VYPR

CVEs

1,631 total · page 20 of 33

  • CVE-2020-17530KEVDec 11, 2020
    risk 0.23cvss epss 0.96

    Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

  • CVE-2020-17144KEVDec 9, 2020
    risk 0.19cvss epss 0.37

    Microsoft Exchange Remote Code Execution Vulnerability

  • CVE-2020-27930KEVDec 8, 2020
    risk 0.16cvss epss 0.22

    A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 12.4.9, watchOS 6.2.9, Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave, iOS 14.2 and iPadOS 14.2, watchOS 5.3.9, macOS…

  • CVE-2020-27950KEVDec 8, 2020
    risk 0.16cvss epss 0.17

    A memory initialization issue was addressed. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 12.4.9, watchOS 6.2.9, Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave, iOS 14.2 and iPadOS 14.2, watchOS 5.3.9, macOS Catalina 10.15.7 Supplemental…

  • CVE-2020-27932KEVDec 8, 2020
    risk 0.13cvss epss 0.10

    A type confusion issue was addressed with improved state handling. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 12.4.9, watchOS 6.2.9, Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave, iOS 14.2 and iPadOS 14.2, watchOS 5.3.9, macOS Catalina…

  • CVE-2020-4006KEVNov 23, 2020
    risk 0.13cvss epss 0.24

    VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability.

  • CVE-2020-13671KEVNov 20, 2020
    risk 0.12cvss epss 0.04

    Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0…

  • CVE-2020-28949KEVNov 19, 2020
    risk 0.15cvss epss 0.85

    Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

  • CVE-2020-17087KEVNov 11, 2020
    risk 0.14cvss epss 0.05

    Windows Kernel Local Elevation of Privilege Vulnerability

  • CVE-2020-13927KEVNov 10, 2020
    risk 0.16cvss epss 1.00

    The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at…

  • CVE-2020-16846KEVNov 6, 2020
    risk 0.23cvss epss 1.00

    An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.

  • CVE-2020-16010KEVNov 3, 2020
    risk 0.14cvss epss 0.06

    Heap buffer overflow in UI in Google Chrome on Android prior to 86.0.4240.185 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

  • CVE-2020-16009KEVNov 3, 2020
    risk 0.19cvss epss 0.49

    Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

  • CVE-2020-15999KEVNov 3, 2020
    risk 0.19cvss epss 0.51

    Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

  • CVE-2020-14750KEVNov 1, 2020
    risk 0.23cvss epss 0.99

    Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with…

  • CVE-2018-19949KEVOct 28, 2020
    risk 0.22cvss epss 0.24

    If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS…

  • CVE-2018-19953KEVOct 28, 2020
    risk 0.21cvss epss 0.24

    If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS…

  • CVE-2018-19943KEVOct 28, 2020
    risk 0.19cvss epss 0.18

    If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed these issues in the following QTS versions. QTS 4.4.2.1270 build 20200410 and later QTS 4.4.1.1261 build 20200330 and later QTS 4.3.6.1263 build…

  • CVE-2020-8260KEVOct 28, 2020
    risk 0.21cvss epss 0.96

    A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.

  • CVE-2020-3580KEVOct 21, 2020
    risk 0.25cvss epss 0.85

    Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web…

  • CVE-2020-14883KEVOct 21, 2020
    risk 0.23cvss epss 0.98

    Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with…

  • CVE-2020-14882KEVOct 21, 2020
    risk 0.23cvss epss 1.00

    Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with…

  • CVE-2020-14864KEVOct 21, 2020
    risk 0.23cvss epss 0.97

    Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Installation). Supported versions that are affected are 5.5.0.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker…

  • CVE-2020-14871KEVOct 21, 2020
    risk 0.22cvss epss 0.80

    Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to…

  • CVE-2020-3992KEVOct 20, 2020
    risk 0.25cvss epss 0.83

    OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to…

  • CVE-2020-9934KEVOct 16, 2020
    risk 0.15cvss epss 0.03

    An issue existed in the handling of environment variables. This issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6. A local user may be able to view sensitive user information.

  • CVE-2020-9907KEVOct 16, 2020
    risk 0.12cvss epss 0.04

    A memory corruption issue was addressed by removing the vulnerable code. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8. An application may be able to execute arbitrary code with kernel privileges.

  • CVE-2020-5135KEVOct 12, 2020
    risk 0.14cvss epss 0.27

    A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv…

  • CVE-2020-26919KEVOct 9, 2020
    risk 0.20cvss epss 0.57

    NETGEAR JGS516PE devices before 2.6.0.43 are affected by lack of access control at the function level.

  • CVE-2020-8243KEVSep 29, 2020
    risk 0.14cvss epss 0.91

    A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload custom template to perform an arbitrary code execution.

  • CVE-2020-25223KEVSep 25, 2020
    risk 0.23cvss epss 0.97

    A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11

  • CVE-2020-3569KEVSep 23, 2020
    risk 0.12cvss epss 0.03

    Multiple vulnerabilities in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to either immediately crash the Internet Group Management Protocol (IGMP) process or make it consume available…

  • CVE-2020-0878KEVSep 11, 2020
    risk 0.18cvss epss 0.03

    A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully…

  • CVE-2020-25213KEVSep 9, 2020
    risk 0.23cvss epss 0.97

    The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder…

  • CVE-2020-25078KEVSep 2, 2020
    risk 0.20cvss epss 0.98

    An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. The unauthenticated /config/getuser endpoint allows for remote administrator password disclosure.

  • CVE-2020-25079KEVSep 2, 2020
    risk 0.15cvss epss 0.53

    An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. cgi-bin/ddns_enc.cgi allows authenticated command injection.

  • CVE-2020-24557KEVSep 1, 2020
    risk 0.12cvss epss 0.03

    A vulnerability in Trend Micro Apex One and Worry-Free Business Security 10.0 SP1 on Microsoft Windows may allow an attacker to manipulate a particular product folder to disable the security temporarily, abuse a specific Windows function and attain privilege escalation. An…

  • CVE-2020-24363KEVAug 31, 2020
    risk 0.16cvss epss 0.21

    TP-Link TL-WA855RE V5 20200415-rel37464 devices allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtain incorrect access control by setting a new administrative password.

  • CVE-2020-3566KEVAug 29, 2020
    risk 0.12cvss epss 0.04

    A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. The vulnerability is due to insufficient queue management for Internet…

  • CVE-2020-9715HigKEVAug 19, 2020
    risk 0.69cvss 7.8epss 0.48

    Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have an use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution .

  • CVE-2020-1472KEVAug 17, 2020
    risk 0.29cvss epss 1.00

    An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially…

  • CVE-2020-1464KEVAug 17, 2020
    risk 0.13cvss epss 0.41

    A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files. In an attack scenario, an attacker could bypass security features…

  • CVE-2020-1380KEVAug 17, 2020
    risk 0.19cvss epss 0.24

    A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker…

  • CVE-2020-3433KEVAug 17, 2020
    risk 0.21cvss epss 0.10

    A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack. To exploit this vulnerability, the attacker would need to have valid credentials…

  • CVE-2019-5591KEVAug 14, 2020
    risk 0.16cvss epss 0.19

    A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.

  • CVE-2020-17463KEVAug 13, 2020
    risk 0.13cvss epss 0.90

    FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.

  • CVE-2020-17496KEVAug 12, 2020
    risk 0.23cvss epss 0.88

    vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.

  • CVE-2020-8218KEVJul 30, 2020
    risk 0.19cvss epss 0.33

    A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface.

  • CVE-2020-12812KEVJul 24, 2020
    risk 0.21cvss epss 0.49

    An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.

  • CVE-2020-3452KEVJul 22, 2020
    risk 0.23cvss epss 1.00

    A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted…