CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In June 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
251 CVE-2020-13910 125 2020-06-07 2020-06-10
6.4
None Remote Low Not required Partial None Partial
Pengutronix Barebox through v2020.05.0 has an out-of-bounds read in nfs_read_reply in net/nfs.c because a field of an incoming network packet is directly used as a length field without any bounds check.
252 CVE-2020-13909 2020-06-07 2021-12-02
7.5
None Remote Low Not required Partial Partial Partial
The Ignition component before 2.0.5 for Laravel mishandles globals, _get, _post, _cookie, and _env. NOTE: in the 1.x series, versions 1.16.15 and later are unaffected as a consequence of the CVE-2021-43996 fix.
253 CVE-2020-13906 2020-06-10 2020-06-17
6.8
None Remote Medium Not required Partial Partial Partial
IrfanView 4.54 allows a user-mode write access violation starting at FORMATS!GetPlugInInfo+0x0000000000038eb7.
254 CVE-2020-13905 2020-06-10 2020-06-17
6.8
None Remote Medium Not required Partial Partial Partial
IrfanView 4.54 allows a user-mode write access violation starting at FORMATS!GetPlugInInfo+0x0000000000038ed4.
255 CVE-2020-13904 416 2020-06-07 2021-01-04
4.3
None Remote Medium Not required None None Partial
FFmpeg 2.8 and 4.2.3 has a use-after-free via a crafted EXTINF duration in an m3u8 file because parse_playlist in libavformat/hls.c frees a pointer, and later that pointer is accessed in av_probe_input_format3 in libavformat/format.c.
256 CVE-2020-13902 125 2020-06-07 2020-06-10
5.8
None Remote Medium Not required Partial None Partial
ImageMagick 7.0.9-27 through 7.0.10-17 has a heap-based buffer over-read in BlobToStringInfo in MagickCore/string.c during TIFF image decoding.
257 CVE-2020-13901 787 Overflow 2020-06-10 2021-03-04
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in janus-gateway (aka Janus WebRTC Server) through 0.10.0. janus_sdp_merge in sdp.c has a stack-based buffer overflow.
258 CVE-2020-13900 476 2020-06-10 2021-03-04
5.0
None Remote Low Not required None None Partial
An issue was discovered in janus-gateway (aka Janus WebRTC Server) through 0.10.0. janus_sdp_preparse in sdp.c has a NULL pointer dereference.
259 CVE-2020-13899 909 2020-06-10 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in janus-gateway (aka Janus WebRTC Server) through 0.10.0. janus_process_incoming_request in janus.c discloses information from uninitialized stack memory.
260 CVE-2020-13898 476 2020-06-10 2021-03-04
5.0
None Remote Low Not required None None Partial
An issue was discovered in janus-gateway (aka Janus WebRTC Server) through 0.10.0. janus_sdp_process in sdp.c has a NULL pointer dereference.
261 CVE-2020-13897 79 XSS 2020-06-07 2020-06-09
4.3
None Remote Medium Not required None Partial None
HESK before 3.1.10 allows reflected XSS.
262 CVE-2020-13896 200 +Info 2020-06-29 2021-07-21
5.0
None Remote Low Not required Partial None None
The web interface of Maipu MP1800X-50 7.5.3.14(R) devices allows remote attackers to obtain sensitive information via the form/formDeviceVerGet URI, such as system id, hardware model, hardware version, bootloader version, software version, software image file, compilation time, and system uptime. This is similar to CVE-2019-1653.
263 CVE-2020-13895 347 2020-06-07 2020-06-15
6.8
None Remote Medium Not required Partial Partial Partial
Crypt::Perl::ECDSA in the Crypt::Perl (aka p5-Crypt-Perl) module before 0.32 for Perl fails to verify correct ECDSA signatures when r and s are small and when s = 1. This happens when using the curve secp256r1 (prime256v1). This could conceivably have a security-relevant impact if an attacker wishes to use public r and s values when guessing whether signature verification will fail.
264 CVE-2020-13894 276 2020-06-07 2020-06-11
5.0
None Remote Low Not required Partial None None
handler/upload_handler.jsp in DEXT5 Editor through 3.5.1402961 allows an attacker to download arbitrary files via the savefilepath field.
265 CVE-2020-13892 79 XSS 2020-06-09 2020-06-11
3.5
None Remote Medium ??? None Partial None
The SportsPress plugin before 2.7.2 for WordPress allows XSS.
266 CVE-2020-13891 200 +Info 2020-06-26 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in Mattermost Mobile Apps before 1.31.2 on iOS. Unintended third-party servers could sometimes obtain authorization tokens, aka MMSA-2020-0022.
267 CVE-2020-13890 79 XSS 2020-06-06 2020-06-10
3.5
None Remote Medium ??? None Partial None
The Neon theme 2.0 before 2020-06-03 for Bootstrap allows XSS via an Add Task Input operation in a dashboard.
268 CVE-2020-13889 79 XSS 2020-06-06 2020-06-09
3.5
None Remote Medium ??? None Partial None
showAlert() in the administration panel in Bludit 3.12.0 allows XSS.
269 CVE-2020-13888 79 XSS 2020-06-22 2020-06-26
3.5
None Remote Medium ??? None Partial None
Kordil EDMS through 2.2.60rc3 allows stored XSS in users_edit.php, users_management_edit.php, and user_management.php.
270 CVE-2020-13887 434 Exec Code 2020-06-22 2020-06-30
6.5
None Remote Low ??? Partial Partial Partial
documents_add.php in Kordil EDMS through 2.2.60rc3 allows Remote Command Execution because .php files can be uploaded to the documents folder.
271 CVE-2020-13885 276 +Priv 2020-06-08 2020-06-12
7.2
None Local Low Not required Complete Complete Complete
Citrix Workspace App before 1912 on Windows has Insecure Permissions which allows local users to gain privileges during the uninstallation of the application.
272 CVE-2020-13884 276 +Priv 2020-06-08 2020-06-12
7.2
None Local Low Not required Complete Complete Complete
Citrix Workspace App before 1912 on Windows has Insecure Permissions and an Unquoted Path vulnerability which allows local users to gain privileges during the uninstallation of the application.
273 CVE-2020-13883 611 2020-06-06 2020-06-10
6.5
None Remote Low ??? Partial Partial Partial
In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle.
274 CVE-2020-13882 367 Bypass 2020-06-18 2020-07-03
3.7
None Local High Not required Partial Partial Partial
CISOfy Lynis before 3.0.0 has Incorrect Access Control because of a TOCTOU race condition. The routine to check the log and report file permissions was not working as intended and could be bypassed locally. Because of the race, an unprivileged attacker can set up a log and report file, and control that up to the point where the specific routine is doing its check. After that, the file can be removed, recreated, and used for additional attacks.
275 CVE-2020-13881 532 2020-06-06 2021-08-04
4.3
None Remote Medium Not required Partial None None
In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel and journald are used.
276 CVE-2020-13872 307 Bypass 2020-06-09 2020-06-12
3.3
None Local Network Low Not required Partial None None
Royal TS before 5 has a 0.0.0.0 listener, which makes it easier for attackers to bypass tunnel authentication via a brute-force approach.
277 CVE-2020-13871 416 2020-06-06 2021-06-14
5.0
None Remote Low Not required None None Partial
SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.
278 CVE-2020-13870 79 XSS 2020-06-05 2020-06-09
3.5
None Remote Medium ??? None Partial None
An issue was discovered in the Comments plugin before 1.5.5 for Craft CMS. There is stored XSS via an asset volume name.
279 CVE-2020-13869 79 XSS 2020-06-05 2020-06-09
3.5
None Remote Medium ??? None Partial None
An issue was discovered in the Comments plugin before 1.5.6 for Craft CMS. There is stored XSS via a guest name.
280 CVE-2020-13868 352 CSRF 2020-06-05 2020-06-09
4.3
None Remote Medium Not required None Partial None
An issue was discovered in the Comments plugin before 1.5.5 for Craft CMS. CSRF affects comment integrity.
281 CVE-2020-13867 276 2020-06-05 2020-08-30
2.1
None Local Low Not required Partial None None
Open-iSCSI targetcli-fb through 2.1.52 has weak permissions for /etc/target (and for the backup directory and backup files).
282 CVE-2020-13866 276 +Priv 2020-06-08 2021-07-21
7.2
None Local Low Not required Complete Complete Complete
WinGate v9.4.1.5998 has insecure permissions for the installation directory, which allows local users to gain privileges by replacing an executable file with a Trojan horse.
283 CVE-2020-13865 79 XSS 2020-06-05 2020-06-09
3.5
None Remote Medium ??? None Partial None
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.
284 CVE-2020-13864 79 XSS 2020-06-05 2020-06-09
3.5
None Remote Medium ??? None Partial None
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.
285 CVE-2020-13855 434 Exec Code 2020-06-11 2020-06-11
9.0
None Remote Low ??? Complete Complete Complete
Artica Pandora FMS 7.44 allows arbitrary file upload (leading to remote command execution) via the File Repository Manager feature.
286 CVE-2020-13854 269 2020-06-11 2020-06-11
10.0
None Remote Low Not required Complete Complete Complete
Artica Pandora FMS 7.44 allows privilege escalation.
287 CVE-2020-13853 79 XSS 2020-06-11 2020-06-11
3.5
None Remote Medium ??? None Partial None
Artica Pandora FMS 7.44 has persistent XSS in the Messages feature.
288 CVE-2020-13852 434 Exec Code 2020-06-11 2020-06-11
9.0
None Remote Low ??? Complete Complete Complete
Artica Pandora FMS 7.44 allows arbitrary file upload (leading to remote command execution) via the File Manager feature.
289 CVE-2020-13851 74 Exec Code 2020-06-11 2021-07-21
9.0
None Remote Low ??? Complete Complete Complete
Artica Pandora FMS 7.44 allows remote command execution via the events feature.
290 CVE-2020-13850 862 2020-06-11 2021-07-21
5.0
None Remote Low Not required Partial None None
Artica Pandora FMS 7.44 has inadequate access controls on a web folder.
291 CVE-2020-13849 400 DoS 2020-06-04 2020-06-10
5.0
None Remote Low Not required None None Partial
The MQTT protocol 3.1.1 requires a server to set a timeout value of 1.5 times the Keep-Alive value specified by a client, which allows remote attackers to cause a denial of service (loss of the ability to establish new connections), as demonstrated by SlowITe.
292 CVE-2020-13848 476 DoS 2020-06-04 2021-03-08
5.0
None Remote Low Not required None None Partial
Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
293 CVE-2020-13844 200 +Info 2020-06-08 2021-07-21
2.1
None Local Low Not required Partial None None
Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka "straight-line speculation."
294 CVE-2020-13843 20 DoS 2020-06-05 2021-07-21
4.9
None Local Low Not required None None Complete
An issue was discovered on LG mobile devices with Android OS software before 2020-06-01. Local users can cause a denial of service because checking of the userdata partition is mishandled. The LG ID is LVE-SMP-200014 (June 2020).
295 CVE-2020-13842 2020-06-05 2020-06-11
4.6
None Local Low Not required Partial Partial Partial
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). A dangerous AT command was made available even though it is unused. The LG ID is LVE-SMP-200010 (June 2020).
296 CVE-2020-13841 269 Bypass 2020-06-05 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on LG mobile devices with Android OS 9 and 10 (MTK chipsets). An AT command handler allows attackers to bypass intended access restrictions. The LG ID is LVE-SMP-200009 (June 2020).
297 CVE-2020-13840 120 Exec Code Overflow 2020-06-05 2020-06-11
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). Code execution can occur via an MTK AT command handler buffer overflow. The LG ID is LVE-SMP-200008 (June 2020).
298 CVE-2020-13839 120 Exec Code Overflow 2020-06-05 2020-06-11
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). Code execution can occur via a custom AT command handler buffer overflow. The LG ID is LVE-SMP-200007 (June 2020).
299 CVE-2020-13838 287 2020-06-04 2021-07-21
3.6
None Local Low Not required Partial Partial None
An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. The DeX Lockscreen feature does not block access to Quick Panel and notifications. The Samsung ID is SVE-2020-17187 (June 2020).
300 CVE-2020-13837 287 2020-06-04 2021-07-21
3.6
None Local Low Not required Partial Partial None
An issue was discovered on Samsung mobile devices with Q(10.0) software. The Lockscreen feature does not block Quick Panel access to Music Share. The Samsung ID is SVE-2020-17145 (June 2020).
Total number of vulnerabilities : 1786   Page : 1 2 3 4 5 6 (This Page)7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.