Search
Total
9231 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-8607 | 3 Canonical, Debian, Perl | 3 Ubuntu Linux, Debian Linux, Pathtools | 2020-07-15 | 7.5 HIGH | 7.3 HIGH |
| The canonpath function in the File::Spec module in PathTools before 3.62, as used in Perl, does not properly preserve the taint attribute of data, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string. | |||||
| CVE-2018-12207 | 7 Canonical, Debian, F5 and 4 more | 1532 Ubuntu Linux, Debian Linux, Big-ip Access Policy Manager and 1529 more | 2020-07-15 | 4.9 MEDIUM | 6.5 MEDIUM |
| Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R) Processors may allow an authenticated user to potentially enable denial of service of the host system via local access. | |||||
| CVE-2020-7820 | 2 Microsoft, Nexaweb | 3 Windows, Nexacro 14, Nexacro 17 | 2020-07-14 | 7.5 HIGH | 9.8 CRITICAL |
| Nexacro14/17 ExtCommonApiV13 Library under 2019.9.6 version contain a vulnerability that could allow remote attacker to execute arbitrary code by setting the arguments to the vulnerable API. This can be leveraged for code execution by rebooting the victim’s PC | |||||
| CVE-2020-7821 | 2 Microsoft, Nexaweb | 3 Windows, Nexacro 14, Nexacro 17 | 2020-07-14 | 7.5 HIGH | 9.8 CRITICAL |
| Nexacro14/17 ExtCommonApiV13 Library under 2019.9.6 version contain a vulnerability that could allow remote attacker to execute arbitrary code by modifying the value of registry path. This can be leveraged for code execution by rebooting the victim’s PC | |||||
| CVE-2018-20127 | 1 Zzzcms | 1 Zzzphp | 2020-07-14 | 6.4 MEDIUM | 7.5 HIGH |
| An issue was discovered in zzzphp cms 1.5.8. del_file in /admin/save.php allows remote attackers to delete arbitrary files via a mixed-case extension and an extra '.' character, because (for example) "php" is blocked but path=F:/1.phP. succeeds. | |||||
| CVE-2020-8187 | 1 Citrix | 4 Application Delivery Controller, Application Delivery Controller Firmware, Netscaler Gateway and 1 more | 2020-07-13 | 5.0 MEDIUM | 7.5 HIGH |
| Improper input validation in Citrix ADC and Citrix Gateway versions before 11.1-63.9 and 12.0-62.10 allows unauthenticated users to perform a denial of service attack. | |||||
| CVE-2020-2110 | 1 Jenkins | 1 Script Security | 2020-07-13 | 6.5 MEDIUM | 8.8 HIGH |
| Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations. | |||||
| CVE-2020-2109 | 1 Jenkins | 1 Pipeline\ | 2020-07-13 | 6.5 MEDIUM | 8.8 HIGH |
| Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods. | |||||
| CVE-2017-5226 | 1 Projectatomic | 1 Bubblewrap | 2020-07-10 | 7.5 HIGH | 10.0 CRITICAL |
| When executing a program via the bubblewrap sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox. | |||||
| CVE-2020-5970 | 1 Nvidia | 1 Virtual Gpu Manager | 2020-07-10 | 3.6 LOW | 7.1 HIGH |
| NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which an input data size is not validated, which may lead to tampering or denial of service. This affects vGPU version 8.x (prior to 8.4), version 9.x (prior to 9.4) and version 10.x (prior to 10.3). | |||||
| CVE-2018-19591 | 2 Fedoraproject, Gnu | 2 Fedora, Glibc | 2020-07-09 | 5.0 MEDIUM | 7.5 HIGH |
| In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function. | |||||
| CVE-2020-6485 | 1 Google | 2 Chrome, Chrome Os | 2020-07-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient data validation in media router in Google Chrome prior to 83.0.4103.61 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. | |||||
| CVE-2020-14957 | 1 Arswp | 1 Windows Cleanup Assistant | 2020-07-07 | 6.1 MEDIUM | 7.8 HIGH |
| In Windows cleaning assistant 3.2, the driver file (AtpKrnl.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x223CCD. | |||||
| CVE-2020-14956 | 1 Arswp | 1 Windows Cleanup Assistant | 2020-07-07 | 6.1 MEDIUM | 7.8 HIGH |
| In Windows cleaning assistant 3.2, the driver file (AtpKrnl.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x223CCA. | |||||
| CVE-2020-12033 | 1 Rockwellautomation | 1 Factorytalk Services Platform | 2020-07-06 | 5.8 MEDIUM | 8.8 HIGH |
| In Rockwell Automation FactoryTalk Services Platform, all versions, the redundancy host service (RdcyHost.exe) does not validate supplied identifiers, which could allow an unauthenticated, adjacent attacker to execute remote COM objects with elevated privileges. | |||||
| CVE-2020-3767 | 1 Adobe | 1 Coldfusion | 2020-07-01 | 4.3 MEDIUM | 6.5 MEDIUM |
| ColdFusion versions ColdFusion 2016, and ColdFusion 2018 have an insufficient input validation vulnerability. Successful exploitation could lead to application-level denial-of-service (dos). | |||||
| CVE-2020-14939 | 1 Freedroid | 1 Freedroidrpg | 2020-07-01 | 6.8 MEDIUM | 7.8 HIGH |
| An issue was discovered in savestruct_internal.c in FreedroidRPG 1.0rc2. Saved game files are composed of Lua scripts that recover a game's state. A file can be modified to put any Lua code inside, leading to arbitrary code execution while loading. | |||||
| CVE-2018-21264 | 1 Mattermost | 1 Mattermost Server | 2020-06-30 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. It did not enforce the expiration date of a SAML response. | |||||
| CVE-2018-21259 | 1 Mattermost | 1 Mattermost Server | 2020-06-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Mattermost Server before 4.10.1, 4.9.4, and 4.8.2. It allows attackers to cause a denial of service (application hang) via a malformed link in a channel. | |||||
| CVE-2017-18873 | 1 Mattermost | 1 Mattermost Server | 2020-06-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to cause a denial of service (channel invisibility) via a misformatted post. | |||||
| CVE-2019-20848 | 1 Mattermost | 1 Mattermost Mobile | 2020-06-29 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Mobile Apps before 1.26.0. The Quick Reply feature mishandles crafted replies. | |||||
| CVE-2020-1727 | 1 Redhat | 1 Keycloak | 2020-06-29 | 5.5 MEDIUM | 5.4 MEDIUM |
| A vulnerability was found in Keycloak before 9.0.2, where every Authorization URL that points to an IDP server lacks proper input validation as it allows a wide range of characters. This flaw allows a malicious to craft deep links that introduce further attack scenarios on affected clients. | |||||
| CVE-2017-18890 | 1 Mattermost | 1 Mattermost Server | 2020-06-29 | 4.3 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request. | |||||
| CVE-2017-18889 | 1 Mattermost | 1 Mattermost Server | 2020-06-26 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API. | |||||
| CVE-2020-8102 | 1 Bitdefender | 1 Total Security 2020 | 2020-06-26 | 6.8 MEDIUM | 8.8 HIGH |
| Improper Input Validation vulnerability in the Safepay browser component of Bitdefender Total Security 2020 allows an external, specially crafted web page to run remote commands inside the Safepay Utility process. This issue affects Bitdefender Total Security 2020 versions prior to 24.0.20.116. | |||||
| CVE-2019-14047 | 1 Qualcomm | 30 Apq8053, Apq8053 Firmware, Apq8096au and 27 more | 2020-06-26 | 7.2 HIGH | 7.8 HIGH |
| While IPA driver processes route add rule IOCTL, there is no input validation of the rule ID prior to adding the rule to the IPA HW commit list in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8053, APQ8096AU, MDM9607, MSM8909W, MSM8996, MSM8996AU, QCN7605, QCS605, SC8180X, SDA845, SDX20, SDX24, SDX55, SM8150, SXR1130 | |||||
| CVE-2020-10374 | 1 Paessler | 1 Prtg Network Monitor | 2020-06-25 | 7.5 HIGH | 9.8 CRITICAL |
| A webserver component in Paessler PRTG Network Monitor 19.2.50 to PRTG 20.1.56 allows unauthenticated remote command execution via a crafted POST request or the what parameter of the screenshot function in the Contact Support form. | |||||
| CVE-2016-11067 | 1 Mattermost | 1 Mattermost Server | 2020-06-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang. | |||||
| CVE-2020-13961 | 1 Strapi | 1 Strapi | 2020-06-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| Strapi before 3.0.2 could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a global variable without any sanitation. By sending a specially crafted request, an attacker could exploit this vulnerability to update the email template for both password reset and account confirmation emails. | |||||
| CVE-2020-11999 | 1 Rockwellautomation | 2 Factorytalk Linx, Rslinx Classic | 2020-06-24 | 5.5 MEDIUM | 8.1 HIGH |
| FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.00 and prior,Connected Components Workbench: Version 12 and prior, ControlFLASH: Version 14 and later, ControlFLASH Plus: Version 1 and later, FactoryTalk Asset Centre: Version 9 and later, FactoryTalk Linx CommDTM: Version 1 and later, Studio 5000 Launcher: Version 31 and later Stud, 5000 Logix Designer software: Version 32 and prior is vulnerable. An exposed API call allows users to provide files to be processed without sanitation. This may allow an attacker to specify a filename to execute unauthorized code and modify files or data. | |||||
| CVE-2019-20868 | 1 Mattermost | 1 Mattermost Server | 2020-06-23 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 5.11.0. Invite IDs were improperly generated. | |||||
| CVE-2019-20870 | 1 Mattermost | 1 Mattermost Server | 2020-06-23 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Mattermost Server before 5.10.0. An attacker can bypass the intended appearance of the Edited flag after changing a post's file ID. | |||||
| CVE-2018-21262 | 1 Mattermost | 1 Mattermost Server | 2020-06-20 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 4.7.3. It allows attackers to cause a denial of service (application crash) via invalid LaTeX text. | |||||
| CVE-2020-14459 | 1 Mattermost | 1 Mattermost Server | 2020-06-19 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka MMSA-2020-0002. | |||||
| CVE-2020-1825 | 1 Huawei | 1 Fusionaccess | 2020-06-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| FusionAccess with versions earlier than 6.5.1.SPC002 have a Denial of Service (DoS) vulnerability. Due to insufficient verification on specific input, attackers can exploit this vulnerability by sending constructed messages to the affected device through another device on the same network. Successful exploit could cause affected devices to be abnormal. | |||||
| CVE-2015-7703 | 5 Debian, Netapp, Ntp and 2 more | 13 Debian Linux, Clustered Data Ontap, Data Ontap and 10 more | 2020-06-18 | 4.3 MEDIUM | 7.5 HIGH |
| The "pidfile" or "driftfile" directives in NTP ntpd 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77, when ntpd is configured to allow remote configuration, allows remote attackers with an IP address that is allowed to send configuration requests, and with knowledge of the remote configuration password to write to arbitrary files via the :config command. | |||||
| CVE-2016-7434 | 2 Hpe, Ntp | 2 Hpux-ntp, Ntp | 2020-06-18 | 4.3 MEDIUM | 7.5 HIGH |
| The read_mru_list function in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (crash) via a crafted mrulist query. | |||||
| CVE-2015-7702 | 5 Debian, Netapp, Ntp and 2 more | 13 Debian Linux, Clustered Data Ontap, Data Ontap and 10 more | 2020-06-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash). NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750. | |||||
| CVE-2015-7692 | 5 Debian, Netapp, Ntp and 2 more | 13 Debian Linux, Clustered Data Ontap, Data Ontap and 10 more | 2020-06-18 | 5.0 MEDIUM | 7.5 HIGH |
| The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash). NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750. | |||||
| CVE-2015-7691 | 5 Debian, Netapp, Ntp and 2 more | 13 Debian Linux, Clustered Data Ontap, Data Ontap and 10 more | 2020-06-18 | 5.0 MEDIUM | 7.5 HIGH |
| The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted packets containing particular autokey operations. NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750. | |||||
| CVE-2014-9750 | 4 Debian, Ntp, Oracle and 1 more | 6 Debian Linux, Ntp, Linux and 3 more | 2020-06-18 | 5.8 MEDIUM | N/A |
| ntp_crypto.c in ntpd in NTP 4.x before 4.2.8p1, when Autokey Authentication is enabled, allows remote attackers to obtain sensitive information from process memory or cause a denial of service (daemon crash) via a packet containing an extension field with an invalid value for the length of its value field. | |||||
| CVE-2015-7852 | 5 Debian, Netapp, Ntp and 2 more | 14 Debian Linux, Clustered Data Ontap, Data Ontap and 11 more | 2020-06-18 | 4.3 MEDIUM | 5.9 MEDIUM |
| ntpq in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted mode 6 response packets. | |||||
| CVE-2020-7504 | 1 Schneider-electric | 2 Easergy T300, Easergy T300 Firmware | 2020-06-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| A CWE-20: Improper Input Validation vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to disable the webserver service on the device when specially crafted network packets are sent. | |||||
| CVE-2020-13170 | 1 Hashicorp | 1 Consul | 2020-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4. | |||||
| CVE-2016-4456 | 1 Gnu | 1 Gnutls | 2020-06-16 | 5.0 MEDIUM | 7.5 HIGH |
| The "GNUTLS_KEYLOGFILE" environment variable in gnutls 3.4.12 allows remote attackers to overwrite and corrupt arbitrary files in the filesystem. | |||||
| CVE-2017-6059 | 1 Zmartzone | 1 Mod Auth Openidc | 2020-06-16 | 5.0 MEDIUM | 7.5 HIGH |
| Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.14 allows remote attackers to spoof page content via a malicious URL provided to the user, which triggers an invalid request. | |||||
| CVE-2019-20485 | 2 Debian, Redhat | 2 Debian Linux, Libvirt | 2020-06-16 | 2.7 LOW | 5.7 MEDIUM |
| qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a monitor job during a query to a guest agent, which allows attackers to cause a denial of service (API blockage). | |||||
| CVE-2020-13646 | 1 Ijinshan | 1 Cheetah Free Wifi | 2020-06-15 | 6.1 MEDIUM | 7.8 HIGH |
| In Cheetah free WiFi 5.1, the driver file (liebaonat.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x830020f8, 0x830020E0, 0x830020E4, or 0x8300210c. | |||||
| CVE-2019-12439 | 1 Projectatomic | 1 Bubblewrap | 2020-06-15 | 4.6 MEDIUM | 7.8 HIGH |
| bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories in /tmp as a mount point. In some particular configurations (related to XDG_RUNTIME_DIR), a local attacker may abuse this flaw to prevent other users from executing bubblewrap or potentially execute code. | |||||
| CVE-2020-0196 | 1 Google | 1 Android | 2020-06-15 | 3.3 LOW | 6.5 MEDIUM |
| In RegisterNotificationResponse::GetEvent of register_notification_packet.cc, there is a possible abort due to improper input validation. This could lead to remote denial of service of the Bluetooth service, over Bluetooth, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-144066833 | |||||