Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-2977 | 3 Debian, Netapp, Oracle | 10 Debian Linux, Active Iq Unified Manager, E-series Santricity Os Controller and 7 more | 2020-08-18 | 5.8 MEDIUM | 4.8 MEDIUM |
| Vulnerability in the Java SE product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.8 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L). | |||||
| CVE-2019-2987 | 4 Debian, Netapp, Oracle and 1 more | 12 Debian Linux, E-series Santricity Os Controller, E-series Santricity Storage Manager and 9 more | 2020-08-18 | 4.3 MEDIUM | 3.7 LOW |
| Vulnerability in the Java SE product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). | |||||
| CVE-2020-7301 | 1 Mcafee | 1 Data Loss Prevention | 2020-08-18 | 3.5 LOW | 4.6 MEDIUM |
| Cross Site scripting vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.5.3 allows authenticated attackers to trigger alerts via the file upload tab in the DLP case management section. | |||||
| CVE-2020-12287 | 1 Intel | 1 Distribution Of Openvino Toolkit | 2020-08-18 | 4.6 MEDIUM | 7.8 HIGH |
| Incorrect permissions in the Intel(R) Distribution of OpenVINO(TM) Toolkit before version 2020.2 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-15652 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-08-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to content that can be parsed as script. This vulnerability affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird < 78.1. | |||||
| CVE-2020-15653 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-08-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| An iframe sandbox element with the allow-popups flag could be bypassed when using noopener links. This could have led to security issues for websites relying on sandbox configurations that allowed popups and hosted arbitrary content. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. | |||||
| CVE-2020-15654 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-08-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| When in an endless loop, a website specifying a custom cursor using CSS could make it look like the user is interacting with the user interface, when they are not. This could lead to a perceived broken state, especially when interactions with existing browser dialogs and warnings do not work. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. | |||||
| CVE-2020-15656 | 2 Mozilla, Opensuse | 4 Firefox, Firefox Esr, Thunderbird and 1 more | 2020-08-18 | 9.3 HIGH | 8.8 HIGH |
| JIT optimizations involving the Javascript arguments object could confuse later optimizations. This risk was already mitigated by various precautions in the code, resulting in this bug rated at only moderate severity. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. | |||||
| CVE-2020-15658 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-08-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| The code for downloading files did not properly take care of special characters, which led to an attacker being able to cut off the file ending at an earlier position, leading to a different file type being downloaded than shown in the dialog. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. | |||||
| CVE-2020-7302 | 1 Mcafee | 1 Data Loss Prevention | 2020-08-18 | 5.5 MEDIUM | 6.4 MEDIUM |
| Unrestricted Upload of File with Dangerous Type in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.5.3 allows authenticated attackers to upload malicious files to the DLP case management section via lack of sanity checking. | |||||
| CVE-2020-8911 | 1 Amazon | 1 Aws S3 Crypto Sdk | 2020-08-18 | 2.1 LOW | 5.6 MEDIUM |
| A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files. | |||||
| CVE-2020-9404 | 1 Pactware | 1 Pactware | 2020-08-18 | 3.6 LOW | 7.1 HIGH |
| In PACTware before 4.1 SP6 and 5.x before 5.0.5.31, passwords are stored in an insecure manner, and may be modified by an attacker with no knowledge of the current passwords. | |||||
| CVE-2020-8918 | 1 Google | 1 Go-tpm | 2020-08-18 | 3.6 LOW | 7.1 HIGH |
| An improperly initialized 'migrationAuth' value in Google's go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both 'encUsageAuth' and 'encMigrationAuth', and then can calculate 'usageAuth ^ encMigrationAuth' as the 'migrationAuth' can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to 0.3.0 or later, or, if you cannot update, to call CreateWrapKey with a random 20-byte value for 'migrationAuth'. | |||||
| CVE-2020-9527 | 1 Hichip | 1 Shenzhen Hichip Vision Technology Firmware | 2020-08-18 | 7.5 HIGH | 9.8 CRITICAL |
| Firmware developed by Shenzhen Hichip Vision Technology (V6 through V20, after 2018-08-09 through 2020), as used by many different vendors in millions of Internet of Things devices, suffers from buffer overflow vulnerability that allows unauthenticated remote attackers to execute arbitrary code via the peer-to-peer (P2P) service. This affects products marketed under the following brand names: Accfly, Alptop, Anlink, Besdersec, BOAVISION, COOAU, CPVAN, Ctronics, D3D Security, Dericam, Elex System, Elite Security, ENSTER, ePGes, Escam, FLOUREON, GENBOLT, Hongjingtian (HJT), ICAMI, Iegeek, Jecurity, Jennov, KKMoon, LEFTEK, Loosafe, Luowice, Nesuniq, Nettoly, ProElite, QZT, Royallite, SDETER, SV3C, SY2L, Tenvis, ThinkValue, TOMLOV, TPTEK, WGCC, and ZILINK. | |||||
| CVE-2020-9528 | 1 Hichip | 1 Shenzhen Hichip Vision Technology Firmware | 2020-08-18 | 5.0 MEDIUM | 7.5 HIGH |
| Firmware developed by Shenzhen Hichip Vision Technology (V6 through V20), as used by many different vendors in millions of Internet of Things devices, suffers from cryptographic issues that allow remote attackers to access user session data, as demonstrated by eavesdropping on user video/audio streams, capturing credentials, and compromising devices. This affects products marketed under the following brand names: Accfly, Alptop, Anlink, Besdersec, BOAVISION, COOAU, CPVAN, Ctronics, D3D Security, Dericam, Elex System, Elite Security, ENSTER, ePGes, Escam, FLOUREON, GENBOLT, Hongjingtian (HJT), ICAMI, Iegeek, Jecurity, Jennov, KKMoon, LEFTEK, Loosafe, Luowice, Nesuniq, Nettoly, ProElite, QZT, Royallite, SDETER, SV3C, SY2L, Tenvis, ThinkValue, TOMLOV, TPTEK, WGCC, and ZILINK. | |||||
| CVE-2020-16118 | 1 Gnome | 1 Balsa | 2020-08-18 | 5.0 MEDIUM | 7.5 HIGH |
| In GNOME Balsa before 2.6.0, a malicious server operator or man in the middle can trigger a NULL pointer dereference and client crash by sending a PREAUTH response to imap_mbox_connect in libbalsa/imap/imap-handle.c. | |||||
| CVE-2020-8716 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-17 | 2.1 LOW | 5.5 MEDIUM |
| Improper access control for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2020-8717 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-17 | 2.1 LOW | 5.5 MEDIUM |
| Improper input validation in a subsystem for some Intel Server Boards, Server Systems and Compute Modules before version 1.59 may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2020-8718 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-17 | 4.6 MEDIUM | 8.8 HIGH |
| Buffer overflow in a subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-8719 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-17 | 4.6 MEDIUM | 8.2 HIGH |
| Buffer overflow in subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-8721 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-17 | 4.6 MEDIUM | 8.2 HIGH |
| Improper input validation for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-8722 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-17 | 4.6 MEDIUM | 8.2 HIGH |
| Buffer overflow in a subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-8729 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-17 | 4.6 MEDIUM | 7.8 HIGH |
| Buffer copy without checking size of input for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-8912 | 1 Amazon | 1 Aws S3 Crypto Sdk | 2020-08-17 | 2.1 LOW | 2.5 LOW |
| A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files. | |||||
| CVE-2020-8723 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-17 | 5.4 MEDIUM | 6.3 MEDIUM |
| Cross-site scripting for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | |||||
| CVE-2020-8730 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-17 | 4.6 MEDIUM | 8.8 HIGH |
| Heap-based overflow for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2018-10925 | 3 Canonical, Debian, Postgresql | 3 Ubuntu Linux, Debian Linux, Postgresql | 2020-08-17 | 5.5 MEDIUM | 8.1 HIGH |
| It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could exploit this to update other columns in the same table. | |||||
| CVE-2019-10208 | 1 Postgresql | 1 Postgresql | 2020-08-17 | 6.5 MEDIUM | 8.8 HIGH |
| A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function. | |||||
| CVE-2020-1720 | 2 Postgresql, Redhat | 4 Postgresql, Decision Manager, Enterprise Linux and 1 more | 2020-08-17 | 3.5 LOW | 6.5 MEDIUM |
| A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17. | |||||
| CVE-2020-7029 | 1 Avaya | 2 Aura Communication Manager, Aura Messaging | 2020-08-17 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged level of the authenticated user. Affected versions of Communication Manager are 7.0.x, 7.1.x prior to 7.1.3.5 and 8.0.x. Affected versions of Messaging are 7.0.x, 7.1 and 7.1 SP1. | |||||
| CVE-2019-3772 | 2 Oracle, Vmware | 2 Retail Customer Management And Segmentation Foundation, Spring Integration | 2020-08-17 | 7.5 HIGH | 9.8 CRITICAL |
| Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources. | |||||
| CVE-2020-16266 | 1 Mantisbt | 1 Mantisbt | 2020-08-17 | 3.5 LOW | 5.4 MEDIUM |
| An XSS issue was discovered in MantisBT before 2.24.2. Improper escaping on view_all_bug_page.php allows a remote attacker to inject arbitrary HTML into the page by saving it into a text Custom Field, leading to possible code execution in the browser of any user subsequently viewing the issue (if CSP settings allow it). | |||||
| CVE-2020-13278 | 1 Rosariosis | 1 Student Information System | 2020-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected Cross-Site Scripting vulnerability in Modules.php in RosarioSIS Student Information System < 6.5.1 allows remote attackers to execute arbitrary web script via embedding javascript or HTML tags in a GET request. | |||||
| CVE-2020-12648 | 1 Tiny | 1 Tinymce | 2020-08-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in TinyMCE 5.2.1 and earlier allows remote attackers to inject arbitrary web script when configured in classic editing mode. | |||||
| CVE-2016-8864 | 4 Debian, Isc, Netapp and 1 more | 11 Debian Linux, Bind, Data Ontap Edge and 8 more | 2020-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c. | |||||
| CVE-2020-17447 | 2020-08-17 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-15139. Reason: This candidate is a duplicate of CVE-2020-15139. Notes: All CVE users should reference CVE-2020-15139 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2020-8731 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-17 | 4.6 MEDIUM | 8.8 HIGH |
| Incorrect execution-assigned permissions in the file system for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-8732 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-17 | 5.8 MEDIUM | 8.8 HIGH |
| Heap-based buffer overflow in the firmware for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | |||||
| CVE-2020-22720 | 2020-08-17 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2012-0698 | 1 Trustedcomputinggroup | 1 Trousers | 2020-08-17 | 5.0 MEDIUM | N/A |
| tcsd in TrouSerS before 0.3.10 allows remote attackers to cause a denial of service (daemon crash) via a crafted type_offset value in a TCP packet to port 30003. | |||||
| CVE-2020-8720 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-17 | 2.1 LOW | 5.5 MEDIUM |
| Buffer overflow in a subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable denial of service via local access. | |||||
| CVE-2016-6498 | 2020-08-17 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2016. Notes: none. | |||||
| CVE-2016-6499 | 2020-08-17 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2016. Notes: none. | |||||
| CVE-2016-6502 | 2020-08-17 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2016. Notes: none. | |||||
| CVE-2017-8986 | 2020-08-17 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none. | |||||
| CVE-2017-8995 | 2020-08-17 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none. | |||||
| CVE-2017-8996 | 2020-08-17 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none. | |||||
| CVE-2017-8997 | 2020-08-17 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none. | |||||
| CVE-2017-8998 | 2020-08-17 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none. | |||||
| CVE-2017-8999 | 2020-08-17 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none. | |||||