Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-4613 1 Ibm 1 Planning Analytics 2020-02-06 6.8 MEDIUM 8.8 HIGH
IBM Planning Analytics 2.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 168524.
CVE-2014-5236 1 Open-xchange 1 Open-xchange Appsuite 2020-02-06 5.0 MEDIUM 7.5 HIGH
Multiple absolute path traversal vulnerabilities in documentconverter in Open-Xchange (OX) AppSuite before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 allow remote attackers to read application files via a full pathname in a crafted (1) OLE Object or (2) image in an OpenDocument text file.
CVE-2020-7210 1 Umbraco 1 Umbraco Cms 2020-02-06 4.3 MEDIUM 4.3 MEDIUM
Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user accounts.
CVE-2020-8009 1 Motu 21 112d, 1248, 16a and 18 more 2020-02-06 5.0 MEDIUM 7.5 HIGH
AVB MOTU devices through 2020-01-22 allow /.. Directory Traversal, as demonstrated by reading the /etc/passwd file.
CVE-2020-7972 1 Gitlab 1 Gitlab 2020-02-06 5.0 MEDIUM 7.5 HIGH
GitLab EE 12.2 has Insecure Permissions (issue 2 of 2).
CVE-2020-8120 1 Nextcloud 1 Nextcloud 2020-02-06 4.3 MEDIUM 6.1 MEDIUM
A reflected Cross-Site Scripting vulnerability in Nextcloud Server 16.0.1 was discovered in the svg generation.
CVE-2019-18412 1 Jetbrains 1 Idetalk 2020-02-06 5.0 MEDIUM 7.5 HIGH
JetBrains IDETalk plugin before version 193.4099.10 allows XXE
CVE-2019-3682 1 Suse 1 Caas Platform 2020-02-06 4.6 MEDIUM 7.8 HIGH
The docker-kubic package in SUSE CaaS Platform 3.0 before 17.09.1_ce-7.6.1 provided access to an insecure API locally on the Kubernetes master node.
CVE-2020-8508 1 Norman 1 Malware Cleaner 2020-02-06 7.5 HIGH 9.8 CRITICAL
nsak64.sys in Norman Malware Cleaner 2.08.08 allows users to call arbitrary kernel functions because the passing of function pointers between user and kernel mode is mishandled.
CVE-2020-5235 1 Nanopb Project 1 Nanopb 2020-02-06 7.5 HIGH 9.8 CRITICAL
There is a potentially exploitable out of memory condition In Nanopb before 0.4.1, 0.3.9.5, and 0.2.9.4. When nanopb is compiled with PB_ENABLE_MALLOC, the message to be decoded contains a repeated string, bytes or message field and realloc() runs out of memory when expanding the array nanopb can end up calling `free()` on a pointer value that comes from uninitialized memory. Depending on platform this can result in a crash or further memory corruption, which may be exploitable in some cases. This problem is fixed in nanopb-0.4.1, nanopb-0.3.9.5, nanopb-0.2.9.4.
CVE-2020-8125 1 Klona Project 1 Klona 2020-02-06 7.5 HIGH 9.8 CRITICAL
Flaw in input validation in npm package klona version 1.1.0 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using klona.
CVE-2020-5236 1 Agendaless 1 Waitress 2020-02-06 6.8 MEDIUM 6.5 MEDIUM
Waitress version 1.4.2 allows a DOS attack When waitress receives a header that contains invalid characters. When a header like "Bad-header: xxxxxxxxxxxxxxx\x10" is received, it will cause the regular expression engine to catastrophically backtrack causing the process to use 100% CPU time and blocking any other interactions. This allows an attacker to send a single request with an invalid header and take the service offline. This issue was introduced in version 1.4.2 when the regular expression was updated to attempt to match the behaviour required by errata associated with RFC7230. The regular expression that is used to validate incoming headers has been updated in version 1.4.3, it is recommended that people upgrade to the new version of Waitress as soon as possible.
CVE-2020-8123 1 Strapi 1 Strapi 2020-02-06 4.0 MEDIUM 4.9 MEDIUM
A denial of service exists in strapi v3.0.0-beta.18.3 and earlier that can be abused in the admin console using admin rights can lead to arbitrary restart of the application.
CVE-2019-4732 2 Ibm, Microsoft 3 Sdk, Websphere Application Server, Windows 2020-02-06 6.9 MEDIUM 6.5 MEDIUM
IBM SDK, Java Technology Edition Version 7.0.0.0 through 7.0.10.55, 7.1.0.0 through 7.1.4.55, and 8.0.0.0 through 8.0.6.0 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. By placing a specially-crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 172618.
CVE-2020-7967 1 Gitlab 1 Gitlab 2020-02-06 4.0 MEDIUM 4.3 MEDIUM
GitLab EE 8.0 through 12.7.2 has Insecure Permissions (issue 1 of 2).
CVE-2019-15618 1 Nextcloud 1 Nextcloud Server 2020-02-06 3.5 LOW 4.8 MEDIUM
Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a reflected XSS when starting the updater from a malicious location.
CVE-2019-4674 1 Ibm 1 Security Identity Manager 2020-02-06 4.0 MEDIUM 4.9 MEDIUM
IBM Security Identity Manager 7.0.1 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 171510.
CVE-2012-5686 1 Zpanelcp 1 Zpanel 2020-02-06 7.5 HIGH 9.8 CRITICAL
ZPanel 10.0.1 has insufficient entropy for its password reset process.
CVE-2018-13041 1 Linktoken Project 1 Linktoken 2020-02-06 5.0 MEDIUM 7.5 HIGH
The mint function of a smart contract implementation for Link Platform (LNK), an Ethereum ERC20 token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
CVE-2020-8117 1 Nextcloud 1 Nextcloud Server 2020-02-06 4.0 MEDIUM 4.3 MEDIUM
Improper preservation of permissions in Nextcloud Server 14.0.3 causes the event details to be leaked when sharing a non-public event.
CVE-2019-4451 1 Ibm 1 Security Identity Manager 2020-02-06 3.5 LOW 5.4 MEDIUM
IBM Security Identity Manager 6.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 163493.
CVE-2018-13474 1 Fanschaintoken Project 1 Fanschaintoken 2020-02-06 5.0 MEDIUM 7.5 HIGH
The mintToken function of a smart contract implementation for FansChainToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
CVE-2020-7973 1 Gitlab 1 Gitlab 2020-02-06 4.3 MEDIUM 6.1 MEDIUM
GitLab through 12.7.2 allows XSS.
CVE-2013-0725 1 Hexagongeospatial 1 Erdas Er Viewer 2020-02-06 6.9 MEDIUM 7.8 HIGH
ERDAS ER Viewer 13.0 has dwmapi.dll and irml.dll libraries arbitrary code execution vulnerabilities
CVE-2020-8510 1 Phpabook Project 1 Phpabook 2020-02-06 7.5 HIGH 9.8 CRITICAL
An issue was discovered in phpABook 0.9 Intermediate. On the login page, if one sets a userInfo cookie with the value of admin+1+en (user+perms+lang), one can login as any user without a password.
CVE-2019-11251 1 Kubernetes 1 Kubernetes 2020-02-06 4.3 MEDIUM 5.7 MEDIUM
The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree.
CVE-2020-8545 1 Circl 1 Ail Framework 2020-02-06 5.0 MEDIUM 7.5 HIGH
Global.py in AIL framework 2.8 allows path traversal.
CVE-2013-2646 1 Tp-link 2 Tl-wr1043nd, Tl-wr1043nd Firmware 2020-02-06 5.0 MEDIUM 7.5 HIGH
TP-LINK TL-WR1043ND V1_120405 devices contain an unspecified denial of service vulnerability.
CVE-2020-7977 1 Gitlab 1 Gitlab 2020-02-06 4.3 MEDIUM 5.3 MEDIUM
GitLab EE 8.8 and later through 12.7.2 has Insecure Permissions.
CVE-2020-7978 1 Gitlab 1 Gitlab 2020-02-06 5.0 MEDIUM 7.5 HIGH
GitLab EE 12.6 and later through 12.7.2 allows Denial of Service.
CVE-2019-0189 1 Apache 1 Ofbiz 2020-02-06 7.5 HIGH 9.8 CRITICAL
The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is passed to the "deserialize" method of "XmlSerializer". Apache Ofbiz is affected via two different dependencies: "commons-beanutils" and an out-dated version of "commons-fileupload" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16
CVE-2019-10073 1 Apache 1 Ofbiz 2020-02-06 4.3 MEDIUM 6.1 MEDIUM
The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" application bundled in Apache OFBiz are weak to Stored XSS attacks. Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16.11: 1858438, 1858543, 1860595 and 1860616
CVE-2019-19823 11 Ciktel, Coship, Fg-products and 8 more 36 Mesh Router, Mesh Router Firmware, Emta Ap and 33 more 2020-02-06 5.0 MEDIUM 7.5 HIGH
A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) stores cleartext administrative passwords in flash memory and in a file. This affects TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0; Rutek RTK 11N AP through 2019-12-12; Sapido GR297n through 2019-12-12; CIK TELECOM MESH ROUTER through 2019-12-12; KCTVJEJU Wireless AP through 2019-12-12; Fibergate FGN-R2 through 2019-12-12; Hi-Wifi MAX-C300N through 2019-12-12; HCN MAX-C300N through 2019-12-12; T-broad GN-866ac through 2019-12-12; Coship EMTA AP through 2019-12-12; and IO-Data WN-AC1167R through 2019-12-12.
CVE-2020-8548 1 Masscode 1 Masscode 2020-02-06 4.3 MEDIUM 6.1 MEDIUM
massCode 1.0.0-alpha.6 allows XSS via crafted Markdown text, with resultant remote code execution (because nodeIntegration in webPreferences is true).
CVE-2013-6358 1 Prestashop 1 Prestashop 2020-02-06 9.0 HIGH 8.8 HIGH
PrestaShop 1.5.5 allows remote authenticated attackers to execute arbitrary code by uploading a crafted profile and then accessing it in the module/ directory.
CVE-2013-2571 1 Hcomm 1 Xpient Iris 2020-02-06 7.5 HIGH 9.8 CRITICAL
Iris 3.8 before build 1548, as used in Xpient point of sale (POS) systems, allows remote attackers to execute arbitrary commands via a crafted request to TCP port 7510, as demonstrated by opening the cash drawer.
CVE-2014-4859 1 Tianocore 1 Edk2 2020-02-06 7.2 HIGH 6.8 MEDIUM
Integer overflow in the Drive Execution Environment (DXE) phase in the Capsule Update feature in the UEFI implementation in EDK2 allows physically proximate attackers to bypass intended access restrictions via crafted data.
CVE-2014-3230 1 Lwp\ 1 \ 2020-02-06 4.3 MEDIUM 5.9 MEDIUM
The libwww-perl LWP::Protocol::https module 6.04 through 6.06 for Perl, when using IO::Socket::SSL as the SSL socket class, allows attackers to disable server certificate validation via the (1) HTTPS_CA_DIR or (2) HTTPS_CA_FILE environment variable.
CVE-2013-4187 1 Flippy Project 1 Flippy 2020-02-06 4.0 MEDIUM 6.5 MEDIUM
The Flippy module 7.x-1.x before 7.x-1.2 for Drupal does not properly restrict access to nodes, which allows remote authenticated users with the permission to access content to read a link or alias to a restricted node.
CVE-2015-0949 2 Dell, Hp 4 Latitude E6430, Latitude E6430 Firmware, Elitebook 850 G1 and 1 more 2020-02-06 4.6 MEDIUM 7.8 HIGH
The System Management Mode (SMM) implementation in Dell Latitude E6430 BIOS Revision A09, HP EliteBook 850 G1 BIOS revision L71 Ver. 01.09, and possibly other BIOS implementations does not ensure that function calls operate on SMRAM memory locations, which allows local users to bypass the Secure Boot protection mechanism and gain privileges by leveraging write access to physical memory.
CVE-2014-8338 1 Videowhisper 1 Webcam 2020-02-06 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in vwrooms/js/jsor-jcarousel/examples/special_textscroller.php in the VideoWhisper Webcam plugins for Drupal 7.x allows remote attackers to inject arbitrary web script or HTML via a URL to a crafted SVG file in the feed parameter.
CVE-2020-5232 1 Ens.domains 1 Ethereum Name Service 2020-02-06 4.9 MEDIUM 8.7 HIGH
A user who owns an ENS domain can set a trapdoor, allowing them to transfer ownership to another user, and later regain ownership without the new owners consent or awareness. A new ENS deployment is being rolled out that fixes this vulnerability in the ENS registry.
CVE-2017-3199 1 Graniteds 1 Graniteds 2020-02-06 6.8 MEDIUM 8.1 HIGH
The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deserializers derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.
CVE-2018-13122 1 Onefilecms 1 Onefilecms 2020-02-06 5.5 MEDIUM 6.5 MEDIUM
onefilecms.php in OneFileCMS through 2017-10-08 might allow attackers to delete arbitrary files via the Delete File(s) screen, as demonstrated by a ?i=var/www/html/&f=123.php&p=edit&p=deletefile URI.
CVE-2018-7475 1 Icewarp 1 Mail Server 2020-02-06 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability for webdav/ticket/ URIs in IceWarp Mail Server 12.0.3 allows remote attackers to inject arbitrary web script or HTML.
CVE-2011-1009 1 Vanillaforums 1 Vanilla 2020-02-06 4.3 MEDIUM 6.1 MEDIUM
Vanilla Forums 2.0.17.1 through 2.0.17.5 has XSS in /vanilla/index.php via the p parameter.
CVE-2011-1069 1 Phpshop 1 Phpshop 2020-02-06 4.3 MEDIUM 6.1 MEDIUM
PHPShop through 0.8.1 has XSS.
CVE-2010-4662 1 Pmwiki 1 Pmwiki 2020-02-06 4.3 MEDIUM 6.1 MEDIUM
PmWiki before 2.2.21 has XSS.
CVE-2011-4115 1 Cpan 1 Parallel\ 2020-02-05 6.4 MEDIUM 7.5 HIGH
Parallel::ForkManager module before 1.0.0 for Perl does not properly handle temporary files.
CVE-2011-4116 1 Cpan 1 File\ 2020-02-05 5.0 MEDIUM 7.5 HIGH
_is_safe in the File::Temp module for Perl does not properly handle symlinks.