Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-35909 | 1 Protocol | 1 Multihash | 2021-01-14 | 7.8 HIGH | 7.5 HIGH |
| An issue was discovered in the multihash crate before 0.11.3 for Rust. The from_slice parsing code can panic via unsanitized data from a network server. | |||||
| CVE-2020-11995 | 1 Apache | 1 Dubbo | 2021-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protool, during Hessian2 deserializing the HashMap object, some functions in the classes stored in HasMap will be executed after a series of program calls, however, those special functions may cause remote command execution. For example, the hashCode() function of the EqualsBean class in rome-1.7.0.jar will cause the remotely load malicious classes and execute malicious code by constructing a malicious request. This issue was fixed in Apache Dubbo 2.6.9 and 2.7.8. | |||||
| CVE-2021-23927 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 5.5 MEDIUM | 6.4 MEDIUM |
| OX App Suite through 7.10.4 allows SSRF via a URL with an @ character in an appsuite/api/oauth/proxy PUT request. | |||||
| CVE-2021-23928 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifests query string. | |||||
| CVE-2021-23929 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.4 allows XSS via a crafted Content-Disposition header in an uploaded HTML document to an ajax/share/<share-token>?delivery=view URI. | |||||
| CVE-2021-23930 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.4 allows XSS via use of the conversion API for a distributedFile. | |||||
| CVE-2021-23931 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.4 allows XSS via an inline binary file. | |||||
| CVE-2021-23932 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.4 allows XSS via an inline image with a crafted filename. | |||||
| CVE-2021-23933 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.4 allows XSS via JavaScript in a Note referenced by a mail:// URL. | |||||
| CVE-2021-23934 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.4 allows XSS via a contact whose name contains JavaScript code. | |||||
| CVE-2021-23935 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.4 allows XSS via an appointment in which the location contains JavaScript code. | |||||
| CVE-2021-23936 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| OX App Suite through 7.10.4 allows XSS via the subject of a task. | |||||
| CVE-2018-16042 | 5 Adobe, Apple, Iskysoft and 2 more | 8 Acrobat Dc, Acrobat Reader Dc, Reader and 5 more | 2021-01-14 | 6.4 MEDIUM | 6.5 MEDIUM |
| Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008.20080 and earlier, 2019.008.20081 and earlier, 2017.011.30106 and earlier version, 2017.011.30105 and earlier version, 2015.006.30457 and earlier, and 2015.006.30456 and earlier have a security bypass vulnerability. Successful exploitation could lead to information disclosure. | |||||
| CVE-2020-13922 | 1 Apache | 1 Dolphinscheduler | 2021-01-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another users password through the API interface. | |||||
| CVE-2020-24003 | 1 Microsoft | 1 Skype | 2021-01-14 | 2.1 LOW | 3.3 LOW |
| Microsoft Skype through 8.59.0.77 on macOS has the disable-library-validation entitlement, which allows a local process (with the user's privileges) to obtain unprompted microphone and camera access by loading a crafted library and thereby inheriting Skype Client's microphone and camera access. | |||||
| CVE-2020-14005 | 1 Solarwinds | 2 Orion Network Performance Monitor, Orion Web Performance Monitor | 2021-01-14 | 9.0 HIGH | 8.8 HIGH |
| Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows remote attackers to execute arbitrary code via a defined event. | |||||
| CVE-2020-23630 | 1 Zzcms | 1 Zzcms | 2021-01-14 | 6.5 MEDIUM | 8.8 HIGH |
| A blind SQL injection vulnerability exists in zzcms ver201910 based on time (cookie injection). | |||||
| CVE-2018-18688 | 11 Apple, Code-industry, Foxitsoftware and 8 more | 16 Macos, Master Pdf Editor, Foxit Reader and 13 more | 2021-01-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, an Incremental Saving vulnerability exists in multiple products. When an attacker uses the Incremental Saving feature to add pages or annotations, Body Updates are displayed to the user without any action by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects LibreOffice, Master PDF Editor, Nitro Pro, Nitro Reader, Nuance Power PDF Standard, PDF Editor 6 Pro, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, Perfect PDF 10 Premium, and Perfect PDF Reader. | |||||
| CVE-2021-1060 | 7 Citrix, Linux, Microsoft and 4 more | 7 Hypervisor, Linux Kernel, Windows and 4 more | 2021-01-14 | 3.6 LOW | 7.1 HIGH |
| NVIDIA vGPU software contains a vulnerability in the guest kernel mode driver and vGPU plugin, in which an input index is not validated, which may lead to tampering of data or denial of service. This affects vGPU version 8.x (prior to 8.6) and version 11.0 (prior to 11.3). | |||||
| CVE-2020-28396 | 1 Siemens | 6 Sicam A8000 Cp-8000, Sicam A8000 Cp-8000 Firmware, Sicam A8000 Cp-8021 and 3 more | 2021-01-14 | 4.9 MEDIUM | 7.3 HIGH |
| A vulnerability has been identified in SICAM A8000 CP-8000 (All versions < V16), SICAM A8000 CP-8021 (All versions < V16), SICAM A8000 CP-8022 (All versions < V16). A web server misconfiguration of the affected device can cause insecure ciphers usage by a user´s browser. An attacker in a privileged position could decrypt the communication and compromise confidentiality and integrity of the transmitted information. | |||||
| CVE-2020-36190 | 1 Rails Admin Project | 1 Rails Admin | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| RailsAdmin (aka rails_admin) before 1.4.3 and 2.x before 2.0.2 allows XSS via nested forms. | |||||
| CVE-2020-4079 | 1 Combodo | 1 Itop | 2021-01-14 | 4.0 MEDIUM | 7.7 HIGH |
| Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 2.8.0, when the ajax endpoint for the "excel export" portal functionality is called directly it allows getting data without scope filtering. This allows a user to access data they which they should not have access to. This is fixed in versions 2.7.2 and 3.0.0. | |||||
| CVE-2020-5805 | 1 Marvell | 1 Qconvergeconslole Gui | 2021-01-14 | 9.0 HIGH | 8.8 HIGH |
| In Marvell QConvergeConsole GUI <= 5.5.0.74, credentials are stored in cleartext in tomcat-users.xml. OS-level users on the QCC host who are not authorized to use QCC may use the plaintext credentials to login to QCC. | |||||
| CVE-2020-5146 | 1 Sonicwall | 2 Sma 100, Sma 100 Firmware | 2021-01-14 | 9.0 HIGH | 7.2 HIGH |
| A vulnerability in SonicWall SMA100 appliance allow an authenticated management-user to perform OS command injection using HTTP POST parameters. This vulnerability affected SMA100 Appliance version 10.2.0.2-20sv and earlier. | |||||
| CVE-2020-27262 | 1 Innokasmedical | 2 Vital Signs Monitor Vc150, Vital Signs Monitor Vc150 Firmware | 2021-01-14 | 3.5 LOW | 5.4 MEDIUM |
| Innokas Yhtymä Oy Vital Signs Monitor VC150 prior to Version 1.7.15 A stored cross-site scripting (XSS) vulnerability exists in the affected products that allow an attacker to inject arbitrary web script or HTML via the filename parameter to multiple update endpoints of the administrative web interface. | |||||
| CVE-2020-27260 | 1 Innokasmedical | 2 Vital Signs Monitor Vc150, Vital Signs Monitor Vc150 Firmware | 2021-01-14 | 2.1 LOW | 5.3 MEDIUM |
| Innokas Yhtymä Oy Vital Signs Monitor VC150 prior to Version 1.7.15 HL7 v2.x injection vulnerabilities exist in the affected products that allow physically proximate attackers with a connected barcode reader to inject HL7 v2.x segments into specific HL7 v2.x messages via multiple expected parameters. | |||||
| CVE-2020-25680 | 1 Redhat | 1 Jboss Core Services Httpd | 2021-01-14 | 5.5 MEDIUM | 5.4 MEDIUM |
| A flaw was found in JBCS httpd in version 2.4.37 SP3, where it uses a back-end worker SSL certificate with the keystore file's ID is 'unknown'. The validation of the certificate whether CN and hostname are matching stopped working and allow connecting to the back-end work. The highest threat from this vulnerability is to data integrity. | |||||
| CVE-2020-26294 | 1 Target | 1 Compiler | 2021-01-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets. | |||||
| CVE-2020-36167 | 1 Veritas | 1 Backup Exec | 2021-01-14 | 7.2 HIGH | 8.8 HIGH |
| An issue was discovered in the server in Veritas Backup Exec through 16.2, 20.6 before hotfix 298543, and 21.1 before hotfix 657517. On start-up, it loads the OpenSSL library from the Installation folder. This library in turn attempts to load the /usr/local/ssl/openssl.cnf configuration file, which may not exist. On Windows systems, this path could translate to <drive>:\usr\local\ssl\openssl.cnf. A low privileged user can create a :\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. If the system is also an Active Directory domain controller, then this can affect the entire domain. | |||||
| CVE-2020-26773 | 1 Restaurant Reservation System Project | 1 Restaurant Reservation System | 2021-01-14 | 6.5 MEDIUM | 8.8 HIGH |
| Restaurant Reservation System 1.0 suffers from an authenticated SQL injection vulnerability, which allows a remote, authenticated attacker to execute arbitrary SQL commands via the date parameter in includes/reservation.inc.php. | |||||
| CVE-2019-19935 | 1 Froala | 1 Froala Editor | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Froala Editor before 3.2.3 allows XSS. | |||||
| CVE-2021-21470 | 1 Sap | 1 Enterprise Performance Management | 2021-01-14 | 3.6 LOW | 4.4 MEDIUM |
| SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP Analysis Office, version - 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which could result in XXE-based attacks in applications that accept attacker-controlled XML configuration files. This occurs as logging service does not disable XML external entities when parsing configuration files and a successful exploit would result in limited impact on integrity and availability of the application. | |||||
| CVE-2019-25002 | 1 Sodiumoxide Project | 1 Sodiumoxide | 2021-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the sodiumoxide crate before 0.2.5 for Rust. generichash::Digest::eq compares itself to itself and thus has degenerate security properties. | |||||
| CVE-2020-10206 | 1 Amino | 12 Ak45x, Ak45x Firmware, Ak5xx and 9 more | 2021-01-14 | 3.6 LOW | 4.4 MEDIUM |
| Use of a Hard-coded Password in VNCserver in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows local attackers to view and interact with the video output of the device. | |||||
| CVE-2020-10207 | 1 Amino | 12 Ak45x, Ak45x Firmware, Ak5xx and 9 more | 2021-01-14 | 10.0 HIGH | 9.8 CRITICAL |
| Use of Hard-coded Credentials in EntoneWebEngine in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows remote attackers to retrieve and modify the device settings. | |||||
| CVE-2020-10210 | 1 Amino | 12 Ak45x, Ak45x Firmware, Ak5xx and 9 more | 2021-01-14 | 10.0 HIGH | 9.8 CRITICAL |
| Because of hard-coded SSH keys for the root user in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series, Kami7B, an attacker may remotely log in through SSH. | |||||
| CVE-2020-25476 | 1 Liferay | 1 Liferay Portal | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Liferay CMS Portal version 7.1.3 and 7.2.1 have a blind persistent cross-site scripting (XSS) vulnerability in the user name parameter to Calendar. An attacker can insert the malicious payload on the username, lastname or surname fields of its own profile, and the malicious payload will be injected and reflected in the calendar of the user who submitted the payload. An attacker could escalate its privileges in case an admin visits the calendar that injected the payload. | |||||
| CVE-2020-23960 | 1 Fork-cms | 1 Fork | 2021-01-14 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Fork before 5.8.3 allows remote attackers to perform unauthorized actions as administrator to (1) approve the mass of the user's comments, (2) restoring a deleted user, (3) installing or running modules, (4) resetting the analytics, (5) pinging the mailmotor api, (6) uploading things to the media library, (7) exporting locale. | |||||
| CVE-2021-1054 | 2 Microsoft, Nvidia | 2 Windows, Gpu Driver | 2021-01-14 | 2.1 LOW | 5.5 MEDIUM |
| NVIDIA GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which the software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action, which may lead to denial of service. | |||||
| CVE-2021-1053 | 3 Linux, Microsoft, Nvidia | 3 Linux Kernel, Windows, Gpu Driver | 2021-01-14 | 2.1 LOW | 5.5 MEDIUM |
| NVIDIA GPU Display Driver for Windows and Linux, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape or IOCTL in which improper validation of a user pointer may lead to denial of service. | |||||
| CVE-2020-17503 | 1 Barco | 5 Transform N, Transform Ndn-210 Lite, Transform Ndn-210 Pro and 2 more | 2021-01-14 | 6.5 MEDIUM | 7.2 HIGH |
| The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users to the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameter "locking" is not properly handled. The NDN-210 is part of Barco TransForm N solution and this vulnerability is patched from TransForm N version 3.8 onwards. | |||||
| CVE-2020-17504 | 1 Barco | 5 Transform N, Transform Ndn-210 Lite, Transform Ndn-210 Pro and 2 more | 2021-01-14 | 6.5 MEDIUM | 7.2 HIGH |
| The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users to the administration panel to perform authenticated remote code execution. An issue exists in ngpsystemcmd.php in which the http parameters "x_modules" and "y_modules" are not properly handled. The NDN-210 is part of Barco TransForm N solution and this vulnerability is patched from TransForm N version 3.8 onwards. | |||||
| CVE-2020-35918 | 1 Hakobaito | 1 Branca | 2021-01-14 | 4.9 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in the branca crate before 0.10.0 for Rust. Decoding tokens (with invalid base62 data) can panic. | |||||
| CVE-2020-27835 | 1 Linux | 1 Infiniband Hfi1 Driver | 2021-01-14 | 4.9 MEDIUM | 4.4 MEDIUM |
| A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system. | |||||
| CVE-2021-3116 | 1 Proxy.py Project | 1 Proxy.py | 2021-01-14 | 5.0 MEDIUM | 7.5 HIGH |
| before_upstream_connection in AuthPlugin in http/proxy/auth.py in proxy.py before 2.3.1 accepts incorrect Proxy-Authorization header data because of a boolean confusion (and versus or). | |||||
| CVE-2020-26297 | 1 Rust-lang | 1 Mdbook | 2021-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| mdBook is a utility to create modern online books from Markdown files and is written in Rust. In mdBook before version 0.4.5, there is a vulnerability affecting the search feature of mdBook, which could allow an attacker to execute arbitrary JavaScript code on the page. The search feature of mdBook (introduced in version 0.1.4) was affected by a cross site scripting vulnerability that allowed an attacker to execute arbitrary JavaScript code on an user's browser by tricking the user into typing a malicious search query, or tricking the user into clicking a link to the search page with the malicious search query prefilled. mdBook 0.4.5 fixes the vulnerability by properly escaping the search query. Owners of websites built with mdBook have to upgrade to mdBook 0.4.5 or greater and rebuild their website contents with it. | |||||
| CVE-2018-17825 | 1 Adplug Project | 1 Adplug | 2021-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in AdPlug 2.3.1. There are several double-free vulnerabilities in the CEmuopl class in emuopl.cpp because of a destructor's two OPLDestroy calls, each of which frees TL_TABLE, SIN_TABLE, AMS_TABLE, and VIB_TABLE. | |||||
| CVE-2019-1020014 | 1 Docker | 1 Credential Helpers | 2021-01-14 | 2.1 LOW | 5.5 MEDIUM |
| docker-credential-helpers before 0.6.3 has a double free in the List functions. | |||||
| CVE-2019-14690 | 1 Adplug Project | 1 Adplug | 2021-01-14 | 6.8 MEDIUM | 8.8 HIGH |
| AdPlug 2.3.1 has a heap-based buffer overflow in CxadbmfPlayer::__bmf_convert_stream() in bmf.cpp. | |||||
| CVE-2019-14691 | 1 Adplug Project | 1 Adplug | 2021-01-14 | 6.8 MEDIUM | 8.8 HIGH |
| AdPlug 2.3.1 has a heap-based buffer overflow in CdtmLoader::load() in dtm.cpp. | |||||