VYPR

CVEs

31,781 total · page 432 of 636

  • CVE-2020-25105CriSep 3, 2020
    risk 0.64cvss 9.8epss 0.01

    eramba c2.8.1 and Enterprise before e2.19.3 has a weak password recovery token (createHash has only a million possibilities).

  • CVE-2020-4693CriSep 2, 2020
    risk 0.64cvss 9.8epss 0.03

    IBM Spectrum Protect Operations Center 7.1.0.000 through 7.1.10 and 8.1.0.000 through 8.1.9 may allow an attacker to execute arbitrary code on the system, caused by improper validation of data prior to export. IBM X-Force ID: 186782.

  • CVE-2020-24030CriSep 2, 2020
    risk 0.64cvss 9.8epss 0.03

    ForLogic Qualiex v1 and v3 has weak token expiration. This allows remote unauthenticated privilege escalation and access to sensitive data via token reuse. NOTE: as of 2025-10-14, the Supplier's perspective is that this is "not exploitable in the current implementation. Tokens…

  • CVE-2020-24029CriSep 2, 2020
    risk 0.64cvss 9.8epss 0.02

    Because of unauthenticated password changes in ForLogic Qualiex v1 and v3, customer and admin permissions and data can be accessed via a simple request. NOTE: as of 2025-10-14, the Supplier's perspective is that this is "corrected in all maintained versions. Password reset…

  • CVE-2020-13802CriSep 2, 2020
    risk 0.64cvss 9.8epss 0.07

    Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency specification.

  • CVE-2020-24355CriSep 2, 2020
    risk 0.64cvss 9.8epss 0.02

    Zyxel VMG5313-B30B router on firmware 5.13(ABCJ.6)b3_1127, and possibly older versions of firmware are affected by insecure permissions which allows regular and other users to create new users with elevated privileges. This is done by changing "FirstIndex" field in JSON that is…

  • CVE-2020-6874CriSep 1, 2020
    risk 0.59cvss 9.1epss 0.00

    A ZTE product is impacted by the cryptographic issues vulnerability. The encryption algorithm is not properly used, so remote attackers could use this vulnerability for account credential enumeration attack or brute-force attack for password guessing. This affects: ZXIPTV,…

  • CVE-2020-6151CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.02

    A memory corruption vulnerability exists in the TIFF handle_COMPRESSION_PACKBITS functionality of Accusoft ImageGear 19.7. A specially crafted malformed file can cause a memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

  • CVE-2020-6144CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.06

    A remote code execution vulnerability exists in the install functionality of OS4Ed openSIS 7.4. The username variable which is set at line 121 in install/Step5.php allows for injection of PHP code into the Data.php file that it writes. An attacker can send an HTTP request to…

  • CVE-2020-6143CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.06

    A remote code execution vulnerability exists in the install functionality of OS4Ed openSIS 7.4. The password variable which is set at line 122 in install/Step5.php allows for injection of PHP code into the Data.php file that it writes. An attacker can send an HTTP request to…

  • CVE-2020-6142CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.09

    A remote code execution vulnerability exists in the Modules.php functionality of OS4Ed openSIS 7.3. A specially crafted HTTP request can cause local file inclusion. An attacker can send an HTTP request to trigger this vulnerability.

  • CVE-2020-6140CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.03

    SQL injection vulnerability exists in the password reset functionality of OS4Ed openSIS 7.3. The password_stf_email parameter in the password reset page /opensis/ResetUserInfo.php is vulnerable to SQL injection. An attacker can send an HTTP request to trigger this vulnerability.

  • CVE-2020-6139CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.03

    SQL injection vulnerability exists in the password reset functionality of OS4Ed openSIS 7.3. The username_stf_email parameter in the password reset page /opensis/ResetUserInfo.php is vulnerable to SQL injection. An attacker can send an HTTP request to trigger this vulnerability.

  • CVE-2020-6138CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.03

    SQL injection vulnerability exists in the password reset functionality of OS4Ed openSIS 7.3. The uname parameter in the password reset page /opensis/ResetUserInfo.php is vulnerable to SQL injection An attacker can send an HTTP request to trigger this vulnerability.

  • CVE-2020-6137CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.03

    SQL injection vulnerability exists in the password reset functionality of OS4Ed openSIS 7.3. The password_stf_email parameter in the password reset page /opensis/ResetUserInfo.php is vulnerable to SQL injection. An attacker can send an HTTP request to trigger this vulnerability.

  • CVE-2020-5777CriSep 1, 2020
    risk 0.59cvss 9.8epss 0.24

    MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure. A remote attacker can trigger this connection failure if the Mysql setting max_connections (default 151) is…

  • CVE-2020-25069CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.02

    USVN (aka User-friendly SVN) before 1.0.10 allows attackers to execute arbitrary code in the commit view.

  • CVE-2020-16210CriSep 1, 2020
    risk 0.59cvss 9.0epss 0.03

    The affected product is vulnerable to reflected cross-site scripting, which may allow an attacker to remotely execute arbitrary code and perform actions in the context of an attacked user on the N-Tron 702-W / 702M12-W (all versions).

  • CVE-2020-16206CriSep 1, 2020
    risk 0.59cvss 9.0epss 0.03

    The affected product is vulnerable to stored cross-site scripting, which may allow an attacker to remotely execute arbitrary code to gain access to sensitive data on the N-Tron 702-W / 702M12-W (all versions).

  • CVE-2020-16204CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.05

    The affected product is vulnerable due to an undocumented interface found on the device, which may allow an attacker to execute commands as root on the device on the N-Tron 702-W / 702M12-W (all versions).

  • CVE-2020-6141CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.04

    An exploitable SQL injection vulnerability exists in the login functionality of OS4Ed openSIS 7.3. A specially crafted HTTP request can lead to SQL injection. An attacker can send an HTTP request to trigger this vulnerability.

  • CVE-2020-15150CriSep 1, 2020
    risk 0.52cvss 9.0epss 0.03

    There is a vulnerability in Paginator (Elixir/Hex package) which makes it susceptible to Remote Code Execution (RCE) attacks via input parameters to the paginate() function. This will potentially affect all current users of Paginator prior to version 1.0.0. The vulnerability has…

  • CVE-2017-16034criSep 1, 2020
    risk 0.59cvss epss 0.00

    Affected versions of `pidusage` pass unsanitized input to `child_process.exec()`, resulting in arbitrary code execution in the `ps` method. This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX. Windows and Linux are not vulnerable. ## Proof of Concept…

  • CVE-2016-1000226criSep 1, 2020
    risk 0.52cvss epss 0.01

    Affected versions of `swagger-ui` are vulnerable to cross-site scripting in both the `consumes` and `produces` parameters of the swagger JSON document for a given API. Additionally, `swagger-ui` allows users to load arbitrary swagger JSON documents via the query string…

  • CVE-2016-1000225criSep 1, 2020
    risk 0.52cvss epss 0.07

    Affected versions of `sequelize` are vulnerable to SQL Injection in Models that have fields with the `GEOMETRY` DataType. This vulnerability occurs because single quotes in document values are not escaped for GeoJSON documents using `ST_GeomFromGeoJSON`, and MySQL GeoJSON…

  • CVE-2015-7982criSep 1, 2020
    risk 0.52cvss epss 0.01

    Versions of `gm` prior to 1.21.1 are affected by a command injection vulnerability. The vulnerability is triggered when user input is passed into `gm.compare()`, which fails to sanitize input correctly before calling the graphics magic binary. ## Recommendation Update to…

  • CVE-2020-7727CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.02

    All versions of package gedi are vulnerable to Prototype Pollution via the set function.

  • CVE-2020-7726CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.02

    All versions of package safe-object2 are vulnerable to Prototype Pollution via the setter function.

  • CVE-2020-7725CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.02

    All versions of package worksmith are vulnerable to Prototype Pollution via the setValue function.

  • CVE-2020-7724CriSep 1, 2020
    risk 0.57cvss 9.8epss 0.02

    All versions of package tiny-conf are vulnerable to Prototype Pollution via the set function.

  • CVE-2020-7723CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.02

    All versions of package promisehelpers are vulnerable to Prototype Pollution via the insert function.

  • CVE-2020-7722CriSep 1, 2020
    risk 0.57cvss 9.8epss 0.02

    All versions of package nodee-utils are vulnerable to Prototype Pollution via the deepSet function.

  • CVE-2020-7721CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.02

    All versions of package node-oojs are vulnerable to Prototype Pollution via the setPath function.

  • CVE-2020-7720CriSep 1, 2020
    risk 0.57cvss 9.8epss 0.03

    The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

  • CVE-2020-7719CriSep 1, 2020
    risk 0.57cvss 9.8epss 0.03

    Versions of package locutus before 2.0.12 are vulnerable to prototype Pollution via the php.strings.parse_str function.

  • CVE-2020-7718CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.02

    All versions of package gammautils are vulnerable to Prototype Pollution via the deepSet and deepMerge functions.

  • CVE-2020-7717CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.02

    All versions of package dot-notes are vulnerable to Prototype Pollution via the create function.

  • CVE-2020-7716CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.02

    All versions of package deeps are vulnerable to Prototype Pollution via the set function.

  • CVE-2020-7715CriSep 1, 2020
    risk 0.57cvss 9.8epss 0.02

    All versions of package deep-get-set are vulnerable to Prototype Pollution via the main function.

  • CVE-2020-7714CriSep 1, 2020
    risk 0.64cvss 9.8epss 0.02

    All versions of package confucious are vulnerable to Prototype Pollution via the set function.

  • CVE-2020-7713CriSep 1, 2020
    risk 0.57cvss 9.8epss 0.02

    All versions of package arr-flatten-unflatten are vulnerable to Prototype Pollution via the constructor.

  • CVE-2020-25067CriSep 1, 2020
    risk 0.63cvss 9.6epss 0.02

    NETGEAR R8300 devices before 1.0.2.134 are affected by command injection by an unauthenticated attacker.

  • CVE-2015-4130criAug 31, 2020
    risk 0.59cvss epss 0.01

    Versions of `ungit` prior to 0.9.0 are affected by a command injection vulnerability in the `url` parameter. ## Recommendation Update version 0.9.0 or later.

  • CVE-2020-25062CriAug 31, 2020
    risk 0.64cvss 9.8epss 0.00

    An issue was discovered on LG mobile devices with Android OS 9 and 10 software. LGTelephonyProvider allows a bypass of intended privilege restrictions. The LG ID is LVE-SMP-200017 (July 2020).

  • CVE-2020-25061CriAug 31, 2020
    risk 0.64cvss 9.8epss 0.00

    An issue was discovered on LG mobile devices with Android OS 9 and 10 software on the VZW network. lge_property allows property overwrites. The LG ID is LVE-SMP-200016 (July 2020).

  • CVE-2020-25058CriAug 31, 2020
    risk 0.64cvss 9.8epss 0.00

    An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, 9, and 10 software. The network_management service does not properly restrict configuration changes. The LG ID is LVE-SMP-200012 (July 2020).

  • CVE-2020-25057CriAug 31, 2020
    risk 0.64cvss 9.8epss 0.00

    An issue was discovered on LG mobile devices with Android OS 10 software. MDMService does not properly restrict APK installations. The LG ID is LVE-SMP-200011 (July 2020).

  • CVE-2020-25055CriAug 31, 2020
    risk 0.64cvss 9.8epss 0.00

    An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. The persona service allows attackers (who control an unprivileged SecureFolder process) to bypass admin restrictions in KnoxContainer. The Samsung ID is SVE-2020-18133 (August 2020).

  • CVE-2020-25054CriAug 31, 2020
    risk 0.59cvss 9.1epss 0.01

    An issue was discovered on Samsung mobile devices with software through 2020-04-02 (Exynos modem chipsets). There is a heap-based buffer over-read in the Shannon baseband. The Samsung ID is SVE-2020-17239 (August 2020).

  • CVE-2020-25053CriAug 31, 2020
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered on Samsung mobile devices with Q(10.0) (exynos9830 chipsets) software. RKP allows arbitrary code execution. The Samsung ID is SVE-2020-17435 (August 2020).