VYPR

CVEs

31,277 total · page 442 of 626

  • CVE-2020-7629CriApr 2, 2020
    risk 0.64cvss 9.8epss 0.04

    install-package through 0.4.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument.

  • CVE-2020-7628CriApr 2, 2020
    risk 0.64cvss 9.8epss 0.02

    umount through 1.1.6 is vulnerable to Command Injection. The argument device can be controlled by users without any sanitization.

  • CVE-2020-7627CriApr 2, 2020
    risk 0.64cvss 9.8epss 0.04

    node-key-sender through 1.0.11 is vulnerable to Command Injection. It allows execution of arbitrary commands via the 'arrParams' argument in the 'execute()' function.

  • CVE-2020-7626CriApr 2, 2020
    risk 0.64cvss 9.8epss 0.04

    karma-mojo through 1.0.1 is vulnerable to Command Injection. It allows execution of arbitrary commands via the config argument.

  • CVE-2020-7625CriApr 2, 2020
    risk 0.00cvss 9.8epss 0.04

    op-browser through 1.0.6 is vulnerable to Command Injection. It allows execution of arbitrary commands via the url function.

  • CVE-2020-7624CriApr 2, 2020
    risk 0.64cvss 9.8epss 0.04

    effect through 1.0.4 is vulnerable to Command Injection. It allows execution of arbitrary command via the options argument.

  • CVE-2020-10515CriApr 2, 2020
    risk 0.64cvss 9.8epss 0.03

    STARFACE UCC Client before 6.7.1.204 on WIndows allows binary planting to execute code with System rights, aka usd-2020-0006.

  • CVE-2020-7623CriApr 2, 2020
    risk 0.64cvss 9.8epss 0.04

    jscover through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary command via the source argument.

  • CVE-2020-7621CriApr 2, 2020
    risk 0.64cvss 9.8epss 0.03

    strong-nginx-controller through 1.0.2 is vulnerable to Command Injection. It allows execution of arbitrary command as part of the '_nginxCmd()' function.

  • CVE-2020-7620CriApr 2, 2020
    risk 0.64cvss 9.8epss 0.02

    pomelo-monitor through 0.3.7 is vulnerable to Command Injection.It allows injection of arbitrary commands as part of 'pomelo-monitor' params.

  • CVE-2020-7619CriApr 2, 2020
    risk 0.64cvss 9.8epss 0.02

    get-git-data through 1.3.1 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the arguments provided to get-git-data.

  • CVE-2020-6852CriApr 2, 2020
    risk 0.64cvss 9.8epss 0.02

    CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 has weak authentication of TELNET access, leading to root privileges without any password required.

  • CVE-2020-6009CriApr 1, 2020
    risk 0.64cvss 9.8epss 0.02

    LearnDash Wordpress plugin version below 3.1.6 is vulnerable to Unauthenticated SQL Injection.

  • CVE-2019-17564CriApr 1, 2020
    risk 0.60cvss 9.8epss 0.36

    Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo…

  • CVE-2020-10948CriApr 1, 2020
    risk 0.64cvss 9.8epss 0.07

    Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) 2.0.2 is vulnerable to Remote Command Execution via eval injection, a different issue than CVE-2002-0934. An unauthenticated, remote attacker can exploit this via a series of crafted requests.

  • CVE-2019-9163CriApr 1, 2020
    risk 0.64cvss 9.8epss 0.02

    The connection initiation process in March Networks Command Client before 2.7.2 allows remote attackers to execute arbitrary code via crafted XAML objects.

  • CVE-2020-3850CriApr 1, 2020
    risk 0.64cvss 9.8epss 0.03

    A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.3. A remote attacker may be able to cause unexpected application termination or arbitrary code execution.

  • CVE-2020-3849CriApr 1, 2020
    risk 0.64cvss 9.8epss 0.02

    A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.3. A remote attacker may be able to cause unexpected application termination or arbitrary code execution.

  • CVE-2020-3848CriApr 1, 2020
    risk 0.64cvss 9.8epss 0.02

    A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.3. A remote attacker may be able to cause unexpected application termination or arbitrary code execution.

  • CVE-2020-3847CriApr 1, 2020
    risk 0.64cvss 9.8epss 0.02

    An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.3. A remote attacker may be able to leak memory.

  • CVE-2020-9769CriApr 1, 2020
    risk 0.64cvss 9.8epss 0.01

    Multiple issues were addressed by updating to version 8.1.1850. This issue is fixed in macOS Catalina 10.15.4. Multiple issues in Vim.

  • CVE-2020-3911CriApr 1, 2020
    risk 0.64cvss 9.8epss 0.02

    A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Multiple issues in libxml2.

  • CVE-2020-3910CriApr 1, 2020
    risk 0.64cvss 9.8epss 0.02

    A buffer overflow was addressed with improved size validation. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Multiple issues in libxml2.

  • CVE-2020-3909CriApr 1, 2020
    risk 0.64cvss 9.8epss 0.03

    A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Multiple issues in libxml2.

  • CVE-2020-10867CriApr 1, 2020
    risk 0.64cvss 9.8epss 0.02

    An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to bypass intended access restrictions on tasks from an untrusted process, when Self Defense is enabled.

  • CVE-2018-11106CriApr 1, 2020
    risk 0.64cvss 9.8epss 0.03

    NETGEAR has released fixes for a pre-authentication command injection in request_handler.php security vulnerability on the following product models: WC7500, running firmware versions prior to 6.5.3.5; WC7520, running firmware versions prior to 2.5.0.46; WC7600v1, running…

  • CVE-2020-11455CriApr 1, 2020
    risk 0.11cvss 9.8epss 0.97

    LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php.

  • CVE-2020-7947CriApr 1, 2020
    risk 0.64cvss 9.8epss 0.03

    An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the data isn't sanitized, and no input validation is performed, before the exporting…

  • CVE-2019-14880CriMar 31, 2020
    risk 0.59cvss 9.1epss 0.01

    A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier. OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.

  • CVE-2020-6008CriMar 31, 2020
    risk 0.64cvss 9.8epss 0.04

    LifterLMS Wordpress plugin version below 3.37.15 is vulnerable to arbitrary file write leading to remote code execution

  • CVE-2020-4208CriMar 31, 2020
    risk 0.64cvss 9.8epss 0.02

    IBM Spectrum Protect Plus 10.1.0 through 10.1.5 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174975.

  • CVE-2020-10595CriMar 31, 2020
    risk 0.00cvss 9.8epss 0.05

    pam-krb5 before 4.9 has a buffer overflow that might cause remote code execution in situations involving supplemental prompting by a Kerberos library. It may overflow a buffer provided by the underlying Kerberos library by a single '\0' byte if an attacker responds to a prompt…

  • CVE-2020-7611CriMar 30, 2020
    risk 0.57cvss 9.8epss 0.02

    All versions of io.micronaut:micronaut-http-client before 1.2.11 and all versions from 1.3.0 before 1.3.2 are vulnerable to HTTP Request Header Injection due to not validating request headers passed to the client.

  • CVE-2020-11105CriMar 30, 2020
    risk 0.64cvss 9.8epss 0.02

    An issue was discovered in USC iLab cereal through 1.3.0. It employs caching of std::shared_ptr values, using the raw pointer address as a unique identifier. This becomes problematic if an std::shared_ptr variable goes out of scope and is freed, and a new std::shared_ptr is…

  • CVE-2020-10374CriMar 30, 2020
    risk 0.64cvss 9.8epss 0.05

    A webserver component in Paessler PRTG Network Monitor 19.2.50 to PRTG 20.1.56 allows unauthenticated remote command execution via a crafted POST request or the what parameter of the screenshot function in the Contact Support form.

  • CVE-2019-19606CriMar 30, 2020
    risk 0.64cvss 9.8epss 0.02

    X-Plane before 11.41 has multiple improper path validations that could allow reading and writing files from/to arbitrary paths (or a leak of OS credentials to a remote system) via crafted network packets. This could be used to execute arbitrary commands on the system.

  • CVE-2019-19605CriMar 30, 2020
    risk 0.64cvss 9.8epss 0.02

    X-Plane before 11.41 allows Arbitrary Memory Write via crafted network packets, which could cause a denial of service or arbitrary code execution.

  • CVE-2020-5723CriMar 30, 2020
    risk 0.67cvss 9.8epss 0.06

    The UCM6200 series 1.0.20.22 and below stores unencrypted user passwords in an SQLite database. This could allow an attacker to retrieve all passwords and possibly gain elevated privileges.

  • CVE-2016-11024CriMar 30, 2020
    risk 0.64cvss 9.8epss 0.01

    odata4j 0.7.0 allows ExecuteJPQLQueryCommand.java SQL injection. NOTE: this product is apparently discontinued.

  • CVE-2016-11023CriMar 30, 2020
    risk 0.64cvss 9.8epss 0.01

    odata4j 0.7.0 allows ExecuteCountQueryCommand.java SQL injection. NOTE: this product is apparently discontinued.

  • CVE-2020-7610CriMar 30, 2020
    risk 0.57cvss 9.8epss 0.02

    All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.

  • CVE-2019-17560CriMar 30, 2020
    risk 0.59cvss 9.1epss 0.02

    The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. “Apache NetBeans" versions up to and…

  • CVE-2020-10956CriMar 27, 2020
    risk 0.64cvss 9.8epss 0.01

    GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a project import note feature.

  • CVE-2015-5684CriMar 27, 2020
    risk 0.64cvss 9.8epss 0.04

    MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A buffer overflow vulnerability was reported, (fixed and publicly disclosed in 2015) in the Lenovo Service Engine (LSE), affecting various versions of BIOS for Lenovo Notebooks, that could allow…

  • CVE-2020-3936CriMar 27, 2020
    risk 0.65cvss 10.0epss 0.01

    UltraLog Express device management interface does not properly filter user inputted string in some specific parameters, attackers can inject arbitrary SQL command.

  • CVE-2020-10993CriMar 27, 2020
    risk 0.59cvss 9.1epss 0.01

    Osmand through 2.0.0 allow XXE because of binary/BinaryMapIndexReader.java.

  • CVE-2020-10992CriMar 27, 2020
    risk 0.64cvss 9.8epss 0.01

    Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorManager.java and user/XmlUserManager.java.

  • CVE-2020-10991CriMar 27, 2020
    risk 0.64cvss 9.8epss 0.01

    Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java

  • CVE-2020-10990CriMar 27, 2020
    risk 0.00cvss 9.8epss 0.01

    An XXE issue exists in Accenture Mercury before 1.12.28 because of the platformlambda/core/serializers/SimpleXmlParser.java component.

  • CVE-2020-10828CriMar 26, 2020
    risk 0.65cvss 9.8epss 0.21

    A stack-based buffer overflow in cvmd on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve code execution via a remote HTTP request.