Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-15083 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2020-05-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator side. At "Asset Home > Server > <workstation> > software" the administrator of ManageEngine can control what software is installed on the workstation. This table shows all the installed program names in the Software column. In this field, a remote attacker can inject malicious code in order to execute it when the ManageEngine administrator visualizes this page. | |||||
| CVE-2020-13094 | 1 Dolibarr | 1 Dolibarr | 2020-05-19 | 3.5 LOW | 5.4 MEDIUM |
| Dolibarr before 11.0.4 allows XSS. | |||||
| CVE-2020-1939 | 1 Apache | 1 Nuttx | 2020-05-19 | 5.1 MEDIUM | 9.8 CRITICAL |
| The Apache NuttX (Incubating) project provides an optional separate "apps" repository which contains various optional components and example programs. One of these, ftpd, had a NULL pointer dereference bug. The NuttX RTOS itself is not affected. Users of the optional apps repository are affected only if they have enabled ftpd. Versions 6.15 to 8.2 are affected. | |||||
| CVE-2020-11071 | 1 Simpleledger | 1 Slpjs | 2020-05-19 | 5.0 MEDIUM | 8.6 HIGH |
| SLPJS (npm package slpjs) before version 0.27.2, has a vulnerability where users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user's minting baton. This is fixed in version 0.27.2. | |||||
| CVE-2020-1998 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-19 | 6.5 MEDIUM | 8.8 HIGH |
| An improper authorization vulnerability in PAN-OS that mistakenly uses the permissions of local linux users instead of the intended SAML permissions of the account when the username is shared for the purposes of SSO authentication. This can result in authentication bypass and unintended resource access for the user. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; PAN-OS 9.1 versions earlier than 9.1.1; All versions of PAN-OS 8.0. | |||||
| CVE-2020-11072 | 1 Simpleledger | 1 Slp-validate | 2020-05-19 | 5.0 MEDIUM | 8.6 HIGH |
| In SLP Validate (npm package slp-validate) before version 1.2.1, users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user's minting baton. This has been fixed in slp-validate in version 1.2.1. Additonally, slpjs version 0.27.2 has a related fix under related CVE-2020-11071. | |||||
| CVE-2020-2002 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-19 | 6.8 MEDIUM | 8.1 HIGH |
| An authentication bypass by spoofing vulnerability exists in the authentication daemon and User-ID components of Palo Alto Networks PAN-OS by failing to verify the integrity of the Kerberos key distribution center (KDC) before authenticating users. This affects all forms of authentication that use a Kerberos authentication profile. A man-in-the-middle type of attacker with the ability to intercept communication between PAN-OS and KDC can login to PAN-OS as an administrator. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; All version of PAN-OS 8.0. | |||||
| CVE-2019-19169 | 2 Microsoft, Raonwiz | 2 Activex, Dext5 | 2020-05-19 | 7.5 HIGH | 9.8 CRITICAL |
| Dext5.ocx ActiveX 5.0.0.116 and eariler versions contain a vulnerability, which could allow remote attacker to download arbitrary file by setting the arguments to the activex method. This can be leveraged for code execution. | |||||
| CVE-2019-19168 | 2 Microsoft, Raonwiz | 2 Activex, Dext5 | 2020-05-19 | 7.5 HIGH | 9.8 CRITICAL |
| Dext5.ocx ActiveX 5.0.0.116 and eariler versions contain a vulnerability, which could allow remote attacker to download and execute remote arbitrary file by setting the arguments to the activex method. This can be leveraged for code execution. | |||||
| CVE-2011-2788 | 2 Apple, Google | 4 Iphone Os, Itunes, Safari and 1 more | 2020-05-19 | 6.8 MEDIUM | N/A |
| Buffer overflow in the inspector serialization functionality in Google Chrome before 13.0.782.107 allows user-assisted remote attackers to have an unspecified impact via unknown vectors. | |||||
| CVE-2011-2787 | 1 Google | 1 Chrome | 2020-05-19 | 4.3 MEDIUM | N/A |
| Google Chrome before 13.0.782.107 does not properly address re-entrancy issues associated with the GPU lock, which allows remote attackers to cause a denial of service (application crash) via unspecified vectors. | |||||
| CVE-2020-2007 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-19 | 9.0 HIGH | 7.2 HIGH |
| An OS command injection vulnerability in the management server component of PAN-OS allows an authenticated user to potentially execute arbitrary commands with root privileges. This issue affects: All PAN-OS 7.1 versions; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.7. | |||||
| CVE-2020-13128 | 1 Gwtupload Project | 1 Gwtupload | 2020-05-19 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Manolo GWTUpload 1.0.3. server/UploadServlet.java (the servlet for handling file upload) accepts a delay parameter that causes a thread to sleep. It can be abused to cause all of a server's threads to sleep, leading to denial of service. | |||||
| CVE-2011-2839 | 2 Google, Linux | 2 Chrome, Linux Kernel | 2020-05-19 | 7.5 HIGH | N/A |
| The PDF implementation in Google Chrome before 13.0.782.215 on Linux does not properly use the memset library function, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. | |||||
| CVE-2011-2806 | 2 Google, Microsoft | 2 Chrome, Windows | 2020-05-19 | 10.0 HIGH | N/A |
| Google Chrome before 13.0.782.215 on Windows does not properly handle vertex data, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. | |||||
| CVE-2013-7421 | 4 Canonical, Debian, Linux and 1 more | 4 Ubuntu Linux, Debian Linux, Linux Kernel and 1 more | 2020-05-19 | 2.1 LOW | N/A |
| The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability than CVE-2014-9644. | |||||
| CVE-2020-11931 | 2 Canonical, Pulseaudio | 2 Ubuntu Linux, Pulseaudio | 2020-05-19 | 2.1 LOW | 3.3 LOW |
| An Ubuntu-specific modification to Pulseaudio to provide security mediation for Snap-packaged applications was found to have a bypass of intended access restriction for snaps which plugs any of pulseaudio, audio-playback or audio-record via unloading the pulseaudio snap policy module. This issue affects: pulseaudio 1:8.0 versions prior to 1:8.0-0ubuntu3.12; 1:11.1 versions prior to 1:11.1-1ubuntu7.7; 1:13.0 versions prior to 1:13.0-1ubuntu1.2; 1:13.99.1 versions prior to 1:13.99.1-1ubuntu3.2; | |||||
| CVE-2020-1758 | 1 Redhat | 2 Keycloak, Openstack | 2020-05-19 | 4.3 MEDIUM | 5.9 MEDIUM |
| A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack. | |||||
| CVE-2020-11930 | 1 Gtranslate | 1 Translate Wordpress With Gtranslate | 2020-05-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| The GTranslate plugin before 2.8.52 for WordPress has Reflected XSS via a crafted link. This requires use of the hreflang tags feature within a sub-domain or sub-directory paid option. | |||||
| CVE-2020-2009 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-19 | 9.0 HIGH | 7.2 HIGH |
| An external control of filename vulnerability in the SD WAN component of Palo Alto Networks PAN-OS Panorama allows an authenticated administrator to send a request that results in the creation and write of an arbitrary file on all firewalls managed by the Panorama. In some cases this results in arbitrary code execution with root permissions. This issue affects: All versions of PAN-OS 7.1; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.7. | |||||
| CVE-2020-9073 | 1 Huawei | 2 P20, P20 Firmware | 2020-05-19 | 2.1 LOW | 2.4 LOW |
| Huawei P20 smartphones with versions earlier than 10.0.0.156(C00E156R1P4) have an improper authentication vulnerability. The vulnerability is due to that when an user wants to do certain operation, the software insufficiently validate the user's identity. Attackers need to physically access the smartphone to exploit this vulnerability. Successful exploit could allow the attacker to bypass the limit of student mode function. | |||||
| CVE-2011-2824 | 1 Google | 1 Chrome | 2020-05-19 | 7.5 HIGH | N/A |
| Use-after-free vulnerability in Google Chrome before 13.0.782.215 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving counter nodes. | |||||
| CVE-2011-2821 | 4 Apple, Debian, Google and 1 more | 8 Iphone Os, Mac Os X, Debian Linux and 5 more | 2020-05-19 | 7.5 HIGH | N/A |
| Double free vulnerability in libxml2, as used in Google Chrome before 13.0.782.215, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted XPath expression. | |||||
| CVE-2020-12889 | 1 Misp | 1 Misp-maltego | 2020-05-19 | 7.5 HIGH | 9.8 CRITICAL |
| MISP MISP-maltego 1.4.4 incorrectly shares a MISP connection across users in a remote-transform use case. | |||||
| CVE-2011-2829 | 1 Google | 1 Chrome | 2020-05-19 | 7.5 HIGH | N/A |
| Integer overflow in Google Chrome before 13.0.782.215 on 32-bit platforms allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving uniform arrays. | |||||
| CVE-2011-2826 | 1 Google | 1 Chrome | 2020-05-19 | 7.5 HIGH | N/A |
| Google Chrome before 13.0.782.215 allows remote attackers to bypass the Same Origin Policy via vectors related to empty origins. | |||||
| CVE-2011-2827 | 2 Apple, Google | 4 Iphone Os, Itunes, Safari and 1 more | 2020-05-19 | 7.5 HIGH | N/A |
| Use-after-free vulnerability in Google Chrome before 13.0.782.215 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to text searching. | |||||
| CVE-2011-2825 | 2 Apple, Google | 4 Iphone Os, Itunes, Safari and 1 more | 2020-05-19 | 9.3 HIGH | N/A |
| Use-after-free vulnerability in Google Chrome before 13.0.782.215 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving custom fonts. | |||||
| CVE-2011-2823 | 2 Apple, Google | 4 Iphone Os, Itunes, Safari and 1 more | 2020-05-19 | 7.5 HIGH | N/A |
| Use-after-free vulnerability in Google Chrome before 13.0.782.215 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a line box. | |||||
| CVE-2010-4685 | 1 Cisco | 1 Ios | 2020-05-19 | 4.0 MEDIUM | N/A |
| Cisco IOS before 15.0(1)XA1 does not clear the public key cache upon a change to a certificate map, which allows remote authenticated users to bypass a certificate ban by connecting with a banned certificate that had previously been valid, aka Bug ID CSCta79031. | |||||
| CVE-2018-19321 | 1 Gigabyte | 4 Aorus Graphics Engine, App Center, Oc Guru Ii and 1 more | 2020-05-19 | 7.2 HIGH | 7.8 HIGH |
| The GPCIDrv and GDrv low-level drivers in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 expose functionality to read and write arbitrary physical memory. This could be leveraged by a local attacker to elevate privileges. | |||||
| CVE-2018-19322 | 1 Gigabyte | 4 Aorus Graphics Engine, App Center, Oc Guru Ii and 1 more | 2020-05-19 | 4.6 MEDIUM | 7.8 HIGH |
| The GPCIDrv and GDrv low-level drivers in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 expose functionality to read/write data from/to IO ports. This could be leveraged in a number of ways to ultimately run code with elevated privileges. | |||||
| CVE-2018-19323 | 1 Gigabyte | 4 Aorus Graphics Engine, Gigabyte App Center, Oc Guru Ii and 1 more | 2020-05-19 | 9.0 HIGH | 9.8 CRITICAL |
| The GDrv low-level driver in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 exposes functionality to read and write Machine Specific Registers (MSRs). | |||||
| CVE-2019-7630 | 1 Gigabyte | 1 App Center | 2020-05-19 | 9.0 HIGH | 7.2 HIGH |
| An issue was discovered in gdrv.sys in Gigabyte APP Center before 19.0227.1. The vulnerable driver exposes a wrmsr instruction via IOCTL 0xC3502580 and does not properly filter the target Model Specific Register (MSR). Allowing arbitrary MSR writes can lead to Ring-0 code execution and escalation of privileges. | |||||
| CVE-2020-12677 | 1 Progress | 1 Moveit Automation | 2020-05-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Progress MOVEit Automation Web Admin. A Web Admin application endpoint failed to adequately sanitize malicious input, which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser, aka XSS. This affects 2018 - 2018.0 prior to 2018.0.3, 2018 SP1 - 2018.2 prior to 2018.2.3, 2018 SP2 - 2018.3 prior to 2018.3.7, 2019 - 2019.0 prior to 2019.0.3, 2019.1 - 2019.1 prior to 2019.1.2, and 2019.2 - 2019.2 prior to 2019.2.2. | |||||
| CVE-2011-2828 | 1 Google | 1 Chrome | 2020-05-19 | 7.5 HIGH | N/A |
| Google V8, as used in Google Chrome before 13.0.782.215, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an out-of-bounds write. | |||||
| CVE-2020-9524 | 1 Microfocus | 2 Enterprise Developer, Enterprise Server | 2020-05-19 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site scripting vulnerability on Micro Focus Enterprise Server and Enterprise developer, affecting all versions prior to version 5.0 Patch Update 8. The vulnerability could allow an attacker to trigger administrative actions when an administrator viewed malicious data left by the attacker (stored XSS) or followed a malicious link (reflected XSS). | |||||
| CVE-2020-8100 | 1 Bitdefender | 1 Engines | 2020-05-19 | 5.0 MEDIUM | 7.5 HIGH |
| Improper Input Validation vulnerability in the cevakrnl.rv0 module as used in the Bitdefender Engines allows an attacker to trigger a denial of service while scanning a specially-crafted sample. This issue affects: Bitdefender Bitdefender Engines versions prior to 7.84063. | |||||
| CVE-2019-15429 | 1 Panasonic | 2 Eluga I9, Eluga I9 Firmware | 2020-05-19 | 7.2 HIGH | 7.8 HIGH |
| The Panasonic ELUGA_I9 Android device with a build fingerprint of Panasonic/ELUGA_I9/ELUGA_I9:7.0/NRD90M/1501740649:user/release-keys contains a pre-installed app with a package name of com.ovvi.modem app (versionCode=1, versionName=1) that allows unauthorized attacker-controlled at command via a confused deputy attack. This capability can be accessed by any app co-located on the device. | |||||
| CVE-2020-12257 | 1 Rconfig | 1 Rconfig | 2020-05-18 | 6.8 MEDIUM | 8.8 HIGH |
| rConfig 3.9.4 is vulnerable to cross-site request forgery (CSRF) because it lacks implementation of CSRF protection such as a CSRF token. An attacker can leverage this vulnerability by creating a form (add a user, delete a user, or edit a user). | |||||
| CVE-2020-12256 | 1 Rconfig | 1 Rconfig | 2020-05-18 | 3.5 LOW | 5.4 MEDIUM |
| rConfig 3.9.4 is vulnerable to reflected XSS. The devicemgmnt.php file improperly validates user input. An attacker can exploit this by crafting arbitrary JavaScript in the deviceId GET parameter to devicemgmnt.php. | |||||
| CVE-2020-12259 | 1 Rconfig | 1 Rconfig | 2020-05-18 | 3.5 LOW | 5.4 MEDIUM |
| rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php. | |||||
| CVE-2020-1997 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-18 | 5.8 MEDIUM | 6.1 MEDIUM |
| An open redirection vulnerability in the GlobalProtect component of Palo Alto Networks PAN-OS allows an attacker to specify an arbitrary redirection target away from the trusted GlobalProtect gateway. If the user then successfully authenticates it will cause them to access an unexpected and potentially malicious website. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.0 versions earlier than 8.0.14. | |||||
| CVE-2020-1994 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-18 | 4.9 MEDIUM | 4.4 MEDIUM |
| A predictable temporary file vulnerability in PAN-OS allows a local authenticated user with shell access to corrupt arbitrary system files affecting the integrity of the system. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.7. | |||||
| CVE-2020-13126 | 1 Elementor | 1 Elementor Page Builder | 2020-05-18 | 6.5 MEDIUM | 9.9 CRITICAL |
| An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is unaffected. | |||||
| CVE-2019-20390 | 1 Intelliants | 1 Subrion | 2020-05-18 | 5.8 MEDIUM | 8.1 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion CMS 4.2.1 that allows a remote attacker to remove files on the server without a victim's knowledge, by enticing an authenticated user to visit an attacker's web page. The application fails to validate the CSRF token for a GET request. An attacker can craft a panel/uploads/read.json?cmd=rm URL (removing this token) and send it to the victim. | |||||
| CVE-2019-20389 | 1 Intelliants | 1 Subrion | 2020-05-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was identified on the Subrion CMS 4.2.1 /panel/configuration/general settings page. A remote attacker can inject arbitrary JavaScript code in the v[language_switch] parameter (within multipart/form-data), which is reflected back within a user's browser without proper output encoding. | |||||
| CVE-2020-7267 | 1 Mcafee | 1 Virusscan Enterprise | 2020-05-18 | 3.6 LOW | 8.4 HIGH |
| Privilege Escalation vulnerability in McAfee VirusScan Enterprise (VSE) for Linux prior to 2.0.3 Hotfix 2635000 allows local users to delete files the user would otherwise not have access to via manipulating symbolic links to redirect a McAfee delete action to an unintended file. This is achieved through running a malicious script or program on the target machine. | |||||
| CVE-2020-12685 | 1 Redhat | 1 Interchange | 2020-05-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS in the admin help system admin/help.html and admin/quicklinks.html in Interchange 4.7.0 through 5.11.x allows remote attackers to steal credentials or data via browser JavaScript. | |||||
| CVE-2020-7266 | 1 Mcafee | 1 Virusscan Enterprise | 2020-05-18 | 3.6 LOW | 8.4 HIGH |
| Privilege Escalation vulnerability in McAfee VirusScan Enterprise (VSE) for Windows prior to 8.8 Patch 14 Hotfix 116778 allows local users to delete files the user would otherwise not have access to via manipulating symbolic links to redirect a McAfee delete action to an unintended file. This is achieved through running a malicious script or program on the target machine. | |||||