Vulnerabilities (CVE)

Total: 65991 CVEs
Columns: CVE | Vendors (count, then names) | Products (count, then names) | Updated | CVSS v2 (score, severity) | CVSS v3 (score, severity). Each row is followed by the CVE description.
CVE-2021-26294 1 Afterlogic 2 Aurora, Webmail Pro 2023-12-10 5.0 MEDIUM 7.5 HIGH
An issue was discovered in AfterLogic Aurora through 7.7.9 and WebMail Pro through 7.7.9. They allow directory traversal to read files (such as a data/settings/settings.xml file containing admin panel credentials), as demonstrated by dav/server.php/files/personal/%2e%2e when using the caldav_public_user account (with caldav_public_user as its password).
CVE-2020-36165 2 Microsoft, Veritas 2 Windows, Desktop And Laptop Option 2023-12-10 7.2 HIGH 8.8 HIGH
An issue was discovered in Veritas Desktop and Laptop Option (DLO) before 9.4. On start-up, it loads the OpenSSL library from /ReleaseX64/ssl. This library attempts to load the /ReleaseX64/ssl/openssl.cnf configuration file, which does not exist. By default, on Windows systems, users can create directories under C:\. A low privileged user can create a C:/ReleaseX64/ssl/openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. This impacts DLO server and client installations.
CVE-2020-0475 1 Google 1 Android 2023-12-10 6.8 MEDIUM 7.8 HIGH
In createInputConsumer of WindowManagerService.java, there is a possible way to block and intercept input events due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-162324374.
CVE-2020-13537 1 Moxa 1 Mxview 2023-12-10 7.2 HIGH 7.8 HIGH
An exploitable local privilege elevation vulnerability exists in the file system permissions of the Moxa MXView series 3.1.8 installation. Depending on the vector chosen, an attacker can either add code to a script or replace a binary. By default MXViewService, which starts as the NT AUTHORITY\SYSTEM user, executes a series of Node.js scripts to start additional application functionality; among them, the mosquitto executable is also run.
CVE-2021-27142 1 Fiberhome 2 Hg6245d, Hg6245d Firmware 2023-12-10 5.0 MEDIUM 7.5 HIGH
An issue was discovered on FiberHome HG6245D devices through RP2613. The web management is done over HTTPS, using a hardcoded private key that has 0777 permissions.
CVE-2021-25906 1 Basic Dsp Matrix Project 1 Basic Dsp Matrix 2023-12-10 5.0 MEDIUM 7.5 HIGH
An issue was discovered in the basic_dsp_matrix crate before 0.9.2 for Rust. When a TransformContent panic occurs, a double drop can be performed.
CVE-2020-35890 1 Ordnung Project 1 Ordnung 2023-12-10 5.0 MEDIUM 7.5 HIGH
An issue was discovered in the ordnung crate through 2020-09-03 for Rust. compact::Vec violates memory safety via out-of-bounds access for large capacity.
CVE-2020-13550 1 Advantech 1 WebAccess/SCADA 2023-12-10 4.0 MEDIUM 7.7 HIGH
A local file inclusion vulnerability exists in the installation functionality of Advantech WebAccess/SCADA 9.0.1. A specially crafted application can lead to information disclosure. An attacker can send an authenticated HTTP request to trigger this vulnerability.
CVE-2020-28672 1 Monocms 1 Monocms 2023-12-10 9.0 HIGH 7.2 HIGH
MonoCMS Blog 1.0 is affected by incorrect access control that can lead to remote arbitrary code execution. At monofiles/category.php:27, user input can be saved to category/[foldername]/index.php causing RCE.
CVE-2019-7178 1 Pexip 1 Pexip Infinity 2023-12-10 9.0 HIGH 7.2 HIGH
Pexip Infinity before 20.1 allows privilege escalation by restoring a system backup.
CVE-2019-8675 1 Apple 1 Mac Os X 2023-12-10 6.5 MEDIUM 8.8 HIGH
A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a privileged network position may be able to execute arbitrary code.
CVE-2020-28851 1 Golang 1 Go 2023-12-10 5.0 MEDIUM 7.5 HIGH
In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)
CVE-2020-26511 1 Wpo365 1 WordPress + Azure AD / Microsoft Office 365 2023-12-10 5.0 MEDIUM 7.5 HIGH
The wpo365-login plugin before v11.7 for WordPress allows use of a symmetric algorithm to decrypt a JWT token. This leads to authentication bypass.
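The description above says only that the plugin can be made to check a JWT with a symmetric algorithm. The usual way that turns into an authentication bypass is algorithm confusion: the verifier lets the token's own "alg" header pick the algorithm, and its HS256 branch is keyed with the only material it holds, the identity provider's public key, which an attacker can download. The following is an added Go example written for this page, not code from wpo365-login or from any JWT library; the header-trusting verifier, the pinned verifier, the "upn" claim and the generated RSA key are all constructed for the demonstration, and the assumption that the plugin flaw follows this exact pattern is mine.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url

// encode builds header.claims.signature using the supplied signer.
func encode(alg string, claims map[string]any, signer func([]byte) []byte) string {
	h, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	c, _ := json.Marshal(claims)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	return input + "." + b64.EncodeToString(signer([]byte(input)))
}

// decode returns the signing input, the declared alg and the raw signature.
func decode(tok string) (input, alg string, sig []byte, err error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return "", "", nil, fmt.Errorf("malformed token")
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil {
		return "", "", nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err = json.Unmarshal(hb, &hdr); err != nil {
		return "", "", nil, err
	}
	sig, err = b64.DecodeString(parts[2])
	return parts[0] + "." + parts[1], hdr.Alg, sig, err
}

func hs256(key, input []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(input)
	return mac.Sum(nil)
}

func rs256Verify(pub *rsa.PublicKey, input string, sig []byte) bool {
	d := sha256.Sum256([]byte(input))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// VerifyTrustingHeader is the weak pattern (assumed, not the plugin's code):
// the token's alg selects the branch, and HS256 is keyed with the PEM public
// key, which is the only key material the relying party has and is not secret.
func VerifyTrustingHeader(tok string, pub *rsa.PublicKey, pubPEM []byte) bool {
	input, alg, sig, err := decode(tok)
	if err != nil {
		return false
	}
	switch alg {
	case "RS256":
		return rs256Verify(pub, input, sig)
	case "HS256":
		return hmac.Equal(hs256(pubPEM, []byte(input)), sig)
	}
	return false
}

// VerifyPinned is the hardened form: the verifier fixes the algorithm, so a
// token declaring anything but RS256 is rejected before any signature check.
func VerifyPinned(tok string, pub *rsa.PublicKey) bool {
	input, alg, sig, err := decode(tok)
	if err != nil || alg != "RS256" {
		return false
	}
	return rs256Verify(pub, input, sig)
}

// Demo reports whether the forged token passes the header-trusting verifier,
// whether it passes the pinned verifier, and whether a genuine RS256 token
// still passes the pinned verifier.
func Demo() (forgedTrusting, forgedPinned, legitPinned bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the IdP key
	if err != nil {
		return
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	// Constructed claims; "upn" is a placeholder for whatever maps to a WP user.
	claims := map[string]any{"upn": "admin@example.test", "exp": 4102444800}

	legit := encode("RS256", claims, func(in []byte) []byte {
		d := sha256.Sum256(in)
		s, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
		return s
	})
	// The attacker needs only the published public key to mint this token.
	forged := encode("HS256", claims, func(in []byte) []byte { return hs256(pubPEM, in) })

	return VerifyTrustingHeader(forged, &priv.PublicKey, pubPEM),
		VerifyPinned(forged, &priv.PublicKey),
		VerifyPinned(legit, &priv.PublicKey), nil
}

func main() { fmt.Println(Demo()) }
```

Running it prints `true false true <nil>`: the header-trusting verifier accepts a token the attacker signed with nothing but the public key, while the pinned verifier rejects it and still accepts the genuine RS256 token. The fix in any JWT consumer is the same as VerifyPinned: decide the algorithm (and key) on the server side and treat the token's "alg" as untrusted input to compare against, never as a selector.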
CVE-2020-11635 1 Zscaler 1 Client Connector 2023-12-10 7.2 HIGH 7.8 HIGH
The Zscaler Client Connector prior to 3.1.0 did not sufficiently validate RPC clients, which allows a local adversary to execute code with system privileges or perform limited actions for which they did not have privileges.
CVE-2020-35894 1 Obstack Project 1 Obstack 2023-12-10 5.0 MEDIUM 7.5 HIGH
An issue was discovered in the obstack crate before 0.1.4 for Rust. Unaligned references can occur.
CVE-2020-15849 1 Re-desk 1 Re\ 2023-12-10 6.5 MEDIUM 7.2 HIGH
Re:Desk 2.3 has a blind authenticated SQL injection vulnerability in the SettingsController class, in the actionEmailTemplates() method. A malicious actor with access to an administrative account could abuse this vulnerability to recover sensitive data from the application's database, allowing for authorization bypass and taking over additional accounts by means of modifying password-reset tokens stored in the database. Remote command execution is also possible by leveraging this to abuse the Yii framework's bizRule functionality, allowing for arbitrary PHP code to be executed by the application. Remote command execution is also possible by using this together with a separate insecure file upload vulnerability (CVE-2020-15488).
CVE-2020-35857 1 Trust-dns-server Project 1 Trust-dns-server 2023-12-10 5.0 MEDIUM 7.5 HIGH
An issue was discovered in the trust-dns-server crate before 0.18.1 for Rust. DNS MX and SRV null targets are mishandled, causing stack consumption.
CVE-2021-28791 1 Swiftformat Project 1 Swiftformat 2023-12-10 6.8 MEDIUM 7.8 HIGH
The unofficial SwiftFormat extension before 1.3.7 for Visual Studio Code allows remote attackers to execute arbitrary code by constructing a malicious workspace with a crafted swiftformat.path configuration value that triggers execution upon opening the workspace.
CVE-2020-28362 3 Fedoraproject, Golang, Netapp 4 Fedora, Go, Cloud Insights Telegraf Agent and 1 more 2023-12-10 5.0 MEDIUM 7.5 HIGH
Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.
CVE-2020-15266 1 Google 1 Tensorflow 2023-12-10 5.0 MEDIUM 7.5 HIGH
In Tensorflow before version 2.4.0, when the `boxes` argument of `tf.image.crop_and_resize` has a very large value, the CPU kernel implementation receives it as a C++ `nan` floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.