CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In February 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2020-9466 74 2020-02-28 2021-07-21
5.8
None Remote Medium Not required Partial Partial None
The Export Users to CSV plugin through 1.4.2 for WordPress allows CSV Injection.
2 CVE-2020-9465 89 Sql Bypass 2020-02-28 2020-03-04
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in EyesOfNetwork eonweb 5.1 through 5.3 before 5.3-3. The eonweb web interface is prone to a SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the user_id field in a cookie.
3 CVE-2020-9463 78 Exec Code 2020-02-28 2020-03-03
9.0
None Remote Low ??? Complete Complete Complete
Centreon 19.10 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the server_ip field in JSON data in an api/internal.php?object=centreon_configuration_remote request.
4 CVE-2020-9459 79 XSS 2020-02-28 2020-03-02
3.5
None Remote Medium ??? None Partial None
Multiple Stored Cross-site scripting (XSS) vulnerabilities in the Webnus Modern Events Calendar Lite plugin through 5.1.6 for WordPress allows remote authenticated users (with minimal permissions) to inject arbitrary JavaScript, HTML, or CSS via Ajax actions. This affects mec_save_notifications and import_settings.
5 CVE-2020-9449 330 2020-02-28 2020-03-04
6.5
None Remote Low ??? Partial Partial Partial
An insecure random number generation vulnerability in BlaB! AX, BlaB! AX Pro, BlaB! WS (client), and BlaB! WS Pro (client) version 19.11 allows an attacker (with a guest or user session cookie) to escalate privileges by retrieving the cookie salt value and creating a valid session cookie for an arbitrary user or admin.
6 CVE-2020-9447 79 XSS 2020-02-28 2020-03-16
4.3
None Remote Medium Not required None Partial None
There is an XSS (cross-site scripting) vulnerability in GwtUpload 1.0.3 in the file upload functionality. Someone can upload a file with a malicious filename, which contains JavaScript code, which would result in XSS. Cross-site scripting enables attackers to steal data, change the appearance of a website, and perform other malicious activities like phishing or drive-by hacking.
7 CVE-2020-9442 281 +Priv 2020-02-28 2020-03-03
7.2
None Local Low Not required Complete Complete Complete
OpenVPN Connect 3.1.0.361 on Windows has Insecure Permissions for %PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10, which allows local users to gain privileges by copying a malicious drvstore.dll there.
8 CVE-2020-9434 295 2020-02-27 2020-02-28
6.4
None Remote Low Not required Partial Partial None
openssl_x509_check_ip_asc in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
9 CVE-2020-9433 295 2020-02-27 2020-02-28
6.4
None Remote Low Not required Partial Partial None
openssl_x509_check_email in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
10 CVE-2020-9432 295 2020-02-27 2020-02-28
6.4
None Remote Low Not required Partial Partial None
openssl_x509_check_host in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
11 CVE-2020-9431 400 2020-02-27 2021-07-21
5.0
None Remote Low Not required None None Partial
In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the LTE RRC dissector could leak memory. This was addressed in epan/dissectors/packet-lte-rrc.c by adjusting certain append operations.
12 CVE-2020-9430 20 2020-02-27 2021-02-09
5.0
None Remote Low Not required None None Partial
In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the WiMax DLMAP dissector could crash. This was addressed in plugins/epan/wimax/msg_dlmap.c by validating a length field.
13 CVE-2020-9429 476 2020-02-27 2020-07-27
5.0
None Remote Low Not required None None Partial
In Wireshark 3.2.0 to 3.2.1, the WireGuard dissector could crash. This was addressed in epan/dissectors/packet-wireguard.c by handling the situation where a certain data structure intentionally has a NULL value.
14 CVE-2020-9428 74 2020-02-27 2021-07-21
5.0
None Remote Low Not required None None Partial
In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the EAP dissector could crash. This was addressed in epan/dissectors/packet-eap.c by using more careful sscanf parsing.
15 CVE-2020-9407 200 +Info 2020-02-26 2021-07-21
5.0
None Remote Low Not required Partial None None
IBL Online Weather before 4.3.5a allows attackers to obtain sensitive information by reading the IWEBSERVICE_JSONRPC_COOKIE cookie.
16 CVE-2020-9406 74 2020-02-26 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.
17 CVE-2020-9405 79 XSS 2020-02-26 2020-02-26
4.3
None Remote Medium Not required None Partial None
IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page.
18 CVE-2020-9399 863 Bypass 2020-02-28 2021-07-21
4.3
None Remote Medium Not required None Partial None
The Avast AV parsing engine allows virus-detection bypass via a crafted ZIP archive. This affects versions before 12 definitions 200114-0 of Antivirus Pro, Antivirus Pro Plus, and Antivirus for Linux.
19 CVE-2020-9398 89 Sql 2020-02-25 2020-03-03
9.3
None Remote Medium Not required Complete Complete Complete
ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection.
20 CVE-2020-9394 352 CSRF 2020-02-25 2020-02-26
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows CSRF.
21 CVE-2020-9393 79 XSS 2020-02-25 2020-02-26
4.3
None Remote Medium Not required None Partial None
An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows XSS.
22 CVE-2020-9391 119 Overflow Mem. Corr. 2020-02-25 2021-07-21
2.1
None Local Low Not required None None Partial
An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 on the AArch64 architecture. It ignores the top byte in the address passed to the brk system call, potentially moving the memory break downwards when the application expects it to move upwards, aka CID-dcde237319e6. This has been observed to cause heap corruption with the GNU C Library malloc implementation.
23 CVE-2020-9385 476 2020-02-25 2020-02-26
5.0
None Remote Low Not required None None Partial
A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because multiple + characters are mishandled in add_on in upcean.c, when called from eanx in upcean.c during EAN barcode generation.
24 CVE-2020-9383 125 2020-02-25 2021-01-04
3.6
None Local Low Not required Partial None Partial
An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2.
25 CVE-2020-9382 732 2020-02-24 2021-07-21
5.5
None Remote Low ??? Partial Partial None
An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's {{#widget:}} parser function.
26 CVE-2020-9381 668 Exec Code 2020-02-24 2020-02-26
5.0
None Remote Low Not required None Partial None
controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954.
27 CVE-2020-9379 863 2020-02-25 2021-07-21
4.0
None Remote Low ??? Partial None None
The Software Development Kit of the MiContact Center Business with Site Based Security 8.0 through 9.0.1.0 before KB496276 allows an authenticated user to access sensitive information. A successful exploit could allow unauthorized access to user conversations.
28 CVE-2020-9374 78 Exec Code 2020-02-24 2020-03-02
7.5
None Remote Low Not required Partial Partial Partial
On TP-Link TL-WR849N 0.9.1 4.16 devices, a remote command execution vulnerability in the diagnostics area can be exploited when an attacker sends specific shell metacharacters to the panel's traceroute feature.
29 CVE-2020-9369 400 DoS 2020-02-24 2020-12-24
5.0
None Remote Low Not required None None Partial
Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a denial of service (disk consumption from temporary files, and a flood of notifications to listmasters) via a series of requests with malformed parameters.
30 CVE-2020-9366 120 Overflow 2020-02-24 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.
31 CVE-2020-9365 125 2020-02-24 2020-11-16
5.0
None Remote Low Not required Partial None None
An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read has been detected in the pure_strcmp function in utils.c.
32 CVE-2020-9363 20 Bypass 2020-02-24 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
The Sophos AV parsing engine before 2020-01-14 allows virus-detection bypass via a crafted ZIP archive. This affects Endpoint Protection, Cloud Optix, Mobile, Intercept X Endpoint, Intercept X for Server, and Secure Web Gateway. NOTE: the vendor feels that this does not apply to endpoint-protection products because the virus would be detected upon extraction.
33 CVE-2020-9362 20 Bypass 2020-02-24 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
The Quick Heal AV parsing engine (November 2019) allows virus-detection bypass via a crafted GPFLAG in a ZIP archive. This affects Total Security, Home Security, Total Security Multi-Device, Internet Security, Total Security for Mac, AntiVirus Pro, AntiVirus for Server, and Total Security for Android.
34 CVE-2020-9355 269 2020-02-23 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalation because extra options are mishandled.
35 CVE-2020-9354 776 2020-02-23 2021-07-21
6.4
None Remote Low Not required None Partial Partial
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. path traversal.
36 CVE-2020-9353 22 Dir. Trav. File Inclusion 2020-02-23 2020-02-24
5.0
None Remote Low Not required Partial None None
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML element in the _transaction parameter.
37 CVE-2020-9352 776 2020-02-23 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.
38 CVE-2020-9351 200 +Info 2020-02-23 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies with a verbose error showing where the application resides (the absolute path).
39 CVE-2020-9350 79 XSS 2020-02-23 2020-02-24
3.5
None Remote Medium ??? None Partial None
Graph Builder in SAS Visual Analytics 8.5 allows XSS via a graph template that is accessed directly.
40 CVE-2020-9342 20 Bypass 2020-02-22 2021-07-21
4.3
None Remote Medium Not required None Partial None
The F-Secure AV parsing engine before 2020-02-05 allows virus-detection bypass via crafted Compression Method data in a GZIP archive. This affects versions before 17.0.605.474 (on Linux) of Cloud Protection For Salesforce, Email and Server Security, and Internet GateKeeper.
41 CVE-2020-9341 352 CSRF 2020-02-22 2020-02-24
6.8
None Remote Medium Not required Partial Partial Partial
CandidATS 2.1.0 is vulnerable to CSRF that allows for an administrator account to be added via the index.php?m=settings&a=addUser URI.
42 CVE-2020-9340 89 Sql 2020-02-22 2020-02-25
6.5
None Remote Low ??? Partial Partial Partial
fauzantrif eLection 2.0 has SQL Injection via the admin/ajax/op_kandidat.php id parameter.
43 CVE-2020-9339 79 XSS 2020-02-22 2020-02-24
3.5
None Remote Medium ??? None Partial None
SOPlanning 1.45 allows XSS via the Name or Comment to status.php.
44 CVE-2020-9338 79 XSS 2020-02-22 2020-02-24
3.5
None Remote Medium ??? None Partial None
SOPlanning 1.45 allows XSS via the "Your SoPlanning url" field.
45 CVE-2020-9337 522 2020-02-26 2021-07-21
4.0
None Remote Low ??? Partial None None
In GolfBuddy Course Manager 1.1, passwords are sent (with base64 encoding) via a GET request.
46 CVE-2020-9336 79 XSS 2020-02-22 2020-02-24
3.5
None Remote Medium ??? None Partial None
fauzantrif eLection 2.0 has XSS via the Admin Dashboard -> Settings -> Election -> "message if election is closed" field.
47 CVE-2020-9335 79 XSS 2020-02-25 2020-02-25
3.5
None Remote Medium ??? None Partial None
Multiple stored XSS vulnerabilities exist in the 10Web Photo Gallery plugin before 1.5.46 WordPress. Successful exploitation of this vulnerability would allow a authenticated admin user to inject arbitrary JavaScript code that is viewed by other users.
48 CVE-2020-9334 79 XSS 2020-02-25 2020-02-25
3.5
None Remote Medium ??? None Partial None
A stored XSS vulnerability exists in the Envira Photo Gallery plugin through 1.7.6 for WordPress. Successful exploitation of this vulnerability would allow a authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users.
49 CVE-2020-9330 522 +Priv 2020-02-21 2021-07-21
4.0
None Remote Low ??? Partial None None
Certain Xerox WorkCentre printers before 073.xxx.000.02300 do not require the user to reenter or validate LDAP bind credentials when changing the LDAP connector IP address. A malicious actor who gains access to affected devices (e.g., by using default credentials) can change the LDAP connection IP address to a system owned by the actor without knowledge of the LDAP bind credentials. After changing the LDAP connection IP address, subsequent authentication attempts will result in the printer sending plaintext LDAP (Active Directory) credentials to the actor. Although the credentials may belong to a non-privileged user, organizations frequently use privileged service accounts to bind to Active Directory. The attacker gains a foothold on the Active Directory domain at a minimum, and may use the credentials to take over control of the Active Directory domain. This affects 3655*, 3655i*, 58XX*, 58XXi*, 59XX*, 59XXi*, 6655**, 6655i**, 72XX*, 72XXi*, 78XX**, 78XXi**, 7970**, 7970i**, EC7836**, and EC7856** devices.
50 CVE-2020-9329 362 2020-02-21 2020-02-25
4.3
None Remote Medium Not required None Partial None
Gogs through 0.11.91 allows attackers to violate the admin-specified repo-creation policy due to an internal/db/repo.go race condition.
Total number of vulnerabilities : 1395   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.