Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-6583 | 1 Bigprof | 1 Online Invoicing System | 2020-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| BigProf Online Invoicing System (OIS) through 2.6 has XSS that can be leveraged for session hijacking. An attacker can exploit the XSS vulnerability, retrieve the session cookie from the administrator login, and take over the administrator account via the Name field in an Add New Client action. | |||||
| CVE-2020-5205 | 1 Powauth | 1 Pow | 2020-01-17 | 5.5 MEDIUM | 5.4 MEDIUM |
| In Pow (Hex package) before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. Cookie store, which is used in most Phoenix apps, doesn't have this vulnerability. | |||||
| CVE-2014-2650 | 1 Atos | 30 Openscape Desk Phone Ip 35g, Openscape Desk Phone Ip 35g Eco, Openscape Desk Phone Ip 35g Eco Firmware and 27 more | 2020-01-17 | 10.0 HIGH | 9.8 CRITICAL |
| Unify OpenStage / OpenScape Desk Phone IP before V3 R3.11.0 SIP has an OS command injection vulnerability in the web based management interface | |||||
| CVE-2019-16467 | 1 Adobe | 1 Experience Manager | 2020-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2018-19464 | 1 Dismall | 1 Discuz\! | 2020-01-17 | 3.5 LOW | 4.8 MEDIUM |
| Discuz! X3.4 allows XSS via admin.php because admincp/admincp_setting.php and template\default\common\footer.htm mishandles statcode field from third-party stats code. | |||||
| CVE-2013-4985 | 1 Vivotek | 6 Ip7160, Ip7160 Firmware, Ip7361 and 3 more | 2020-01-17 | 5.0 MEDIUM | 7.5 HIGH |
| Multiple Vivotek IP Cameras remote authentication bypass that could allow access to the video stream | |||||
| CVE-2019-16769 | 1 Verizon | 1 Serialize-javascript | 2020-01-17 | 3.5 LOW | 5.4 MEDIUM |
| The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability. | |||||
| CVE-2015-2230 | 1 Synacor | 1 Zimbra Collaboration Server | 2020-01-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Synacor Zimbra Collaboration Server 8.x before 8.7.0 has Reflected XSS in admin console. | |||||
| CVE-2018-11083 | 1 Cloud Foundry | 1 Bosh | 2020-01-17 | 6.8 MEDIUM | 8.1 HIGH |
| Cloud Foundry BOSH, versions v264 prior to v264.14.0 and v265 prior to v265.7.0 and v266 prior to v266.8.0 and v267 prior to v267.2.0, allows refresh tokens to be as access tokens when using UAA for authentication. A remote attacker with an admin refresh token given by UAA can be used to access BOSH resources without obtaining an access token, even if their user no longer has access to those resources. | |||||
| CVE-2018-6504 | 1 Microfocus | 1 Arcsight Management Center | 2020-01-17 | 6.8 MEDIUM | 8.8 HIGH |
| A potential Cross-Site Request Forgery (CSRF) vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be exploited to allow for Cross-Site Request Forgery (CSRF). | |||||
| CVE-2010-0055 | 1 Apple | 2 Mac Os X, Mac Os X Server | 2020-01-17 | 10.0 HIGH | N/A |
| xar in Apple Mac OS X 10.5.8 does not properly validate package signatures, which allows attackers to have an unspecified impact via a modified package. | |||||
| CVE-2018-1002104 | 1 Kubernetes | 1 Nginx Ingress Controller | 2020-01-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed prometheus metrics publicly. | |||||
| CVE-2020-0606 | 1 Microsoft | 10 .net Core, .net Framework, Windows 10 and 7 more | 2020-01-17 | 9.3 HIGH | 8.8 HIGH |
| A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file.An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka '.NET Framework Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0605. | |||||
| CVE-2011-3203 | 1 Jcow | 1 Jcow Cms | 2020-01-17 | 7.5 HIGH | 9.8 CRITICAL |
| A Code Execution vulnerability exists the attachment parameter to index.php in Jcow CMS 4.x to 4.2 and 5.2 to 5.2. | |||||
| CVE-2020-5196 | 1 Cerberusftp | 1 Ftp Server | 2020-01-17 | 5.5 MEDIUM | 8.1 HIGH |
| Cerberus FTP Server Enterprise Edition prior to versions 11.0.3 and 10.0.18 allows an authenticated attacker to create files, display hidden files, list directories, and list files without the permission to zip and download (or unzip and upload) files. There are multiple ways to bypass certain permissions by utilizing the zip and unzip features. As a result, users without permission can see files, folders, and hidden files, and can create directories without permission. | |||||
| CVE-2019-20146 | 1 Gitlab | 1 Gitlab | 2020-01-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 11.0 through 12.6. It allows Uncontrolled Resource Consumption. | |||||
| CVE-2018-16803 | 1 Cimtechniques | 1 Cimscan | 2020-01-16 | 10.0 HIGH | 9.8 CRITICAL |
| In CIMTechniques CIMScan 6.x through 6.2, the SOAP WSDL parser allows attackers to execute SQL code. | |||||
| CVE-2018-18246 | 1 Icinga | 1 Icinga Web 2 | 2020-01-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module, or via /icingaweb2/config/moduleenable?name=setup to enable the setup module. | |||||
| CVE-2018-18247 | 1 Icinga | 1 Icinga Web 2 | 2020-01-16 | 3.5 LOW | 5.4 MEDIUM |
| Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add icon parameter. | |||||
| CVE-2018-18248 | 1 Icinga | 1 Icinga Web 2 | 2020-01-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string, the /icingaweb2/monitoring/timeline query string, or the /icingaweb2/setup query string. | |||||
| CVE-2018-18249 | 1 Icinga | 1 Icinga Web 2 | 2020-01-16 | 7.5 HIGH | 9.8 CRITICAL |
| Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} parameter to /icingaweb2/navigation/add or /icingaweb2/dashboard/new-dashlet. | |||||
| CVE-2015-6591 | 1 Freereprintables | 1 Articlefr | 2020-01-16 | 2.1 LOW | 5.5 MEDIUM |
| Directory traversal vulnerability in application/templates/amelia/loadjs.php in Free Reprintables ArticleFR 3.0.7 and earlier allows local users to read arbitrary files via the s parameter. | |||||
| CVE-2013-3088 | 1 Belkin | 2 N900, N900 Firmware | 2020-01-16 | 9.3 HIGH | 9.8 CRITICAL |
| Belkin N900 router (F9K1104v1) contains an Authentication Bypass using "Javascript debugging". | |||||
| CVE-2019-17008 | 2 Mozilla, Opensuse | 4 Firefox, Firefox Esr, Thunderbird and 1 more | 2020-01-16 | 6.8 MEDIUM | 8.8 HIGH |
| When using nested workers, a use-after-free could occur during worker destruction. This resulted in a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. | |||||
| CVE-2019-19833 | 1 Tautulli | 1 Tautulli | 2020-01-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| In Tautulli 2.1.9, CSRF in the /shutdown URI allows an attacker to shut down the remote media server. (Also, anonymous access can be achieved in applications that do not have a user login area). | |||||
| CVE-2019-20204 | 1 Postieplugin | 1 Postie | 2020-01-16 | 3.5 LOW | 5.4 MEDIUM |
| The Postie plugin 1.9.40 for WordPress allows XSS, as demonstrated by a certain payload with jaVasCript:/* at the beginning and a crafted SVG element. | |||||
| CVE-2020-0601 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2020-01-16 | 5.8 MEDIUM | 8.1 HIGH |
| A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'. | |||||
| CVE-2009-3724 | 1 Python-markdown2 Project | 1 Python-markdown2 | 2020-01-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| python-markdown2 before 1.0.1.14 has multiple cross-site scripting (XSS) issues. | |||||
| CVE-2011-2706 | 1 Snewscms | 1 Snews | 2020-01-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists in the reorder administrator functions in sNews 1.71. | |||||
| CVE-2018-1002102 | 2 Fedoraproject, Kubernetes | 2 Fedora, Kubernetes | 2020-01-16 | 2.1 LOW | 2.6 LOW |
| Improper validation of URL redirection in the Kubernetes API server in versions prior to v1.14.0 allows an attacker-controlled Kubelet to redirect API server requests from streaming endpoints to arbitrary hosts. Impacted API servers will follow the redirect as a GET request with client-certificate credentials for authenticating to the Kubelet. | |||||
| CVE-2018-0719 | 1 Qnap | 1 Qts | 2020-01-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in NAS devices of QNAP Systems Inc. QTS allows attackers to inject javascript. This issue affects: QNAP Systems Inc. QTS version 4.2.6 and prior versions on build 20180711; version 4.3.3 and prior versions on build 20180725; version 4.3.4 and prior versions on build 20180710. | |||||
| CVE-2018-0721 | 1 Qnap | 1 Qts | 2020-01-16 | 10.0 HIGH | 9.8 CRITICAL |
| Buffer Overflow vulnerability in NAS devices. QTS allows attackers to run arbitrary code. This issue affects: QNAP Systems Inc. QTS version 4.2.6 and prior versions on build 20180711; version 4.3.3 and prior versions on build 20180725; version 4.3.4 and prior versions on build 20180710. | |||||
| CVE-2018-4842 | 1 Siemens | 6 Scalance X200, Scalance X200 Firmware, Scalance X200 Irt and 3 more | 2020-01-16 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability has been identified in SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.4.1), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < V4.1.3). A remote, authenticated attacker with access to the configuration web server could be able to store script code on the web site, if the HRP redundancy option is set. This code could be executed in the web browser of victims visiting this web site (XSS), affecting its confidentiality, integrity and availability. User interaction is required for successful exploitation, as the user needs to visit the manipulated web site. At the stage of publishing this security advisory no public exploitation is known. The vendor has confirmed the vulnerability and provides mitigations to resolve it. | |||||
| CVE-2018-4848 | 1 Siemens | 6 Scalance X-200, Scalance X-200 Firmware, Scalance X-200 Irt and 3 more | 2020-01-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < V5.2.3), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.4.1), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < V4.1.3). The integrated configuration web server of the affected Scalance X Switches could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user must be logged into the web interface in order for the exploitation to succeed. At the stage of publishing this security advisory no public exploitation is known. The vendor has confirmed the vulnerability and provides mitigations to resolve it. | |||||
| CVE-2011-3183 | 1 Portlandlabs | 1 Concrete Cms | 2020-01-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists in the rcID parameter in Concrete CMS 5.4.1.1 and earlier. | |||||
| CVE-2011-3202 | 1 Jcow | 1 Jcow Cms | 2020-01-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability exists in the g parameter to index.php in Jcow CMS 4.2 and earlier. | |||||
| CVE-2020-5841 | 1 Opservices | 1 Opmon | 2020-01-16 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in OpServices OpMon 9.3.1-1. Using password change parameters, an attacker could perform SQL injection without authentication. | |||||
| CVE-2019-17180 | 2 Microsoft, Valvesoftware | 2 Windows, Steam Client | 2020-01-16 | 7.2 HIGH | 7.8 HIGH |
| Valve Steam Client before 2019-09-12 allows placing or appending partially controlled filesystem content, as demonstrated by file modifications on Windows in the context of NT AUTHORITY\SYSTEM. This could lead to denial of service, elevation of privilege, or unspecified other impact. | |||||
| CVE-2016-1000022 | 2020-01-15 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-10539. Reason: This candidate is a duplicate of CVE-2016-10539. Notes: All CVE users should reference CVE-2016-10539 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2020-6847 | 1 Opentrade Project | 1 Opentrade | 2020-01-15 | 3.5 LOW | 5.4 MEDIUM |
| OpenTrade through 0.2.0 has a DOM-based XSS vulnerability that is executed when an administrator attempts to delete a message that contains JavaScript. | |||||
| CVE-2015-4553 | 1 Dedecms | 1 Dedecms | 2020-01-15 | 6.5 MEDIUM | 8.8 HIGH |
| A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users getshell. | |||||
| CVE-2014-5381 | 1 Granding | 2 Grand Ma300, Grand Ma300 Firmware | 2020-01-15 | 5.0 MEDIUM | 9.8 CRITICAL |
| Grand MA 300 allows a brute-force attack on the PIN. | |||||
| CVE-2019-16752 | 3 Dash, Officialdapscoin, Pivx | 3 Dash Core, Decentralized Anonymous Payment System, Private Instant Verified Transactions | 2020-01-15 | 4.3 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Decentralized Anonymous Payment System (DAPS) through 2019-08-26. It is possible to force wallets to send HTTP requests to arbitrary locations, both on the local network and on the internet. This is a serious threat to user privacy, since it can possibly leak their IP address and the fact that they are using the product. This also affects Dash Core through 0.14.0.3 and Private Instant Verified Transactions (PIVX) through 3.4.0. | |||||
| CVE-2014-5516 | 1 Konakart | 1 Konakart | 2020-01-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in the Storefront Application in DS Data Systems KonaKart before 7.3.0.0 allows remote attackers to hijack the authentication of administrators for requests that change a user email address via an unspecified GET request. | |||||
| CVE-2011-5266 | 1 Imperva | 1 Securesphere Web Application Firewall | 2020-01-15 | 7.5 HIGH | 9.8 CRITICAL |
| Imperva SecureSphere Web Application Firewall (WAF) before 12-august-2010 allows SQL injection filter bypass. | |||||
| CVE-2012-4030 | 1 Chamilo | 1 Chamilo Lms | 2020-01-15 | 6.4 MEDIUM | 7.5 HIGH |
| Chamilo before 1.8.8.6 does not adequately handle user supplied input by the index.php script, which could allow remote attackers to delete arbitrary files. | |||||
| CVE-2012-3824 | 1 Arialsoftware | 1 Campaign Enterprise | 2020-01-15 | 5.0 MEDIUM | 7.5 HIGH |
| In Arial Campaign Enterprise before 11.0.551, multiple pages are accessible without authentication or authorization. | |||||
| CVE-2014-3596 | 1 Apache | 1 Axis | 2020-01-15 | 5.8 MEDIUM | N/A |
| The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784. | |||||
| CVE-2017-1000376 | 2 Debian, Redhat | 4 Debian Linux, Enterprise Linux, Enterprise Virtualization Server and 1 more | 2020-01-15 | 6.9 MEDIUM | 7.0 HIGH |
| libffi requests an executable stack allowing attackers to more easily trigger arbitrary code execution by overwriting the stack. Please note that libffi is used by a number of other libraries. It was previously stated that this affects libffi version 3.2.1 but this appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems was vulnerable, and upstream is believed to have fixed this issue in version 3.1. | |||||
| CVE-2018-20684 | 1 Winscp | 1 Winscp | 2020-01-15 | 6.4 MEDIUM | 7.5 HIGH |
| In WinSCP before 5.14 beta, due to missing validation, the scp implementation would accept arbitrary files sent by the server, potentially overwriting unrelated files. This affects TSCPFileSystem::SCPSink in core/ScpFileSystem.cpp. | |||||
