Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-3212 | 1 Sccu | 1 Space Coast Credit Union | 2020-06-24 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Space Coast Credit Union Mobile app 2.2 for iOS and 2.1.0.1104 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2015-7916 | 1 Sauter-controls | 1 Moduweb Vision | 2020-06-24 | 3.5 LOW | 6.5 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Sauter EY-WS505F0x0 moduWeb Vision before 1.6.0 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query. | |||||
| CVE-2020-14475 | 1 Dolibarr | 1 Dolibarr | 2020-06-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0.3 allows remote attackers to inject arbitrary web script or HTML into public/notice.php (related to transphrase and transkey). | |||||
| CVE-2020-14926 | 1 Cmsmadesimple | 1 Cms Made Simple | 2020-06-24 | 3.5 LOW | 5.4 MEDIUM |
| CMS Made Simple 2.2.14 allows XSS via a Search Term to the admin/moduleinterface.php?mact=ModuleManager page. | |||||
| CVE-2020-14927 | 1 Naviwebs | 1 Navigate Cms | 2020-06-24 | 3.5 LOW | 4.8 MEDIUM |
| Navigate CMS 2.9 allows XSS via the Alias or Real URL field of the "Web Sites > Create > Aliases > Add" screen. | |||||
| CVE-2020-4281 | 1 Ibm | 2 Doors Next, Rational Doors Next Generation | 2020-06-24 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 6.0.2, 6.0.6, 6.0.6.1, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176141. | |||||
| CVE-2020-4295 | 1 Ibm | 2 Doors Next, Rational Doors Next Generation | 2020-06-24 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 6.0.2, 6.0.6, 6.0.6.1, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176408. | |||||
| CVE-2020-4297 | 1 Ibm | 2 Doors Next, Rational Doors Next Generation | 2020-06-24 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 6.0.2, 6.0.6, 6.0.6.1, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176474. | |||||
| CVE-2019-20803 | 1 Gilacms | 1 Gila Cms | 2020-06-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Gila CMS before 1.11.6 has reflected XSS via the admin/content/postcategory id parameter, which is mishandled for g_preview_theme. | |||||
| CVE-2016-11084 | 1 Mattermost | 1 Mattermost Server | 2020-06-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF. | |||||
| CVE-2017-18918 | 1 Mattermost | 1 Mattermost Server | 2020-06-23 | 4.0 MEDIUM | 4.9 MEDIUM |
| An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname. | |||||
| CVE-2016-11076 | 1 Mattermost | 1 Mattermost Server | 2020-06-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL. | |||||
| CVE-2020-3241 | 1 Cisco | 1 Ucs Director | 2020-06-23 | 8.5 HIGH | 6.5 MEDIUM |
| A vulnerability in the orchestration tasks of Cisco UCS Director could allow an authenticated, remote attacker to perform a path traversal attack on an affected device. The vulnerability is due to insufficient validation of user-supplied input on the web-based management interface. An attacker could exploit this vulnerability by creating a task with specific configuration parameters. A successful exploit could allow the attacker to overwrite arbitrary files in the file system of an affected device. | |||||
| CVE-2020-3236 | 1 Cisco | 1 Enterprise Network Function Virtualization Infrastructure | 2020-06-23 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the CLI of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to gain root shell access to the underlying operating system and overwrite or read arbitrary files. The attacker would need valid administrative credentials. This vulnerability is due to improper input validation of CLI command arguments. An attacker could exploit this vulnerability by using path traversal techniques when executing a vulnerable command. A successful exploit could allow the attacker to gain root shell access to the underlying operating system and overwrite or read arbitrary files on an affected device. | |||||
| CVE-2020-3245 | 1 Cisco | 1 Smart Software Manager On-prem | 2020-06-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the web application of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to create arbitrary user accounts. The vulnerability is due to the lack of authorization controls in the web application. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to add user accounts to the configuration of an affected device. These accounts would not be administrator or operator accounts. | |||||
| CVE-2020-12023 | 1 Philips | 1 Intellibridge Enterprise | 2020-06-23 | 2.7 LOW | 4.5 MEDIUM |
| Philips IntelliBridge Enterprise (IBE), Versions B.12 and prior, IntelliBridge Enterprise system integration with SureSigns (VS4), EarlyVue (VS30) and IntelliVue Guardian (IGS). Unencrypted user credentials received in the IntelliBridge Enterprise (IBE) are logged within the transaction logs, which are secured behind the login based administrative web portal. The unencrypted user credentials sent from the affected products listed above, for the purpose of handshake or authentication with the Enterprise Systems, are logged as the payload in IntelliBridge Enterprise (IBE) within the transaction logs. An attacker with administrative privileges could exploit this vulnerability to read plain text credentials from log files. | |||||
| CVE-2020-14199 | 1 Satoshilabs | 4 Trezor Model T, Trezor Model T Firmware, Trezor One and 1 more | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| BIP-143 in the Bitcoin protocol specification mishandles the signing of a Segwit transaction, which allows attackers to trick a user into making two signatures in certain cases, potentially leading to a huge transaction fee. NOTE: this affects all hardware wallets. It was fixed in 1.9.1 for the Trezor One and 2.3.1 for the Trezor Model T. | |||||
| CVE-2020-14408 | 1 Agentejo | 1 Cockpit | 2020-06-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Agentejo Cockpit 0.10.2. Insufficient sanitization of the to parameter in the /auth/login route allows for injection of arbitrary JavaScript code into a web page's content, creating a Reflected XSS attack vector. | |||||
| CVE-2019-20870 | 1 Mattermost | 1 Mattermost Server | 2020-06-23 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Mattermost Server before 5.10.0. An attacker can bypass the intended appearance of the Edited flag after changing a post's file ID. | |||||
| CVE-2019-20872 | 1 Mattermost | 1 Mattermost Server | 2020-06-23 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. SSRF can attack local services. | |||||
| CVE-2020-5363 | 1 Dell | 36 Latitude 5300, Latitude 5300 2-in-1, Latitude 5300 2-in-1 Firmware and 33 more | 2020-06-23 | 7.2 HIGH | 6.7 MEDIUM |
| Select Dell Client Consumer and Commercial platforms include an issue that allows the BIOS Admin password to be changed through Dell's manageability interface without knowledge of the current BIOS Admin password. This could potentially allow an unauthorized actor, with physical access and/or OS administrator privileges to the device, to gain privileged access to the platform and the hard drive. | |||||
| CVE-2020-5362 | 1 Dell | 708 Chengming 3967, Chengming 3967 Firmware, Chengming 3977 and 705 more | 2020-06-23 | 2.1 LOW | 4.4 MEDIUM |
| Dell Client Consumer and Commercial platforms include an improper authorization vulnerability in the Dell Manageability interface for which an unauthorized actor, with local system access with OS administrator privileges, could bypass the BIOS Administrator authentication to restore BIOS Setup configuration to default values. | |||||
| CVE-2019-20889 | 1 Mattermost | 1 Mattermost Server | 2020-06-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation. | |||||
| CVE-2019-20882 | 1 Mattermost | 1 Mattermost Server | 2020-06-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Mattermost Server before 5.8.0. It does not honor the domain requirement when processing a join request for an open team. | |||||
| CVE-2011-3610 | 1 S9y | 1 Serendipity Event Freetag | 2020-06-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-site Scripting (XSS) vulnerability exists in the Serendipity freetag plugin before 3.30 in the tagcloud parameter to plugins/serendipity_event_freetag/tagcloud.swf. | |||||
| CVE-2020-10268 | 1 Kuka | 2 Kr C4, Kr C4 Firmware | 2020-06-23 | 3.6 LOW | 6.1 MEDIUM |
| Critical services for operation can be terminated from windows task manager, bringing the manipulator to a halt. After this a Re-Calibration of the brakes needs to be performed. Be noted that this only can be accomplished either by a Kuka technician or by Kuka issued calibration hardware that interfaces with the manipulator furthering the delay and increasing operational costs. | |||||
| CVE-2019-1003042 | 1 Jenkins | 1 Lockable Resources | 2020-06-23 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting vulnerability in Jenkins Lockable Resources Plugin 2.4 and earlier allows attackers able to control resource names to inject arbitrary JavaScript in web pages rendered by the plugin. | |||||
| CVE-2019-1003046 | 1 Jenkins | 1 Fortify On Demand Uploader | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003058 | 1 Jenkins | 1 Ftp Publisher | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003076 | 1 Jenkins | 1 Audit To Database | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003078 | 1 Jenkins | 1 Vmware Lab Manager Slaves | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003080 | 1 Jenkins | 1 Openshift Deployer | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003082 | 1 Jenkins | 1 Gearman | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003084 | 1 Jenkins | 1 Zephyr Enterprise Test Management | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003086 | 1 Jenkins | 1 Chef Sinatra | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003090 | 1 Jenkins | 1 Soasta Cloudtest | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003092 | 1 Jenkins | 1 Nomad | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-1003098 | 1 Jenkins | 1 Openid | 2020-06-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-12460 | 1 Webport | 1 Web Port | 2020-06-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Web Port 1.19.1 allows XSS via the /access/setup type parameter. | |||||
| CVE-2019-12461 | 1 Webport | 1 Web Port | 2020-06-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Web Port 1.19.1 allows XSS via the /log type parameter. | |||||
| CVE-2020-14213 | 1 Zammad | 1 Zammad | 2020-06-23 | 5.5 MEDIUM | 5.4 MEDIUM |
| In Zammad before 3.3.1, a Customer has ticket access that should only be available to an Agent (e.g., read internal data, split, or merge). | |||||
| CVE-2020-4320 | 5 Hp, Ibm, Linux and 2 more | 6 Hp-ux, Aix, Mq and 3 more | 2020-06-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM MQ Appliance and IBM MQ AMQP Channels 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD do not correctly block or allow clients based on the certificate distinguished name SSLPEER setting. IBM X-Force ID: 177403. | |||||
| CVE-2020-12464 | 1 Linux | 1 Linux Kernel | 2020-06-22 | 7.2 HIGH | 6.7 MEDIUM |
| usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925. | |||||
| CVE-2020-12826 | 3 Canonical, Linux, Redhat | 4 Ubuntu Linux, Linux Kernel, Enterprise Linux and 1 more | 2020-06-22 | 4.4 MEDIUM | 5.3 MEDIUM |
| A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2. Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat. | |||||
| CVE-2020-4052 | 1 Requarks | 1 Wiki.js | 2020-06-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Wiki.js before 2.4.107, there is a stored cross-site scripting through template injection. This vulnerability exists due to an insecure validation mechanism intended to insert v-pre tags into rendered HTML elements which contain curly-braces. By creating a crafted wiki page, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the page is viewed by other users. This has been patched in 2.4.107. | |||||
| CVE-2020-12714 | 1 Ciphermail | 2 Gateway, Webmail Messenger | 2020-06-22 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in CipherMail Community Gateway Virtual Appliances and Professional/Enterprise Gateway Virtual Appliances versions 1.0.1 through 4.7.1-0 and CipherMail Webmail Messenger Virtual Appliances 1.1.1 through 3.1.1-0. A Diffie-Hellman parameter of insufficient size could allow man-in-the-middle compromise of communications between CipherMail products and external SMTP clients. | |||||
| CVE-2019-16252 | 1 Nutfind | 1 Nutfind | 2020-06-22 | 4.3 MEDIUM | 5.9 MEDIUM |
| Missing SSL Certificate Validation in the Nutfind.com application through 3.9.12 for Android allows a man-in-the-middle attacker to sniff and manipulate all API requests, including login credentials and location data. | |||||
| CVE-2019-6173 | 1 Lenovo | 1 Installation Package | 2020-06-22 | 6.9 MEDIUM | 6.5 MEDIUM |
| A DLL search path vulnerability could allow privilege escalation in some Lenovo installation packages, prior to version 1.2.9.3, during installation if an attacker already has administrative privileges. | |||||
| CVE-2020-8336 | 1 Lenovo | 76 Thinkpad E14, Thinkpad E14 Firmware, Thinkpad E15 and 73 more | 2020-06-22 | 4.6 MEDIUM | 6.8 MEDIUM |
| Lenovo implemented Intel CSME Anti-rollback ARB protections on some ThinkPad models to prevent roll back of CSME Firmware in flash. | |||||
| CVE-2020-8321 | 1 Lenovo | 344 130-14ast, 130-14ast Firmware, 130-14ikb and 341 more | 2020-06-22 | 4.6 MEDIUM | 6.7 MEDIUM |
| A potential vulnerability in the SMI callback function used in the System Lock Preinstallation driver in some Lenovo Notebook and ThinkStation models may allow arbitrary code execution. | |||||