service, server side request forgery due to improper configuration of the XML parser.
957 CVE-2020-7571 79 XSS 2020-11-19 2020-11-27
3.5
None Remote Medium ??? None Partial None
A CWE-79 Multiple Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Reflected) vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause a remote attacker to inject arbitrary web script or HTML due to incorrect sanitization of user supplied data and achieve a Cross-Site Scripting reflected attack against other WebReport users.
958 CVE-2020-7570 79 XSS 2020-11-19 2020-11-27
3.5
None Remote Medium ??? None Partial None
A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Stored) vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Cross-Site Scripting stored attack against other WebReport users.
959 CVE-2020-7569 434 Exec Code 2020-11-19 2020-11-27
6.5
None Remote Low ??? Partial Partial Partial
A CWE-434 Unrestricted Upload of File with Dangerous Type vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to upload arbitrary files due to incorrect verification of user supplied files and achieve remote code execution.
960 CVE-2020-7568 200 +Info 2020-11-19 2020-12-11
3.3
None Local Network Low Not required Partial None None
A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Modicon M221 (all references, all versions) that could allow non sensitive information disclosure when the attacker has captured the traffic between EcoStruxure Machine - Basic software and Modicon M221 controller.
961 CVE-2020-7567 311 2020-11-19 2020-12-11
2.9
None Local Network Medium Not required Partial None None
A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Modicon M221 (all references, all versions) that could allow the attacker to find the password hash when the attacker has captured the traffic between EcoStruxure Machine - Basic software and Modicon M221 controller and broke the encryption keys.
962 CVE-2020-7566 334 2020-11-19 2021-09-21
4.3
None Local Network Medium Not required Partial Partial None
A CWE-334: Small Space of Random Values vulnerability exists in Modicon M221 (all references, all versions) that could allow the attacker to break the encryption keys when the attacker has captured the traffic between EcoStruxure Machine - Basic software and Modicon M221 controller.
963 CVE-2020-7565 326 2020-11-19 2021-09-21
4.3
None Local Network Medium Not required Partial Partial None
A CWE-326: Inadequate Encryption Strength vulnerability exists in Modicon M221 (all references, all versions) that could allow the attacker to break the encryption key when the attacker has captured the traffic between EcoStruxure Machine - Basic software and Modicon M221 controller.
964 CVE-2020-7564 120 Exec Code Overflow 2020-11-18 2020-12-02
6.5
None Remote Low ??? Partial Partial Partial
A CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause write access and the execution of commands when uploading a specially crafted file on the controller over FTP.
965 CVE-2020-7563 787 Exec Code 2020-11-18 2020-12-02
6.5
None Remote Low ??? Partial Partial Partial
A CWE-787: Out-of-bounds Write vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause corruption of data, a crash, or code execution when uploading a specially crafted file on the controller over FTP.
966 CVE-2020-7562 125 Overflow 2020-11-18 2020-12-02
5.8
None Remote Medium Not required Partial None Partial
A CWE-125: Out-of-Bounds Read vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause a segmentation fault or a buffer overflow when uploading a specially crafted file on the controller over FTP.
967 CVE-2020-7561 284 DoS Exec Code 2020-11-19 2020-12-11
7.5
None Remote Low Not required Partial Partial Partial
A CWE-284: Improper Access Control vulnerability exists in Easergy T300 (with firmware 2.7 and older) that could cause a wide range of problems, including information exposure, denial of service, and command execution when access to a resource from an attacker is not restricted or incorrectly restricted.
968 CVE-2020-7559 120 Overflow 2020-11-19 2020-12-09
5.0
None Remote Low Not required None None Partial
A CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause a crash of the PLC simulator present in EcoStruxureª Control Expert software when receiving a specially crafted request over Modbus.
969 CVE-2020-7558 787 Exec Code 2020-11-19 2021-02-01
6.8
None Remote Medium Not required Partial Partial Partial
A CWE-787 Out-of-bounds Write vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247 that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.
970 CVE-2020-7557 125 Exec Code 2020-11-19 2021-02-01
6.8
None Remote Medium Not required Partial Partial Partial
A CWE-125 Out-of-bounds Read vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247 that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.
971 CVE-2020-7556 787 Exec Code 2020-11-19 2021-02-01
6.8
None Remote Medium Not required Partial Partial Partial
A CWE-787 Out-of-bounds Write vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247 that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.
972 CVE-2020-7555 787 Exec Code 2020-11-19 2021-01-30
6.8
None Remote Medium Not required Partial Partial Partial
A CWE-787 Out-of-bounds Write vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247 that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.
973 CVE-2020-7554 119 Exec Code Overflow 2020-11-19 2021-02-01
6.8
None Remote Medium Not required Partial Partial Partial
A CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247 that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.
974 CVE-2020-7553 787 Exec Code 2020-11-19 2021-03-15
6.8
None Remote Medium Not required Partial Partial Partial
A CWE-787 Out-of-bounds Write vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247 that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.
975 CVE-2020-7552 787 Exec Code 2020-11-19 2022-01-01
6.8
None Remote Medium Not required Partial Partial Partial
A CWE-787: Out-of-bounds Write vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247, that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.
976 CVE-2020-7551 787 Exec Code 2020-11-19 2022-01-01
6.8
None Remote Medium Not required Partial Partial Partial
A CWE-787: Out-of-bounds Write vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247, that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.
977 CVE-2020-7550 119 Exec Code Overflow 2020-11-19 2021-02-01
6.8
None Remote Medium Not required Partial Partial Partial
A CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in IGSS Definition (Def.exe) version 14.0.0.20247 and prior that could cause Remote Code Execution when malicious CGF (Configuration Group File) file is imported to IGSS Definition.
978 CVE-2020-7544 269 2020-11-19 2021-01-13
7.2
None Local Low Not required Complete Complete Complete
A CWE-269 Improper Privilege Management vulnerability exists in EcoStruxureª Operator Terminal Expert runtime (Vijeo XD) that could cause privilege escalation on the workstation when interacting directly with a driver installed by the runtime software of EcoStruxureª Operator Terminal Expert.
979 CVE-2020-7538 754 2020-11-19 2020-12-08
5.0
None Remote Low Not required None None Partial
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause a crash of the PLC simulator present in EcoStruxureª Control Expert software when receiving a specially crafted request over Modbus.
980 CVE-2020-7472 862 Exec Code Bypass 2020-11-12 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
An authorization bypass and PHP local-file-include vulnerability in the installation component of SugarCRM before 8.0, 8.0 before 8.0.7, 9.0 before 9.0.4, and 10.0 before 10.0.0 allows for unauthenticated remote code execution against a configured SugarCRM instance via crafted HTTP requests. (This is exploitable even after installation is completed.).
981 CVE-2020-7378 287 2020-11-24 2020-12-07
6.4
None Remote Low Not required Partial Partial None
CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020.
982 CVE-2020-7333 79 XSS 2020-11-12 2020-11-23
3.5
None Remote Medium ??? None Partial None
Cross site scripting vulnerability in the firewall ePO extension of McAfee Endpoint Security (ENS) prior to 10.7.0 November 2020 Update allows administrators to inject arbitrary web script or HTML via the configuration wizard.
983 CVE-2020-7332 352 Exec Code CSRF 2020-11-12 2020-11-23
6.8
None Remote Medium Not required Partial Partial Partial
Cross Site Request Forgery vulnerability in the firewall ePO extension of McAfee Endpoint Security (ENS) prior to 10.7.0 November 2020 Update allows an attacker to execute arbitrary HTML code due to incorrect security configuration.
984 CVE-2020-7331 428 DoS 2020-11-12 2020-11-23
4.6
None Local Low Not required Partial Partial Partial
Unquoted service executable path in McAfee Endpoint Security (ENS) prior to 10.7.0 November 2020 Update allows local users to cause a denial of service and malicious file execution via carefully crafted and named executable files.
985 CVE-2020-7329 918 2020-11-11 2020-11-20
6.5
None Remote Low ??? Partial Partial Partial
Server-side request forgery vulnerability in the ePO extension in McAfee MVISION Endpoint prior to 20.11 allows remote attackers trigger server-side DNS requests to arbitrary domains via carefully constructed XML files loaded by an ePO administrator.
986 CVE-2020-7328 918 Exec Code 2020-11-11 2020-11-23
6.5
None Remote Low ??? Partial Partial Partial
External entity attack vulnerability in the ePO extension in McAfee MVISION Endpoint prior to 20.11 allows remote attackers to gain control of a resource or trigger arbitrary code execution via improper input validation of an HTTP request, where the content for the attack has been loaded into ePO by an ePO administrator.
987 CVE-2020-7207 269 2020-11-05 2021-07-21
7.2
None Local Low Not required Complete Complete Complete
A local elevation of privilege using physical access security vulnerability was found in HPE Proliant Gen10 Servers using Intel Innovation Engine (IE). This attack requires a physical attack to the server motherboard. To mitigate this issue, ensure your server is always physically secured. HPE will not address this issue in the impacted Gen 10 servers listed. HPE recommends using appropriate physical security methods as a compensating control to disallow an attacker from having physical access to the server main circuit board.
988 CVE-2020-7198 269 2020-11-06 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
There is a remote escalation of privilege possible for a malicious user that has a OneView account in OneView and Synergy Composer. HPE has provided updates to Oneview and Synergy Composer: Update to version 5.5 of OneView, Composer, or Composer2.
989 CVE-2020-7129 77 Exec Code 2020-11-04 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
A remote execution of arbitrary commands vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2.
990 CVE-2020-7128 77 Exec Code 2020-11-04 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
A remote unauthenticated arbitrary code execution vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2.
991 CVE-2020-7033 79 XSS 2020-11-13 2020-11-29
3.5
None Remote Medium ??? None Partial None
A Cross Site Scripting (XSS) Vulnerability on the Unified Portal Client (web client) used in Avaya Equinox Conferencing can allow an authenticated user to perform XSS attacks. The affected versions of Equinox Conferencing includes all 9.x versions before 9.1.10.
992 CVE-2020-7032 611 2020-11-13 2021-01-12
5.5
None Remote Low ??? Partial None Partial
An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2.
993 CVE-2020-6939 2020-11-23 2020-12-08
10.0
None Remote Low Not required Complete Complete Complete
Tableau Server installations configured with Site-Specific SAML that allows the APIs to be used by unauthenticated users. If exploited, this could allow a malicious user to configure Site-Specific SAML settings and could lead to account takeover for users of that site. Tableau Server versions affected on both Windows and Linux are: 2018.2 through 2018.2.27, 2018.3 through 2018.3.24, 2019.1 through 2019.1.22, 2019.2 through 2019.2.18, 2019.3 through 2019.3.14, 2019.4 through 2019.4.13, 2020.1 through 2020.1.10, 2020.2 through 2020.2.7, and 2020.3 through 2020.3.2.
994 CVE-2020-6879 20 Bypass 2020-11-19 2020-12-02
2.7
None Local Network Low ??? None Partial None
Some ZTE devices have input verification vulnerabilities. The devices support configuring a static prefix through the web management page. The restriction of the front-end code can be bypassed by constructing a POST request message and sending the request to the creation of a static routing rule configuration interface. The WEB service backend fails to effectively verify the abnormal input. As a result, the attacker can successfully use the vulnerability to tamper parameter values. This affects: ZXHN Z500 V1.0.0.2B1.1000 and ZXHN F670L V1.1.10P1N2E. This is fixed in ZXHN Z500 V1.0.1.1B1.1000 and ZXHN F670L V1.1.10P2N2.
995 CVE-2020-6877 200 +Info 2020-11-05 2021-07-21
4.0
None Remote Low ??? Partial None None
A ZTE product is impacted by an information leak vulnerability. An attacker could use this vulnerability to obtain the authentication password of the handheld terminal and access the device illegally for operation. This affects: ZXA10 eODN V2.3P2T1
996 CVE-2020-6557 2020-11-03 2021-01-27
4.3
None Remote Medium Not required None Partial None
Inappropriate implementation in networking in Google Chrome prior to 86.0.4240.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page.
997 CVE-2020-6317 200 +Info 2020-11-30 2021-07-21
2.7
None Local Network Low ??? Partial None None
In certain situations, an attacker with regular user credentials and local access to an ASE cockpit installation can access sensitive information which appears in the installation log files. This information although sensitive is of limited utility and cannot be used to further access, modify or render unavailable any other information in the cockpit or system. This affects SAP Adaptive Server Enterprise, Versions - 15.7, 16.0.
998 CVE-2020-6316 862 2020-11-10 2020-11-24
4.0
None Remote Low ??? Partial None None
SAP ERP and SAP S/4 HANA allows an authenticated user to see cost records to objects to which he has no authorization in PS reporting, leading to Missing Authorization check.
999 CVE-2020-6157 2020-11-13 2020-11-30
4.3
None Remote Medium Not required None Partial None
Opera Touch for iOS before version 2.4.5 is vulnerable to an address bar spoofing attack. The vulnerability allows a malicious page to trick the browser into showing an address of a different page. This may allow the malicious page to impersonate another page and trick a user into providing sensitive data.
1000 CVE-2020-6156 787 Overflow 2020-11-13 2020-11-20
6.8
None Remote Medium Not required Partial Partial Partial
A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when the software parses compressed sections in binary USD files. To trigger this vulnerability, the victim needs to open an attacker-provided malformed file in an instance USDC file format path element token index.
Total number of vulnerabilities : 1271   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 (This Page)21 22 23 24 25 26
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.