LiveActive security incident?Get immediate response
CVE archive

November 2020

Browse CVE records published in November 2020, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 1371 matching CVEs · Page 1 of 28.

Unknown · CVSS Not scored

CVE-2020-24815: A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update...

A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded in a dossier/dashboard document. NOTE: 10.4., no fix will be released as version will reach end-of-life on 31/12/2020.

Published Nov 24, 2020 · Updated Jul 9, 2026

High · CVSS 7.5

CVE-2020-15783: A vulnerability has been identified in SIMATIC S7-300 CPU family (incl.

A vulnerability has been identified in SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions), SIMATIC TDC CPU555 (All versions), SINUMERIK 840D sl (All versions). Sending multiple specially crafted packets to the affected devices could cause a Denial-of-Service on port 102. A cold restart is required to recover the service.

Published Nov 12, 2020 · Updated Jun 2, 2026

High · CVSS 7.1

CVE-2020-7567: A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Modicon M221 (all references, all v...

A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Modicon M221 (all references, all versions) that could allow the attacker to find the password hash when the attacker has captured the traffic between EcoStruxure Machine - Basic software and Modicon M221 controller and broke the encryption keys.

Published Nov 19, 2020 · Updated May 29, 2026

Medium · CVSS 6.3

CVE-2020-7564: A CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists in t...

A CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause write access and the execution of commands when uploading a specially crafted file on the controller over FTP.

Published Nov 18, 2020 · Updated May 29, 2026

Medium · CVSS 6.3

CVE-2020-7563: A CWE-787: Out-of-bounds Write vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and...

A CWE-787: Out-of-bounds Write vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause corruption of data, a crash, or code execution when uploading a specially crafted file on the controller over FTP.

Published Nov 18, 2020 · Updated May 29, 2026

Medium · CVSS 6.3

CVE-2020-7562: A CWE-125: Out-of-Bounds Read vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and M...

A CWE-125: Out-of-Bounds Read vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause a segmentation fault or a buffer overflow when uploading a specially crafted file on the controller over FTP.

Published Nov 18, 2020 · Updated May 29, 2026

High · CVSS 8.7

CVE-2020-36872: BACnet Test Server 1.01 Malformed BVLC Length DoS

BACnet Test Server versions up to and including 1.01 contains a remote denial of service vulnerability in its BACnet/IP BVLC packet handling. The server fails to properly validate the BVLC Length field in incoming UDP BVLC frames on the default BACnet port (47808/udp). A remote unauthenticated attacker can send a malformed BVLC Length value to trigger an access violation and crash the application, resulting in a denial of service.

Published Nov 26, 2025 · Updated May 14, 2026

High · CVSS 7.5

CVE-2020-25720: Samba: check attribute access rights for ldap adds of computers

A vulnerability was found in Samba where a delegated administrator with permission to create objects in Active Directory can write to all attributes of the newly created object, including security-sensitive attributes, even after the object's creation. This issue occurs because the administrator owns the object due to the lack of an Access Control List (ACL) at the time of creation and later being recognized as the 'creator owner.' The retained significant rights of the delegated administrator may not be well understood, potentially leading to unintended privilege escalation or security risks.

Published Nov 17, 2024 · Updated Apr 27, 2026

High · CVSS 8.7

CVE-2020-36871: ESCAM QD-900 Unauthenticated Configuration Disclosure

ESCAM QD-900 WIFI HD cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint allows remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup can include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that may facilitate further compromise of the camera or connected network.

Published Nov 26, 2025 · Updated Apr 7, 2026

Critical · CVSS 9.8 · CISA KEV

CVE-2020-14750: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Published Nov 1, 2020 · Updated Jan 12, 2026

High · CVSS 8.7

CVE-2020-36874: ACE SECURITY WIP-90113 Unauthenticated Configuration Disclosure

ACE SECURITY WIP-90113 HD cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint permits remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup may include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that could facilitate further compromise of the camera or connected network.

Published Nov 26, 2025 · Updated Nov 28, 2025

High · CVSS 8.7

CVE-2020-36873: Astak CM-818T3 Unauthenticated Configuration Disclosure

Astak CM-818T3 2.4GHz wireless security surveillance cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint permits remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup may include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that could facilitate further compromise of the camera or connected network.

Published Nov 26, 2025 · Updated Nov 28, 2025

Critical · CVSS 9.2

CVE-2020-36870: Ruijie Gateway EG & NBR Models v11.1(6)B9P1 - 11.9(4)B12P1 RCE

Various Ruijie Gateway EG and NBR models firmware versions 11.1(6)B9P1 < 11.9(4)B12P1 contain a code execution vulnerability in the EWEB management system that can be abused via front-end functionality. Attackers can exploit front-end code when features such as guest authentication, local server authentication, or screen mirroring are enabled to gain access or execute commands on affected devices. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-02-05 UTC.

Published Nov 7, 2025 · Updated Nov 20, 2025

High · CVSS 7.5

CVE-2020-11926: An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25.

An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25. Clients can authenticate themselves to the device using a username and password. These credentials can be obtained through an unauthenticated web request, e.g., for a JavaScript file. Also, the disclosed information includes the SSID and WPA2 key for the Wi-Fi network the device is connected to.

Published Nov 7, 2024 · Updated Nov 4, 2025

High · CVSS 8.8

CVE-2020-11921: An issue was discovered in Lush 2 through 2020-02-25.

An issue was discovered in Lush 2 through 2020-02-25. Due to the lack of Bluetooth traffic encryption, it is possible to hijack an ongoing Bluetooth connection between the Lush 2 and a mobile phone. This allows an attacker to gain full control over the device.

Published Nov 7, 2024 · Updated Nov 4, 2025

Medium · CVSS 5.4

CVE-2020-11918: An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14.

An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. When a backup file is created through the web interface, information on all users, including passwords, can be found in cleartext in the backup file. An attacker capable of accessing the web interface can create the backup file.

Published Nov 7, 2024 · Updated Nov 4, 2025

Medium · CVSS 4.3

CVE-2020-11917: An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14.

An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. It uses a default SSID value, which makes it easier for remote attackers to discover the physical locations of many Siime Eye devices, violating the privacy of users who do not wish to disclose their ownership of this type of device. (Various resources such as wigle.net can be use for mapping of SSIDs to physical locations.)

Published Nov 7, 2024 · Updated Nov 4, 2025

Medium · CVSS 6.3

CVE-2020-11916: An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14.

An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. The password for the root user is hashed using an old and deprecated hashing technique. Because of this deprecated hashing, the success probability of an attacker in an offline cracking attack is greatly increased.

Published Nov 7, 2024 · Updated Nov 4, 2025

Critical · CVSS 9.8 · CISA KEV

CVE-2020-13927: The previous default setting for Airflow's Experimental API was to allow all API requests without authentic...

The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default

Published Nov 10, 2020 · Updated Oct 21, 2025

High · CVSS 8.8 · CISA KEV

CVE-2020-13671: Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being i...

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.

Published Nov 20, 2020 · Updated Oct 21, 2025

Medium · CVSS 6.6

CVE-2020-36605: File Permissions Vulnerability in Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center Analyzer, Hitachi Ops Center Viewpoint

Incorrect Default Permissions vulnerability in Hitachi Infrastructure Analytics Advisor on Linux (Analytics probe component), Hitachi Ops Center Analyzer on Linux (Analyzer probe component), Hitachi Ops Center Viewpoint on Linux (Viewpoint RAID Agent component) allows local users to read and write specific files. This issue affects Hitachi Infrastructure Analytics Advisor: from 2.0.0-00 through 4.4.0-00; Hitachi Ops Center Analyzer: from 10.0.0-00 before 10.9.0-00; Hitachi Ops Center Viewpoint: from 10.8.0-00 before 10.9.0-00.

Published Nov 1, 2022 · Updated May 5, 2025

High · CVSS 8.8

CVE-2020-12507: s::can moni::tools autheticated SQL injection

In s::can moni::tools before version 4.2 an authenticated attacker could get full access to the database through SQL injection. This may result in loss of confidentiality, loss of integrity and DoS.

Published Nov 7, 2022 · Updated May 1, 2025