Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-3722 | 1 Opensips | 1 Opensips | 2020-02-20 | 5.0 MEDIUM | 7.5 HIGH |
| A Denial of Service (infinite loop) exists in OpenSIPS before 1.10 in lookup.c. | |||||
| CVE-2014-9606 | 1 Netsweeper | 1 Netsweeper | 2020-02-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) server parameter to remotereporter/load_logfiles.php, (2) customctid parameter to webadmin/policy/category_table_ajax.php, (3) urllist parameter to webadmin/alert/alert.php, (4) QUERY_STRING to webadmin/ajaxfilemanager/ajax_get_file_listing.php, or (5) PATH_INFO to webadmin/policy/policy_table_ajax.php/. | |||||
| CVE-2016-8390 | 1 Cryptic-apps | 1 Hopper Disassembler | 2020-02-20 | 6.8 MEDIUM | 7.8 HIGH |
| An exploitable out of bounds write vulnerability exists in the parsing of ELF Section Headers of Hopper Disassembler 3.11.20. A specially crafted ELF file can cause attacker controlled pointer arithmetic resulting in a partially controlled out of bounds write. An attacker can craft an ELF file with specific section headers to trigger this vulnerability. | |||||
| CVE-2018-13087 | 1 Coinstar Myadvancedtoken Project | 1 Coinstar Myadvancedtoken | 2020-02-20 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for Coinstar (CSTR), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2014-9609 | 1 Netsweeper | 1 Netsweeper | 2020-02-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| Directory traversal vulnerability in webadmin/reporter/view_server_log.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to list directory contents via a .. (dot dot) in the log parameter in a stats action. | |||||
| CVE-2018-13088 | 1 Tokenerc20 Project | 1 Tokenerc20 | 2020-02-20 | 5.0 MEDIUM | 7.5 HIGH |
| The mintToken function of a smart contract implementation for Futures Pease (FP), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. | |||||
| CVE-2017-16115 | 1 Timespan Project | 1 Timespan | 2020-02-20 | 5.0 MEDIUM | 7.5 HIGH |
| The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds. | |||||
| CVE-2014-9612 | 1 Netsweeper | 1 Netsweeper | 2020-02-20 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in remotereporter/load_logfiles.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to execute arbitrary SQL commands via the server parameter. | |||||
| CVE-2014-4981 | 1 Xorux | 1 Lpar2rrd | 2020-02-20 | 10.0 HIGH | 9.8 CRITICAL |
| LPAR2RRD in 3.5 and earlier allows remote attackers to execute arbitrary commands due to insufficient input sanitization of the web GUI parameters. | |||||
| CVE-2020-8595 | 2 Istio, Redhat | 3 Istio, Enterprise Linux, Openshift Service Mesh | 2020-02-20 | 7.5 HIGH | 7.3 HIGH |
| Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match. | |||||
| CVE-2014-2595 | 1 Barracuda | 1 Web Application Firewall | 2020-02-20 | 7.5 HIGH | 9.8 CRITICAL |
| Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string. | |||||
| CVE-2014-7236 | 1 Twiki | 1 Twiki | 2020-02-20 | 6.4 MEDIUM | 9.1 CRITICAL |
| Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome. | |||||
| CVE-2017-2314 | 1 Juniper | 1 Junos | 2020-02-20 | 5.0 MEDIUM | 7.5 HIGH |
| Receipt of a malformed BGP OPEN message may cause the routing protocol daemon (rpd) process to crash and restart. By continuously sending specially crafted BGP OPEN messages, an attacker can repeatedly crash the rpd process causing prolonged denial of service. No other Juniper Networks products or platforms are affected by this issue. Affected releases are Juniper Networks Junos OS 12.3 prior to 12.3R12-S4, 12.3R13, 12.3R3-S4; 12.3X48 prior to 12.3X48-D50; 13.3 prior to 13.3R4-S11, 13.3R10; 14.1 prior to 14.1R8-S3, 14.1R9; 14.1X53 prior to 14.1X53-D40; 14.1X55 prior to 14.1X55-D35; 14.2 prior to 14.2R4-S7, 14.2R6-S4, 14.2R7; 15.1 prior to 15.1F2-S11, 15.1F4-S1-J1, 15.1F5-S3, 15.1F6, 15.1R4; 15.1X49 prior to 15.1X49-D100; 15.1X53 prior to 15.1X53-D33, 15.1X53-D50. | |||||
| CVE-2014-9608 | 1 Netsweeper | 1 Netsweeper | 2020-02-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in webadmin/policy/group_table_ajax.php/ in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. | |||||
| CVE-2014-8089 | 3 Fedoraproject, Redhat, Zend | 3 Fedora, Enterprise Linux, Zend Framework | 2020-02-20 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte. | |||||
| CVE-2020-1842 | 1 Huawei | 10 Hege-560, Hege-560 Firmware, Osca-550 and 7 more | 2020-02-20 | 4.6 MEDIUM | 6.8 MEDIUM |
| Huawei HEGE-560 version 1.0.1.20(SP2); OSCA-550 and OSCA-550A version 1.0.0.71(SP1); and OSCA-550AX and OSCA-550X version 1.0.0.71(SP2) have an insufficient authentication vulnerability. An attacker can access the device physically and perform specific operations to exploit this vulnerability. Successful exploitation may cause the attacker obtain high privilege. | |||||
| CVE-2020-8612 | 2 Progess, Progress | 2 Moveit Transfer, Moveit Transfer | 2020-02-20 | 6.0 MEDIUM | 9.0 CRITICAL |
| In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, a REST API endpoint failed to adequately sanitize malicious input, which could allow an authenticated attacker to execute arbitrary code in a victim's browser, aka XSS. | |||||
| CVE-2018-12263 | 1 Portfoliocms Project | 1 Portfoliocms | 2020-02-20 | 6.5 MEDIUM | 8.8 HIGH |
| portfolioCMS 1.0.5 allows upload of arbitrary .php files via the admin/portfolio.php?newpage=true URI. | |||||
| CVE-2020-6183 | 1 Sap | 1 Host Agent | 2020-02-20 | 6.4 MEDIUM | 6.5 MEDIUM |
| SAP Host Agent, version 7.21, allows an unprivileged user to read the shared memory or write to the shared memory by sending request to the main SAPOSCOL process and receive responses that may contain data read with user root privileges e.g. size of any directory, system hardware and OS details, leading to Missing Authorization Check vulnerability. | |||||
| CVE-2019-12246 | 1 Silverstripe | 1 Silverstripe | 2020-02-20 | 4.3 MEDIUM | 4.3 MEDIUM |
| SilverStripe through 4.3.3 allows a Denial of Service on flush and development URL tools. | |||||
| CVE-2019-12437 | 1 Silverstripe | 1 Silverstripe | 2020-02-20 | 6.8 MEDIUM | 8.8 HIGH |
| In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations, | |||||
| CVE-2012-1932 | 1 Wolfcms | 1 Wolf Cms | 2020-02-20 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Wolf CMS 0.75 and earlier allows remote attackers to inject arbitrary web script or HTML via the setting[admin_email] parameter to admin/setting. | |||||
| CVE-2020-8981 | 1 Mantisbt | 1 Source Integration | 2020-02-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability was discovered in the Source Integration plugin before 1.6.2 and 2.x before 2.3.1 for MantisBT. The repo_delete.php Delete Repository page allows execution of arbitrary code via a repo name (if CSP settings permit it). This is related to CVE-2018-16362. | |||||
| CVE-2012-0951 | 1 Nvidia | 1 Display Driver | 2020-02-19 | 4.6 MEDIUM | 7.8 HIGH |
| A Memory Corruption Vulnerability exists in NVIDIA Graphics Drivers 29549 due to an unknown function in the file proc/driver/nvidia/registry. | |||||
| CVE-2020-8611 | 2 Progess, Progress | 2 Moveit Transfer, Moveit Transfer | 2020-02-19 | 6.5 MEDIUM | 8.8 HIGH |
| In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, multiple SQL Injection vulnerabilities have been found in the REST API that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer's database via the REST API. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or destroy database elements. | |||||
| CVE-2020-6188 | 1 Sap | 2 Erp, S\/4 Hana | 2020-02-19 | 6.5 MEDIUM | 8.8 HIGH |
| VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check. | |||||
| CVE-2020-1853 | 1 Huawei | 1 Gaussdb 200 | 2020-02-19 | 4.0 MEDIUM | 6.5 MEDIUM |
| GaussDB 200 with version of 6.5.1 have a path traversal vulnerability. Due to insufficient input path validation, an authenticated attacker can traverse directories and download files to a specific directory. Successful exploit may cause information leakage. | |||||
| CVE-2020-8815 | 1 Iktm | 1 Bearftp | 2020-02-19 | 5.0 MEDIUM | 7.5 HIGH |
| Improper connection handling in the base connection handler in IKTeam BearFTP before v0.3.1 allows a remote attacker to achieve denial of service via a Slowloris approach by sending a large volume of small packets. | |||||
| CVE-2014-3488 | 1 Netty | 1 Netty | 2020-02-19 | 5.0 MEDIUM | N/A |
| The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message. | |||||
| CVE-2020-6184 | 1 Sap | 2 Netweaver, S\/4hana | 2020-02-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Under certain conditions, ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), does not sufficiently encode user-controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2013-1924 | 1 Skill | 1 Commerce Skrill | 2020-02-19 | 5.0 MEDIUM | 7.5 HIGH |
| Commerce Skrill (Formerly Moneybookers) has an Access bypass vulnerability in all versions prior to 7.x-1.2 | |||||
| CVE-2020-6185 | 1 Sap | 2 Netweaver, S\/4hana | 2020-02-19 | 3.5 LOW | 5.4 MEDIUM |
| Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), allows an authenticated attacker to store a malicious payload which results in Stored Cross Site Scripting vulnerability. | |||||
| CVE-2020-6177 | 1 Sap | 1 Mobile Platform | 2020-02-19 | 4.0 MEDIUM | 4.3 MEDIUM |
| SAP Mobile Platform, version 3.0, does not sufficiently validate an XML document accepted from an untrusted source which could lead to partial denial of service. Since SAP Mobile Platform does not allow External-Entity resolving, there is no issue of leaking content of files on the server. | |||||
| CVE-2013-3685 | 2 Lg, Spritesoftware | 45 E971, E973, E975 and 42 more | 2020-02-19 | 6.9 MEDIUM | 7.0 HIGH |
| A Privilege Escalation Vulnerability exists in Sprite Software Spritebud 1.3.24 and 1.3.28 and Backup 2.5.4105 and 2.5.4108 on LG Android smartphones due to a race condition in the spritebud daemon, which could let a local malicious user obtain root privileges. | |||||
| CVE-2020-6186 | 1 Sap | 1 Host Agent | 2020-02-19 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Host Agent, version 7.21, allows an attacker to cause a slowdown in processing of username/password-based authentication requests of the SAP Host Agent, leading to Denial of Service. | |||||
| CVE-2014-4968 | 1 Boatmob | 1 Boat Browser | 2020-02-19 | 6.8 MEDIUM | 8.8 HIGH |
| The WebView class and use of the WebView.addJavascriptInterface method in the Boat Browser application 8.0 and 8.0.1 for Android allow remote attackers to execute arbitrary code via a crafted web site, a related issue to CVE-2012-6636. | |||||
| CVE-2020-8950 | 2 Amd, Microsoft | 2 User Experience Program, Windows | 2020-02-19 | 7.2 HIGH | 7.8 HIGH |
| The AUEPLauncher service in Radeon AMD User Experience Program Launcher through 1.0.0.1 on Windows allows elevation of privilege by placing a crafted file in %PROGRAMDATA%\AMD\PPC\upload and then creating a symbolic link in %PROGRAMDATA%\AMD\PPC\temp that points to an arbitrary folder with an arbitrary file name. | |||||
| CVE-2018-5986 | 1 Easycarscript | 1 Easycarscript | 2020-02-19 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in Easy Car Script 2014 via the s_order or s_row parameter to site_search.php. | |||||
| CVE-2020-6187 | 1 Sap | 1 Netweaver Guided Procedures | 2020-02-19 | 4.0 MEDIUM | 4.9 MEDIUM |
| SAP NetWeaver (Guided Procedures), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document input from a compromised admin, leading to Denial of Service. | |||||
| CVE-2018-6180 | 1 Themashabrand | 1 Online Voting Platform | 2020-02-19 | 5.0 MEDIUM | 9.8 CRITICAL |
| A flaw in the profile section of Online Voting System 1.0 allows an unauthenticated user to set an arbitrary password for other accounts. | |||||
| CVE-2014-3919 | 1 Netgear | 2 Cg3100, Cg3100 Firmware | 2020-02-19 | 4.3 MEDIUM | 9.3 CRITICAL |
| A vulnerability exists in Netgear CG3100 devices before 3.9.2421.13.mp3 V0027 via an embed malicious script in an unspecified page, which could let a malicious user obtain sensitive information. | |||||
| CVE-2020-8858 | 1 Moxa | 4 Mgate 5105-mb-eip, Mgate 5105-mb-eip-t, Mgate 5105-mb-eip-t Firmware and 1 more | 2020-02-19 | 9.0 HIGH | 8.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Moxa MGate 5105-MB-EIP firmware version 4.1. Authentication is required to exploit this vulnerability. The specific flaw exists within the DestIP parameter within MainPing.asp. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9552. | |||||
| CVE-2014-4170 | 1 Freereprintables | 1 Articlefr | 2020-02-19 | 7.5 HIGH | 9.8 CRITICAL |
| A Privilege Escalation Vulnerability exists in Free Reprintables ArticleFR 11.06.2014 due to insufficient access restrictions in the data.php script, which could let a remote malicious user obtain access or modify or delete database information. | |||||
| CVE-2014-4198 | 1 Bssys | 1 Rbs Bs-client. Retail Client | 2020-02-19 | 6.4 MEDIUM | 9.1 CRITICAL |
| A Two-Factor Authentication Bypass Vulnerability exists in BS-Client Private Client 2.4 and 2.5 via an XML request that neglects the use of ADPswID and AD parameters, which could let a malicious user access privileged function. | |||||
| CVE-2020-9020 | 1 Iteris | 2 Vantage Velocity, Vantage Velocity Firmware | 2020-02-19 | 10.0 HIGH | 9.8 CRITICAL |
| Iteris Vantage Velocity Field Unit 2.3.1, 2.4.2, and 3.0 devices allow the injection of OS commands into cgi-bin/timeconfig.py via shell metacharacters in the NTP Server field. | |||||
| CVE-2011-2343 | 1 Google | 1 Android | 2020-02-19 | 2.1 LOW | 2.4 LOW |
| The Bluetooth stack in Android before 2.3.6 allows a physically proximate attacker to obtain contact information via an AT phonebook transfer. | |||||
| CVE-2020-6190 | 1 Sap | 1 Netweaver Application Server Java | 2020-02-19 | 5.0 MEDIUM | 5.8 MEDIUM |
| Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable information about the system like hostname, server node and installation path that could be misused by an attacker leading to Information Disclosure. | |||||
| CVE-2020-6193 | 1 Sap | 1 Netweaver Knowledge Management | 2020-02-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP NetWeaver (Knowledge Management ICE Service), versions 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to execute malicious scripts leading to Reflected Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2020-6192 | 1 Sap | 1 Landscape Management | 2020-02-19 | 9.0 HIGH | 7.2 HIGH |
| SAP Landscape Management, version 3.0, allows an attacker with admin privileges to execute malicious commands with root privileges in SAP Host Agent via SAP Landscape Management. | |||||
| CVE-2020-9022 | 1 Cambiumnetworks | 8 Xh2-120, Xh2-120 Firmware, Xr2436 and 5 more | 2020-02-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered on Xirrus XR520, XR620, XR2436, and XH2-120 devices. The cgi-bin/ViewPage.cgi user parameter allows XSS. | |||||