Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-11584 | 2 Linux, Plesk | 2 Linux Kernel, Onyx | 2020-08-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A GET-based XSS reflected vulnerability in Plesk Onyx 17.8.11 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter. | |||||
| CVE-2020-16131 | 1 Tiki | 1 Tiki | 2020-08-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Tiki before 21.2 allows XSS because [\s\/"\'] is not properly considered in lib/core/TikiFilter/PreventXss.php. | |||||
| CVE-2020-13820 | 1 Extremenetworks | 1 Extreme Management Center | 2020-08-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Extreme Management Center 8.4.1.24 allows unauthenticated reflected XSS via a parameter in a GET request. | |||||
| CVE-2020-4560 | 1 Ibm | 1 Financial Transaction Manager | 2020-08-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | |||||
| CVE-2020-4328 | 1 Ibm | 1 Financial Transaction Manager For Multiplatform | 2020-08-04 | 6.5 MEDIUM | 6.3 MEDIUM |
| IBM Financial Transaction Manager 3.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 177839. | |||||
| CVE-2011-1573 | 1 Linux | 1 Linux Kernel | 2020-08-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| net/sctp/sm_make_chunk.c in the Linux kernel before 2.6.34, when addip_enable and auth_enable are used, does not consider the amount of zero padding during calculation of chunk lengths for (1) INIT and (2) INIT ACK chunks, which allows remote attackers to cause a denial of service (OOPS) via crafted packet data. | |||||
| CVE-2017-7950 | 1 Gonitro | 1 Nitro Pro | 2020-08-04 | 4.3 MEDIUM | 5.5 MEDIUM |
| Nitro Pro 11.0.3 and earlier allows remote attackers to cause a denial of service (application crash) via a crafted PCX file. | |||||
| CVE-2017-6314 | 3 Debian, Fedoraproject, Gnome | 3 Debian Linux, Fedora, Gdk-pixbuf | 2020-08-04 | 4.3 MEDIUM | 5.5 MEDIUM |
| The make_available_at_least function in io-tiff.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (infinite loop) via a large TIFF file. | |||||
| CVE-2017-6312 | 3 Debian, Fedoraproject, Gnome | 3 Debian Linux, Fedora, Gdk-pixbuf | 2020-08-04 | 4.3 MEDIUM | 5.5 MEDIUM |
| Integer overflow in io-ico.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted image entry offset in an ICO file, which triggers an out-of-bounds read, related to compiler optimizations. | |||||
| CVE-2019-1010091 | 1 Tiny | 1 Tinymce | 2020-08-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab. | |||||
| CVE-2019-20032 | 1 Nec | 8 Sl1100, Sl1100 Firmware, Sl2100 and 5 more | 2020-08-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| An attacker with access to an InMail voicemail box equipped with the find me/follow me feature on Aspire-derived NEC PBXes, including all versions of SV8100, SV9100, SL1100 and SL2100 devices, may access the system's administration modem. | |||||
| CVE-2019-4589 | 1 Ibm | 1 Cognos Analytics | 2020-08-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Cognos Analytics 11.0 and 11.1 is vulnerable to privlege escalation where the "My schedules and subscriptions" page is visible and accessible to a less privileged user. IBM X-Force ID: 167449. | |||||
| CVE-2018-1000549 | 1 Wekan Project | 1 Wekan | 2020-08-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| Wekan version 1.04.0 contains a Email / Username Enumeration vulnerability in Register' and 'Forgot your password?' pages that can result in A remote attacker could perform a brute force attack to obtain valid usernames and email addresses.. This attack appear to be exploitable via HTTP Request. | |||||
| CVE-2020-10945 | 1 Centreon | 2 Centreon, Widget-host-monitoring | 2020-08-03 | 3.3 LOW | 4.3 MEDIUM |
| Centreon before 19.10.7 exposes Session IDs in server responses. | |||||
| CVE-2019-12380 | 1 Linux | 1 Linux Kernel | 2020-08-03 | 2.1 LOW | 5.5 MEDIUM |
| **DISPUTED** An issue was discovered in the efi subsystem in the Linux kernel through 5.1.5. phys_efi_set_virtual_address_map in arch/x86/platform/efi/efi.c and efi_call_phys_prolog in arch/x86/platform/efi/efi_64.c mishandle memory allocation failures. NOTE: This id is disputed as not being an issue because “All the code touched by the referenced commit runs only at boot, before any user processes are started. Therefore, there is no possibility for an unprivileged user to control it.”. | |||||
| CVE-2019-19036 | 1 Linux | 1 Linux Kernel | 2020-08-03 | 4.3 MEDIUM | 5.5 MEDIUM |
| btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero. | |||||
| CVE-2020-2078 | 1 Sick | 1 Package Analytics | 2020-08-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| Passwords are stored in plain text within the configuration of SICK Package Analytics software up to and including V04.1.1. An authorized attacker could access these stored plaintext credentials and gain access to the ftp service. Storing a password in plaintext allows attackers to easily gain access to systems, potentially compromising personal information or other sensitive information. | |||||
| CVE-2020-8202 | 1 Nextcloud | 1 Preferred Providers | 2020-08-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| Improper check of inputs in Nextcloud Preferred Providers app v1.6.0 allowed to perform a denial of service attack when using a very long password. | |||||
| CVE-2013-2128 | 1 Linux | 1 Linux Kernel | 2020-08-03 | 4.9 MEDIUM | 5.5 MEDIUM |
| The tcp_read_sock function in net/ipv4/tcp.c in the Linux kernel before 2.6.34 does not properly manage skb consumption, which allows local users to cause a denial of service (system crash) via a crafted splice system call for a TCP socket. | |||||
| CVE-2015-1350 | 2 Linux, Redhat | 3 Linux Kernel, Enterprise Linux, Enterprise Mrg | 2020-08-03 | 2.1 LOW | 5.5 MEDIUM |
| The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allows local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program. | |||||
| CVE-2017-1000193 | 1 Octobercms | 1 October | 2020-08-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| October CMS build 412 is vulnerable to stored WCI (a.k.a XSS) in brand logo image name resulting in JavaScript code execution in the victim's browser. | |||||
| CVE-2018-1999008 | 1 Octobercms | 1 October | 2020-08-03 | 3.5 LOW | 5.4 MEDIUM |
| October CMS version prior to build 437 contains a Cross Site Scripting (XSS) vulnerability in the Media module and create folder functionality that can result in an Authenticated user with media module permission creating arbitrary folder name with XSS content. This attack appear to be exploitable via an Authenticated user with media module permission who can create arbitrary folder name (XSS). This vulnerability appears to have been fixed in build 437. | |||||
| CVE-2018-7198 | 1 Octobercms | 1 October | 2020-08-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| October CMS through 1.0.431 allows XSS by entering HTML on the Add Posts page. | |||||
| CVE-2017-15284 | 1 Octobercms | 1 October | 2020-08-03 | 3.5 LOW | 5.4 MEDIUM |
| Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account. | |||||
| CVE-2018-1152 | 3 Canonical, Debian, Libjpeg-turbo | 3 Ubuntu Linux, Debian Linux, Libjpeg-turbo | 2020-07-31 | 4.3 MEDIUM | 6.5 MEDIUM |
| libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image. | |||||
| CVE-2018-14498 | 5 Debian, Fedoraproject, Libjpeg-turbo and 2 more | 5 Debian Linux, Fedora, Libjpeg-turbo and 2 more | 2020-07-31 | 4.3 MEDIUM | 6.5 MEDIUM |
| get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries. | |||||
| CVE-2012-1798 | 4 Debian, Imagemagick, Opensuse and 1 more | 10 Debian Linux, Imagemagick, Opensuse and 7 more | 2020-07-31 | 4.3 MEDIUM | 6.5 MEDIUM |
| The TIFFGetEXIFProperties function in coders/tiff.c in ImageMagick before 6.7.6-3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted EXIF IFD in a TIFF image. | |||||
| CVE-2015-8901 | 1 Imagemagick | 1 Imagemagick | 2020-07-31 | 4.3 MEDIUM | 6.5 MEDIUM |
| ImageMagick 6.x before 6.9.0-5 Beta allows remote attackers to cause a denial of service (infinite loop) via a crafted MIFF file. | |||||
| CVE-2015-8902 | 1 Imagemagick | 1 Imagemagick | 2020-07-31 | 4.3 MEDIUM | 6.5 MEDIUM |
| The ReadBlobByte function in coders/pdb.c in ImageMagick 6.x before 6.9.0-5 Beta allows remote attackers to cause a denial of service (infinite loop) via a crafted PDB file. | |||||
| CVE-2015-8903 | 1 Imagemagick | 1 Imagemagick | 2020-07-31 | 4.3 MEDIUM | 6.5 MEDIUM |
| The ReadVICARImage function in coders/vicar.c in ImageMagick 6.x before 6.9.0-5 Beta allows remote attackers to cause a denial of service (infinite loop) via a crafted VICAR file. | |||||
| CVE-2012-0259 | 4 Canonical, Debian, Imagemagick and 1 more | 4 Ubuntu Linux, Debian Linux, Imagemagick and 1 more | 2020-07-31 | 4.3 MEDIUM | 6.5 MEDIUM |
| The GetEXIFProperty function in magick/property.c in ImageMagick before 6.7.6-3 allows remote attackers to cause a denial of service (crash) via a zero value in the component count of an EXIF XResolution tag in a JPEG file, which triggers an out-of-bounds read. | |||||
| CVE-2012-0260 | 5 Canonical, Debian, Imagemagick and 2 more | 11 Ubuntu Linux, Debian Linux, Imagemagick and 8 more | 2020-07-31 | 4.3 MEDIUM | 6.5 MEDIUM |
| The JPEGWarningHandler function in coders/jpeg.c in ImageMagick before 6.7.6-3 allows remote attackers to cause a denial of service (memory consumption) via a JPEG image with a crafted sequence of restart markers. | |||||
| CVE-2012-1186 | 4 Canonical, Debian, Imagemagick and 1 more | 4 Ubuntu Linux, Debian Linux, Imagemagick and 1 more | 2020-07-31 | 4.3 MEDIUM | 5.5 MEDIUM |
| Integer overflow in the SyncImageProfiles function in profile.c in ImageMagick 6.7.5-8 and earlier allows remote attackers to cause a denial of service (infinite loop) via crafted IOP tag offsets in the IFD in an image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0248. | |||||
| CVE-2012-0248 | 4 Canonical, Debian, Imagemagick and 1 more | 10 Ubuntu Linux, Debian Linux, Imagemagick and 7 more | 2020-07-31 | 4.3 MEDIUM | 5.5 MEDIUM |
| ImageMagick 6.7.5-7 and earlier allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted image whose IFD contains IOP tags that all reference the beginning of the IDF. | |||||
| CVE-2020-8204 | 1 Pulsesecure | 2 Pulse Connect Secure, Pulse Policy Secure | 2020-07-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross site scripting (XSS) vulnerability exists in Pulse Connect Secure <9.1R5 on the PSAL Page. | |||||
| CVE-2020-8217 | 1 Pulsesecure | 2 Pulse Connect Secure, Pulse Policy Secure | 2020-07-31 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting (XSS) vulnerability in Pulse Connect Secure <9.1R8 allowed attackers to exploit in the URL used for Citrix ICA. | |||||
| CVE-2020-10985 | 1 Gambio | 1 Gambio Gx | 2020-07-31 | 3.5 LOW | 4.8 MEDIUM |
| Gambio GX before 4.0.1.0 allows XSS in admin/coupon_admin.php. | |||||
| CVE-2020-10983 | 1 Gambio | 1 Gambio Gx | 2020-07-31 | 4.0 MEDIUM | 4.9 MEDIUM |
| Gambio GX before 4.0.1.0 allows SQL Injection in admin/mobile.php. | |||||
| CVE-2020-13971 | 1 Shopware | 1 Shopware | 2020-07-31 | 3.5 LOW | 5.4 MEDIUM |
| In Shopware before 6.2.3, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication. | |||||
| CVE-2020-10982 | 1 Gambio | 1 Gambio Gx | 2020-07-31 | 4.0 MEDIUM | 4.9 MEDIUM |
| Gambio GX before 4.0.1.0 allows SQL Injection in admin/gv_mail.php. | |||||
| CVE-2019-3902 | 3 Debian, Mercurial, Redhat | 3 Debian Linux, Mercurial, Enterprise Linux | 2020-07-31 | 5.8 MEDIUM | 5.9 MEDIUM |
| A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository. | |||||
| CVE-2015-8900 | 1 Imagemagick | 1 Imagemagick | 2020-07-31 | 4.3 MEDIUM | 5.5 MEDIUM |
| The ReadHDRImage function in coders/hdr.c in ImageMagick 6.x and 7.x allows remote attackers to cause a denial of service (infinite loop) via a crafted HDR file. | |||||
| CVE-2020-5612 | 1 Kujirahand | 1 Konawiki | 2020-07-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in KonaWiki 2.2.0 and earlier allows remote attackers to execute an arbitrary script via a specially crafted URL. | |||||
| CVE-2012-3552 | 2 Linux, Redhat | 2 Linux Kernel, Enterprise Linux Eus | 2020-07-31 | 7.1 HIGH | 5.9 MEDIUM |
| Race condition in the IP implementation in the Linux kernel before 3.0 might allow remote attackers to cause a denial of service (slab corruption and system crash) by sending packets to an application that sets socket options during the handling of network traffic. | |||||
| CVE-2011-2918 | 1 Linux | 1 Linux Kernel | 2020-07-31 | 4.9 MEDIUM | 5.5 MEDIUM |
| The Performance Events subsystem in the Linux kernel before 3.1 does not properly handle event overflows associated with PERF_COUNT_SW_CPU_CLOCK events, which allows local users to cause a denial of service (system hang) via a crafted application. | |||||
| CVE-2012-0879 | 4 Canonical, Debian, Linux and 1 more | 6 Ubuntu Linux, Debian Linux, Linux Kernel and 3 more | 2020-07-31 | 4.9 MEDIUM | 5.5 MEDIUM |
| The I/O implementation for block devices in the Linux kernel before 2.6.33 does not properly handle the CLONE_IO feature, which allows local users to cause a denial of service (I/O instability) by starting multiple processes that share an I/O context. | |||||
| CVE-2019-18618 | 3 Hp, Lenovo, Synaptics | 266 Elite Slice, Elite Slice Firmware, Elite X2 1012 G2 and 263 more | 2020-07-30 | 3.6 LOW | 6.0 MEDIUM |
| Incorrect access control in the firmware of Synaptics VFS75xx family fingerprint sensors that include external flash (all versions prior to 2019-11-15) allows a local administrator or physical attacker to compromise the confidentiality of sensor data via injection of an unverified partition table. | |||||
| CVE-2020-15954 | 2 Debian, Kde | 2 Debian Linux, Kmail | 2020-07-30 | 4.3 MEDIUM | 6.5 MEDIUM |
| KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use. | |||||
| CVE-2020-9689 | 1 Magento | 1 Magento | 2020-07-30 | 8.5 HIGH | 6.5 MEDIUM |
| Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a path traversal vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2020-9690 | 1 Magento | 1 Magento | 2020-07-30 | 3.5 LOW | 4.2 MEDIUM |
| Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass. | |||||