Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-4838 | 1 Ibm | 1 Api Connect | 2021-01-14 | 3.5 LOW | 5.4 MEDIUM |
| IBM API Connect 5.0.0.0 through 5.0.8.10 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190036. | |||||
| CVE-2020-4674 | 1 Ibm | 1 Workload Automation | 2021-01-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Workload Automation 9.5 stores the server path in URLs that could aid in further attacks against the system. IBM X-Force ID: 186287. | |||||
| CVE-2020-4673 | 1 Ibm | 1 Workload Automation | 2021-01-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Workload Automation 9.5 stores sensitive information in HTML comments that could aid in further attacks against the system. IBM X-Force ID: 186286. | |||||
| CVE-2020-13116 | 1 Carbonite | 1 Server Backup Portal | 2021-01-14 | 3.5 LOW | 5.4 MEDIUM |
| OpenText Carbonite Server Backup Portal before 8.8.7 allows XSS by an authenticated user via policy creation. | |||||
| CVE-2020-35722 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** CSRF in Web Compliance Manager in Quest Policy Authority 8.1.2.200 allows remote attackers to force user modification/creation via a specially crafted link to the submitUser.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-4869 | 1 Ibm | 1 Mq Appliance | 2021-01-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM MQ Appliance 9.2 CD and 9.2 LTS is vulnerable to a denial of service, caused by a buffer overflow. A remote attacker could send a specially crafted SNMP query to cause the appliance to reload. IBM X-Force ID: 190831. | |||||
| CVE-2020-26800 | 1 Ethereum | 1 Aleth | 2021-01-13 | 4.3 MEDIUM | 5.5 MEDIUM |
| A stack overflow vulnerability in Aleth Ethereum C++ client version <= 1.8.0 using a specially crafted a config.json file may result in a denial of service. | |||||
| CVE-2020-23849 | 1 Jsoneditoronline | 1 Jsoneditor | 2021-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stored XSS was discovered in the tree mode of jsoneditor before 9.0.2 through injecting and executing JavaScript. | |||||
| CVE-2020-29041 | 1 Sesame-system | 1 Web-sesame | 2021-01-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| A misconfiguration in Web-Sesame 2020.1.1.3375 allows an unauthenticated attacker to download the source code of the application, facilitating its comprehension (code review). Specifically, JavaScript source maps were inadvertently included in the production Webpack configuration. These maps contain sources used to generate the bundle, configuration settings (e.g., API keys), and developers' comments. | |||||
| CVE-2021-0301 | 1 Google | 1 Android | 2021-01-13 | 4.6 MEDIUM | 6.7 MEDIUM |
| In ged, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android SoC; Android ID: A-172514667. | |||||
| CVE-2020-23644 | 1 Jizhicms | 1 Jizhicms | 2021-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in JIZHICMS 1.7.1 via index.php/Error/index?msg={XSS] to Home/c/ErrorController.php. | |||||
| CVE-2020-23643 | 1 Jizhicms | 1 Jizhicms | 2021-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in JIZHICMS 1.7.1 via index.php/Wechat/checkWeixin?signature=1&echostr={XSS] to Home/c/WechatController.php. | |||||
| CVE-2020-4892 | 1 Ibm | 1 Emptoris Contract Management | 2021-01-13 | 3.5 LOW | 5.4 MEDIUM |
| IBM Emptoris Contract Management 10.1.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190979. | |||||
| CVE-2020-4897 | 1 Ibm | 2 Emptoris Contract Management, Emptoris Spend Analysis | 2021-01-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Emptoris Contract Management and IBM Emptoris Spend Analysis 10.1.0, 10.1.1, and 10.1.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 190988. | |||||
| CVE-2021-0342 | 1 Google | 1 Android | 2021-01-13 | 4.6 MEDIUM | 6.7 MEDIUM |
| In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required. User interaction is not required for exploitation. Product: Android; Versions: Android kernel; Android ID: A-146554327. | |||||
| CVE-2021-0322 | 1 Google | 1 Android | 2021-01-13 | 1.9 LOW | 5.0 MEDIUM |
| In onCreate of SlicePermissionActivity.java, there is a possible misleading string displayed due to improper input validation. This could lead to local information disclosure with User execution privileges needed. User interaction is needed for exploitation.Product: Android; Versions: Android-10, Android-11, Android-9; Android ID: A-159145361. | |||||
| CVE-2021-0320 | 1 Google | 1 Android | 2021-01-13 | 1.9 LOW | 4.7 MEDIUM |
| In is_device_locked and set_device_locked of keystore_keymaster_enforcement.h, there is a possible bypass of lockscreen requirements for keyguard bound keys due to a race condition. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11; Android ID: A-169933423. | |||||
| CVE-2021-0321 | 1 Google | 1 Android | 2021-01-13 | 2.1 LOW | 5.5 MEDIUM |
| In enforceDumpPermissionForPackage of ActivityManagerService.java, there is a possible way to determine if a package is installed due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11; Android ID: A-166667403. | |||||
| CVE-2020-35206 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Web Compliance Manager in Quest Policy Authority version 8.1.2.200 allows attackers to inject malicious code into the browser via a specially crafted link to the cConn.jsp file via the ur parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2021-0312 | 1 Google | 1 Android | 2021-01-13 | 7.1 HIGH | 6.5 MEDIUM |
| In WAVSource::read of WAVExtractor.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11, Android-8.0; Android ID: A-170583712. | |||||
| CVE-2021-0311 | 1 Google | 1 Android | 2021-01-13 | 7.1 HIGH | 6.5 MEDIUM |
| In ElementaryStreamQueue::dequeueAccessUnitH264() of ESQueue.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-9, Android-10, Android-11, Android-8.0, Android-8.1; Android ID: A-170240631. | |||||
| CVE-2021-21236 | 1 Courtbouillon | 1 Cairosvg | 2021-01-13 | 4.3 MEDIUM | 5.5 MEDIUM |
| CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time. This is fixed in version 2.5.1. See Referenced GitHub advisory for more information. | |||||
| CVE-2021-0309 | 1 Google | 1 Android | 2021-01-13 | 4.9 MEDIUM | 5.5 MEDIUM |
| In onCreate of grantCredentialsPermissionActivity, there is a confused deputy. This could lead to local information disclosure and account access with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11, Android-8.0; Android ID: A-158480899. | |||||
| CVE-2019-12539 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2021-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the Purchase component of Zoho ManageEngine ServiceDesk Plus. There is XSS via the SearchN.do search field, a different vulnerability than CVE-2019-12189. | |||||
| CVE-2020-2730 | 1 Oracle | 1 Revenue Management And Billing | 2021-01-13 | 4.9 MEDIUM | 5.4 MEDIUM |
| Vulnerability in the Oracle Financial Services Revenue Management and Billing product of Oracle Financial Services Applications (component: File Upload). Supported versions that are affected are 2.7.0.0, 2.7.0.1 and 2.8.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Revenue Management and Billing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Financial Services Revenue Management and Billing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Revenue Management and Billing accessible data as well as unauthorized read access to a subset of Oracle Financial Services Revenue Management and Billing accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | |||||
| CVE-2020-14331 | 2 Linux, Redhat | 2 Linux Kernel, Enterprise Linux | 2021-01-13 | 7.2 HIGH | 6.6 MEDIUM |
| A flaw was found in the Linux kernel’s implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | |||||
| CVE-2018-11006 | 1 K7computing | 4 Antivrius, Enterprise Security, Total Security and 1 more | 2021-01-12 | 8.8 HIGH | 5.5 MEDIUM |
| An Incorrect Access Control issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53. | |||||
| CVE-2018-11008 | 1 K7computing | 4 Antivrius, Enterprise Security, Total Security and 1 more | 2021-01-12 | 4.3 MEDIUM | 5.5 MEDIUM |
| An Incorrect Access Control issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53. | |||||
| CVE-2018-11007 | 1 K7computing | 4 Antivrius, Enterprise Security, Total Security and 1 more | 2021-01-12 | 4.3 MEDIUM | 5.5 MEDIUM |
| A Memory Leak issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53. | |||||
| CVE-2020-7032 | 1 Avaya | 2 Aura System Manager, Weblm | 2021-01-12 | 5.5 MEDIUM | 6.5 MEDIUM |
| An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2. | |||||
| CVE-2018-11005 | 1 K7computing | 4 Antivrius, Enterprise Security, Total Security and 1 more | 2021-01-12 | 4.3 MEDIUM | 5.5 MEDIUM |
| A Memory Leak issue was discovered in K7Computing K7AntiVirus Premium 15.01.00.53. | |||||
| CVE-2020-26186 | 1 Dell | 2 Inspiron 5675, Inspiron 5675 Firmware | 2021-01-12 | 7.2 HIGH | 6.8 MEDIUM |
| Dell Inspiron 5675 BIOS versions prior to 1.4.1 contain a UEFI BIOS RuntimeServices overwrite vulnerability. A local attacker with access to system memory may exploit this vulnerability by overwriting the RuntimeServices structure to execute arbitrary code in System Management Mode (SMM). | |||||
| CVE-2021-23242 | 1 Mercusys | 2 Mercury X18g, Mercury X18g Firmware | 2021-01-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| MERCUSYS Mercury X18G 1.0.5 devices allow Directory Traversal via ../ to the UPnP server, as demonstrated by the /../../conf/template/uhttpd.json URI. | |||||
| CVE-2021-23241 | 1 Mercusys | 2 Mercury X18g, Mercury X18g Firmware | 2021-01-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| MERCUSYS Mercury X18G 1.0.5 devices allow Directory Traversal via ../ in conjunction with a loginLess or login.htm URI (for authentication bypass) to the web server, as demonstrated by the /loginLess/../../etc/passwd URI. | |||||
| CVE-2020-25950 | 1 Totalonlinesolutions | 1 Advanced Webhost Billing System | 2021-01-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| Advanced Webhost Billing System 3.7.0 is affected by Cross Site Request Forgery (CSRF) attacks that can delete a contact from the My Additional Contact page. | |||||
| CVE-2020-35111 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2021-01-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. | |||||
| CVE-2020-26979 | 1 Mozilla | 1 Firefox | 2021-01-12 | 5.8 MEDIUM | 6.1 MEDIUM |
| When a user typed a URL in the address bar or the search bar and quickly hit the enter key, a website could sometimes capture that event and then redirect the user before navigation occurred to the desired, entered address. To construct a convincing spoof the attacker would have had to guess what the user was typing, perhaps by suggesting it. This vulnerability affects Firefox < 84. | |||||
| CVE-2020-8275 | 1 Citrix | 1 Secure Mail | 2021-01-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| Citrix Secure Mail for Android before 20.11.0 suffers from improper access control allowing unauthenticated access to read limited calendar related data stored within Secure Mail. Note that a malicious app would need to be installed on the Android device or a threat actor would need to execute arbitrary code on the Android device. | |||||
| CVE-2020-26978 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2021-01-12 | 5.8 MEDIUM | 6.1 MEDIUM |
| Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. | |||||
| CVE-2020-26977 | 1 Mozilla | 1 Firefox | 2021-01-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| By attempting to connect a website using an unresponsive port, an attacker could have controlled the content of a tab while the URL bar displayed the original domain. *Note: This issue only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84. | |||||
| CVE-2020-8823 | 1 Sockjs Project | 1 Sockjs | 2021-01-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| htmlfile in lib/transport/htmlfile.js in SockJS before 0.3.0 is vulnerable to Reflected XSS via the /htmlfile c (aka callback) parameter. | |||||
| CVE-2020-8274 | 1 Citrix | 1 Secure Mail | 2021-01-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| Citrix Secure Mail for Android before 20.11.0 suffers from Improper Control of Generation of Code ('Code Injection') by allowing unauthenticated access to read data stored within Secure Mail. Note that a malicious app would need to be installed on the Android device or a threat actor would need to execute arbitrary code on the Android device. | |||||
| CVE-2020-26975 | 1 Mozilla | 1 Firefox | 2021-01-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84. | |||||
| CVE-2020-16012 | 2 Google, Mozilla | 2 Chrome, Firefox | 2021-01-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2020-29489 | 1 Dell | 3 Emc Unity Operating Environment, Emc Unity Vsa Operating Environment, Emc Unity Xt Operating Environment | 2021-01-12 | 4.6 MEDIUM | 6.7 MEDIUM |
| Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contains a plain-text password storage vulnerability. A user credentials (including the Unisphere admin privilege user) password is stored in a plain text in a system file. A local authenticated attacker with access to the system files may use the exposed password to gain access with the privileges of the compromised user. | |||||
| CVE-2020-29490 | 1 Dell | 3 Emc Unity Operating Environment, Emc Unity Vsa Operating Environment, Emc Unity Xt Operating Environment | 2021-01-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contain a Denial of Service vulnerability on NAS Servers with NFS exports. A remote authenticated attacker could potentially exploit this vulnerability and cause Denial of Service (Storage Processor Panic) by sending specially crafted UDP requests. | |||||
| CVE-2020-8160 | 1 Mendix | 1 Mendixsso | 2021-01-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| MendixSSO <= 2.1.1 contains endpoints that make use of the openid handler, which is suffering from a Cross-Site Scripting vulnerability via the URL path. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint causing it to be executed within the context of the victim's browser. | |||||
| CVE-2020-16027 | 1 Google | 1 Chrome | 2021-01-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in developer tools in Google Chrome prior to 87.0.4280.66 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from the user's disk via a crafted Chrome Extension. | |||||
| CVE-2020-8264 | 1 Rubyonrails | 1 Rails | 2021-01-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware. | |||||
| CVE-2020-4606 | 2 Ibm, Microsoft | 2 Security Verify Privilege Manager, Windows | 2021-01-12 | 3.6 LOW | 4.4 MEDIUM |
| IBM Security Verify Privilege Manager 10.8 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A local attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 184883. | |||||