VYPR

CVEs

101,963 total · page 1425 of 2,040

  • CVE-2020-26546HigOct 12, 2020
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in HelpDeskZ 1.0.2. The feature to auto-login a user, via the RememberMe functionality, is prone to SQL injection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

  • CVE-2020-25825HigOct 12, 2020
    risk 0.49cvss 7.5epss 0.02

    In Octopus Deploy 3.1.0 to 2020.4.0, certain scripts can reveal sensitive information to the user in the task logs.

  • CVE-2020-9123HigOct 12, 2020
    risk 0.51cvss 7.8epss 0.01

    HUAWEI P30 Pro versions earlier than 10.1.0.160(C00E160R2P8) and versions earlier than 10.1.0.160(C01E160R2P8) have a buffer overflow vulnerability. An attacker induces users to install malicious applications and sends specially constructed packets to affected devices after…

  • CVE-2020-9090HigOct 12, 2020
    risk 0.51cvss 7.8epss 0.00

    FusionAccess version 6.5.1 has an improper authorization vulnerability. A command is authorized with incorrect privilege. Attackers with other privilege can execute the command to exploit this vulnerability. This may compromise normal service of the affected product.

  • CVE-2020-4388HigOct 12, 2020
    risk 0.53cvss 8.2epss 0.01

    IBM Cognos Analytics 11.0 and 11.1 could be vulnerable to a denial of service attack by failing to catch exceptions in a servlet also exposing debug information could also be used in future attacks. IBM X-Force ID: 179270.

  • CVE-2020-4302HigOct 12, 2020
    risk 0.51cvss 7.8epss 0.02

    IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to execute arbitrary code on the system, caused by a CSV injection. By persuading a victim to open a specially-crafted excel file, an attacker could exploit this vulnerability to execute arbitrary code on the…

  • CVE-2020-26869HigOct 12, 2020
    risk 0.49cvss 7.5epss 0.02

    ARC Informatique PcVue prior to version 12.0.17 is vulnerable to information exposure, allowing unauthorized users to access session data of legitimate users. This issue also affects third-party systems based on the Web Services Toolkit.

  • CVE-2020-26868HigOct 12, 2020
    risk 0.49cvss 7.5epss 0.02

    ARC Informatique PcVue prior to version 12.0.17 is vulnerable to a denial-of-service attack due to the ability of an unauthorized user to modify information used to validate messages sent by legitimate web clients. This issue also affects third-party systems based on the Web…

  • CVE-2020-4779HigOct 12, 2020
    risk 0.53cvss 8.1epss 0.01

    A HTTP Verb Tampering vulnerability may impact IBM Curam Social Program Management 7.0.9 and 7.0.10. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass security access controls. IBM X-Force ID: 189156.

  • CVE-2020-4778HigOct 12, 2020
    risk 0.49cvss 7.5epss 0.01

    IBM Curam Social Program Management 7.0.9 and 7.0.10 uses MD5 algorithm for hashing token in a single instance which less safe than default SHA-256 cryptographic algorithm used throughout the Cúram application. IBM X-Force ID: 189156.

  • CVE-2020-4776HigOct 12, 2020
    risk 0.49cvss 7.5epss 0.02

    A path traversal vulnerability may impact IBM Curam Social Program Management 7.0.9 and 7.0.10, which could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted file path in URL request to view arbitrary files on the system.…

  • CVE-2020-4772HigOct 12, 2020
    risk 0.53cvss 8.1epss 0.01

    An XML External Entity Injection (XXE) vulnerability may impact IBM Curam Social Program Management 7.0.9 and 7.0.10. A remote attacker could exploit this vulnerability to expose sensitive information, denial of service, server side request forgery or consume memory resources.…

  • CVE-2020-5140HigOct 12, 2020
    risk 0.49cvss 7.5epss 0.02

    A vulnerability in SonicOS allows a remote unauthenticated attacker to cause Denial of Service (DoS) on the firewall SSLVPN service by sending a malicious HTTP request that leads to memory addresses leak. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6…

  • CVE-2020-5139HigOct 12, 2020
    risk 0.49cvss 7.5epss 0.02

    A vulnerability in SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS) due to the release of Invalid pointer and leads to a firewall crash. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7,…

  • CVE-2020-5138HigOct 12, 2020
    risk 0.49cvss 7.5epss 0.02

    A Heap Overflow vulnerability in the SonicOS allows a remote unauthenticated attacker to cause Denial of Service (DoS) on the firewall SSLVPN service and leads to SonicOS crash. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.12,…

  • CVE-2020-5137HigOct 12, 2020
    risk 0.49cvss 7.5epss 0.02

    A buffer overflow vulnerability in SonicOS allows a remote unauthenticated attacker to cause Denial of Service (DoS) on the firewall SSLVPN service and leads to firewall crash. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.12,…

  • CVE-2020-5133HigOct 12, 2020
    risk 0.49cvss 7.5epss 0.02

    A vulnerability in SonicOS allows a remote unauthenticated attacker to cause Denial of Service due to buffer overflow, which leads to a firewall crash. This vulnerability affected SonicOS Gen 6 version 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.

  • CVE-2020-26947HigOct 10, 2020
    risk 0.00cvss 7.8epss 0.00

    monero-wallet-gui in Monero GUI before 0.17.1.0 includes the . directory in an embedded RPATH (with a preference ahead of /usr/lib), which allows local users to gain privileges via a Trojan horse library in the current working directory.

  • CVE-2020-26945HigOct 10, 2020
    risk 0.00cvss 8.1epss 0.02

    MyBatis before 3.5.6 mishandles deserialization of object streams.

  • CVE-2020-26929HigOct 9, 2020
    risk 0.48cvss 7.3epss 0.01

    Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R6220 before 1.1.0.100 and R6230 before 1.1.0.100.

  • CVE-2020-26921HigOct 9, 2020
    risk 0.54cvss 8.3epss 0.01

    Certain NETGEAR devices are affected by authentication bypass. This affects GS110EMX before 1.0.1.7, GS810EMX before 1.7.1.3, XS512EM before 1.0.1.3, and XS724EM before 1.0.1.3.

  • CVE-2020-26920HigOct 9, 2020
    risk 0.57cvss 8.8epss 0.01

    Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects SRK60 before 2.5.3.110, SRR60 before 2.5.3.110, and SRS60 before 2.5.3.110.

  • CVE-2020-26912HigOct 9, 2020
    risk 0.49cvss 7.5epss 0.01

    Certain NETGEAR devices are affected by CSRF. This affects D6200 before 1.1.00.38, D7000 before 1.0.1.78, JR6150 before 1.0.1.24, R6020 before 1.0.0.42, R6050 before 1.0.1.24, R6080 before 1.0.0.42, R6120 before 1.0.0.66, R6220 before 1.1.0.100, R6260 before 1.1.0.64, R6700v2…

  • CVE-2020-26911HigOct 9, 2020
    risk 0.54cvss 8.3epss 0.01

    Certain NETGEAR devices are affected by lack of access control at the function level. This affects D6200 before 1.1.00.38, D7000 before 1.0.1.78, JR6150 before 1.0.1.24, R6020 before 1.0.0.42, R6050 before 1.0.1.24, R6080 before 1.0.0.42, R6120 before 1.0.0.66, R6220 before…

  • CVE-2020-26910HigOct 9, 2020
    risk 0.55cvss 8.4epss 0.01

    Certain NETGEAR devices are affected by command injection by an authenticated user. This affects CBR40 before 2.5.0.10, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.15.25, RBR850 before 3.2.15.25, and RBS850 before 3.2.15.25.

  • CVE-2020-26909HigOct 9, 2020
    risk 0.57cvss 8.8epss 0.02

    Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects D7800 before 1.0.1.58 and R7500v2 before 1.0.3.48.

  • CVE-2020-26522HigOct 9, 2020
    risk 0.57cvss 8.8epss 0.01

    A cross-site request forgery (CSRF) vulnerability in mod/user/act_user.php in Garfield Petshop through 2020-10-01 allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts.

  • CVE-2020-15838HigOct 9, 2020
    risk 0.57cvss 8.8epss 0.01

    The Agent Update System in ConnectWise Automate before 2020.8 allows Privilege Escalation because the _LTUPDATE folder has weak permissions.

  • CVE-2019-19115HigOct 8, 2020
    risk 0.51cvss 7.8epss 0.01

    An escalation of privilege vulnerability in Nahimic APO Software Component Driver 1.4.2, 1.5.0, 1.5.1, 1.6.1 and 1.6.2 allows an attacker to execute code with SYSTEM privileges.

  • CVE-2020-26894HigOct 8, 2020
    risk 0.00cvss 7.8epss 0.00

    LiveCode v9.6.1 on Windows allows local, low-privileged users to gain privileges by creating a malicious "cmd.exe" in the folder of the vulnerable LiveCode application. If the application is using LiveCode's "shell()" function, it will attempt to search for "cmd.exe" in the…

  • CVE-2020-9048HigOct 8, 2020
    risk 0.46cvss 7.1epss 0.01

    A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow a remote unauthenticated attacker on the network to delete arbitrary files on the system or render the system unusable by conducting a Denial of Service…

  • CVE-2020-26802HigOct 8, 2020
    risk 0.57cvss 8.8epss 0.01

    forma.lms 2.3.0.2 is affected by Cross Site Request Forgery (CSRF) in formalms/appCore/index.php?r=lms/profile/show&ap=saveinfo via a GET request to change the admin email address in order to accomplish an account takeover.

  • CVE-2020-10816HigOct 8, 2020
    risk 0.49cvss 7.5epss 0.05

    Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet.

  • CVE-2020-4799HigOct 8, 2020
    risk 0.51cvss 7.8epss 0.00

    IBM Informix spatial 14.10 could allow a local user to execute commands as a privileged user due to an out of bounds write vulnerability. IBM X-Force ID: 189460.

  • CVE-2020-4280HigOct 8, 2020
    risk 0.63cvss 8.8epss 0.73

    IBM QRadar SIEM 7.3 and 7.4 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker could exploit this…

  • CVE-2020-13340HigOct 8, 2020
    risk 0.62cvss 8.7epss 0.69

    An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2: Stored XSS in CI Job Log

  • CVE-2019-4545HigOct 8, 2020
    risk 0.49cvss 7.5epss 0.02

    IBM QRadar SIEM 7.3 and 7.4 when configured to use Active Directory Authentication may be susceptible to spoofing attacks. IBM X-Force ID: 165877.

  • CVE-2020-2286HigOct 8, 2020
    risk 0.57cvss 8.8epss 0.01

    Jenkins Role-based Authorization Strategy Plugin 3.0 and earlier does not properly invalidate a permission cache when the configuration is changed, resulting in permissions being granted based on an outdated configuration.

  • CVE-2020-25263HigOct 8, 2020
    risk 0.46cvss 7.1epss 0.01

    PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/addons/uninstall/anomaly.module.blocks URI: an arbitrary plugin will be deleted.

  • CVE-2020-3544HigOct 8, 2020
    risk 0.57cvss 8.8epss 0.01

    A vulnerability in the Cisco Discovery Protocol implementation for Cisco Video Surveillance 8000 Series IP Cameras could allow an unauthenticated, adjacent attacker to execute arbitrary code on an affected device or cause the device to reload. This vulnerability is due to…

  • CVE-2020-3535HigOct 8, 2020
    risk 0.51cvss 7.8epss 0.01

    A vulnerability in the loading mechanism of specific DLLs in the Cisco Webex Teams client for Windows could allow an authenticated, local attacker to load a malicious library. To exploit this vulnerability, the attacker needs valid credentials on the Windows system. The…

  • CVE-2020-3467HigOct 8, 2020
    risk 0.50cvss 7.7epss 0.01

    A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to modify parts of the configuration on an affected device. The vulnerability is due to improper enforcement of role-based access control…

  • CVE-2020-15177HigOct 7, 2020
    risk 0.00cvss 8.0epss 0.01

    In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure…

  • CVE-2020-15176HigOct 7, 2020
    risk 0.00cvss 8.7epss 0.01

    In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords,…

  • CVE-2020-15175HigOct 7, 2020
    risk 0.06cvss 7.4epss 0.71

    In GLPI before version 9.5.2, the `​pluginimage.send.php​` endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and…

  • CVE-2020-26880HigOct 7, 2020
    risk 0.51cvss 7.8epss 0.00

    Sympa through 6.2.57b.2 allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it through the setuid sympa_newaliases-wrapper executable.

  • CVE-2020-26876HigOct 7, 2020
    risk 0.49cvss 7.5epss 0.09

    The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step (for course videos and materials) by using the /wp-json REST API, as exploited in the wild in September 2020. This occurs because show_in_rest is enabled for custom…

  • CVE-2020-26596HigOct 7, 2020
    risk 0.58cvss 8.8epss 0.06

    The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing…

  • CVE-2020-24246HigOct 7, 2020
    risk 0.49cvss 7.5epss 0.01

    Peplink Balance before 8.1.0rc1 allows an unauthenticated attacker to download PHP configuration files (/filemanager/php/connector.php) from Web Admin.

  • CVE-2019-16160HigOct 7, 2020
    risk 0.49cvss 7.5epss 0.03

    An integer underflow in the SMB server of MikroTik RouterOS before 6.45.5 allows remote unauthenticated attackers to crash the service.