Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-25006 | 1 Heybbs Project | 1 Heybbs | 2020-09-04 | 7.5 HIGH | 9.8 CRITICAL |
| Heybbs v1.2 has a SQL injection vulnerability in login.php file via the username parameter which may allow a remote attacker to execute arbitrary code. | |||||
| CVE-2018-0313 | 1 Cisco | 72 Nexus 172tq-xl, Nexus 2148t, Nexus 2224tp Ge and 69 more | 2020-09-04 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to send a malicious packet to the management interface on an affected system and execute a command-injection exploit. The vulnerability is due to incorrect input validation of user-supplied data to the NX-API subsystem. An attacker could exploit this vulnerability by sending a malicious HTTP or HTTPS packet to the management interface of an affected system that has the NX-API feature enabled. A successful exploit could allow the attacker to execute arbitrary commands with root privileges. Note: NX-API is disabled by default. This vulnerability affects MDS 9000 Series Multilayer Switches, Nexus 2000 Series Fabric Extenders, Nexus 3000 Series Switches, Nexus 3500 Platform Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules. Cisco Bug IDs: CSCvd47415, CSCve03216, CSCve03224, CSCve03234. | |||||
| CVE-2020-24241 | 1 Nasm | 1 Netwide Assembler | 2020-09-04 | 4.3 MEDIUM | 5.5 MEDIUM |
| In Netwide Assembler (NASM) 2.15rc10, there is heap use-after-free in saa_wbytes in nasmlib/saa.c. | |||||
| CVE-2018-0306 | 1 Cisco | 89 Mds 9132t, Mds 9148, Mds 9148s and 86 more | 2020-09-04 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the CLI parser of Cisco NX-OS Software could allow an authenticated, local attacker to perform a command-injection attack on an affected device. The vulnerability is due to insufficient input validation of command arguments. An attacker could exploit this vulnerability by injecting malicious command arguments into a vulnerable CLI command. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the affected device. Note: This vulnerability requires that any feature license is uploaded to the device. The vulnerability does not require that the license be used. This vulnerability affects MDS 9000 Series Multilayer Switches, Nexus 1000V Series Switches, Nexus 1100 Series Cloud Services Platforms, Nexus 2000 Series Fabric Extenders, Nexus 3000 Series Switches, Nexus 3500 Platform Switches, Nexus 3600 Platform Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules. Cisco Bug IDs: CSCve51693, CSCve91634, CSCve91659, CSCve91663. | |||||
| CVE-2018-0302 | 1 Cisco | 13 Firepower 4110, Firepower 4120, Firepower 4140 and 10 more | 2020-09-04 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the CLI parser of Cisco FXOS Software and Cisco UCS Fabric Interconnect Software could allow an authenticated, local attacker to cause a buffer overflow on an affected device. The vulnerability is due to incorrect input validation in the CLI parser subsystem. An attacker could exploit this vulnerability by exceeding the expected length of user input. A successful exploit could allow the attacker to execute arbitrary code with root privileges on the affected system. This vulnerability affects Firepower 4100 Series Next-Generation Firewall, Firepower 9300 Security Appliance, UCS 6100 Series Fabric Interconnects, UCS 6200 Series Fabric Interconnects, UCS 6300 Series Fabric Interconnects. Cisco Bug IDs: CSCvb61099, CSCvb86743. | |||||
| CVE-2018-0307 | 1 Cisco | 65 Nexus 172tq-xl, Nexus 3016, Nexus 3048 and 62 more | 2020-09-04 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to perform a command-injection attack on an affected device. The vulnerability is due to insufficient input validation of command arguments. An attacker could exploit this vulnerability by injecting malicious command arguments into a vulnerable CLI command. A successful exploit could allow the attacker, authenticated as a privileged user, to execute arbitrary commands with root privileges. Note: On products that support multiple virtual device contexts (VDC), this vulnerability could allow an attacker to access files from any VDC. This vulnerability affects Nexus 2000 Series Fabric Extenders, Nexus 3000 Series Switches, Nexus 3500 Platform Switches, Nexus 3600 Platform Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules. Cisco Bug IDs: CSCve51704, CSCve91749, CSCve91768. | |||||
| CVE-2018-0338 | 1 Cisco | 1 Unified Computing System | 2020-09-04 | 4.6 MEDIUM | 7.8 HIGH |
| A vulnerability in the role-based access-checking mechanisms of Cisco Unified Computing System (UCS) Software could allow an authenticated, local attacker to execute arbitrary commands on an affected system. The vulnerability exists because the affected software lacks proper input and validation checks for certain file systems. An attacker could exploit this vulnerability by issuing crafted commands in the CLI of an affected system. A successful exploit could allow the attacker to cause other users to execute unwanted arbitrary commands on the affected system. Cisco Bug IDs: CSCvf52994. | |||||
| CVE-2018-0355 | 1 Cisco | 1 Unified Communications Manager | 2020-09-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web UI of Cisco Unified Communications Manager (Unified CM) could allow an unauthenticated, remote attacker to conduct a cross-frame scripting (XFS) attack against the user of the web UI of an affected system. The vulnerability is due to insufficient protections for HTML inline frames (iframes) by the web UI of the affected software. An attacker could exploit this vulnerability by persuading a user of the affected UI to navigate to an attacker-controlled web page that contains a malicious HTML iframe. A successful exploit could allow the attacker to conduct click-jacking or other client-side browser attacks on the affected system. Cisco Bug IDs: CSCvg19761. | |||||
| CVE-2018-0329 | 1 Cisco | 1 Wide Area Application Services | 2020-09-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the default configuration of the Simple Network Management Protocol (SNMP) feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to read data from an affected device via SNMP. The vulnerability is due to a hard-coded, read-only community string in the configuration file for the SNMP daemon. An attacker could exploit this vulnerability by using the static community string in SNMP version 2c queries to an affected device. A successful exploit could allow the attacker to read any data that is accessible via SNMP on the affected device. Note: The static credentials are defined in an internal configuration file and are not visible in the current operation configuration ('running-config') or the startup configuration ('startup-config'). Cisco Bug IDs: CSCvi40137. | |||||
| CVE-2018-0274 | 1 Cisco | 1 Network Services Orchestrator | 2020-09-04 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in the CLI parser of Cisco Network Services Orchestrator (NSO) could allow an authenticated, remote attacker to execute arbitrary shell commands with the privileges of the root user. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by injecting malicious arguments into vulnerable commands. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the affected system. This vulnerability affects the following releases of Cisco Network Services Orchestrator (NSO): 4.1 through 4.1.6.0, 4.2 through 4.2.4.0, 4.3 through 4.3.3.0, 4.4 through 4.4.2.0. Cisco Bug IDs: CSCvf99982. | |||||
| CVE-2018-0263 | 1 Cisco | 1 Meeting Server | 2020-09-04 | 3.3 LOW | 7.4 HIGH |
| A vulnerability in Cisco Meeting Server (CMS) could allow an unauthenticated, adjacent attacker to access services running on internal device interfaces of an affected system. The vulnerability is due to incorrect default configuration of the device, which can expose internal interfaces and ports on the external interface of the system. A successful exploit could allow the attacker to gain unauthenticated access to configuration and database files and sensitive meeting information on an affected system. This vulnerability affects Cisco Meeting Server (CMS) 2000 Platforms that are running a CMS Software release prior to Release 2.2.13 or Release 2.3.4. Cisco Bug IDs: CSCvg76471. | |||||
| CVE-2020-2243 | 1 Jenkins | 1 Cadence Vmanager | 2020-09-04 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Cadence vManager Plugin 3.0.4 and earlier does not escape build descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission. | |||||
| CVE-2020-2245 | 1 Jenkins | 1 Valgrind | 2020-09-04 | 5.5 MEDIUM | 7.1 HIGH |
| Jenkins Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2020-6279 | 2020-09-04 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. | |||||
| CVE-2020-11879 | 1 Gnome | 1 Evolution | 2020-09-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GNOME Evolution before 3.35.91. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make Evolution attach local files or directories to a composed email message without showing a warning to the user, as demonstrated by an attach=. value. | |||||
| CVE-2020-2244 | 1 Jenkins | 1 Build Failure Analyzer | 2020-09-04 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications. | |||||
| CVE-2020-10775 | 2 Oracle, Redhat | 2 Virtualization, Ovirt-engine | 2020-09-04 | 2.6 LOW | 5.3 MEDIUM |
| An Open redirect vulnerability was found in ovirt-engine versions 4.4 and earlier, where it allows remote attackers to redirect users to arbitrary web sites and attempt phishing attacks. Once the target has opened the malicious URL in their browser, the critical part of the URL is no longer visible. The highest threat from this vulnerability is on confidentiality. | |||||
| CVE-2020-2246 | 1 Jenkins | 1 Valgrind | 2020-09-04 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Valgrind Plugin 0.28 and earlier does not escape content in Valgrind XML reports, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Valgrind XML report contents. | |||||
| CVE-2019-7091 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 10.0 HIGH | 9.8 CRITICAL |
| ColdFusion versions Update 1 and earlier, Update 7 and earlier, and Update 15 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2019-7092 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| ColdFusion versions Update 1 and earlier, Update 7 and earlier, and Update 15 and earlier have a cross site scripting vulnerability. Successful exploitation could lead to information disclosure . | |||||
| CVE-2019-7816 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 10.0 HIGH | 9.8 CRITICAL |
| ColdFusion versions Update 2 and earlier, Update 9 and earlier, and Update 17 and earlier have a file upload restriction bypass vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2019-7838 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 10.0 HIGH | 9.8 CRITICAL |
| ColdFusion versions Update 3 and earlier, Update 10 and earlier, and Update 18 and earlier have a file extension blacklist bypass vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2019-7839 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 10.0 HIGH | 9.8 CRITICAL |
| ColdFusion versions Update 3 and earlier, Update 10 and earlier, and Update 18 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2019-7840 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 10.0 HIGH | 9.8 CRITICAL |
| ColdFusion versions Update 3 and earlier, Update 10 and earlier, and Update 18 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2019-8073 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 10.0 HIGH | 9.8 CRITICAL |
| ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 and earlier have a Command Injection via Vulnerable component vulnerability. Successful exploitation could lead to Arbitrary code execution in the context of the current user. | |||||
| CVE-2019-8074 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 10.0 HIGH | 9.8 CRITICAL |
| ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 and earlier have a Path Traversal vulnerability. Successful exploitation could lead to Access Control Bypass in the context of the current user. | |||||
| CVE-2020-2247 | 1 Jenkins | 1 Klocwork Analysis | 2020-09-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2020-2249 | 1 Jenkins | 1 Team Foundation Server | 2020-09-04 | 2.1 LOW | 3.3 LOW |
| Jenkins Team Foundation Server Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system. | |||||
| CVE-2018-15957 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 10.0 HIGH | 9.8 CRITICAL |
| Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2018-15958 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 10.0 HIGH | 9.8 CRITICAL |
| Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2018-15959 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 10.0 HIGH | 9.8 CRITICAL |
| Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2018-15960 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 6.4 MEDIUM | 7.5 HIGH |
| Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a use of a component with a known vulnerability vulnerability. Successful exploitation could lead to arbitrary file overwrite. | |||||
| CVE-2018-15961 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 10.0 HIGH | 9.8 CRITICAL |
| Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2018-15962 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a directory listing vulnerability. Successful exploitation could lead to information disclosure. | |||||
| CVE-2018-15963 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a security bypass vulnerability. Successful exploitation could lead to arbitrary folder creation. | |||||
| CVE-2018-15964 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 5.0 MEDIUM | 7.5 HIGH |
| Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a use of a component with a known vulnerability vulnerability. Successful exploitation could lead to information disclosure. | |||||
| CVE-2018-15965 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 10.0 HIGH | 9.8 CRITICAL |
| Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2020-2250 | 1 Jenkins | 1 Soapui Pro Functional Testing | 2020-09-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins SoapUI Pro Functional Testing Plugin 1.3 and earlier stores project passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2014-9166 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 5.0 MEDIUM | N/A |
| Adobe ColdFusion 10 before Update 15 and 11 before Update 3 allows attackers to cause a denial of service (resource consumption) via unspecified vectors. | |||||
| CVE-2015-0345 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before Update 16 and 11 before Update 5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2015-5255 | 2 Adobe, Hp | 4 Coldfusion, Livecycle Data Services, Xp7 Command View Advanced Edition and 1 more | 2020-09-04 | 4.3 MEDIUM | N/A |
| Adobe BlazeDS, as used in ColdFusion 10 before Update 18 and 11 before Update 7 and LiveCycle Data Services 3.0.x before 3.0.0.354175, 3.1.x before 3.1.0.354180, 4.5.x before 4.5.1.354177, 4.6.2.x before 4.6.2.354178, and 4.7.x before 4.7.0.354178, allows remote attackers to send HTTP traffic to intranet servers via a crafted XML document, related to a Server-Side Request Forgery (SSRF) issue. | |||||
| CVE-2015-8052 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before Update 18 and 11 before Update 7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-8053. | |||||
| CVE-2015-8053 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before Update 18 and 11 before Update 7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-8052. | |||||
| CVE-2016-4264 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 6.4 MEDIUM | 8.6 HIGH |
| The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | |||||
| CVE-2020-2251 | 1 Jenkins | 2 Jenkins, Soapui Pro Functional Testing | 2020-09-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins SoapUI Pro Functional Testing Plugin 1.5 and earlier transmits project passwords in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure. | |||||
| CVE-2020-2248 | 1 Jenkins | 1 Jsgames | 2020-09-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Jenkins JSGames Plugin 0.2 and earlier evaluates part of a URL as code, resulting in a reflected cross-site scripting (XSS) vulnerability. | |||||
| CVE-2012-5674 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 7.1 HIGH | N/A |
| Unspecified vulnerability in Adobe ColdFusion 10 before Update 5, when Internet Information Services (IIS) is used, allows attackers to cause a denial of service via unknown vectors. | |||||
| CVE-2013-1387 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 7.5 HIGH | N/A |
| Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to impersonate users via unknown vectors. | |||||
| CVE-2013-1388 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 7.5 HIGH | N/A |
| Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9.0.1 before Update 9, 9.0.2 before Update 4, and 10 before Update 9 allows attackers to obtain administrator-console access via unknown vectors. | |||||
| CVE-2013-1389 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 10.0 HIGH | N/A |
| Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 11, 9.0.1 before Update 10, 9.0.2 before Update 5, and 10 before Update 10 allows remote attackers to execute arbitrary code via unknown vectors. | |||||