| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-36333 | Cri | 0.59 | 9.1 | 0.03 | May 5, 2021 | themegrill-demo-importer before 1.6.2 does not require authentication for wiping the database, because of a reset_wizard_actions hook. | ||
| CVE-2021-32020 | Cri | 0.00 | 9.8 | 0.01 | May 3, 2021 | The kernel in Amazon Web Services FreeRTOS before 10.4.3 has insufficient bounds checking during management of heap memory. | ||
| CVE-2020-23083 | Cri | 0.64 | 9.8 | 0.04 | May 3, 2021 | Unrestricted File Upload in JEECG v4.0 and earlier allows remote attackers to execute arbitrary code or gain privileges by uploading a crafted file to the component "jeecgFormDemoController.do?commonUpload". | ||
| CVE-2020-35758 | Cri | 0.64 | 9.8 | 0.02 | May 3, 2021 | An issue was discovered on Libre Wireless LS9 LS1.5/p7040 devices. There is a Authentication Bypass in the Web Interface. This interface does not properly restrict access to internal functionality. Despite presenting a password login page on first access, authentication is not… | ||
| CVE-2020-35757 | Cri | 0.64 | 9.8 | 0.02 | May 3, 2021 | An issue was discovered on Libre Wireless LS9 LS1.5/p7040 devices. There is Unauthenticated Root ADB Access Over TCP. The LS9 web interface provides functionality to access ADB over TCP. This is not enabled by default, but can be enabled by sending a crafted request to a web… | ||
| CVE-2021-29369 | — | Cri | 0.57 | 9.8 | 0.02 | May 3, 2021 | The gnuplot package prior to version 0.1.0 for Node.js allows code execution via shell metacharacters in Gnuplot commands. | |
| CVE-2021-28860 | — | Cri | 0.52 | 9.1 | 0.02 | May 3, 2021 | In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at… | |
| CVE-2021-28959 | Cri | 0.65 | 9.8 | 0.17 | Apr 30, 2021 | Zoho ManageEngine Eventlog Analyzer through 12147 is vulnerable to unauthenticated directory traversal via an entry in a ZIP archive. This leads to remote code execution. | ||
| CVE-2020-24918 | Cri | 0.64 | 9.8 | 0.04 | Apr 30, 2021 | A buffer overflow in the RTSP service of the Ambarella Oryx RTSP Server 2020-01-07 allows an unauthenticated attacker to send a crafted RTSP request, with a long digest authentication header, to execute arbitrary code in parse_authentication_header() in libamprotocol-rtsp.so.1… | ||
| CVE-2021-31873 | Cri | 0.00 | 9.8 | 0.02 | Apr 30, 2021 | An issue was discovered in klibc before 2.0.9. Additions in the malloc() function may result in an integer overflow and a subsequent heap buffer overflow. | ||
| CVE-2021-31872 | Cri | 0.00 | 9.8 | 0.02 | Apr 30, 2021 | An issue was discovered in klibc before 2.0.9. Multiple possible integer overflows in the cpio command on 32-bit systems may result in a buffer overflow or other security impact. | ||
| CVE-2021-31870 | Cri | 0.00 | 9.8 | 0.02 | Apr 30, 2021 | An issue was discovered in klibc before 2.0.9. Multiplication in the calloc() function may result in an integer overflow and a subsequent heap buffer overflow. | ||
| CVE-2020-18070 | Cri | 0.59 | 9.1 | 0.02 | Apr 30, 2021 | Path Traversal in iCMS v7.0.13 allows remote attackers to delete folders by injecting commands into a crafted HTTP request to the "do_del()" method of the component "database.admincp.php". | ||
| CVE-2021-30492 | cri | 0.52 | — | 0.00 | Apr 29, 2021 | ### Impact Lack of input validation of the Zendesk subdomain could expose users of the library to Server Side Request Forgery (SSRF). ### Resolution Validate the provided Zendesk subdomain to be a valid subdomain in: * getAuthUrl * getAccessToken | ||
| CVE-2020-22807 | Cri | 0.64 | 9.8 | 0.01 | Apr 29, 2021 | An issue was dicovered in vtiger crm 7.2. Union sql injection in the calendar exportdata feature. | ||
| CVE-2020-35430 | Cri | 0.64 | 9.8 | 0.01 | Apr 29, 2021 | SQL Injection in com/inxedu/OS/edu/controller/letter/AdminMsgSystemController in Inxedu v2.0.6 via the ids parameter to admin/letter/delsystem. | ||
| CVE-2020-21452 | Cri | 0.64 | 9.8 | 0.01 | Apr 29, 2021 | An issue was discovered in uniview ISC2500-S. This is an upload vulnerability where an attacker can upload malicious code via /Interface/DevManage/EC.php?cmd=upload | ||
| CVE-2021-30234 | Cri | 0.64 | 9.8 | 0.03 | Apr 29, 2021 | The api/ZRIGMP/set_MLD_PROXY interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the MLD_PROXY_WAN_CONNECT parameter. | ||
| CVE-2021-30233 | Cri | 0.64 | 9.8 | 0.03 | Apr 29, 2021 | The api/ZRIptv/setIptvInfo interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the iptv_vlan parameter. | ||
| CVE-2021-30232 | Cri | 0.64 | 9.8 | 0.03 | Apr 29, 2021 | The api/ZRIGMP/set_IGMP_PROXY interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the IGMP_PROXY_WAN_CONNECT parameter. | ||
| CVE-2021-30231 | Cri | 0.64 | 9.8 | 0.03 | Apr 29, 2021 | The api/zrDm/set_ZRElink interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the bssaddr, abiaddr, devtoken, devid, elinksync, or elink_proc_enable parameter. | ||
| CVE-2021-30230 | Cri | 0.64 | 9.8 | 0.03 | Apr 29, 2021 | The api/ZRFirmware/set_time_zone interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the zonename parameter. | ||
| CVE-2021-30228 | Cri | 0.64 | 9.8 | 0.03 | Apr 29, 2021 | The api/ZRAndlink/set_ZRAndlink interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the iandlink_proc_enable parameter. | ||
| CVE-2021-25812 | Cri | 0.64 | 9.8 | 0.03 | Apr 29, 2021 | Command injection vulnerability in China Mobile An Lianbao WF-1 1.01 via the 'ip' parameter with a POST request to /api/ZRQos/set_online_client. | ||
| CVE-2021-27651 | Cri | 0.68 | 9.8 | 0.54 | Apr 29, 2021 | In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks. | ||
| CVE-2021-20090 | Cri | 0.84 | 9.8 | 1.00 | KEV | Apr 29, 2021 | A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication. | |
| CVE-2020-21995 | Cri | 0.64 | 9.8 | 0.02 | Apr 29, 2021 | Inim Electronics Smartliving SmartLAN/G/SI <=6.x uses default hardcoded credentials. An attacker could exploit this to gain Telnet, SSH and FTP access to the system. | ||
| CVE-2021-29145 | Cri | 0.64 | 9.8 | 0.02 | Apr 29, 2021 | A remote server side request forgery (SSRF) remote code execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability. | ||
| CVE-2021-31875 | Cri | 0.00 | 9.8 | 0.02 | Apr 29, 2021 | In mjs_json.c in Cesanta MongooseOS mJS 1.26, a maliciously formed JSON string can trigger an off-by-one heap-based buffer overflow in mjs_json_parse, which can potentially lead to redirection of control flow. NOTE: the original reporter disputes the significance of this finding… | ||
| CVE-2021-29483 | Cri | 0.00 | 9.4 | 0.01 | Apr 28, 2021 | ManageWiki is an extension to the MediaWiki project. The 'wikiconfig' API leaked the value of private configuration variables set through the ManageWiki variable to all users. This has been patched by https://github.com/miraheze/ManageWiki/compare/99f3b2c8af18...befb83c66f5b.patc… | ||
| CVE-2020-21994 | Cri | 0.64 | 9.8 | 0.04 | Apr 28, 2021 | AVE DOMINAplus <=1.10.x suffers from clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file '/xml/authClients.xml' and obtain administrative login information that allows for a… | ||
| CVE-2020-21991 | Cri | 0.64 | 9.8 | 0.03 | Apr 28, 2021 | AVE DOMINAplus <=1.10.x suffers from an authentication bypass vulnerability due to missing control check when directly calling the autologin GET parameter in changeparams.php script. Setting the autologin value to 1 allows an unauthenticated attacker to permanently disable the… | ||
| CVE-2020-18020 | Cri | 0.64 | 9.8 | 0.04 | Apr 28, 2021 | SQL Injection in PHPSHE Mall System v1.7 allows remote attackers to execute arbitrary code by injecting SQL commands into the "user_phone" parameter of a crafted HTTP request to the "admin.php" component. | ||
| CVE-2021-22514 | Cri | 0.64 | 9.8 | 0.02 | Apr 28, 2021 | An arbitrary code execution vulnerability exists in Micro Focus Application Performance Management, affecting versions 9.40, 9.50 and 9.51. The vulnerability could allow remote attackers to execute arbitrary code on affected installations of APM. | ||
| CVE-2021-30168 | Cri | 0.64 | 9.8 | 0.02 | Apr 28, 2021 | The sensitive information of webcam device is not properly protected. Remote attackers can unauthentically grant administrator’s credential and further control the devices. | ||
| CVE-2021-30167 | Cri | 0.64 | 9.8 | 0.02 | Apr 28, 2021 | The manage users profile services of the network camera device allows an authenticated. Remote attackers can modify URL parameters and further amend user’s information and escalate privileges to control the devices. | ||
| CVE-2021-27648 | Cri | 0.59 | 9.0 | 0.03 | Apr 28, 2021 | Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors. | ||
| CVE-2021-31856 | Cri | 0.06 | 9.8 | 0.75 | Apr 28, 2021 | A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go). | ||
| CVE-2020-36326 | — | Cri | 0.57 | 9.8 | 0.03 | Apr 28, 2021 | PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by… | |
| CVE-2021-20716 | Cri | 0.64 | 9.8 | 0.03 | Apr 28, 2021 | Hidden functionality in multiple Buffalo network devices (BHR-4RV firmware Ver.2.55 and prior, FS-G54 firmware Ver.2.04 and prior, WBR2-B11 firmware Ver.2.32 and prior, WBR2-G54 firmware Ver.2.32 and prior, WBR2-G54-KD firmware Ver.2.32 and prior, WBR-B11 firmware Ver.2.23 and… | ||
| CVE-2021-29476 | — | Cri | 0.57 | 9.8 | 0.02 | Apr 27, 2021 | Requests is a HTTP library written in PHP. Requests mishandles deserialization in FilteredIterator. The issue has been patched and users of `Requests` 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0. | |
| CVE-2021-30128 | Cri | 0.70 | 9.8 | 0.81 | Apr 27, 2021 | Apache OFBiz has unsafe deserialization prior to 17.12.07 version | ||
| CVE-2021-29200 | Cri | 0.68 | 9.8 | 0.55 | Apr 27, 2021 | Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack | ||
| CVE-2020-22001 | Cri | 0.64 | 9.8 | 0.03 | Apr 27, 2021 | HomeAutomation 3.3.2 suffers from an authentication bypass vulnerability when spoofing client IP address using the X-Forwarded-For header with the local (loopback) IP address value allowing remote control of the smart home solution. | ||
| CVE-2021-30642 | Cri | 0.64 | 9.8 | 0.03 | Apr 27, 2021 | An input validation flaw in the Symantec Security Analytics web UI 7.2 prior 7.2.7, 8.1, prior to 8.1.3-NSR3, 8.2, prior to 8.2.1-NSR2 or 8.2.2 allows a remote, unauthenticated attacker to execute arbitrary OS commands on the target with elevated privileges. | ||
| CVE-2021-27480 | Cri | 0.64 | 9.8 | 0.01 | Apr 27, 2021 | Delta Industrial Automation COMMGR Versions 1.12 and prior are vulnerable to a stack-based buffer overflow, which may allow an attacker to execute remote code. | ||
| CVE-2019-25042 | Cri | 0.64 | 9.8 | 0.02 | Apr 27, 2021 | Unbound before 1.9.5 allows an out-of-bounds write via a compressed name in rdata_copy. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited | ||
| CVE-2019-25039 | Cri | 0.57 | 9.8 | 0.02 | Apr 27, 2021 | Unbound before 1.9.5 allows an integer overflow in a size calculation in respip/respip.c. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited | ||
| CVE-2019-25038 | Cri | 0.57 | 9.8 | 0.02 | Apr 27, 2021 | Unbound before 1.9.5 allows an integer overflow in a size calculation in dnscrypt/dnscrypt.c. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited | ||
| CVE-2019-25035 | Cri | 0.57 | 9.8 | 0.02 | Apr 27, 2021 | Unbound before 1.9.5 allows an out-of-bounds write in sldns_bget_token_par. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited |
- risk 0.59cvss 9.1epss 0.03
themegrill-demo-importer before 1.6.2 does not require authentication for wiping the database, because of a reset_wizard_actions hook.
- risk 0.00cvss 9.8epss 0.01
The kernel in Amazon Web Services FreeRTOS before 10.4.3 has insufficient bounds checking during management of heap memory.
- risk 0.64cvss 9.8epss 0.04
Unrestricted File Upload in JEECG v4.0 and earlier allows remote attackers to execute arbitrary code or gain privileges by uploading a crafted file to the component "jeecgFormDemoController.do?commonUpload".
- risk 0.64cvss 9.8epss 0.02
An issue was discovered on Libre Wireless LS9 LS1.5/p7040 devices. There is a Authentication Bypass in the Web Interface. This interface does not properly restrict access to internal functionality. Despite presenting a password login page on first access, authentication is not…
- risk 0.64cvss 9.8epss 0.02
An issue was discovered on Libre Wireless LS9 LS1.5/p7040 devices. There is Unauthenticated Root ADB Access Over TCP. The LS9 web interface provides functionality to access ADB over TCP. This is not enabled by default, but can be enabled by sending a crafted request to a web…
- risk 0.57cvss 9.8epss 0.02
The gnuplot package prior to version 0.1.0 for Node.js allows code execution via shell metacharacters in Gnuplot commands.
- risk 0.52cvss 9.1epss 0.02
In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at…
- risk 0.65cvss 9.8epss 0.17
Zoho ManageEngine Eventlog Analyzer through 12147 is vulnerable to unauthenticated directory traversal via an entry in a ZIP archive. This leads to remote code execution.
- risk 0.64cvss 9.8epss 0.04
A buffer overflow in the RTSP service of the Ambarella Oryx RTSP Server 2020-01-07 allows an unauthenticated attacker to send a crafted RTSP request, with a long digest authentication header, to execute arbitrary code in parse_authentication_header() in libamprotocol-rtsp.so.1…
- risk 0.00cvss 9.8epss 0.02
An issue was discovered in klibc before 2.0.9. Additions in the malloc() function may result in an integer overflow and a subsequent heap buffer overflow.
- risk 0.00cvss 9.8epss 0.02
An issue was discovered in klibc before 2.0.9. Multiple possible integer overflows in the cpio command on 32-bit systems may result in a buffer overflow or other security impact.
- risk 0.00cvss 9.8epss 0.02
An issue was discovered in klibc before 2.0.9. Multiplication in the calloc() function may result in an integer overflow and a subsequent heap buffer overflow.
- risk 0.59cvss 9.1epss 0.02
Path Traversal in iCMS v7.0.13 allows remote attackers to delete folders by injecting commands into a crafted HTTP request to the "do_del()" method of the component "database.admincp.php".
- risk 0.52cvss —epss 0.00
### Impact Lack of input validation of the Zendesk subdomain could expose users of the library to Server Side Request Forgery (SSRF). ### Resolution Validate the provided Zendesk subdomain to be a valid subdomain in: * getAuthUrl * getAccessToken
- risk 0.64cvss 9.8epss 0.01
An issue was dicovered in vtiger crm 7.2. Union sql injection in the calendar exportdata feature.
- risk 0.64cvss 9.8epss 0.01
SQL Injection in com/inxedu/OS/edu/controller/letter/AdminMsgSystemController in Inxedu v2.0.6 via the ids parameter to admin/letter/delsystem.
- risk 0.64cvss 9.8epss 0.01
An issue was discovered in uniview ISC2500-S. This is an upload vulnerability where an attacker can upload malicious code via /Interface/DevManage/EC.php?cmd=upload
- risk 0.64cvss 9.8epss 0.03
The api/ZRIGMP/set_MLD_PROXY interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the MLD_PROXY_WAN_CONNECT parameter.
- risk 0.64cvss 9.8epss 0.03
The api/ZRIptv/setIptvInfo interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the iptv_vlan parameter.
- risk 0.64cvss 9.8epss 0.03
The api/ZRIGMP/set_IGMP_PROXY interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the IGMP_PROXY_WAN_CONNECT parameter.
- risk 0.64cvss 9.8epss 0.03
The api/zrDm/set_ZRElink interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the bssaddr, abiaddr, devtoken, devid, elinksync, or elink_proc_enable parameter.
- risk 0.64cvss 9.8epss 0.03
The api/ZRFirmware/set_time_zone interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the zonename parameter.
- risk 0.64cvss 9.8epss 0.03
The api/ZRAndlink/set_ZRAndlink interface in China Mobile An Lianbao WF-1 router 1.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the iandlink_proc_enable parameter.
- risk 0.64cvss 9.8epss 0.03
Command injection vulnerability in China Mobile An Lianbao WF-1 1.01 via the 'ip' parameter with a POST request to /api/ZRQos/set_online_client.
- risk 0.68cvss 9.8epss 0.54
In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.
- risk 0.84cvss 9.8epss 1.00
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.
- risk 0.64cvss 9.8epss 0.02
Inim Electronics Smartliving SmartLAN/G/SI <=6.x uses default hardcoded credentials. An attacker could exploit this to gain Telnet, SSH and FTP access to the system.
- risk 0.64cvss 9.8epss 0.02
A remote server side request forgery (SSRF) remote code execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability.
- risk 0.00cvss 9.8epss 0.02
In mjs_json.c in Cesanta MongooseOS mJS 1.26, a maliciously formed JSON string can trigger an off-by-one heap-based buffer overflow in mjs_json_parse, which can potentially lead to redirection of control flow. NOTE: the original reporter disputes the significance of this finding…
- risk 0.00cvss 9.4epss 0.01
ManageWiki is an extension to the MediaWiki project. The 'wikiconfig' API leaked the value of private configuration variables set through the ManageWiki variable to all users. This has been patched by https://github.com/miraheze/ManageWiki/compare/99f3b2c8af18...befb83c66f5b.patc…
- risk 0.64cvss 9.8epss 0.04
AVE DOMINAplus <=1.10.x suffers from clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file '/xml/authClients.xml' and obtain administrative login information that allows for a…
- risk 0.64cvss 9.8epss 0.03
AVE DOMINAplus <=1.10.x suffers from an authentication bypass vulnerability due to missing control check when directly calling the autologin GET parameter in changeparams.php script. Setting the autologin value to 1 allows an unauthenticated attacker to permanently disable the…
- risk 0.64cvss 9.8epss 0.04
SQL Injection in PHPSHE Mall System v1.7 allows remote attackers to execute arbitrary code by injecting SQL commands into the "user_phone" parameter of a crafted HTTP request to the "admin.php" component.
- risk 0.64cvss 9.8epss 0.02
An arbitrary code execution vulnerability exists in Micro Focus Application Performance Management, affecting versions 9.40, 9.50 and 9.51. The vulnerability could allow remote attackers to execute arbitrary code on affected installations of APM.
- risk 0.64cvss 9.8epss 0.02
The sensitive information of webcam device is not properly protected. Remote attackers can unauthentically grant administrator’s credential and further control the devices.
- risk 0.64cvss 9.8epss 0.02
The manage users profile services of the network camera device allows an authenticated. Remote attackers can modify URL parameters and further amend user’s information and escalate privileges to control the devices.
- risk 0.59cvss 9.0epss 0.03
Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors.
- risk 0.06cvss 9.8epss 0.75
A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go).
- risk 0.57cvss 9.8epss 0.03
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by…
- risk 0.64cvss 9.8epss 0.03
Hidden functionality in multiple Buffalo network devices (BHR-4RV firmware Ver.2.55 and prior, FS-G54 firmware Ver.2.04 and prior, WBR2-B11 firmware Ver.2.32 and prior, WBR2-G54 firmware Ver.2.32 and prior, WBR2-G54-KD firmware Ver.2.32 and prior, WBR-B11 firmware Ver.2.23 and…
- risk 0.57cvss 9.8epss 0.02
Requests is a HTTP library written in PHP. Requests mishandles deserialization in FilteredIterator. The issue has been patched and users of `Requests` 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0.
- risk 0.70cvss 9.8epss 0.81
Apache OFBiz has unsafe deserialization prior to 17.12.07 version
- risk 0.68cvss 9.8epss 0.55
Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack
- risk 0.64cvss 9.8epss 0.03
HomeAutomation 3.3.2 suffers from an authentication bypass vulnerability when spoofing client IP address using the X-Forwarded-For header with the local (loopback) IP address value allowing remote control of the smart home solution.
- risk 0.64cvss 9.8epss 0.03
An input validation flaw in the Symantec Security Analytics web UI 7.2 prior 7.2.7, 8.1, prior to 8.1.3-NSR3, 8.2, prior to 8.2.1-NSR2 or 8.2.2 allows a remote, unauthenticated attacker to execute arbitrary OS commands on the target with elevated privileges.
- risk 0.64cvss 9.8epss 0.01
Delta Industrial Automation COMMGR Versions 1.12 and prior are vulnerable to a stack-based buffer overflow, which may allow an attacker to execute remote code.
- risk 0.64cvss 9.8epss 0.02
Unbound before 1.9.5 allows an out-of-bounds write via a compressed name in rdata_copy. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited
- risk 0.57cvss 9.8epss 0.02
Unbound before 1.9.5 allows an integer overflow in a size calculation in respip/respip.c. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited
- risk 0.57cvss 9.8epss 0.02
Unbound before 1.9.5 allows an integer overflow in a size calculation in dnscrypt/dnscrypt.c. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited
- risk 0.57cvss 9.8epss 0.02
Unbound before 1.9.5 allows an out-of-bounds write in sldns_bget_token_par. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited