The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2020-1484 | An elevation of privilege vulnerability exists when the Windows Work Folders Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Work Folders Service handles memory. | MEDIUM | Aug 18, 2020 | n/a |
| CVE-2020-1483 | A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. Note that where severity is indicated as Critical in the Affected Products table, the Preview Pane is an attack vector. The security update addresses the vulnerability by correcting how Outlook handles objects in memory. | HIGH | Aug 18, 2020 | n/a |
| CVE-2020-1482 | <p>A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server.</p> <p>The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim\'s identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.</p> <p>The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests.</p> | MEDIUM | Sep 13, 2020 | n/a |
| CVE-2020-1481 | A remote code execution vulnerability exists in the ESLint extension for Visual Studio Code when it validates source code after opening a project, aka \'Visual Studio Code ESLint Extention Remote Code Execution Vulnerability\'. | HIGH | Jul 17, 2020 | n/a |
| CVE-2020-1480 | An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how GDI handles objects in memory and by preventing instances of unintended user-mode privilege elevation. | HIGH | Aug 18, 2020 | n/a |
| CVE-2020-1479 | An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by correcting how DirectX handles objects in memory. | HIGH | Aug 18, 2020 | n/a |
| CVE-2020-1478 | A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | MEDIUM | Aug 19, 2020 | n/a |
| CVE-2020-1477 | A memory corruption vulnerability exists when Windows Media Foundation improperly handles objects in memory. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage. The security update addresses the vulnerability by correcting how Windows Media Foundation handles objects in memory. | MEDIUM | Aug 19, 2020 | n/a |
| CVE-2020-1476 | An elevation of privilege vulnerability exists when ASP.NET or .NET web applications running on IIS improperly allow access to cached files. An attacker who successfully exploited this vulnerability could gain access to restricted files. To exploit this vulnerability, an attacker would need to send a specially crafted request to an affected server. The update addresses the vulnerability by changing how ASP.NET and .NET handle requests. | LOW | Aug 18, 2020 | n/a |
| CVE-2020-1475 | An elevation of privilege vulnerability exists in the way that the srmsvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the srmsvc.dll properly handles objects in memory. | MEDIUM | Aug 18, 2020 | n/a |
| CVE-2020-1474 | An information disclosure vulnerability exists when the Windows Image Acquisition (WIA) Service improperly discloses contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability, an authenticated attacker could connect an imaging device (camera, scanner, cellular phone) to an affected system and run a specially crafted application to disclose information. The security update addresses the vulnerability by correcting how the WIA Service handles objects in memory. | LOW | Aug 18, 2020 | n/a |
| CVE-2020-1473 | A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. | MEDIUM | Aug 18, 2020 | n/a |
| CVE-2020-1472 | An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications. | HIGH | Aug 18, 2020 | n/a |
| CVE-2020-1471 | <p>An elevation of privilege vulnerability exists when Microsoft Windows CloudExperienceHost fails to check COM objects. An attacker who successfully exploited the vulnerability could gain elevated privileges on a targeted system.</p> <p>To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application.</p> <p>The security update addresses the vulnerability by checking COM objects.</p> | MEDIUM | Sep 11, 2020 | n/a |
| CVE-2020-1470 | An elevation of privilege vulnerability exists when the Windows Work Folders Service improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how the Windows Work Folders Service handles memory. | MEDIUM | Aug 21, 2020 | n/a |
| CVE-2020-1469 | A denial of service vulnerability exists when the .NET implementation of Bond improperly parses input, aka \'Bond Denial of Service Vulnerability\'. | MEDIUM | Jul 17, 2020 | n/a |
| CVE-2020-1468 | An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka \'Windows GDI Information Disclosure Vulnerability\'. | MEDIUM | Jul 17, 2020 | n/a |
| CVE-2020-1467 | An elevation of privilege vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows handles hard links. | HIGH | Aug 21, 2020 | n/a |
| CVE-2020-1466 | A denial of service vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RD Gateway service on the target system to stop responding. To exploit this vulnerability, an attacker would need to run a specially crafted application against a server which provides RD Gateway services. The update addresses the vulnerability by correcting how RD Gateway handles connection requests. | MEDIUM | Aug 18, 2020 | n/a |
| CVE-2020-1465 | An elevation of privilege vulnerability exists in Microsoft OneDrive that allows file deletion in arbitrary locations.To exploit the vulnerability, an attacker would first have to log on to the system, aka \'Microsoft OneDrive Elevation of Privilege Vulnerability\'. | HIGH | Jul 17, 2020 | n/a |
| CVE-2020-1464 | A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files. In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded. The update addresses the vulnerability by correcting how Windows validates file signatures. | LOW | Aug 21, 2020 | n/a |
| CVE-2020-1463 | An elevation of privilege vulnerability exists in the way that the SharedStream Library handles objects in memory, aka \'Windows SharedStream Library Elevation of Privilege Vulnerability\'. | MEDIUM | Jul 17, 2020 | n/a |
| CVE-2020-1462 | An information disclosure vulnerability exists when Skype for Business is accessed via Microsoft Edge (EdgeHTML-based), aka \'Skype for Business via Microsoft Edge (EdgeHTML-based) Information Disclosure Vulnerability\'. | MEDIUM | Jul 17, 2020 | n/a |
| CVE-2020-1461 | An elevation of privilege vulnerability exists when the MpSigStub.exe for Defender allows file deletion in arbitrary locations.To exploit the vulnerability, an attacker would first have to log on to the system, aka \'Microsoft Defender Elevation of Privilege Vulnerability\'. | LOW | Jul 17, 2020 | n/a |
| CVE-2020-1460 | <p>A remote code execution vulnerability exists in Microsoft SharePoint Server when it fails to properly identify and filter unsafe ASP.Net web controls. An authenticated attacker who successfully exploited the vulnerability could use a specially crafted page to perform actions in the security context of the SharePoint application pool process.</p> <p>To exploit the vulnerability, an authenticated user must create and invoke a specially crafted page on an affected version of Microsoft SharePoint Server.</p> <p>The security update addresses the vulnerability by correcting how Microsoft SharePoint Server handles processing of created content.</p> | MEDIUM | Sep 11, 2020 | n/a |
| CVE-2020-1459 | An information disclosure vulnerability exists on ARM implementations that use speculative execution in control flow via a side-channel analysis, aka "straight-line speculation." To exploit this vulnerability, an attacker with local privileges would need to run a specially crafted application. The security update addresses the vulnerability by bypassing the speculative execution. | LOW | Aug 21, 2020 | n/a |
| CVE-2020-1458 | A remote code execution vulnerability exists when Microsoft Office improperly validates input before loading dynamic link library (DLL) files, aka \'Microsoft Office Remote Code Execution Vulnerability\'. | HIGH | Jul 15, 2020 | n/a |
| CVE-2020-1457 | A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory, aka \'Microsoft Windows Codecs Library Remote Code Execution Vulnerability\'. This CVE ID is unique from CVE-2020-1425. | MEDIUM | Jul 27, 2020 | n/a |
| CVE-2020-1456 | A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka \'Microsoft Office SharePoint XSS Vulnerability\'. This CVE ID is unique from CVE-2020-1450, CVE-2020-1451. | LOW | Jul 15, 2020 | n/a |
| CVE-2020-1455 | A denial of service vulnerability exists when Microsoft SQL Server Management Studio (SSMS) improperly handles files. An attacker could exploit the vulnerability to trigger a denial of service. To exploit the vulnerability, an attacker would first require execution on the victim system. The security update addresses the vulnerability by ensuring Microsoft SQL Server Management Studio properly handles files. | LOW | Aug 21, 2020 | n/a |
| CVE-2020-1454 | This vulnerability is caused when SharePoint Server does not properly sanitize a specially crafted request to an affected SharePoint server.An authenticated attacker could exploit this vulnerability by sending a specially crafted request to an affected SharePoint server, aka \'Microsoft SharePoint Reflective XSS Vulnerability\'. | LOW | Jul 15, 2020 | n/a |
| CVE-2020-1453 | <p>A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.</p> <p>Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.</p> <p>The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.</p> | HIGH | Sep 13, 2020 | n/a |
| CVE-2020-1452 | <p>A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.</p> <p>Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.</p> <p>The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.</p> | HIGH | Sep 13, 2020 | n/a |
| CVE-2020-1451 | A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka \'Microsoft Office SharePoint XSS Vulnerability\'. This CVE ID is unique from CVE-2020-1450, CVE-2020-1456. | LOW | Jul 15, 2020 | n/a |
| CVE-2020-1450 | A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka \'Microsoft Office SharePoint XSS Vulnerability\'. This CVE ID is unique from CVE-2020-1451, CVE-2020-1456. | LOW | Jul 15, 2020 | n/a |
| CVE-2020-1449 | A remote code execution vulnerability exists in Microsoft Project software when the software fails to check the source markup of a file, aka \'Microsoft Project Remote Code Execution Vulnerability\'. | HIGH | Jul 15, 2020 | n/a |
| CVE-2020-1448 | A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory, aka \'Microsoft Word Remote Code Execution Vulnerability\'. This CVE ID is unique from CVE-2020-1446, CVE-2020-1447. | MEDIUM | Jul 15, 2020 | n/a |
| CVE-2020-1447 | A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory, aka \'Microsoft Word Remote Code Execution Vulnerability\'. This CVE ID is unique from CVE-2020-1446, CVE-2020-1448. | MEDIUM | Jul 15, 2020 | n/a |
| CVE-2020-1446 | A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory, aka \'Microsoft Word Remote Code Execution Vulnerability\'. This CVE ID is unique from CVE-2020-1447, CVE-2020-1448. | MEDIUM | Jul 15, 2020 | n/a |
| CVE-2020-1445 | An information disclosure vulnerability exists when Microsoft Office improperly discloses the contents of its memory, aka \'Microsoft Office Information Disclosure Vulnerability\'. This CVE ID is unique from CVE-2020-1342. | MEDIUM | Jul 15, 2020 | n/a |
| CVE-2020-1444 | A remote code execution vulnerability exists in the way Microsoft SharePoint software parses specially crafted email messages, aka \'Microsoft SharePoint Remote Code Execution Vulnerability\'. | MEDIUM | Jul 15, 2020 | n/a |
| CVE-2020-1443 | A spoofing vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka \'Microsoft SharePoint Spoofing Vulnerability\'. | LOW | Jul 15, 2020 | n/a |
| CVE-2020-1442 | A spoofing vulnerability exists when an Office Web Apps server does not properly sanitize a specially crafted request, aka \'Office Web Apps XSS Vulnerability\'. | MEDIUM | Jul 15, 2020 | n/a |
| CVE-2020-1440 | <p>A tampering vulnerability exists when Microsoft SharePoint Server fails to properly handle profile data. An attacker who successfully exploited this vulnerability could modify a targeted user\'s profile data.</p> <p>To exploit the vulnerability, an attacker would need to be authenticated on an affected SharePoint Server. The attacker would then need to send a specially modified request to the server, targeting a specific user.</p> <p>The security update addresses the vulnerability by modifying how Microsoft SharePoint Server handles profile data.</p> | MEDIUM | Sep 11, 2020 | n/a |
| CVE-2020-1439 | A remote code execution vulnerability exists in PerformancePoint Services for SharePoint Server when the software fails to check the source markup of XML file input, aka \'PerformancePoint Services Remote Code Execution Vulnerability\'. | MEDIUM | Jul 16, 2020 | n/a |
| CVE-2020-1438 | An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory, aka \'Windows Network Connections Service Elevation of Privilege Vulnerability\'. This CVE ID is unique from CVE-2020-1373, CVE-2020-1390, CVE-2020-1427, CVE-2020-1428. | MEDIUM | Jul 16, 2020 | n/a |
| CVE-2020-1437 | An elevation of privilege vulnerability exists in the way that the Windows Network Location Awareness Service handles objects in memory, aka \'Windows Network Location Awareness Service Elevation of Privilege Vulnerability\'. | MEDIUM | Jul 15, 2020 | n/a |
| CVE-2020-1436 | A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted fonts.For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely, aka \'Windows Font Library Remote Code Execution Vulnerability\'. | MEDIUM | Jul 15, 2020 | n/a |
| CVE-2020-1435 | A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory, aka \'GDI+ Remote Code Execution Vulnerability\'. | HIGH | Jul 15, 2020 | n/a |
| CVE-2020-1434 | An elevation of privilege vulnerability exists in the way that the Windows Sync Host Service handles objects in memory, aka \'Windows Sync Host Service Elevation of Privilege Vulnerability\'. | MEDIUM | Jul 15, 2020 | n/a |
