The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2020-17450 | PHP-Fusion 9.03 allows XSS on the preview page. | MEDIUM | Aug 13, 2020 |
| CVE-2020-17451 | flatCore before 1.5.7 allows XSS by an admin via the acp/acp.php?tn=pages&sub=edit&editpage=1 page_linkname, page_title, page_content, or page_extracontent parameter, or the acp/acp.php?tn=system&sub=sys_pref prefs_pagename, prefs_pagetitle, or prefs_pagesubtitle parameter. | LOW | Aug 9, 2020 |
| CVE-2020-17452 | flatCore before 1.5.7 allows upload and execution of a .php file by an admin. | HIGH | Aug 9, 2020 |
| CVE-2020-17453 | WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter. | MEDIUM | Apr 5, 2021 |
| CVE-2020-17454 | WSO2 API Manager 3.1.0 and earlier has reflected XSS on the publisher component\'s admin interface. More precisely, it is possible to inject an XSS payload into the owner POST parameter, which does not filter user inputs. By putting an XSS payload in place of a valid Owner Name, a modal box appears that writes an error message concatenated to the injected payload (without any form of data encoding). This can also be exploited via CSRF. | MEDIUM | Oct 22, 2020 |
| CVE-2020-17456 | SEOWON INTECH SLC-130 And SLR-120S devices allow Remote Code Execution via the ipAddr parameter to the system_log.cgi page. | HIGH | Aug 22, 2020 |
| CVE-2020-17457 | Fujitsu ServerView Suite iRMC before 9.62F allows XSS. An authenticated attacker can store an XSS payload in the PSCU_FILE_INIT field of a Save Configuration XML document. The payload is triggered in the HTTP error response pages. | LOW | Mar 18, 2021 |
| CVE-2020-17458 | A post-authenticated stored XSS was found in MultiUx v.3.1.12.0 via the /multiux/SaveMailbox LastName field. | LOW | Sep 2, 2020 |
| CVE-2020-17462 | CMS Made Simple 2.2.14 allows Authenticated Arbitrary File Upload because the File Manager does not block .ptar files, a related issue to CVE-2017-16798. | MEDIUM | Aug 14, 2020 |
| CVE-2020-17463 | FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items. | HIGH | Aug 13, 2020 |
| CVE-2020-17464 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 |
| CVE-2020-17465 | Dashboards and progressiveProfileForms in ForgeRock Identity Manager before 7.0.0 are vulnerable to stored XSS. The vulnerability affects versions 6.5.0.4, 6.0.0.6. | MEDIUM | Sep 4, 2020 |
| CVE-2020-17466 | Turcom TRCwifiZone through 2020-08-10 allows authentication bypass by visiting manage/control.php and ignoring 302 Redirect responses. | HIGH | Aug 13, 2020 |
| CVE-2020-17467 | An issue was discovered in FNET through 4.6.4. The code for processing the hostname from an LLMNR request doesn\'t check for \'\\0\' termination. Therefore, the deduced length of the hostname doesn\'t reflect the correct length of the actual data. This may lead to Information Disclosure in _fnet_llmnr_poll in fnet_llmnr.c during a response to a malicious request of the DNS class IN. | MEDIUM | Dec 11, 2020 |
| CVE-2020-17468 | An issue was discovered in FNET through 4.6.4. The code for processing the hop-by-hop header (in the IPv6 extension headers) doesn\'t check for a valid length of an extension header, and therefore an out-of-bounds read can occur in _fnet_ip6_ext_header_handler_options in fnet_ip6.c, leading to Denial-of-Service. | MEDIUM | Dec 11, 2020 |
| CVE-2020-17469 | An issue was discovered in FNET through 4.6.4. The code for IPv6 fragment reassembly tries to access a previous fragment starting from a network incoming fragment that still doesn\'t have a reference to the previous one (which supposedly resides in the reassembly list). When faced with an incoming fragment that belongs to a non-empty fragment list, IPv6 reassembly must check that there are no empty holes between the fragments: this leads to an uninitialized pointer dereference in _fnet_ip6_reassembly in fnet_ip6.c, and causes Denial-of-Service. | MEDIUM | Dec 11, 2020 |
| CVE-2020-17470 | An issue was discovered in FNET through 4.6.4. The code that initializes the DNS client interface structure does not set sufficiently random transaction IDs (they are always set to 1 in _fnet_dns_poll in fnet_dns.c). This significantly simplifies DNS cache poisoning attacks. | MEDIUM | Dec 11, 2020 |
| CVE-2020-17473 | Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server. | MEDIUM | Aug 14, 2020 |
| CVE-2020-17474 | A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to create arbitrary new users, elevate users to administrators, delete users, and download user faces from the database. | HIGH | Aug 14, 2020 |
| CVE-2020-17475 | Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000. | MEDIUM | Aug 14, 2020 |
| CVE-2020-17476 | Mibew Messenger before 3.2.7 allows XSS via a crafted user name. | MEDIUM | Aug 10, 2020 |
| CVE-2020-17477 | Incorrect LDAP ACLs in ucs-school-ldap-acls-master in UCS@school before 4.4v5-errata allow remote teachers, staff, and school administrators to read LDAP password hashes (sambaNTPassword, krb5Key, sambaPasswordHistory, and pwhistory) via LDAP search requests. For example, a teacher can gain administrator access via an NTLM hash. | -- | Oct 26, 2023 |
| CVE-2020-17478 | ECDSA/EC/Point.pm in Crypt::Perl before 0.33 does not properly consider timing attacks against the EC point multiplication algorithm. | MEDIUM | Aug 12, 2020 |
| CVE-2020-17479 | jpv (aka Json Pattern Validator) before 2.2.2 does not properly validate input, as demonstrated by a corrupted array. | HIGH | Aug 13, 2020 |
| CVE-2020-17480 | TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor. | MEDIUM | Aug 11, 2020 |
| CVE-2020-17482 | An issue has been found in PowerDNS Authoritative Server before 4.3.1 where an authorized user with the ability to insert crafted records into a zone might be able to leak the content of uninitialized memory. | MEDIUM | Oct 2, 2020 |
| CVE-2020-17483 | An improper access control vulnerability exists in Uffizio\'s GPS Tracker all versions that lead to sensitive information disclosure of all the connected devices. By visiting the vulnerable host at port 9000, we see it responds with a JSON body that has all the details about the devices which have been deployed. | -- | Dec 18, 2023 |
| CVE-2020-17484 | An Open Redirection vulnerability exists in Uffizio\'s GPS Tracker all versions allows an attacker to construct a URL within the application that causes a redirection to an arbitrary external domain. | -- | Dec 18, 2023 |
| CVE-2020-17485 | A Remote Code Execution vulnerability exist in Uffizio\'s GPS Tracker all versions. The web server can be compromised by uploading and executing a web/reverse shell. An attacker could then run commands, browse system files, and browse local resources | -- | Dec 18, 2023 |
| CVE-2020-17487 | radare2 4.5.0 misparses signature information in PE files, causing a segmentation fault in r_x509_parse_algorithmidentifier in libr/util/x509.c. This is due to a malformed object identifier in IMAGE_DIRECTORY_ENTRY_SECURITY. | MEDIUM | Aug 11, 2020 |
| CVE-2020-17489 | An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.) | LOW | Aug 12, 2020 |
| CVE-2020-17490 | The TLS module within SaltStack Salt through 3002 creates certificates with weak file permissions. | MEDIUM | Nov 7, 2020 |
| CVE-2020-17494 | Untangle Firewall NG before 16.0 uses MD5 for passwords. | MEDIUM | Nov 13, 2020 |
| CVE-2020-17495 | django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database. | MEDIUM | Aug 14, 2020 |
| CVE-2020-17496 | vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. | HIGH | Aug 12, 2020 |
| CVE-2020-17497 | eapol.c in iNet wireless daemon (IWD) through 1.8 allows attackers to trigger a PTK reinstallation by retransmitting EAPOL Msg4/4. | MEDIUM | Aug 12, 2020 |
| CVE-2020-17498 | In Wireshark 3.2.0 to 3.2.5, the Kafka protocol dissector could crash. This was addressed in epan/dissectors/packet-kafka.c by avoiding a double free during LZ4 decompression. | MEDIUM | Aug 13, 2020 |
| CVE-2020-17500 | Barco TransForm NDN-210 Lite, NDN-210 Pro, NDN-211 Lite, and NDN-211 Pro before 3.8 allows Command Injection (issue 1 of 4). The NDN-210 has a web administration panel which is made available over https. The logon method is basic authentication. There is a command injection issue that will result in unauthenticated remote code execution in the username and password fields of the logon prompt. The NDN-210 is part of Barco TransForm N solution and includes the patch from TransForm N version 3.8 onwards. | HIGH | Jan 7, 2021 |
| CVE-2020-17502 | Barco TransForm N before 3.8 allows Command Injection (issue 2 of 4). The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users of the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameters xmodules, ymodules and savelocking are not properly handled. The NDN-210 is part of Barco TransForm N solution and includes the patch from TransForm N version 3.8 onwards. | MEDIUM | Jan 8, 2021 |
| CVE-2020-17503 | The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users to the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameter locking is not properly handled. The NDN-210 is part of Barco TransForm N solution and this vulnerability is patched from TransForm N version 3.8 onwards. | MEDIUM | Jan 8, 2021 |
| CVE-2020-17504 | The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users to the administration panel to perform authenticated remote code execution. An issue exists in ngpsystemcmd.php in which the http parameters x_modules and y_modules are not properly handled. The NDN-210 is part of Barco TransForm N solution and this vulnerability is patched from TransForm N version 3.8 onwards. | MEDIUM | Jan 8, 2021 |
| CVE-2020-17505 | Artica Web Proxy 4.30.000000 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform. | HIGH | Aug 12, 2020 |
| CVE-2020-17506 | Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php. | HIGH | Aug 14, 2020 |
| CVE-2020-17507 | An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read. | HIGH | Aug 16, 2020 |
| CVE-2020-17508 | The ATS ESI plugin has a memory disclosure vulnerability. If you are running the plugin please upgrade. Apache Traffic Server versions 7.0.0 to 7.1.11 and 8.0.0 to 8.1.0 are affected. | MEDIUM | Jan 14, 2021 |
| CVE-2020-17509 | ATS negative cache option is vulnerable to a cache poisoning attack. If you have this option enabled, please upgrade or disable this feature. Apache Traffic Server versions 7.0.0 to 7.1.11 and 8.0.0 to 8.1.0 are affected. | MEDIUM | Jan 15, 2021 |
| CVE-2020-17510 | Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. | HIGH | Nov 6, 2020 |
| CVE-2020-17511 | In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field. | MEDIUM | Dec 15, 2020 |
| CVE-2020-17513 | In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack. | MEDIUM | Dec 15, 2020 |
| CVE-2020-17514 | Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful. | MEDIUM | May 27, 2021 |
