CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2020(Gain Information)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2020-35876 772 +Info 2020-12-31 2021-01-07
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the rio crate through 2020-05-11 for Rust. A struct can be leaked, allowing attackers to obtain sensitive information, cause a use-after-free, or cause a data race.
2 CVE-2020-35859 770 Mem. Corr. +Info 2020-12-31 2021-01-06
6.4
None Remote Low Not required Partial None Partial
An issue was discovered in the lucet-runtime-internals crate before 0.5.1 for Rust. It mishandles sigstack allocation. Guest programs may be able to obtain sensitive information, or guest programs can experience memory corruption.
3 CVE-2020-35804 200 +Info 2020-12-30 2020-12-31
2.1
None Local Low Not required Partial None None
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects D7800 before 1.0.1.58, R7800 before 1.0.2.74, R8900 before 1.0.5.18, R9000 before 1.0.5.18, and XR700 before 1.0.1.34.
4 CVE-2020-35802 200 +Info 2020-12-30 2021-01-03
5.0
None Remote Low Not required Partial None None
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects CBR40 before 2.5.0.14, RBW30 before 2.6.1.4, RAX75 before 1.0.3.102, RAX80 before 1.0.3.102, RBK752 before 3.2.16.6, RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 before 3.2.16.6, RBR850 before 3.2.16.6, RBS850 before 3.2.16.6, RBK842 before 3.2.16.6, RBR840 before 3.2.16.6, RBS840 before 3.2.16.6, and RBS40V before 2.6.1.4.
5 CVE-2020-35710 200 +Info 2020-12-25 2020-12-30
5.0
None Remote Low Not required Partial None None
Parallels Remote Application Server (RAS) 18 allows remote attackers to discover an intranet IP address because submission of the login form (even with blank credentials) provides this address to the attacker's client for use as a "host" value. In other words, after an attacker's web browser sent a request to the login form, it would automatically send a second request to a RASHTML5Gateway/socket.io URI with something like "host":"192.168.###.###" in the POST data.
6 CVE-2020-35614 200 +Info 2020-12-28 2020-12-30
5.0
None Remote Low Not required Partial None None
An issue was discovered in Joomla! 3.9.0 through 3.9.22. Improper handling of the username leads to a user enumeration attack vector in the backend login page.
7 CVE-2020-35611 200 +Info 2020-12-28 2020-12-30
5.0
None Remote Low Not required Partial None None
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The globlal configuration page does not remove secrets from the HTML output, disclosing the current values.
8 CVE-2020-35584 +Info 2020-12-23 2020-12-23
4.3
None Remote Medium Not required Partial None None
In Solstice Pod before 3.0.3, the web services allow users to connect to them over unencrypted channels via the Browser Look-in feature. An attacker suitably positioned to view a legitimate user's network traffic could record and monitor their interactions with the web services and obtain any information the user supplies, including Administrator passwords and screen keys.
9 CVE-2020-35552 +Info 2020-12-18 2020-12-18
5.0
None Remote Low Not required Partial None None
An issue was discovered in the GPS daemon on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (non-Qualcomm chipsets) software. Attackers can obtain sensitive location information because the configuration file is incorrect. The Samsung ID is SVE-2020-18678 (December 2020).
10 CVE-2020-35497 200 +Info 2020-12-21 2020-12-22
4.0
None Remote Low ??? Partial None None
A flaw was found in ovirt-engine 4.4.3 and earlier allowing an authenticated user to read other users' personal information, including name, email and public SSH key.
11 CVE-2020-35480 200 +Info 2020-12-18 2020-12-27
5.0
None Remote Low Not required Partial None None
An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that don't exist) and hidden users (accounts that have been explicitly hidden due to being abusive, or similar) that the viewer cannot see are handled differently, exposing sensitive information about the hidden status to unprivileged viewers. This exists on various code paths.
12 CVE-2020-35388 +Info 2020-12-26 2020-12-29
5.0
None Remote Low Not required Partial None None
rainrocka xinhu 2.1.9 allows remote attackers to obtain sensitive information via an index.php?a=gettotal request in which the ajaxbool value is manipulated to be true.
13 CVE-2020-35177 200 +Info 2020-12-17 2021-02-03
5.0
None Remote Low Not required Partial None None
HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.
14 CVE-2020-29656 200 +Info 2020-12-09 2020-12-10
5.0
None Remote Low Not required Partial None None
An information disclosure vulnerability exists in RT-AC88U Download Master before 3.1.0.108. A direct access to /downloadmaster/dm_apply.cgi?action_mode=initial&download_type=General&special_cgi=get_language makes it possible to reach "unknown functionality" in a "known to be easy" manner via an unspecified "public exploit."
15 CVE-2020-29569 252 +Info 2020-12-15 2021-03-15
7.2
None Local Low Not required Complete Complete Complete
An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.
16 CVE-2020-28583 200 +Info 2020-12-01 2020-12-02
5.0
None Remote Low Not required Partial None None
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal version, build and patch information.
17 CVE-2020-28582 200 +Info 2020-12-01 2020-12-02
5.0
None Remote Low Not required Partial None None
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal number of managed agents.
18 CVE-2020-28577 200 +Info 2020-12-01 2020-12-02
5.0
None Remote Low Not required Partial None None
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal server hostname and db names.
19 CVE-2020-28576 200 +Info 2020-12-01 2020-12-02
5.0
None Remote Low Not required Partial None None
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal version and build information.
20 CVE-2020-28573 200 +Info 2020-12-01 2020-12-02
5.0
None Remote Low Not required Partial None None
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal the total agents managed by the server.
21 CVE-2020-28368 203 +Info 2020-11-10 2020-12-05
2.1
None Local Low Not required Partial None None
Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a "Platypus" attack. NOTE: there is only one logically independent fix: to change the access control for each such interface in Xen.
22 CVE-2020-28341 120 Exec Code Overflow +Info 2020-11-08 2020-11-10
4.6
None Local Low Not required Partial Partial Partial
An issue was discovered on Samsung mobile devices with Q(10.0) (Exynos990 chipsets) software. The S3K250AF Secure Element CC EAL 5+ chip allows attackers to execute arbitrary code and obtain sensitive information via a buffer overflow. The Samsung ID is SVE-2020-18632 (November 2020).
23 CVE-2020-28054 200 Bypass +Info 2020-11-19 2020-12-03
5.0
None Remote Low Not required Partial None None
JamoDat TSMManager Collector version up to 6.5.0.21 is vulnerable to an Authorization Bypass because the Collector component is not properly validating an authenticated session with the Viewer. If the Viewer has been modified (binary patched) and the Bypass Login functionality is being used, an attacker can request every Collector's functionality as if they were a properly logged-in user: administrating connected instances, reviewing logs, editing configurations, accessing the instances' consoles, accessing hardware configurations, etc.Exploiting this vulnerability won't grant an attacker access nor control on remote ISP servers as no credentials is sent with the request.
24 CVE-2020-27900 200 +Info 2020-12-08 2021-03-11
4.3
None Remote Medium Not required Partial None None
An issue existed in the handling of snapshots. The issue was resolved with improved permissions logic. This issue is fixed in macOS Big Sur 11.0.1. A malicious application may be able to preview files it does not have access to.
25 CVE-2020-27895 200 +Info 2020-12-08 2020-12-09
4.3
None Remote Medium Not required Partial None None
An information disclosure issue existed in the transition of program state. This issue was addressed with improved state handling. This issue is fixed in iTunes 12.11 for Windows. A malicious application may be able to access local users Apple IDs.
26 CVE-2020-27825 362 DoS +Info 2020-12-11 2021-05-21
5.4
None Local Medium Not required Partial None Complete
A use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux kernel (before 5.10-rc1). There was a race problem in trace_open and resize of cpu buffer running parallely on different cpus, may cause a denial of service problem (DOS). This flaw could even allow a local attacker with special user privilege to a kernel information leak threat.
27 CVE-2020-27658 732 +Info 2020-10-29 2020-11-03
4.3
None Remote Medium Not required None Partial None
Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
28 CVE-2020-27653 327 +Info 2020-10-29 2021-05-12
5.1
None Remote High Not required Partial Partial Partial
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
29 CVE-2020-27652 327 +Info 2020-10-29 2021-05-12
5.1
None Remote High Not required Partial Partial Partial
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
30 CVE-2020-27649 295 +Info 2020-10-29 2020-11-09
6.8
None Remote Medium Not required Partial Partial Partial
Improper certificate validation vulnerability in OpenVPN client in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
31 CVE-2020-27648 295 +Info 2020-10-29 2020-11-09
6.8
None Remote Medium Not required Partial Partial Partial
Improper certificate validation vulnerability in OpenVPN client in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
32 CVE-2020-27623 +Info 2020-11-16 2020-11-30
5.0
None Remote Low Not required Partial None None
JetBrains IdeaVim before version 0.58 might have caused an information leak in limited circumstances.
33 CVE-2020-27612 200 +Info 2020-10-21 2020-10-29
4.0
None Remote Low ??? Partial None None
Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window.
34 CVE-2020-27610 200 +Info 2020-10-21 2020-10-29
5.0
None Remote Low Not required Partial None None
The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access.
35 CVE-2020-27554 319 +Info 2020-11-17 2020-12-01
5.0
None Remote Low Not required Partial None None
Cleartext Transmission of Sensitive Information vulnerability in BASETech GE-131 BT-1837836 firmware 20180921 exists which could leak sensitive information transmitted between the mobile app and the camera device.
36 CVE-2020-27483 129 Exec Code +Info 2020-11-16 2020-12-02
6.5
None Remote Low ??? Partial Partial Partial
Garmin Forerunner 235 before 8.20 is affected by: Array index error. The component is: ConnectIQ TVM. The attack vector is: To exploit the vulnerability, the attacker must upload a malicious ConnectIQ application to the ConnectIQ store. The ConnectIQ program interpreter trusts the offset provided for the stack value duplication instruction, DUP. The offset is unchecked and memory prior to the start of the execution stack can be read and treated as a TVM object. A successful exploit could use the vulnerability to leak runtime information such as the heap handle or pointer for a number of TVM context variables. Some reachable values may be controlled enough to forge a TVM object on the stack, leading to possible remote code execution.
37 CVE-2020-27255 122 Overflow Bypass +Info 2020-11-26 2020-11-30
5.0
None Remote Low Not required Partial None None
A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious set attribute requests, which could result in the leaking of sensitive information. This information disclosure could lead to the bypass of address space layout randomization (ASLR).
38 CVE-2020-27254 287 +Info 2020-12-21 2020-12-22
5.0
None Remote Low Not required Partial None None
Emerson Rosemount X-STREAM Gas AnalyzerX-STREAM enhanced XEGP, XEGK, XEFD, XEXF – all revisions, The affected products are vulnerable to improper authentication for accessing log and backup data, which could allow an attacker with a specially crafted URL to obtain access to sensitive information.
39 CVE-2020-27183 200 +Info 2020-10-27 2020-10-27
7.5
None Remote Low Not required Partial Partial Partial
A RemoteFunctions endpoint with missing access control in konzept-ix publiXone before 2020.015 allows attackers to disclose sensitive user information, send arbitrary e-mails, escalate the privileges of arbitrary user accounts, and have unspecified other impact.
40 CVE-2020-27180 200 +Info 2020-10-27 2020-10-27
5.0
None Remote Low Not required Partial None None
konzept-ix publiXone before 2020.015 allows attackers to download files by iterating over the IXCopy fileID parameter.
41 CVE-2020-27032 200 +Info 2020-12-15 2020-12-16
2.1
None Local Low Not required Partial None None
In getRadioAccessFamily of PhoneInterfaceManager.java, there is a possible read of privileged data due to a missing permission check. This could lead to local information disclosure of radio data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-150857259
42 CVE-2020-27026 200 +Info 2020-12-15 2020-12-16
4.3
None Remote Medium Not required Partial None None
During boot, the device unlock interface behaves differently depending on if a fingerprint registered to the device is present. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-79776455
43 CVE-2020-27025 200 Bypass +Info 2020-12-15 2020-12-16
2.1
None Local Low Not required Partial None None
In EapFailureNotifier.java and SimRequiredNotifier.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-156008365
44 CVE-2020-27023 200 Bypass +Info 2020-12-15 2020-12-15
2.1
None Local Low Not required Partial None None
In setErrorPlaybackState of BluetoothMediaBrowserService.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-156009462
45 CVE-2020-27019 200 +Info 2020-11-09 2020-11-18
2.1
None Local Low Not required Partial None None
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an information disclosure vulnerability which could allow an attacker to access a specific database and key.
46 CVE-2020-27015 209 Exec Code +Info 2020-10-30 2020-11-05
2.1
None Local Low Not required Partial None None
Trend Micro Antivirus for Mac 2020 (Consumer) contains an Error Message Information Disclosure vulnerability that if exploited, could allow kernel pointers and debug messages to leak to userland. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.
47 CVE-2020-26966 +Info 2020-12-09 2020-12-10
4.3
None Remote Medium Not required Partial None None
Searching for a single word from the address bar caused an mDNS request to be sent on the local network searching for a hostname consisting of that string; resulting in an information leak. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.
48 CVE-2020-26939 203 +Info 2020-11-02 2021-05-28
5.0
None Remote Low Not required Partial None None
In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.
49 CVE-2020-26931 200 +Info 2020-10-09 2020-10-16
3.3
None Local Network Low Not required Partial None None
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects WC7500 before 6.5.5.24, WC7600 before 6.5.5.24, WC7600v2 before 6.5.5.24, and WC9500 before 6.5.5.24.
50 CVE-2020-26924 200 +Info 2020-10-09 2020-10-19
3.3
None Local Network Low Not required Partial None None
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects WAC720 before 3.9.1.13 and WAC730 before 3.9.1.13.
Total number of vulnerabilities : 1345   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.