Total
94 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-28213 | 1 Schneider-electric | 1 Ecostruxure Control Expert | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| A CWE-494: Download of Code Without Integrity Check vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when sending specially crafted requests over Modbus. | |||||
| CVE-2020-28332 | 1 Barco | 2 Wepresent Wipg-1600w, Wepresent Wipg-1600w Firmware | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Barco wePresent WiPG-1600W devices download code without an Integrity Check. Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19. The Barco wePresent WiPG-1600W firmware does not perform verification of digitally signed firmware updates and is susceptible to processing and installing modified/malicious images. | |||||
| CVE-2020-7812 | 2 Kaoni, Microsoft | 2 Ezhttptrans, Windows | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Ezhttptrans.ocx ActiveX Control in Kaoni ezHTTPTrans 1.0.0.70 and prior versions contain a vulnerability that could allow remote attacker to download arbitrary file by setting the arguments to the activex method. This can be leveraged for code execution by rebooting the victim’s PC. | |||||
| CVE-2020-4125 | 1 Ibm | 1 Marketing Operations | 2023-12-10 | 5.5 MEDIUM | 8.1 HIGH |
| Using HCL Marketing Operations 9.1.2.4, 10.1.x, 11.1.0.x, a malicious attacker could download files from the RHEL environment by doing some modification in the link, giving the attacker access to confidential information. | |||||
| CVE-2020-10926 | 1 Netgear | 2 R6700, R6700 Firmware | 2023-12-10 | 8.3 HIGH | 8.8 HIGH |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of firmware updates. The issue results from the lack of proper validation of the firmware image prior to performing an upgrade. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-9648. | |||||
| CVE-2020-9474 | 1 Siedle | 2 Sg 150-0, Sg 150-0 Firmware | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
| The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 allows remote code execution via the backup functionality in the web frontend. By using an exploit chain, an attacker with access to the network can get root access on the gateway. | |||||
| CVE-2020-7831 | 2 Inogard, Microsoft | 2 Ebiz4u, Windows | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the web-based contract management service interface Ebiz4u of INOGARD could allow an victim user to download any file. The attacker is able to use startup menu directory via directory traversal for automatic execution. The victim user need to reboot, however. | |||||
| CVE-2020-7505 | 1 Schneider-electric | 2 Easergy T300, Easergy T300 Firmware | 2023-12-10 | 9.0 HIGH | 7.2 HIGH |
| A CWE-494 Download of Code Without Integrity Check vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to inject data with dangerous content into the firmware and execute arbitrary code on the system. | |||||
| CVE-2020-5867 | 2 F5, Netapp | 2 Nginx Controller, Cloud Backup | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
| In versions prior to 3.3.0, the NGINX Controller Agent installer script 'install.sh' uses HTTP instead of HTTPS to check and install packages | |||||
| CVE-2020-9759 | 1 Lg | 1 Webos | 2023-12-10 | 9.3 HIGH | 7.8 HIGH |
| A Vulnerability of LG Electronic web OS TV Emulator could allow an attacker to escalate privileges and overwrite certain files. This vulnerability is due to wrong environment setting. An attacker could exploit this vulnerability through crafted configuration files and executable files. | |||||
| CVE-2020-7817 | 2 Microsoft, Raonwiz | 2 Windows, K Upload | 2023-12-10 | 4.6 MEDIUM | 7.8 HIGH |
| MyBrowserPlus downloads the files needed to run the program through the setup file (Setup.inf). At this time, there is a vulnerability in downloading arbitrary files due to insufficient integrity verification of the files. | |||||
| CVE-2020-7813 | 1 Kaoni | 1 Ezhttptrans | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Ezhttptrans.ocx ActiveX Control in Kaoni ezHTTPTrans 1.0.0.70 and prior versions contain a vulnerability that could allow remote attacker to download and execute arbitrary file by setting the arguments to the activex method. This can be leveraged for code execution. | |||||
| CVE-2019-19165 | 2 Inogard, Microsoft | 4 Activex, Windows 10, Windows 7 and 1 more | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
| AxECM.cab(ActiveX Control) in Inogard Ebiz4u contains a vulnerability that could allow remote files to be downloaded and executed by setting arguments to the activeX method. Download of Code Without Integrity Check vulnerability in ActiveX control of Inogard Co,,LTD Ebiz4u ActiveX of Inogard Co,,LTD(AxECM.cab) allows ATTACKER to cause a file download to Windows user's folder and execute. This issue affects: Inogard Co,,LTD Ebiz4u ActiveX of Inogard Co,,LTD(AxECM.cab) version 1.0.5.0 and later versions on windows 7/8/10. | |||||
| CVE-2020-7806 | 2 Microsoft, Tobesoft | 2 Windows, Xplatform | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Tobesoft Xplatform 9.2.2.250 and earlier version have an arbitrary code execution vulnerability by using method supported by Xplatform ActiveX Control. It allows attacker to cause remote code execution. | |||||
| CVE-2020-7826 | 1 Eyesurfer | 1 Bflyinstallerx.ocx | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| EyeSurfer BflyInstallerX.ocx v1.0.0.16 and earlier versions contain a vulnerability that could allow remote files to be download by setting the arguments to the vulnerable method. This can be leveraged for code execution. When the vulnerable method is called, they fail to properly check the parameters that are passed to it. | |||||
| CVE-2020-5398 | 3 Netapp, Oracle, Vmware | 33 Data Availability Services, Snapcenter, Application Testing Suite and 30 more | 2023-12-10 | 7.6 HIGH | 7.5 HIGH |
| In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input. | |||||
| CVE-2020-9751 | 1 Naver | 1 Cloud Explorer | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
| Naver Cloud Explorer before 2.2.2.11 allows the system to download an arbitrary file from the attacker's server and execute it during the upgrade. | |||||
| CVE-2019-3977 | 1 Mikrotik | 1 Routeros | 2023-12-10 | 8.5 HIGH | 7.5 HIGH |
| RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below insufficiently validate where upgrade packages are download from when using the autoupgrade feature. Therefore, a remote attacker can trick the router into "upgrading" to an older version of RouterOS and possibly reseting all the system's usernames and passwords. | |||||
| CVE-2020-8809 | 1 Gurux | 1 Device Language Message Specification Director | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
| Gurux GXDLMS Director prior to 8.5.1905.1301 downloads updates to add-ins and OBIS code over an unencrypted HTTP connection. A man-in-the-middle attacker can prompt the user to download updates by modifying the contents of gurux.fi/obis/files.xml and gurux.fi/updates/updates.xml. Then, the attacker can modify the contents of downloaded files. In the case of add-ins (if the user is using those), this will lead to code execution. In case of OBIS codes (which the user is always using as they are needed to communicate with the energy meters), this can lead to code execution when combined with CVE-2020-8810. | |||||
| CVE-2019-14845 | 1 Redhat | 1 Openshift | 2023-12-10 | 2.9 LOW | 5.3 MEDIUM |
| A vulnerability was found in OpenShift builds, versions 4.1 up to 4.3. Builds that extract source from a container image, bypass the TLS hostname verification. An attacker can take advantage of this flaw by launching a man-in-the-middle attack and injecting malicious content. | |||||