The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2020-24433 | Adobe Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by a local privilege escalation vulnerability that could enable a user without administrator privileges to delete arbitrary files and potentially execute arbitrary code as SYSTEM. Exploitation of this issue requires an attacker to socially engineer a victim, or the attacker must already have some access to the environment. | HIGH | Nov 9, 2020 | n/a |
CVE-2020-24432 | Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) and Adobe Acrobat Pro DC 2017.011.30175 (and earlier) are affected by an improper input validation vulnerability that could result in arbitrary JavaScript execution in the context of the current user. To exploit this issue, an attacker must acquire and then modify a certified PDF document that is trusted by the victim. The attacker then needs to convince the victim to open the document. | MEDIUM | Nov 9, 2020 | n/a |
CVE-2020-24431 | Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) for macOS are affected by a security feature bypass that could result in dynamic library code injection by the Adobe Reader process. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | MEDIUM | Nov 9, 2020 | n/a |
CVE-2020-24430 | Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by a use-after-free vulnerability when handling malicious JavaScript. This vulnerability could result in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a malicious file. | MEDIUM | Nov 9, 2020 | n/a |
CVE-2020-24429 | Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) for macOS are affected by a signature verification bypass that could result in local privilege escalation. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | MEDIUM | Nov 9, 2020 | n/a |
CVE-2020-24428 | Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) for macOS are affected by a time-of-check time-of-use (TOCTOU) race condition vulnerability that could result in local privilege escalation. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | MEDIUM | Nov 9, 2020 | n/a |
CVE-2020-24427 | Acrobat Reader versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by an input validation vulnerability when decoding a crafted codec that could result in the disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | MEDIUM | Nov 9, 2020 | n/a |
CVE-2020-24426 | Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | MEDIUM | Nov 9, 2020 | n/a |
CVE-2020-24425 | Dreamweaver version 20.2 (and earlier) is affected by an uncontrolled search path element vulnerability that could lead to privilege escalation. Successful exploitation could result in a local user with permissions to write to the file system running system commands with administrator privileges. | HIGH | Oct 22, 2020 | n/a |
CVE-2020-24424 | Adobe Premiere Pro version 14.4 (and earlier) is affected by an uncontrolled search path element that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | MEDIUM | Oct 22, 2020 | n/a |
CVE-2020-24423 | Adobe Media Encoder version 14.4 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | MEDIUM | Oct 22, 2020 | n/a |
CVE-2020-24422 | Adobe Creative Cloud Desktop Application version 5.2 (and earlier) and 2.1 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | MEDIUM | Oct 21, 2020 | n/a |
CVE-2020-24421 | Adobe InDesign version 15.1.2 (and earlier) is affected by a NULL pointer dereference bug that occurs when handling a malformed .indd file. The impact is limited to causing a denial-of-service of the client application. User interaction is required to exploit this issue. | MEDIUM | Oct 22, 2020 | n/a |
CVE-2020-24420 | Adobe Photoshop for Windows version 21.2.1 (and earlier) is affected by an uncontrolled search path element vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | MEDIUM | Oct 22, 2020 | n/a |
CVE-2020-24419 | Adobe After Effects version 17.1.1 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | MEDIUM | Oct 22, 2020 | n/a |
CVE-2020-24418 | Adobe After Effects version 17.1.1 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted .aepx file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. This vulnerability requires user interaction to exploit. | HIGH | Oct 22, 2020 | n/a |
CVE-2020-24416 | Marketo Sales Insight plugin version 1.4355 (and earlier) is affected by a blind stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | MEDIUM | Oct 22, 2020 | n/a |
CVE-2020-24415 | Adobe Illustrator version 24.1.2 (and earlier) is affected by a memory corruption vulnerability that occurs when parsing a specially crafted .svg file. This could result in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit. | MEDIUM | Oct 21, 2020 | n/a |
CVE-2020-24414 | Adobe Illustrator version 24.1.2 (and earlier) is affected by a memory corruption vulnerability that occurs when parsing a specially crafted .svg file. This could result in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit. | MEDIUM | Oct 21, 2020 | n/a |
CVE-2020-24413 | Adobe Illustrator version 24.1.2 (and earlier) is affected by a memory corruption vulnerability that occurs when parsing a specially crafted .svg file. This could result in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit. | MEDIUM | Oct 21, 2020 | n/a |
CVE-2020-24412 | Adobe Illustrator version 24.1.2 (and earlier) is affected by a memory corruption vulnerability that occurs when parsing a specially crafted .svg file. This could result in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit. | MEDIUM | Oct 21, 2020 | n/a |
CVE-2020-24411 | Adobe Illustrator version 24.2 (and earlier) is affected by an out-of-bounds write vulnerability when handling crafted PDF files. This could result in a write past the end of an allocated memory structure, potentially resulting in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit. | MEDIUM | Oct 22, 2020 | n/a |
CVE-2020-24410 | Adobe Illustrator version 24.2 (and earlier) is affected by an out-of-bounds read vulnerability when parsing crafted PDF files. This could result in a read past the end of an allocated memory structure, potentially resulting in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit. | MEDIUM | Oct 22, 2020 | n/a |
CVE-2020-24409 | Adobe Illustrator version 24.2 (and earlier) is affected by an out-of-bounds read vulnerability when parsing crafted PDF files. This could result in a read past the end of an allocated memory structure, potentially resulting in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit. | MEDIUM | Oct 22, 2020 | n/a |
CVE-2020-24408 | Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component. This vulnerability could be abused by an unauthenticated attacker to execute XSS attacks against other Magento users. This vulnerability requires a victim to browse to the uploaded file. | MEDIUM | Oct 16, 2020 | n/a |
CVE-2020-24407 | Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components. | HIGH | Nov 9, 2020 | n/a |
CVE-2020-24406 | When in maintenance mode, Magento version 2.4.0 and 2.3.4 (and earlier) are affected by an information disclosure vulnerability that could expose the installation path during build deployments. This information could be helpful to attackers if they are able to identify other exploitable vulnerabilities in the environment. | MEDIUM | Nov 9, 2020 | n/a |
CVE-2020-24405 | Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions issue vulnerability in the Inventory module. This vulnerability could be abused by authenticated users to modify inventory stock data without authorization. | MEDIUM | Nov 9, 2020 | n/a |
CVE-2020-24404 | Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization. | MEDIUM | Nov 9, 2020 | n/a |
CVE-2020-24403 | Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the REST API. | MEDIUM | Nov 9, 2020 | n/a |
CVE-2020-24402 | Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization. | MEDIUM | Nov 9, 2020 | n/a |
CVE-2020-24401 | Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user\'s account. | MEDIUM | Nov 9, 2020 | n/a |
CVE-2020-24400 | Magento versions 2.4.0 and 2.3.5 (and earlier) are affected by an SQL Injection vulnerability that could lead to sensitive information disclosure. This vulnerability could be exploited by an authenticated user with permissions to the product listing page to read data from the database. | MEDIUM | Nov 9, 2020 | n/a |
CVE-2020-24397 | An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.0.SP-534. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. | HIGH | Oct 9, 2020 | n/a |
CVE-2020-24396 | homee Brain Cube v2 (2.28.2 and 2.28.4) devices have sensitive SSH keys within downloadable and unencrypted firmware images. This allows remote attackers to use the support server as a SOCKS proxy. | MEDIUM | May 20, 2021 | n/a |
CVE-2020-24395 | The USB firmware update script of homee Brain Cube v2 (2.28.2 and 2.28.4) devices allows an attacker with physical access to install compromised firmware. This occurs because of insufficient validation of the firmware image file and can lead to code execution on the device. | HIGH | May 20, 2021 | n/a |
CVE-2020-24394 | In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the current umask is not considered. | MEDIUM | Aug 19, 2020 | n/a |
CVE-2020-24393 | TweetStream 2.6.1 uses the library eventmachine in an insecure way that does not have TLS hostname validation. This allows an attacker to perform a man-in-the-middle attack. | MEDIUM | Feb 20, 2021 | n/a |
CVE-2020-24392 | In voloko twitter-stream 0.1.10, missing TLS hostname validation allows an attacker to perform a man-in-the-middle attack against users of the library (because eventmachine is misused). | MEDIUM | Feb 20, 2021 | n/a |
CVE-2020-24391 | mongo-express before 1.0.0 offers support for certain advanced syntax but implements this in an unsafe way. NOTE: this may overlap CVE-2019-10769. | HIGH | Apr 2, 2021 | n/a |
CVE-2020-24390 | eonweb in EyesOfNetwork before 5.3-7 does not properly escape the username on the /module/admin_logs page, which might allow pre-authentication stored XSS during login/logout logs recording. | MEDIUM | Aug 27, 2020 | n/a |
CVE-2020-24388 | An issue was discovered in the _send_secure_msg() function of yubihsm-shell through 2.0.2. The function does not validate the embedded length field of a message received from the device. This could lead to an oversized memcpy() call that will crash the running process. This could be used by an attacker to cause a denial of service. | MEDIUM | Oct 19, 2020 | n/a |
CVE-2020-24387 | An issue was discovered in the yh_create_session() function of yubihsm-shell through 2.0.2. The function does not explicitly check the returned session id from the device. An invalid session id would lead to out-of-bounds read and write operations in the session array. This could be used by an attacker to cause a denial of service attack. | MEDIUM | Oct 19, 2020 | n/a |
CVE-2020-24386 | An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users\' email messages (and path disclosure). | MEDIUM | Jan 10, 2021 | n/a |
CVE-2020-24385 | In MidnightBSD before 1.2.6 and 1.3 before August 2020, and FreeBSD before 7, a NULL pointer dereference was found in the Linux emulation layer that allows attackers to crash the running kernel. During binary interaction, td->td_emuldata in sys/compat/linux/linux_emul.h is not getting initialized and returns NULL from em_find(). | MEDIUM | Sep 3, 2020 | n/a |
CVE-2020-24384 | A10 Networks ACOS and aGalaxy management Graphical User Interfaces (GUIs) have an unauthenticated Remote Code Execution (RCE) vulnerability that could be used to compromise affected ACOS systems. ACOS versions 3.2.x (including and after 3.2.2), 4.x, and 5.1.x are affected. aGalaxy versions 3.0.x, 3.2.x, and 5.0.x are affected. | HIGH | Nov 10, 2020 | n/a |
CVE-2020-24383 | An issue was discovered in FNET through 4.6.4. The code for processing resource records in mDNS queries doesn\'t check for proper \'\\0\' termination of the resource record name string, leading to an out-of-bounds read, and potentially causing information leak or Denial-or-Service. | MEDIUM | Dec 11, 2020 | n/a |
CVE-2020-24381 | GUnet Open eClass Platform (aka openeclass) before 3.11 might allow remote attackers to read students\' submitted assessments because it does not ensure that the web server blocks directory listings, and the data directory is inside the web root by default. | MEDIUM | Aug 19, 2020 | n/a |
CVE-2020-24379 | WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection. | MEDIUM | Sep 9, 2020 | n/a |
CVE-2020-24377 | A DNS rebinding vulnerability in the Freebox OS web interface in Freebox Server before 4.2.3. | MEDIUM | Sep 16, 2020 | n/a |