Search
Total
17685 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-2651 | 1 Atos | 28 Openscape Desk Phone Ip 35g, Openscape Desk Phone Ip 35g Eco, Openscape Desk Phone Ip 35g Eco Firmware and 25 more | 2020-01-21 | 10.0 HIGH | 9.8 CRITICAL |
| Unify OpenStage/OpenScape Desk Phone IP SIP before V3 R3.11.0 has an authentication bypass in the default mode of the Workpoint Interface | |||||
| CVE-2019-19740 | 1 Octeth | 1 Oempro | 2020-01-21 | 7.5 HIGH | 9.8 CRITICAL |
| Octeth Oempro 4.7 and 4.8 allow SQL injection. The parameter CampaignID in Campaign.Get is vulnerable. | |||||
| CVE-2020-6835 | 1 Bftpd Project | 1 Bftpd | 2020-01-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Bftpd before 5.4. There is a heap-based off-by-one error during file-transfer error checking. | |||||
| CVE-2005-4891 | 1 Simplemachines | 1 Simple Machine Forum | 2020-01-21 | 7.5 HIGH | 9.8 CRITICAL |
| Simple Machine Forum (SMF) versions 1.0.4 and earlier have an SQL injection vulnerability that allows remote attackers to inject arbitrary SQL statements. | |||||
| CVE-2020-6958 | 1 Yet Another Java Service Wrapper Project | 1 Yet Another Java Service Wrapper | 2020-01-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| An XXE vulnerability in JnlpSupport in Yet Another Java Service Wrapper (YAJSW) 12.14, as used in NSA Ghidra and other products, allows attackers to exfiltrate data from remote hosts and potentially cause denial-of-service. | |||||
| CVE-2015-8366 | 1 Libraw | 1 Libraw | 2020-01-21 | 7.5 HIGH | 9.8 CRITICAL |
| Array index error in smal_decode_segment function in LibRaw before 0.17.1 allows context-dependent attackers to cause memory errors and possibly execute arbitrary code via vectors related to indexes. | |||||
| CVE-2017-11462 | 2 Fedoraproject, Mit | 2 Fedora, Kerberos 5 | 2020-01-21 | 7.5 HIGH | 9.8 CRITICAL |
| Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error. | |||||
| CVE-2019-19518 | 1 Broadcom | 1 Ca Automic Sysload | 2020-01-17 | 7.5 HIGH | 9.8 CRITICAL |
| CA Automic Sysload 5.6.0 through 6.1.2 contains a vulnerability, related to a lack of authentication on the File Server port, that potentially allows remote attackers to execute arbitrary commands. | |||||
| CVE-2019-11994 | 1 Hp | 16 Simplivity 2600 Gen10, Simplivity 2600 Gen10 Firmware, Simplivity 380 Gen10 and 13 more | 2020-01-17 | 7.5 HIGH | 9.8 CRITICAL |
| A security vulnerability has been identified in HPE SimpliVity 380 Gen 9, HPE SimpliVity 380 Gen 10, HPE SimpliVity 380 Gen 10 G, HPE SimpliVity 2600 Gen 10, SimpliVity OmniCube, SimpliVity OmniStack for Cisco, SimpliVity OmniStack for Lenovo and SimpliVity OmniStack for Dell nodes. An API is used to execute a command manifest file during upgrade does not correctly prevent directory traversal and so can be used to execute manifest files in arbitrary locations on the node. The API does not require user authentication and is accessible over the management network, resulting in the potential for unauthenticated remote execution of manifest files. For all customers running HPE OmniStack version 3.7.9 and earlier. HPE recommends upgrading the OmniStack software to version 3.7.10 or later, which contains a permanent resolution. Customers and partners who can upgrade to 3.7.10 should upgrade at the earliest convenience. For all customers and partners unable to upgrade their environments to the recommended version 3.7.10, HPE has created a Temporary Workaround https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=mmr_sf-EN_US000061901&withFrame for you to implement. All customer should upgrade to the recommended 3.7.10 or later version at the earliest convenience. | |||||
| CVE-2013-6225 | 1 Livezilla | 1 Livezilla | 2020-01-17 | 7.5 HIGH | 9.8 CRITICAL |
| LiveZilla 5.0.1.4 has a Remote Code Execution vulnerability | |||||
| CVE-2014-2072 | 1 3ds | 1 Catia | 2020-01-17 | 7.5 HIGH | 9.8 CRITICAL |
| Dassault Systemes Catia V5-6R2013: Stack Buffer Overflow due to inadequate boundary checks | |||||
| CVE-2014-2650 | 1 Atos | 30 Openscape Desk Phone Ip 35g, Openscape Desk Phone Ip 35g Eco, Openscape Desk Phone Ip 35g Eco Firmware and 27 more | 2020-01-17 | 10.0 HIGH | 9.8 CRITICAL |
| Unify OpenStage / OpenScape Desk Phone IP before V3 R3.11.0 SIP has an OS command injection vulnerability in the web based management interface | |||||
| CVE-2011-3203 | 1 Jcow | 1 Jcow Cms | 2020-01-17 | 7.5 HIGH | 9.8 CRITICAL |
| A Code Execution vulnerability exists the attachment parameter to index.php in Jcow CMS 4.x to 4.2 and 5.2 to 5.2. | |||||
| CVE-2018-16803 | 1 Cimtechniques | 1 Cimscan | 2020-01-16 | 10.0 HIGH | 9.8 CRITICAL |
| In CIMTechniques CIMScan 6.x through 6.2, the SOAP WSDL parser allows attackers to execute SQL code. | |||||
| CVE-2018-18249 | 1 Icinga | 1 Icinga Web 2 | 2020-01-16 | 7.5 HIGH | 9.8 CRITICAL |
| Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} parameter to /icingaweb2/navigation/add or /icingaweb2/dashboard/new-dashlet. | |||||
| CVE-2013-3088 | 1 Belkin | 2 N900, N900 Firmware | 2020-01-16 | 9.3 HIGH | 9.8 CRITICAL |
| Belkin N900 router (F9K1104v1) contains an Authentication Bypass using "Javascript debugging". | |||||
| CVE-2018-0721 | 1 Qnap | 1 Qts | 2020-01-16 | 10.0 HIGH | 9.8 CRITICAL |
| Buffer Overflow vulnerability in NAS devices. QTS allows attackers to run arbitrary code. This issue affects: QNAP Systems Inc. QTS version 4.2.6 and prior versions on build 20180711; version 4.3.3 and prior versions on build 20180725; version 4.3.4 and prior versions on build 20180710. | |||||
| CVE-2020-5841 | 1 Opservices | 1 Opmon | 2020-01-16 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in OpServices OpMon 9.3.1-1. Using password change parameters, an attacker could perform SQL injection without authentication. | |||||
| CVE-2014-5381 | 1 Granding | 2 Grand Ma300, Grand Ma300 Firmware | 2020-01-15 | 5.0 MEDIUM | 9.8 CRITICAL |
| Grand MA 300 allows a brute-force attack on the PIN. | |||||
| CVE-2011-5266 | 1 Imperva | 1 Securesphere Web Application Firewall | 2020-01-15 | 7.5 HIGH | 9.8 CRITICAL |
| Imperva SecureSphere Web Application Firewall (WAF) before 12-august-2010 allows SQL injection filter bypass. | |||||
| CVE-2020-5519 | 1 Litespeedtech | 1 Openlitespeed | 2020-01-15 | 7.5 HIGH | 9.8 CRITICAL |
| The WebAdmin Console in OpenLiteSpeed before v1.6.5 does not strictly check request URLs, as demonstrated by the "Server Configuration > External App" screen. | |||||
| CVE-2019-20343 | 1 Mojohaus | 1 Exec Maven | 2020-01-15 | 7.5 HIGH | 9.8 CRITICAL |
| The MojoHaus Exec Maven plugin 1.1.1 for Maven allows code execution via a crafted XML document because a configuration element (within a plugin element) can specify an arbitrary program in an executable element (and can also specify arbitrary command-line arguments in an arguments element). | |||||
| CVE-2012-5878 | 1 Bulbsecurity | 1 Smartphone Pentest Framework | 2020-01-15 | 10.0 HIGH | 9.8 CRITICAL |
| Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allows remote attackers to execute arbitrary commands via shell metacharacters in the hostingPath parameter to (1) SEAttack.pl or (2) CSAttack.pl in frameworkgui/ or the (3) appURLPath parameter to frameworkgui/attachMobileModem.pl. | |||||
| CVE-2020-5499 | 1 Apache | 1 Rust Sgx Sdk | 2020-01-15 | 7.5 HIGH | 9.8 CRITICAL |
| Baidu Rust SGX SDK through 1.0.8 has an enclave ID race. There are non-deterministic results in which, sometimes, two global IDs are the same. | |||||
| CVE-2019-14837 | 1 Redhat | 2 Keycloak, Single Sign-on | 2020-01-15 | 6.4 MEDIUM | 9.1 CRITICAL |
| A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'. | |||||
| CVE-2014-8337 | 1 Helpdezk | 1 Helpdezk | 2020-01-15 | 7.5 HIGH | 9.8 CRITICAL |
| Unrestricted file upload vulnerability in includes/classes/uploadify-v2.1.4/uploadify.php in HelpDEZk 1.0.1 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the directory specified by the folder parameter. | |||||
| CVE-2014-8516 | 1 Cloudfastpath | 1 Netcharts Server | 2020-01-15 | 10.0 HIGH | 9.8 CRITICAL |
| Unrestricted file upload vulnerability in Visual Mining NetCharts Server allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unspecified vectors. | |||||
| CVE-2013-4982 | 1 Avtech | 2 Avn801 Dvr, Avn801 Dvr Firmware | 2020-01-15 | 7.5 HIGH | 9.8 CRITICAL |
| AVTECH AVN801 DVR has a security bypass via the administration login captcha | |||||
| CVE-2019-19950 | 1 Graphicsmagick | 1 Graphicsmagick | 2020-01-15 | 7.5 HIGH | 9.8 CRITICAL |
| In GraphicsMagick 1.4 snapshot-20190403 Q8, there is a use-after-free in ThrowException and ThrowLoggedException of magick/error.c. | |||||
| CVE-2019-19953 | 1 Graphicsmagick | 1 Graphicsmagick | 2020-01-15 | 6.4 MEDIUM | 9.1 CRITICAL |
| In GraphicsMagick 1.4 snapshot-20191208 Q8, there is a heap-based buffer over-read in the function EncodeImage of coders/pict.c. | |||||
| CVE-2019-19951 | 1 Graphicsmagick | 1 Graphicsmagick | 2020-01-15 | 7.5 HIGH | 9.8 CRITICAL |
| In GraphicsMagick 1.4 snapshot-20190423 Q8, there is a heap-based buffer overflow in the function ImportRLEPixels of coders/miff.c. | |||||
| CVE-2019-18622 | 3 Fedoraproject, Opensuse, Phpmyadmin | 4 Fedora, Backports Sle, Leap and 1 more | 2020-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature. | |||||
| CVE-2016-11017 | 1 Akips | 1 Network Monitor | 2020-01-14 | 10.0 HIGH | 9.8 CRITICAL |
| The application login page in AKIPS Network Monitor 15.37 through 16.5 allows a remote unauthenticated attacker to execute arbitrary OS commands via shell metacharacters in the username parameter (a failed login attempt returns the command-injection output to a limited login failure field). This is fixed in 16.6. | |||||
| CVE-2012-2226 | 1 Invisioncommunity | 1 Invision Power Board | 2020-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| Invision Power Board before 3.3.1 fails to sanitize user-supplied input which could allow remote attackers to obtain sensitive information or execute arbitrary code by uploading a malicious file. | |||||
| CVE-2004-2776 | 1 Goscript Project | 1 Goscript | 2020-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| go.cgi in GoScript 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) query string or (2) artarchive parameter. | |||||
| CVE-2014-0011 | 1 Tigervnc | 1 Tigervnc | 2020-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple heap-based buffer overflows in the ZRLE_DECODE function in common/rfb/zrleDecode.h in TigerVNC before 1.3.1, when NDEBUG is enabled, allow remote VNC servers to cause a denial of service (vncviewer crash) and possibly execute arbitrary code via vectors related to screen image rendering. | |||||
| CVE-2019-4651 | 1 Ibm | 1 Jazz Reporting Service | 2020-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| IBM Jazz Reporting Service (JRS) 6.0.6.1 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 170962. | |||||
| CVE-2013-7380 | 1 Ep Imageconvert Project | 1 Ep Imageconvert | 2020-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| The Etherpad Lite ep_imageconvert Plugin has a Remote Command Injection Vulnerability | |||||
| CVE-2014-3449 | 1 Bss Continuity Cms Project | 1 Bss Continuty Cms | 2020-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| BSS Continuity CMS 4.2.22640.0 has an Authentication Bypass vulnerability | |||||
| CVE-2014-3448 | 1 Bss Continuity Cms Project | 1 Bss Continuty Cms | 2020-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| BSS Continuity CMS 4.2.22640.0 has a Remote Code Execution vulnerability due to unauthenticated file upload | |||||
| CVE-2014-1860 | 1 Contao | 1 Contao Cms | 2020-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| Contao CMS through 3.2.4 has PHP Object Injection Vulnerabilities | |||||
| CVE-2014-5093 | 1 Status2k | 1 Status2k | 2020-01-14 | 5.0 MEDIUM | 9.8 CRITICAL |
| Status2k does not remove the install directory allowing credential reset. | |||||
| CVE-2011-5020 | 1 Online Tv Database Project | 1 Online Tv Database | 2020-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| An SQL Injection vulnerability exists in the ID parameter in Online TV Database 2011. | |||||
| CVE-2011-1933 | 1 Jifty\ | 1 \ | 2020-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in Jifty::DBI before 0.68. | |||||
| CVE-2020-6838 | 1 Mruby | 1 Mruby | 2020-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| In mruby 2.1.0, there is a use-after-free in hash_values_at in mrbgems/mruby-hash-ext/src/hash-ext.c. | |||||
| CVE-2020-6839 | 1 Mruby | 1 Mruby | 2020-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| In mruby 2.1.0, there is a stack-based buffer overflow in mrb_str_len_to_dbl in string.c. | |||||
| CVE-2020-6840 | 1 Mruby | 1 Mruby | 2020-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| In mruby 2.1.0, there is a use-after-free in hash_slice in mrbgems/mruby-hash-ext/src/hash-ext.c. | |||||
| CVE-2012-3807 | 1 Samsung | 1 Kies | 2020-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| Samsung Kies before 2.5.0.12094_27_11 has arbitrary file execution. | |||||
| CVE-2019-10777 | 1 Amazon | 1 Aws Lambda | 2020-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| In aws-lambda versions prior to version 1.0.5, the "config.FunctioName" is used to construct the argument used within the "exec" function without any sanitization. It is possible for a user to inject arbitrary commands to the "zipCmd" used within "config.FunctionName". | |||||
| CVE-2019-17076 | 1 Jamf | 1 Jamf | 2020-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Jamf Pro 9.x and 10.x before 10.15.1. Deserialization of untrusted data when parsing JSON in several APIs may cause Denial of Service (DoS), remote code execution (RCE), and/or deletion of files on the Jamf Pro server. | |||||