Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-14170 | 1 Atlassian | 1 Bitbucket | 2020-07-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability. | |||||
| CVE-2020-14171 | 1 Atlassian | 1 Bitbucket | 2020-07-15 | 5.8 MEDIUM | 6.5 MEDIUM |
| Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack. | |||||
| CVE-2020-5366 | 1 Dell | 2 Idrac9, Idrac9 Firmware | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| Dell EMC iDRAC9 versions prior to 4.20.20.20 contain a Path Traversal Vulnerability. A remote authenticated malicious user with low privileges could potentially exploit this vulnerability by manipulating input parameters to gain unauthorized read access to arbitrary files. | |||||
| CVE-2020-6286 | 1 Sap | 1 Netweaver Application Server Java | 2020-07-15 | 5.0 MEDIUM | 5.3 MEDIUM |
| Insufficient input path validation of a certain parameter in the web service of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40 and 7.50, allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to Path Traversal. | |||||
| CVE-2020-5607 | 1 Ss-proj | 1 Shirasagi | 2020-07-15 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open redirect vulnerability in SHIRASAGI v1.13.1 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |||||
| CVE-2020-11882 | 1 Telefonica | 1 O2 Business | 2020-07-15 | 5.8 MEDIUM | 6.1 MEDIUM |
| The O2 Business application 1.2.0 for Android exposes the canvasm.myo2.SplashActivity activity to other applications. The purpose of this activity is to handle deeplinks that can be delivered either via links or by directly calling the activity. However, the deeplink format is not properly validated. This can be abused by an attacker to redirect a user to any page and deliver any content to the user. | |||||
| CVE-2019-4324 | 1 Hcltech | 1 Appscan | 2020-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| HCL AppScan Enterprise is susceptible to Cross-Site Scripting while importing a specially crafted test policy. | |||||
| CVE-2019-4323 | 1 Hcltech | 1 Appscan | 2020-07-15 | 4.3 MEDIUM | 4.3 MEDIUM |
| HCL AppScan Enterprise advisory API documentation is susceptible to clickjacking, which could allow an attacker to embed the contents of untrusted web pages in a frame. | |||||
| CVE-2020-4042 | 1 Bareos | 1 Bareos | 2020-07-15 | 4.3 MEDIUM | 6.8 MEDIUM |
| Bareos versions before 19.2.8 allow a malicious client to communicate with the director without knowledge of the shared secret if the director allows client-initiated connections and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to the director itself, leading to the director responding to the replayed challenge. The response obtained is then a valid reply to the director's original challenge. This is fixed in version 19.2.8. | |||||
| CVE-2020-10040 | 1 Siemens | 6 Sicam Mmu, Sicam Mmu Firmware, Sicam Sgu and 3 more | 2020-07-15 | 2.1 LOW | 5.5 MEDIUM |
| A vulnerability has been identified in SICAM MMU (All versions < V2.05), SICAM SGU (All versions), SICAM T (All versions < V2.18). An attacker with local access to the device might be able to retrieve some passwords in clear text. | |||||
| CVE-2018-15740 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2020-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine ADManager Plus 6.5.7 has XSS on the "Workflow Delegation" "Requester Roles" screen. | |||||
| CVE-2020-10041 | 1 Siemens | 6 Sicam Mmu, Sicam Mmu Firmware, Sicam Sgu and 3 more | 2020-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in SICAM MMU (All versions < V2.05), SICAM SGU (All versions), SICAM T (All versions < V2.18). A stored Cross-Site Scripting (XSS) vulnerability is present in different locations of the web application. An attacker might be able to take over a session of a legitimate user. | |||||
| CVE-2020-10043 | 1 Siemens | 6 Sicam Mmu, Sicam Mmu Firmware, Sicam Sgu and 3 more | 2020-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in SICAM MMU (All versions < V2.05), SICAM SGU (All versions), SICAM T (All versions < V2.18). The web server could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. | |||||
| CVE-2020-14477 | 1 Philips | 16 Affiniti 50, Affiniti 50 Firmware, Affiniti 70 and 13 more | 2020-07-15 | 3.6 LOW | 4.4 MEDIUM |
| In Philips Ultrasound ClearVue Versions 3.2 and prior, Ultrasound CX Versions 5.0.2 and prior, Ultrasound EPIQ/Affiniti Versions VM5.0 and prior, Ultrasound Sparq Version 3.0.2 and prior and Ultrasound Xperius all versions, an attacker may use an alternate path or channel that does not require authentication of the alternate service login to view or modify information. | |||||
| CVE-2018-12240 | 1 Symantec | 1 Norton Password Manager | 2020-07-15 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Norton Identity Safe product prior to 5.3.0.976 may be susceptible to a privilege escalation issue via a hard coded IV, which is a type of vulnerability that can potentially increase the likelihood of encrypted data being recovered without adequate credentials. | |||||
| CVE-2020-2208 | 1 Jenkins | 1 Slack Upload | 2020-07-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2020-2216 | 1 Jenkins | 1 Zephyr For Jira Test Management | 2020-07-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified username and password. | |||||
| CVE-2020-2204 | 1 Jenkins | 1 Fortify On Demand | 2020-07-15 | 5.5 MEDIUM | 5.4 MEDIUM |
| A missing permission check in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers with Overall/Read permission to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs. | |||||
| CVE-2020-2202 | 1 Jenkins | 1 Fortify On Demand | 2020-07-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Fortify on Demand Plugin 6.0.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. | |||||
| CVE-2019-1003097 | 1 Jenkins | 1 Crowd Integration | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Crowd Integration Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-1003096 | 1 Jenkins | 1 Testfairy | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins TestFairy Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-1003099 | 1 Jenkins | 1 Openid | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003085 | 1 Jenkins | 1 Zephyr Enterprise Test Management | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003083 | 1 Jenkins | 1 Gearman | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003079 | 1 Jenkins | 1 Vmware Lab Manager Slaves | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003093 | 1 Jenkins | 1 Nomad | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003091 | 1 Jenkins | 1 Soasta Cloudtest | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003087 | 1 Jenkins | 1 Chef Sinatra | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003081 | 1 Jenkins | 1 Openshift Deployer | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2020-10989 | 1 Tenda | 2 Ac15, Ac15 Firmware | 2020-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue in the /goform/WifiBasicSet endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute malicious payloads via the WifiName POST parameter. | |||||
| CVE-2017-12610 | 1 Apache | 1 Kafka | 2020-07-15 | 4.9 MEDIUM | 6.8 MEDIUM |
| In Apache Kafka 0.10.0.0 to 0.10.2.1 and 0.11.0.0 to 0.11.0.1, authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka. | |||||
| CVE-2018-1000004 | 1 Linux | 1 Linux Kernel | 2020-07-15 | 7.1 HIGH | 5.9 MEDIUM |
| In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions, a race condition vulnerability exists in the sound system; this can lead to a deadlock and denial of service condition. | |||||
| CVE-2018-10872 | 1 Redhat | 4 Enterprise Linux, Enterprise Linux Desktop, Enterprise Linux Server and 1 more | 2020-07-15 | 4.9 MEDIUM | 5.5 MEDIUM |
| A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor does not deliver interrupts and exceptions; they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel, resulting in DoS. CVE-2018-10872 was assigned due to a regression of CVE-2018-8897 in the Red Hat Enterprise Linux 6.10 GA kernel. No other versions are affected by this CVE. | |||||
| CVE-2018-12207 | 7 Canonical, Debian, F5 and 4 more | 1532 Ubuntu Linux, Debian Linux, Big-ip Access Policy Manager and 1529 more | 2020-07-15 | 4.9 MEDIUM | 6.5 MEDIUM |
| Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R) Processors may allow an authenticated user to potentially enable denial of service of the host system via local access. | |||||
| CVE-2020-14946 | 1 Globalradar | 1 Bsa Radar | 2020-07-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| downloadFile.ashx in the Administrator section of the Surveillance module in Global RADAR BSA Radar 1.6.7234.24750 and earlier allows users to download transaction files. When downloading the files, a user is able to view local files on the web server by manipulating the FileName and FilePath parameters in the URL, or while using a proxy. This vulnerability could be used to view local sensitive files or configuration files. | |||||
| CVE-2020-4510 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2020-07-14 | 5.5 MEDIUM | 5.5 MEDIUM |
| IBM QRadar SIEM 7.3 and 7.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 182365. | |||||
| CVE-2020-4364 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2020-07-14 | 3.5 LOW | 5.4 MEDIUM |
| IBM QRadar SIEM 7.3 and 7.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 178961. | |||||
| CVE-2020-4511 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2020-07-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM QRadar SIEM 7.3 and 7.4 could allow an authenticated user to cause a denial of service of the qflow process by sending a malformed sflow command. IBM X-Force ID: 182366. | |||||
| CVE-2020-4513 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2020-07-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM QRadar SIEM 7.3 and 7.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 182368. | |||||
| CVE-2020-6290 | 1 Sap | 1 Disclosure Management | 2020-07-14 | 6.8 MEDIUM | 6.3 MEDIUM |
| SAP Disclosure Management, version 10.1, is vulnerable to Session Fixation attacks wherein the attacker tricks the user into using a specific session ID. | |||||
| CVE-2020-1982 | 1 Paloaltonetworks | 1 Pan-os | 2020-07-14 | 5.8 MEDIUM | 4.8 MEDIUM |
| Certain communication between PAN-OS and cloud-delivered services inadvertently uses TLS 1.0, which is known to be a cryptographically weak protocol. These cloud services include Cortex Data Lake, the Customer Support Portal, and the Prisma Access infrastructure. Conditions required for exploitation of known TLS 1.0 weaknesses do not exist for the communication between PAN-OS and cloud-delivered services. We do not believe that any communication is impacted as a result of known attacks against TLS 1.0. This issue impacts: All versions of PAN-OS 8.0; PAN-OS 8.1 versions earlier than PAN-OS 8.1.14; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 9.1 versions earlier than PAN-OS 9.1.3. PAN-OS 7.1 is not impacted by this issue. | |||||
| CVE-2020-2031 | 1 Paloaltonetworks | 1 Pan-os | 2020-07-14 | 6.8 MEDIUM | 4.9 MEDIUM |
| An integer underflow vulnerability in the dnsproxyd component of the PAN-OS management interface allows authenticated administrators to issue a command from the command line interface that causes the component to stop responding. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. This issue impacts: PAN-OS 9.1 versions earlier than PAN-OS 9.1.3. This issue does not impact PAN-OS 8.1, PAN-OS 9.0, or Prisma Access services. | |||||
| CVE-2020-15513 | 1 Mittwald | 1 Typo3 Forum | 2020-07-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| The typo3_forum extension before 1.2.1 for TYPO3 has Incorrect Access Control. | |||||
| CVE-2020-12035 | 1 Baxter | 4 Prismaflex, Prismaflex Firmware, Prismax and 1 more | 2020-07-14 | 3.6 LOW | 4.9 MEDIUM |
| Baxter PrismaFlex (all versions) and PrisMax (all versions prior to 3.x): the PrismaFlex device contains a hard-coded service password that provides access to biomedical information, device settings, calibration settings, and network configuration. This could allow an attacker to modify device settings and calibration. | |||||
| CVE-2018-8580 | 1 Microsoft | 1 Sharepoint Server | 2020-07-14 | 4.3 MEDIUM | 4.3 MEDIUM |
| An information disclosure vulnerability exists where certain modes of the search function in Microsoft SharePoint Server are vulnerable to cross-site search attacks (a variant of cross-site request forgery, CSRF), aka "Microsoft SharePoint Information Disclosure Vulnerability." This affects Microsoft SharePoint. | |||||
| CVE-2018-20185 | 3 Canonical, Debian, Graphicsmagick | 3 Ubuntu Linux, Debian Linux, Graphicsmagick | 2020-07-14 | 2.6 LOW | 5.3 MEDIUM |
| In GraphicsMagick 1.4 snapshot-20181209 Q8 on 32-bit platforms, there is a heap-based buffer over-read in the ReadBMPImage function of bmp.c, which allows attackers to cause a denial of service via a crafted bmp image file. This only affects GraphicsMagick installations with customized BMP limits. | |||||
| CVE-2018-20307 | 1 Pulsesecure | 1 Virtual Traffic Manager | 2020-07-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| Pulse Secure Virtual Traffic Manager 9.9 versions prior to 9.9r2 and 10.4r1 allow a remote authenticated user to obtain sensitive historical activity information by leveraging incorrect permission validation. | |||||
| CVE-2020-6278 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2020-07-14 | 3.5 LOW | 5.4 MEDIUM |
| SAP Business Objects Business Intelligence Platform (BI Launchpad and CMC), versions 4.1, 4.2, allows an attacker to embed malicious scripts in the application while uploading images, which get executed when the victim opens these files, leading to Stored Cross Site Scripting. | |||||
| CVE-2020-6276 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2020-07-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Business Objects Business Intelligence Platform (bipodata), version 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability. | |||||
| CVE-2020-6281 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2020-07-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP Business Objects Business Intelligence Platform (BI Launchpad), version 4.2, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting. | |||||
