apple — ios_and_ipados
|
The issue was addressed with improved validation when an iCloud Link is created. This issue is fixed in iOS 13.3 and iPadOS 13.3. Live Photo audio and video data may be shared via iCloud links even if Live Photo is disabled in the Share Sheet carousel. |
2020-10-27 |
not yet calculated |
CVE-2019-8857
MISC |
| apple — macos |
A logic issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15.2, Security Update 2019-002 Mojave, and Security Update 2019-007 High Sierra. A Mac may not lock immediately upon wake. |
2020-10-27 |
not yet calculated |
CVE-2019-8851
MISC |
| apple — macos |
A logic issue was addressed with improved validation. This issue is fixed in macOS Mojave 10.14.5, Security Update 2019-003 High Sierra, Security Update 2019-003 Sierra. A sandboxed process may be able to circumvent sandbox restrictions. |
2020-10-27 |
not yet calculated |
CVE-2019-8640
MISC |
|
apple — macos
|
A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Mojave 10.14.5, Security Update 2019-003 High Sierra, Security Update 2019-003 Sierra, macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra. An application may be able to execute arbitrary code with system privileges. |
2020-10-27 |
not yet calculated |
CVE-2019-8569
MISC
MISC |
| apple — macos |
An issue existed in the handling of S-MIME certificates. This issue was addressed with improved validation of S-MIME certificates. This issue is fixed in macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra. Processing a maliciously crafted mail message may lead to S/MIME signature spoofing. |
2020-10-27 |
not yet calculated |
CVE-2019-8642
MISC |
apple — macos
|
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Catalina 10.15.2, Security Update 2019-002 Mojave, and Security Update 2019-007 High Sierra. A remote attacker may be able to overwrite existing files. |
2020-10-27 |
not yet calculated |
CVE-2020-9782
MISC |
apple — macos
|
An issue existed in the handling of encrypted Mail. This issue was addressed with improved isolation of MIME in Mail. This issue is fixed in macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra. An attacker in a privileged network position may be able to intercept the contents of S/MIME-encrypted e-mail. |
2020-10-27 |
not yet calculated |
CVE-2019-8645
MISC |
apple — macos
|
A use after free issue was addressed with improved memory management. This issue is fixed in macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra, macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. An application may be able to gain elevated privileges. |
2020-10-27 |
not yet calculated |
CVE-2020-3851
MISC
MISC |
apple — macos
|
This was addressed with additional checks by Gatekeeper on files mounted through a network share. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. Extracting a zip file containing a symbolic link to an endpoint in an NFS mount that is attacker controlled may bypass Gatekeeper. |
2020-10-27 |
not yet calculated |
CVE-2019-8656
MISC |
apple — macos
|
This issue is fixed in macOS Mojave 10.14. A permissions issue existed in DiskArbitration. This was addressed with additional ownership checks. |
2020-10-27 |
not yet calculated |
CVE-2018-4296
MISC |
apple — macos_catalina
|
A logic issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15.1, Security Update 2019-001, and Security Update 2019-006. A user who shares their screen may not be able to end screen sharing. |
2020-10-27 |
not yet calculated |
CVE-2019-8858
MISC |
apple — multiple_products
|
A memory corruption issue was addressed with improved validation. This issue is fixed in Safari 13.0.1, iOS 13.1 and iPadOS 13.1, tvOS 13. Processing maliciously crafted web content may lead to arbitrary code execution. |
2020-10-27 |
not yet calculated |
CVE-2020-9932
MISC
MISC
MISC |
apple — safari
|
A logic issue was addressed with improved validation. This issue is fixed in Safari 13.0.5. A URL scheme may be incorrectly ignored when determining multimedia permission for a website. |
2020-10-27 |
not yet calculated |
CVE-2020-3852
MISC |
apple — swift_for_ubuntu
|
This issue was addresses by updating incorrect URLSession file descriptors management logic to match Swift 5.0. This issue is fixed in Swift 5.1.1 for Ubuntu. Incorrect management of file descriptors in URLSession could lead to inadvertent data disclosure. |
2020-10-27 |
not yet calculated |
CVE-2019-8790
MISC |
apple — xcode
|
An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 11.3. Compiling with untrusted sources may lead to arbitrary code execution with user privileges. |
2020-10-27 |
not yet calculated |
CVE-2019-8840
MISC |
arista — cloudvision_exchange_server
|
Arista’s CloudVision eXchange (CVX) server before 4.21.12M, 4.22.x before 4.22.7M, 4.23.x before 4.23.5M, and 4.24.x before 4.24.2F allows remote attackers to cause a denial of service (crash and restart) in the ControllerOob agent via a malformed control-plane packet. |
2020-10-26 |
not yet calculated |
CVE-2020-13100
CONFIRM |
arista — eos
|
Arista EOS before 4.21.12M, 4.22.x before 4.22.7M, 4.23.x before 4.23.5M, and 4.24.x before 4.24.2F allows remote attackers to cause traffic loss or incorrect forwarding of traffic via a malformed link-state PDU to the IS-IS router. |
2020-10-26 |
not yet calculated |
CVE-2020-15897
CONFIRM |
basercms — basercms
|
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. The issue affects the following components: Edit feed settings, Edit widget area, Sub site new registration, New category registration. Arbitrary JavaScript may be executed by entering specific characters in the account that can access the file upload function category list, subsite setting list, widget area edit, and feed list on the management screen. The issue was introduced in version 4.0.0. It is fixed in version 4.4.1. |
2020-10-30 |
not yet calculated |
CVE-2020-15273
MISC
CONFIRM
MISC |
basercms — basercms
|
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. Arbitrary JavaScript may be executed by entering a crafted nickname in blog comments. The issue affects the blog comment component. It is fixed in version 4.4.1. |
2020-10-30 |
not yet calculated |
CVE-2020-15276
MISC
MISC
CONFIRM |
basercms — basercms
|
baserCMS before version 4.4.1 is affected by Remote Code Execution (RCE). Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component is vulnerable. The issue is fixed in version 4.4.1. |
2020-10-30 |
not yet calculated |
CVE-2020-15277
MISC
MISC
CONFIRM |
broadleaf_commerce — broadleaf_framework
|
Broadleaf Commerce 5.1.14-GA is affected by cross-site scripting (XSS) due to a slow HTTP post vulnerability. |
2020-10-29 |
not yet calculated |
CVE-2020-21266
MISC |
canonical — ubuntu
|
There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivileged user can check for the existence of any files on the system as root. |
2020-10-31 |
not yet calculated |
CVE-2020-15703
CONFIRM
MISC |
chart.js — chart.js
|
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution. |
2020-10-29 |
not yet calculated |
CVE-2020-7746
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM |
citadel — webcit
|
Citadel WebCit through 926 allows unauthenticated remote attackers to enumerate valid users within the platform. NOTE: this was reported to the vendor in a publicly archived “Multiple Security Vulnerabilities in WebCit 926” thread. |
2020-10-28 |
not yet calculated |
CVE-2020-27740
MISC
MISC |
citadel — webcit
|
Multiple cross-site scripting (XSS) vulnerabilities in Citadel WebCit through 926 allow remote attackers to inject arbitrary web script or HTML via multiple pages and parameters. NOTE: this was reported to the vendor in a publicly archived “Multiple Security Vulnerabilities in WebCit 926” thread. |
2020-10-28 |
not yet calculated |
CVE-2020-27741
MISC
MISC |
citadel — webcit
|
An Insecure Direct Object Reference vulnerability in Citadel WebCit through 926 allows authenticated remote attackers to read someone else’s emails via the msg_confirm_move template. NOTE: this was reported to the vendor in a publicly archived “Multiple Security Vulnerabilities in WebCit 926” thread. |
2020-10-28 |
not yet calculated |
CVE-2020-27742
MISC
MISC |
citadel — webcit
|
A Weak Session Management vulnerability in Citadel WebCit through 926 allows unauthenticated remote attackers to hijack recently logged-in users’ sessions. NOTE: this was reported to the vendor in a publicly archived “Multiple Security Vulnerabilities in WebCit 926” thread. |
2020-10-28 |
not yet calculated |
CVE-2020-27739
MISC
MISC |
click_studios — passwordstate
|
An issue was discovered in Click Studios Passwordstate 8.9 (Build 8973).If the user of the system has assigned himself a PIN code for entering from a mobile device using the built-in generator (4 digits), a remote attacker has the opportunity to conduct a brute force attack on this PIN code. As result, remote attacker retrieves all passwords from another systems, available for affected account. |
2020-10-29 |
not yet calculated |
CVE-2020-27747
MISC
MISC |
codemirror — codemirror
|
This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/*.*?*/)* |
2020-10-30 |
not yet calculated |
CVE-2020-7760
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM |
commscope — ruckus
|
Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py. |
2020-10-26 |
not yet calculated |
CVE-2020-26878
MISC
MISC
MISC
CONFIRM
MISC
MISC |
commscope — rukus_vriot
|
Ruckus vRioT through 1.5.1.0.21 has an API backdoor that is hardcoded into validate_token.py. An unauthenticated attacker can interact with the service API by using a backdoor value as the Authorization header. |
2020-10-26 |
not yet calculated |
CVE-2020-26879
MISC
MISC
MISC
CONFIRM
MISC
MISC |
commvault — commcell
|
In CommCell in Commvault before 14.68, 15.x before 15.58, 16.x before 16.44, 17.x before 17.29, and 18.x before 18.13, Directory Traversal can occur such that an attempt to view a log file can instead view a file outside of the log-files folder. |
2020-10-29 |
not yet calculated |
CVE-2020-25780
MISC |
cyberark — privileged_session_manager
|
CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers to discover internal pathnames by reading an error popup message after two hours of idle time. |
2020-10-28 |
not yet calculated |
CVE-2020-25374
MISC
MISC |
dat.gui — dat.gui
|
All versions of package dat.gui are vulnerable to Regular Expression Denial of Service (ReDoS) via specifically crafted rgb and rgba values. |
2020-10-27 |
not yet calculated |
CVE-2020-7755
MISC
MISC |
debian — blueman
|
Blueman is a GTK+ Bluetooth Manager. In Blueman before 2.1.4, the DhcpClient method of the D-Bus interface to blueman-mechanism is prone to an argument injection vulnerability. The impact highly depends on the system configuration. If Polkit-1 is disabled and for versions lower than 2.0.6, any local user can possibly exploit this. If Polkit-1 is enabled for version 2.0.6 and later, a possible attacker needs to be allowed to use the `org.blueman.dhcp.client` action. That is limited to users in the wheel group in the shipped rules file that do have the privileges anyway. On systems with ISC DHCP client (dhclient), attackers can pass arguments to `ip link` with the interface name that can e.g. be used to bring down an interface or add an arbitrary XDP/BPF program. On systems with dhcpcd and without ISC DHCP client, attackers can even run arbitrary scripts by passing `-c/path/to/script` as an interface name. Patches are included in 2.1.4 and master that change the DhcpClient D-Bus method(s) to accept BlueZ network object paths instead of network interface names. A backport to 2.0(.8) is also available. As a workaround, make sure that Polkit-1-support is enabled and limit privileges for the `org.blueman.dhcp.client` action to users that are able to run arbitrary commands as root anyway in /usr/share/polkit-1/rules.d/blueman.rules. |
2020-10-27 |
not yet calculated |
CVE-2020-15238
MISC
MISC
MISC
CONFIRM
DEBIAN |
eyesofnetwork — eonweb
|
An issue was discovered in EyesOfNetwork eonweb 5.3-7 through 5.3-8. The eonweb web interface is prone to a SQL injection, allowing an unauthenticated attacker to exploit the username_available function of the includes/functions.php file (which is called by login.php). |
2020-10-29 |
not yet calculated |
CVE-2020-27886
MISC
MISC
MISC |
eyesofnetwork — eonweb
|
An issue was discovered in EyesOfNetwork 5.3 through 5.3-8. An authenticated web user with sufficient privileges could abuse the AutoDiscovery module to run arbitrary OS commands via the nmap_binary parameter to lilac/autodiscovery.php. |
2020-10-29 |
not yet calculated |
CVE-2020-27887
MISC
MISC
MISC |
| f5 — big-ip |
On BIG-IP LTM 15.1.0-15.1.0.5, 14.1.0-14.1.2.7, 13.1.0-13.1.3.4, and 12.1.0-12.1.5.1, the Traffic Management Microkernel (TMM) process may consume excessive resources when processing SSL traffic and client authentication are enabled on the client SSL profile. |
2020-10-29 |
not yet calculated |
CVE-2020-5936
MISC |
f5 — big-ip
|
On BIG-IP 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, when negotiating IPSec tunnels with configured, authenticated peers, the peer may negotiate a different key length than the BIG-IP configuration would otherwise allow. |
2020-10-29 |
not yet calculated |
CVE-2020-5938
MISC |
f5 — big-ip
|
On BIG-IP AFM 15.1.0-15.1.0.5, the Traffic Management Microkernel (TMM) may produce a core file while processing layer 4 (L4) behavioral denial-of-service (DoS) traffic. |
2020-10-29 |
not yet calculated |
CVE-2020-5937
MISC |
f5 — big-ip
|
On BIG-IP 15.1.0-15.1.0.5, 14.1.0-14.1.2.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, Virtual servers with a OneConnect profile may incorrectly handle WebSockets related HTTP response headers, causing TMM to restart. |
2020-10-29 |
not yet calculated |
CVE-2020-5931
MISC |
f5 — big-ip
|
On BIG-IP ASM 15.1.0-15.1.0.5, a cross-site scripting (XSS) vulnerability exists in the BIG-IP ASM Configuration utility response and blocking pages. An authenticated user with administrative privileges can specify a response page with any content, including JavaScript code that will be executed when preview is opened. |
2020-10-29 |
not yet calculated |
CVE-2020-5932
MISC |
f5 — big-ip
|
On BIG-IP APM 15.1.0-15.1.0.5, 14.1.0-14.1.2.3, and 13.1.0-13.1.3.3, when multiple HTTP requests from the same client to configured SAML Single Logout (SLO) URL are passing through a TCP Keep-Alive connection, traffic to TMM can be disrupted. |
2020-10-29 |
not yet calculated |
CVE-2020-5934
MISC |
f5 — big-ip
|
On BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM) versions 15.1.0-15.1.0.5, 14.1.0-14.1.2.3, and 13.1.0-13.1.3.3, when handling MQTT traffic through a BIG-IP virtual server associated with an MQTT profile and an iRule performing manipulations on that traffic, TMM may produce a core file. |
2020-10-29 |
not yet calculated |
CVE-2020-5935
MISC |
f5 — big-ip
|
On versions 15.1.0-15.1.0.5, 14.1.0-14.1.2.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, when a BIG-IP system that has a virtual server configured with an HTTP compression profile processes compressed HTTP message payloads that require deflation, a Slowloris-style attack can trigger an out-of-memory condition on the BIG-IP system. |
2020-10-29 |
not yet calculated |
CVE-2020-5933
MISC |
facebook — hermes
|
An out-of-bounds read in the JavaScript Interpreter in Facebook Hermes prior to commit 8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 allows attackers to cause a denial of service attack or possible further memory corruption via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected. |
2020-10-26 |
not yet calculated |
CVE-2020-1915
CONFIRM
CONFIRM |
fastreport — fastreport
|
An issue was discovered in FastReport before 2020.4.0. It lacks a ScriptSecurity feature and therefore may mishandle (for example) GetType, typeof, TypeOf, DllImport, LoadLibrary, and GetProcAddress. |
2020-10-29 |
not yet calculated |
CVE-2020-27998
MISC
MISC
MISC |
firefly_iii — firefly_iii
|
An XSS vulnerability in the auto-complete function of the description field (for new or edited transactions) in Firefly III before 5.4.5 allows the user to execute JavaScript via suggested transaction titles. NOTE: this is exploitable only in a non-default configuration where Content Security Policy headers are disabled. |
2020-10-28 |
not yet calculated |
CVE-2020-27981
MISC
MISC |
genexis — platnium-4410-v2-1.28_devices
|
Genexis Platinum-4410 P4410-V2-1.28 devices allow stored XSS in the WLAN SSID parameter. This could allow an attacker to perform malicious actions in which the XSS popup will affect all privileged users. |
2020-10-28 |
not yet calculated |
CVE-2020-27980
MISC
MISC |
god_kings — god_kings
|
The God Kings application 0.60.1 for Android exposes a broadcast receiver to other apps called com.innogames.core.frontend.notifications.receivers.LocalNotificationBroadcastReceiver. The purpose of this broadcast receiver is to show an in-game push notification to the player. However, the application does not enforce any authorization schema on the broadcast receiver, allowing any application to send fully customizable in-game push notifications. |
2020-10-28 |
not yet calculated |
CVE-2020-25204
MISC |
hewlett_packard — storeserv_management_console
|
SSMC3.7.0.0 is vulnerable to remote authentication bypass. HPE StoreServ Management Console (SSMC) 3.7.0.0 is an off node multiarray manager web application and remains isolated from data on the managed arrays. HPE has provided an update to HPE StoreServ Management Console (SSMC) software 3.7.0.0* Upgrade to HPE 3PAR StoreServ Management Console 3.7.1.1 or later. |
2020-10-26 |
not yet calculated |
CVE-2020-7197
MISC |
hrsale — hrsale
|
Hrsale 2.0.0 allows download?type=files&filename=../ directory traversal to read arbitrary files. |
2020-10-29 |
not yet calculated |
CVE-2020-27993
MISC |
lookatme — lookatme
|
In lookatme (python/pypi package) versions prior to 2.3.0, the package automatically loaded the built-in “terminal” and “file_loader” extensions. Users that use lookatme to render untrusted markdown may have malicious shell commands automatically run on their system. This is fixed in version 2.3.0. As a workaround, the `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py` files may be manually deleted. Additionally, it is always recommended to be aware of what is being rendered with lookatme. |
2020-10-26 |
not yet calculated |
CVE-2020-15271
MISC
MISC
MISC
CONFIRM
MISC |
mediawiki — mediawiki
|
The RandomGameUnit extension for MediaWiki through 1.35 was not properly escaping various title-related data. When certain varieties of games were created within MediaWiki, their names or titles could be manipulated to generate stored XSS within the RandomGameUnit extension. |
2020-10-28 |
not yet calculated |
CVE-2020-27957
MISC
MISC |
micro_focus — multiple_products
|
Code execution with escalated privileges vulnerability in Micro Focus products Operation Bridge Manager and Operation Bridge (containerized). The vulneravility affects: 1.) Operation Bridge Manager versions: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63,10.62, 10.61, 10.60, 10.12, 10.11, 10.10 and all earlier versions. 2.) Operations Bridge (containerized) versions: 2020.05, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05. 2018.02 and 2017.11. The vulnerability could allow local attackers to execute code with escalated privileges. |
2020-10-27 |
not yet calculated |
CVE-2020-11858
MISC
MISC
MISC |
micro_focus — multiple_products
|
Arbitrary code execution vlnerability in Operation bridge Manager, Application Performance Management and Operations Bridge (containerized) vulnerability in Micro Focus products products Operation Bridge Manager, Operation Bridge (containerized) and Application Performance Management. The vulneravility affects: 1.) Operation Bridge Manager versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63,10.62, 10.61, 10.60, 10.12, 10.11, 10.10 and all earlier versions. 2.) Operations Bridge (containerized) 2020.05, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05. 2018.02 and 2017.11. 3.) Application Performance Management versions 9,51, 9.50 and 9.40 with uCMDB 10.33 CUP 3. The vulnerability could allow Arbitrary code execution. |
2020-10-27 |
not yet calculated |
CVE-2020-11854
MISC
MISC
MISC
MISC |
mozilla — firefox
|
When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. This vulnerability affects Firefox < 80 and Firefox for Android < 80. |
2020-10-28 |
not yet calculated |
CVE-2020-6829
MISC
MISC
MISC |
| nvida — dgx_servers |
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contain a vulnerability in the AMI BMC firmware in which software allows an attacker to upload or transfer files that can be automatically processed within the product’s environment, which may lead to remote code execution. |
2020-10-29 |
not yet calculated |
CVE-2020-11486
CONFIRM |
nvida — dgx_servers
|
NVIDIA DGX servers, all BMC firmware versions prior to 3.38.30, contain a vulnerability in the AMI BMC firmware in which the Pseudo-Random Number Generator (PRNG) algorithm used in the JSOL package that implements the IPMI protocol is not cryptographically strong, which may lead to information disclosure. |
2020-10-29 |
not yet calculated |
CVE-2020-11616
CONFIRM |
nvida — dgx_servers
|
NVIDIA DGX servers, DGX-1 with BMC firmware versions prior to 3.38.30. DGX-2 with BMC firmware versions prior to 1.06.06 and all DGX A100 Servers with all BMC firmware versions, contains a vulnerability in the AMI BMC firmware in which the use of a hard-coded RSA 1024 key with weak ciphers may lead to information disclosure. |
2020-10-29 |
not yet calculated |
CVE-2020-11487
CONFIRM |
nvida — dgx_servers
|
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contains a vulnerability in the AMI BMC firmware in which an attacker with administrative privileges can obtain the hash of the BMC/IPMI user password, which may lead to information disclosure. |
2020-10-29 |
not yet calculated |
CVE-2020-11484
CONFIRM |
nvida — dgx_servers
|
NVIDIA DGX servers, all BMC firmware versions prior to 3.38.30, contain a vulnerability in the AMI BMC firmware in which it uses a hard-coded RC4 cipher key, which may lead to information disclosure. |
2020-10-29 |
not yet calculated |
CVE-2020-11615
CONFIRM |
nvida — dgx_servers
|
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30 and all DGX-2 with BMC firmware versions prior to 1.06.06, contain a vulnerability in the AMI BMC firmware in which default SNMP community strings are used, which may lead to information disclosure. |
2020-10-29 |
not yet calculated |
CVE-2020-11489
CONFIRM |
nvida — dgx_servers
|
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contains a Cross-Site Request Forgery (CSRF) vulnerability in the AMI BMC firmware in which the web application does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request, which can lead to information disclosure or code execution. |
2020-10-29 |
not yet calculated |
CVE-2020-11485
CONFIRM |
nvida — dgx_servers
|
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30 and all DGX-2 with BMC firmware versions prior to 1.06.06, contains a vulnerability in the AMI BMC firmware in which software does not validate the RSA 1024 public key used to verify the firmware signature, which may lead to information disclosure or code execution. |
2020-10-29 |
not yet calculated |
CVE-2020-11488
CONFIRM |
nvida — dgx_servers
|
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30 and all DGX-2 with BMC firmware versions prior to 1.06.06, contains a vulnerability in the AMI BMC firmware in which the firmware includes hard-coded credentials, which may lead to elevation of privileges or information disclosure. |
2020-10-29 |
not yet calculated |
CVE-2020-11483
CONFIRM |
nvidia — cuda_toolkit
|
NVIDIA CUDA Toolkit, all versions prior to 11.1.1, contains a vulnerability in the NVJPEG library in which an out-of-bounds read or write operation may lead to code execution, denial of service, or information disclosure. |
2020-10-30 |
not yet calculated |
CVE-2020-5991
CONFIRM |
openrc — openrc
|
checkpath in OpenRC through 0.42.1 might allow local users to take ownership of arbitrary files because a non-terminal path component can be a symlink. |
2020-10-27 |
not yet calculated |
CVE-2018-21269
MISC |
pam_tacplus — libtac
|
libtac in pam_tacplus through 1.5.1 lacks a check for a failure of RAND_bytes()/RAND_pseudo_bytes(). This could lead to use of a non-random/predictable session_id. |
2020-10-26 |
not yet calculated |
CVE-2020-27743
MISC
MISC |
| pathval — pathval |
This affects all versions of package pathval. |
2020-10-26 |
not yet calculated |
CVE-2020-7751
MISC
MISC |
pimcore — pimcore
|
The package pimcore/pimcore from 6.7.2 and before 6.8.3 are vulnerable to SQL Injection in data classification functionality in ClassificationstoreController. This can be exploited by sending a specifically-crafted input in the relationIds parameter as demonstrated by the following request: http://vulnerable.pimcore.example/admin/classificationstore/relations?relationIds=[{“keyId”%3a”””,”groupId”%3a”‘asd’))+or+1%3d1+union+(select+1,2,3,4,5,6,name,8,password,”,11,12,”,14+from+users)+–+”}] |
2020-10-30 |
not yet calculated |
CVE-2020-7759
CONFIRM
CONFIRM |
pulse_secure — desktop_client
|
A vulnerability in the Pulse Secure Desktop Client < 9.1R9 could allow the attacker to perform a MITM Attack if end users are convinced to connect to a malicious server. |
2020-10-28 |
not yet calculated |
CVE-2020-8241
MISC |
pulse_secure — desktop_client
|
A vulnerability in the Pulse Secure Desktop Client < 9.1R9 allows a restricted user on an endpoint machine can use system-level privileges if the Embedded Browser is configured with Credential Provider. This vulnerability only affects Windows PDC if the Embedded Browser is configured with the Credential Provider. |
2020-10-28 |
not yet calculated |
CVE-2020-8240
MISC |
pulse_secure — desktop_client
|
A vulnerability in the Pulse Secure Desktop Client < 9.1R9 is vulnerable to the client registry privilege escalation attack. This fix also requires Server Side Upgrade due to Standalone Host Checker Client (Windows) and Windows PDC. |
2020-10-28 |
not yet calculated |
CVE-2020-8239
MISC |
pulse_secure — desktop_client
|
A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to perform buffer overflow. |
2020-10-28 |
not yet calculated |
CVE-2020-8249
MISC |
pulse_secure — desktop_client
|
A vulnerability in the Pulse Secure Desktop Client < 9.1R9 has Remote Code Execution (RCE) if users can be convinced to connect to a malicious server. This vulnerability only affects Windows PDC.To improve the security of connections between Pulse clients and Pulse Connect Secure, see below recommendation(s):Disable Dynamic certificate trust for PDC. |
2020-10-28 |
not yet calculated |
CVE-2020-8254
MISC |
pulse_secure — pulse_connect_secure_and_pulse_policy_secure
|
An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. |
2020-10-27 |
not yet calculated |
CVE-2020-15352
MISC |
pulse_secure — pulse_connect_secure_and_pulse_policy_secure
|
A vulnerability in the Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary cookie injection. |
2020-10-28 |
not yet calculated |
CVE-2020-8261
MISC |
pulse_secure — pulse_connect_secure_and_pulse_policy_secure
|
A vulnerability in the Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection for authenticated user web interface. |
2020-10-28 |
not yet calculated |
CVE-2020-8262
MISC |
| qnap — qts |
If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109. |
2020-10-28 |
not yet calculated |
CVE-2018-19953
CONFIRM |
qnap — qts
|
If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed these issues in the following QTS versions. QTS 4.4.2.1270 build 20200410 and later QTS 4.4.1.1261 build 20200330 and later QTS 4.3.6.1263 build 20200330 and later QTS 4.3.4.1282 build 20200408 and later QTS 4.3.3.1252 build 20200409 and later QTS 4.2.6 build 20200421 and later |
2020-10-28 |
not yet calculated |
CVE-2018-19943
CONFIRM |
qnap — qts
|
If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109. |
2020-10-28 |
not yet calculated |
CVE-2018-19949
CONFIRM |
qsc — q-sys_core_manager
|
An issue was discovered in QSC Q-SYS Core Manager 8.2.1. By utilizing the TFTP service running on UDP port 69, a remote attacker can perform a directory traversal and obtain operating system files via a TFTP GET request, as demonstrated by reading /etc/passwd or /proc/version. |
2020-10-28 |
not yet calculated |
CVE-2020-24990
MISC
MISC
MISC |
rapid7 — metasploit
|
Rapid7’s Metasploit msfvenom framework handles APK files in a way that allows for a malicious user to craft and publish a file that would execute arbitrary commands on a victim’s machine. |
2020-10-29 |
not yet calculated |
CVE-2020-7384
MISC |
red_discord_bot — mod_module
|
Red Discord Bot before version 3.4.1 has an unauthorized privilege escalation exploit in the Mod module. This exploit allows Discord users with a high privilege level within the guild to bypass hierarchy checks when the application is in a specific condition that is beyond that user’s control. By abusing this exploit, it is possible to perform destructive actions within the guild the user has high privileges in. This exploit has been fixed in version 3.4.1. As a workaround, unloading the Mod module with unload mod or, disabling the massban command with command disable global massban can render this exploit not accessible. We still highly recommend updating to 3.4.1 to completely patch this issue. |
2020-10-28 |
not yet calculated |
CVE-2020-15278
MISC
MISC
CONFIRM |
red_hat — ansible
|
A flaw was found in Ansible Collection community.crypto. openssl_privatekey_info exposes private key in logs. This directly impacts confidentiality |
2020-10-29 |
not yet calculated |
CVE-2020-25646
MISC |
sal — sal
|
Sal is a multi-tenanted reporting dashboard for Munki with the ability to display information from Facter. In Sal through version 4.1.6 there is an XSS vulnerability on the machine_list view. |
2020-10-29 |
not yet calculated |
CVE-2020-26205
MISC
CONFIRM |
samba — winbind
|
A null pointer dereference flaw was found in samba’s Winbind service in versions before 4.11.15, before 4.12.9 and before 4.13.1. A local user could use this flaw to crash the winbind service causing denial of service. |
2020-10-29 |
not yet calculated |
CVE-2020-14323
MISC
MISC |
sec_consult — publixone
|
konzept-ix publiXone before 2020.015 allows attackers to take over arbitrary user accounts by crafting password-reset tokens. |
2020-10-27 |
not yet calculated |
CVE-2020-27179
MISC
MISC |
sectona — spectra
|
Sectona Spectra before 3.4.0 has a vulnerable SOAP API endpoint that leaks sensitive information about the configured assets without proper authentication. This could be used by unauthorized parties to get configured login credentials of the assets via a modified pAccountID value. |
2020-10-28 |
not yet calculated |
CVE-2020-25966
MISC
MISC |
shibboleth — identity_provider
|
Shibboleth Identify Provider 3.x before 3.4.6 has a denial of service flaw. A remote unauthenticated attacker can cause a login flow to trigger Java heap exhaustion due to the creation of objects in the Java Servlet container session. |
2020-10-28 |
not yet calculated |
CVE-2020-27978
MISC |
smartstorenet — smartstorenet
|
An issue was discovered in SmartStoreNET before 4.0.1. It does not properly consider the need for a CustomModelPartAttribute decoration in certain ModelBase.CustomProperties situations. |
2020-10-29 |
not yet calculated |
CVE-2020-27996
MISC
MISC |
sonicwall — global_vpn
|
SonicWall Global VPN client version 4.10.4.0314 and earlier allows unprivileged windows user to elevate privileges to SYSTEM through loaded process hijacking vulnerability. |
2020-10-28 |
not yet calculated |
CVE-2020-5144
CONFIRM |
sourcecodester — car_rental_management_system
|
An Arbitrary File Upload in the Upload Image component in SourceCodester Car Rental Management System 1.0 allows the user to conduct remote code execution via admin/index.php?page=manage_car because .php files can be uploaded to admin/assets/uploads/ (under the web root). |
2020-10-28 |
not yet calculated |
CVE-2020-27956
MISC
MISC |
sourceforge — dual_dhcp_dns_server
|
An issue was discovered in Dual DHCP DNS Server 7.40. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the DualServer.exe binary. |
2020-10-28 |
not yet calculated |
CVE-2020-26133
MISC
MISC |
sourceforge — home_dns_server
|
An issue was discovered in Home DNS Server 0.10. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the HomeDNSServer.exe binary. |
2020-10-28 |
not yet calculated |
CVE-2020-26132
MISC
MISC |
sourceforge — open_dhcp_server
|
Issues were discovered in Open DHCP Server (Regular) 1.75 and Open DHCP Server (LDAP Based) 0.1Beta. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the OpenDHCPServer.exe (Regular) or the OpenDHCPLdap.exe (LDAP Based) binary. |
2020-10-28 |
not yet calculated |
CVE-2020-26131
MISC
MISC |
sourceforge — open_tftp_server
|
Issues were discovered in Open TFTP Server multithreaded 1.66 and Open TFTP Server single port 1.66. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the OpenTFTPServerMT.exe or the OpenTFTPServerSP.exe binary. |
2020-10-28 |
not yet calculated |
CVE-2020-26130
MISC
MISC |
sourceforge — snap7
|
The Snap7 server component in version 1.4.1, when an attacker sends a crafted packet with COTP protocol the last-data-unit flag set to No and S7 writes a var function, the Snap7 server will be crashed. |
2020-10-28 |
not yet calculated |
CVE-2020-22552
MISC
MISC
MISC |
| synology — diskstation_manager
|
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors. |
2020-10-29 |
not yet calculated |
CVE-2020-27656
CONFIRM |
synology — diskstation_manager
|
Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session. |
2020-10-29 |
not yet calculated |
CVE-2020-27650
CONFIRM |
synology — diskstation_manager
|
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors. |
2020-10-29 |
not yet calculated |
CVE-2020-27652
CONFIRM
MISC |
synology — diskstation_manager
|
Improper certificate validation vulnerability in OpenVPN client in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
2020-10-29 |
not yet calculated |
CVE-2020-27648
CONFIRM
MISC |
| synology — router_manager |
Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. |
2020-10-29 |
not yet calculated |
CVE-2020-27658
CONFIRM
MISC |
| synology — router_manager |
Cleartext transmission of sensitive information vulnerability in DDNS in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors. |
2020-10-29 |
not yet calculated |
CVE-2020-27657
CONFIRM |
synology — router_manager
|
Improper certificate validation vulnerability in OpenVPN client in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
2020-10-29 |
not yet calculated |
CVE-2020-27649
CONFIRM
MISC |
synology — router_manager
|
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp. |
2020-10-29 |
not yet calculated |
CVE-2020-27654
CONFIRM
MISC
MISC |
synology — router_manager
|
Synology Router Manager (SRM) before 1.2.4-8081 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session. |
2020-10-29 |
not yet calculated |
CVE-2020-27651
CONFIRM
MISC |
synology — router_manager
|
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors. |
2020-10-29 |
not yet calculated |
CVE-2020-27653
CONFIRM
MISC |
synology — router_manager
|
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic. |
2020-10-29 |
not yet calculated |
CVE-2020-27655
CONFIRM |
| texas_instruments — cc2538_devices
|
The Zigbee protocol implementation on Texas Instruments CC2538 devices with Z-Stack 3.0.1 does not properly process a ZCL Read Reporting Configuration Response message. It crashes in zclHandleExternal(). |
2020-10-27 |
not yet calculated |
CVE-2020-27891
MISC
MISC |
| texas_instruments — cc2538_devices
|
The Zigbee protocol implementation on Texas Instruments CC2538 devices with Z-Stack 3.0.1 does not properly process a ZCL Discover Commands Received Response message or a ZCL Discover Commands Generated Response message. It crashes in zclParseInDiscCmdsRspCmd(). |
2020-10-27 |
not yet calculated |
CVE-2020-27892
MISC
MISC |
texas_instruments — cc2538_devices
|
The Zigbee protocol implementation on Texas Instruments CC2538 devices with Z-Stack 3.0.1 does not properly process a ZCL Write Attributes No Response message. It crashes in zclParseInWriteCmd() and does not update the specific attribute’s value. |
2020-10-27 |
not yet calculated |
CVE-2020-27890
MISC
MISC |
trend_micro — antivirus_for_mac
|
Trend Micro Antivirus for Mac 2020 (Consumer) contains an Error Message Information Disclosure vulnerability that if exploited, could allow kernel pointers and debug messages to leak to userland. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability. |
2020-10-30 |
not yet calculated |
CVE-2020-27015
N/A
N/A |
trend_micro — antivirus_for_mac
|
Trend Micro Antivirus for Mac 2020 (Consumer) contains a race condition vulnerability in the Web Threat Protection Blocklist component, that if exploited, could allow an attacker to case a kernel panic or crash. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability. |
2020-10-30 |
not yet calculated |
CVE-2020-27014
N/A
N/A |
|
ubiquiti — unifi_meshing_access_point_unifi_controller_devices
|
An issue was discovered on Ubiquiti UniFi Meshing Access Point UAP-AC-M 4.3.21.11325 and UniFi Controller 6.0.28 devices. Cached credentials are not erased from an access point returning wirelessly from a disconnected state. This may provide unintended network access. |
2020-10-27 |
not yet calculated |
CVE-2020-27888
MISC |
vbulletin — vbulletin
|
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is the preferred CVE ID to track this vulnerability. |
2020-10-30 |
not yet calculated |
CVE-2020-7373
MISC
MISC
MISC
MISC |
vmware — tanzu
|
Single Sign-On for Vmware Tanzu all versions prior to 1.11.3 ,1.12.x versions prior to 1.12.4 and 1.13.x prior to 1.13.1 are vulnerable to user impersonation attack.If two users are logged in to the SSO operator dashboard at the same time, with the same username, from two different identity providers, one can acquire the token of the other and thus operate with their permissions. Note: Foundation may be vulnerable only if: 1) The system zone is set up to use a SAML identity provider 2) There are internal users that have the same username as users in the external SAML provider 3) Those duplicate-named users have the scope to access the SSO operator dashboard 4) The vulnerability doesn’t appear with LDAP because of chained authentication. |
2020-10-31 |
not yet calculated |
CVE-2020-5425
CONFIRM |
western_digital — my_cloud_devices
|
Addressed multiple stack buffer overflow vulnerabilities that could allow an attacker to carry out escalation of privileges through unauthorized remote code execution in Western Digital My Cloud devices before 5.04.114. |
2020-10-27 |
not yet calculated |
CVE-2020-12830
MISC
CONFIRM |
western_digital — my_cloud_devices
|
Addressed remote code execution vulnerability in reg_device.php due to insufficient validation of user input.in Western Digital My Cloud Devices prior to 5.4.1140. |
2020-10-27 |
not yet calculated |
CVE-2020-25765
MISC
CONFIRM |
western_digital — my_cloud_nas_devices
|
Addressed remote code execution vulnerability in DsdkProxy.php due to insufficient sanitization and insufficient validation of user input in Western Digital My Cloud NAS devices prior to 5.04.114 |
2020-10-27 |
not yet calculated |
CVE-2020-27159
MISC
CONFIRM |
western_digital — my_cloud_nas_devices
|
Addressed remote code execution vulnerability in AvailableApps.php that allowed escalation of privileges in Western Digital My Cloud NAS devices prior to 5.04.114 (issue 3 of 3). |
2020-10-27 |
not yet calculated |
CVE-2020-27160
MISC
CONFIRM |
western_digital — my_cloud_nas_devices
|
Addressed remote code execution vulnerability in cgi_api.php that allowed escalation of privileges in Western Digital My Cloud NAS devices prior to 5.04.114. |
2020-10-27 |
not yet calculated |
CVE-2020-27158
MISC
CONFIRM |
western_digital — my_cloud_nas_devices
|
An issue was discovered on Western Digital My Cloud NAS devices before 5.04.114. They allow remote code execution with resultant escalation of privileges. |
2020-10-29 |
not yet calculated |
CVE-2020-27744
MISC |
| winston_privacy — winston_privacy |
Winston 1.5.4 devices do not enforce authorization. This is exploitable from the intranet, and can be combined with other vulnerabilities for remote exploitation. |
2020-10-28 |
not yet calculated |
CVE-2020-16260
MISC
MISC |
| winston_privacy — winston_privacy |
Winston 1.5.4 devices allow a U-Boot interrupt, resulting in local root access. |
2020-10-28 |
not yet calculated |
CVE-2020-16261
MISC
MISC |
| winston_privacy — winston_privacy |
Winston 1.5.4 devices have a local www-data user that is overly permissioned, resulting in root privilege escalation. |
2020-10-28 |
not yet calculated |
CVE-2020-16262
MISC
MISC |
winston_privacy — winston_privacy
|
Winston 1.5.4 devices have an SSH user account with access from bastion hosts. This is undocumented in device documents and is not announced to the user. |
2020-10-28 |
not yet calculated |
CVE-2020-16259
MISC
MISC |
winston_privacy — winston_privacy
|
Winston 1.5.4 devices make use of a Monit service (not managed during the normal user process) which is configured with default credentials. |
2020-10-28 |
not yet calculated |
CVE-2020-16258
MISC
MISC |
winston_privacy — winston_privacy
|
Winston 1.5.4 devices are vulnerable to command injection via the API. |
2020-10-28 |
not yet calculated |
CVE-2020-16257
MISC
MISC |
winston_privacy — winston_privacy
|
The API on Winston 1.5.4 devices is vulnerable to CSRF. |
2020-10-28 |
not yet calculated |
CVE-2020-16256
MISC
MISC |
winston_privacy — winston_privacy
|
Winston 1.5.4 devices have a CORS configuration that trusts arbitrary origins. This allows requests to be made and viewed by arbitrary origins. |
2020-10-28 |
not yet calculated |
CVE-2020-16263
MISC
MISC |
wire — wire
|
Wire before 2020-10-16 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a format string. This affects Wire AVS (Audio, Video, and Signaling) 5.3 through 6.x before 6.4, the Wire Secure Messenger application before 3.49.918 for Android, and the Wire Secure Messenger application before 3.61 for iOS. This occurs via the value parameter to sdp_media_set_lattr in peerflow/sdp.c. |
2020-10-27 |
not yet calculated |
CVE-2020-27853
MISC |
wso2 — api_manager
|
Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged-in user’s session by stealing cookies which means that a malicious hacker can change the logged-in user’s password and invalidate the session of the victim while the hacker maintains access. |
2020-10-29 |
not yet calculated |
CVE-2020-27885
MISC
MISC |
wso2 — enterprise_integrator
|
WSO2 Enterprise Integrator 6.6.0 or earlier contains a stored cross-site scripting (XSS) vulnerability in BPMN explorer tasks. |
2020-10-29 |
not yet calculated |
CVE-2020-25516
MISC
MISC |
| zohocorp — manageengine_applications_manager |
SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter. |
2020-10-29 |
not yet calculated |
CVE-2020-27995
MISC |
Recent Comments