Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-13313 | 1 Gitlab | 1 Gitlab | 2020-09-16 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. An unauthorized project maintainer could edit the subgroup badges due to the lack of authorization control. | |||||
| CVE-2020-13284 | 1 Gitlab | 1 Gitlab | 2020-09-16 | 5.5 MEDIUM | 6.5 MEDIUM |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API Authorization Using Outdated CI Job Token | |||||
| CVE-2020-13314 | 1 Gitlab | 1 Gitlab | 2020-09-16 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab Omniauth endpoint allowed a malicious user to submit content to be displayed back to the user within error messages. | |||||
| CVE-2020-5780 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2020-09-16 | 5.0 MEDIUM | 5.3 MEDIUM |
| Missing Authentication for Critical Function in Icegram Email Subscribers & Newsletters Plugin for WordPress prior to version 4.5.6 allows a remote, unauthenticated attacker to conduct unauthenticated email forgery/spoofing. | |||||
| CVE-2020-24739 | 1 Idreamsoft | 1 Icms | 2020-09-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| A CSRF vulnerability was found in iCMS v7.0.0 in the background deletion administrator account. When missing the CSRF_TOKEN and can still request normally, all administrators except the initial administrator will be deleted. | |||||
| CVE-2018-15437 | 2 Cisco, Microsoft | 3 Advanced Malware Protection For Endpoints, Immunet For Endpoints, Windows | 2020-09-16 | 2.1 LOW | 5.5 MEDIUM |
| A vulnerability in the system scanning component of Cisco Immunet and Cisco Advanced Malware Protection (AMP) for Endpoints running on Microsoft Windows could allow a local attacker to disable the scanning functionality of the product. This could allow executable files to be launched on the system without being analyzed for threats. The vulnerability is due to improper process resource handling. An attacker could exploit this vulnerability by gaining local access to a system running Microsoft Windows and protected by Cisco Immunet or Cisco AMP for Endpoints and executing a malicious file. A successful exploit could allow the attacker to prevent the scanning services from functioning properly and ultimately prevent the system from being protected from further intrusion. | |||||
| CVE-2020-24655 | 1 Twilio | 1 Authy 2-factor Authentication | 2020-09-16 | 1.9 LOW | 5.1 MEDIUM |
| A race condition in the Twilio Authy 2-Factor Authentication application before 24.3.7 for Android allows a user to potentially approve/deny an access request prior to unlocking the application with a PIN on older Android devices (effectively bypassing the PIN requirement). | |||||
| CVE-2020-9742 | 1 Adobe | 1 Experience Manager | 2020-09-16 | 3.5 LOW | 5.4 MEDIUM |
| AEM versions 6.5.5.0 (and below), 6.4.8.1 (and below) and 6.3.3.8 (and below) are affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Inbox calendar feature. These scripts may be executed in a victim’s browser when they open the page containing the vulnerable field. | |||||
| CVE-2020-15709 | 1 Canonical | 1 Add-apt-repository | 2020-09-16 | 2.1 LOW | 5.5 MEDIUM |
| Versions of add-apt-repository before 0.98.9.2, 0.96.24.32.14, 0.96.20.10, and 0.92.37.8ubuntu0.1~esm1, printed a PPA (personal package archive) description to the terminal as-is, which allowed PPA owners to provide ANSI terminal escapes to modify terminal contents in unexpected ways. | |||||
| CVE-2018-15423 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2020-09-16 | 4.3 MEDIUM | 4.7 MEDIUM |
| A vulnerability in the web UI of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to affect the integrity of a device via a clickjacking attack. The vulnerability is due to insufficient input validation of iFrame data in HTTP requests that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted HTTP packets with malicious iFrame data. A successful exploit could allow the attacker to perform a clickjacking attack where the user is tricked into clicking a malicious link. | |||||
| CVE-2020-3547 | 1 Cisco | 4 Asyncos, Content Security Management Appliance, Email Security Appliance and 1 more | 2020-09-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the web-based management interface of Cisco AsyncOS software for Cisco Email Security Appliance (ESA), Cisco Content Security Management Appliance (SMA), and Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability exists because an insecure method is used to mask certain passwords on the web-based management interface. An attacker could exploit this vulnerability by looking at the raw HTML code that is received from the interface. A successful exploit could allow the attacker to obtain some of the passwords configured throughout the interface. | |||||
| CVE-2018-15424 | 1 Cisco | 1 Identity Services Engine | 2020-09-16 | 6.5 MEDIUM | 4.7 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device with the privileges of the web server. | |||||
| CVE-2018-15425 | 1 Cisco | 1 Identity Services Engine | 2020-09-16 | 6.5 MEDIUM | 4.7 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device with the privileges of the web server. | |||||
| CVE-2017-15947 | 1 Aspsource | 1 Simple Asc Content Management System | 2020-09-16 | 3.5 LOW | 5.4 MEDIUM |
| Simple ASC Content Management System v1.2 has XSS in the location field in the sign function, related to guestbook.asp, formgb.asp, and msggb.asp. | |||||
| CVE-2018-13980 | 1 Zeta-producer | 1 Zeta Producer | 2020-09-16 | 2.1 LOW | 5.5 MEDIUM |
| The websites that were built from Zeta Producer Desktop CMS before 14.2.1 are vulnerable to unauthenticated file disclosure if the plugin "filebrowser" is installed, because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal. | |||||
| CVE-2020-4530 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2020-09-16 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Automation Workflow C.D.0 and IBM Business Process Manager 8.0, 8.5, and 8.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-ForceID: 182714. | |||||
| CVE-2019-4671 | 1 Ibm | 1 Maximo Asset Management | 2020-09-16 | 6.5 MEDIUM | 6.3 MEDIUM |
| IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 171437. | |||||
| CVE-2020-4526 | 1 Ibm | 1 Maximo Asset Management | 2020-09-16 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 182436. | |||||
| CVE-2020-4711 | 1 Ibm | 1 Spectrum Protect Plus | 2020-09-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Spectrum Protect Plus 10.1.0 through 10.1.6 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 187501. | |||||
| CVE-2019-19947 | 1 Linux | 1 Linux Kernel | 2020-09-15 | 2.1 LOW | 4.6 MEDIUM |
| In the Linux kernel through 5.4.6, there are information leaks of uninitialized memory to a USB device in the drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c driver, aka CID-da2311a6385c. | |||||
| CVE-2020-2039 | 1 Paloaltonetworks | 1 Pan-os | 2020-09-15 | 5.0 MEDIUM | 5.3 MEDIUM |
| An uncontrolled resource consumption vulnerability in Palo Alto Networks PAN-OS allows for a remote unauthenticated user to upload temporary files through the management web interface that are not properly deleted after the request is finished. It is possible for an attacker to disrupt the availability of the management web interface by repeatedly uploading files until available disk space is exhausted. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.10; PAN-OS 9.1 versions earlier than PAN-OS 9.1.4; PAN-OS 10.0 versions earlier than PAN-OS 10.0.1. | |||||
| CVE-2020-24198 | 1 Stock Management System Project | 1 Stock Management System | 2020-09-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A persistent cross-site scripting vulnerability in Sourcecodester Stock Management System v1.0 allows remote attackers to inject arbitrary web script or HTML via the 'Brand Name.' | |||||
| CVE-2019-20918 | 1 Inspircd | 1 Inspircd | 2020-09-15 | 6.8 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in InspIRCd 3 before 3.1.0. The silence module contains a use after free vulnerability. This vulnerability can be used for remote crashing of an InspIRCd server by any user able to fully connect to a server. | |||||
| CVE-2019-7654 | 1 Wowza | 1 Streaming Engine | 2020-09-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| Wowza Streaming Engine 4.8.0 and earlier suffers from multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes such as adding another admin user via enginemanager/server/user/edit.htm in the Server->Users component. This issue was resolved in Wowza Streaming Engine 4.8.5. | |||||
| CVE-2020-12872 | 1 Yaws | 1 Yaws | 2020-09-14 | 2.1 LOW | 5.5 MEDIUM |
| yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks, if running on an Erlang/OTP virtual machine with a version less than 21.0. | |||||
| CVE-2020-15788 | 1 Siemens | 1 Polarion Subversion Webclient | 2020-09-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in Polarion Subversion Webclient (All versions). The Polarion subversion web application does not filter user input in a way that prevents Cross-Site Scripting. If a user is enticed into passing specially crafted, malicious input to the web client (e.g. by clicking on a malicious URL with embedded JavaScript), then JavaScript code can be returned and may then be executed by the user’s client. Various actions could be triggered by running malicious JavaScript code. | |||||
| CVE-2020-24194 | 1 Daily Tracker System Project | 1 Daily Tracker System | 2020-09-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-site scripting (XSS) vulnerability in 'user-profile.php' in SourceCodester Daily Tracker System v1.0 allows remote attackers to inject arbitrary web script or HTML via the 'fullname' parameter. | |||||
| CVE-2020-15790 | 1 Siemens | 1 Spectrum Power 4 | 2020-09-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP8). If configured in an insecure manner, the web server might be susceptible to a directory listing attack. | |||||
| CVE-2020-15784 | 1 Siemens | 1 Spectrum Power 4 | 2020-09-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP8). Insecure storage of sensitive information in the configuration files could allow the retrieval of user names. | |||||
| CVE-2016-9401 | 3 Debian, Gnu, Redhat | 8 Debian Linux, Bash, Enterprise Linux Desktop and 5 more | 2020-09-14 | 2.1 LOW | 5.5 MEDIUM |
| popd in bash might allow local users to bypass the restricted shell and cause a use-after-free via a crafted address. | |||||
| CVE-2020-9736 | 1 Adobe | 1 Experience Manager | 2020-09-14 | 3.5 LOW | 4.8 MEDIUM |
| AEM versions 6.5.5.0 (and below), 6.4.8.1 (and below), 6.3.3.8 (and below) and 6.2 SP1-CFP20 (and below) are affected by a stored XSS vulnerability that allows users with access to the Content Repository Development Environment to store malicious scripts in certain node fields. These scripts may be executed in a victim’s browser when browsing to the page containing the vulnerable field. | |||||
| CVE-2020-9738 | 1 Adobe | 1 Experience Manager | 2020-09-14 | 3.5 LOW | 4.8 MEDIUM |
| AEM versions 6.5.5.0 (and below), 6.4.8.1 (and below), 6.3.3.8 (and below) and 6.2 SP1-CFP20 (and below) are affected by a stored XSS vulnerability that allows users with access to the Content Repository Development Environment to store malicious scripts in certain node fields. These scripts may be executed in a victim’s browser when visiting the page containing the vulnerable field. | |||||
| CVE-2020-9740 | 1 Adobe | 1 Experience Manager | 2020-09-14 | 3.5 LOW | 5.4 MEDIUM |
| AEM versions 6.5.5.0 (and below), 6.4.8.1 (and below), 6.3.3.8 (and below) and 6.2 SP1-CFP20 (and below) are affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Design Importer. These scripts may be executed in a victim’s browser when they open the page containing the vulnerable field. | |||||
| CVE-2020-5627 | 1 Yodobashi | 1 Yodobashi | 2020-09-14 | 5.8 MEDIUM | 6.1 MEDIUM |
| Yodobashi App for Android versions 1.8.7 and earlier allows remote attackers to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack. | |||||
| CVE-2020-6326 | 1 Sap | 1 Netweaver Knowledge Management | 2020-09-14 | 3.5 LOW | 5.4 MEDIUM |
| SAP NetWeaver (Knowledge Management), version-7.30,7.31,7.40,7.50, allows an authenticated attacker to create malicious links in the UI, when clicked by victim, will execute arbitrary java scripts thus extracting or modifying information otherwise restricted leading to Stored Cross Site Scripting. | |||||
| CVE-2020-9741 | 1 Adobe | 1 Experience Manager | 2020-09-14 | 3.5 LOW | 5.4 MEDIUM |
| The AEM forms add-on for versions 6.5.5.0 (and below) and 6.4.8.2 (and below) is affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Forms component. These scripts may be executed in a victim’s browser when they open the page containing the vulnerable field. | |||||
| CVE-2020-9735 | 1 Adobe | 1 Experience Manager | 2020-09-14 | 3.5 LOW | 4.8 MEDIUM |
| AEM versions 6.5.5.0 (and below), 6.4.8.1 (and below), 6.3.3.8 (and below) and 6.2 SP1-CFP20 (and below) are affected by a stored XSS vulnerability that allows users with access to the Content Repository Development Environment to store malicious scripts in certain node fields. These scripts may be executed in a victim’s browser when search queries return the page containing the vulnerable field. | |||||
| CVE-2020-9734 | 1 Adobe | 1 Experience Manager | 2020-09-14 | 3.5 LOW | 5.4 MEDIUM |
| The AEM Forms add-on for versions 6.5.5.0 (and below) and 6.4.8.1 (and below) is affected by a stored XSS vulnerability that allows users with 'Author' privileges to store malicious scripts in fields associated with the Forms component. These scripts may be executed in a victim’s browser when they open the page containing the vulnerable field. | |||||
| CVE-2020-7324 | 1 Mcafee | 1 Mvision Endpoint | 2020-09-14 | 3.6 LOW | 6.1 MEDIUM |
| Improper Access Control vulnerability in McAfee MVISION Endpoint prior to 20.9 Update allows local users to bypass security mechanisms and deny access to the SYSTEM folder via incorrectly applied permissions. | |||||
| CVE-2020-24794 | 1 Kentico | 1 Kentico | 2020-09-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Kentico before 12.0.75. | |||||
| CVE-2019-14025 | 1 Qualcomm | 20 Kamorta, Kamorta Firmware, Qcs404 and 17 more | 2020-09-14 | 2.1 LOW | 5.5 MEDIUM |
| u'When a new session is created, Object is returned that contains TZ addresses and it get passed to HLOS as an handle to refer to a particular session and can cause TZ to jump to a invalid address' in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in Kamorta, QCS404, QCS610, Rennell, SC7180, SDX55, SM6150, SM7150, SM8250, SXR2130 | |||||
| CVE-2020-15701 | 1 Canonical | 2 Apport, Ubuntu Linux | 2020-09-14 | 2.1 LOW | 5.5 MEDIUM |
| An unhandled exception in check_ignored() in apport/report.py can be exploited by a local attacker to cause a denial of service. If the mtime attribute is a string value in apport-ignore.xml, it will trigger an unhandled exception, resulting in a crash. Fixed in 2.20.1-0ubuntu2.24, 2.20.9-0ubuntu7.16, 2.20.11-0ubuntu27.6. | |||||
| CVE-2020-5379 | 1 Dell | 2 Inspiron 7352, Inspiron 7352 Bios | 2020-09-14 | 7.2 HIGH | 6.8 MEDIUM |
| Dell Inspiron 7352 BIOS versions prior to A12 contain a UEFI BIOS Boot Services overwrite vulnerability. A local attacker with access to system memory may exploit this vulnerability by overwriting the EFI_BOOT_SERVICES structure to execute arbitrary code in System Management Mode (SMM). | |||||
| CVE-2020-5378 | 1 Dell | 2 G7 17 7790, G7 17 7790 Bios | 2020-09-14 | 7.2 HIGH | 6.8 MEDIUM |
| Dell G7 17 7790 BIOS versions prior to 1.13.2 contain a UEFI BIOS Boot Services overwrite vulnerability. A local attacker with access to system memory may exploit this vulnerability by overwriting the EFI_BOOT_SERVICES structure to execute arbitrary code in System Management Mode (SMM). | |||||
| CVE-2020-5376 | 1 Dell | 2 Inspiron 7347, Inspiron 7347 Bios | 2020-09-14 | 7.2 HIGH | 6.8 MEDIUM |
| Dell Inspiron 7347 BIOS versions prior to A13 contain a UEFI BIOS Boot Services overwrite vulnerability. A local attacker with access to system memory may exploit this vulnerability by overwriting the EFI_BOOT_SERVICES structure to execute arbitrary code in System Management Mode (SMM). | |||||
| CVE-2016-7142 | 2 Debian, Inspircd | 2 Debian Linux, Inspircd | 2020-09-14 | 4.3 MEDIUM | 5.9 MEDIUM |
| The m_sasl module in InspIRCd before 2.0.23, when used with a service that supports SASL_EXTERNAL authentication, allows remote attackers to spoof certificate fingerprints and consequently log in as another user via a crafted SASL message. | |||||
| CVE-2020-24582 | 1 Zulipchat | 1 Zulip Desktop | 2020-09-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zulip Desktop before 5.4.3 allows XSS because string escaping is mishandled during composition of the HTML for the user interface. | |||||
| CVE-2020-24963 | 1 Appsbd | 1 Best Support System | 2020-09-11 | 3.5 LOW | 5.4 MEDIUM |
| An Authenticated Persistent XSS vulnerability was discovered in the Best Support System, tested version v3.0.4. | |||||
| CVE-2019-11928 | 1 Whatsapp | 1 Whatsapp Desktop | 2020-09-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| An input validation issue in WhatsApp Desktop versions prior to v0.3.4932 could have allowed cross-site scripting upon clicking on a link from a specially crafted live location message. | |||||
| CVE-2020-4047 | 1 Wordpress | 1 Wordpress | 2020-09-11 | 3.5 LOW | 6.8 MEDIUM |
| In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). | |||||