CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In November 2020

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1201 CVE-2020-0443 754 DoS 2020-11-10 2021-07-21
2.1
None Local Low Not required None None Partial
In LocaleList of LocaleList.java, there is a possible forced reboot due to an uncaught exception. This could lead to local denial of service requiring factory reset to restore with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11 Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-152410253
1202 CVE-2020-0442 20 DoS 2020-11-10 2020-11-10
7.8
None Remote Low Not required None None Complete
In Message and toBundle of Notification.java, there is a possible UI slowdown or crash due to improper input validation. This could lead to remote denial of service if a malicious contact file is received, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10 Android-11 Android-8.0 Android-8.1 Android-9. Android ID: A-147358092
1203 CVE-2020-0441 400 DoS 2020-11-10 2020-11-12
7.8
None Remote Low Not required None None Complete
In Message and toBundle of Notification.java, there is a possible resource exhaustion due to improper input validation. This could lead to remote denial of service requiring a device reset to fix with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11 Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-158304295
1204 CVE-2020-0439 276 Bypass 2020-11-10 2020-11-12
4.6
None Local Low Not required Partial Partial Partial
In generatePackageInfo of PackageManagerService.java, there is a possible permissions bypass due to an incorrect permission check. This could lead to local escalation of privilege that allows instant apps access to permissions not allowed for instant apps, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.1 Android-9 Android-10 Android-11 Android-8.0. Android ID: A-140256621
1205 CVE-2020-0438 665 Exec Code 2020-11-10 2021-07-21
4.6
None Local Low Not required Partial Partial Partial
In the AIBinder_Class constructor of ibinder.cpp, there is a possible arbitrary code execution due to uninitialized data. This could lead to local escalation of privilege if a process were using libbinder_ndk in a vulnerable way with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11 Android-10. Android ID: A-161812320
1206 CVE-2020-0437 276 DoS 2020-11-10 2020-11-12
2.1
None Local Low Not required None None Partial
In CellBroadcastReceiver's intent handlers, there is a possible denial of service due to a missing permission check. This could lead to local denial of service of emergency alerts with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Android-10 Android-11. Android ID: A-162741784
1207 CVE-2020-0424 2020-11-10 2021-07-21
2.1
None Local Low Not required Partial None None
In send_vc of res_send.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11 Android-9 Android-10. Android ID: A-161362564
1208 CVE-2020-0418 2020-11-10 2020-11-17
4.6
None Local Low Not required Partial Partial Partial
In getPermissionInfosForGroup of Utils.java, there is a logic error. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-153879813
1209 CVE-2020-0409 787 Overflow 2020-11-10 2021-07-21
4.6
None Local Low Not required Partial Partial Partial
In create of FileMap.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10 Android-8.0 Android-8.1 Android-9. Android ID: A-156997193
1210 CVE-2019-20934 416 2020-11-28 2021-01-12
5.4
None Local Medium Not required Partial None Complete
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.
1211 CVE-2019-20933 287 Bypass 2020-11-19 2021-01-02
7.5
None Remote Low Not required Partial Partial Partial
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
1212 CVE-2019-20925 697 DoS 2020-11-24 2020-12-03
5.0
None Remote Low Not required None None Partial
An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15; v3.4 versions prior to 3.4.24.
1213 CVE-2019-20924 754 DoS 2020-11-23 2020-11-29
4.0
None Remote Low ??? None None Partial
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.2.
1214 CVE-2019-20923 DoS 2020-11-23 2020-11-29
4.0
None Remote Low ??? None None Partial
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine's internals. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.7.
1215 CVE-2019-19878 287 Bypass 2020-11-27 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. An attacker can get access to historical data from AprolSqlServer by bypassing authentication, a different vulnerability than CVE-2019-16358.
1216 CVE-2019-19877 22 Dir. Trav. 2020-11-27 2020-11-30
5.0
None Remote Low Not required Partial None None
An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. An attacker can get access to sensitive information outside the working directory via Directory Traversal attacks against AprolSqlServer, a different vulnerability than CVE-2019-16357.
1217 CVE-2019-19876 89 Sql 2020-11-27 2020-11-30
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. An EnMon PHP script was vulnerable to SQL injection, a different vulnerability than CVE-2019-10006.
1218 CVE-2019-19875 77 Exec Code 2020-11-27 2020-12-03
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. Arbitrary commands could be injected (using Python scripts) via the AprolCluster script that is invoked via sudo and thus executes with root privileges, a different vulnerability than CVE-2019-16364.
1219 CVE-2019-19874 74 Exec Code 2020-11-27 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. Some web scripts in the web interface allowed injection and execution of arbitrary unintended commands on the web server, a different vulnerability than CVE-2019-16364.
1220 CVE-2019-19873 287 Bypass 2020-11-27 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. An attacker can get information from the AprolSqlServer DBMS by bypassing authentication, a different vulnerability than CVE-2019-16356 and CVE-2019-9983.
1221 CVE-2019-19872 74 Exec Code 2020-11-27 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. The AprolLoader could be used to inject and execute arbitrary unintended commands via an unspecified attack scenario, a different vulnerability than CVE-2019-16364.
1222 CVE-2019-19869 2020-11-27 2020-12-03
5.0
None Remote Low Not required None Partial None
An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. PVs could be changed (unencrypted) by using the IosHttp service and the JSON interface.
1223 CVE-2019-19563 +Info 2020-11-16 2020-11-30
2.1
None Local Low Not required Partial None None
A misconfiguration in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with direct physical access to device hardware to obtain cellular modem information.
1224 CVE-2019-19562 922 Bypass +Info 2020-11-16 2021-07-21
2.1
None Local Low Not required Partial None None
An authentication bypass in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with physical access to device hardware to obtain system information.
1225 CVE-2019-19561 922 +Info 2020-11-16 2020-11-30
2.1
None Local Low Not required Partial None None
A misconfiguration in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with direct physical access to device hardware to obtain cellular modem information.
1226 CVE-2019-19560 922 Bypass +Info 2020-11-16 2021-07-21
2.1
None Local Low Not required Partial None None
An authentication bypass in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with physical access to device hardware to obtain system information.
1227 CVE-2019-19557 922 +Info 2020-11-16 2020-11-30
2.1
None Local Low Not required Partial None None
A misconfiguration in the debug interface in Mercedes-Benz HERMES 1 allows an attacker with direct physical access to device hardware to obtain cellular modem information.
1228 CVE-2019-19556 287 Bypass +Info 2020-11-16 2021-07-21
2.1
None Local Low Not required Partial None None
An authentication bypass in the debug interface in Mercedes-Benz HERMES 1 allows an attacker with physical access to device hardware to obtain system information.
1229 CVE-2019-17566 20 2020-11-12 2021-10-20
5.0
None Remote Low Not required None Partial None
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
1230 CVE-2019-14587 DoS 2020-11-23 2022-01-01
3.3
None Local Network Low Not required None None Partial
Logic issue in EDK II may allow an unauthenticated user to potentially enable denial of service via adjacent access.
1231 CVE-2019-14586 416 DoS 2020-11-23 2022-01-01
5.2
None Local Network Low ??? Partial Partial Partial
Use after free vulnerability in EDK II may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via adjacent access.
1232 CVE-2019-14575 2020-11-23 2022-01-01
4.6
None Local Low Not required Partial Partial Partial
Logic issue in DxeImageVerificationHandler() for EDK II may allow an authenticated user to potentially enable escalation of privilege via local access.
1233 CVE-2019-14563 787 2020-11-23 2022-01-01
4.6
None Local Low Not required Partial Partial Partial
Integer truncation in EDK II may allow an authenticated user to potentially enable escalation of privilege via local access.
1234 CVE-2019-14562 190 DoS Overflow 2020-11-23 2022-01-01
2.1
None Local Low Not required None None Partial
Integer overflow in DxeImageVerificationHandler() for EDK II may allow an authenticated user to potentially enable denial of service via local access.
1235 CVE-2019-14559 401 DoS 2020-11-23 2022-01-01
5.0
None Remote Low Not required None None Partial
Uncontrolled resource consumption in EDK II may allow an unauthenticated user to potentially enable denial of service via network access.
1236 CVE-2019-14553 287 2020-11-23 2020-11-25
4.0
None Remote Low ??? Partial None None
Improper authentication in EDK II may allow a privileged user to potentially enable information disclosure via network access.
1237 CVE-2019-12412 476 DoS 2020-11-19 2020-11-30
5.0
None Remote Low Not required None None Partial
A flaw in the libapreq2 v2.07 to v2.13 multipart parser can dereference a null pointer, leading to a process crash. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.
1238 CVE-2019-11121 732 2020-11-12 2020-11-19
4.6
None Local Low Not required Partial Partial Partial
Improper file permissions in the installer for the Intel(R) Media SDK for Windows before version 2019 R1 may allow an authenticated user to potentially enable escalation of privilege via local access.
1239 CVE-2019-7357 352 CSRF 2020-11-10 2020-11-25
6.8
None Remote Medium Not required Partial Partial Partial
Subrion CMS 4.2.1 has CSRF in panel/modules/plugins/. The attacker can remotely activate/deactivate the plugins.
1240 CVE-2019-7356 79 XSS 2020-11-04 2020-11-10
3.5
None Remote Medium ??? None Partial None
Subrion CMS v4.2.1 allows XSS via the panel/phrases/ VALUE parameter.
1241 CVE-2019-4349 200 +Info 2020-11-03 2020-11-10
3.6
None Local Low Not required Partial Partial None
IBM Maximo Anywhere 7.6.2.0, 7.6.2.1, 7.6.3.0, and 7.6.3.1 applications can be installed on a deprecated operating system version that could compromise the confidentiality and integrity of the service. IBM X-Force ID: 161486
1242 CVE-2019-2393 416 DoS 2020-11-23 2020-11-29
4.0
None Remote Low ??? None None Partial
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15.
1243 CVE-2019-2392 190 DoS Overflow 2020-11-23 2020-11-29
4.0
None Remote Low ??? None None Partial
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.
1244 CVE-2018-20805 834 DoS 2020-11-23 2020-11-29
4.0
None Remote Low ??? None None Partial
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10.
1245 CVE-2018-20804 20 DoS 2020-11-23 2020-11-29
4.0
None Remote Low ??? None None Partial
A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.10; v3.6 versions prior to 3.6.13.
1246 CVE-2018-20803 835 DoS 2020-11-23 2020-12-02
4.0
None Remote Low ??? None None Partial
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10; v3.4 versions prior to 3.4.19.
1247 CVE-2018-20802 DoS 2020-11-23 2020-11-29
4.0
None Remote Low ??? None None Partial
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.9, v4.0 versions prior to 4.0.3.
1248 CVE-2018-19956 79 XSS 2020-11-02 2020-11-02
4.3
None Remote Medium Not required None Partial None
The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions prior to 6.0.10.
1249 CVE-2018-19955 79 XSS 2020-11-02 2020-11-02
4.3
None Remote Medium Not required None Partial None
The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions prior to 6.0.10.
1250 CVE-2018-19954 79 XSS 2020-11-02 2020-11-02
4.3
None Remote Medium Not required None Partial None
The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions prior to 6.0.10.
Total number of vulnerabilities: 1271 (page 25 of 26)