Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-7213 1 Parallels 1 Parallels 2020-01-29 7.6 HIGH 7.5 HIGH
Parallels 13 uses cleartext HTTP as part of the update process, allowing man-in-the-middle attacks. Users of out-of-date versions are presented with a pop-up window for a parallels_updates.xml file on the http://update.parallels.com web site.
CVE-2020-7222 1 Amcrest 1 Web Server 2020-01-29 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Amcrest Web Server 2.520.AC00.18.R 2017-06-29 WEB 3.2.1.453504. The login page responds with JavaScript when one tries to authenticate. An attacker who changes the result parameter (to true) in this JavaScript code can bypass authentication and achieve limited privileges (ability to see every option but not modify them).
CVE-2020-5223 1 Privatebin 1 Privatebin 2020-01-29 2.1 LOW 4.4 MEDIUM
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3.2 & v1.2.2. Admins are urged to upgrade to these versions to protect the affected users.
CVE-2014-9630 1 Videolan 1 Vlc Media Player 2020-01-29 6.8 MEDIUM 7.8 HIGH
The rtp_packetize_xiph_config function in modules/stream_out/rtpfmt.c in VideoLAN VLC media player before 2.1.6 uses a stack-allocation approach with a size determined by arbitrary input data, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted length value.
CVE-2018-12415 1 Tibco 1 Enterprise Message Service 2020-01-29 6.8 MEDIUM 8.8 HIGH
The Central Administration server (emsca) component of TIBCO Software Inc.'s TIBCO Enterprise Message Service, TIBCO Enterprise Message Service - Community Edition, and TIBCO Enterprise Message Service - Developer Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Enterprise Message Service: versions 8.4.0 and below, TIBCO Enterprise Message Service - Community Edition: versions 8.4.0 and below, and TIBCO Enterprise Message Service - Developer Edition: versions 8.4.0 and below.
CVE-2011-3611 1 Usebb 1 Usebb 2020-01-29 9.0 HIGH 7.2 HIGH
A File Inclusion vulnerability exists in act parameter to admin.php in UseBB before 1.0.12.
CVE-2012-5190 1 Accusoft 1 Prizm Content Connect 2020-01-29 7.5 HIGH 9.8 CRITICAL
Prizm Content Connect 5.1 has an Arbitrary File Upload Vulnerability
CVE-2020-5851 1 F5 28 Big-ip 2800, Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager and 25 more 2020-01-29 2.1 LOW 4.6 MEDIUM
On impacted versions and platforms the Trusted Platform Module (TPM) system integrity check cannot detect modifications to specific system components. This issue only impacts specific engineering hotfixes and platforms. NOTE: This vulnerability does not affect any of the BIG-IP major, minor or maintenance releases you obtained from downloads.f5.com. The affected Engineering Hotfix builds are as follows: Hotfix-BIGIP-14.1.0.2.0.45.4-ENG Hotfix-BIGIP-14.1.0.2.0.62.4-ENG
CVE-2012-3490 1 Wisc 1 Htcondor 2020-01-29 9.0 HIGH 8.8 HIGH
The (1) my_popenv_impl and (2) my_spawnv functions in src/condor_utils/my_popen.cpp and the (3) systemCommand function in condor_vm-gahp/vmgahp_common.cpp in Condor 7.6.x before 7.6.10 and 7.8.x before 7.8.4 does not properly check the return value of setuid calls, which might cause a subprocess to be created with root privileges and allow remote attackers to gain privileges via unspecified vectors.
CVE-2019-12619 1 Cisco 8 Sd-wan Firmware, Vedge-100, Vedge-1000 and 5 more 2020-01-29 4.0 MEDIUM 6.5 MEDIUM
A vulnerability in the web interface for Cisco SD-WAN Solution vManage could allow an authenticated, remote attacker to impact the integrity of an affected system by executing arbitrary SQL queries. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted input that includes SQL statements to an affected system. A successful exploit could allow the attacker to modify entries in some database tables, affecting the integrity of the data.
CVE-2010-3282 3 Fedoraproject, Hp, Redhat 4 389 Directory Server, Hp-ux Directory Server, Directory Server and 1 more 2020-01-29 1.9 LOW 3.3 LOW
389 Directory Server before 1.2.7.1 (aka Red Hat Directory Server 8.2) and HP-UX Directory Server before B.08.10.03, when audit logging is enabled, logs the Directory Manager password (nsslapd-rootpw) in cleartext when changing cn=config:nsslapd-rootpw, which might allow local users to obtain sensitive information by reading the log.
CVE-2016-5311 1 Symantec 9 Endpoint Protection, Endpoint Protection Cloud, Norton 360 and 6 more 2020-01-29 6.9 MEDIUM 7.8 HIGH
A Privilege Escalation vulnerability exists in Symantec Norton Antivirus, Norton AntiVirus with Backup, Norton Security, Norton Security with Backup, Norton Internet Security, Norton 360, Endpoint Protection Small Business Edition Cloud, and Endpoint Protection Cloud Client due to a DLL-preloading without path restrictions, which could let a local malicious user obtain system privileges.
CVE-2011-5282 1 Mirc 1 Mirc 2020-01-29 5.0 MEDIUM 5.3 MEDIUM
mIRC prior to 7.22 has a message leak because chopping of outbound messages is mishandled.
CVE-2014-5007 1 Zohocorp 2 Manageengine Desktop Central, Manageengine Desktop Central Managed Service Providers 2020-01-29 10.0 HIGH 9.8 CRITICAL
Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename parameter.
CVE-2020-7980 1 Intelliantech 1 Aptus Web 2020-01-29 10.0 HIGH 9.8 CRITICAL
Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.
CVE-2011-4322 1 Websitebaker 1 Websitebaker 2020-01-29 5.0 MEDIUM 7.5 HIGH
websitebaker prior to and including 2.8.1 has an authentication error in backup module.
CVE-2014-8563 1 Synacor 1 Zimbra Collaboration Server 2020-01-29 7.5 HIGH 9.8 CRITICAL
Synacor Zimbra Collaboration before 8.0.9 allows plaintext command injection during STARTTLS.
CVE-2020-7997 1 Asus 2 Rt-ac66u, Rt-ac66u Firmware 2020-01-29 4.3 MEDIUM 6.1 MEDIUM
ASUS WRT-AC66U 3 RT 3.0.0.4.372_67 devices allow XSS via the Client Name field to the Parental Control feature.
CVE-2019-20385 1 Logaritmo 1 Aware Callmanager 2020-01-29 6.5 MEDIUM 8.8 HIGH
The CSV upload feature in /supervisor/procesa_carga.php on Logaritmo Aware CallManager 2012 devices allows upload of .php files with a text/* content type. The PHP code can then be executed by visiting a /supervisor/csv/ URI.
CVE-2019-11998 1 Hpe 2 Superdome Flex Server, Superdome Flex Server Firmware 2020-01-29 5.0 MEDIUM 5.5 MEDIUM
HPE Superdome Flex Server is vulnerable to multiple remote vulnerabilities via improper input validation of administrator commands. This vulnerability could allow an Administrator to bypass security restrictions and access multiple remote vulnerabilities including information disclosure, or denial of service. HPE has provided firmware updates that address the above vulnerabilities for the HPE Superdome Flex Server starting with firmware version v3.20.186 (not available online) and v3.20.206 (available online). Apply v3.20.206 (4 December 2019) or a newer version to resolve this issue. Please visit HPE Support Center https://support.hpe.com/hpesc/public/home to obtain the updated firmware for your product.
CVE-2019-10770 1 Ratpack 1 Ratpack 2020-01-29 4.3 MEDIUM 6.1 MEDIUM
All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting (XSS). This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to be utilized in production it would require users to not disable development mode.
CVE-2013-0286 1 Pinboard Project 1 Pinboard 2020-01-29 3.5 LOW 5.4 MEDIUM
Pinboard 1.0.6 theme for Wordpress has XSS.
CVE-2020-1767 1 Otrs 1 Otrs 2020-01-29 3.5 LOW 4.3 MEDIUM
Agent A is able to save a draft (i.e. for customer reply). Then Agent B can open the draft, change the text completely and send it in the name of Agent A. For the customer it will not be visible that the message was sent by another agent. This issue affects: ((OTRS)) Community Edition 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.
CVE-2018-13718 1 Futurxe 1 Futurxe 2020-01-29 5.0 MEDIUM 7.5 HIGH
The mintToken function of a smart contract implementation for FuturXe, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
CVE-2019-15585 1 Gitlab 1 Gitlab 2020-01-29 7.5 HIGH 9.8 CRITICAL
Improper authentication exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) in the GitLab SAML integration had a validation issue that permitted an attacker to takeover another user's account.
CVE-2019-15578 1 Gitlab 1 Gitlab 2020-01-29 5.0 MEDIUM 5.3 MEDIUM
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). The path of a private project, that used to be public, would be disclosed in the unsubscribe email link of issues and merge requests.
CVE-2019-15581 1 Gitlab 1 Gitlab 2020-01-29 5.0 MEDIUM 5.3 MEDIUM
An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group via merge request approval rules.
CVE-2019-15583 1 Gitlab 1 Gitlab 2020-01-29 5.0 MEDIUM 7.5 HIGH
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). When an issue was moved to a public project from a private one, the associated private labels and the private project namespace would be disclosed through the GitLab API.
CVE-2019-16517 1 Connectwise 1 Control 2020-01-28 7.5 HIGH 9.8 CRITICAL
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a CORS misconfiguration, which reflected the Origin provided by incoming requests. This allowed JavaScript running on any domain to interact with the server APIs and perform administrative actions, without the victim's knowledge.
CVE-2019-15586 1 Gitlab 1 Gitlab 2020-01-28 4.3 MEDIUM 6.1 MEDIUM
A XSS exists in Gitlab CE/EE < 12.1.10 in the Mermaid plugin.
CVE-2019-12427 1 Zimbra 1 Collaboration Server 2020-01-28 3.5 LOW 4.8 MEDIUM
Zimbra Collaboration before 8.8.15 Patch 1 is vulnerable to a non-persistent XSS via the Admin Console.
CVE-2019-8947 1 Zimbra 1 Collaboration Server 2020-01-28 4.3 MEDIUM 6.1 MEDIUM
Zimbra Collaboration 8.7.x - 8.8.11P2 contains non-persistent XSS.
CVE-2019-8946 1 Zimbra 1 Collaboration Server 2020-01-28 4.3 MEDIUM 6.1 MEDIUM
Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS.
CVE-2019-8945 1 Zimbra 1 Collaboration Server 2020-01-28 4.3 MEDIUM 6.1 MEDIUM
Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS.
CVE-2015-2249 1 Synacor 1 Zimbra Collaboration Server 2020-01-28 3.5 LOW 5.4 MEDIUM
Zimbra Collaboration before 8.6.0 patch5 has XSS.
CVE-2019-11318 1 Synacor 1 Zimbra Collaboration Server 2020-01-28 3.5 LOW 5.4 MEDIUM
Zimbra Collaboration before 8.8.12 Patch 1 has persistent XSS.
CVE-2014-5500 1 Synacor 1 Zimbra Collaboration Server 2020-01-28 4.3 MEDIUM 6.1 MEDIUM
Synacor Zimbra Collaboration before 8.0.8 has XSS.
CVE-2019-14767 1 Dimo-crm 1 Yellowbox Crm 2020-01-28 5.0 MEDIUM 7.5 HIGH
In DIMO YellowBox CRM before 6.3.4, Path Traversal in images/Apparence (dossier=../) and servletrecuperefichier (document=../) allows an unauthenticated user to download arbitrary files from the server.
CVE-2019-14766 1 Dimo-crm 1 Yellowbox Crm 2020-01-28 4.0 MEDIUM 6.5 MEDIUM
Path Traversal in the file browser of DIMO YellowBox CRM before 6.3.4 allows a standard authenticated user to browse the server filesystem.
CVE-2019-6036 1 F-revocrm 1 F-revocrm 2020-01-28 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting vulnerability in F-RevoCRM 6.0 to F-RevoCRM 6.5 patch6 (version 6 series) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-5389 1 Dart 1 Powertcp Webserver For Activex 2020-01-28 5.0 MEDIUM 7.5 HIGH
NULL Pointer Dereference in PowerTCP WebServer for ActiveX 1.9.2 and earlier allows remote attackers to cause a denial of service (application crash) via a crafted HTTP request.
CVE-2020-3131 2 Cisco, Microsoft 2 Webex Teams, Windows 2020-01-28 4.0 MEDIUM 6.5 MEDIUM
A vulnerability in the Cisco Webex Teams client for Windows could allow an authenticated, remote attacker to cause the client to crash, resulting in a denial of service (DoS) condition. The attacker needs a valid developer account to exploit this vulnerability. The vulnerability is due to insufficient input validation when processing received adaptive cards. The attacker could exploit this vulnerability by sending an adaptive card with malicious content to an existing user of the Cisco Webex Teams client for Windows. A successful exploit could allow the attacker to cause the targeted user's client to crash continuously. This vulnerability was introduced in Cisco Webex Teams client for Windows Release 3.0.13131.
CVE-2019-16015 1 Cisco 1 Data Center Analytics Framework 2020-01-28 4.3 MEDIUM 6.1 MEDIUM
A vulnerability in the web-based management interface of the Cisco Data Center Analytics Framework application could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information on the affected system.
CVE-2020-7231 1 Evoko 1 Home 2020-01-28 5.0 MEDIUM 5.3 MEDIUM
Evoko Home 1.31 devices provide different error messages for failed login requests depending on whether the username is valid.
CVE-2013-1594 1 Vivotek 2 Pt7135, Pt7135 Firmware 2020-01-28 5.0 MEDIUM 7.5 HIGH
An Information Disclosure vulnerability exists via a GET request in Vivotek PT7135 IP Camera 0300a and 0400a due to wireless keys and 3rd party credentials stored in clear text.
CVE-2012-5867 1 Ht Editor Project 1 Ht Editor 2020-01-28 7.5 HIGH 9.8 CRITICAL
HT Editor 2.0.20 has a Remote Stack Buffer Overflow Vulnerability
CVE-2012-6663 1 Ge 4 D200, D200 Firmware, D20me and 1 more 2020-01-28 5.0 MEDIUM 7.5 HIGH
General Electric D20ME devices are not properly configured and reveal plaintext passwords.
CVE-2020-5522 1 Fujixerox 1 Easy Netprint 2020-01-28 5.8 MEDIUM 7.4 HIGH
The kantan netprint App for Android 2.0.3 and earlier does not verify X.509 certificates from servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVE-2019-9195 1 Grin 1 Grin 2020-01-28 7.5 HIGH 9.8 CRITICAL
util/src/zip.rs in Grin before 1.0.2 mishandles suspicious files. An attacker can execute arbitrary code via directory traversal in a ZIP archive.
CVE-2019-18660 5 Canonical, Fedoraproject, Linux and 2 more 5 Ubuntu Linux, Fedora, Linux Kernel and 2 more 2020-01-28 1.9 LOW 4.7 MEDIUM
The Linux kernel before 5.4.1 on powerpc allows Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs, aka CID-39e72bf96f58. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c.