Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-8503 1 Biscom 1 Secure File Transfer 2020-02-05 3.5 LOW 6.5 MEDIUM
Biscom Secure File Transfer (SFT) 5.0.1050 through 5.1.1067 and 6.0.1000 through 6.0.1003 allows Insecure Direct Object Reference (IDOR) by an authenticated sender because of an error in a file-upload feature. This is fixed in 5.1.1068 and 6.0.1004.
CVE-2014-3119 1 Web2project 1 Web2project 2020-02-05 6.5 MEDIUM 8.8 HIGH
Multiple SQL injection vulnerabilities in web2Project 3.1 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) search_string parameter in the contacts module to index.php or allow remote attackers to execute arbitrary SQL commands via the updatekey parameter to (2) do_updatecontact.php or (3) updatecontact.php.
CVE-2014-8126 1 Wisc 1 Htcondor 2020-02-05 6.5 MEDIUM 8.8 HIGH
The scheduler in HTCondor before 8.2.6 allows remote authenticated users to execute arbitrary code.
CVE-2014-8799 1 Dukapress 1 Dukapress 2020-02-05 5.0 MEDIUM N/A
Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.
CVE-2020-8093 1 Bitdefender 1 Antivirus 2020-02-05 4.6 MEDIUM 7.8 HIGH
A vulnerability in the AntivirusforMac binary as used in Bitdefender Antivirus for Mac allows an attacker to inject a library using DYLD environment variable to cause third-party code execution
CVE-2020-8092 1 Bitdefender 1 Antivirus 2020-02-05 2.1 LOW 5.5 MEDIUM
A privilege escalation vulnerability in BDLDaemon as used in Bitdefender Antivirus for Mac allows a local attacker to obtain authentication tokens for requests submitted to the Bitdefender Cloud. This issue affects: Bitdefender Bitdefender Antivirus for Mac versions prior to 8.0.0.
CVE-2019-3700 1 Suse 1 Yast2-security 2020-02-05 2.1 LOW 3.3 LOW
yast2-security didn't use secure defaults to protect passwords. This became a problem on 2019-10-07 when configuration files that set secure settings were moved to a different location. As of the 20191022 snapshot the insecure default settings were used until yast2-security switched to stronger defaults in 4.2.6 and used the new configuration file locations. Password created during this time used DES password encryption and are not properly protected against attackers that are able to access the password hashes.
CVE-2020-7240 1 Meinbergglobal 4 Lantime M1000, Lantime M1000 Firmware, Lantime M300 and 1 more 2020-02-05 9.0 HIGH 8.8 HIGH
** DISPUTED ** Meinberg Lantime M300 and M1000 devices allow attackers (with privileges to configure a device) to execute arbitrary OS commands by editing the /config/netconf.cmd script (aka Extended Network Configuration). Note: According to the description, the vulnerability requires a fully authenticated super-user account using a webUI function that allows super users to edit a script supposed to execute OS commands. The given weakness enumeration (CWE-78) is not applicable in this case as it refers to abusing functions/input fields not supposed to be accepting OS commands by using 'Special Elements.'
CVE-2020-7984 1 Solarwinds 1 N-central 2020-02-05 5.0 MEDIUM 7.5 HIGH
SolarWinds N-central before 12.1 SP1 HF5 and 12.2 before SP1 HF2 allows remote attackers to retrieve cleartext domain admin credentials from the Agent & Probe settings, and obtain other sensitive information. The attacker can use a customer ID to self register and read any aspects of the agent/appliance configuration.
CVE-2018-12476 1 Suse 3 Obs-service-tar Scm, Opensuse Factory, Suse Linux Enterprise Server 2020-02-05 6.4 MEDIUM 7.5 HIGH
Relative Path Traversal vulnerability in obs-service-tar_scm of SUSE Linux Enterprise Server 15; openSUSE Factory allows remote attackers with control over a repository to overwrite files on the machine of the local user if a malicious service is executed. This issue affects: SUSE Linux Enterprise Server 15 obs-service-tar_scm versions prior to 0.9.2.1537788075.fefaa74:. openSUSE Factory obs-service-tar_scm versions prior to 0.9.2.1537788075.fefaa74.
CVE-2018-16836 1 Rubedo Project 1 Rubedo 2020-02-05 7.5 HIGH 9.8 CRITICAL
Rubedo through 3.4.0 contains a Directory Traversal vulnerability in the theme component, allowing unauthenticated attackers to read and execute arbitrary files outside of the service root path, as demonstrated by a /theme/default/img/%2e%2e/..//etc/passwd URI.
CVE-2013-2748 1 Belkin 2 Wemo Switch, Wemo Switch Firmware 2020-02-05 7.5 HIGH 9.8 CRITICAL
Belkin Wemo Switch before WeMo_US_2.00.2176.PVT could allow remote attackers to upload arbitrary files onto the system.
CVE-2019-19825 1 Totolink 16 A3002ru, A3002ru Firmware, A702r and 13 more 2020-02-05 7.5 HIGH 9.8 CRITICAL
On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an {"topicurl":"setting/getSanvas"} POST to the boafrm/formLogin URI, leading to a CAPTCHA bypass. (Also, the CAPTCHA text is not needed once the attacker has determined valid credentials. The attacker can perform router actions via HTTP requests with Basic Authentication.) This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0.
CVE-2013-7390 1 Zohocorp 1 Manageengine Desktop Central 2020-02-05 7.5 HIGH 9.8 CRITICAL
Unrestricted file upload vulnerability in AgentLogUploadServlet in ManageEngine DesktopCentral 7.x and 8.0.0 before build 80293 allows remote attackers to execute arbitrary code by uploading a file with a jsp extension, then accessing it via a direct request to the file in the webroot.
CVE-2019-19824 1 Totolink 16 A3002ru, A3002ru Firmware, A702r and 13 more 2020-02-05 9.0 HIGH 8.8 HIGH
On certain TOTOLINK Realtek SDK based routers, an authenticated attacker may execute arbitrary OS commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not available. This allows for full control over the device's internals. This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0.
CVE-2014-3719 1 Exlibrisgroup 1 Aleph 500 2020-02-05 7.5 HIGH 9.8 CRITICAL
Multiple SQL injection vulnerabilities in cgi-bin/review_m.cgi in Ex Libris ALEPH 500 (Integrated library management system) 18.1 and 20 allow remote attackers to execute arbitrary SQL commands via the (1) find, (2) lib, or (3) sid parameter.
CVE-2016-2033 2020-02-05 N/A N/A
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was associated with multiple vulnerabilities. Notes: none
CVE-2011-4937 1 Joomla 1 Joomla\! 2020-02-05 5.0 MEDIUM 7.5 HIGH
Joomla! 1.7.1 has core information disclosure due to inadequate error checking.
CVE-2011-3629 1 Joomla 1 Joomla\! 2020-02-05 5.0 MEDIUM 7.5 HIGH
Joomla! core 1.7.1 allows information disclosure due to weak encryption
CVE-2019-4540 1 Ibm 1 Security Directory Server 2020-02-05 5.0 MEDIUM 7.5 HIGH
IBM Security Directory Server 6.4.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 165813.
CVE-2019-4548 1 Ibm 1 Security Directory Server 2020-02-05 4.3 MEDIUM 6.1 MEDIUM
IBM Security Directory Server 6.4.0 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 165950.
CVE-2019-10195 2 Fedoraproject, Freeipa 2 Fedora, Freeipa 2020-02-05 4.0 MEDIUM 6.5 MEDIUM
A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA but is possible by third-party components. An attacker having access to system logs on FreeIPA masters could use this flaw to produce log file content with passwords exposed.
CVE-2019-14867 2 Fedoraproject, Freeipa 2 Fedora, Freeipa 2020-02-05 6.8 MEDIUM 8.8 HIGH
A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or in some conditions, cause arbitrary code to be executed on the server hosting the IPA server.
CVE-2019-5636 1 Beckhoff 1 Twincat 2020-02-04 5.0 MEDIUM 7.5 HIGH
When a Beckhoff TwinCAT Runtime receives a malformed UDP packet, the ADS Discovery Service shuts down. Note that the TwinCAT devices are still performing as normal. This issue affects TwinCAT 2 version 2304 (and prior) and TwinCAT 3.1 version 4204.0 (and prior).
CVE-2019-5637 1 Beckhoff 3 Twincat, Twincat Cx2030, Twincat Cx5140 2020-02-04 5.0 MEDIUM 7.5 HIGH
When Beckhoff TwinCAT is configured to use the Profinet driver, a denial of service of the controller could be reached by sending a malformed UDP packet to the device. This issue affects TwinCAT 2 version 2304 (and prior) and TwinCAT 3.1 version 4204.0 (and prior).
CVE-2019-4551 1 Ibm 1 Security Directory Server 2020-02-04 5.0 MEDIUM 5.3 MEDIUM
IBM Security Directory Server 6.4.0 does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. IBM X-Force ID: 165953.
CVE-2019-17100 1 Bitdefender 1 Total Security 2020 2020-02-04 4.4 MEDIUM 6.5 MEDIUM
An Untrusted Search Path vulnerability in bdserviceshost.exe as used in Bitdefender Total Security 2020 allows an attacker to execute arbitrary code. This issue does not affect: Bitdefender Total Security versions prior to 24.0.12.69.
CVE-2013-4582 1 Gitlab 2 Gitlab, Gitlab-shell 2020-02-04 4.0 MEDIUM 6.5 MEDIUM
The (1) create_branch, (2) create_tag, (3) import_project, and (4) fork_project functions in lib/gitlab_projects.rb in GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allows remote authenticated users to include information from local files into the metadata of a Git repository via the web interface.
CVE-2019-4562 1 Ibm 1 Security Directory Server 2020-02-04 5.0 MEDIUM 5.3 MEDIUM
IBM Security Directory Server 6.4.0 stores sensitive information in URLs. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referer header or browser history. IBM X-Force ID: 166623.
CVE-2017-14806 1 Suse 2 Studio Onsite, Susestudio-ui-server 2020-02-04 4.3 MEDIUM 5.9 MEDIUM
A Improper Certificate Validation vulnerability in susestudio-common of SUSE Studio onsite allows remote attackers to MITM connections to the repositories, which allows the modification of packages received over these connections. This issue affects: SUSE Studio onsite susestudio-common version 1.3.17-56.6.3 and prior versions.
CVE-2017-14807 1 Suse 2 Studio Onsite, Susestudio-ui-server 2020-02-04 5.5 MEDIUM 8.1 HIGH
An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in susestudio-ui-server of SUSE Studio onsite allows remote attackers with admin privileges in Studio to alter SQL statements, allowing for extraction and modification of data. This issue affects: SUSE Studio onsite susestudio-ui-server version 1.3.17-56.6.3 and prior versions.
CVE-2013-3960 1 Easytimestudio 1 Easy File Manager 2020-02-04 8.7 HIGH 9.9 CRITICAL
Easytime Studio Easy File Manager 1.1 has a HTTP request security bypass
CVE-2013-6785 1 Supermicro 1 Intelligent Platform Management Interface 2020-02-04 4.0 MEDIUM 4.3 MEDIUM
Directory traversal vulnerability in url_redirect.cgi in Supermicro IPMI before SMT_X9_315 allows authenticated attackers to read arbitrary files via the url_name parameter.
CVE-2013-7051 1 D-link 2 Dir-100, Dir-100 Firmware 2020-02-04 6.8 MEDIUM 8.8 HIGH
D-Link DIR-100 4.03B07: cli.cgi security bypass due to failure to check authentication parameters
CVE-2012-6610 1 Polycom 3 Hdx 8000, Hdx Video End Points, Uc Apl 2020-02-04 9.0 HIGH 8.8 HIGH
Polycom HDX Video End Points before 3.0.4 and UC APL before 2.7.1.J allows remote authenticated users to execute arbitrary commands as demonstrated by a ; (semicolon) to the ping command feature.
CVE-2013-7052 1 D-link 2 Dir-100, Dir-100 Firmware 2020-02-04 5.0 MEDIUM 9.8 CRITICAL
D-Link DIR-100 4.03B07: security bypass via an error in the cliget.cgi script
CVE-2020-8086 2 Debian, Prosody 3 Debian Linux, Mod Auth Ldap, Mod Auth Ldap2 2020-02-04 6.8 MEDIUM 9.8 CRITICAL
The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed to the is_admin() function. This grants remote entities admin-only functionality if their username matches the username of a local admin.
CVE-2013-7055 1 D-link 2 Dir-100, Dir-100 Firmware 2020-02-04 5.0 MEDIUM 9.8 CRITICAL
D-Link DIR-100 4.03B07 has PPTP and poe information disclosure
CVE-2014-2896 1 Wolfssl 1 Wolfssl 2020-02-04 7.5 HIGH 9.8 CRITICAL
The DoAlert function in the (1) TLS and (2) DTLS implementations in wolfSSL CyaSSL before 2.9.4 allows remote attackers to have unspecified impact and vectors, which trigger memory corruption or an out-of-bounds read.
CVE-2014-2897 1 Wolfssl 1 Wolfssl 2020-02-04 7.5 HIGH 9.8 CRITICAL
The SSL 3 HMAC functionality in wolfSSL CyaSSL 2.5.0 before 2.9.4 does not check the padding length when verification fails, which allows remote attackers to have unspecified impact via a crafted HMAC, which triggers an out-of-bounds read.
CVE-2014-2898 1 Wolfssl 1 Wolfssl 2020-02-04 7.5 HIGH 9.8 CRITICAL
wolfSSL CyaSSL before 2.9.4 allows remote attackers to have unspecified impact via multiple calls to the CyaSSL_read function which triggers an out-of-bounds read when an error occurs, related to not checking the return code and MAC verification failure.
CVE-2012-6609 1 Polycom 3 Hdx 8000, Hdx Video End Points, Uc Apl 2020-02-04 5.0 MEDIUM 7.5 HIGH
Directory traversal vulnerability in a_getlog.cgi in Polycom HDX Video End Points before 3.0.4 and UC APL before 2.7.1.J allows remote attackers to read arbitrary files via a .. (dot dot) in the name parameter.
CVE-2014-2277 1 Perltidy Project 1 Perltidy 2020-02-04 3.6 LOW 7.1 HIGH
The make_temporary_filename function in perltidy 20120701-1 and earlier allows local users to obtain sensitive information or write to arbitrary files via a symlink attack, related to use of the tmpnam function.
CVE-2008-2470 1 Macrovision 1 Flexnet Connect 2020-02-04 9.3 HIGH N/A
The InstallShield Update Service Agent ActiveX control in isusweb.dll allows remote attackers to cause a denial of service (memory corruption and browser crash) and possibly execute arbitrary code via a call to ExecuteRemote with a URL that results in a 404 error response.
CVE-2013-2574 1 Foscam 2 Fi8620, Fi8620 Firmware 2020-02-04 5.0 MEDIUM 7.5 HIGH
An Access vulnerability exists in FOSCAM IP Camera FI8620 due to insufficient access restrictions in the /tmpfs/ and /log/ directories, which could let a malicious user obtain sensitive information.
CVE-2013-1600 1 Dlink 4 Dcs-2102, Dcs-2102 Firmware, Dcs-2121 and 1 more 2020-02-04 5.0 MEDIUM 5.3 MEDIUM
An Authentication Bypass vulnerability exists in upnp/asf-mp4.asf when streaming live video in D-Link TESCO DCS-2121 1.05_TESCO, TESCO DCS-2102 1.05_TESCO, DCS-2121 1.06_FR, 1.06, and 1.05_RU, DCS-2102 1.06_FR. 1.06, and 1.05_RU, which could let a malicious user obtain sensitive information.
CVE-2014-2843 1 Infoware 1 Mapsuite 2020-02-04 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in infoware MapSuite MapAPI 1.0.x before 1.0.36 and 1.1.x before 1.1.49 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2013-7053 1 D-link 2 Dir-100, Dir-100 Firmware 2020-02-04 6.8 MEDIUM 8.8 HIGH
D-Link DIR-100 4.03B07: cli.cgi CSRF
CVE-2013-7054 1 D-link 2 Dir-100, Dir-100 Firmware 2020-02-04 4.3 MEDIUM 6.1 MEDIUM
D-Link DIR-100 4.03B07: cli.cgi XSS
CVE-2013-1437 2 Fedoraproject, Module-metadata Project 2 Fedora, Module-metadata 2020-02-04 7.5 HIGH 9.8 CRITICAL
Eval injection vulnerability in the Module-Metadata module before 1.000015 for Perl allows remote attackers to execute arbitrary Perl code via the $Version value.