CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In August 2020

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2020-25065 203 2020-08-31 2020-09-01
7.8
None Remote Low Not required Complete None None
An issue was discovered on LG mobile devices with Android OS 4.4, 5.0, 5.1, 6.0, 7.0, 7.1, 8.0, 8.1, 9.0, and 10 software. Key logging may occur because of an obsolete API. The LG ID is LVE-SMP-170010 (August 2020).
2 CVE-2020-25064 2020-08-31 2020-09-01
5.0
None Remote Low Not required None Partial None
An issue was discovered on LG mobile devices with Android OS 4.4, 5.0, 5.1, 6.0, 7.0, 7.1, 8.0, 8.1, 9.0, and 10 software. Certain automated testing is mishandled. The LG ID is LVE-SMP-200019 (August 2020).
3 CVE-2020-25063 20 2020-08-31 2020-09-01
5.0
None Remote Low Not required None None Partial
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 software. An application crash can occur because of incorrect application-level input validation. The LG ID is LVE-SMP-200018 (July 2020).
4 CVE-2020-25062 269 Bypass 2020-08-31 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on LG mobile devices with Android OS 9 and 10 software. LGTelephonyProvider allows a bypass of intended privilege restrictions. The LG ID is LVE-SMP-200017 (July 2020).
5 CVE-2020-25061 2020-08-31 2020-09-01
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on LG mobile devices with Android OS 9 and 10 software on the VZW network. lge_property allows property overwrites. The LG ID is LVE-SMP-200016 (July 2020).
6 CVE-2020-25060 269 +Priv 2020-08-31 2021-07-21
4.6
None Local Low Not required Partial Partial Partial
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 software. Local users can gain privileges because of LAF and SBL1 flaws. The LG ID is LVE-SMP-200015 (July 2020).
7 CVE-2020-25059 20 2020-08-31 2020-09-01
5.0
None Remote Low Not required None None Partial
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 software. A service crash may occur because of incorrect input validation. The LG ID is LVE-SMP-200013 (July 2020).
8 CVE-2020-25058 2020-08-31 2020-09-01
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, 9, and 10 software. The network_management service does not properly restrict configuration changes. The LG ID is LVE-SMP-200012 (July 2020).
9 CVE-2020-25057 2020-08-31 2020-09-01
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on LG mobile devices with Android OS 10 software. MDMService does not properly restrict APK installations. The LG ID is LVE-SMP-200011 (July 2020).
10 CVE-2020-25056 754 2020-08-31 2020-09-03
5.0
None Remote Low Not required None Partial None
An issue was discovered on Samsung mobile devices with Q(10.0) (Galaxy S20) software. Because HAL improperly checks versions, bootloading by the S.LSI NFC chipset is mishandled. The Samsung ID is SVE-2020-16169 (August 2020).
11 CVE-2020-25055 863 Bypass 2020-08-31 2020-09-03
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. The persona service allows attackers (who control an unprivileged SecureFolder process) to bypass admin restrictions in KnoxContainer. The Samsung ID is SVE-2020-18133 (August 2020).
12 CVE-2020-25054 20 2020-08-31 2021-07-21
6.4
None Remote Low Not required Partial None Partial
An issue was discovered on Samsung mobile devices with software through 2020-04-02 (Exynos modem chipsets). There is a heap-based buffer over-read in the Shannon baseband. The Samsung ID is SVE-2020-17239 (August 2020).
13 CVE-2020-25053 Exec Code 2020-08-31 2020-09-03
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on Samsung mobile devices with Q(10.0) (exynos9830 chipsets) software. RKP allows arbitrary code execution. The Samsung ID is SVE-2020-17435 (August 2020).
14 CVE-2020-25052 20 DoS Exec Code Mem. Corr. 2020-08-31 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on Samsung mobile devices with Q(10.0) (exynos9830 chipsets) software. H-Arx allows attackers to execute arbitrary code or cause a denial of service (memory corruption) because indexes are mishandled. The Samsung ID is SVE-2020-17426 (August 2020).
15 CVE-2020-25051 Bypass 2020-08-31 2020-09-03
5.0
None Remote Low Not required None Partial None
An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. Attackers can bypass Factory Reset Protection (FRP) via AppInfo. The Samsung ID is SVE-2020-17758 (August 2020).
16 CVE-2020-25050 +Info 2020-08-31 2020-09-03
5.0
None Remote Low Not required Partial None None
An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. The CMC service allows attackers to obtain sensitive information. The Samsung ID is SVE-2020-17288 (August 2020).
17 CVE-2020-25049 863 2020-08-31 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. StatusBarService has insufficient DEX access control. The Samsung ID is SVE-2020-17797 (August 2020).
18 CVE-2020-25048 74 2020-08-31 2021-07-21
2.1
None Local Low Not required Partial None None
An issue was discovered on Samsung mobile devices with Q(10.0) (with ONEUI 2.1) software. In the Lockscreen state, the Quick Share feature allows unauthenticated downloads, aka file injection. The Samsung ID is SVE-2020-17760 (August 2020).
19 CVE-2020-25047 2020-08-31 2020-09-03
2.1
None Local Low Not required Partial None None
An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (released in China and India) software. The S Secure application does not enforce the intended password requirement for a locked application. The Samsung IDs are SVE-2020-16746, SVE-2020-16764 (August 2020).
20 CVE-2020-25046 532 +Info 2020-08-31 2020-09-03
2.1
None Local Low Not required Partial None None
An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. The USB driver leaks address information via kernel logging. The Samsung IDs are SVE-2020-17602, SVE-2020-17603, SVE-2020-17604 (August 2020).
21 CVE-2020-25033 79 XSS 2020-08-31 2020-09-04
4.3
None Remote Medium Not required None Partial None
The Blubrry subscribe-sidebar (aka Subscribe Sidebar) plugin 1.3.1 for WordPress allows subscribe_sidebar.php&status= reflected XSS.
22 CVE-2020-25032 1188 Dir. Trav. 2020-08-31 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
23 CVE-2020-25031 59 2020-08-31 2020-09-04
7.2
None Local Low Not required Complete Complete Complete
checkinstall 1.6.2, when used to create a package that contains a symlink, may trigger the creation of a mode 0777 executable file.
24 CVE-2020-25020 611 2020-08-29 2021-01-20
7.5
None Remote Low Not required Partial Partial Partial
MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components.
25 CVE-2020-25019 345 2020-08-29 2020-09-03
4.3
None Remote Medium Not required None Partial None
jitsi-meet-electron (aka Jitsi Meet Electron) before 2.3.0 calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource, in some circumstances.
26 CVE-2020-25016 2020-08-29 2021-07-21
6.4
None Remote Low Not required Partial Partial None
A safety violation was discovered in the rgb crate before 0.8.20 for Rust, leading to (for example) dereferencing of arbitrary pointers or disclosure of uninitialized memory. This occurs because structs can be treated as bytes for read and write operations.
27 CVE-2020-24972 116 Exec Code 2020-08-29 2020-10-28
6.5
None Remote Low ??? Partial Partial Partial
The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line options. The Qt platformpluginpath command-line option can be used to load an arbitrary DLL.
28 CVE-2020-24928 200 +Info 2020-08-29 2021-07-21
5.0
None Remote Low Not required Partial None None
managers/socketManager.ts in PreMiD through 2.1.3 has a locally hosted socketio web server (port 3020) open to all origins, which allows attackers to obtain sensitive Discord user information.
29 CVE-2020-24917 79 XSS 2020-08-30 2020-09-03
4.3
None Remote Medium Not required None Partial None
osTicket before 1.14.3 allows XSS via a crafted filename to DraftAjaxAPI::_uploadInlineImage() in include/ajax.draft.php.
30 CVE-2020-24898 918 2020-08-29 2020-09-04
4.0
None Remote Low ??? Partial None None
The Table Filter and Charts for Confluence Server app before 5.3.26 (for Atlassian Confluence) allows SSRF via the "Table from CSV" macro (URL parameter).
31 CVE-2020-24897 79 XSS 2020-08-29 2020-09-04
3.5
None Remote Medium ??? None Partial None
The Table Filter and Charts for Confluence Server app before 5.3.25 (for Atlassian Confluence) allow remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) through the provided Markdown markup to the "Table from CSV" macro.
32 CVE-2020-24786 287 Bypass 2020-08-31 2020-09-10
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise.
33 CVE-2020-24717 276 2020-08-27 2020-09-04
7.2
None Local Low Not required Complete Complete Complete
OpenZFS before 2.0.0-rc1, when used on FreeBSD, misinterprets group permissions as user permissions, as demonstrated by mode 0770 being equivalent to mode 0777.
34 CVE-2020-24716 732 2020-08-27 2021-07-21
4.6
None Local Low Not required Partial Partial Partial
OpenZFS before 2.0.0-rc1, when used on FreeBSD, allows execute permissions for all directories.
35 CVE-2020-24715 295 2020-08-27 2020-09-03
6.8
None Remote Medium Not required Partial Partial Partial
The Scalyr Agent before 2.1.10 has Missing SSL Certificate Validation because, in some circumstances, native Python code is used that lacks a comparison of the hostname to commonName and subjectAltName.
36 CVE-2020-24714 295 2020-08-27 2020-09-03
6.8
None Remote Medium Not required Partial Partial Partial
The Scalyr Agent before 2.1.10 has Missing SSL Certificate Validation because, in some circumstances, the openssl binary is called without the -verify_hostname option.
37 CVE-2020-24706 79 XSS 2020-08-27 2020-09-04
4.3
None Remote Medium Not required None Partial None
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.
38 CVE-2020-24705 2020-08-27 2020-09-08
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.
39 CVE-2020-24704 79 XSS 2020-08-27 2020-09-08
4.3
None Remote Medium Not required None Partial None
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1.
40 CVE-2020-24703 2020-08-27 2020-09-08
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1.
41 CVE-2020-24699 79 XSS 2020-08-31 2020-09-04
4.3
None Remote Medium Not required None Partial None
The Chamber Dashboard Business Directory plugin 3.2.8 for WordPress allows XSS.
42 CVE-2020-24661 295 2020-08-26 2020-09-08
2.6
None Remote High Not required Partial None None
GNOME Geary before 3.36.3 mishandles pinned TLS certificate verification for IMAP and SMTP services using invalid TLS certificates (e.g., self-signed certificates) when the client system is not configured to use a system-provided PKCS#11 store. This allows a meddler in the middle to present a different invalid certificate to intercept incoming and outgoing mail.
43 CVE-2020-24656 611 2020-08-26 2020-09-03
4.3
None Remote Medium Not required Partial None None
Maltego before 4.2.12 allows XXE attacks.
44 CVE-2020-24653 2020-08-26 2020-09-03
6.8
None Remote Medium Not required Partial Partial Partial
secure-store in Expo through 2.16.1 on iOS provides the insecure kSecAttrAccessibleAlwaysThisDeviceOnly policy when WHEN_UNLOCKED_THIS_DEVICE_ONLY is used.
45 CVE-2020-24622 200 +Info 2020-08-25 2021-07-21
4.0
None Remote Low ??? Partial None None
In Sonatype Nexus Repository 3.26.1, an S3 secret key can be exposed by an admin user.
46 CVE-2020-24618 863 2020-08-27 2021-07-21
4.0
None Remote Low ??? Partial None None
In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008, 2020.1.11011, 2019.1.65514, 2019.2.65515, and 2019.3.65516, an attacker can retrieve an issue description without appropriate access.
47 CVE-2020-24616 502 2020-08-25 2021-10-20
6.8
None Remote Medium Not required Partial Partial Partial
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
48 CVE-2020-24614 94 Exec Code 2020-08-25 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
Fossil before 2.10.2, 2.11.x before 2.11.2, and 2.12.x before 2.12.1 allows remote authenticated users to execute arbitrary code. An attacker must have check-in privileges on the repository.
49 CVE-2020-24613 295 2020-08-24 2020-09-01
4.9
None Remote Medium ??? Partial Partial None
wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in tls13.c. This is an incorrect implementation of the TLS 1.3 client state machine. This allows attackers in a privileged network position to completely impersonate any TLS 1.3 servers, and read or modify potentially sensitive information between clients using the wolfSSL library and these TLS servers.
50 CVE-2020-24612 287 Bypass 2020-08-24 2020-09-01
1.9
None Local Medium Not required Partial None None
An issue was discovered in the selinux-policy (aka Reference Policy) package 3.14 through 2020-08-24 because the .config/Yubico directory is mishandled. Consequently, when SELinux is in enforced mode, pam-u2f is not allowed to read the user's U2F configuration file. If configured with the nouserok option (the default when configured by the authselect tool), and that file cannot be read, the second factor is disabled. An attacker with only the knowledge of the password can then log in, bypassing 2FA.
Total number of vulnerabilities : 1155   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.