Total
1021 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-13539 | 1 Win911 | 1 Win-911 | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| An exploitable local privilege elevation vulnerability exists in the file system permissions of the Win-911 Enterprise V4.20.13 install directory via “WIN-911 Mobile Runtime” service. Depending on the vector chosen, an attacker can overwrite various executables which could lead to escalation of the privileges when executed. | |||||
| CVE-2020-13537 | 1 Moxa | 1 Mxview | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| An exploitable local privilege elevation vulnerability exists in the file system permissions of Moxa MXView series 3.1.8 installation. Depending on the vector chosen, an attacker can either add code to a script or replace a binary.By default MXViewService, which starts as a NT SYSTEM authority user executes a series of Node.Js scripts to start additional application functionality and among them the mosquitto executable is also run. | |||||
| CVE-2020-13536 | 1 Moxa | 1 Mxview | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| An exploitable local privilege elevation vulnerability exists in the file system permissions of Moxa MXView series 3.1.8 installation. Depending on the vector chosen, an attacker can either add code to a script or replace a binary. By default MXViewService, which starts as a NT SYSTEM authority user executes a series of Node.Js scripts to start additional application functionality. | |||||
| CVE-2020-13535 | 1 Kepware | 1 Linkmaster | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| A privilege escalation vulnerability exists in Kepware LinkMaster 3.0.94.0. In its default configuration, an attacker can globally overwrite service configuration to execute arbitrary code with NT SYSTEM privileges. | |||||
| CVE-2020-13534 | 1 Dreamreport | 1 Dream Report | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| A privilege escalation vulnerability exists in Dream Report 5 R20-2. COM Class Identifiers (CLSID), installed by Dream Report 5 20-2, reference LocalServer32 and InprocServer32 with weak privileges which can lead to privilege escalation when used. An attacker can provide a malicious file to trigger this vulnerability. | |||||
| CVE-2020-13533 | 1 Dreamreport | 1 Dream Report | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH |
| A privilege escalation vulnerability exists in Dream Report 5 R20-2. IIn the default configuration, the following registry keys, which reference binaries with weak permissions, can be abused by attackers to effectively ‘backdoor’ the installation files and escalate privileges when a new user logs in and uses the application. | |||||
| CVE-2020-13532 | 1 Dreamreport | 1 Dream Report | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| A privilege escalation vulnerability exists in Dream Report 5 R20-2. In the default configuration, the Syncfusion Dashboard Service service binary can be replaced by attackers to escalate privileges to NT SYSTEM. An attacker can provide a malicious file to trigger this vulnerability. | |||||
| CVE-2020-13468 | 1 Gigadevice | 2 Gd32f130, Gd32f130 Firmware | 2024-11-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| Gigadevice GD32F130 devices allow physical attackers to escalate their debug interface permissions via fault injection into inter-IC bonding wires (which have insufficient physical protection). | |||||
| CVE-2020-13452 | 1 Thecodingmachine | 1 Gotenberg | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an attacker to overwrite the file, which can lead to denial of service or code execution. | |||||
| CVE-2020-13351 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
| Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are >=13.0, <13.3.9,>=13.4.0, <13.4.5,>=13.5.0, <13.5.2. | |||||
| CVE-2020-13240 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS. | |||||
| CVE-2020-13149 | 1 Msi | 1 Dragon Center | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Weak permissions on the "%PROGRAMDATA%\MSI\Dragon Center" folder in Dragon Center before 2.6.2003.2401, shipped with Micro-Star MSI Gaming laptops, allows local authenticated users to overwrite system files and gain escalated privileges. One attack method is to change the Recommended App binary within App.json. Another attack method is to use this part of %PROGRAMDATA% for mounting an RPC Control directory. | |||||
| CVE-2020-12834 | 1 Eq-3 | 4 Ccu3 Firmware, Homematic Ccu2, Homematic Ccu2 Firmware and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| eQ-3 Homematic Central Control Unit (CCU)2 through 2.51.6 and CCU3 through 3.51.6 allow Remote Code Execution in the JSON API Method ReGa.runScript, by unauthenticated attackers with access to the web interface, due to the default auto-login feature being enabled during first-time setup (or factory reset). | |||||
| CVE-2020-12695 | 21 Asus, Broadcom, Canon and 18 more | 217 Rt-n11, Adsl, Selphy Cp1200 and 214 more | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue. | |||||
| CVE-2020-12608 | 1 Solarwinds | 1 Managed Service Provider Patch Management Engine | 2024-11-21 | 9.3 HIGH | 7.8 HIGH |
| An issue was discovered in SolarWinds MSP PME (Patch Management Engine) Cache Service before 1.1.15 in the Advanced Monitoring Agent. There are insecure file permissions for %PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\config\. This can lead to code execution by changing the CacheService.xml SISServerURL parameter. | |||||
| CVE-2020-12510 | 1 Beckhoff | 1 Twincat Extended Automation Runtime | 2024-11-21 | 6.0 MEDIUM | 7.3 HIGH |
| The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\TwinCAT. If the directory does not exist it and further subdirectories are created with permissions which allow every local user to modify the content. The default installation registers TcSysUI.exe for automatic execution upon log in of a user. If a less privileged user has a local account he or she can replace TcSysUI.exe. It will be executed automatically by another user during login. This is also true for users with administrative access. Consequently, a less privileged user can trick a higher privileged user into executing code he or she modified this way. By default Beckhoff’s IPCs are shipped with TwinCAT software installed this way and with just a single local user configured. Thus the vulnerability exists if further less privileged users have been added. | |||||
| CVE-2020-12424 | 2 Mozilla, Opensuse | 2 Firefox, Leap | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| When constructing a permission prompt for WebRTC, a URI was supplied from the content process. This URI was untrusted, and could have been the URI of an origin that was previously granted permission; bypassing the prompt. This vulnerability affects Firefox < 78. | |||||
| CVE-2020-12415 | 2 Mozilla, Opensuse | 2 Firefox, Leap | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| When "%2F" was present in a manifest URL, Firefox's AppCache behavior may have become confused and allowed a manifest to be served from a subdirectory. This could cause the appcache to be used to service requests for the top level directory. This vulnerability affects Firefox < 78. | |||||
| CVE-2020-12354 | 1 Intel | 1 Active Management Technology Software Development Kit | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Incorrect default permissions in Windows(R) installer in Intel(R) AMT SDK versions before 14.0.0.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-12346 | 1 Intel | 1 Battery Life Diagnostic Tool | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Improper permissions in the installer for the Intel(R) Battery Life Diagnostic Tool before version 1.0.7 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||