| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-1792 | 1 Huawei | 2 Honor V10, Honor V10 Firmware | 2020-03-04 | 7.1 HIGH | 5.5 MEDIUM | Honor V10 smartphones with versions earlier than BKL-AL20 10.0.0.156(C00E156R2P4) and versions earlier than BKL-L09 10.0.0.146(C432E4R1P4) have an out-of-bounds write vulnerability. The software writes data past the end of the intended buffer because of insufficient validation of a certain parameter when initializing a certain driver program. An attacker could trick the user into installing a malicious application; a successful exploit could cause the device to reboot. |
| CVE-2020-1875 | 1 Huawei | 6 Nip6800, Nip6800 Firmware, Secospace Usg6600 and 3 more | 2020-03-04 | 2.1 LOW | 5.5 MEDIUM | NIP6800, Secospace USG6600 and USG9500 products with versions V500R001C30, V500R001C60SPC500 and V500R005C00SPC100 have an invalid pointer access vulnerability. The software system accesses an invalid pointer when an abnormal condition occurs in a certain operation. A successful exploit could cause a certain process to reboot. Affected product versions include: NIP6800 versions V500R001C30, V500R001C60SPC500; Secospace USG6600 versions V500R001C30SPC200, V500R001C30SPC600, V500R001C60SPC500; USG9500 versions V500R001C30SPC200, V500R001C30SPC600, V500R001C60SPC500. |
| CVE-2019-17549 | 1 Eset | 1 Cyber Security | 2020-03-04 | 4.0 MEDIUM | 6.5 MEDIUM | ESET Cyber Security before 6.8.1.0 is vulnerable to a denial of service allowing any user to stop (kill) ESET processes. An attacker can abuse this bug to stop the protection from ESET and launch his attack. |
| CVE-2018-15820 | 1 Easyio | 2 Easyio 30p, Easyio 30p Firmware | 2020-03-04 | 4.3 MEDIUM | 6.1 MEDIUM | EasyIO EasyIO-30P devices before 2.0.5.27 allow XSS via the dev.htm GDN parameter. |
| CVE-2018-14384 | 1 Seopanel | 1 Seo Panel | 2020-03-04 | 3.5 LOW | 4.8 MEDIUM | The Website Manager module in SEO Panel 3.13.0 and earlier is affected by a stored Cross-Site Scripting (XSS) vulnerability, allowing remote authenticated attackers to inject arbitrary web script or HTML via the websites.php name parameter. |
| CVE-2020-1874 | 1 Huawei | 6 Nip6800, Nip6800 Firmware, Secospace Usg6600 and 3 more | 2020-03-03 | 4.9 MEDIUM | 5.5 MEDIUM | NIP6800, Secospace USG6600 and USG9500 products with versions V500R001C30, V500R001C60SPC500 and V500R005C00SPC100 have an invalid pointer access vulnerability. The software system accesses an invalid pointer when an operator logs in to the device and performs some operations. A successful exploit could cause a certain process to reboot. |
| CVE-2020-1877 | 1 Huawei | 6 Nip6800, Nip6800 Firmware, Secospace Usg6600 and 3 more | 2020-03-03 | 4.9 MEDIUM | 4.4 MEDIUM | NIP6800, Secospace USG6600 and USG9500 with versions V500R001C30, V500R001C60SPC500 and V500R005C00SPC100 have an invalid pointer access vulnerability. The software system accesses an invalid pointer when an administrator logs in to the device and performs some operations. A successful exploit could cause a certain process to reboot. |
| CVE-2020-8127 | 1 Revealjs | 1 Reveal.js | 2020-03-03 | 4.3 MEDIUM | 6.1 MEDIUM | Insufficient validation in cross-origin communication (postMessage) in reveal.js version 3.9.1 and earlier allows attackers to perform cross-site scripting attacks. |
| CVE-2020-3170 | 1 Cisco | 16 Mds 9132t, Mds 9148s, Mds 9148t and 13 more | 2020-03-03 | 4.3 MEDIUM | 5.3 MEDIUM | A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an NX-API system process to unexpectedly restart. The vulnerability is due to incorrect validation of the HTTP header of a request that is sent to the NX-API. An attacker could exploit this vulnerability by sending a crafted HTTP request to the NX-API on an affected device. A successful exploit could allow the attacker to cause a denial of service (DoS) condition in the NX-API service; however, the Cisco NX-OS device itself would still be available and passing network traffic. Note: The NX-API feature is disabled by default. |
| CVE-2020-3174 | 1 Cisco | 80 Mds 9132t, Mds 9148s, Mds 9148t and 77 more | 2020-03-03 | 3.3 LOW | 4.7 MEDIUM | A vulnerability in the anycast gateway feature of Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a device to learn invalid Address Resolution Protocol (ARP) entries. The ARP entries are for nonlocal IP addresses for the subnet. The vulnerability is due to improper validation of a received gratuitous ARP (GARP) request. An attacker could exploit this vulnerability by sending a malicious GARP packet on the local subnet to cause the ARP table on the device to become corrupted. A successful exploit could allow the attacker to populate the ARP table with incorrect entries, which could lead to traffic disruptions. |
| CVE-2020-5401 | 1 Cloudfoundry | 1 Routing Release | 2020-03-03 | 5.0 MEDIUM | 5.3 MEDIUM | Cloud Foundry Routing Release, versions prior to 0.197.0, contains GoRouter, which allows malicious clients to send invalid headers, causing caching layers to reject subsequent legitimate clients trying to access the app. |
| CVE-2017-11651 | 1 Nexusphp | 1 Nexusphp | 2020-03-03 | 4.3 MEDIUM | 6.1 MEDIUM | NexusPHP V1.5 has XSS via a javascript: or data: URL in a UBBCode url tag. |
| CVE-2017-11682 | 1 Hashtopolis | 1 Hashtopolis | 2020-03-03 | 4.3 MEDIUM | 6.1 MEDIUM | Stored cross-site scripting vulnerability in Hashtopussy 0.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) version, (2) url, or (3) rootdir parameter in hashcat.php. |
| CVE-2020-5326 | 1 Dell | 348 Chengming 3980, Chengming 3980 Firmware, Embedded Box Pc 5000 and 345 more | 2020-03-03 | 2.1 LOW | 5.3 MEDIUM | Affected Dell Client platforms contain a BIOS Setup configuration authentication bypass vulnerability in the pre-boot Intel Rapid Storage Response Technology (iRST) Manager menu. An attacker with physical access to the system could perform unauthorized changes to the BIOS Setup configuration settings without requiring the BIOS Admin password by selecting the Optimized Defaults option in the pre-boot iRST Manager. |
| CVE-2020-3875 | 1 Apple | 5 Ipados, Iphone Os, Mac Os X and 2 more | 2020-03-03 | 4.3 MEDIUM | 5.5 MEDIUM | A validation issue was addressed with improved input sanitization. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, macOS Catalina 10.15.3, tvOS 13.3.1, watchOS 6.1.2. An application may be able to read restricted memory. |
| CVE-2020-3835 | 1 Apple | 1 Mac Os X | 2020-03-03 | 3.6 LOW | 4.4 MEDIUM | A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Catalina 10.15.3. A malicious application may be able to access restricted files. |
| CVE-2018-19796 | 1 Ninjaforms | 1 Ninja Forms | 2020-03-03 | 5.8 MEDIUM | 6.1 MEDIUM | An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPress allows remote attackers to redirect a user via the lib/StepProcessing/step-processing.php (aka submissions download page) redirect parameter. |
| CVE-2018-17572 | 1 Influxdata | 1 Influxdb | 2020-03-03 | 3.5 LOW | 4.8 MEDIUM | InfluxDB 0.9.5 has reflected XSS in the Write Data module. |
| CVE-2020-6804 | 1 Mozilla | 1 Webthings Gateway | 2020-03-03 | 4.3 MEDIUM | 6.1 MEDIUM | A reflected XSS vulnerability exists within the gateway, allowing an attacker to craft a specialized URL which could steal the user's authentication token. When combined with CVE-2020-6803, an attacker could fully compromise the system. |
| CVE-2020-4196 | 1 Ibm | 1 Tivoli Netcool/Omnibus | 2020-03-03 | 3.5 LOW | 5.4 MEDIUM | IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174907. |
| CVE-2020-4198 | 1 Ibm | 1 Tivoli Netcool/Omnibus | 2020-03-03 | 3.5 LOW | 5.4 MEDIUM | IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174909. |
| CVE-2020-9459 | 1 Webnus | 1 Modern Events Calendar Lite | 2020-03-02 | 3.5 LOW | 5.4 MEDIUM | Multiple stored cross-site scripting (XSS) vulnerabilities in the Webnus Modern Events Calendar Lite plugin through 5.1.6 for WordPress allow remote authenticated users (with minimal permissions) to inject arbitrary JavaScript, HTML, or CSS via Ajax actions. This affects mec_save_notifications and import_settings. |
| CVE-2019-10797 | 1 Wso2 | 1 Transport-http | 2020-03-02 | 4.3 MEDIUM | 6.5 MEDIUM | Netty in WSO2 transport-http before v6.3.1 is vulnerable to HTTP response splitting due to HTTP header validation being disabled. |
| CVE-2019-19525 | 1 Linux | 1 Linux Kernel | 2020-03-02 | 4.9 MEDIUM | 4.6 MEDIUM | In the Linux kernel before 5.3.6, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver, aka CID-7fd25e6fc035. |
| CVE-2020-3833 | 1 Apple | 1 Safari | 2020-03-02 | 4.3 MEDIUM | 4.3 MEDIUM | An inconsistent user interface issue was addressed with improved state management. This issue is fixed in Safari 13.0.5. Visiting a malicious website may lead to address bar spoofing. |
| CVE-2020-3839 | 1 Apple | 1 Mac Os X | 2020-03-02 | 2.1 LOW | 5.5 MEDIUM | A validation issue was addressed with improved input sanitization. This issue is fixed in macOS Catalina 10.15.3. An application may be able to read restricted memory. |
| CVE-2017-8832 | 1 Allen Disk Project | 1 Allen Disk | 2020-03-02 | 4.3 MEDIUM | 6.1 MEDIUM | Allen Disk 1.6 has XSS in the id parameter to downfile.php. |
| CVE-2017-8848 | 1 Allen Disk Project | 1 Allen Disk | 2020-03-02 | 4.3 MEDIUM | 6.5 MEDIUM | Allen Disk 1.6 has CSRF in setpass.php with an impact of changing a password. |
| CVE-2017-9249 | 1 Allen Disk Project | 1 Allen Disk | 2020-03-02 | 3.5 LOW | 5.4 MEDIUM | Cross-site scripting (XSS) vulnerability in Allen Disk 1.6 allows remote authenticated users to inject arbitrary web script or HTML persistently by uploading a crafted HTML file. The attack vector is the content of this file, and the filename must be specified in the PATH_INFO to readfile.php. |
| CVE-2016-10374 | 1 Perltidy Project | 1 Perltidy | 2020-03-02 | 2.1 LOW | 5.5 MEDIUM | perltidy through 20160302, as used by perlcritic, check-all-the-things, and other software, relies on the current working directory for certain output files and does not have a symlink-attack protection mechanism, which allows local users to overwrite arbitrary files by creating a symlink, as demonstrated by creating a perltidy.ERR symlink that the victim cannot delete. |
| CVE-2020-3869 | 1 Apple | 2 Ipados, Iphone Os | 2020-03-02 | 5.0 MEDIUM | 5.3 MEDIUM | An issue existed in the handling of the local user's self-view. The issue was corrected with improved logic. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1. A remote FaceTime user may be able to cause the local user's camera self-view to display the incorrect camera. |
| CVE-2018-20723 | 1 Cacti | 1 Cacti | 2020-03-01 | 3.5 LOW | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color. |
| CVE-2018-20724 | 1 Cacti | 1 Cacti | 2020-03-01 | 3.5 LOW | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors. |
| CVE-2018-20725 | 1 Cacti | 1 Cacti | 2020-03-01 | 3.5 LOW | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label. |
| CVE-2018-20726 | 1 Cacti | 1 Cacti | 2020-03-01 | 3.5 LOW | 5.4 MEDIUM | A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices. |
| CVE-2019-17357 | 1 Cacti | 1 Cacti | 2020-03-01 | 4.0 MEDIUM | 6.5 MEDIUM | Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the template type and id. An authenticated attacker can exploit this to extract data from the database, or an unauthenticated remote attacker could exploit this via Cross-Site Request Forgery. |
| CVE-2020-3169 | 1 Cisco | 16 Firepower 4110, Firepower 4115, Firepower 4120 and 13 more | 2020-02-28 | 7.2 HIGH | 6.7 MEDIUM | A vulnerability in the CLI of Cisco FXOS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with a privilege level of root on an affected device. The vulnerability is due to insufficient validation of arguments passed to a specific CLI command on the affected device. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system with root privileges. An attacker would need valid administrator credentials to exploit this vulnerability. |
| CVE-2019-19865 | 1 Atos | 1 Unify Openscape Uc Web Client | 2020-02-28 | 4.3 MEDIUM | 6.1 MEDIUM | Atos Unify OpenScape UC Application V9 before version V9 R4.31.0 and V10 before version V10 R0.6.0 allows XSS. An attacker could exploit this by convincing an authenticated user to inject arbitrary JavaScript code in the Profile Name field. A browser would execute this stored XSS payload. |
| CVE-2013-7324 | 1 Webkitgtk | 1 Webkitgtk | 2020-02-28 | 5.0 MEDIUM | 5.3 MEDIUM | WebKit-GTK 2.x (any version with HTML5 audio/video support based on GStreamer) allows remote attackers to trigger unexpectedly high sound volume via malicious JavaScript. NOTE: this WebKit-GTK behavior complies with existing W3C standards and existing practices for GNOME desktop integration. |
| CVE-2019-12825 | 1 Gitlab | 1 Gitlab | 2020-02-28 | 4.0 MEDIUM | 4.3 MEDIUM | Unauthorized access to the Container Registry of other groups was discovered in GitLab Enterprise 12.0.0-pre. In other words, authenticated remote attackers can read Docker registries of other groups. When a legitimate user changes the path of a group, Docker registries are not adapted, leaving them in the old namespace. They are not protected and are available to all other users with no previous access to the repo. |
| CVE-2015-4715 | 1 Owncloud | 1 Owncloud | 2020-02-28 | 4.0 MEDIUM | 4.9 MEDIUM | The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values. |
| CVE-2019-14891 | 3 Fedoraproject, Kubernetes, Redhat | 3 Fedora, Cri-o, Openshift Container Platform | 2020-02-28 | 6.0 MEDIUM | 5.0 MEDIUM | A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup. This can result in container management (conmon) processes being killed if a workload process triggers an out-of-memory (OOM) condition for the cgroup. An attacker could abuse this flaw to get host network access on a cri-o host. |
| CVE-2019-12512 | 1 Netgear | 2 Nighthawk X10-r9000, Nighthawk X10-r9000 Firmware | 2020-02-28 | 4.3 MEDIUM | 6.1 MEDIUM | In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, an attacker may execute stored XSS attacks against this device by supplying a malicious X-Forwarded-For header while performing an incorrect login attempt. The value supplied by this header will be inserted into administrative logs, found at Advanced settings->Administration->Logs, and may trigger when the page is viewed. Although this value is inserted into a textarea tag, the attack simply needs to supply a closing textarea tag. |
| CVE-2019-12513 | 1 Netgear | 2 Nighthawk X10-r9000, Nighthawk X10-r9000 Firmware | 2020-02-28 | 4.3 MEDIUM | 6.1 MEDIUM | In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, by sending a DHCP discover request containing a malicious hostname field, an attacker may execute stored XSS attacks against this device. When the malicious DHCP request is received, the device will generate a log entry containing the malicious hostname. This log entry may then be viewed at Advanced settings->Administration->Logs to trigger the exploit. Although this value is inserted into a textarea tag, converted to all-caps, and limited in length, attacks are still possible. |
| CVE-2015-2923 | 1 Freebsd | 1 Freebsd | 2020-02-28 | 3.3 LOW | 6.5 MEDIUM | The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in FreeBSD through 10.1 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message. |
| CVE-2020-7252 | 2 Mcafee, Microsoft | 2 Data Exchange Layer, Windows | 2020-02-28 | 1.9 LOW | 5.5 MEDIUM | Unquoted service executable path in DXL Broker in McAfee Data eXchange Layer (DXL) Framework 6.0.0 and earlier allows local users to cause a denial of service and malicious file execution via carefully crafted and named executable files. |
| CVE-2019-4669 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2020-02-28 | 6.5 MEDIUM | 6.3 MEDIUM | IBM Business Process Manager 8.5.7.0 through 8.5.7.0 2017.06, 8.6.0.0 through 8.6.0.0 CF2018.03, and IBM Business Automation Workflow 18.0.0.1 through 19.0.0.3 are vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 171254. |
| CVE-2019-12954 | 1 Solarwinds | 2 Network Performance Monitor Orion Platform 2018 Netpath, Network Performance Monitor Orion Platform 2018 Npm | 2020-02-28 | 3.5 LOW | 5.4 MEDIUM | SolarWinds Network Performance Monitor (Orion Platform 2018, NPM 12.3, NetPath 1.1.3) allows XSS by authenticated users via a crafted onerror attribute of a VIDEO element in an action for an ALERT. |
| CVE-2013-5594 | 1 Mozilla | 1 Firefox | 2020-02-28 | 4.3 MEDIUM | 4.3 MEDIUM | Mozilla Firefox before 25 allows modification of anonymous content of the pluginProblem.xml binding. |
| CVE-2018-20105 | 3 Opensuse, Suse, Yast2-rmt Project | 3 Leap, Suse Linux Enterprise Server, Yast2-rmt | 2020-02-27 | 2.1 LOW | 5.5 MEDIUM | An Inclusion of Sensitive Information in Log Files vulnerability in yast2-rmt of SUSE Linux Enterprise Server 15 and openSUSE Leap allows local attackers to learn the password if they can access the log file. This issue affects: SUSE Linux Enterprise Server 15 yast2-rmt versions prior to 1.2.2; openSUSE Leap yast2-rmt versions prior to 1.2.2. |
