Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-7964 | 1 Mirumee | 1 Saleor | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., name, address, and previous orders of any other customer). | |||||
| CVE-2020-7052 | 1 Codesys | 15 Control For Beaglebone, Control For Empc-a\/imx6, Control For Iot2000 and 12 more | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| CODESYS Control V3, Gateway V3, and HMI V3 before 3.5.15.30 allow uncontrolled memory allocation which can result in a remote denial of service condition. | |||||
| CVE-2019-19894 | 1 Ixpdata | 1 Easyinstall | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| In IXP EasyInstall 6.2.13723, it is possible to temporarily disable UAC by using the Agent Service on a client system. An authenticated attacker (non-admin) can disable UAC for other users by renaming and replacing %SYSTEMDRIVE%\IXP\DATA\IXPAS.IXP. | |||||
| CVE-2019-5593 | 1 Fortinet | 1 Fortios | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| Improper permission or value checking in the CLI console may allow a non-privileged user to obtain Fortinet FortiOS plaint text private keys of system's builtin local certificates via unsetting the keys encryption password in FortiOS 6.2.0, 6.0.0 to 6.0.6, 5.6.10 and below or for user uploaded local certificates via setting an empty password in FortiOS 6.2.1, 6.2.0, 6.0.6 and below. | |||||
| CVE-2019-19837 | 1 Ruckuswireless | 17 C110, E510, H320 and 14 more | 2021-07-21 | 7.8 HIGH | 5.3 MEDIUM |
| Incorrect access control in the web interface in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote information disclosure of bin/web.conf via HTTP requests. | |||||
| CVE-2019-20399 | 1 Parity | 1 Libsecp256k1 | 2021-07-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack. | |||||
| CVE-2019-20396 | 1 Cesnet | 1 Libyang | 2021-07-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| A segmentation fault is present in yyparse in libyang before v1.0-r1 due to a malformed pattern statement value during lys_parse_path parsing. | |||||
| CVE-2020-6857 | 1 Taskautomation | 1 Carbonftp | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| CarbonFTP v1.4 uses insecure proprietary password encryption with a hard-coded weak encryption key. The key for local FTP server passwords is hard-coded in the binary. | |||||
| CVE-2019-20384 | 1 Gentoo | 1 Portage | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| Gentoo Portage through 2.3.84 allows local users to place a Trojan horse plugin in the /usr/lib64/nagios/plugins directory by leveraging access to the nagios user account, because this directory is writable in between a call to emake and a call to fowners. | |||||
| CVE-2020-0863 | 1 Microsoft | 2 Windows 10, Windows Server 2016 | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| An information vulnerability exists when Windows Connected User Experiences and Telemetry Service improperly discloses file information, aka 'Connected User Experiences and Telemetry Service Information Disclosure Vulnerability'. | |||||
| CVE-2020-0859 | 1 Microsoft | 6 Windows 10, Windows 8.1, Windows Rt 8.1 and 3 more | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| An information vulnerability exists when Windows Modules Installer Service improperly discloses file information, aka 'Windows Modules Installer Service Information Disclosure Vulnerability'. | |||||
| CVE-2020-0853 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2021-07-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An information disclosure vulnerability exists in Windows when the Windows Imaging Component fails to properly handle objects in memory, aka 'Windows Imaging Component Information Disclosure Vulnerability'. | |||||
| CVE-2020-0820 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory, aka 'Media Foundation Information Disclosure Vulnerability'. | |||||
| CVE-2020-0775 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| An information disclosure vulnerability exists when Windows Error Reporting improperly handles file operations.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Error Reporting Information Disclosure Vulnerability'. | |||||
| CVE-2020-0774 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2021-07-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows GDI Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2020-0874, CVE-2020-0879, CVE-2020-0880, CVE-2020-0882. | |||||
| CVE-2020-0765 | 1 Microsoft | 1 Remote Desktop Connection Manager | 2021-07-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| An information disclosure vulnerability exists in the Remote Desktop Connection Manager (RDCMan) application when it improperly parses XML input containing a reference to an external entity, aka 'Remote Desktop Connection Manager Information Disclosure Vulnerability'. | |||||
| CVE-2020-10460 | 1 Chadhaajay | 1 Phpkb | 2021-07-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| admin/include/operations.php (via admin/email-harvester.php) in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject untrusted input inside CSV files via the POST parameter data. | |||||
| CVE-2020-7598 | 1 Substack | 1 Minimist | 2021-07-21 | 6.8 MEDIUM | 5.6 MEDIUM |
| minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload. | |||||
| CVE-2019-5135 | 1 Wago | 4 Pfc100, Pfc100 Firmware, Pfc200 and 1 more | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An exploitable timing discrepancy vulnerability exists in the authentication functionality of the Web-Based Management (WBM) web application on WAGO PFC100/200 controllers. The WBM application makes use of the PHP crypt() function which can be exploited to disclose hashed user credentials. This affects WAGO PFC200 Firmware version 03.00.39(12) and version 03.01.07(13), and WAGO PFC100 Firmware version 03.00.39(12). | |||||
| CVE-2019-5106 | 1 Wago | 1 E\!cockpit | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| A hard-coded encryption key vulnerability exists in the authentication functionality of WAGO e!Cockpit version 1.5.1.1. An attacker with access to communications between e!Cockpit and CoDeSyS Gateway can trivially recover the password of any user attempting to log in, in plain text. | |||||
| CVE-2020-6178 | 1 Sap | 1 Enable Now | 2021-07-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| SAP Enable Now, before version 1911, sends the Session ID cookie value in URL. This might be stolen from the browser history or log files, leading to Information Disclosure. | |||||
| CVE-2020-0087 | 1 Google | 1 Android | 2021-07-21 | 1.9 LOW | 5.5 MEDIUM |
| In getProcessPss of ActivityManagerService.java, there is a possible side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-127989044 | |||||
| CVE-2020-0066 | 1 Google | 1 Android | 2021-07-21 | 6.9 MEDIUM | 6.4 MEDIUM |
| In the netlink driver, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-65025077 | |||||
| CVE-2020-0052 | 1 Google | 1 Android | 2021-07-21 | 1.9 LOW | 4.3 MEDIUM |
| In smsSelected of AnswerFragment.java, there is a way to send an SMS from the lock screen due to a permissions bypass. This could lead to local escalation of privilege on the lock screen with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-137102479 | |||||
| CVE-2020-0050 | 1 Google | 1 Android | 2021-07-21 | 4.6 MEDIUM | 6.7 MEDIUM |
| In nfa_hciu_send_msg of nfa_hci_utils.cc, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege in the NFC server with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-124521372 | |||||
| CVE-2020-0045 | 1 Google | 1 Android | 2021-07-21 | 6.9 MEDIUM | 6.4 MEDIUM |
| In StatsService::command of StatsService.cpp, there is possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-141243101 | |||||
| CVE-2020-0061 | 1 Google | 1 Android | 2021-07-21 | 4.9 MEDIUM | 5.5 MEDIUM |
| In Pixel Recorder, there is a possible permissions bypass allowing arbitrary apps to record audio. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-145504977 | |||||
| CVE-2020-0035 | 1 Google | 1 Android | 2021-07-21 | 4.9 MEDIUM | 5.5 MEDIUM |
| In query of TelephonyProvider.java, there is a possible access to SIM card info due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9Android ID: A-140622024 | |||||
| CVE-2019-13006 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 9.0 and through 12.0.2. Users with access to issues, but not the repository were able to view the number of related merge requests on an issue. It has Incorrect Access Control. | |||||
| CVE-2019-13002 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.0.2. Unauthorized users were able to read pipeline information of the last merge request. It has Incorrect Access Control. | |||||
| CVE-2019-12429 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 11.9 through 11.11. Unprivileged users were able to access labels, status and merge request counts of confidential issues via the milestone details page. It has Improper Access Control. | |||||
| CVE-2020-10249 | 1 Meinbwa | 2 Direx-pro, Direx-pro Firmware | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| BWA DiREX-Pro 1.2181 devices allow full path disclosure via an invalid name array parameter to val_soft.php3. | |||||
| CVE-2020-9517 | 1 Microfocus | 1 Service Manager | 2021-07-21 | 4.9 MEDIUM | 5.4 MEDIUM |
| There is an improper restriction of rendered UI layers or frames vulnerability in Micro Focus Service Manager Release Control versions 9.50 and 9.60. The vulnerability may result in the ability of malicious users to perform UI redress attacks. | |||||
| CVE-2020-10237 | 1 Froxlor | 1 Froxlor | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in Froxlor through 0.10.15. The installer wrote configuration parameters including passwords into files in /tmp, setting proper permissions only after writing the sensitive data. A local attacker could have disclosed the information if he read the file at the right time, because of _createUserdataConf in install/lib/class.FroxlorInstall.php. | |||||
| CVE-2019-10806 | 1 Vega Project | 1 Vega | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| vega-util prior to 1.13.1 allows manipulation of object prototype. The 'vega.mergeConfig' method within vega-util could be tricked into adding or modifying properties of the Object.prototype. | |||||
| CVE-2020-8439 | 1 Monstra | 1 Monstra | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login parameter to an edit URI, as demonstrated by login=victim to the users/21/edit URI. | |||||
| CVE-2020-9530 | 1 Mi | 1 Miui Firmware | 2021-07-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered on Xiaomi MIUI V11.0.5.0.QFAEUXM devices. The export component of GetApps(com.xiaomi.mipicks) mishandles the functionality of opening other components. Attackers need to induce users to open specific web pages in a specific network environment. By jumping to the WebView component of Messaging(com.android.MMS) and loading malicious web pages, information leakage can occur. This is fixed on version: 2001122; 11.0.1.54. | |||||
| CVE-2020-8994 | 1 Mi | 2 Mdz-25-dt, Mdz-25-dt Firmware | 2021-07-21 | 7.2 HIGH | 6.8 MEDIUM |
| An issue was discovered on XIAOMI AI speaker MDZ-25-DT 1.34.36, and 1.40.14. Attackers can get root shell by accessing the UART interface and then they can read Wi-Fi SSID or password, read the dialogue text files between users and XIAOMI AI speaker, use Text-To-Speech tools pretend XIAOMI speakers' voice achieve social engineering attacks, eavesdrop on users and record what XIAOMI AI speaker hears, delete the entire XIAOMI AI speaker system, modify system files, stop voice assistant service, start the XIAOMI AI speaker’s SSH service as a backdoor | |||||
| CVE-2020-10105 | 1 Zammad | 1 Zammad | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Zammad 3.0 through 3.2. It returns source code of static resources when submitting an OPTIONS request, rather than a GET request. Disclosure of source code allows for an attacker to formulate more precise attacks. Source code was disclosed for the file 404.html (/zammad/public/404.html) | |||||
| CVE-2020-10100 | 1 Zammad | 1 Zammad | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Zammad 3.0 through 3.2. It allows for users to view ticket customer details associated with specific customers. However, the application does not properly implement access controls related to this functionality. As such, users of one company are able to access ticket data from other companies. Due to the multi-tenant nature of this application, users who can access ticket details from one organization to the next allows for users to exfiltrate potentially sensitive data of other companies. | |||||
| CVE-2020-8664 | 1 Cncf | 1 Envoy | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| CNCF Envoy through 1.13.0 has incorrect Access Control when using SDS with Combined Validation Context. Using the same secret (e.g. trusted CA) across many resources together with the combined validation context could lead to the “static” part of the validation context to be not applied, even though it was visible in the active config dump. | |||||
| CVE-2019-18863 | 1 Mitel | 16 6863i, 6863i Firmware, 6865i and 13 more | 2021-07-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| A key length vulnerability in the implementation of the SRTP 128-bit key on Mitel 6800 and 6900 SIP series phones, versions 5.1.0.2051 SP2 and earlier, could allow an attacker to launch a man-in-the-middle attack when SRTP is used in a call. A successful exploit may allow the attacker to intercept sensitive information. | |||||
| CVE-2020-4292 | 1 Ibm | 1 Security Information Queue | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, and 1.0.4 uses a cross-domain policy file that includes domains that should not be trusted which could disclose sensitive information. IBM X-Force ID: 176335. | |||||
| CVE-2020-9466 | 1 Export Users To Csv Project | 1 Export Users To Csv | 2021-07-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| The Export Users to CSV plugin through 1.4.2 for WordPress allows CSV Injection. | |||||
| CVE-2020-1861 | 1 Huawei | 2 Cloudengine 12800, Cloudengine 12800 Firmware | 2021-07-21 | 2.1 LOW | 4.4 MEDIUM |
| CloudEngine 12800 with versions of V200R001C00SPC600,V200R001C00SPC700,V200R002C01,V200R002C50SPC800,V200R002C50SPC800PWE,V200R003C00SPC810,V200R003C00SPC810PWE,V200R005C00SPC600,V200R005C00SPC800,V200R005C00SPC800PWE,V200R005C10,V200R005C10SPC300 have an information leakage vulnerability in some Huawei products. In some special cases, an authenticated attacker can exploit this vulnerability because the software processes data improperly. Successful exploitation may lead to information leakage. | |||||
| CVE-2020-9399 | 1 Avast | 3 Antivirus For Linux, Antivirus Pro, Antivirus Pro Plus | 2021-07-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| The Avast AV parsing engine allows virus-detection bypass via a crafted ZIP archive. This affects versions before 12 definitions 200114-0 of Antivirus Pro, Antivirus Pro Plus, and Antivirus for Linux. | |||||
| CVE-2020-5188 | 1 Dnnsoftware | 1 Dotnetnuke | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| DNN (formerly DotNetNuke) through 9.4.4 has Insecure Permissions. | |||||
| CVE-2020-9351 | 1 Smartclient | 1 Smartclient | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies with a verbose error showing where the application resides (the absolute path). | |||||
| CVE-2020-9342 | 1 F-secure | 3 Cloud Protection For Salesforce, Email And Server Security, Internet Gatekeeper | 2021-07-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| The F-Secure AV parsing engine before 2020-02-05 allows virus-detection bypass via crafted Compression Method data in a GZIP archive. This affects versions before 17.0.605.474 (on Linux) of Cloud Protection For Salesforce, Email and Server Security, and Internet GateKeeper. | |||||
| CVE-2019-19694 | 2 Microsoft, Trendmicro | 6 Windows, Antivirus \+ Security 2019, Internet Security 2019 and 3 more | 2021-07-21 | 1.9 LOW | 4.7 MEDIUM |
| The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the entire product completely.. | |||||