Search
Total
21119 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-29041 | 1 Sesame-system | 1 Web-sesame | 2021-01-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| A misconfiguration in Web-Sesame 2020.1.1.3375 allows an unauthenticated attacker to download the source code of the application, facilitating its comprehension (code review). Specifically, JavaScript source maps were inadvertently included in the production Webpack configuration. These maps contain sources used to generate the bundle, configuration settings (e.g., API keys), and developers' comments. | |||||
| CVE-2019-18642 | 1 Sparkdevnetwork | 1 Rock Rms | 2021-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| Rock RMS version before 8.6 is vulnerable to account takeover by tampering with the user ID parameter in the profile update feature. The lack of validation and use of sequential user IDs allows any user to change account details of any other user. This vulnerability could be used to change the email address of another account, even the administrator account. Upon changing another account's email address, performing a password reset to the new email address could allow an attacker to take over any account. | |||||
| CVE-2018-7206 | 1 Jupyter | 1 Oauthenticator | 2021-01-13 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Project Jupyter JupyterHub OAuthenticator 0.6.x before 0.6.2 and 0.7.x before 0.7.3. When using JupyterHub with GitLab group whitelisting for access control, group membership was not checked correctly, allowing members not in the whitelisted groups to create accounts on the Hub. (Users were not allowed to access other users' accounts, but could create their own accounts on the Hub linked to their GitLab account. GitLab authentication not using gitlab_group_whitelist is unaffected. No other Authenticators are affected.) | |||||
| CVE-2019-19282 | 1 Siemens | 6 Openpcs 7, Simatic Batch, Simatic Net Pc and 3 more | 2021-01-12 | 7.1 HIGH | 7.5 HIGH |
| A vulnerability has been identified in OpenPCS 7 V8.1 (All versions), OpenPCS 7 V8.2 (All versions), OpenPCS 7 V9.0 (All versions < V9.0 Upd3), SIMATIC BATCH V8.1 (All versions), SIMATIC BATCH V8.2 (All versions), SIMATIC BATCH V9.0 (All versions < V9.0 SP1 Upd5), SIMATIC NET PC Software (All versions < V16 Update 1), SIMATIC PCS 7 V8.1 (All versions), SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP3), SIMATIC Route Control V8.1 (All versions), SIMATIC Route Control V8.2 (All versions), SIMATIC Route Control V9.0 (All versions < V9.0 Upd4), SIMATIC WinCC (TIA Portal) V13 (All versions < V13 SP2), SIMATIC WinCC (TIA Portal) V14 (All versions < V14 SP1 Update 10), SIMATIC WinCC (TIA Portal) V15.1 (All versions < V15.1 Update 5), SIMATIC WinCC (TIA Portal) V16 (All versions < V16 Update 1), SIMATIC WinCC V7.3 (All versions), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 14), SIMATIC WinCC V7.5 (All versions < V7.5 SP1 Update 1). Through specially crafted messages, when encrypted communication is enabled, an attacker with network access could use the vulnerability to compromise the availability of the system by causing a Denial-of-Service condition. Successful exploitation requires no system privileges and no user interaction. | |||||
| CVE-2020-2894 | 1 Oracle | 1 Vm Virtualbox | 2021-01-12 | 4.6 MEDIUM | 8.2 HIGH |
| Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.40, prior to 6.0.20 and prior to 6.1.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). | |||||
| CVE-2020-36166 | 2 Microsoft, Veritas | 5 Windows, Infoscale, Infoscale Operations Manager and 2 more | 2021-01-12 | 7.2 HIGH | 8.8 HIGH |
| An issue was discovered in Veritas InfoScale 7.x through 7.4.2 on Windows, Storage Foundation through 6.1 on Windows, Storage Foundation HA through 6.1 on Windows, and InfoScale Operations Manager (aka VIOM) Windows Management Server 7.x through 7.4.2. On start-up, it loads the OpenSSL library from \usr\local\ssl. This library attempts to load the \usr\local\ssl\openssl.cnf configuration file, which may not exist. On Windows systems, this path could translate to <drive>:\usr\local\ssl\openssl.cnf, where <drive> could be the default Windows installation drive such as C:\ or the drive where a Veritas product is installed. By default, on Windows systems, users can create directories under any top-level directory. A low privileged user can create a <drive>:\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. | |||||
| CVE-2020-35112 | 2 Microsoft, Mozilla | 4 Windows, Firefox, Firefox Esr and 1 more | 2021-01-12 | 6.8 MEDIUM | 8.8 HIGH |
| If a user downloaded a file lacking an extension on Windows, and then "Open"-ed it from the downloads panel, if there was an executable file in the downloads directory with the same name but with an executable extension (such as .bat or .exe) that executable would have been launched instead. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. | |||||
| CVE-2020-35111 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2021-01-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. | |||||
| CVE-2020-26978 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2021-01-12 | 5.8 MEDIUM | 6.1 MEDIUM |
| Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. | |||||
| CVE-2020-26977 | 1 Mozilla | 1 Firefox | 2021-01-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| By attempting to connect a website using an unresponsive port, an attacker could have controlled the content of a tab while the URL bar displayed the original domain. *Note: This issue only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84. | |||||
| CVE-2020-36165 | 2 Microsoft, Veritas | 2 Windows, Desktop And Laptop Option | 2021-01-12 | 7.2 HIGH | 8.8 HIGH |
| An issue was discovered in Veritas Desktop and Laptop Option (DLO) before 9.4. On start-up, it loads the OpenSSL library from /ReleaseX64/ssl. This library attempts to load the /ReleaseX64/ssl/openssl.cnf configuration file, which does not exist. By default, on Windows systems, users can create directories under C:\. A low privileged user can create a C:/ReleaseX64/ssl/openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. This impacts DLO server and client installations. | |||||
| CVE-2020-36161 | 2 Microsoft, Veritas | 2 Windows, Aptare It Analytics | 2021-01-12 | 7.2 HIGH | 8.8 HIGH |
| An issue was discovered in Veritas APTARE 10.4 before 10.4P9 and 10.5 before 10.5P3. By default, on Windows systems, users can create directories under C:\. A low privileged user can create a directory at the configuration file locations. When the Windows system restarts, a malicious OpenSSL engine could exploit arbitrary code execution as SYSTEM. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. | |||||
| CVE-2020-26975 | 1 Mozilla | 1 Firefox | 2021-01-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84. | |||||
| CVE-2020-16012 | 2 Google, Mozilla | 2 Chrome, Firefox | 2021-01-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2020-28672 | 1 Monocms | 1 Monocms | 2021-01-12 | 9.0 HIGH | 7.2 HIGH |
| MonoCMS Blog 1.0 is affected by incorrect access control that can lead to remote arbitrary code execution. At monofiles/category.php:27, user input can be saved to category/[foldername]/index.php causing RCE. | |||||
| CVE-2020-16020 | 1 Google | 2 Chrome, Chrome Os | 2021-01-12 | 6.8 MEDIUM | 8.8 HIGH |
| Inappropriate implementation in cryptohome in Google Chrome on ChromeOS prior to 87.0.4280.66 allowed a remote attacker who had compromised the browser process to bypass discretionary access control via a malicious file. | |||||
| CVE-2020-16019 | 1 Google | 2 Chrome, Chrome Os | 2021-01-12 | 6.8 MEDIUM | 8.8 HIGH |
| Inappropriate implementation in filesystem in Google Chrome on ChromeOS prior to 87.0.4280.66 allowed a remote attacker who had compromised the browser process to bypass noexec restrictions via a malicious file. | |||||
| CVE-2020-26973 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2021-01-11 | 6.8 MEDIUM | 8.8 HIGH |
| Certain input to the CSS Sanitizer confused it, resulting in incorrect components being removed. This could have been used as a sanitizer bypass. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. | |||||
| CVE-2020-36162 | 2 Microsoft, Veritas | 3 Windows, Cloudpoint, Netbackup Cloudpoint | 2021-01-11 | 7.2 HIGH | 8.8 HIGH |
| An issue was discovered in Veritas CloudPoint before 8.3.0.1+hotfix. The CloudPoint Windows Agent leverages OpenSSL. This OpenSSL library attempts to load the \usr\local\ssl\openssl.cnf configuration file, which does not exist. By default, on Windows systems users can create directories under <drive>:\. A low privileged user can create a <drive>:\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, which may result in arbitrary code execution. This would give the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. | |||||
| CVE-2020-36164 | 2 Microsoft, Veritas | 2 Windows, Enterprise Vault | 2021-01-11 | 7.2 HIGH | 8.8 HIGH |
| An issue was discovered in Veritas Enterprise Vault through 14.0. On start-up, it loads the OpenSSL library. The OpenSSL library then attempts to load the openssl.cnf configuration file (which does not exist) at the following locations in both the System drive (typically C:\) and the product's installation drive (typically not C:\): \Isode\etc\ssl\openssl.cnf (on SMTP Server) or \user\ssl\openssl.cnf (on other affected components). By default, on Windows systems, users can create directories under C:\. A low privileged user can create a openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. This vulnerability only affects a server with MTP Server, SMTP Archiving IMAP Server, IMAP Archiving, Vault Cloud Adapter, NetApp File server, or File System Archiving for NetApp as File Server. | |||||
| CVE-2020-36163 | 2 Microsoft, Veritas | 3 Windows, Netbackup, Opscenter | 2021-01-11 | 7.2 HIGH | 8.8 HIGH |
| An issue was discovered in Veritas NetBackup and OpsCenter through 8.3.0.1. NetBackup processes using Strawberry Perl attempt to load and execute libraries from paths that do not exist by default on the Windows operating system. By default, on Windows systems, users can create directories under C:\. If a low privileged user on the Windows system creates an affected path with a library that NetBackup attempts to load, they can execute arbitrary code as SYSTEM or Administrator. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. This affects NetBackup master servers, media servers, clients, and OpsCenter servers on the Windows platform. The system is vulnerable during an install or upgrade on all systems and post-install on Master, Media, and OpsCenter servers during normal operations. | |||||
| CVE-2020-36160 | 2 Microsoft, Veritas | 2 Windows, System Recovery | 2021-01-11 | 7.2 HIGH | 8.8 HIGH |
| An issue was discovered in Veritas System Recovery before 21.2. On start-up, it loads the OpenSSL library from \usr\local\ssl. This library attempts to load the from \usr\local\ssl\openssl.cnf configuration file, which does not exist. By default, on Windows systems, users can create directories under C:\. A low privileged user can create a C:\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data and installed applications, etc. If the system is also an Active Directory domain controller, then this can affect the entire domain. | |||||
| CVE-2020-36169 | 2 Microsoft, Veritas | 3 Windows, Netbackup, Opscenter | 2021-01-11 | 7.2 HIGH | 8.8 HIGH |
| An issue was discovered in Veritas NetBackup through 8.3.0.1 and OpsCenter through 8.3.0.1. Processes using OpenSSL attempt to load and execute libraries from paths that do not exist by default on the Windows operating system. By default, on Windows systems, users can create directories under the top level of any drive. If a low privileged user creates an affected path with a library that the Veritas product attempts to load, they can execute arbitrary code as SYSTEM or Administrator. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. This vulnerability affects master servers, media servers, clients, and OpsCenter servers on the Windows platform. The system is vulnerable during an install or upgrade and post-install during normal operations. | |||||
| CVE-2020-36168 | 1 Veritas | 1 Resiliency Platform | 2021-01-11 | 7.2 HIGH | 8.8 HIGH |
| An issue was discovered in Veritas Resiliency Platform 3.4 and 3.5. It leverages OpenSSL on Windows systems when using the Managed Host addon. On start-up, it loads the OpenSSL library. This library may attempt to load the openssl.cnf configuration file, which does not exist. By default, on Windows systems, users can create directories under C:\. A low privileged user can create a C:\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. | |||||
| CVE-2012-5568 | 2 Apache, Opensuse | 2 Tomcat, Opensuse | 2021-01-11 | 5.0 MEDIUM | N/A |
| Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris. | |||||
| CVE-2020-16036 | 1 Google | 1 Chrome | 2021-01-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in cookies in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to bypass cookie restrictions via a crafted HTML page. | |||||
| CVE-2020-16034 | 1 Google | 1 Chrome | 2021-01-11 | 4.3 MEDIUM | 4.3 MEDIUM |
| Inappropriate implementation in WebRTC in Google Chrome prior to 87.0.4280.66 allowed a local attacker to bypass policy restrictions via a crafted HTML page. | |||||
| CVE-2020-16035 | 1 Google | 2 Chrome, Chrome Os | 2021-01-11 | 6.8 MEDIUM | 8.8 HIGH |
| Insufficient data validation in cros-disks in Google Chrome on ChromeOS prior to 87.0.4280.66 allowed a remote attacker who had compromised the browser process to bypass noexec restrictions via a malicious file. | |||||
| CVE-2020-16016 | 1 Google | 1 Chrome | 2021-01-11 | 6.8 MEDIUM | 9.6 CRITICAL |
| Inappropriate implementation in base in Google Chrome prior to 86.0.4240.193 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | |||||
| CVE-2020-35952 | 1 Php-fusion | 1 Php-fusion | 2021-01-11 | 4.0 MEDIUM | 6.5 MEDIUM |
| login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow enumeration. | |||||
| CVE-2020-36170 | 1 Ultimatemember | 1 Ultimate Member | 2021-01-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Ultimate Member plugin before 2.1.13 for WordPress mishandles hidden name="timestamp" fields in forms. | |||||
| CVE-2020-29478 | 2 Broadcom, Microsoft | 2 Ca Service Catalog, Windows | 2021-01-08 | 5.0 MEDIUM | 7.5 HIGH |
| CA Service Catalog 17.2 and 17.3 contain a vulnerability in the default configuration of the Setup Utility that may allow a remote attacker to cause a denial of service condition. | |||||
| CVE-2021-3022 | 1 Google | 1 Android | 2021-01-08 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered on LG mobile devices with Android OS 10 software. There was no write protection for the MTK protect2 partition. The LG ID is LVE-SMP-200028 (January 2021). | |||||
| CVE-2021-22494 | 2 Google, Samsung | 2 Android, Galaxy Note 20 | 2021-01-08 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in the fingerprint scanner on Samsung Note20 mobile devices with Q(10.0) software. When a screen protector is used, the required image compensation is not present. Consequently, inversion can occur during fingerprint enrollment, and a high False Recognition Rate (FRR) can occur. The Samsung ID is SVE-2020-19216 (January 2021). | |||||
| CVE-2020-36159 | 1 Veritas | 1 Desktop And Laptop Option | 2021-01-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| Veritas Desktop and Laptop Option (DLO) before 9.5 disclosed operational information on the backup processing status through a URL that did not require authentication. | |||||
| CVE-2020-25850 | 1 Hgiga | 2 Msr45 Isherlock-user, Ssr45 Isherlock-user | 2021-01-08 | 5.0 MEDIUM | 7.5 HIGH |
| The function, view the source code, of HGiga MailSherlock does not validate specific characters. Remote attackers can use this flaw to download arbitrary system files. | |||||
| CVE-2021-3005 | 1 Mk-auth | 1 Mk-auth | 2021-01-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| MK-AUTH through 19.01 K4.9 allows remote attackers to obtain sensitive information (e.g., a CPF number) via a modified titulo (aka invoice number) value to the central/recibo.php URI. | |||||
| CVE-2020-36066 | 1 Gjson Project | 1 Gjson | 2021-01-07 | 5.0 MEDIUM | 7.5 HIGH |
| GJSON <1.6.5 allows attackers to cause a denial of service (remote) via crafted JSON. | |||||
| CVE-2020-35864 | 1 Google | 1 Flatbuffers | 2021-01-07 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the flatbuffers crate through 2020-04-11 for Rust. read_scalar (and read_scalar_at) can transmute values without unsafe blocks. | |||||
| CVE-2020-28841 | 1 Drivergenius | 1 Drivergenius Firmware | 2021-01-07 | 7.1 HIGH | 5.5 MEDIUM |
| MyDrivers64.sys in DriverGenius 9.61.3708.3054 allows attackers to cause a system crash via the ioctl command 0x9c402000 to \\.\MyDrivers0_0_1. | |||||
| CVE-2016-20006 | 1 Rest\/json Project | 1 Rest\/json | 2021-01-07 | 5.0 MEDIUM | 7.5 HIGH |
| The REST/JSON project 7.x-1.x for Drupal allows blockage of user logins, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. | |||||
| CVE-2020-35865 | 1 Os Str Bytes Project | 1 Os Str Bytes | 2021-01-07 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the os_str_bytes crate before 2.0.0 for Rust. It has false expectations about char::from_u32_unchecked behavior. | |||||
| CVE-2020-35879 | 1 Rulinalg Project | 1 Rulinalg | 2021-01-07 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the rulinalg crate through 2020-02-11 for Rust. There are incorrect lifetime-boundary definitions for RowMut::raw_slice and RowMut::raw_slice_mut. | |||||
| CVE-2020-35880 | 1 Bigint Project | 1 Bigint | 2021-01-07 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the bigint crate through 2020-05-07 for Rust. It allows a soundness violation. | |||||
| CVE-2019-25004 | 1 Google | 1 Flatbuffers | 2021-01-06 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the flatbuffers crate before 0.6.1 for Rust. Arbitrary bytes can be reinterpreted as a bool, defeating soundness. | |||||
| CVE-2020-35904 | 1 Crossbeam-channel Project | 1 Crossbeam-channel | 2021-01-06 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in the crossbeam-channel crate before 0.4.4 for Rust. It has incorrect expectations about the relationship between the memory allocation and how many iterator elements there are. | |||||
| CVE-2020-7771 | 1 Asciitable.js Project | 1 Asciitable.js | 2021-01-06 | 7.5 HIGH | 9.8 CRITICAL |
| The package asciitable.js before 1.0.3 are vulnerable to Prototype Pollution via the main function. | |||||
| CVE-2020-35919 | 1 Net2 Project | 1 Net2 | 2021-01-06 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in the net2 crate before 0.2.36 for Rust. It has false expectations about the std::net::SocketAddr memory representation. | |||||
| CVE-2020-35920 | 1 Rust-lang | 1 Socket2 | 2021-01-06 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in the socket2 crate before 0.3.16 for Rust. It has false expectations about the std::net::SocketAddr memory representation. | |||||
| CVE-2020-35921 | 1 Miow Project | 1 Miow | 2021-01-06 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in the miow crate before 0.3.6 for Rust. It has false expectations about the std::net::SocketAddr memory representation. | |||||