Total
100 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-29427 | 2 Gradle, Quarkus | 2 Gradle, Quarkus | 2023-12-10 | 6.0 MEDIUM | 7.2 HIGH |
In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the "A Confusing Dependency" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced. | |||||
CVE-2021-30507 | 2 Fedoraproject, Google | 3 Fedora, Android, Chrome | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
Inappropriate implementation in Offline in Google Chrome on Android prior to 90.0.4430.212 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. | |||||
CVE-2021-29777 | 5 Hp, Ibm, Linux and 2 more | 6 Hp-ux, Aix, Db2 and 3 more | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5, under specific circumstance of a table being dropped while being accessed in another session, could allow an authenticated user to cause a denial of srevice IBM X-Force ID: 203031. | |||||
CVE-2021-32802 | 1 Nextcloud | 1 Nextcloud Server | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. There are several security concerns with passing user-generated content to this library, such as Server-Side-Request-Forgery, file disclosure or potentially executing code on the system. The risk depends on your system configuration and the installed library version. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. These versions do not use this library anymore. As a workaround users may disable previews by setting `enable_previews` to `false` in `config.php`. | |||||
CVE-2021-20443 | 3 Ibm, Linux, Microsoft | 3 Maximo For Civil Infrastructure, Linux Kernel, Windows | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
IBM Maximo for Civil Infrastructure 7.6.2 includes executable functionality (such as a library) from a source that is outside of the intended control sphere. IBM X-Force ID: 196619. | |||||
CVE-2021-26272 | 2 Ckeditor, Oracle | 10 Ckeditor, Agile Plm, Application Express and 7 more | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin). | |||||
CVE-2020-24985 | 1 Quadbase | 1 Espressdashboard | 2023-12-10 | 5.5 MEDIUM | 8.1 HIGH |
An issue was discovered in Quadbase EspressReports ES 7 Update 9. An authenticated user is able to navigate to the MenuPage section of the application, and change the frmsrc parameter value to retrieve and execute external files or payloads. | |||||
CVE-2021-20187 | 1 Moodle | 1 Moodle | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication. | |||||
CVE-2021-26271 | 2 Ckeditor, Oracle | 7 Ckeditor, Agile Plm, Application Express and 4 more | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin). | |||||
CVE-2020-25788 | 1 Tt-rss | 1 Tiny Tiny Rss | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. imgproxy in plugins/af_proxy_http/init.php mishandles $_REQUEST["url"] in an error message. | |||||
CVE-2021-28162 | 1 Eclipse | 1 Theia | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run. | |||||
CVE-2020-13175 | 1 Teradici | 2 Cloud Access Connector, Cloud Access Connector Legacy | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The Management Interface of the Teradici Cloud Access Connector and Cloud Access Connector Legacy for releases prior to April 20, 2020 (v15 and earlier for Cloud Access Connector) contains a local file inclusion vulnerability which allows an unauthenticated remote attacker to leak LDAP credentials via a specially crafted HTTP request. | |||||
CVE-2020-13977 | 2 Fedoraproject, Nagios | 2 Fedora, Nagios | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
Nagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files. NOTE: this vulnerability has been mistakenly associated with CVE-2020-1408. | |||||
CVE-2020-10865 | 2 Avast, Microsoft | 2 Antivirus, Windows | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to make arbitrary changes to the Components section of the Stats.ini file via RPC from a Low Integrity process. | |||||
CVE-2020-5295 | 1 Octobercms | 1 October | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission. Issue has been patched in Build 466 (v1.0.466). | |||||
CVE-2019-17014 | 1 Mozilla | 1 Firefox | 2023-12-10 | 4.3 MEDIUM | 7.4 HIGH |
If an image had not loaded correctly (such as when it is not actually an image), it could be dragged and dropped cross-domain, resulting in a cross-origin information leak. This vulnerability affects Firefox < 71. | |||||
CVE-2019-11742 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of SVG filters and a <canvas> element due to an error in how same-origin policy is applied to cached image content. The resulting same-origin policy violation could allow for data theft. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. | |||||
CVE-2013-1945 | 1 Ruby-lang | 1 Ruby193 | 2023-12-10 | 2.1 LOW | 3.3 LOW |
ruby193 uses an insecure LD_LIBRARY_PATH setting. | |||||
CVE-2012-4919 | 1 Gallery Project | 1 Gallery | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Gallery Plugin1.4 for WordPress has a Remote File Include Vulnerability | |||||
CVE-2013-4582 | 1 Gitlab | 2 Gitlab, Gitlab-shell | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
The (1) create_branch, (2) create_tag, (3) import_project, and (4) fork_project functions in lib/gitlab_projects.rb in GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allows remote authenticated users to include information from local files into the metadata of a Git repository via the web interface. |