The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2020-8616 | A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor. | MEDIUM | May 22, 2020 |
CVE-2020-8615 | A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors). | LOW | Feb 6, 2020 |
CVE-2020-8614 | An issue was discovered on Askey AP4000W TDC_V1.01.003 devices. An attacker can perform Remote Code Execution (RCE) by sending a specially crafted network packer to the bd_svr service listening on TCP port 54188. | HIGH | Feb 13, 2020 |
CVE-2020-8612 | In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, a REST API endpoint failed to adequately sanitize malicious input, which could allow an authenticated attacker to execute arbitrary code in a victim\'s browser, aka XSS. | MEDIUM | Feb 14, 2020 |
CVE-2020-8611 | In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, multiple SQL Injection vulnerabilities have been found in the REST API that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer\'s database via the REST API. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or destroy database elements. | MEDIUM | Feb 14, 2020 |
CVE-2020-8608 | In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code. | HIGH | Feb 11, 2020 |
CVE-2020-8607 | An input validation vulnerability found in multiple Trend Micro products utilizing a particular version of a specific rootkit protection driver could allow an attacker in user-mode with administrator permissions to abuse the driver to modify a kernel address that may cause a system crash or potentially lead to code execution in kernel mode. An attacker must already have obtained administrator access on the target machine (either legitimately or via a separate unrelated attack) to exploit this vulnerability. | HIGH | Aug 5, 2020 |
CVE-2020-8606 | A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to bypass authentication on affected installations of Trend Micro InterScan Web Security Virtual Appliance. | HIGH | May 28, 2020 |
CVE-2020-8605 | A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to execute arbitrary code on affected installations. Authentication is required to exploit this vulnerability. | MEDIUM | May 28, 2020 |
CVE-2020-8604 | A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to disclose sensitive informatoin on affected installations. | MEDIUM | May 28, 2020 |
CVE-2020-8603 | A cross-site scripting vulnerability (XSS) in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow a remote attacker to tamper with the web interface of affected installations. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. | MEDIUM | May 28, 2020 |
CVE-2020-8602 | A vulnerability in the management consoles of Trend Micro Deep Security 10.0-12.0 and Trend Micro Vulnerability Protection 2.0 SP2 may allow an authenticated attacker with full control privileges to bypass file integrity checks, leading to remote code execution. | MEDIUM | Aug 28, 2020 |
CVE-2020-8601 | Trend Micro Vulnerability Protection 2.0 is affected by a vulnerability that could allow an attack to use the product installer to load other DLL files located in the same directory. | MEDIUM | Feb 25, 2020 |
CVE-2020-8600 | Trend Micro Worry-Free Business Security (9.0, 9.5, 10.0) is affected by a directory traversal vulnerability that could allow an attacker to manipulate a key file to bypass authentication. | HIGH | Mar 18, 2020 |
CVE-2020-8599 | Trend Micro Apex One (2019) and OfficeScan XG server contain a vulnerable EXE file that could allow a remote attacker to write arbitrary data to an arbitrary path on affected installations and bypass ROOT login. Authentication is not required to exploit this vulnerability. | HIGH | Mar 19, 2020 |
CVE-2020-8598 | Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file that could allow a remote attacker to execute arbitrary code on affected installations with SYSTEM level privileges. Authentication is not required to exploit this vulnerability. | HIGH | Mar 19, 2020 |
CVE-2020-8597 | eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions. | HIGH | Feb 9, 2020 |
CVE-2020-8596 | participants-database.php in the Participants Database plugin 1.9.5.5 and previous versions for WordPress has a time-based SQL injection vulnerability via the ascdesc, list_filter_count, or sortBy parameters. It is possible to exfiltrate data and potentially execute code (if certain conditions are met). | MEDIUM | Feb 11, 2020 |
CVE-2020-8595 | Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match. | HIGH | Feb 14, 2020 |
CVE-2020-8594 | The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_lang], or ninja_forms[date_format]. | LOW | Feb 14, 2020 |
CVE-2020-8592 | eG Manager 7.1.2 allows SQL Injection via the user parameter to com.eg.LoginHelperServlet (aka the Forgot Password feature). | HIGH | Feb 5, 2020 |
CVE-2020-8591 | eG Manager 7.1.2 allows authentication bypass via a com.egurkha.EgLoginServlet?uname=admin&upass=&accessKey=eGm0n1t0r request. | HIGH | Feb 6, 2020 |
CVE-2020-8590 | Clustered Data ONTAP versions prior to 9.1P18 and 9.3P12 are susceptible to a vulnerability which could allow an attacker to discover node names via AutoSupport bundles even when the –remove-private-data parameter is set to true. | LOW | Feb 12, 2021 |
CVE-2020-8589 | Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptible to a vulnerability which could allow unauthorized tenant users to discover the names of other Storage Virtual Machines (SVMs) and filenames on those SVMs. | LOW | Feb 3, 2021 |
CVE-2020-8588 | Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptible to a vulnerability which could allow unauthorized tenant users to discover the existence of data on other Storage Virtual Machines (SVMs). | LOW | Feb 3, 2021 |
CVE-2020-8587 | OnCommand System Manager 9.x versions prior to 9.3P20 and 9.4 prior to 9.4P3 are susceptible to a vulnerability that could allow HTTP clients to cache sensitive responses making them accessible to an attacker who has access to the system where the client runs. | LOW | Feb 12, 2021 |
CVE-2020-8586 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 |
CVE-2020-8585 | OnCommand Unified Manager Core Package versions prior to 5.2.5 may disclose sensitive account information to unauthorized users via the use of PuTTY Link (plink). | LOW | Jan 29, 2021 |
CVE-2020-8584 | Element OS versions prior to 1.8P1 and 12.2 are susceptible to a vulnerability that could allow an unauthenticated remote attacker to perform arbitrary code execution. | HIGH | Jan 8, 2021 |
CVE-2020-8583 | Element Software versions prior to 12.2 and HCI versions prior to 1.8P1 are susceptible to a vulnerability which could allow an attacker to discover sensitive information by intercepting its transmission within an https session. | MEDIUM | Nov 13, 2020 |
CVE-2020-8582 | Element Software versions prior to 12.2 and HCI versions prior to 1.8P1 are susceptible to a vulnerability which could allow an authenticated user to view sensitive information. | MEDIUM | Nov 13, 2020 |
CVE-2020-8581 | Clustered Data ONTAP versions prior to 9.3P20 and 9.5 are susceptible to a vulnerability which could allow an authenticated but unauthorized attacker to overwrite arbitrary data when VMware vStorage support is enabled. | LOW | Jan 19, 2021 |
CVE-2020-8580 | SANtricity OS Controller Software versions 11.30 and higher are susceptible to a vulnerability which allows an unauthenticated attacker with access to the system to cause a Denial of Service (DoS). | MEDIUM | Nov 6, 2020 |
CVE-2020-8579 | Clustered Data ONTAP versions 9.7 through 9.7P7 are susceptible to a vulnerability which allows an attacker with access to an intercluster LIF to cause a Denial of Service (DoS). | MEDIUM | Oct 27, 2020 |
CVE-2020-8578 | Clustered Data ONTAP versions prior to 9.3P20 are susceptible to a vulnerability which could allow an attacker to discover node names via AutoSupport bundles even when the –remove-private-data parameter is set to true. | LOW | Feb 12, 2021 |
CVE-2020-8577 | SANtricity OS Controller Software versions 11.50.1 and higher are susceptible to a vulnerability which could allow an attacker to discover sensitive information by intercepting its transmission within an https session. | MEDIUM | Nov 6, 2020 |
CVE-2020-8576 | Clustered Data ONTAP versions prior to 9.3P19, 9.5P14, 9.6P9 and 9.7 are susceptible to a vulnerability which when successfully exploited could lead to addition or modification of data or disclosure of sensitive information. | MEDIUM | Sep 2, 2020 |
CVE-2020-8575 | Active IQ Unified Manager for VMware vSphere and Windows versions prior to 9.5 are susceptible to a vulnerability which allows administrative users to cause Denial of Service (DoS). | LOW | Aug 9, 2020 |
CVE-2020-8574 | Active IQ Unified Manager for Linux versions prior to 9.6 ship with the Java Management Extension Remote Method Invocation (JMX RMI) service enabled allowing unauthorized code execution to local users. | MEDIUM | Aug 3, 2020 |
CVE-2020-8573 | The NetApp HCI H610C, H615C and H610S Baseboard Management Controllers (BMC) are shipped with a documented default account and password that should be changed during the initial node setup. During upgrades to Element 11.8 and 12.0 or the Compute Firmware Bundle 12.2.92 the BMC account password on the H610C, H615C and H610S platforms is reset to the default documented value which could allow remote attackers to cause a Denial of Service (DoS). | MEDIUM | Jun 29, 2020 |
CVE-2020-8572 | Element OS prior to version 12.0 and Element HealthTools prior to version 2020.04.01.04 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information. | MEDIUM | May 21, 2020 |
CVE-2020-8571 | StorageGRID (formerly StorageGRID Webscale) versions 10.0.0 through 11.3 prior to 11.2.0.8 and 11.3.0.4 are susceptible to a vulnerability which allows an unauthenticated remote attacker to cause a Denial of Service (DoS). | MEDIUM | Mar 18, 2020 |
CVE-2020-8570 | Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code. | MEDIUM | Jan 21, 2021 |
CVE-2020-8569 | Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes, is automatically restarted by Kubernetes, and processes the same VolumeSnapshot custom resource after the restart, entering an endless crashloop. Only the volume snapshot feature is affected by this vulnerability. When exploited, users can’t take snapshots of their volumes or delete the snapshots. All other Kubernetes functionality is not affected. | MEDIUM | Jan 21, 2021 |
CVE-2020-8568 | Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets. | MEDIUM | Jan 21, 2021 |
CVE-2020-8567 | Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods. | MEDIUM | Jan 21, 2021 |
CVE-2020-8566 | In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager\'s logs during provisioning of Ceph RBD persistent claims. This affects < v1.19.3, < v1.18.10, < v1.17.13. | LOW | Oct 21, 2020 |
CVE-2020-8565 | In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2. | LOW | Oct 21, 2020 |
CVE-2020-8564 | In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13. | LOW | Oct 21, 2020 |
CVE-2020-8563 | In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager\'s log. This affects < v1.19.3. | LOW | Oct 21, 2020 |