| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-21378 | Cri | 0.64 | 9.8 | 0.02 | Dec 21, 2020 | SQL injection vulnerability in SeaCMS 10.1 (2020.02.08) via the id parameter in an edit action to admin_members_group.php. | ||
| CVE-2020-21377 | Cri | 0.64 | 9.8 | 0.01 | Dec 21, 2020 | SQL injection vulnerability in yunyecms V2.0.1 via the selcart parameter. | ||
| CVE-2020-4988 | Cri | 0.64 | 9.8 | 0.01 | Dec 21, 2020 | Loopback 8.0.0 contains a vulnerability that could allow an attacker to manipulate or pollute Javascript values and cause a denial of service or possibly execute code. IBM X-Force ID: 192706. | ||
| CVE-2020-27846 | — | Cri | 0.57 | 9.8 | 0.05 | Dec 21, 2020 | A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. | |
| CVE-2020-35276 | Cri | 0.64 | 9.8 | 0.02 | Dec 21, 2020 | EgavilanMedia ECM Address Book 1.0 is affected by SQL injection. An attacker can bypass the Admin Login panel through SQLi and get Admin access and add or remove any user. | ||
| CVE-2020-35590 | Cri | 0.64 | 9.8 | 0.04 | Dec 21, 2020 | LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP… | ||
| CVE-2020-7203 | Cri | 0.64 | 9.8 | 0.05 | Dec 18, 2020 | A potential security vulnerability has been identified in HPE iLO Amplifier Pack server version 1.70. The vulnerability could be exploited to allow remote code execution. | ||
| CVE-2020-7200 | Cri | 0.73 | 9.8 | 0.82 | Dec 18, 2020 | A potential security vulnerability has been identified in HPE Systems Insight Manager (SIM) version 7.6. The vulnerability could be exploited to allow remote code execution. | ||
| CVE-2020-14224 | Cri | 0.64 | 9.8 | 0.02 | Dec 18, 2020 | A vulnerability in the MIME message handling of the HCL Notes v9 client could potentially be exploited by an unauthenticated attacker resulting in a stack buffer overflow. This could allow a remote attacker to crash the Notes application or inject code into the system which… | ||
| CVE-2020-11974 | — | Cri | 0.64 | 9.8 | 0.08 | Dec 18, 2020 | In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote code execution vulnerability exists when choosing mysql as database. | |
| CVE-2020-20300 | Cri | 0.64 | 9.8 | 0.09 | Dec 18, 2020 | SQL injection vulnerability in the wp_where function in WeiPHP 5.0. | ||
| CVE-2020-20298 | Cri | 0.64 | 9.8 | 0.03 | Dec 18, 2020 | Eval injection vulnerability in the parserCommom method in the ParserTemplate class in zzz_template.php in zzzphp 1.7.2 allows remote attackers to execute arbitrary commands. | ||
| CVE-2020-20277 | Cri | 0.05 | 9.8 | 0.25 | Dec 18, 2020 | There are multiple unauthenticated directory traversal vulnerabilities in different FTP commands in uftpd FTP server versions 2.7 to 2.10 due to improper implementation of a chroot jail in common.c's compose_abspath function that can be abused to read or write to arbitrary files… | ||
| CVE-2020-20276 | Cri | 0.00 | 9.8 | 0.03 | Dec 18, 2020 | An unauthenticated stack-based buffer overflow vulnerability in common.c's handle_PORT in uftpd FTP server versions 2.10 and earlier can be abused to cause a crash and could potentially lead to remote code execution. | ||
| CVE-2020-25494 | Cri | 0.70 | 9.8 | 0.39 | Dec 18, 2020 | Xinuos (formerly SCO) Openserver v5 and v6 allows attackers to execute arbitrary commands via shell metacharacters in outputform or toclevels parameter to cgi-bin/printbook. | ||
| CVE-2020-35551 | Cri | 0.64 | 9.8 | 0.00 | Dec 18, 2020 | An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (Exynos chipsets) software. They allow attackers to conduct RPMB state-change attacks because an unauthorized RPMB write operation can be replayed, a related issue to CVE-2020-13799. The Samsung… | ||
| CVE-2020-35550 | Cri | 0.64 | 9.8 | 0.01 | Dec 18, 2020 | An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), Q(10.0), and R(11.0) software. Attackers can bypass Factory Reset Protection (FRP) via StatusBar. The Samsung ID is SVE-2020-17888 (December 2020). | ||
| CVE-2020-27780 | Cri | 0.64 | 9.8 | 0.02 | Dec 18, 2020 | A flaw was found in Linux-Pam in versions prior to 1.5.1 in the way it handle empty passwords for non-existing users. When the user doesn't exist PAM try to authenticate with root and in the case of an empty password it successfully authenticate. | ||
| CVE-2020-13931 | — | Cri | 0.64 | 9.8 | 0.04 | Dec 18, 2020 | If Apache TomEE 8.0.0-M1 - 8.0.3, 7.1.0 - 7.1.3, 7.0.0-M1 - 7.0.8, 1.0.0 - 1.7.5 is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on TCP port 1099, which does not include authentication. CVE-2020-11969 previously… | |
| CVE-2020-12522 | Cri | 0.65 | 10.0 | 0.03 | Dec 17, 2020 | The reported vulnerability allows an attacker who has network access to the device to execute code with specially crafted packets in WAGO Series PFC 100 (750-81xx/xxx-xxx), Series PFC 200 (750-82xx/xxx-xxx), Series Wago Touch Panel 600 Standard Line (762-4xxx), Series Wago Touch… | ||
| CVE-2020-8466 | Cri | 0.69 | 9.8 | 0.64 | Dec 17, 2020 | A command injection vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2, with the improved password hashing method enabled, could allow an unauthenticated attacker to execute certain commands by providing a manipulated password. | ||
| CVE-2020-8465 | Cri | 0.64 | 9.8 | 0.03 | Dec 17, 2020 | A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to manipulate system updates using a combination of CSRF bypass (CVE-2020-8461) and authentication bypass (CVE-2020-8464) to execute code as user root. | ||
| CVE-2020-35545 | Cri | 0.64 | 9.8 | 0.04 | Dec 17, 2020 | Time-based SQL injection exists in Spotweb 1.4.9 via the query string. | ||
| CVE-2020-26276 | Cri | 0.58 | 10.0 | 0.02 | Dec 17, 2020 | Fleet is an open source osquery manager. In Fleet before version 3.5.1, due to issues in Go's standard library XML parsing, a valid SAML response may be mutated by an attacker to modify the trusted document. This can result in allowing unverified logins from a SAML IdP. Users… | ||
| CVE-2020-35489 | Cri | 0.72 | 10.0 | 0.90 | Dec 17, 2020 | The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters. | ||
| CVE-2020-22083 | — | Cri | 0.64 | 9.8 | 0.06 | Dec 17, 2020 | jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution,… | |
| CVE-2020-25011 | Cri | 0.64 | 9.8 | 0.02 | Dec 17, 2020 | A sensitive information disclosure vulnerability in Kyland KPS2204 6 Port Managed Din-Rail Programmable Serial Device Servers Software Version:R0002.P05 allows remote attackers to get username and password by request /cgi-bin/webadminget.cgi script via the browser. | ||
| CVE-2020-25010 | Cri | 0.64 | 9.8 | 0.02 | Dec 17, 2020 | An arbitrary code execution vulnerability in Kyland KPS2204 6 Port Managed Din-Rail Programmable Serial Device Servers Software Version:R0002.P05 allows remote attackers to upload a malicious script file by constructing a POST type request and writing a payload in the request… | ||
| CVE-2020-25094 | Cri | 0.64 | 9.8 | 0.03 | Dec 17, 2020 | LogRhythm Platform Manager 7.4.9 allows Command Injection. To exploit this, an attacker can inject arbitrary program names and arguments into a WebSocket. These are forwarded to any remote server with a LogRhythm Smart Response agent installed. By default, the commands are run… | ||
| CVE-2020-35197 | Cri | 0.64 | 9.8 | 0.02 | Dec 17, 2020 | The official memcached docker images before 1.5.11-alpine (Alpine specific) contain a blank password for a root user. System using the memcached docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank… | ||
| CVE-2020-35196 | Cri | 0.64 | 9.8 | 0.02 | Dec 17, 2020 | The official rabbitmq docker images before 3.7.13-beta.1-management-alpine (Alpine specific) contain a blank password for a root user. System using the rabbitmq docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access… | ||
| CVE-2020-35195 | Cri | 0.64 | 9.8 | 0.02 | Dec 17, 2020 | The official haproxy docker images before 1.8.18-alpine (Alpine specific) contain a blank password for a root user. System using the haproxy docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank… | ||
| CVE-2020-35192 | Cri | 0.64 | 9.8 | 0.03 | Dec 17, 2020 | The official vault docker images before 0.11.6 contain a blank password for a root user. System using the vault docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | ||
| CVE-2020-35191 | Cri | 0.64 | 9.8 | 0.05 | Dec 17, 2020 | The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user. System using the drupal docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank… | ||
| CVE-2020-35190 | Cri | 0.64 | 9.8 | 0.02 | Dec 17, 2020 | The official plone Docker images before version of 4.3.18-alpine (Alpine specific) contain a blank password for a root user. System using the plone docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank… | ||
| CVE-2020-35186 | Cri | 0.64 | 9.8 | 0.03 | Dec 17, 2020 | The official adminer docker images before 4.7.0-fastcgi contain a blank password for a root user. System using the adminer docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | ||
| CVE-2020-35184 | Cri | 0.64 | 9.8 | 0.03 | Dec 17, 2020 | The official composer docker images before 1.8.3 contain a blank password for a root user. System using the composer docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | ||
| CVE-2020-35189 | Cri | 0.64 | 9.8 | 0.02 | Dec 17, 2020 | The official kong docker images before 1.0.2-alpine (Alpine specific) contain a blank password for a root user. System using the kong docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | ||
| CVE-2020-35187 | Cri | 0.64 | 9.8 | 0.02 | Dec 17, 2020 | The official telegraf docker images before 1.9.4-alpine (Alpine specific) contain a blank password for a root user. System using the telegraf docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank… | ||
| CVE-2020-35185 | Cri | 0.64 | 9.8 | 0.03 | Dec 17, 2020 | The official ghost docker images before 2.16.1-alpine (Alpine specific) contain a blank password for a root user. System using the ghost docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | ||
| CVE-2020-28929 | Cri | 0.64 | 9.8 | 0.01 | Dec 16, 2020 | Unrestricted access to the log downloader functionality in EPSON EPS TSE Server 8 (21.0.11) allows an unauthenticated attacker to remotely retrieve administrative hashed credentials via the maintenance/troubleshoot.php?download=1 URI. | ||
| CVE-2020-7781 | — | Cri | 0.00 | 9.8 | 0.02 | Dec 16, 2020 | This affects the package connection-tester before 0.2.1. The injection point is located in line 15 in index.js. The following PoC demonstrates the vulnerability: | |
| CVE-2019-14482 | Cri | 0.64 | 9.8 | 0.02 | Dec 16, 2020 | AdRem NetCrunch 10.6.0.4587 has a hardcoded SSL private key vulnerability in the NetCrunch web client. The same hardcoded SSL private key is used across different customers' installations when no other SSL certificate is installed, which allows remote attackers to defeat… | ||
| CVE-2019-14480 | Cri | 0.64 | 9.8 | 0.01 | Dec 16, 2020 | AdRem NetCrunch 10.6.0.4587 has an Improper Session Handling vulnerability in the NetCrunch web client, which can lead to an authentication bypass or escalation of privileges. | ||
| CVE-2020-35476 | — | Cri | 0.74 | 9.8 | 0.85 | Dec 16, 2020 | A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java… | |
| CVE-2020-35469 | Cri | 0.64 | 9.8 | 0.02 | Dec 16, 2020 | The Software AG Terracotta Server OSS Docker image 5.4.1 contains a blank password for the root user. Systems deployed using affected versions of the Terracotta Server OSS container may allow a remote attacker to achieve root access with a blank password. | ||
| CVE-2020-35468 | Cri | 0.64 | 9.8 | 0.02 | Dec 16, 2020 | The Appbase streams Docker image 2.1.2 contains a blank password for the root user. Systems deployed using affected versions of the streams container may allow a remote attacker to achieve root access with a blank password. | ||
| CVE-2020-35193 | Cri | 0.64 | 9.8 | 0.02 | Dec 16, 2020 | The official sonarqube docker images before alpine (Alpine specific) contain a blank password for a root user. System using the sonarqube docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | ||
| CVE-2020-35467 | Cri | 0.64 | 9.8 | 0.02 | Dec 15, 2020 | The Docker Docs Docker image through 2020-12-14 contains a blank password for the root user. Systems deployed using affected versions of the Docker Docs container may allow a remote attacker to achieve root access with a blank password. | ||
| CVE-2020-35466 | Cri | 0.64 | 9.8 | 0.02 | Dec 15, 2020 | The Blackfire Docker image through 2020-12-14 contains a blank password for the root user. Systems deployed using affected versions of the Blackfire container may allow a remote attacker to achieve root access with a blank password. |
- risk 0.64cvss 9.8epss 0.02
SQL injection vulnerability in SeaCMS 10.1 (2020.02.08) via the id parameter in an edit action to admin_members_group.php.
- risk 0.64cvss 9.8epss 0.01
SQL injection vulnerability in yunyecms V2.0.1 via the selcart parameter.
- risk 0.64cvss 9.8epss 0.01
Loopback 8.0.0 contains a vulnerability that could allow an attacker to manipulate or pollute Javascript values and cause a denial of service or possibly execute code. IBM X-Force ID: 192706.
- risk 0.57cvss 9.8epss 0.05
A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
- risk 0.64cvss 9.8epss 0.02
EgavilanMedia ECM Address Book 1.0 is affected by SQL injection. An attacker can bypass the Admin Login panel through SQLi and get Admin access and add or remove any user.
- risk 0.64cvss 9.8epss 0.04
LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP…
- risk 0.64cvss 9.8epss 0.05
A potential security vulnerability has been identified in HPE iLO Amplifier Pack server version 1.70. The vulnerability could be exploited to allow remote code execution.
- risk 0.73cvss 9.8epss 0.82
A potential security vulnerability has been identified in HPE Systems Insight Manager (SIM) version 7.6. The vulnerability could be exploited to allow remote code execution.
- risk 0.64cvss 9.8epss 0.02
A vulnerability in the MIME message handling of the HCL Notes v9 client could potentially be exploited by an unauthenticated attacker resulting in a stack buffer overflow. This could allow a remote attacker to crash the Notes application or inject code into the system which…
- risk 0.64cvss 9.8epss 0.08
In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote code execution vulnerability exists when choosing mysql as database.
- risk 0.64cvss 9.8epss 0.09
SQL injection vulnerability in the wp_where function in WeiPHP 5.0.
- risk 0.64cvss 9.8epss 0.03
Eval injection vulnerability in the parserCommom method in the ParserTemplate class in zzz_template.php in zzzphp 1.7.2 allows remote attackers to execute arbitrary commands.
- risk 0.05cvss 9.8epss 0.25
There are multiple unauthenticated directory traversal vulnerabilities in different FTP commands in uftpd FTP server versions 2.7 to 2.10 due to improper implementation of a chroot jail in common.c's compose_abspath function that can be abused to read or write to arbitrary files…
- risk 0.00cvss 9.8epss 0.03
An unauthenticated stack-based buffer overflow vulnerability in common.c's handle_PORT in uftpd FTP server versions 2.10 and earlier can be abused to cause a crash and could potentially lead to remote code execution.
- risk 0.70cvss 9.8epss 0.39
Xinuos (formerly SCO) Openserver v5 and v6 allows attackers to execute arbitrary commands via shell metacharacters in outputform or toclevels parameter to cgi-bin/printbook.
- risk 0.64cvss 9.8epss 0.00
An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (Exynos chipsets) software. They allow attackers to conduct RPMB state-change attacks because an unauthorized RPMB write operation can be replayed, a related issue to CVE-2020-13799. The Samsung…
- risk 0.64cvss 9.8epss 0.01
An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), Q(10.0), and R(11.0) software. Attackers can bypass Factory Reset Protection (FRP) via StatusBar. The Samsung ID is SVE-2020-17888 (December 2020).
- risk 0.64cvss 9.8epss 0.02
A flaw was found in Linux-Pam in versions prior to 1.5.1 in the way it handle empty passwords for non-existing users. When the user doesn't exist PAM try to authenticate with root and in the case of an empty password it successfully authenticate.
- risk 0.64cvss 9.8epss 0.04
If Apache TomEE 8.0.0-M1 - 8.0.3, 7.1.0 - 7.1.3, 7.0.0-M1 - 7.0.8, 1.0.0 - 1.7.5 is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on TCP port 1099, which does not include authentication. CVE-2020-11969 previously…
- risk 0.65cvss 10.0epss 0.03
The reported vulnerability allows an attacker who has network access to the device to execute code with specially crafted packets in WAGO Series PFC 100 (750-81xx/xxx-xxx), Series PFC 200 (750-82xx/xxx-xxx), Series Wago Touch Panel 600 Standard Line (762-4xxx), Series Wago Touch…
- risk 0.69cvss 9.8epss 0.64
A command injection vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2, with the improved password hashing method enabled, could allow an unauthenticated attacker to execute certain commands by providing a manipulated password.
- risk 0.64cvss 9.8epss 0.03
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to manipulate system updates using a combination of CSRF bypass (CVE-2020-8461) and authentication bypass (CVE-2020-8464) to execute code as user root.
- risk 0.64cvss 9.8epss 0.04
Time-based SQL injection exists in Spotweb 1.4.9 via the query string.
- risk 0.58cvss 10.0epss 0.02
Fleet is an open source osquery manager. In Fleet before version 3.5.1, due to issues in Go's standard library XML parsing, a valid SAML response may be mutated by an attacker to modify the trusted document. This can result in allowing unverified logins from a SAML IdP. Users…
- risk 0.72cvss 10.0epss 0.90
The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
- risk 0.64cvss 9.8epss 0.06
jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution,…
- risk 0.64cvss 9.8epss 0.02
A sensitive information disclosure vulnerability in Kyland KPS2204 6 Port Managed Din-Rail Programmable Serial Device Servers Software Version:R0002.P05 allows remote attackers to get username and password by request /cgi-bin/webadminget.cgi script via the browser.
- risk 0.64cvss 9.8epss 0.02
An arbitrary code execution vulnerability in Kyland KPS2204 6 Port Managed Din-Rail Programmable Serial Device Servers Software Version:R0002.P05 allows remote attackers to upload a malicious script file by constructing a POST type request and writing a payload in the request…
- risk 0.64cvss 9.8epss 0.03
LogRhythm Platform Manager 7.4.9 allows Command Injection. To exploit this, an attacker can inject arbitrary program names and arguments into a WebSocket. These are forwarded to any remote server with a LogRhythm Smart Response agent installed. By default, the commands are run…
- risk 0.64cvss 9.8epss 0.02
The official memcached docker images before 1.5.11-alpine (Alpine specific) contain a blank password for a root user. System using the memcached docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank…
- risk 0.64cvss 9.8epss 0.02
The official rabbitmq docker images before 3.7.13-beta.1-management-alpine (Alpine specific) contain a blank password for a root user. System using the rabbitmq docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access…
- risk 0.64cvss 9.8epss 0.02
The official haproxy docker images before 1.8.18-alpine (Alpine specific) contain a blank password for a root user. System using the haproxy docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank…
- risk 0.64cvss 9.8epss 0.03
The official vault docker images before 0.11.6 contain a blank password for a root user. System using the vault docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
- risk 0.64cvss 9.8epss 0.05
The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user. System using the drupal docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank…
- risk 0.64cvss 9.8epss 0.02
The official plone Docker images before version of 4.3.18-alpine (Alpine specific) contain a blank password for a root user. System using the plone docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank…
- risk 0.64cvss 9.8epss 0.03
The official adminer docker images before 4.7.0-fastcgi contain a blank password for a root user. System using the adminer docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
- risk 0.64cvss 9.8epss 0.03
The official composer docker images before 1.8.3 contain a blank password for a root user. System using the composer docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
- risk 0.64cvss 9.8epss 0.02
The official kong docker images before 1.0.2-alpine (Alpine specific) contain a blank password for a root user. System using the kong docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
- risk 0.64cvss 9.8epss 0.02
The official telegraf docker images before 1.9.4-alpine (Alpine specific) contain a blank password for a root user. System using the telegraf docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank…
- risk 0.64cvss 9.8epss 0.03
The official ghost docker images before 2.16.1-alpine (Alpine specific) contain a blank password for a root user. System using the ghost docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
- risk 0.64cvss 9.8epss 0.01
Unrestricted access to the log downloader functionality in EPSON EPS TSE Server 8 (21.0.11) allows an unauthenticated attacker to remotely retrieve administrative hashed credentials via the maintenance/troubleshoot.php?download=1 URI.
- risk 0.00cvss 9.8epss 0.02
This affects the package connection-tester before 0.2.1. The injection point is located in line 15 in index.js. The following PoC demonstrates the vulnerability:
- risk 0.64cvss 9.8epss 0.02
AdRem NetCrunch 10.6.0.4587 has a hardcoded SSL private key vulnerability in the NetCrunch web client. The same hardcoded SSL private key is used across different customers' installations when no other SSL certificate is installed, which allows remote attackers to defeat…
- risk 0.64cvss 9.8epss 0.01
AdRem NetCrunch 10.6.0.4587 has an Improper Session Handling vulnerability in the NetCrunch web client, which can lead to an authentication bypass or escalation of privileges.
- risk 0.74cvss 9.8epss 0.85
A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java…
- risk 0.64cvss 9.8epss 0.02
The Software AG Terracotta Server OSS Docker image 5.4.1 contains a blank password for the root user. Systems deployed using affected versions of the Terracotta Server OSS container may allow a remote attacker to achieve root access with a blank password.
- risk 0.64cvss 9.8epss 0.02
The Appbase streams Docker image 2.1.2 contains a blank password for the root user. Systems deployed using affected versions of the streams container may allow a remote attacker to achieve root access with a blank password.
- risk 0.64cvss 9.8epss 0.02
The official sonarqube docker images before alpine (Alpine specific) contain a blank password for a root user. System using the sonarqube docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
- risk 0.64cvss 9.8epss 0.02
The Docker Docs Docker image through 2020-12-14 contains a blank password for the root user. Systems deployed using affected versions of the Docker Docs container may allow a remote attacker to achieve root access with a blank password.
- risk 0.64cvss 9.8epss 0.02
The Blackfire Docker image through 2020-12-14 contains a blank password for the root user. Systems deployed using affected versions of the Blackfire container may allow a remote attacker to achieve root access with a blank password.