The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2020-11845 | Cross Site Scripting vulnerability in Micro Focus Service Manager product. Affecting versions 9.50, 9.51, 9.52, 9.60, 9.61, 9.62, 9.63. The vulnerability could be exploited to allow remote attackers to inject arbitrary web script or HTML. | MEDIUM | May 19, 2020 |
| CVE-2020-11844 | Incorrect Authorization vulnerability in Micro Focus Container Deployment Foundation component affects products: - Hybrid Cloud Management. Versions 2018.05 to 2019.11. - ArcSight Investigate. versions 2.4.0, 3.0.0 and 3.1.0. - ArcSight Transformation Hub. versions 3.0.0, 3.1.0, 3.2.0. - ArcSight Interset. version 6.0.0. - ArcSight ESM (when ArcSight Fusion 1.0 is installed). version 7.2.1. - Service Management Automation (SMA). versions 2018.05 to 2020.02 - Operation Bridge Suite (Containerized). Versions 2018.05 to 2020.02. - Network Operation Management. versions 2017.11 to 2019.11. - Data Center Automation Containerized. versions 2018.05 to 2019.11 - Identity Intelligence. versions 1.1.0 and 1.1.1. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation. | HIGH | May 30, 2020 |
| CVE-2020-11842 | Information disclosure vulnerability in Micro Focus Verastream Host Integrator (VHI) product, affecting versions earlier than 7.8 Update 1 (7.8.49 or 7.8.0.49). The vulnerability allows an unauthenticated attackers to view information they may not have been authorized to view. | MEDIUM | May 4, 2020 |
| CVE-2020-11841 | Unauthorized information disclosure vulnerability in Micro Focus ArcSight Management Center product, Affecting versions 2.6.1, 2.7.x, 2.8.x, 2.9.x prior to 2.9.4. The vulnerabilities could be remotely exploited resulting unauthorized information disclosure. | MEDIUM | Jun 19, 2020 |
| CVE-2020-11840 | Unauthorized information disclosure vulnerability in Micro Focus ArcSight Management Center product, Affecting versions 2.6.1, 2.7.x, 2.8.x, 2.9.x prior to 2.9.4. The vulnerabilities could be remotely exploited resulting unauthorized information disclosure. | MEDIUM | Jun 19, 2020 |
| CVE-2020-11839 | Cross Site Scripting (XSS) vulnerability in Micro Focus ArcSight Logger product, affecting all version from 6.6.1 up to version 7.0.1. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS) or information disclosure. | MEDIUM | Jun 12, 2020 |
| CVE-2020-11838 | Cross Site Scripting (XSS) vulnerability in Micro Focus ArcSight Management Center product, Affecting versions 2.6.1, 2.7.x, 2.8.x, 2.9.x prior to 2.9.4. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS) or information disclosure. | LOW | Jun 19, 2020 |
| CVE-2020-11836 | OPPO Android Phone with MTK chipset and Android 8.1/9/10/11 versions have an information leak vulnerability. The “adb shell getprop ro.vendor.aee.enforcing” or “adb shell getprop ro.vendor.aee.enforcing” return no. | LOW | Feb 6, 2021 |
| CVE-2020-11835 | In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/charger_ic/oppo_da9313.c, failure to check the parameter buf in the function proc_work_mode_write in proc_work_mode_write causes a vulnerability. | LOW | Dec 31, 2020 |
| CVE-2020-11834 | In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_vooc.c, the function proc_fastchg_fw_update_write in proc_fastchg_fw_update_write does not check the parameter len, resulting in a vulnerability. | LOW | Dec 31, 2020 |
| CVE-2020-11833 | In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/charger_ic/oppo_mp2650.c, the function mp2650_data_log_write in mp2650_data_log_write does not check the parameter len which causes a vulnerability. | LOW | Dec 31, 2020 |
| CVE-2020-11832 | In functions charging_limit_current_write and charging_limit_time_write in /SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_charger.c have not checked the parameters, which causes a vulnerability. | LOW | Dec 31, 2020 |
| CVE-2020-11831 | OvoiceManager has system permission to write vulnerability reports for arbitrary files, affected product is com.oppo.ovoicemanager V2.0.1. | HIGH | Nov 19, 2020 |
| CVE-2020-11830 | QualityProtect has a vulnerability to execute arbitrary system commands, affected product is com.oppo.qualityprotect V2.0. | HIGH | Nov 19, 2020 |
| CVE-2020-11829 | Dynamic loading of services in the backup and restore SDK leads to elevated privileges, affected product is com.coloros.codebook V2.0.0_5493e40_200722. | HIGH | Nov 19, 2020 |
| CVE-2020-11828 | In ColorOS (oppo mobile phone operating system, based on AOSP frameworks/native code position/services/surfaceflinger surfaceflinger.CPP), RGB is defined on the stack but uninitialized, so when the screenShot function to RGB value assignment, will not initialize the value is returned to the attackers, leading to values on the stack information leakage, the vulnerability can be used to bypass attackers ALSR. | MEDIUM | Apr 21, 2020 |
| CVE-2020-11827 | In GOG Galaxy 1.2.67, there is a service that is vulnerable to weak file/service permissions: GalaxyClientService.exe. An attacker can put malicious code in a Trojan horse GalaxyClientService.exe. After that, the attacker can re-start this service as an unprivileged user to escalate his/her privileges and run commands on the machine with SYSTEM rights. | HIGH | Jul 17, 2020 |
| CVE-2020-11826 | Users can lock their notes with a password in Memono version 3.8. Thus, users needs to know a password to read notes. However, these notes are stored in a database without encryption and an attacker can read the password-protected notes without having the password. Notes are stored in the ZENTITY table in the memono.sqlite database. | MEDIUM | Apr 16, 2020 |
| CVE-2020-11825 | In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks. The problem is any CSRF token in any user\'s session can be used in another user\'s session. CSRF tokens should not be valid in this situation. | MEDIUM | Apr 16, 2020 |
| CVE-2020-11823 | In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page. This may lead to stealing of the admin account. | LOW | Apr 16, 2020 |
| CVE-2020-11822 | In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the application structure --> user access groups page. Thus, an attacker can inject malicious script to steal all users\' valuable data. | MEDIUM | May 4, 2020 |
| CVE-2020-11821 | In Rukovoditel 2.5.2, users\' passwords and usernames are stored in a cookie with URL encoding, base64 encoding, and hashing. Thus, an attacker can easily apply brute force on them. | MEDIUM | Apr 27, 2020 |
| CVE-2020-11820 | Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the entities_id parameter. | HIGH | Apr 16, 2020 |
| CVE-2020-11819 | In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution. | HIGH | Apr 16, 2020 |
| CVE-2020-11818 | In Rukovoditel 2.5.2 has a form_session_token value to prevent CSRF attacks. This protection mechanism can be bypassed with another user\'s valid token. Thus, an attacker can change the Admin password by using a CSRF attack and escalate his/her privileges. | MEDIUM | Apr 16, 2020 |
| CVE-2020-11817 | In Rukovoditel V2.5.2, attackers can upload an arbitrary file to the server just changing the the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs with the Maintenance Mode setting. | MEDIUM | May 5, 2020 |
| CVE-2020-11816 | Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the reports_id (POST) parameter. | HIGH | Apr 16, 2020 |
| CVE-2020-11815 | In Rukovoditel 2.5.2, attackers can upload arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting. | MEDIUM | Apr 16, 2020 |
| CVE-2020-11814 | A Host Header Injection vulnerability in qdPM 9.1 may allow an attacker to spoof a particular header and redirect users to malicious websites. | MEDIUM | Apr 16, 2020 |
| CVE-2020-11813 | In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the configuration page via the copyright text input. Thus, an attacker can inject a malicious script to steal all users\' valuable data. This copyright text is on every page so this attack vector can be very dangerous. | LOW | Apr 16, 2020 |
| CVE-2020-11812 | Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the filters[0][value] or filters[1][value] parameter. | HIGH | Apr 16, 2020 |
| CVE-2020-11811 | In qdPM 9.1, an attacker can upload a malicious .php file to the server by exploiting the Add Profile Photo capability with a crafted content-type value. After that, the attacker can execute an arbitrary command on the server using this malicious file. | HIGH | Apr 16, 2020 |
| CVE-2020-11810 | An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim\'s peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim\'s connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. This attack will only work if Negotiable Cipher Parameters (NCP) is in use. | MEDIUM | Apr 27, 2020 |
| CVE-2020-11807 | Because of Unrestricted Upload of a File with a Dangerous Type, Sourcefabric Newscoop 4.4.7 allows an authenticated user to execute arbitrary PHP code (and sometimes terminal commands) on a server by making an avatar update and then visiting the avatar file under the /images/ path. | MEDIUM | May 20, 2020 |
| CVE-2020-11806 | In MailStore Outlook Add-in (and Email Archive Outlook Add-in) through 12.1.2, the login process does not validate the validity of the certificate presented by the server. | MEDIUM | Apr 23, 2020 |
| CVE-2020-11805 | Pexip Reverse Proxy and TURN Server before 6.1.0 has Incorrect UDP Access Control via TURN. | HIGH | Sep 25, 2020 |
| CVE-2020-11804 | An issue was discovered in Titan SpamTitan 7.07. Due to improper sanitization of the parameter quid, used in the page mailqueue.php, code injection can occur. The input for this parameter is provided directly by an authenticated user via an HTTP GET request. | MEDIUM | Sep 18, 2020 |
| CVE-2020-11803 | An issue was discovered in Titan SpamTitan 7.07. Improper sanitization of the parameter jaction when interacting with the page mailqueue.php could lead to PHP code evaluation server-side, because the user-provided input is passed directly to the php eval() function. The user has to be authenticated on the web platform before interacting with the page. | MEDIUM | Sep 18, 2020 |
| CVE-2020-11800 | Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code. | HIGH | Oct 7, 2020 |
| CVE-2020-11799 | Z-Cron 5.6 Build 04 allows an unprivileged attacker to elevate privileges by modifying a privileged user\'s task. This can also affect all users who are signed in on the system if a shell is placed in a location that other unprivileged users have access to. | HIGH | Apr 15, 2020 |
| CVE-2020-11798 | A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit could allow an attacker to access sensitive information from the restricted directories. | MEDIUM | Jun 10, 2020 |
| CVE-2020-11797 | An Authentication Bypass vulnerability in the Published Area of the web conferencing component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an unauthenticated attacker to gain access to unauthorized information due to insufficient access validation. A successful exploit could allow an attacker to access sensitive shared files. | MEDIUM | Aug 26, 2020 |
| CVE-2020-11796 | In JetBrains Space through 2020-04-22, the password authentication implementation was insecure. | HIGH | Apr 22, 2020 |
| CVE-2020-11795 | In JetBrains Space through 2020-04-22, the session timeout period was configured improperly. | MEDIUM | Apr 22, 2020 |
| CVE-2020-11793 | A use-after-free issue exists in WebKitGTK before 2.28.1 and WPE WebKit before 2.28.1 via crafted web content that allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash). | HIGH | Apr 17, 2020 |
| CVE-2020-11792 | NETGEAR R8900, R9000, RAX120, and XR700 devices before 2020-01-20 are affected by Transport Layer Security (TLS) certificate private key disclosure. | MEDIUM | Apr 15, 2020 |
| CVE-2020-11791 | NETGEAR JGS516PE devices before 2.6.0.43 are affected by reflected XSS. | MEDIUM | Apr 15, 2020 |
| CVE-2020-11790 | NETGEAR R7800 devices before 1.0.2.68 are affected by remote code execution by unauthenticated attackers. | HIGH | Apr 15, 2020 |
| CVE-2020-11789 | Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects R6400v2 before 1.0.4.84, R6700 before 1.0.2.8, R6700v3 before 1.0.4.84, R6900 before 1.0.2.8, and R7900 before 1.0.3.10. | HIGH | Apr 15, 2020 |
| CVE-2020-11788 | Certain NETGEAR devices are affected by authentication bypass. This affects D6200 before 1.1.00.34, D7000 before 1.0.1.68, PR2000 before 1.0.0.28, R6050 before 1.0.1.18, JR6150 before 1.0.1.18, R6120 before 1.0.0.46, R6220 before 1.1.0.80, R6230 before 1.1.0.80, R6260 before 1.1.0.64, R6700v2 before 1.2.0.36, R6800 before 1.2.0.36, and R6900v2 before 1.2.0.36. | MEDIUM | Apr 15, 2020 |
