Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-14973 1 Webtareas Project 1 Webtareas 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
The loginForm within the general/login.php webpage in webTareas 2.0p8 suffers from a Reflected Cross-Site Scripting (XSS) vulnerability via the query string.
CVE-2017-18916 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction.
CVE-2017-18919 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation.
CVE-2017-18914 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist.
CVE-2019-19610 1 Halvotec 1 Raquest 2020-06-25 5.8 MEDIUM 5.4 MEDIUM
An issue was discovered in Halvotec RaQuest 10.23.10801.0. It allows session fixation. Fixed in Release 24.2020.20608.0.
CVE-2020-14962 1 Machothemes 1 Image Photo Gallery Final Tiles Grid 2020-06-25 3.5 LOW 5.4 MEDIUM
Multiple XSS vulnerabilities in the Final Tiles Gallery plugin before 3.4.19 for WordPress allow remote attackers to inject arbitrary web script or HTML via the Title (aka imageTitle) or Caption (aka description) field of an image to wp-admin/admin-ajax.php.
CVE-2020-14959 1 Goldplugins 1 Easy Testimonials 2020-06-25 3.5 LOW 5.4 MEDIUM
Multiple XSS vulnerabilities in the Easy Testimonials plugin before 3.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the wp-admin/post.php Client Name, Position, Web Address, Other, Location Reviewed, Product Reviewed, Item Reviewed, or Rating parameter.
CVE-2017-18893 1 Mattermost 1 Mattermost Server 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS.
CVE-2017-18902 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.
CVE-2020-13427 1 Victorcms Project 1 Victorcms 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
Victor CMS 1.0 has Persistent XSS in admin/users.php?source=add_user via the user_name, user_firstname, or user_lastname parameter.
CVE-2016-5845 1 Sap 1 Sapcar 2020-06-25 2.1 LOW 5.5 MEDIUM
SAP SAPCAR does not check the return value of file operations when extracting files, which allows remote attackers to cause a denial of service (program crash) via an invalid file name in an archive file, aka SAP Security Note 2312905.
CVE-2018-19286 1 Mubu 1 Curtain 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
The server in mubu note 2018-11-11 has XSS by configuring an account with a crafted name value (along with an arbitrary username value), and then creating and sharing a note.
CVE-2020-14455 1 Mattermost 1 Mattermost Desktop 2020-06-25 4.3 MEDIUM 6.5 MEDIUM
An issue was discovered in Mattermost Desktop App before 4.4.0. Prompting for HTTP Basic Authentication is mishandled, allowing phishing, aka MMSA-2020-0007.
CVE-2020-14454 1 Mattermost 1 Mattermost Desktop 2020-06-25 5.8 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Desktop App before 4.4.0. Attackers can open web pages in the desktop application because server redirection is mishandled, aka MMSA-2020-0008.
CVE-2019-20847 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 5.18.0. An attacker can send a user_typing WebSocket event to any channel.
CVE-2016-11075 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API.
CVE-2016-11078 1 Mattermost 1 Mattermost Server 2020-06-25 4.0 MEDIUM 6.5 MEDIUM
An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI.
CVE-2016-11079 1 Mattermost 1 Mattermost Server 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL.
CVE-2016-11080 1 Mattermost 1 Mattermost Server 2020-06-25 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details.
CVE-2016-11081 1 Mattermost 1 Mattermost Server 2020-06-25 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.
CVE-2016-11082 1 Mattermost 1 Mattermost Server 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link.
CVE-2016-11083 1 Mattermost 1 Mattermost Server 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.
CVE-2017-18905 1 Mattermost 1 Mattermost Server 2020-06-25 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider. Session invalidation was mishandled.
CVE-2016-11071 1 Mattermost 1 Mattermost Server 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place.
CVE-2017-18904 1 Mattermost 1 Mattermost Server 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file.
CVE-2017-18910 1 Mattermost 1 Mattermost Server 2020-06-25 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. E-mail notifications can have spoofed links.
CVE-2016-11063 1 Mattermost 1 Mattermost Server 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview.
CVE-2016-11070 1 Mattermost 1 Mattermost Server 2020-06-25 3.5 LOW 5.4 MEDIUM
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values.
CVE-2016-11073 1 Mattermost 1 Mattermost Server 2020-06-25 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting.
CVE-2020-8831 2 Apport Project, Canonical 2 Apport, Ubuntu Linux 2020-06-24 2.1 LOW 5.5 MEDIUM
Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory. If the apport/ directory does not exist (this is not uncommon as /var/lock is a tmpfs), it will create the directory, otherwise it will simply continue execution using the existing directory. This allows for a symlink attack if an attacker were to create a symlink at /var/lock/apport, changing apport's lock file location. This file could then be used to escalate privileges, for example. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.
CVE-2020-8833 2 Apport Project, Canonical 2 Apport, Ubuntu Linux 2020-06-24 1.9 LOW 4.7 MEDIUM
Time-of-check Time-of-use Race Condition vulnerability on crash report ownership change in Apport allows for a possible privilege escalation opportunity. If fs.protected_symlinks is disabled, this can be exploited between the os.open and os.chown calls when the Apport cron script clears out crash files of size 0. A symlink with the same name as the deleted file can then be created upon which chown will be called, changing the file owner to root. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.
CVE-2016-11067 1 Mattermost 1 Mattermost Server 2020-06-24 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang.
CVE-2017-18877 1 Mattermost 1 Mattermost Server 2020-06-24 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page.
CVE-2020-10750 1 Linuxfoundation 1 Jaeger 2020-06-24 2.1 LOW 5.5 MEDIUM
A vulnerability in which sensitive information is written to a log file was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials.
CVE-2020-9495 1 Apache 1 Archiva 2020-06-24 5.0 MEDIUM 5.3 MEDIUM
Apache Archiva login service before 2.2.5 is vulnerable to LDAP injection. An attacker is able to retrieve user attribute data from the connected LDAP server by providing special values to the login form. With certain characters it is possible to modify the LDAP filter used to query the LDAP users. By measuring the response time for the login request, arbitrary attribute data can be retrieved from LDAP user objects.
CVE-2016-11068 1 Mattermost 1 Mattermost Server 2020-06-24 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.
CVE-2017-18907 1 Mattermost 1 Mattermost Server 2020-06-24 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header.
CVE-2017-18913 1 Mattermost 1 Mattermost Server 2020-06-24 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. XSS can occur via a link on an error page.
CVE-2020-3337 1 Cisco 1 Umbrella 2020-06-24 5.8 MEDIUM 6.1 MEDIUM
A vulnerability in the web server of Cisco Umbrella could allow an unauthenticated, remote attacker to redirect a user to an undesired web page. The vulnerability is due to improper input validation of the URL parameters in an HTTP request that is sent to an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request that could cause the web application to redirect the request to a specified malicious URL. A successful exploit could allow the attacker to redirect a user to a malicious website.
CVE-2017-18921 1 Mattermost 1 Mattermost Server 2020-06-24 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page.
CVE-2020-3354 1 Cisco 1 Data Center Network Manager 2020-06-24 3.5 LOW 4.8 MEDIUM
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker with administrative credentials to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by inserting malicious data into a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker would need administrative credentials on the affected device.
CVE-2020-3355 1 Cisco 1 Data Center Network Manager 2020-06-24 3.5 LOW 4.8 MEDIUM
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker with administrative credentials to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by inserting malicious data into a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker would need administrative credentials on the affected device.
CVE-2020-3356 1 Cisco 1 Data Center Network Manager 2020-06-24 4.3 MEDIUM 6.1 MEDIUM
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by interacting with the interface in a way that injects malicious content in a log file. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
CVE-2020-3364 1 Cisco 1 Ios Xr 2020-06-24 5.0 MEDIUM 5.3 MEDIUM
A vulnerability in the access control list (ACL) functionality of the standby route processor management interface of Cisco IOS XR Software could allow an unauthenticated, remote attacker to reach the configured IP addresses on the standby route processor management Gigabit Ethernet Management interface. The vulnerability is due to a logic error that was introduced in the Cisco IOS XR Software, which prevents the ACL from working when applied against the standby route processor management interface. An attacker could exploit this vulnerability by attempting to access the device through the standby route processor management interface.
CVE-2020-13961 1 Strapi 1 Strapi 2020-06-24 4.0 MEDIUM 6.5 MEDIUM
Strapi before 3.0.2 could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a global variable without any sanitization. By sending a specially crafted request, an attacker could exploit this vulnerability to update the email template for both password reset and account confirmation emails.
CVE-2020-7932 1 Openmicroscopy 1 Omero.web 2020-06-24 3.5 LOW 5.7 MEDIUM
OMERO.web before 5.6.3 optionally allows sensitive data elements (e.g., a session key) to be passed as URL query parameters. If an attacker tricks a user into clicking a malicious link in OMERO.web, the information in the query parameters may be exposed in the Referer header seen by the target. Information in the URL path such as object IDs may also be exposed.
CVE-2018-19599 1 Monstra 1 Monstra Cms 2020-06-24 3.5 LOW 5.4 MEDIUM
Monstra CMS 1.6 allows XSS via an uploaded SVG document to the admin/index.php?id=filesmanager&path=uploads/ URI. NOTE: this is a discontinued product.
CVE-2020-7492 1 Schneider-electric 1 Gp-pro Ex Firmware 2020-06-24 4.3 MEDIUM 6.5 MEDIUM
A CWE-521: Weak Password Requirements vulnerability exists in GP-Pro EX V1.00 to V4.09.100 which could cause the discovery of the password while the user is entering it, because the password is not masked.
CVE-2017-5905 1 Dollar Bank 1 Dollar Bank Mobile 2020-06-24 4.3 MEDIUM 5.9 MEDIUM
The Dollar Bank Mobile app 2.6.3 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVE-2017-5902 1 Payquicker 1 Mypayquicker 2020-06-24 4.3 MEDIUM 5.9 MEDIUM
The PayQuicker app 1.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.