Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-20934 | 1 Linux | 1 Linux Kernel | 2021-01-12 | 5.4 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c. | |||||
| CVE-2020-35933 | 1 Tribulant | 1 Newsletter | 2021-01-11 | 3.5 LOW | 6.5 MEDIUM |
| A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote attackers to trick a victim into submitting a tnpc_render AJAX request containing either JavaScript in an options parameter, or a base64-encoded JSON string containing JavaScript in the encoded_options parameter. | |||||
| CVE-2021-1061 | 5 Citrix, Nutanix, Nvidia and 2 more | 5 Hypervisor, Ahv, Virtual Gpu Manager and 2 more | 2021-01-11 | 3.3 LOW | 6.3 MEDIUM |
| NVIDIA vGPU manager contains a vulnerability in the vGPU plugin, in which a race condition may cause the vGPU plugin to continue using a previously validated resource that has since changed, which may lead to denial of service or information disclosure. This affects vGPU version 8.x (prior to 8.6) and version 11.0 (prior to 11.3). | |||||
| CVE-2020-5021 | 2 Ibm, Linux | 2 Spectrum Protect Plus, Linux Kernel | 2021-01-11 | 3.6 LOW | 4.4 MEDIUM |
| IBM Spectrum Protect Plus 10.1.0 through 10.1.6 does not invalidate session after a password reset which could allow a local user to impersonate another user on the system. IBM X-Force ID: 193657. | |||||
| CVE-2020-5020 | 2 Ibm, Linux | 2 Spectrum Protect Plus, Linux Kernel | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM Spectrum Protect Plus 10.1.0 through 10.1.6 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 193656. | |||||
| CVE-2020-5019 | 2 Ibm, Linux | 2 Spectrum Protect Plus, Linux Kernel | 2021-01-11 | 6.4 MEDIUM | 6.5 MEDIUM |
| IBM Spectrum Protect Plus 10.1.0 through 10.1.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 193655. | |||||
| CVE-2020-4667 | 1 Ibm | 1 Engineering Requirements Quality Assistant On-premises | 2021-01-11 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Engineering Requirements Quality Assistant On-Premises could allow an authenticated user to obtain sensitive information due to improper input validation. IBM X-Force ID: 186282. | |||||
| CVE-2020-4697 | 1 Ibm | 13 Collaborative Lifecycle Management, Doors Next, Engineering Insights and 10 more | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186790. | |||||
| CVE-2020-4733 | 1 Ibm | 13 Collaborative Lifecycle Management, Doors Next, Engineering Insights and 10 more | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188127. | |||||
| CVE-2020-4487 | 1 Ibm | 13 Collaborative Lifecycle Management, Doors Next, Engineering Insights and 10 more | 2021-01-11 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Jazz Foundation Products could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 181862. | |||||
| CVE-2020-4544 | 1 Ibm | 13 Collaborative Lifecycle Management, Doors Next, Engineering Insights and 10 more | 2021-01-11 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Jazz Foundation Products could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 183189. | |||||
| CVE-2020-4691 | 1 Ibm | 13 Collaborative Lifecycle Management, Doors Next, Engineering Insights and 10 more | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Jazz Foundation Products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186698. | |||||
| CVE-2020-4663 | 1 Ibm | 1 Engineering Requirements Quality Assistant On-premises | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186234. | |||||
| CVE-2020-4664 | 1 Ibm | 1 Engineering Requirements Quality Assistant On-premises | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186235. | |||||
| CVE-2020-4666 | 1 Ibm | 1 Engineering Requirements Quality Assistant On-premises | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| IBM Engineering Requirements Quality Assistant On-Premises is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186281. | |||||
| CVE-2020-16036 | 1 Google | 1 Chrome | 2021-01-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in cookies in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to bypass cookie restrictions via a crafted HTML page. | |||||
| CVE-2020-8280 | 1 Nextcloud | 1 Contacts | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting (XSS) attacks. | |||||
| CVE-2020-8281 | 1 Nextcloud | 1 Contacts | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks. | |||||
| CVE-2020-24903 | 1 Cutesoft | 1 Cute Editor | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cute Editor for ASP.NET 6.4 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. | |||||
| CVE-2020-26768 | 1 Formstone | 1 Formstone | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Formstone <=1.4.16 is vulnerable to a Reflected Cross-Site Scripting (XSS) vulnerability caused by improper validation of user supplied input in the upload-target.php and upload-chunked.php files. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site once the URL is clicked or visited. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials, force malware execution, user redirection and others. | |||||
| CVE-2020-29362 | 1 P11-kit Project | 1 P11-kit | 2021-01-11 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in p11-kit 0.21.1 through 0.23.21. A heap-based buffer over-read has been discovered in the RPC protocol used by the p11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation. | |||||
| CVE-2020-16034 | 1 Google | 1 Chrome | 2021-01-11 | 4.3 MEDIUM | 4.3 MEDIUM |
| Inappropriate implementation in WebRTC in Google Chrome prior to 87.0.4280.66 allowed a local attacker to bypass policy restrictions via a crafted HTML page. | |||||
| CVE-2020-16033 | 1 Google | 1 Chrome | 2021-01-11 | 4.3 MEDIUM | 4.3 MEDIUM |
| Inappropriate implementation in WebUSB in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to spoof security UI via a crafted HTML page. | |||||
| CVE-2020-16031 | 1 Google | 1 Chrome | 2021-01-11 | 4.3 MEDIUM | 4.3 MEDIUM |
| Insufficient data validation in UI in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2020-16032 | 1 Google | 1 Chrome | 2021-01-11 | 4.3 MEDIUM | 4.3 MEDIUM |
| Insufficient data validation in sharing in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2020-4336 | 1 Ibm | 1 Websphere Extreme Scale | 2021-01-11 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM WebSphere eXtreme Scale 8.6.1 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 177932. | |||||
| CVE-2020-24900 | 1 Krpano | 1 Krpano | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The default installation of Krpano Panorama Viewer version <=1.20.8 is prone to Reflected XSS due to insecure XML load in file /viewer/krpano.html, parameter xml. | |||||
| CVE-2020-35726 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the /WebCM/Applications/Reports/index.jsp file via the by parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35727 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the BrowseDirs.do file via the title parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35724 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the Error.jsp file via the err parameter (or indirectly via the cpr, tcp, or abs parameter). NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35725 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the /WebCM/index.jsp file via the msg parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35723 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the ReportPreview.do file via the referer parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35721 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the BrowseAssets.do file via the title parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35720 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 3.5 LOW | 5.4 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Stored XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to store malicious code in multiple fields (first name, last name, and logon name) when creating or modifying a user via the submitUser.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-35719 | 1 Quest | 1 Policy Authority For Unified Communications | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the /WebCM/Applications/Search/index.jsp file via the added parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-24902 | 1 Quixplorer Project | 1 Quixplorer | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Quixplorer <=2.4.1 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. | |||||
| CVE-2020-24901 | 1 Krpano | 1 Krpano | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The default installation of Krpano Panorama Viewer version <=1.20.8 is vulnerable to Reflected XSS due to insecure remote js load in file viewer/krpano.html, parameter plugin[test].url. | |||||
| CVE-2020-16030 | 1 Google | 1 Chrome | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient data validation in Blink in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. | |||||
| CVE-2020-36171 | 1 Elementor | 1 Website Builder | 2021-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Elementor Website Builder plugin before 3.0.14 for WordPress does not properly restrict SVG uploads. | |||||
| CVE-2020-35952 | 1 Php-fusion | 1 Php-fusion | 2021-01-11 | 4.0 MEDIUM | 6.5 MEDIUM |
| login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow enumeration. | |||||
| CVE-2020-15095 | 2 Cli Project, Opensuse | 2 Cli, Leap | 2021-01-11 | 1.9 LOW | 4.4 MEDIUM |
| Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like `<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>`. The password value is not redacted and is printed to stdout and also to any generated log files. | |||||
| CVE-2020-35262 | 1 Digisol | 2 Dg-hr3400, Dg-hr3400 Firmware | 2021-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Digisol DG-HR3400 can be exploited via the NTP server name in Time and date module and "Keyword" in URL Filter. | |||||
| CVE-2020-36172 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2021-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandles the escaping of strings in Select2 dropdowns, potentially leading to XSS. | |||||
| CVE-2020-27283 | 1 Redlion | 1 Crimson | 2021-01-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| An attacker could send a specially crafted message to Crimson 3.1 (Build versions prior to 3119.001) that could leak arbitrary memory locations. | |||||
| CVE-2020-25498 | 1 Beetel | 2 777vr1, 777vr1 Firmware | 2021-01-08 | 3.5 LOW | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Beetel router 777VR1 can be exploited via the NTP server name in System Time and "Keyword" in URL Filter. | |||||
| CVE-2020-36170 | 1 Ultimatemember | 1 Ultimate Member | 2021-01-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Ultimate Member plugin before 2.1.13 for WordPress mishandles hidden name="timestamp" fields in forms. | |||||
| CVE-2020-4895 | 1 Ibm | 1 Emptoris Strategic Supply Management | 2021-01-08 | 3.5 LOW | 5.4 MEDIUM |
| IBM Emptoris Strategic Supply Management 10.1.0, 10.1.1, and 10.1.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 190986. | |||||
| CVE-2020-4893 | 1 Ibm | 1 Emptoris Strategic Supply Management | 2021-01-08 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM Emptoris Strategic Supply Management 10.1.0, 10.1.1, and 10.1.3 transmits sensitive information in HTTP GET request parameters. This may lead to information disclosure via man in the middle methods. IBM X-Force ID: 190984. | |||||
| CVE-2020-36174 | 1 Ninjaforms | 1 Ninja Forms | 2021-01-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration. | |||||
| CVE-2021-21235 | 1 Kamadak-exif Project | 1 Kamadak-exif | 2021-01-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| kamadak-exif is an exif parsing library written in pure Rust. In kamadak-exif version 0.5.2, there is an infinite loop in parsing crafted PNG files. Specifically, reader::read_from_container can cause an infinite loop when a crafted PNG file is given. This is fixed in version 0.5.3. No workaround is available. Applications that do not pass files with the PNG signature to Reader::read_from_container are not affected. | |||||
