CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2051 CVE-2020-12894 787 DoS 2021-11-15 2021-11-17
3.6
None Local Low Not required None Partial Partial
Arbitrary Write in AMD Graphics Driver for Windows 10 in Escape 0x40010d may lead to arbitrary write to kernel memory or denial of service.
2052 CVE-2020-12882 79 XSS 2020-05-15 2020-05-19
3.5
None Remote Medium ??? None Partial None
Submitty through 20.04.01 allows XSS via upload of an SVG document, as demonstrated by an attack by a Student against a Teaching Fellow.
2053 CVE-2020-12869 79 XSS 2020-09-30 2020-10-02
3.5
None Remote Medium ??? None Partial None
RainbowFish PacsOne Server 6.8.4 allows XSS.
2054 CVE-2020-12864 908 2020-06-24 2021-07-21
3.3
None Local Network Low Not required Partial None None
An out-of-bounds read in SANE Backends before 1.0.30 may allow a malicious device connected to the same local network as the victim to read important information, such as the ASLR offsets of the program, aka GHSL-2020-081.
2055 CVE-2020-12863 125 2020-06-24 2020-11-02
3.3
None Local Network Low Not required Partial None None
An out-of-bounds read in SANE Backends before 1.0.30 may allow a malicious device connected to the same local network as the victim to read important information, such as the ASLR offsets of the program, aka GHSL-2020-083.
2056 CVE-2020-12862 125 2020-06-24 2020-11-02
3.3
None Local Network Low Not required Partial None None
An out-of-bounds read in SANE Backends before 1.0.30 may allow a malicious device connected to the same local network as the victim to read important information, such as the ASLR offsets of the program, aka GHSL-2020-082.
2057 CVE-2020-12849 79 XSS 2020-06-05 2020-06-12
3.5
None Remote Medium ??? None Partial None
Pydio Cells 2.0.4 allows any user to upload a profile image to the web application, including standard and shared user roles. These profile pictures can later be accessed directly with the generated URL by any unauthenticated or authenticated user.
2058 CVE-2020-12815 79 XSS 2020-09-24 2020-10-06
3.5
None Remote Medium ??? None Partial None
An improper neutralization of input vulnerability in FortiTester before 3.9.0 may allow a remote authenticated attacker to inject script related HTML tags via IPv4/IPv6 address fields.
2059 CVE-2020-12814 79 Exec Code XSS 2021-11-02 2021-11-03
3.5
None Remote Medium ??? None Partial None
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiAnalyzer version 6.0.6 and below, version 6.4.4 allows attacker to execute unauthorized code or commands via specifically crafted requests to the web GUI.
2060 CVE-2020-12779 79 XSS 2020-08-10 2020-10-28
3.5
None Remote Medium ??? None Partial None
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
2061 CVE-2020-12732 522 2021-07-15 2021-07-28
3.3
None Local Network Low Not required Partial None None
DEPSTECH WiFi Digital Microscope 3 has a default SSID of Jetion_xxxxxxxx with a password of 12345678.
2062 CVE-2020-12718 79 XSS Bypass 2020-05-08 2020-05-14
3.5
None Remote Medium ??? None Partial None
In administration/comments.php in PHP-Fusion 9.03.50, an authenticated attacker can take advantage of a stored XSS vulnerability in the Preview Comment feature. The protection mechanism can be bypassed by using HTML event handlers such as ontoggle.
2063 CVE-2020-12717 20 2020-05-14 2021-07-21
3.3
None Local Network Low Not required None None Partial
The COVIDSafe (Australia) app 1.0 and 1.1 for iOS allows a remote attacker to crash the app, and consequently interfere with COVID-19 contact tracing, via a Bluetooth advertisement containing manufacturer data that is too short. This occurs because of an erroneous OpenTrace manuData.subdata call. The ABTraceTogether (Alberta), ProteGO (Poland), and TraceTogether (Singapore) apps were also affected.
2064 CVE-2020-12706 79 XSS 2020-05-07 2020-05-12
3.5
None Remote Medium ??? None Partial None
Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php
2065 CVE-2020-12683 79 XSS 2020-05-07 2020-05-11
3.5
None Remote Medium ??? None Partial None
Katyshop2 before 2.12 has multiple stored XSS issues.
2066 CVE-2020-12646 79 XSS 2020-08-31 2020-09-09
3.5
None Remote Medium ??? None Partial None
OX App Suite 7.10.3 and earlier allows XSS via text/x-javascript, text/rdf, or a PDF document.
2067 CVE-2020-12629 79 XSS 2020-05-04 2020-05-06
3.5
None Remote Medium ??? None Partial None
include/class.sla.php in osTicket before 1.14.2 allows XSS via the SLA Name.
2068 CVE-2020-12621 863 2020-09-02 2021-07-21
3.6
None Local Low Not required Partial Partial None
The Teamwire application 5.3.0 for Android allows physically proximate attackers to exploit a flaw related to the pass-code component.
2069 CVE-2020-12512 79 XSS 2021-01-22 2021-01-27
3.5
None Remote Medium ??? None Partial None
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
2070 CVE-2020-12472 79 XSS 2020-04-29 2020-05-04
3.5
None Remote Medium ??? None Partial None
MonoX through 5.1.40.5152 allows stored XSS via User Status, Blog Comments, or Blog Description.
2071 CVE-2020-12438 79 XSS 2020-04-28 2020-05-05
3.5
None Remote Medium ??? None Partial None
An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03.50. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT tags. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT tags.
2072 CVE-2020-12352 200 +Info 2020-11-23 2021-07-21
3.3
None Local Network Low Not required Partial None None
Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.
2073 CVE-2020-12322 20 DoS 2020-11-12 2020-11-24
3.3
None Local Network Low Not required None None Partial
Improper input validation in some Intel(R) Wireless Bluetooth(R) products before version 21.110 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
2074 CVE-2020-12319 DoS 2020-11-12 2020-11-20
3.3
None Local Network Low Not required None None Partial
Insufficient control flow management in some Intel(R) PROSet/Wireless WiFi products before version 21.110 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
2075 CVE-2020-12317 119 DoS Overflow 2020-11-12 2021-07-21
3.3
None Local Network Low Not required None None Partial
Improper buffer restriction in some Intel(R) PROSet/Wireless WiFi products before version 21.110 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
2076 CVE-2020-12314 20 DoS 2020-11-12 2020-11-20
3.3
None Local Network Low Not required None None Partial
Improper input validation in some Intel(R) PROSet/Wireless WiFi products before version 21.110 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
2077 CVE-2020-12276 79 XSS 2020-04-29 2020-05-04
3.5
None Remote Medium ??? None Partial None
GitLab 9.5.9 through 12.9 is vulnerable to stored XSS in an admin notification feature.
2078 CVE-2020-12270 330 2020-04-27 2020-05-06
3.3
None Local Network Low Not required Partial None None
** DISPUTED ** React Native Bluetooth Scan in Bluezone 1.0.0 uses six-character alphanumeric IDs, which might make it easier for remote attackers to interfere with COVID-19 contact tracing by using many IDs. NOTE: the vendor disputes the relevance of this report because the recipient of an F1 alert will know it was a false alert if contact-history comparison fails (i.e., an F0 is not actually part of the contact history obtained from the device of this recipient, or this recipient is not actually part of the contact history obtained from the device of an F0).
2079 CVE-2020-12262 79 XSS 2020-11-27 2020-12-08
3.5
None Remote Medium ??? None Partial None
Intelbras TIP200 60.61.75.15, TIP200LITE 60.61.75.15, and TIP300 65.61.75.15 devices allow /cgi-bin/cgiServer.exx?page= XSS.
2080 CVE-2020-12261 79 XSS 2020-04-28 2020-05-28
3.5
None Remote Medium ??? None Partial None
Open-AudIT 3.3.0 allows an XSS attack after login.
2081 CVE-2020-12259 79 XSS 2020-05-18 2020-05-18
3.5
None Remote Medium ??? None Partial None
rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php.
2082 CVE-2020-12256 79 XSS 2020-05-18 2020-05-18
3.5
None Remote Medium ??? None Partial None
rConfig 3.9.4 is vulnerable to reflected XSS. The devicemgmnt.php file improperly validates user input. An attacker can exploit this by crafting arbitrary JavaScript in the deviceId GET parameter to devicemgmnt.php.
2083 CVE-2020-12251 22 Dir. Trav. 2020-04-29 2020-05-18
3.5
None Remote Medium ??? Partial None None
An issue was discovered in Gigamon GigaVUE 5.5.01.11. The upload functionality allows an authenticated user to change the filename value (in the POST method) from the original filename to achieve directory traversal via a ../ sequence and, for example, obtain a complete directory listing of the machine.
2084 CVE-2020-12082 79 XSS 2021-09-17 2021-09-28
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting issue impacts certain areas of the Web UI for Code Insight v7.x releases up to and including 2020 R1 (7.11.0-64).
2085 CVE-2020-12071 79 XSS 2020-04-23 2020-04-27
3.5
None Remote Medium ??? None Partial None
Anchor 0.12.7 allows admins to cause XSS via crafted post content.
2086 CVE-2020-12046 347 2020-05-14 2020-05-18
3.5
None Remote Medium ??? None Partial None
Opto 22 SoftPAC Project Version 9.6 and prior. SoftPAC’s firmware files’ signatures are not verified upon firmware update. This allows an attacker to replace legitimate firmware files with malicious files.
2087 CVE-2020-12035 798 2020-06-29 2020-07-14
3.6
None Local Low Not required None Partial Partial
Baxter PrismaFlex all versions, PrisMax all versions prior to 3.x, The PrismaFlex device contains a hard-coded service password that provides access to biomedical information, device settings, calibration settings, and network configuration. This could allow an attacker to modify device settings and calibration.
2088 CVE-2020-12024 2020-06-29 2021-11-04
3.6
None Local Low Not required Partial Partial None
Baxter ExactaMix EM 2400 versions 1.10, 1.11, 1.13, 1.14 and ExactaMix EM1200 Versions 1.1, 1.2, 1.4 and 1.5 does not restrict access to the USB interface from an unauthorized user with physical access. Successful exploitation of this vulnerability may allow an attacker with physical access to the system the ability to load an unauthorized payload or unauthorized access to the hard drive by booting a live USB OS. This could impact confidentiality and integrity of the system and risk exposure of sensitive information including PHI.
2089 CVE-2020-12020 668 2020-06-29 2020-07-08
3.6
None Local Low Not required None Partial Partial
Baxter ExactaMix EM 2400 Versions 1.10, 1.11, and 1.13 and ExactaMix EM1200 Versions 1.1, 1.2, and 1.4 does not restrict non administrative users from gaining access to the operating system and editing the application startup script. Successful exploitation of this vulnerability may allow an attacker to alter the startup script as the limited-access user.
2090 CVE-2020-12012 798 2020-06-29 2020-07-07
3.6
None Local Low Not required Partial Partial None
Baxter ExactaMix EM 2400 & EM 1200, Versions ExactaMix EM2400 Versions 1.10, 1.11, 1.13, 1.14, ExactaMix EM1200 Versions 1.1, 1.2, 1.4, 1.5, Baxter ExactaMix EM 2400 Versions 1.10, 1.11, and 1.13, and ExactaMix EM1200 Versions 1.1, 1.2, and 1.4 have hard-coded administrative account credentials for the ExactaMix application. Successful exploitation of this vulnerability may allow an attacker with physical access to gain unauthorized access to view/update system configuration or data. This could impact confidentiality and integrity of the system and risk exposure of sensitive information including PHI.
2091 CVE-2020-11983 79 XSS 2020-07-17 2020-07-21
3.5
None Remote Medium ??? None Partial None
An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.
2092 CVE-2020-11922 200 +Info 2021-04-02 2021-04-09
3.3
None Local Network Low Not required Partial None None
An issue was discovered in WiZ Colors A60 1.14.0. The device sends unnecessary information to the cloud controller server. Although this information is sent encrypted and has low risk in isolation, it decreases the privacy of the end user. The information sent includes the local IP address being used and the SSID of the Wi-Fi network the device is connected to. (Various resources such as wigle.net can be use for mapping of SSIDs to physical locations.)
2093 CVE-2020-11914 125 2020-06-17 2020-07-22
3.3
None Local Network Low Not required Partial None None
The Treck TCP/IP stack before 6.0.1.66 has an ARP Out-of-bounds Read.
2094 CVE-2020-11912 125 2020-06-17 2020-07-22
3.3
None Local Network Low Not required None None Partial
The Treck TCP/IP stack before 6.0.1.66 has a TCP Out-of-bounds Read.
2095 CVE-2020-11908 2020-06-17 2020-07-22
3.3
None Local Network Low Not required None None Partial
The Treck TCP/IP stack before 4.7.1.27 mishandles '\0' termination in DHCP.
2096 CVE-2020-11905 125 2020-06-17 2020-07-22
3.3
None Local Network Low Not required Partial None None
The Treck TCP/IP stack before 6.0.1.66 has a DHCPv6 Out-of-bounds Read.
2097 CVE-2020-11903 125 2020-06-17 2020-07-22
3.3
None Local Network Low Not required Partial None None
The Treck TCP/IP stack before 6.0.1.28 has a DHCP Out-of-bounds Read.
2098 CVE-2020-11838 79 XSS 2020-06-16 2020-06-19
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) vulnerability in Micro Focus ArcSight Management Center product, Affecting versions 2.6.1, 2.7.x, 2.8.x, 2.9.x prior to 2.9.4. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS) or information disclosure.
2099 CVE-2020-11823 79 XSS 2020-04-16 2020-04-20
3.5
None Remote Medium ??? None Partial None
In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page. This may lead to stealing of the admin account.
2100 CVE-2020-11813 79 XSS 2020-04-16 2020-04-23
3.5
None Remote Medium ??? None Partial None
In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the configuration page via the copyright text input. Thus, an attacker can inject a malicious script to steal all users' valuable data. This copyright text is on every page so this attack vector can be very dangerous.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.