The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2020-15351 | IDrive before 6.7.3.19 on Windows installs by default to %PROGRAMFILES(X86)%\\IDriveWindows with weak folder permissions granting any user modify permission (i.e., NT AUTHORITY\\Authenticated Users:(OI)(CI)(M)) to the contents of the directory and its sub-folders. In addition, the program installs a service called IDriveService that runs as LocalSystem. Thus, any standard user can escalate privileges to NT AUTHORITY\\SYSTEM by substituting the service\'s binary with a malicious one. | HIGH | Jun 26, 2020 |
| CVE-2020-15350 | RIOT 2020.04 has a buffer overflow in the base64 decoder. The decoding function base64_decode() uses an output buffer estimation function to compute the required buffer capacity and validate against the provided buffer size. The base64_estimate_decode_size() function calculates the expected decoded size with an arithmetic round-off error and does not take into account possible padding bytes. Due to this underestimation, it may be possible to craft base64 input that causes a buffer overflow. | HIGH | Jul 7, 2020 |
| CVE-2020-15349 | BinaryNights ForkLift 3.x before 3.4 has a local privilege escalation vulnerability because the privileged helper tool implements an XPC interface that allows file operations to any process (copy, move, delete) as root and changing permissions. | HIGH | Nov 17, 2020 |
| CVE-2020-15348 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows use of live/CPEManager/AXCampaignManager/delete_cpes_by_ids?cpe_ids= for eval injection of Python code. | HIGH | Jun 26, 2020 |
| CVE-2020-15347 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the q6xV4aW8bQ4cfD-b password for the axiros account. | -- | Sep 29, 2022 |
| CVE-2020-15346 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a /live/GLOBALS API with the CLOUDCNM key. | -- | Sep 29, 2022 |
| CVE-2020-15345 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_get_instances_for_update API. | -- | Sep 29, 2022 |
| CVE-2020-15344 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_get_user_id_and_key API. | -- | Sep 29, 2022 |
| CVE-2020-15343 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_install_user_key API. | -- | Sep 29, 2022 |
| CVE-2020-15342 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_install_user API. | -- | Sep 29, 2022 |
| CVE-2020-15341 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated update_all_realm_license API. | -- | Sep 29, 2022 |
| CVE-2020-15340 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded opt/axess/AXAssets/default_axess/axess/TR69/Handlers/turbolink/sshkeys/id_rsa SSH key. | -- | Sep 29, 2022 |
| CVE-2020-15339 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows live/CPEManager/AXCampaignManager/handle_campaign_script_link?script_name= XSS. | -- | Sep 29, 2022 |
| CVE-2020-15338 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a Use of GET Request Method With Sensitive Query Strings issue for /cnr requests. | -- | Sep 29, 2022 |
| CVE-2020-15337 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a Use of GET Request Method With Sensitive Query Strings issue for /registerCpe requests. | -- | Sep 29, 2022 |
| CVE-2020-15336 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has no authentication for /cnr requests. | MEDIUM | Jun 26, 2020 |
| CVE-2020-15335 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has no authentication for /registerCpe requests. | MEDIUM | Jun 26, 2020 |
| CVE-2020-15334 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows escape-sequence injection into the /var/log/axxmpp.log file. | -- | Sep 29, 2022 |
| CVE-2020-15333 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows attackers to discover accounts via MySQL select * from Administrator_users and select * from Users_users requests. | -- | Sep 29, 2022 |
| CVE-2020-15332 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has weak /opt/axess/etc/default/axess permissions. | -- | Sep 29, 2022 |
| CVE-2020-15331 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded OAUTH_SECRET_KEY in /opt/axess/etc/default/axess. | -- | Sep 29, 2022 |
| CVE-2020-15330 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded APP_KEY in /opt/axess/etc/default/axess. | -- | Sep 29, 2022 |
| CVE-2020-15329 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has weak Data.fs permissions. | -- | Sep 29, 2022 |
| CVE-2020-15328 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has weak /opt/axess/var/blobstorage/ permissions. | -- | Sep 29, 2022 |
| CVE-2020-15327 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 uses ZODB storage without authentication. | -- | Sep 29, 2022 |
| CVE-2020-15326 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded certificate for Ejabberd in ejabberd.pem. | -- | Sep 29, 2022 |
| CVE-2020-15325 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded Erlang cookie for ejabberd replication. | -- | Sep 29, 2022 |
| CVE-2020-15324 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a world-readable axess/opt/axXMPPHandler/config/xmpp_config.py file that stores hardcoded credentials. | HIGH | Jul 6, 2020 |
| CVE-2020-15323 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the cloud1234 password for the a1@chopin account default credentials. | HIGH | Jul 6, 2020 |
| CVE-2020-15322 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the wbboEZ4BN3ssxAfM hardcoded password for the debian-sys-maint account. | HIGH | Jul 6, 2020 |
| CVE-2020-15321 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the axzyxel password for the livedbuser account. | HIGH | Jul 6, 2020 |
| CVE-2020-15320 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the axiros password for the root account. | HIGH | Jul 2, 2020 |
| CVE-2020-15319 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded RSA SSH key for the root account within the /opt/mysql chroot directory tree. | MEDIUM | Jul 2, 2020 |
| CVE-2020-15318 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key for the root account within the /opt/mysql chroot directory tree. | MEDIUM | Jul 6, 2020 |
| CVE-2020-15317 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded RSA SSH key for the root account within the /opt/axess chroot directory tree. | MEDIUM | Jul 6, 2020 |
| CVE-2020-15316 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded ECDSA SSH key for the root account within the /opt/axess chroot directory tree. | MEDIUM | Jul 6, 2020 |
| CVE-2020-15315 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key for the root account within the /opt/axess chroot directory tree. | MEDIUM | Jul 6, 2020 |
| CVE-2020-15314 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded RSA SSH key for the root account. | MEDIUM | Jul 2, 2020 |
| CVE-2020-15313 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded ECDSA SSH key for the root account. | MEDIUM | Jul 2, 2020 |
| CVE-2020-15312 | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key for the root account. | MEDIUM | Jul 2, 2020 |
| CVE-2020-15311 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-4080. Reason: This candidate is a duplicate of CVE-2008-4080.2. Notes: All CVE users should reference CVE-2008-4080.2 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage | HIGH | Jun 26, 2020 |
| CVE-2020-15309 | An issue was discovered in wolfSSL before 4.5.0, when single precision is not employed. Local attackers can conduct a cache-timing attack against public key operations. These attackers may already have obtained sensitive information if the affected system has been used for private key operations (e.g., signing with a private key). | MEDIUM | Aug 21, 2020 |
| CVE-2020-15308 | Support Incident Tracker (aka SiT! or SiTracker) 3.67 p2 allows post-authentication SQL injection via the site_edit.php typeid or site parameter, the search_incidents_advanced.php search_title parameter, or the report_qbe.php criteriafield parameter. | MEDIUM | Jun 26, 2020 |
| CVE-2020-15307 | Nozomi Guardian before 19.0.4 allows attackers to achieve stored XSS (in the web front end) by leveraging the ability to create a custom field with a crafted field name. | MEDIUM | Jun 30, 2020 |
| CVE-2020-15306 | An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() in IlmImf/ImfMisc.cpp. | LOW | Jun 26, 2020 |
| CVE-2020-15305 | An issue was discovered in OpenEXR before 2.5.2. Invalid input could cause a use-after-free in DeepScanLineInputFile::DeepScanLineInputFile() in IlmImf/ImfDeepScanLineInputFile.cpp. | LOW | Jun 26, 2020 |
| CVE-2020-15304 | An issue was discovered in OpenEXR before 2.5.2. An invalid tiled input file could cause invalid memory access in TiledInputFile::TiledInputFile() in IlmImf/ImfTiledInputFile.cpp, as demonstrated by a NULL pointer dereference. | LOW | Jun 26, 2020 |
| CVE-2020-15303 | Infoblox NIOS before 8.5.2 allows entity expansion during an XML upload operation, a related issue to CVE-2003-1564. | MEDIUM | Jul 2, 2021 |
| CVE-2020-15302 | In Argent RecoveryManager before 0xdc350d09f71c48c5D22fBE2741e4d6A03970E192, the executeRecovery function does not require any signatures in the zero-guardian case, which allows attackers to cause a denial of service (locking) or a takeover. | MEDIUM | Jun 25, 2020 |
| CVE-2020-15301 | SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation. | MEDIUM | Nov 19, 2020 |
