Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-7912 | 1 Jetbrains | 1 Youtrack | 2020-02-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains YouTrack before 2019.2.59309, SMTP/Jabber settings could be accessed using backups. | |||||
| CVE-2020-7994 | 1 Dolibarr | 1 Dolibarr | 2020-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page; the (2) name[constname] parameter to the /htdocs/admin/const.php?mainmenu=home page; the (3) note[note] parameter to the /htdocs/admin/dict.php?id=10 page; the (4) zip[MAIN_INFO_SOCIETE_ZIP] or email[mail] parameter to the /htdocs/admin/company.php page; the (5) url[defaulturl], field[defaultkey], or value[defaultvalue] parameter to the /htdocs/admin/defaultvalues.php page; the (6) key[transkey] or key[transvalue] parameter to the /htdocs/admin/translation.php page; or the (7) [main_motd] or [main_home] parameter to the /htdocs/admin/ihm.php page. | |||||
| CVE-2012-6133 | 1 Roundup-tracker | 1 Roundup | 2020-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue*. | |||||
| CVE-2013-2294 | 1 Viewgit Project | 1 Viewgit | 2020-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in ViewGit before 0.0.7 allow remote repository users to inject arbitrary web script or HTML via a (1) tag name to the Shortlog table in templates/shortlog.php or branch name to the (2) Shortlog table in templates/shortlog.php or (3) Heads table in plates/summary.php. | |||||
| CVE-2020-5225 | 1 Simplesamlphp | 1 Simplesamlphp | 2020-01-31 | 5.5 MEDIUM | 5.4 MEDIUM |
| Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances, to inject new log lines by manually crafting this report ID. When configured to use the file logging handler, SimpleSAMLphp will output all its logs by appending each log line to a given file. Since the reportID parameter received in a request sent to www/errorreport.php was not properly sanitized, it was possible to inject newline characters into it, effectively allowing a malicious user to inject new log lines with arbitrary content. | |||||
| CVE-2013-0294 | 2 Fedoraproject, Pyrad Project | 2 Fedora, Pyrad | 2020-01-31 | 4.3 MEDIUM | 5.9 MEDIUM |
| packet.py in pyrad before 2.1 uses weak random numbers to generate RADIUS authenticators and hash passwords, which makes it easier for remote attackers to obtain sensitive information via a brute force attack. | |||||
| CVE-2013-1596 | 1 Vivotek | 2 Pt7135, Pt7135 Firmware | 2020-01-31 | 5.0 MEDIUM | 5.3 MEDIUM |
| An Authentication Bypass Vulnerability exists in Vivotek PT7135 IP Camera 0300a and 0400a via specially crafted RTSP packets to TCP port 554. | |||||
| CVE-2020-3121 | 1 Cisco | 90 Sf350-48, Sf350-48 Firmware, Sf350-48mp and 87 more | 2020-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link and access a specific page. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2019-19632 | 1 Bigswitch | 3 Big Cloud Fabric, Big Monitoring Fabric, Multi-cloud Director | 2020-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Big Switch Big Monitoring Fabric 6.2 through 6.2.4, 6.3 through 6.3.9, 7.0 through 7.0.3, and 7.1 through 7.1.3; Big Cloud Fabric 4.5 through 4.5.5, 4.7 through 4.7.7, 5.0 through 5.0.1, and 5.1 through 5.1.4; and Multi-Cloud Director through 1.1.0. An unauthenticated attacker may inject stored arbitrary JavaScript (XSS), and execute it in the content of authenticated administrators. | |||||
| CVE-2020-7910 | 1 Jetbrains | 1 Teamcity | 2020-01-31 | 3.5 LOW | 5.4 MEDIUM |
| JetBrains TeamCity before 2019.2 was vulnerable to a stored XSS attack by a user with the developer role. | |||||
| CVE-2020-7911 | 1 Jetbrains | 1 Teamcity | 2020-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| In JetBrains TeamCity before 2019.2, several user-level pages were vulnerable to XSS. | |||||
| CVE-2020-7913 | 1 Jetbrains | 1 Youtrack | 2020-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| JetBrains YouTrack 2019.2 before 2019.2.59309 was vulnerable to XSS via an issue description. | |||||
| CVE-2006-7246 | 3 Gnome, Opensuse, Suse | 4 Networkmanager, Opensuse, Linux Enterprise Desktop and 1 more | 2020-01-31 | 3.2 LOW | 6.8 MEDIUM |
| NetworkManager 0.9.x does not pin a certificate's subject to an ESSID when 802.11X authentication is used. | |||||
| CVE-2014-8161 | 2 Debian, Postgresql | 2 Debian Linux, Postgresql | 2020-01-31 | 4.0 MEDIUM | 4.3 MEDIUM |
| PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message. | |||||
| CVE-2019-16026 | 1 Cisco | 4 Asr 5000, Asr 5500, Asr 5700 and 1 more | 2020-01-31 | 4.3 MEDIUM | 5.9 MEDIUM |
| A vulnerability in the implementation of the Stream Control Transmission Protocol (SCTP) on Cisco Mobility Management Entity (MME) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an eNodeB that is connected to an affected device. The vulnerability is due to insufficient input validation of SCTP traffic. An attacker could exploit this vulnerability by leveraging a man-in-the-middle position between the eNodeB and the MME and then sending a crafted SCTP message to the MME. A successful exploit would cause the MME to stop sending SCTP messages to the eNodeB, triggering a DoS condition. | |||||
| CVE-2013-3320 | 1 Netapp | 1 Oncommand System Manager | 2020-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in NetApp OnCommand System Manager before 2.2 allows remote attackers to inject arbitrary web script or HTML via the 'full-name' and 'comment' fields. | |||||
| CVE-2020-8426 | 1 Elementor | 1 Elementor Page Builder | 2020-01-31 | 3.5 LOW | 5.4 MEDIUM |
| The Elementor plugin before 2.8.5 for WordPress suffers from a reflected XSS vulnerability on the elementor-system-info page. These can be exploited by targeting an authenticated user. | |||||
| CVE-2012-5776 | 1 Dokeos | 1 Dokeos | 2020-01-31 | 3.5 LOW | 5.4 MEDIUM |
| Dokeos 2.1.1 has multiple XSS issues involving "extra_" parameters in main/auth/profile.php. | |||||
| CVE-2013-0738 | 1 Chamilo | 1 Chamilo | 2020-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Chamilo 1.9.4 has Multiple XSS and HTML Injection Vulnerabilities: blog.php and announcements.php. | |||||
| CVE-2013-0739 | 1 Chamilo | 1 Chamilo | 2020-01-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Chamilo 1.9.4 has XSS due to improper validation of user-supplied input by the chat.php script. | |||||
| CVE-2019-17554 | 1 Apache | 1 Olingo | 2020-01-31 | 4.3 MEDIUM | 5.5 MEDIUM |
| The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks. | |||||
| CVE-2013-0161 | 1 Havalite | 1 Havalite | 2020-01-30 | 3.5 LOW | 5.4 MEDIUM |
| Havalite CMS 1.1.7 has a stored XSS vulnerability | |||||
| CVE-2020-3715 | 1 Magento | 1 Magento | 2020-01-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2020-3717 | 1 Magento | 1 Magento | 2020-01-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a path traversal vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2020-3758 | 1 Magento | 1 Magento | 2020-01-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2020-5226 | 1 Simplesamlphp | 1 Simplesamlphp | 2020-01-30 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script allows error reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a wrapper of an external dependency. This new wrapper allows us to use Twig templates in order to create the email sent with an error report. Since Twig provides automatic escaping of variables, manual escaping of the free-text field in www/errorreport.php was removed to avoid double escaping. However, for those not using the new user interface yet, an email template is hardcoded into the class itself in plain PHP. Since no escaping is provided in this template, it is then possible to inject HTML inside the template by manually crafting the contents of the free-text field. | |||||
| CVE-2015-3154 | 1 Zend | 1 Zend Framework | 2020-01-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email. | |||||
| CVE-2013-6455 | 1 Mediawiki | 1 Mediawiki | 2020-01-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain usernames via vectors related to writing the names to the DOM of a page. | |||||
| CVE-2012-6494 | 1 Rapid7 | 1 Nexpose | 2020-01-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Rapid7 Nexpose before 5.5.4 contains a session hijacking vulnerability which allows remote attackers to capture a user's session and gain unauthorized access. | |||||
| CVE-2013-6451 | 1 Mediawiki | 1 Mediawiki | 2020-01-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values. | |||||
| CVE-2020-2107 | 1 Jenkins | 1 Fortify | 2020-01-30 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Fortify Plugin 19.1.29 and earlier stores proxy server passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2018-5686 | 2 Artifex, Debian | 2 Mupdf, Debian Linux | 2020-01-30 | 4.3 MEDIUM | 5.5 MEDIUM |
| In MuPDF 1.12.0, there is an infinite loop vulnerability and application hang in the pdf_parse_array function (pdf/pdf-parse.c) because EOF is not considered. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted pdf file. | |||||
| CVE-2018-16271 | 1 Samsung | 20 Galaxy Gear, Galaxy Gear Firmware, Gear 2 and 17 more | 2020-01-30 | 3.3 LOW | 6.5 MEDIUM |
| The wemail_consumer_service (from the built-in application wemail) in Samsung Galaxy Gear series allows an unprivileged process to manipulate a user's mailbox, due to improper D-Bus security policy configurations. An arbitrary email can also be sent from the mailbox via the paired smartphone. This affects Tizen-based firmwares including Samsung Galaxy Gear series before build RE2. | |||||
| CVE-2013-2714 | 1 Podpress Project | 1 Podpress | 2020-01-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) in WordPress podPress Plugin 8.8.10.13 could allow remote attackers to inject arbitrary web script or html via the 'playerID' parameter. | |||||
| CVE-2013-2764 | 1 United-security-providers | 1 Secure Entry Server | 2020-01-30 | 5.8 MEDIUM | 6.1 MEDIUM |
| Secure Entry Server before 4.7.0 contains a URI Redirection vulnerability which could allow remote attackers to conduct phishing attacks due to HSP_AbsoluteRedirects being disabled by default. | |||||
| CVE-2014-8490 | 1 Tennisconnect | 1 Components | 2020-01-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in TennisConnect COMPONENTS 9.927 allows remote attackers to inject arbitrary web script or HTML via the pid parameter to index.cfm. | |||||
| CVE-2019-16515 | 1 Connectwise | 1 Control | 2020-01-30 | 6.4 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. Certain HTTP security headers are not used. | |||||
| CVE-2020-2106 | 1 Jenkins | 1 Code Coverage Api | 2020-01-30 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view, resulting in a stored XSS vulnerability exploitable by users able to change job configurations. | |||||
| CVE-2019-4631 | 1 Ibm | 1 Security Secret Server | 2020-01-30 | 5.8 MEDIUM | 6.1 MEDIUM |
| IBM Security Secret Server 10.7 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 170001. | |||||
| CVE-2019-4637 | 1 Ibm | 1 Security Secret Server | 2020-01-30 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Security Secret Server 10.7 uses incomplete blacklisting for input validation which allows attackers to bypass application controls resulting in direct impact to the system and data integrity. IBM X-Force ID: 170043. | |||||
| CVE-2012-4863 | 1 Ibm | 1 Websphere Mq | 2020-01-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM WebSphere MQ 7.1 and 7.5: Queue manager has a DoS vulnerability | |||||
| CVE-2019-4633 | 1 Ibm | 1 Security Secret Server | 2020-01-30 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM Security Secret Server 10.7 could allow an attacker to obtain sensitive information due to an overly permissive CORS policy. IBM X-Force ID: 170007. | |||||
| CVE-2019-4632 | 1 Ibm | 1 Security Secret Server | 2020-01-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM Security Secret Server 10.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 170004. | |||||
| CVE-2020-1787 | 1 Huawei | 2 Mate 20, Mate 20 Firmware | 2020-01-29 | 7.2 HIGH | 6.6 MEDIUM |
| HUAWEI Mate 20 smartphones versions earlier than 9.1.0.139(C00E133R3P1) have an improper authentication vulnerability. The system has a logic error under certain scenario, successful exploit could allow the attacker who gains the privilege of guest user to access to the host user's desktop in an instant, without unlocking the screen lock of the host user. | |||||
| CVE-2020-0003 | 1 Google | 1 Android | 2020-01-29 | 3.7 LOW | 6.7 MEDIUM |
| In onCreate of InstallStart.java, there is a possible package validation bypass due to a time-of-check time-of-use vulnerability. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-8.0 Android ID: A-140195904 | |||||
| CVE-2014-2050 | 1 Owncloud | 1 Owncloud | 2020-01-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header. | |||||
| CVE-2018-5376 | 1 Discuz | 1 Discuzx | 2020-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Discuz! DiscuzX X3.4 has XSS via the include\spacecp\spacecp_upload.php op parameter. | |||||
| CVE-2012-6448 | 1 Cpanel | 1 Webhost Manager | 2020-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) in cPanel WebHost Manager (WHM) 11.34.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2013-4770 | 1 Eucalyptus | 1 Eucalyptus Management Console | 2020-01-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Eucalyptus Management Console (EMC) 4.0.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2020-8090 | 1 A1 | 2 Wlan Box Adb Vv2220, Wlan Box Adb Vv2220 Firmware | 2020-01-29 | 3.5 LOW | 4.8 MEDIUM |
| The Username field in the Storage Service settings of A1 WLAN Box ADB VV2220v2 devices allows stored XSS (after a successful Administrator login). | |||||