Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-5939 | 1 F5 | 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 11 more | 2020-11-10 | 4.3 MEDIUM | 7.5 HIGH |
| In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.3, 15.0.0-15.0.1.3, 14.1.0-14.1.2.6, and 13.1.0-13.1.3.4, BIG-IP Virtual Edition (VE) systems on VMware, with an Intel-based 85299 Network Interface Controller (NIC) card and Single Root I/O Virtualization (SR-IOV) enabled on vSphere, may fail and leave the Traffic Management Microkernel (TMM) in a state where it cannot transmit traffic. | |||||
| CVE-2020-5517 | 1 Blueonyx | 2 5209r, 5209r Firmware | 2020-11-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| CSRF in the /login URI in BlueOnyx 5209R allows an attacker to access the dashboard and perform scraping or other analysis. | |||||
| CVE-2020-28340 | 1 Google | 1 Android | 2020-11-10 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), Q(10.0), and R(11.0) software. Attackers can bypass Factory Reset Protection (FRP) via Secure Folder. The Samsung ID is SVE-2020-18546 (November 2020). | |||||
| CVE-2020-27689 | 1 Imomobile | 2 Verve Connect Vh510, Verve Connect Vh510 Firmware | 2020-11-10 | 5.0 MEDIUM | 9.8 CRITICAL |
| The Relish (Verve Connect) VH510 device with firmware before 1.0.1.6L0516 contains undocumented default admin credentials for the web management interface. A remote attacker could exploit this vulnerability to login and execute commands on the device, as well as upgrade the firmware image to a malicious version. | |||||
| CVE-2020-28341 | 2 Google, Samsung | 2 Android, Exynos 990 | 2020-11-10 | 4.6 MEDIUM | 7.8 HIGH |
| An issue was discovered on Samsung mobile devices with Q(10.0) (Exynos990 chipsets) software. The S3K250AF Secure Element CC EAL 5+ chip allows attackers to execute arbitrary code and obtain sensitive information via a buffer overflow. The Samsung ID is SVE-2020-18632 (November 2020). | |||||
| CVE-2020-28342 | 1 Google | 1 Android | 2020-11-10 | 6.8 MEDIUM | 7.8 HIGH |
| An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (China / India) software. The S Secure application allows attackers to bypass authentication for a locked Gallery application via the Reminder application. The Samsung ID is SVE-2020-18689 (November 2020). | |||||
| CVE-2020-28343 | 2 Google, Samsung | 4 Android, Exynos 980, Exynos 9820 and 1 more | 2020-11-10 | 4.6 MEDIUM | 7.8 HIGH |
| An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (Exynos 980, 9820, and 9830 chipsets) software. The NPU driver allows attackers to execute arbitrary code because of unintended write and read operations on memory. The Samsung ID is SVE-2020-18610 (November 2020). | |||||
| CVE-2015-9410 | 1 Blubrry | 1 Powerpress Podcasting | 2020-11-10 | 3.5 LOW | 5.4 MEDIUM |
| The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS via the tab parameter. | |||||
| CVE-2015-9537 | 1 Imagely | 1 Nextgen Gallery | 2020-11-10 | 3.5 LOW | 5.4 MEDIUM |
| The NextGEN Gallery plugin before 2.1.10 for WordPress has multiple XSS issues involving thumbnail_width, thumbnail_height, thumbwidth, thumbheight, wmXpos, and wmYpos, and template. | |||||
| CVE-2015-9538 | 1 Imagely | 1 Nextgen Gallery | 2020-11-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| The NextGEN Gallery plugin before 2.1.15 for WordPress allows ../ Directory Traversal in path selection. | |||||
| CVE-2015-9539 | 1 Fast Secure Contact Form Project | 1 Fast Secure Contact Form | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Fast Secure Contact Form plugin before 4.0.38 for WordPress allows fs_contact_form1[welcome] XSS. | |||||
| CVE-2015-9549 | 1 Ocportal | 1 Ocportal | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-site Scripting (XSS) vulnerability exists in OcPortal 9.0.20 via the OCF_EMOTICON_CELL.tpl FIELD_NAME field to data/emoticons.php. | |||||
| CVE-2017-14530 | 1 Crony Cronjob Manager Project | 1 Crony Cronjob Manager | 2020-11-10 | 6.0 MEDIUM | 8.0 HIGH |
| WP_Admin_UI in the Crony Cronjob Manager plugin before 0.4.7 for WordPress has CSRF via the name parameter in an action=manage&do=create operation, as demonstrated by inserting XSS sequences. | |||||
| CVE-2015-9229 | 1 Imagely | 1 Nextgen Gallery | 2020-11-10 | 3.5 LOW | 4.8 MEDIUM |
| In the nggallery-manage-gallery page in the Photocrati NextGEN Gallery plugin 2.1.15 for WordPress, XSS is possible for remote authenticated administrators via the images[1][alttext] parameter. | |||||
| CVE-2015-9230 | 1 Ait-pro | 1 Bulletproof Security | 2020-11-10 | 3.5 LOW | 4.8 MEDIUM |
| In the admin/db-backup-security/db-backup-security.php page in the BulletProof Security plugin before .52.5 for WordPress, XSS is possible for remote authenticated administrators via the DBTablePrefix parameter. | |||||
| CVE-2015-9260 | 1 Bedita | 1 Bedita | 2020-11-10 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in BEdita before 3.7.0. A cross-site scripting (XSS) attack occurs via a crafted pages/showObjects URI, as demonstrated by appending a payload to a pages/showObjects/2/0/0/leafs URI. | |||||
| CVE-2016-11014 | 1 Netgear | 2 Jnr1010, Jnr1010 Firmware | 2020-11-10 | 7.5 HIGH | 9.8 CRITICAL |
| NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control because the ok value of the auth cookie is a special case. | |||||
| CVE-2016-11015 | 1 Netgear | 2 Jnr1010, Jnr1010 Firmware | 2020-11-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| NETGEAR JNR1010 devices before 1.0.0.32 allow cgi-bin/webproc CSRF via the :InternetGatewayDevice.X_TWSZ-COM_URL_Filter.BlackList.1.URL parameter. | |||||
| CVE-2016-11016 | 1 Netgear | 2 Jnr1010, Jnr1010 Firmware | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| NETGEAR JNR1010 devices before 1.0.0.32 allow webproc?getpage= XSS. | |||||
| CVE-2019-20364 | 1 Igniterealtime | 1 Openfire | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via cacheName to SystemCacheDetails.jsp. | |||||
| CVE-2019-20366 | 1 Igniterealtime | 1 Openfire | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via isTrustStore to Manage Store Contents. | |||||
| CVE-2019-20438 | 1 Wso2 | 1 Api Manager | 2020-11-10 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in WSO2 API Manager 2.6.0. A potential stored Cross-Site Scripting (XSS) vulnerability has been identified in the inline API documentation editor page of the API Publisher. | |||||
| CVE-2019-20440 | 1 Wso2 | 1 Api Manager | 2020-11-10 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the update API documentation feature of the API Publisher. | |||||
| CVE-2019-20441 | 1 Wso2 | 1 Api Manager | 2020-11-10 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in WSO2 API Manager 2.6.0. A potential Stored Cross-Site Scripting (XSS) vulnerability has been identified in the 'implement phase' of the API Publisher. | |||||
| CVE-2019-20442 | 1 Wso2 | 3 Api Manager, Enterprise Integrator, Identity Server | 2020-11-10 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in roleToAuthorize has been identified in the registry UI. | |||||
| CVE-2019-20443 | 1 Wso2 | 3 Api Manager, Enterprise Integrator, Identity Server | 2020-11-10 | 3.5 LOW | 4.8 MEDIUM |
| An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in mediaType has been identified in the registry UI. | |||||
| CVE-2020-24601 | 1 Igniterealtime | 1 Openfire | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Ignite Realtime Openfire 4.5.1 a Stored Cross-site Vulnerability allows an attacker to execute an arbitrary malicious URL via the vulnerable POST parameter searchName", "alias" in the import certificate trusted page | |||||
| CVE-2020-5504 | 3 Debian, Phpmyadmin, Suse | 3 Debian Linux, Phpmyadmin, Suse Linux Enterprise Server | 2020-11-10 | 6.5 MEDIUM | 8.8 HIGH |
| In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server. | |||||
| CVE-2016-3022 | 1 Ibm | 6 Security Access Manager 9.0 Firmware, Security Access Manager For Mobile 8.0 Firmware, Security Access Manager For Mobile Appliance and 3 more | 2020-11-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Security Access Manager for Web could allow an authenticated user to gain access to highly sensitive information due to incorrect file permissions. | |||||
| CVE-2017-11664 | 1 Mindwerks | 1 Wildmidi | 2020-11-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| The _WM_SetupMidiEvent function in internal_midi.c:2122 in WildMIDI 0.4.2 can cause a denial of service (invalid memory read and application crash) via a crafted mid file. | |||||
| CVE-2017-16783 | 1 Cmsmadesimple | 1 Cms Made Simple | 2020-11-10 | 7.5 HIGH | 9.8 CRITICAL |
| In CMS Made Simple 2.1.6, there is Server-Side Template Injection via the cntnt01detailtemplate parameter. | |||||
| CVE-2018-5950 | 4 Canonical, Debian, Gnu and 1 more | 9 Ubuntu Linux, Debian Linux, Mailman and 6 more | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26 allows remote attackers to inject arbitrary web script or HTML via a user-options URL. | |||||
| CVE-2019-11057 | 1 Vtiger | 1 Vtiger Crm | 2020-11-10 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands. | |||||
| CVE-2019-16728 | 2 Cure53, Debian | 2 Dompurify, Debian Linux | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari. | |||||
| CVE-2019-20363 | 1 Igniterealtime | 1 Openfire | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via alias to Manage Store Contents. | |||||
| CVE-2019-20365 | 1 Igniterealtime | 1 Openfire | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via search to the Users/Group search page. | |||||
| CVE-2020-24602 | 1 Igniterealtime | 1 Openfire | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Ignite Realtime Openfire 4.5.1 has a reflected Cross-site scripting vulnerability which allows an attacker to execute arbitrary malicious URL via the vulnerable GET parameter searchName", "searchValue", "searchDescription", "searchDefaultValue","searchPlugin", "searchDescription" and "searchDynamic" in the Server Properties and Security Audit Viewer JSP page | |||||
| CVE-2020-24604 | 1 Igniterealtime | 1 Openfire | 2020-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Reflected XSS vulnerability was discovered in Ignite Realtime Openfire version 4.5.1. The XSS vulnerability allows remote attackers to inject arbitrary web script or HTML via the GET request "searchName", "searchValue", "searchDescription", "searchDefaultValue","searchPlugin", "searchDescription" and "searchDynamic" in server-properties.jsp and security-audit-viewer.jsp | |||||
| CVE-2019-19273 | 2 Google, Samsung | 5 Android, Exynos 8895, Galaxy Note8 and 2 more | 2020-11-10 | 7.2 HIGH | 7.8 HIGH |
| On Samsung mobile devices with O(8.0) and P(9.0) software and an Exynos 8895 chipset, RKP (aka the Samsung Hypervisor EL2 implementation) allows arbitrary memory write operations. The Samsung ID is SVE-2019-16265. | |||||
| CVE-2020-24409 | 2 Adobe, Microsoft | 2 Illustrator, Windows | 2020-11-10 | 6.8 MEDIUM | 7.8 HIGH |
| Adobe Illustrator version 24.2 (and earlier) is affected by an out-of-bounds read vulnerability when parsing crafted PDF files. This could result in a read past the end of an allocated memory structure, potentially resulting in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit. | |||||
| CVE-2019-19617 | 2 Debian, Phpmyadmin | 2 Debian Linux, Phpmyadmin | 2020-11-10 | 7.5 HIGH | 9.8 CRITICAL |
| phpMyAdmin before 4.9.2 does not escape certain Git information, related to libraries/classes/Display/GitRevision.php and libraries/classes/Footer.php. | |||||
| CVE-2020-14841 | 1 Oracle | 1 Weblogic Server | 2020-11-10 | 7.5 HIGH | 9.8 CRITICAL |
| Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2020-24410 | 2 Adobe, Microsoft | 2 Illustrator, Windows | 2020-11-10 | 6.8 MEDIUM | 7.8 HIGH |
| Adobe Illustrator version 24.2 (and earlier) is affected by an out-of-bounds read vulnerability when parsing crafted PDF files. This could result in a read past the end of an allocated memory structure, potentially resulting in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit. | |||||
| CVE-2020-24411 | 2 Adobe, Microsoft | 2 Illustrator, Windows | 2020-11-10 | 6.8 MEDIUM | 7.8 HIGH |
| Adobe Illustrator version 24.2 (and earlier) is affected by an out-of-bounds write vulnerability when handling crafted PDF files. This could result in a write past the end of an allocated memory structure, potentially resulting in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit. | |||||
| CVE-2018-5802 | 4 Canonical, Debian, Libraw and 1 more | 6 Ubuntu Linux, Debian Linux, Libraw and 3 more | 2020-11-10 | 6.8 MEDIUM | 8.8 HIGH |
| An error within the "kodak_radc_load_raw()" function (internal/dcraw_common.cpp) related to the "buf" variable in LibRaw versions prior to 0.18.7 can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash. | |||||
| CVE-2018-5813 | 2 Canonical, Libraw | 2 Ubuntu Linux, Libraw | 2020-11-10 | 7.1 HIGH | 6.5 MEDIUM |
| An error within the "parse_minolta()" function (dcraw/dcraw.c) in LibRaw versions prior to 0.18.11 can be exploited to trigger an infinite loop via a specially crafted file. | |||||
| CVE-2016-9845 | 1 Qemu | 1 Qemu | 2020-11-10 | 2.1 LOW | 6.5 MEDIUM |
| QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest user/process could use this flaw to leak contents of the host memory bytes. | |||||
| CVE-2016-9916 | 2 Debian, Qemu | 2 Debian Linux, Qemu | 2020-11-10 | 4.9 MEDIUM | 6.5 MEDIUM |
| Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the proxy backend. | |||||
| CVE-2017-5526 | 2 Debian, Qemu | 2 Debian Linux, Qemu | 2020-11-10 | 4.9 MEDIUM | 6.5 MEDIUM |
| Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. | |||||
| CVE-2017-5857 | 1 Qemu | 1 Qemu | 2020-11-10 | 4.9 MEDIUM | 6.5 MEDIUM |
| Memory leak in the virgl_cmd_resource_unref function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_UNREF commands sent without detaching the backing storage beforehand. | |||||