The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2020-24825 | A vulnerability in the line_table::line_table function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | MEDIUM | Aug 4, 2021 | n/a |
| CVE-2020-24824 | A global buffer overflow issue in the dwarf::line_table::line_table function of Libelfin v0.3 allows attackers to cause a denial of service (DOS). | MEDIUM | Aug 4, 2021 | n/a |
| CVE-2020-24823 | A vulnerability in the dwarf::to_string function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | MEDIUM | Aug 4, 2021 | n/a |
| CVE-2020-24822 | A vulnerability in the dwarf::cursor::uleb function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | MEDIUM | Aug 4, 2021 | n/a |
| CVE-2020-24821 | A vulnerability in the dwarf::cursor::skip_form function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | MEDIUM | Aug 4, 2021 | n/a |
| CVE-2020-24815 | A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded in a dossier/dashboard document. NOTE: 10.4., no fix will be released as version will reach end-of-life on 31/12/2020. | MEDIUM | Nov 24, 2020 | n/a |
| CVE-2020-24807 | The socket.io-file package through 2.0.31 for Node.js relies on client-side validation of file types, which allows remote attackers to execute arbitrary code by uploading an executable file via a modified JSON name field. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | MEDIUM | Oct 6, 2020 | n/a |
| CVE-2020-24804 | Plaintext Password vulnerability in AddAdmin.py in cms-dev/cms v1.4.rc1, allows attackers to gain sensitive information via audit logs. | -- | Aug 11, 2023 | n/a |
| CVE-2020-24794 | Cross Site Scripting (XSS) vulnerability in Kentico before 12.0.75. | MEDIUM | Sep 9, 2020 | n/a |
| CVE-2020-24791 | FUEL CMS 1.4.8 allows SQL injection via the \'fuel_replace_id\' parameter in pages/replace/1. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. | HIGH | Mar 12, 2021 | n/a |
| CVE-2020-24786 | An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise. | HIGH | Aug 31, 2020 | n/a |
| CVE-2020-24772 | In Dreamacro Clash for Windows v0.11.4, an attacker could embed a malicious iframe in a website with a crafted URL that would launch the Clash Windows client and force it to open a remote SMB share. Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking). | MEDIUM | Mar 23, 2022 | n/a |
| CVE-2020-24771 | Incorrect access control in NexusPHP 1.5.beta5.20120707 allows unauthorized attackers to access published content. | MEDIUM | Apr 5, 2022 | n/a |
| CVE-2020-24770 | SQL injection vulnerability in modrules.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the id parameter. | HIGH | Apr 5, 2022 | n/a |
| CVE-2020-24769 | SQL injection vulnerability in takeconfirm.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the classes parameter. | HIGH | Apr 5, 2022 | n/a |
| CVE-2020-24765 | InterMind iMind Server through 3.13.65 allows remote unauthenticated attackers to read the self-diagnostic archive via a direct api/rs/monitoring/rs/api/system/dump-diagnostic-info?server=127.0.0.1 request. | MEDIUM | Oct 22, 2020 | n/a |
| CVE-2020-24755 | In Ubiquiti UniFi Video v3.10.13, when the executable starts, its first library validation is in the current directory. This allows the impersonation and modification of the library to execute code on the system. This was tested in (Windows 7 x64/Windows 10 x64). | MEDIUM | May 18, 2021 | n/a |
| CVE-2020-24753 | A memory corruption vulnerability in Objective Open CBOR Run-time (oocborrt) in versions before 2020-08-12 could allow an attacker to execute code via crafted Concise Binary Object Representation (CBOR) input to the cbor2json decoder. An uncaught error while decoding CBOR Major Type 3 text strings leads to the use of an attacker-controllable uninitialized stack value. This can be used to modify memory, causing a crash or potentially exploitable heap corruption. | HIGH | Sep 17, 2020 | n/a |
| CVE-2020-24750 | FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. | MEDIUM | Sep 17, 2020 | n/a |
| CVE-2020-24743 | An issue was found in /showReports.do Zoho ManageEngine Applications Manager up to 14550, allows attackers to gain escalated privileges via the resourceid parameter. | HIGH | Nov 5, 2021 | n/a |
| CVE-2020-24742 | An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files. | MEDIUM | Aug 12, 2021 | n/a |
| CVE-2020-24741 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-0570. Reason: This candidate is a duplicate of CVE-2020-0570. A typo caused the wrong ID to be used. Notes: All CVE users should reference CVE-2020-0570 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage | MEDIUM | Aug 12, 2021 | n/a |
| CVE-2020-24740 | An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage | MEDIUM | May 18, 2021 | n/a |
| CVE-2020-24739 | A CSRF vulnerability was found in iCMS v7.0.0 in the background deletion administrator account. When missing the CSRF_TOKEN and can still request normally, all administrators except the initial administrator will be deleted. | MEDIUM | Sep 10, 2020 | n/a |
| CVE-2020-24736 | Buffer Overflow vulnerability found in SQLite3 v.3.27.1 and before allows a local attacker to cause a denial of service via a crafted script. | LOW | Apr 11, 2023 | n/a |
| CVE-2020-24723 | Cross Site Scripting (XSS) vulnerability in the Registration page of the admin panel in PHPGurukul User Registration & Login and User Management System With admin panel 2.1. | LOW | Nov 18, 2020 | n/a |
| CVE-2020-24722 | An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-10-05, as used in COVID-19 applications on Android and iOS. The encrypted metadata block with a TX value lacks a checksum, allowing bitflipping to amplify a contamination attack. This can cause metadata deanonymization and risk-score inflation. NOTE: the vendor\'s position is We do not believe that TX power authentication would be a useful defense against relay attacks. | LOW | Oct 7, 2020 | n/a |
| CVE-2020-24721 | An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position where he or she can be coerced into proving or disproving an exposure notification, because of the persistent state of a private framework. | LOW | Oct 7, 2020 | n/a |
| CVE-2020-24719 | Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. Communication between Erlang nodes is done by exchanging a shared secret (aka magic cookie). There are cases where the magic cookie is included in the content of the logs. An attacker can use the cookie to attach to an Erlang node and run OS level commands on the system running the Erlang node. Affects version: 6.5.1. Fix version: 6.6.0. | HIGH | Nov 13, 2020 | n/a |
| CVE-2020-24718 | bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges by modifying VMCS_HOST_RIP. | HIGH | Sep 25, 2020 | n/a |
| CVE-2020-24717 | OpenZFS before 2.0.0-rc1, when used on FreeBSD, misinterprets group permissions as user permissions, as demonstrated by mode 0770 being equivalent to mode 0777. | HIGH | Aug 27, 2020 | n/a |
| CVE-2020-24716 | OpenZFS before 2.0.0-rc1, when used on FreeBSD, allows execute permissions for all directories. | MEDIUM | Aug 27, 2020 | n/a |
| CVE-2020-24715 | The Scalyr Agent before 2.1.10 has Missing SSL Certificate Validation because, in some circumstances, native Python code is used that lacks a comparison of the hostname to commonName and subjectAltName. | MEDIUM | Aug 28, 2020 | n/a |
| CVE-2020-24714 | The Scalyr Agent before 2.1.10 has Missing SSL Certificate Validation because, in some circumstances, the openssl binary is called without the -verify_hostname option. | MEDIUM | Aug 28, 2020 | n/a |
| CVE-2020-24713 | Gophish through 0.10.1 does not invalidate the gophish cookie upon logout. | MEDIUM | Oct 30, 2020 | n/a |
| CVE-2020-24712 | Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the IMAP Host field on the account settings page. | LOW | Oct 30, 2020 | n/a |
| CVE-2020-24711 | The Reset button on the Account Settings page in Gophish before 0.11.0 allows attackers to cause a denial of service via a clickjacking attack | MEDIUM | Oct 30, 2020 | n/a |
| CVE-2020-24710 | Gophish before 0.11.0 allows SSRF attacks. | MEDIUM | Oct 30, 2020 | n/a |
| CVE-2020-24709 | Cross Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via a crafted landing page or email template. | LOW | Oct 29, 2020 | n/a |
| CVE-2020-24708 | Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the Host field on the send profile form. | LOW | Oct 29, 2020 | n/a |
| CVE-2020-24707 | Gophish before 0.11.0 allows the creation of CSV sheets that contain malicious content. | HIGH | Oct 30, 2020 | n/a |
| CVE-2020-24706 | An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0. | MEDIUM | Aug 27, 2020 | n/a |
| CVE-2020-24705 | An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0. | MEDIUM | Aug 27, 2020 | n/a |
| CVE-2020-24704 | An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1. | MEDIUM | Aug 27, 2020 | n/a |
| CVE-2020-24703 | An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1. | MEDIUM | Aug 27, 2020 | n/a |
| CVE-2020-24701 | OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI). | MEDIUM | Jan 14, 2021 | n/a |
| CVE-2020-24700 | OX App Suite through 7.10.3 allows SSRF because GET requests are sent to arbitrary domain names with an initial autoconfig. substring. | MEDIUM | Jan 14, 2021 | n/a |
| CVE-2020-24699 | The Chamber Dashboard Business Directory plugin 3.2.8 for WordPress allows XSS. | MEDIUM | Sep 4, 2020 | n/a |
| CVE-2020-24698 | An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. A remote, unauthenticated attacker might be able to cause a double-free, leading to a crash or possibly arbitrary code execution. by sending crafted queries with a GSS-TSIG signature. | MEDIUM | Oct 8, 2020 | n/a |
| CVE-2020-24697 | An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. A remote, unauthenticated attacker can cause a denial of service by sending crafted queries with a GSS-TSIG signature. | MEDIUM | Oct 8, 2020 | n/a |
