CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2401 CVE-2020-7068 416 2020-09-09 2021-07-22
3.3
None Local Medium Not required Partial None Partial
In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure.
2402 CVE-2020-7050 79 XSS 2020-02-15 2020-02-20
3.5
None Remote Medium ??? None Partial None
Codologic Codoforum through 4.8.4 allows a DOM-based XSS. While creating a new topic as a normal user, it is possible to add a poll that is automatically loaded in the DOM once the thread/topic is opened. Because session cookies lack the HttpOnly flag, it is possible to steal authentication cookies and take over accounts.
2403 CVE-2020-7045 74 2020-01-16 2021-07-21
3.3
None Local Network Low Not required None None Partial
In Wireshark 3.0.x before 3.0.8, the BT ATT dissector could crash. This was addressed in epan/dissectors/packet-btatt.c by validating opcodes.
2404 CVE-2020-7033 79 XSS 2020-11-13 2020-11-29
3.5
None Remote Medium ??? None Partial None
A Cross Site Scripting (XSS) Vulnerability on the Unified Portal Client (web client) used in Avaya Equinox Conferencing can allow an authenticated user to perform XSS attacks. The affected versions of Equinox Conferencing includes all 9.x versions before 9.1.10.
2405 CVE-2020-7020 269 2020-10-22 2020-11-23
3.5
None Remote Medium ??? Partial None None
Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.
2406 CVE-2020-7015 79 XSS +Info 2020-06-03 2020-06-05
3.5
None Remote Medium ??? None Partial None
Kibana versions before 6.8.9 and 7.7.0 contains a stored XSS flaw in the TSVB visualization. An attacker who is able to edit or create a TSVB visualization could allow the attacker to obtain sensitive information from, or perform destructive actions, on behalf of Kibana users who edit the TSVB visualization.
2407 CVE-2020-6876 79 XSS 2020-10-26 2020-10-30
3.5
None Remote Medium ??? None Partial None
A ZTE product is impacted by an XSS vulnerability. The vulnerability is caused by the lack of correct verification of client data in the WEB module. By inserting malicious scripts into the web module, a remote attacker could trigger an XSS attack when the user browses the web page. Then the attacker could use the vulnerability to steal user cookies or destroy the page structure. This affects: eVDC ZXCLOUD-iROSV6.03.04
2408 CVE-2020-6868 20 Bypass 2020-06-01 2020-12-04
3.3
None Local Network Low Not required None Partial None
There is an input validation vulnerability in a PON terminal product of ZTE, which supports the creation of WAN connections through WEB management pages. The front-end limits the length of the WAN connection name that is created, but the HTTP proxy is available to be used to bypass the limitation. An attacker can exploit the vulnerability to tamper with the parameter value. This affects: ZTE F680 V9.0.10P1N6
2409 CVE-2020-6864 200 +Info 2020-02-27 2021-07-21
3.3
None Local Network Low Not required Partial None None
ZTE E8820V3 router product is impacted by an information leak vulnerability. Attackers could use this vulnerability to to gain wireless passwords. After obtaining the wireless password, the attacker could collect information and attack the router.
2410 CVE-2020-6863 732 2020-02-27 2021-07-21
3.3
None Local Network Low Not required None None Partial
ZTE E8820V3 router product is impacted by a permission and access control vulnerability. Attackers could use this vulnerability to tamper with DDNS parameters and send DoS attacks on the specified URL.
2411 CVE-2020-6854 79 XSS 2020-02-05 2020-02-07
3.5
None Remote Medium ??? None Partial None
A cross-site scripting (XSS) vulnerability in the JOC Cockpit component of SOS JobScheduler 1.11 and 1.13.2 allows attackers to inject arbitrary web script or HTML via JSON properties available from the REST API.
2412 CVE-2020-6847 79 XSS 2020-01-11 2020-01-15
3.5
None Remote Medium ??? None Partial None
OpenTrade through 0.2.0 has a DOM-based XSS vulnerability that is executed when an administrator attempts to delete a message that contains JavaScript.
2413 CVE-2020-6843 79 XSS 2020-01-23 2020-01-27
3.5
None Remote Medium ??? None Partial None
Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959.
2414 CVE-2020-6777 79 Exec Code +Priv XSS 2021-01-14 2021-01-21
3.5
None Remote Medium ??? None Partial None
A vulnerability in the web-based management interface of Bosch PRAESIDEO until and including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an authenticated remote attacker with admin privileges to mount a stored Cross-Site-Scripting (XSS) attack against another user. When the victim logs into the management interface, the stored script code is executed in the context of his browser. A successful exploit would allow an attacker to interact with the management interface with the privileges of the victim. However, as the attacker already needs admin privileges, there is no additional impact on the management interface itself.
2415 CVE-2020-6647 79 XSS 2020-04-07 2020-04-09
3.5
None Remote Medium ??? None Partial None
An improper neutralization of input vulnerability in the dashboard of FortiADC may allow an authenticated attacker to perform a cross site scripting attack (XSS) via the name parameter.
2416 CVE-2020-6646 79 XSS 2020-03-17 2020-03-19
3.5
None Remote Medium ??? None Partial None
An improper neutralization of input vulnerability in FortiWeb allows a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Disclaimer Description of a Replacement Message.
2417 CVE-2020-6643 79 XSS 2020-03-12 2020-03-17
3.5
None Remote Medium ??? None Partial None
An improper neutralization of input vulnerability in the URL Description in Fortinet FortiIsolator version 1.2.2 allows a remote authenticated attacker to perform a cross site scripting attack (XSS).
2418 CVE-2020-6640 79 XSS 2020-06-04 2020-06-08
3.5
None Remote Medium ??? None Partial None
An improper neutralization of input vulnerability in the Admin Profile of FortiAnalyzer may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Description Area.
2419 CVE-2020-6616 338 2020-05-08 2021-07-21
3.3
None Local Network Low Not required None Partial None
Some Broadcom chips mishandle Bluetooth random-number generation because a low-entropy Pseudo Random Number Generator (PRNG) is used in situations where a Hardware Random Number Generator (HRNG) should have been used to prevent spoofing. This affects, for example, Samsung Galaxy S8, S8+, and Note8 devices with the BCM4361 chipset. The Samsung ID is SVE-2020-16882 (May 2020).
2420 CVE-2020-6586 79 XSS 2020-03-16 2020-03-18
3.5
None Remote Medium ??? None Partial None
Nagios Log Server 2.1.3 allows XSS by visiting /profile and entering a crafted name field that is mishandled on the /admin/users page. Any malicious user with limited access can store an XSS payload in his Name. When any admin views this, the XSS is triggered.
2421 CVE-2020-6581 74 2020-03-16 2021-07-21
3.7
None Local High Not required Partial Partial Partial
Nagios NRPE 3.2.1 has Insufficient Filtering because, for example, nasty_metachars interprets \n as the character \ and the character n (not as the \n newline sequence). This can cause command injection.
2422 CVE-2020-6370 79 XSS 2020-10-20 2020-10-22
3.5
None Remote Medium ??? None Partial None
SAP NetWeaver Design Time Repository (DTR), versions - 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
2423 CVE-2020-6368 79 XSS +Info 2020-10-15 2020-10-19
3.5
None Remote Medium ??? None Partial None
SAP Business Planning and Consolidation, versions - 750, 751, 752, 753, 754, 755, 810, 100, 200, can be abused by an attacker, allowing them to modify displayed application content without authorization, and to potentially obtain authentication information from other legitimate users, leading to Cross Site Scripting.
2424 CVE-2020-6326 79 XSS 2020-09-09 2020-09-14
3.5
None Remote Medium ??? None Partial None
SAP NetWeaver (Knowledge Management), version-7.30,7.31,7.40,7.50, allows an authenticated attacker to create malicious links in the UI, when clicked by victim, will execute arbitrary java scripts thus extracting or modifying information otherwise restricted leading to Stored Cross Site Scripting.
2425 CVE-2020-6312 79 XSS 2020-09-09 2020-09-10
3.5
None Remote Medium ??? None Partial None
SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface), versions - 4.1, 4.2, allows an attacker with a non-administrative user account that can edit certain web page properties, can modify how a browser processes particular page elements, leading to stored Cross Site Scripting. In certain situations, when a user accesses an affected web page element, the attacker will be able to access or modify metadata for which they are not authorized.
2426 CVE-2020-6303 79 XSS 2020-01-14 2020-01-24
3.5
None Remote Medium ??? None Partial None
SAP Disclosure Management, before version 10.1, does not validate user input properly in specific use cases leading to Cross-Site Scripting.
2427 CVE-2020-6300 79 XSS 2020-08-12 2020-08-13
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (Central Management Console), versions- 4.2, 4.3, allows an attacker with administrator rights can use the web application to send malicious code to a different end user (victim), as it does not sufficiently encode user-controlled inputs for RecycleBin, resulting in Stored Cross-Site Scripting (XSS) vulnerability.
2428 CVE-2020-6285 200 +Info 2020-07-14 2021-07-21
3.5
None Remote Medium ??? Partial None None
SAP NetWeaver - XML Toolkit for JAVA (ENGINEAPI) (versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50), under certain conditions allows an attacker to access information which would otherwise be restricted, leading to Information Disclosure.
2429 CVE-2020-6278 79 XSS 2020-07-14 2020-07-14
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (BI Launchpad and CMC), versions 4.1, 4.2, allows to an attacker to embed malicious scripts in the application while uploading images, which gets executed when the victim opens these files, leading to Stored Cross Site Scripting
2430 CVE-2020-6272 79 XSS 2020-10-15 2020-10-19
3.5
None Remote Medium ??? None Partial None
SAP Commerce Cloud versions - 1808, 1811, 1905, 2005, does not sufficiently encode user inputs, which allows an authenticated and authorized content manager to inject malicious script into several web CMS components. These can be saved and later triggered, if an affected web page is visited, resulting in Cross-Site Scripting (XSS) vulnerability.
2431 CVE-2020-6257 79 XSS 2020-05-12 2020-05-15
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (CMC and BI Launchpad) 4.2 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability.
2432 CVE-2020-6231 79 XSS 2020-04-14 2020-04-15
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
2433 CVE-2020-6226 79 XSS 2020-04-14 2020-04-15
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
2434 CVE-2020-6224 200 +Info 2020-04-14 2021-07-21
3.5
None Remote Medium ??? Partial None None
SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access user sensitive data such as passwords in trace files, when the user logs in and sends request with login credentials, leading to Information Disclosure.
2435 CVE-2020-6222 79 XSS 2020-04-14 2020-04-15
3.5
None Remote Medium ??? None Partial None
SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface), versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
2436 CVE-2020-6221 79 XSS 2020-04-14 2020-04-15
3.5
None Remote Medium ??? None Partial None
Web Intelligence HTML interface in SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
2437 CVE-2020-6200 79 XSS 2020-03-10 2020-03-11
3.5
None Remote Medium ??? None Partial None
The SAP Commerce (SmartEdit Extension), versions- 6.6, 6.7, 1808, 1811, is vulnerable to client-side angularjs template injection, a variant of Cross-Site-Scripting (XSS) that exploits the templating facilities of the angular framework.
2438 CVE-2020-6185 79 XSS 2020-02-12 2020-02-19
3.5
None Remote Medium ??? None Partial None
Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), allows an authenticated attacker to store a malicious payload which results in Stored Cross Site Scripting vulnerability.
2439 CVE-2020-6022 2020-10-27 2020-10-27
3.6
None Local Low Not required None Partial Partial
Check Point ZoneAlarm before version 15.8.139.18543 allows a local actor to delete arbitrary files while restoring files in Anti-Ransomware.
2440 CVE-2020-5988 416 DoS 2020-10-02 2021-07-21
3.6
None Local Low Not required Partial None Partial
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which allocated memory can be freed twice, which may lead to information disclosure or denial of service. This affects vGPU version 8.x (prior to 8.5), version 10.x (prior to 10.4) and version 11.0.
2441 CVE-2020-5985 20 DoS 2020-10-02 2020-10-14
3.6
None Local Low Not required None Partial Partial
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which an input data length is not validated, which may lead to tampering or denial of service. This affects vGPU version 8.x (prior to 8.5), version 10.x (prior to 10.4) and version 11.0.
2442 CVE-2020-5983 787 DoS 2020-10-02 2020-10-14
3.6
None Local Low Not required Partial None Partial
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin and the host driver kernel module, in which the potential exists to write to a memory location that is outside the intended boundary of the frame buffer memory allocated to guest operating systems, which may lead to denial of service or information disclosure. This affects vGPU version 8.x (prior to 8.5), version 10.x (prior to 10.4) and version 11.0.
2443 CVE-2020-5972 763 DoS 2020-06-30 2020-07-09
3.6
None Local Low Not required None Partial Partial
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which local pointer variables are not initialized and may be freed later, which may lead to tampering or denial of service. This affects vGPU version 8.x (prior to 8.4), version 9.x (prior to 9.4) and version 10.x (prior to 10.3).
2444 CVE-2020-5970 20 DoS 2020-06-30 2020-07-10
3.6
None Local Low Not required None Partial Partial
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which an input data size is not validated, which may lead to tampering or denial of service. This affects vGPU version 8.x (prior to 8.4), version 9.x (prior to 9.4) and version 10.x (prior to 10.3).
2445 CVE-2020-5969 362 DoS 2020-06-30 2020-07-10
3.3
None Local Medium Not required Partial None Partial
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which it validates a shared resource before using it, creating a race condition which may lead to denial of service or information disclosure. This affects vGPU version 8.x (prior to 8.4), version 9.x (prior to 9.4) and version 10.x (prior to 10.3).
2446 CVE-2020-5940 79 XSS 2020-11-05 2020-11-12
3.5
None Remote Medium ??? None Partial None
In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 14.1.0-14.1.2.3, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI), also known as the BIG-IP Configuration utility.
2447 CVE-2020-5934 2020-10-29 2020-11-09
3.3
None Local Network Low Not required None None Partial
On BIG-IP APM 15.1.0-15.1.0.5, 14.1.0-14.1.2.3, and 13.1.0-13.1.3.3, when multiple HTTP requests from the same client to configured SAML Single Logout (SLO) URL are passing through a TCP Keep-Alive connection, traffic to TMM can be disrupted.
2448 CVE-2020-5932 79 Exec Code XSS 2020-10-29 2020-11-09
3.5
None Remote Medium ??? None Partial None
On BIG-IP ASM 15.1.0-15.1.0.5, a cross-site scripting (XSS) vulnerability exists in the BIG-IP ASM Configuration utility response and blocking pages. An authenticated user with administrative privileges can specify a response page with any content, including JavaScript code that will be executed when preview is opened.
2449 CVE-2020-5928 352 CSRF 2020-08-26 2020-09-02
3.3
None Local Medium Not required None Partial Partial
In versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.2.6, 13.1.0-13.1.3.4, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, BIG-IP ASM Configuration utility CSRF protection token can be reused multiple times.
2450 CVE-2020-5912 20 2020-08-26 2021-07-21
3.6
None Local Low Not required None Partial Partial
In BIG-IP versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the restjavad process's dump command does not follow current best coding practices and may overwrite arbitrary files.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.