CVE-2020-17159: Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability
Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Browse CVE records published in December 2020, with severity, affected products, CWE, KEV, and source-backed vulnerability context.
Showing 50 of 1647 matching CVEs · Page 2 of 33.
Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Visual Studio Remote Code Execution Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Visual Studio Code Remote Code Execution Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Dynamics CRM Webclient Cross-site Scripting Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Microsoft Exchange Remote Code Execution Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Microsoft Exchange Server Information Disclosure Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Microsoft Exchange Remote Code Execution Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Microsoft Exchange Remote Code Execution Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Windows Overlay Filter Security Feature Bypass Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Windows Error Reporting Information Disclosure Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
DirectX Graphics Kernel Elevation of Privilege Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Azure DevOps Server Spoofing Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Microsoft Exchange Remote Code Execution Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Microsoft Outlook Information Disclosure Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Microsoft SharePoint Remote Code Execution Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Microsoft Exchange Remote Code Execution Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Windows Lock Screen Security Feature Bypass Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Windows GDI+ Information Disclosure Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Windows Digital Media Receiver Elevation of Privilege Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Windows NTFS Remote Code Execution Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Windows Hyper-V Remote Code Execution Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Windows Error Reporting Information Disclosure Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Windows Network Connections Service Elevation of Privilege Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
Microsoft SharePoint Elevation of Privilege Vulnerability
Published Dec 9, 2020 · Updated Jun 9, 2026
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).
Published Dec 8, 2020 · Updated May 29, 2026
Sony IPELA Network Camera 1.82.01 contains a stack buffer overflow vulnerability in the ftpclient.cgi endpoint that allows remote attackers to execute arbitrary code. Attackers can exploit the vulnerability by sending a crafted POST request with oversized data to the FTP client functionality, potentially causing remote code execution or denial of service.
Published Dec 10, 2025 · Updated May 14, 2026
curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.
Published Dec 14, 2020 · Updated Apr 16, 2026
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.
Published Dec 14, 2020 · Updated Apr 16, 2026
curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.
Published Dec 14, 2020 · Updated Apr 15, 2026
The Widget Settings Importer/Exporter Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wp_ajax_import_widget_dataparameter AJAX action in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with subscriber-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published Dec 23, 2023 · Updated Apr 8, 2026
Eibiz i-Media Server Digital Signage 3.8.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through AMF-encoded object manipulation. Attackers can send crafted serialized objects to the /messagebroker/amf endpoint to create administrative users without authentication, bypassing security controls.
Published Dec 10, 2025 · Updated Apr 7, 2026
Eibiz i-Media Server Digital Signage 3.8.0 contains an unauthenticated privilege escalation vulnerability in the updateUser object that allows attackers to modify user roles. Attackers can exploit the /messagebroker/amf endpoint to elevate privileges and take over user accounts by manipulating role settings without authentication.
Published Dec 10, 2025 · Updated Apr 7, 2026
Flexsense DiskBoss 7.7.14 contains a local buffer overflow vulnerability in the 'Reports and Data Directory' field that allows an attacker to execute arbitrary code on the system.
Published Dec 5, 2025 · Updated Apr 7, 2026
ReQuest Serious Play Media Player 3.0 contains an unauthenticated file disclosure vulnerability when input passed through the 'file' parameter in and script is not properly verified before being used to read web log files. Attackers can exploit this to disclose contents of files from local resources.
Published Dec 5, 2025 · Updated Apr 7, 2026
ReQuest Serious Play F3 Media Server 7.0.3 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands as the web server user. Attackers can upload PHP executable files via the Quick File Uploader page, resulting in remote code execution on the server.
Published Dec 5, 2025 · Updated Apr 7, 2026
ReQuest Serious Play F3 Media Server versions 7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823 allows unauthenticated attackers to disclose the webserver's Python debug log file containing system information, credentials, paths, processes and command arguments running on the device. Attackers can access sensitive information by visiting the message_log page.
Published Dec 5, 2025 · Updated Apr 7, 2026
A flaw was found in the Linux kernel’s futex implementation. This flaw allows a local attacker to corrupt system memory or escalate their privileges when creating a futex on a filesystem that is about to be unmounted. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Published Dec 3, 2020 · Updated Feb 25, 2026
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The folder parameter of mod_random_image lacked input validation, leading to a path traversal vulnerability.
Published Dec 28, 2020 · Updated Feb 24, 2026
An issue was discovered in Joomla! 3.9.0 through 3.9.22. Improper handling of the username leads to a user enumeration attack vector in the backend login page.
Published Dec 28, 2020 · Updated Feb 24, 2026
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The globlal configuration page does not remove secrets from the HTML output, disclosing the current values.
Published Dec 28, 2020 · Updated Feb 24, 2026
An issue was discovered in Joomla! 2.5.0 through 3.9.22. A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability.
Published Dec 28, 2020 · Updated Feb 24, 2026
An issue was discovered in Joomla! 3.0.0 through 3.9.22. Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list.
Published Dec 28, 2020 · Updated Feb 24, 2026
An issue was discovered in Joomla! 1.7.0 through 3.9.22. Lack of input validation while handling ACL rulesets can cause write ACL violations.
Published Dec 28, 2020 · Updated Feb 24, 2026
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The autosuggestion feature of com_finder did not respect the access level of the corresponding terms.
Published Dec 28, 2020 · Updated Feb 24, 2026
Selea CarPlateServer 4.0.1.6 contains an unquoted service path vulnerability in the Windows service configuration that allows local users to potentially execute code with elevated privileges. Attackers can exploit the service's unquoted binary path by inserting malicious code in the system root path that could execute with LocalSystem privileges during application startup or reboot.
Published Dec 31, 2025 · Updated Jan 2, 2026