Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-8754 | 1 Apple | 1 Mac Os X | 2020-10-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins. This issue is fixed in macOS Catalina 10.15.1, Security Update 2019-001, and Security Update 2019-006. A malicious HTML document may be able to render iframes with sensitive user information. | |||||
| CVE-2020-9111 | 1 Huawei | 4 E6878-370, E6878-370 Firmware, E6878-870 and 1 more | 2020-10-29 | 2.7 LOW | 4.5 MEDIUM |
| E6878-370 versions 10.0.3.1(H557SP27C233),10.0.3.1(H563SP21C233) and E6878-870 versions 10.0.3.1(H557SP27C233),10.0.3.1(H563SP11C233) have a denial of service vulnerability. The system does not properly check some events, an attacker could launch the events continually, successful exploit could cause reboot of the process. | |||||
| CVE-2020-27606 | 1 Bigbluebutton | 1 Bigbluebutton | 2020-10-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | |||||
| CVE-2020-27607 | 1 Bigbluebutton | 1 Bigbluebutton | 2020-10-29 | 6.4 MEDIUM | 6.5 MEDIUM |
| In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or transmit it to one or more meeting participants or other third parties. | |||||
| CVE-2020-25820 | 1 Bigbluebutton | 1 Bigbluebutton | 2020-10-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field. | |||||
| CVE-2020-27608 | 1 Bigbluebutton | 1 Bigbluebutton | 2020-10-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document. | |||||
| CVE-2020-27609 | 1 Bigbluebutton | 1 Bigbluebutton | 2020-10-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant. | |||||
| CVE-2019-8736 | 1 Apple | 1 Mac Os X | 2020-10-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| An input validation issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.1, Security Update 2019-001, and Security Update 2019-006, macOS Catalina 10.15. An attacker in a privileged network position may be able to leak sensitive user information. | |||||
| CVE-2019-8737 | 1 Apple | 1 Mac Os X | 2020-10-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| A denial of service issue was addressed with improved validation. This issue is fixed in macOS Catalina 10.15.1, Security Update 2019-001, and Security Update 2019-006, macOS Catalina 10.15. An attacker in a privileged position may be able to perform a denial of service attack. | |||||
| CVE-2019-8668 | 1 Apple | 3 Iphone Os, Tvos, Watchos | 2020-10-29 | 4.3 MEDIUM | 5.5 MEDIUM |
| A denial of service issue was addressed with improved validation. This issue is fixed in iOS 12.4, tvOS 12.4, watchOS 5.3. Processing a maliciously crafted image may lead to a denial of service. | |||||
| CVE-2019-8538 | 1 Apple | 3 Iphone Os, Mac Os X, Watchos | 2020-10-29 | 4.3 MEDIUM | 5.5 MEDIUM |
| A denial of service issue was addressed with improved validation. This issue is fixed in watchOS 5.2, macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra, iOS 12.2. Processing a maliciously crafted vcf file may lead to a denial of service. | |||||
| CVE-2020-27612 | 1 Bigbluebutton | 1 Bigbluebutton | 2020-10-29 | 4.0 MEDIUM | 4.3 MEDIUM |
| Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window. | |||||
| CVE-2019-8664 | 1 Apple | 2 Iphone Os, Watchos | 2020-10-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| An input validation issue was addressed with improved input validation. This issue is fixed in iOS 12.3, watchOS 5.2.1. Processing a maliciously crafted message may lead to a denial of service. | |||||
| CVE-2019-8534 | 1 Apple | 1 Mac Os X | 2020-10-29 | 7.2 HIGH | 6.7 MEDIUM |
| A logic issue existed resulting in memory corruption. This was addressed with improved state management. This issue is fixed in macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra. A malicious application may be able to execute arbitrary code with kernel privileges. | |||||
| CVE-2019-8528 | 1 Apple | 3 Iphone Os, Mac Os X, Watchos | 2020-10-29 | 7.2 HIGH | 6.7 MEDIUM |
| A use after free issue was addressed with improved memory management. This issue is fixed in watchOS 5.2, macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra, iOS 12.2. An application may be able to execute arbitrary code with kernel privileges. | |||||
| CVE-2019-7291 | 1 Apple | 1 Airport Base Station Firmware | 2020-10-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| A denial of service issue was addressed with improved memory handling. This issue is fixed in AirPort Base Station Firmware Update 7.8.1, AirPort Base Station Firmware Update 7.9.1. An attacker in a privileged position may be able to perform a denial of service attack. | |||||
| CVE-2020-3515 | 1 Cisco | 1 Firepower Management Center | 2020-10-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2020-14444 | 1 Wso2 | 2 Identity Server, Identity Server As Key Manager | 2020-10-28 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console Policy Administration user interface. | |||||
| CVE-2020-14445 | 1 Wso2 | 2 Identity Server, Identity Server As Key Manager | 2020-10-28 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console Basic Policy Editor user Interface. | |||||
| CVE-2020-14446 | 1 Wso2 | 2 Identity Server, Identity Server As Key Manager | 2020-10-28 | 5.8 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in WSO2 Identity Server through 5.10.0 and WSO2 IS as Key Manager through 5.10.0. An open redirect exists. | |||||
| CVE-2020-3553 | 1 Cisco | 1 Firepower Management Center | 2020-10-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2020-3558 | 1 Cisco | 1 Firepower Management Center | 2020-10-28 | 5.8 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. The vulnerability is due to improper input validation of the parameters of an HTTP request. An attacker could exploit this vulnerability by intercepting an HTTP request from a user. A successful exploit could allow the attacker to modify the HTTP request to cause the interface to redirect the user to a specific, malicious URL. This type of vulnerability is known as an open redirect attack and is used in phishing attacks that get users to unknowingly visit malicious sites. | |||||
| CVE-2020-3557 | 1 Cisco | 1 Firepower Management Center | 2020-10-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the host input API daemon of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper certificate validation. An attacker could exploit this vulnerability by sending a crafted data stream to the host input daemon of the affected device. A successful exploit could allow the attacker to cause the host input daemon to restart. The attacker could use repeated attacks to cause the daemon to continuously reload, creating a DoS condition for the API. | |||||
| CVE-2020-7364 | 1 Ucweb | 1 Uc Browser | 2020-10-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of UCWeb's UC Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects UCWeb's UC Browser version 13.0.8 and prior versions. | |||||
| CVE-2020-7363 | 1 Ucweb | 1 Uc Browser | 2020-10-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of UCWeb's UC Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects UCWeb's UC Browser version 13.0.8 and prior versions. | |||||
| CVE-2020-15797 | 1 Siemens | 2 Dca Vantage Analyzer, Dca Vantage Analyzer Firmware | 2020-10-28 | 7.2 HIGH | 6.8 MEDIUM |
| A vulnerability has been identified in DCA Vantage Analyzer (All versions < V4.5 are affected by CVE-2020-7590. In addition, serial numbers < 40000 running software V4.4.0 are also affected by CVE-2020-15797). Improper Access Control could allow an unauthenticated attacker to escape from the restricted environment (“kiosk mode”) and access the underlying operating system. Successful exploitation requires direct physical access to the system. | |||||
| CVE-2020-12779 | 1 Combodo | 1 Itop | 2020-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script. | |||||
| CVE-2020-1665 | 1 Juniper | 17 Ex9200, Junos, Mx10 and 14 more | 2020-10-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| On Juniper Networks MX Series and EX9200 Series, in a certain condition the IPv6 Distributed Denial of Service (DDoS) protection might not take affect when it reaches the threshold condition. The DDoS protection allows the device to continue to function while it is under DDoS attack, protecting both the Routing Engine (RE) and the Flexible PIC Concentrator (FPC) during the DDoS attack. When this issue occurs, the RE and/or the FPC can become overwhelmed, which could disrupt network protocol operations and/or interrupt traffic. This issue does not affect IPv4 DDoS protection. This issue affects MX Series and EX9200 Series with Trio-based PFEs (Packet Forwarding Engines). Please refer to https://kb.juniper.net/KB25385 for the list of Trio-based PFEs. This issue affects Juniper Networks Junos OS on MX series and EX9200 Series: 17.2 versions prior to 17.2R3-S4; 17.2X75 versions prior to 17.2X75-D102, 17.2X75-D110; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2; 18.2 versions prior to 18.2R2-S7, 18.2R3, 18.2R3-S3; 18.2X75 versions prior to 18.2X75-D30; 18.3 versions prior to 18.3R2-S4, 18.3R3-S2. | |||||
| CVE-2020-1680 | 1 Juniper | 16 Junos, Mx10, Mx10000 and 13 more | 2020-10-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| On Juniper Networks MX Series with MS-MIC or MS-MPC card configured with NAT64 configuration, receipt of a malformed IPv6 packet may crash the MS-PIC component on MS-MIC or MS-MPC. This issue occurs when a multiservice card is translating the malformed IPv6 packet to IPv4 packet. An unauthenticated attacker can continuously send crafted IPv6 packets through the device causing repetitive MS-PIC process crashes, resulting in an extended Denial of Service condition. This issue affects Juniper Networks Junos OS on MX Series: 15.1 versions prior to 15.1R7-S7; 15.1X53 versions prior to 15.1X53-D593; 16.1 versions prior to 16.1R7-S8; 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S6; 17.4 versions prior to 17.4R2-S11, 17.4R3; 18.1 versions prior to 18.1R3-S11; 18.2 versions prior to 18.2R3-S6; 18.2X75 versions prior to 18.2X75-D41, 18.2X75-D430, 18.2X75-D53, 18.2X75-D65; 18.3 versions prior to 18.3R2-S4, 18.3R3; 18.4 versions prior to 18.4R2-S5, 18.4R3; 19.1 versions prior to 19.1R2; 19.2 versions prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2. | |||||
| CVE-2020-1685 | 1 Juniper | 8 Junos, Qfx5100, Qfx5110 and 5 more | 2020-10-28 | 5.0 MEDIUM | 5.8 MEDIUM |
| When configuring stateless firewall filters in Juniper Networks EX4600 and QFX 5000 Series devices using Virtual Extensible LAN protocol (VXLAN), the discard action will fail to discard traffic under certain conditions. Given a firewall filter configuration similar to: family ethernet-switching { filter L2-VLAN { term ALLOW { from { user-vlan-id 100; } then { accept; } } term NON-MATCH { then { discard; } } when there is only one term containing a 'user-vlan-id' match condition, and no other terms in the firewall filter except discard, the discard action for non-matching traffic will only discard traffic with the same VLAN ID specified under 'user-vlan-id'. Other traffic (e.g. VLAN ID 200) will not be discarded. This unexpected behavior can lead to unintended traffic passing through the interface where the firewall filter is applied. This issue only affects systems using VXLANs. This issue affects Juniper Networks Junos OS on QFX5K Series: 18.1 versions prior to 18.1R3-S7, except 18.1R3; 18.2 versions prior to 18.2R2-S7, 18.2R3-S1; 18.3 versions prior to 18.3R1-S5, 18.3R2-S4, 18.3R3; 18.4 versions prior to 18.4R1-S7, 18.4R2-S1, 18.4R3; 19.1 versions prior to 19.1R1-S5, 19.1R2; 19.2 versions prior to 19.2R1-S5, 19.2R2. | |||||
| CVE-2019-13633 | 1 Blinger | 1 Blinger | 2020-10-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Blinger.io v.1.0.2519 is vulnerable to Blind/Persistent XSS. An attacker can send arbitrary JavaScript code via a built-in communication channel, such as Telegram, WhatsApp, Viber, Skype, Facebook, Vkontakte, or Odnoklassniki. This is mishandled within the administration panel for conversations/all, conversations/inbox, conversations/unassigned, and conversations/closed. | |||||
| CVE-2019-8582 | 1 Apple | 5 Icloud, Iphone Os, Itunes and 2 more | 2020-10-28 | 4.3 MEDIUM | 5.5 MEDIUM |
| An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iCloud for Windows 7.12, tvOS 12.3, iTunes 12.9.5 for Windows, macOS Mojave 10.14.5, Security Update 2019-003 High Sierra, Security Update 2019-003 Sierra, iOS 12.3. Processing a maliciously crafted font may result in the disclosure of process memory. | |||||
| CVE-2018-4339 | 1 Apple | 1 Iphone Os | 2020-10-28 | 2.1 LOW | 5.5 MEDIUM |
| This issue was addressed with a new entitlement. This issue is fixed in iOS 12.1. A local user may be able to read a persistent device identifier. | |||||
| CVE-2020-25859 | 1 Qualcomm | 1 Qcmap | 2020-10-28 | 7.2 HIGH | 6.7 MEDIUM |
| The QCMAP_CLI utility in the Qualcomm QCMAP software suite prior to versions released in October 2020 uses a system() call without validating the input, while handling a SetGatewayUrl() request. A local attacker with shell access can pass shell metacharacters and run arbitrary commands. If QCMAP_CLI can be run via sudo or setuid, this also allows elevating privileges to root. This version of QCMAP is used in many kinds of networking devices, primarily mobile hotspots and LTE routers. | |||||
| CVE-2020-9772 | 1 Apple | 5 Ipad Os, Iphone Os, Mac Os X and 2 more | 2020-10-28 | 2.1 LOW | 5.5 MEDIUM |
| A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. A sandboxed process may be able to circumvent sandbox restrictions. | |||||
| CVE-2019-14718 | 1 Verifone | 2 Mx900, Mx900 Firmware | 2020-10-28 | 4.6 MEDIUM | 6.7 MEDIUM |
| Verifone MX900 series Pinpad Payment Terminals with OS 30251000 have Insecure Permissions, with resultant svc_netcontrol arbitrary command injection and privilege escalation. | |||||
| CVE-2020-25470 | 1 Antsword Project | 1 Antsword | 2020-10-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| AntSword 2.1.8.1 contains a cross-site scripting (XSS) vulnerability in the View Site funtion. When viewing an added site, an XSS payload can be injected in cookies view which can lead to remote code execution. | |||||
| CVE-2019-14713 | 1 Verifone | 2 Mx900, Mx900 Firmware | 2020-10-28 | 2.1 LOW | 5.5 MEDIUM |
| Verifone MX900 series Pinpad Payment Terminals with OS 30251000 allow installation of unsigned packages. | |||||
| CVE-2020-27388 | 1 Yourls | 1 Yourls | 2020-10-28 | 3.5 LOW | 5.4 MEDIUM |
| Multiple Stored Cross Site Scripting (XSS) vulnerabilities exist in the YOURLS Admin Panel, Versions 1.5 - 1.7.10. An authenticated user must modify a PHP plugin with a malicious payload and upload it, resulting in multiple stored XSS issues. | |||||
| CVE-2020-9787 | 1 Apple | 5 Ipad Os, Iphone Os, Mac Os X and 2 more | 2020-10-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. Some websites may not have appeared in Safari Preferences. | |||||
| CVE-2020-9810 | 1 Apple | 1 Mac Os X | 2020-10-28 | 4.6 MEDIUM | 6.8 MEDIUM |
| A logic issue was addressed with improved restrictions. This issue is fixed in macOS Catalina 10.15.5. A person with physical access to a Mac may be able to bypass Login Window. | |||||
| CVE-2020-17373 | 1 Sugarcrm | 1 Sugarcrm | 2020-10-28 | 3.5 LOW | 5.3 MEDIUM |
| SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection. | |||||
| CVE-2020-7126 | 1 Arubanetworks | 1 Airwave Glass | 2020-10-27 | 5.0 MEDIUM | 5.8 MEDIUM |
| A remote server-side request forgery (ssrf) vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2. | |||||
| CVE-2020-5650 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2020-10-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2020-24847 | 1 Fruitywifi Project | 1 Fruitywifi | 2020-10-27 | 4.3 MEDIUM | 4.3 MEDIUM |
| A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticated attacker can change the newSSID and hostapd_wpa_passphrase. | |||||
| CVE-2018-8062 | 1 Comtrend | 2 Ar-5387un, Ar-5387un Firmware | 2020-10-27 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability on Comtrend AR-5387un devices with A731-410JAZ-C04_R02.A2pD035g.d23i firmware allows remote attackers to inject arbitrary web script or HTML via the Service Description parameter while creating a WAN service. | |||||
| CVE-2020-27642 | 1 Bigbluebutton | 1 Greenlight | 2020-10-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists in the 'merge account' functionality in admins.js in BigBlueButton Greenlight 2.7.6. | |||||
| CVE-2020-24375 | 1 Free | 3 Freebox Server, Freebox V5, Freebox V5 Firmware | 2020-10-27 | 4.3 MEDIUM | 6.5 MEDIUM |
| A DNS rebinding vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3. | |||||
| CVE-2020-14299 | 1 Redhat | 3 Jboss Enterprise Application Platform, Openshift Application Runtimes, Single Sign-on | 2020-10-27 | 6.3 MEDIUM | 6.5 MEDIUM |
| A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability. | |||||
| CVE-2020-26584 | 1 Sagedpw | 1 Sage Dpw | 2020-10-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Sage DPW 2020_06_x before 2020_06_002. The search field "Kurs suchen" on the page Kurskatalog is vulnerable to Reflected XSS. If the attacker can lure a user into clicking a crafted link, he can execute arbitrary JavaScript code in the user's browser. The vulnerability can be used to change the contents of the displayed site, redirect to other sites, or steal user credentials. Additionally, users are potential victims of browser exploits and JavaScript malware. | |||||