Show filters

Showing topic results for "CVE-2020-1170":

(1-10 of 11)

Sort by:
Attacker Value
Moderate

CVE-2020-1170

Disclosure Date: June 09, 2020 (last updated June 13, 2020)
An elevation of privilege vulnerability exists in Windows Defender that leads arbitrary file deletion on the system.To exploit the vulnerability, an attacker would first have to log on to the system, aka 'Microsoft Windows Defender Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1163.
Attack Vector: Local
1
Attacker Value
Unknown

CVE-2020-11709

Disclosure Date: April 12, 2020 (last updated June 05, 2020)
cpp-httplib through 0.5.8 does not filter \r\n in parameters passed into the set_redirect and set_header functions, which creates possibilities for CRLF injection and HTTP response splitting in some specific contexts.
Attack Vector: Network
0
Attacker Value
Unknown

CVE-2020-11707

Disclosure Date: April 12, 2020 (last updated June 05, 2020)
An issue was discovered in ProVide (formerly zFTPServer) through 13.1. It doesn't enforce permission over Windows Symlinks or Junctions. As a result, a low-privileged user (non-admin) can craft a Junction Link in a directory he has full control of, breaking out of the sandbox.
Attack Vector: Network
0
Attacker Value
Unknown

CVE-2020-11704

Disclosure Date: April 12, 2020 (last updated June 05, 2020)
An issue was discovered in ProVide (formerly zFTPServer) through 13.1. The Admin Web Interface has Multiple Stored and Reflected XSS. GetInheritedProperties is Reflected via the groups parameter. GetUserInfo is Reflected via POST data. SetUserInfo is Stored via the general parameter.
Attack Vector: Network
0
Attacker Value
Unknown

CVE-2020-11702

Disclosure Date: April 12, 2020 (last updated June 05, 2020)
An issue was discovered in ProVide (formerly zFTPServer) through 13.1. The User Web Interface has Multiple Stored and Reflected XSS issues. Collaborate is Reflected via the filename parameter. Collaborate is Stored via the displayname parameter. Deletemultiple is Reflected via the files parameter. Share is Reflected via the target parameter. Share is Stored via the displayname parameter. Waitedit is Reflected via the Host header.
Attack Vector: Network
0
Attacker Value
Unknown

CVE-2020-11705

Disclosure Date: April 12, 2020 (last updated June 05, 2020)
An issue was discovered in ProVide (formerly zFTPServer) through 13.1. /ajax/ImportCertificate allows an attacker to load an arbitrary certificate in .pfx format or overwrite arbitrary files via the fileName parameter.
Attack Vector: Network
0
Attacker Value
Unknown

CVE-2020-11706

Disclosure Date: April 12, 2020 (last updated June 05, 2020)
An issue was discovered in ProVide (formerly zFTPServer) through 13.1. The Admin Interface allows CSRF for actions such as: Change any username and password, admin ones included; Create/Delete users; Enable/Disable Services; Set a rogue update proxy; and Shutdown the server.
Attack Vector: Network
0
Attacker Value
Unknown

CVE-2020-11708

Disclosure Date: April 12, 2020 (last updated June 05, 2020)
An issue was discovered in ProVide (formerly zFTPServer) through 13.1. Privilege escalation can occur via the /ajax/SetUserInfo messages parameter because of the EXECUTE() feature, which is for executing programs when certain events are triggered.
Attack Vector: Network
0
Attacker Value
Unknown

CVE-2020-11703

Disclosure Date: April 12, 2020 (last updated June 05, 2020)
An issue was discovered in ProVide (formerly zFTPServer) through 13.1. /ajax/GetInheritedProperties allows HTTP Response Splitting via the language parameter.
Attack Vector: Network
0
Attacker Value
Unknown

CVE-2020-11701

Disclosure Date: April 12, 2020 (last updated June 05, 2020)
An issue was discovered in ProVide (formerly zFTPServer) through 13.1. CSRF exists in the User Web Interface, as demonstrated by granting filesystem access to the public for uploading and deleting files and directories.
Attack Vector: Network
0