Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-2333 | 1 Oracle | 1 Xml Database | 2021-07-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| Vulnerability in the Oracle XML DB component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows high privileged attacker having Alter User privilege with network access via Oracle Net to compromise Oracle XML DB. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle XML DB accessible data. CVSS 3.1 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N). | |||||
| CVE-2020-35240 | 1 Fluxbb | 1 Fluxbb | 2021-07-21 | 3.5 LOW | 4.8 MEDIUM |
| FluxBB 1.5.11 is affected by cross-site scripting (XSS in the Blog Content component. This vulnerability can allow an attacker to inject the XSS payload in "Blog Content" and each time any user will visit the blog, the XSS triggers and the attacker can able to steal the cookie according to the crafted payload. | |||||
| CVE-2021-2457 | 1 Oracle | 1 Identity Manager | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Request Management & Workflow). The supported version that is affected is 11.1.2.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Identity Manager accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | |||||
| CVE-2021-2460 | 1 Oracle | 1 Application Express | 2021-07-21 | 4.9 MEDIUM | 5.4 MEDIUM |
| Vulnerability in the Oracle Application Express Data Reporter component of Oracle Database Server. The supported version that is affected is Prior to 21.1.0.00.04. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application Express Data Reporter. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express Data Reporter, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express Data Reporter accessible data as well as unauthorized read access to a subset of Oracle Application Express Data Reporter accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | |||||
| CVE-2021-2462 | 1 Oracle | 1 Commerce Service Center | 2021-07-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| Vulnerability in the Oracle Commerce Service Center product of Oracle Commerce (component: Commerce Service Center). Supported versions that are affected are 11.0.0, 11.1.0, 11.2.0 and 11.3.0-11.3.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Commerce Service Center. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Commerce Service Center, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Commerce Service Center accessible data as well as unauthorized read access to a subset of Oracle Commerce Service Center accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | |||||
| CVE-2020-36240 | 1 Atlassian | 1 Crowd | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. | |||||
| CVE-2020-26200 | 1 Kaspersky | 2 Endpoint Security, Rescue Disk | 2021-07-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| A component of Kaspersky custom boot loader allowed loading of untrusted UEFI modules due to insufficient check of their authenticity. This component is incorporated in Kaspersky Rescue Disk (KRD) and was trusted by the Authentication Agent of Full Disk Encryption in Kaspersky Endpoint Security (KES). This issue allowed to bypass the UEFI Secure Boot security feature. An attacker would need physical access to the computer to exploit it. Otherwise, local administrator privileges would be required to modify the boot loader component. | |||||
| CVE-2020-12702 | 1 Coolkit | 1 Ewelink | 2021-07-21 | 2.1 LOW | 4.6 MEDIUM |
| Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process. | |||||
| CVE-2020-22474 | 1 Weberp | 1 Weberp | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In webERP 4.15, the ManualContents.php file allows users to specify the "Language" parameter, which can lead to local file inclusion. | |||||
| CVE-2020-11286 | 1 Qualcomm | 135 Apq8009, Apq8009w, Apq8017 and 132 more | 2021-07-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| An Untrusted Pointer Dereference can occur while doing USB control transfers, if multiple requests of different standard request categories like device, interface & endpoint are made together. in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | |||||
| CVE-2020-11198 | 1 Qualcomm | 602 Aqt1000, Aqt1000 Firmware, Ar8031 and 599 more | 2021-07-21 | 7.2 HIGH | 6.7 MEDIUM |
| Key material used for TZ diag buffer encryption and other data related to log buffer is not wiped securely due to improper usage of memset in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | |||||
| CVE-2020-12668 | 1 Hubspot | 1 Jinjava | 2021-07-21 | 6.8 MEDIUM | 6.5 MEDIUM |
| Jinjava before 2.5.4 allow access to arbitrary classes by calling Java methods on objects passed into a Jinjava context. This could allow for abuse of the application class loader, including Arbitrary File Disclosure. | |||||
| CVE-2020-36252 | 1 Owncloud | 1 Owncloud | 2021-07-21 | 2.7 LOW | 5.7 MEDIUM |
| ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number. | |||||
| CVE-2020-36251 | 1 Owncloud | 1 Owncloud | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| ownCloud Server before 10.3.0 allows an attacker, who has received non-administrative access to a group share, to remove everyone else's access to that share. | |||||
| CVE-2020-36250 | 1 Owncloud | 1 Owncloud | 2021-07-21 | 2.1 LOW | 4.6 MEDIUM |
| In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past. | |||||
| CVE-2020-12365 | 1 Intel | 1 Graphics Drivers | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| Untrusted pointer dereference in some Intel(R) Graphics Drivers before versions 15.33.51.5146, 15.45.32.5145, 15.36.39.5144 and 15.40.46.5143 may allow an authenticated user to potentially denial of service via local access. | |||||
| CVE-2020-24503 | 1 Intel | 10 Ethernet Network Adapter E810-cqda1, Ethernet Network Adapter E810-cqda1 For Ocp, Ethernet Network Adapter E810-cqda1 For Ocp 3.0 and 7 more | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 may allow an authenticated user to potentially enable information disclosure via local access. | |||||
| CVE-2020-24497 | 1 Intel | 10 Ethernet Network Adapter E810-cqda1, Ethernet Network Adapter E810-cqda1 For Ocp, Ethernet Network Adapter E810-cqda1 For Ocp 3.0 and 7 more | 2021-07-21 | 2.1 LOW | 4.4 MEDIUM |
| Insufficient Access Control in the firmware for Intel(R) E810 Ethernet Controllers before version 1.4.1.13 may allow a privileged user to potentially enable denial of service via local access. | |||||
| CVE-2020-24495 | 1 Intel | 33 Ethernet Network Adapter 700 Firmware, Ethernet Network Adapter V710-at2, Ethernet Network Adapter X710-am2 and 30 more | 2021-07-21 | 2.1 LOW | 4.4 MEDIUM |
| Insufficient access control in the firmware for the Intel(R) 700-series of Ethernet Controllers before version 7.3 may allow a privileged user to potentially enable denial of service via local access. | |||||
| CVE-2020-24494 | 1 Intel | 4 Ethernet Network Adapter X722-da2, Ethernet Network Adapter X722-da2 Firmware, Ethernet Network Adapter X722-da4 and 1 more | 2021-07-21 | 2.1 LOW | 4.4 MEDIUM |
| Insufficient access control in the firmware for the Intel(R) 722 Ethernet Controllers before version 1.4.3 may allow a privileged user to potentially enable denial of service via local access. | |||||
| CVE-2020-24493 | 1 Intel | 33 Ethernet Network Adapter 700 Firmware, Ethernet Network Adapter V710-at2, Ethernet Network Adapter X710-am2 and 30 more | 2021-07-21 | 2.1 LOW | 4.4 MEDIUM |
| Insufficient access control in the firmware for the Intel(R) 700-series of Ethernet Controllers before version 8.0 may allow a privileged user to potentially enable denial of service via local access. | |||||
| CVE-2020-24492 | 1 Intel | 4 Ethernet Network Adapter X722-da2, Ethernet Network Adapter X722-da2 Firmware, Ethernet Network Adapter X722-da4 and 1 more | 2021-07-21 | 2.1 LOW | 4.4 MEDIUM |
| Insufficient access control in the firmware for the Intel(R) 722 Ethernet Controllers before version 1.5 may allow a privileged user to potentially enable a denial of service via local access. | |||||
| CVE-2020-24491 | 1 Intel | 3 Core I3, Core I5, Core I7 | 2021-07-21 | 1.9 LOW | 4.4 MEDIUM |
| Debug message containing addresses of memory transactions in some Intel(R) 10th Generation Core Processors supporting SGX may allow a privileged user to potentially enable information disclosure via local access. | |||||
| CVE-2020-12373 | 1 Intel | 48 Bmc Firmware, Hns2600bpb, Hns2600bpb24 and 45 more | 2021-07-21 | 4.6 MEDIUM | 6.7 MEDIUM |
| Expired pointer dereference in some Intel(R) Graphics Drivers before version 26.20.100.8141 may allow a privileged user to potentially enable a denial of service via local access. | |||||
| CVE-2020-12370 | 1 Intel | 1 Graphics Drivers | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| Untrusted pointer dereference in some Intel(R) Graphics Drivers before version 26.20.100.8141 may allow a privileged user to potentially enable a denial of service via local access. | |||||
| CVE-2020-0525 | 1 Intel | 6 Ethernet Controller I210-at, Ethernet Controller I210-cl, Ethernet Controller I210-cs and 3 more | 2021-07-21 | 2.1 LOW | 4.4 MEDIUM |
| Improper access control in firmware for the Intel(R) Ethernet I210 Controller series of network adapters before version 3.30 may allow a privileged user to potentially enable denial of service via local access. | |||||
| CVE-2020-0523 | 1 Intel | 6 Ethernet Controller I210-at, Ethernet Controller I210-cl, Ethernet Controller I210-cs and 3 more | 2021-07-21 | 2.1 LOW | 4.4 MEDIUM |
| Improper access control in the firmware for the Intel(R) Ethernet I210 Controller series of network adapters before version 3.30 may potentially allow a privileged user to enable a denial of service via local access. | |||||
| CVE-2020-35557 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.6.2. Inproper use of access validation allows a logged in user to see devices in the account he should not have access to. | |||||
| CVE-2020-25340 | 1 Nfstream | 1 Nfstream | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in NFStream 5.2.0. Because some allocated modules are not correctly freed, if the nfstream object is directly destroyed without being used after it is created, it will cause a memory leak that may result in a local denial of service (DoS). | |||||
| CVE-2020-29451 | 1 Atlassian | 2 Data Center, Jira | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate Jira projects via an Information Disclosure vulnerability in the Jira Projects plugin report page. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.14.1. | |||||
| CVE-2020-36237 | 1 Atlassian | 2 Data Center, Jira | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0. | |||||
| CVE-2020-36235 | 1 Atlassian | 2 Jira, Jira Software Data Center | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1. | |||||
| CVE-2020-4791 | 1 Ibm | 1 Security Identity Governance And Intelligence | 2021-07-21 | 1.8 LOW | 5.3 MEDIUM |
| IBM Security Identity Governance and Intelligence 5.2.6 could allow an attacker to obtain sensitive information using main in the middle attacks due to improper certificate validation. IBM X-Force ID: 189379. | |||||
| CVE-2020-13462 | 1 Tufin | 1 Securetrack | 2021-07-21 | 2.7 LOW | 5.7 MEDIUM |
| Insecure Direct Object Reference (IDOR) exists in Tufin SecureChange, affecting all versions prior to R20-2 GA. Fixed in version R20-2 GA. | |||||
| CVE-2020-36150 | 2 Fedoraproject, Symonics | 2 Fedora, Libmysofa | 2021-07-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Incorrect handling of input data in loudness function in the libmysofa library 0.5 - 1.1 will lead to heap buffer overflow and access to unallocated memory block. | |||||
| CVE-2020-11915 | 1 Svakom | 2 Siime Eye, Siime Eye Firmware | 2021-07-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| An issue was discovered in Svakom Siime Eye 14.1.00000001.3.330.0.0.3.14. By sending a set_params.cgi?telnetd=1&save=1&reboot=1 request to the webserver, it is possible to enable the telnet interface on the device. The telnet interface can then be used to obtain access to the device with root privileges via a reecam4debug default password. This default telnet password is the same across all Siime Eye devices. In order for the attack to be exploited, an attacker must be physically close in order to connect to the device's Wi-Fi access point. | |||||
| CVE-2020-10858 | 1 Zulip | 1 Zulip Desktop | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Zulip Desktop before 5.0.0 allows attackers to perform recording via the webcam and microphone due to a missing permission request handler. | |||||
| CVE-2020-10375 | 1 Newmediacompany | 1 Smarty | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in New Media Smarty before 9.10. Passwords are stored in the database in an obfuscated format that can be easily reversed. The file data.mdb contains these obfuscated passwords in the second column. NOTE: this is unrelated to the popular Smarty template engine product. | |||||
| CVE-2020-4832 | 1 Ibm | 2 Aix, Powerha | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| IBM PowerHA 7.2 could allow a local attacker to obtain sensitive information from temporary directories after a discovery failure occurs. IBM X-Force ID: 189969. | |||||
| CVE-2020-36241 | 2 Fedoraproject, Gnome | 2 Fedora, Gnome-autoar | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location. | |||||
| CVE-2020-10538 | 1 Epikur | 1 Epikur | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in Epikur before 20.1.1. It stores the secret passwords of the users as MD5 hashes in the database. MD5 can be brute-forced efficiently and should not be used for such purposes. Additionally, since no salt is used, rainbow tables can speed up the attack. | |||||
| CVE-2020-16194 | 1 Store-opart | 1 Quote | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An Insecure Direct Object Reference (IDOR) vulnerability was found in Prestashop Opart devis < 4.0.2. Unauthenticated attackers can have access to any user's invoice and delivery address by exploiting an IDOR on the delivery_address and invoice_address fields. | |||||
| CVE-2019-16268 | 1 Zohocorp | 1 Manageengine Remote Access Plus | 2021-07-21 | 3.5 LOW | 4.8 MEDIUM |
| Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen. | |||||
| CVE-2020-24490 | 2 Bluez, Linux | 2 Bluez, Linux Kernel | 2021-07-21 | 3.3 LOW | 6.5 MEDIUM |
| Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. This affects all Linux kernel versions that support BlueZ. | |||||
| CVE-2020-14221 | 1 Hcltech | 1 Digital Experience | 2021-07-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| HCL Digital Experience 8.5, 9.0, and 9.5 exposes information about the server to unauthorized users. | |||||
| CVE-2019-25017 | 1 Mit | 1 Krb5-appl | 2021-07-21 | 5.8 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in rcp in MIT krb5-appl through 1.0.3. Due to the rcp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the rcp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious rcp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rcp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file). This issue is similar to CVE-2019-6111 and CVE-2019-7283. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8. | |||||
| CVE-2020-36231 | 1 Atlassian | 2 Jira, Jira Software Data Center | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2. | |||||
| CVE-2020-28493 | 2 Fedoraproject, Palletsprojects | 2 Fedora, Jinja | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. | |||||
| CVE-2020-29538 | 1 Rsa | 1 Archer | 2021-07-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| Archer before 6.9 P1 (6.9.0.1) contains an improper access control vulnerability in an API. A remote authenticated malicious administrative user can potentially exploit this vulnerability to gather information about the system, and may use this information in subsequent attacks. | |||||
| CVE-2020-28406 | 1 Iris | 1 Star Practice Management | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access details about jobs he should not have access to via the Audit Trail Feature. | |||||