VYPR

CVEs

31,277 total · page 446 of 626

  • CVE-2020-10119CriMar 17, 2020
    risk 0.64cvss 9.8epss 0.02

    cPanel before 84.0.20 allows a demo account to achieve remote code execution via a cpsrvd rsync shell (SEC-544).

  • CVE-2020-10118CriMar 17, 2020
    risk 0.59cvss 9.1epss 0.01

    cPanel before 84.0.20 allows a demo account to modify files via Branding API calls (SEC-543).

  • CVE-2020-10117CriMar 17, 2020
    risk 0.59cvss 9.1epss 0.01

    cPanel before 84.0.20 mishandles enforcement of demo checks in the Market UAPI namespace (SEC-542).

  • CVE-2019-20498CriMar 17, 2020
    risk 0.64cvss 9.8epss 0.02

    cPanel before 82.0.18 allows WebDAV authentication bypass because the connection-sharing logic is incorrect (SEC-534).

  • CVE-2020-10380CriMar 17, 2020
    risk 0.64cvss 9.8epss 0.01

    RMySQL through 0.10.19 allows SQL Injection.

  • CVE-2020-9347CriMar 16, 2020
    risk 0.64cvss 9.8epss 0.08

    Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be…

  • CVE-2020-8786CriMar 16, 2020
    risk 0.64cvss 9.8epss 0.01

    SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4).

  • CVE-2020-8785CriMar 16, 2020
    risk 0.64cvss 9.8epss 0.01

    SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4).

  • CVE-2020-8784CriMar 16, 2020
    risk 0.64cvss 9.8epss 0.01

    SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4).

  • CVE-2020-8783CriMar 16, 2020
    risk 0.64cvss 9.8epss 0.01

    SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4).

  • CVE-2019-19212CriMar 16, 2020
    risk 0.64cvss 9.8epss 0.04

    Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen).

  • CVE-2020-5847CriKEVMar 16, 2020
    risk 0.86cvss 9.8epss 0.96

    Unraid through 6.8.0 allows Remote Code Execution.

  • CVE-2020-6990CriMar 16, 2020
    risk 0.64cvss 9.8epss 0.04

    Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic key utilized to help protect the account password is hard coded into the…

  • CVE-2020-10243CriMar 16, 2020
    risk 0.64cvss 9.8epss 0.02

    An issue was discovered in Joomla! before 3.9.16. The lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Featured Articles frontend menutype.

  • CVE-2020-10230CriMar 16, 2020
    risk 0.68cvss 9.8epss 0.15

    CentOS-WebPanel.com (aka CWP) CentOS Web Panel (for CentOS 6 and 7) allows SQL Injection via the /cwp_{SESSION_HASH}/admin/loader_ajax.php term parameter.

  • CVE-2019-19208CriMar 16, 2020
    risk 0.68cvss 9.8epss 0.19

    Codiad Web IDE through 2.8.4 allows PHP Code injection.

  • CVE-2019-14887CriMar 16, 2020
    risk 0.59cvss 9.1epss 0.01

    A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking…

  • CVE-2020-5547CriMar 16, 2020
    risk 0.64cvss 9.8epss 0.02

    Resource Management Errors vulnerability in TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows remote attackers to stop the network functions or execute malware via a specially crafted packet.

  • CVE-2020-5545CriMar 16, 2020
    risk 0.64cvss 9.8epss 0.02

    TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows remote attackers to bypass access restriction and to stop the network functions or execute malware via a specially crafted packet.

  • CVE-2020-5544CriMar 16, 2020
    risk 0.64cvss 9.8epss 0.02

    Null Pointer Dereference vulnerability in TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows remote attackers to stop the network functions or execute malware via a specially crafted packet.

  • CVE-2020-5543CriMar 16, 2020
    risk 0.64cvss 9.8epss 0.02

    TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier does not properly manage sessions, which allows remote attackers to stop the network functions or execute malware via a specially crafted packet.

  • CVE-2020-5542CriMar 16, 2020
    risk 0.64cvss 9.8epss 0.02

    Buffer error vulnerability in TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows remote attackers to stop the network functions or execute malware via a specially crafted packet.

  • CVE-2020-7607CriMar 15, 2020
    risk 0.64cvss 9.8epss 0.03

    gulp-styledocco through 0.0.3 allows execution of arbitrary commands. The argument 'options' of the exports function in 'index.js' can be controlled by users without any sanitization.

  • CVE-2020-7606CriMar 15, 2020
    risk 0.64cvss 9.8epss 0.03

    docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users without any sanitization.

  • CVE-2020-7605CriMar 15, 2020
    risk 0.64cvss 9.8epss 0.03

    gulp-tape through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands as part of 'gulp-tape' options.

  • CVE-2020-7604CriMar 15, 2020
    risk 0.64cvss 9.8epss 0.03

    pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to…

  • CVE-2020-7603CriMar 15, 2020
    risk 0.64cvss 9.8epss 0.03

    closure-compiler-stream through 0.1.15 allows execution of arbitrary commands. The argument "options" of the exports function in "index.js" can be controlled by users without any sanitization.

  • CVE-2020-7602CriMar 15, 2020
    risk 0.64cvss 9.8epss 0.03

    node-prompt-here through 1.0.1 allows execution of arbitrary commands. The "runCommand()" is called by "getDevices()" function in file "linux/manager.js", which is required by the "index. process.env.NM_CLI" in the file "linux/manager.js". This function is used to construct the…

  • CVE-2020-7601CriMar 15, 2020
    risk 0.64cvss 9.8epss 0.03

    gulp-scss-lint through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands to the "exec" function located in "src/command.js" via the provided options.

  • CVE-2020-10594CriMar 15, 2020
    risk 0.52cvss 9.1epss 0.01

    An issue was discovered in drf-jwt 1.15.x before 1.15.1. It allows attackers with access to a notionally invalidated token to obtain a new, working token via the refresh endpoint, because the blacklist protection mechanism is incompatible with the token-refresh feature. NOTE:…

  • CVE-2020-0086CriMar 15, 2020
    risk 0.64cvss 9.8epss 0.01

    In readCString of Parcel.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to arbitrary code execution if IntSan were not enabled, which it is by default. No additional execution privileges are required. User interaction is not needed for…

  • CVE-2020-10574CriMar 14, 2020
    risk 0.00cvss 9.8epss 0.01

    An issue was discovered in Janus through 0.9.1. janus.c tries to use a string that doesn't actually exist during a "query_logger" Admin API request, because of a typo in the JSON validation.

  • CVE-2020-10571CriMar 14, 2020
    risk 0.57cvss 9.8epss 0.02

    An issue was discovered in psd-tools before 1.9.4. The Cython implementation of RLE decoding did not check for malicious data.

  • CVE-2020-10567CriMar 14, 2020
    risk 0.65cvss 9.8epss 0.19

    An issue was discovered in Responsive Filemanager through 9.14.0. In the ajax_calls.php file in the save_img action in the name parameter, there is no validation of what kind of extension is sent. This makes it possible to execute PHP code if a legitimate JPEG image contains…

  • CVE-2020-10564CriMar 13, 2020
    risk 0.64cvss 9.8epss 0.09

    An issue was discovered in the File Upload plugin before 4.13.0 for WordPress. A directory traversal can lead to remote code execution by uploading a crafted txt file into the lib directory, because of a wfu_include_lib call.

  • CVE-2020-10563CriMar 13, 2020
    risk 0.00cvss 9.8epss 0.02

    An issue was discovered in DEVOME GRR before 3.4.1c. frmcontactlist.php mishandles a SQL query.

  • CVE-2019-18578CriMar 13, 2020
    risk 0.59cvss 9.0epss 0.01

    Dell EMC XtremIO XMS versions prior to 6.3.0 contain a stored cross-site scripting vulnerability. A low-privileged malicious remote user of XtremIO may exploit this vulnerability to store malicious HTML or JavaScript code in application fields. When victim users access the…

  • CVE-2019-14310CriMar 13, 2020
    risk 0.64cvss 9.8epss 0.02

    Ricoh SP C250DN 1.05 devices allow denial of service (issue 2 of 3). Unauthenticated crafted packets to the IPP service will cause a vulnerable device to crash. A memory corruption has been identified in the way of how the embedded device parsed the IPP packets

  • CVE-2019-14299CriMar 13, 2020
    risk 0.64cvss 9.8epss 0.01

    Ricoh SP C250DN 1.05 devices have an Authentication Method Vulnerable to Brute Force Attacks. Some Ricoh printers did not implement account lockout. Therefore, it was possible to obtain the local account credentials by brute force.

  • CVE-2019-13202CriMar 13, 2020
    risk 0.64cvss 9.8epss 0.03

    Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) were affected by a buffer overflow vulnerability in the okhtmlfile and failhtmlfile parameters of several functionalities of the web application that would allow an unauthenticated attacker to perform a Denial…

  • CVE-2019-13201CriMar 13, 2020
    risk 0.64cvss 9.8epss 0.03

    Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) were affected by a buffer overflow vulnerability in the LPD service. This would allow an unauthenticated attacker to cause a Denial of Service (DoS) in the LPD service and potentially execute arbitrary code on…

  • CVE-2019-13197CriMar 13, 2020
    risk 0.64cvss 9.8epss 0.03

    Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) were affected by a buffer overflow vulnerability in the URI paths of the web application that would allow an unauthenticated attacker to perform a Denial of Service attack, crashing the device, or potentially…

  • CVE-2019-13192CriMar 13, 2020
    risk 0.64cvss 9.8epss 0.04

    Some Brother printers (such as the HL-L8360CDW v1.20) were affected by a heap buffer overflow vulnerability as the IPP service did not parse attribute names properly. This would allow an attacker to execute arbitrary code on the device.

  • CVE-2019-13172CriMar 13, 2020
    risk 0.64cvss 9.8epss 0.03

    Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affected by a buffer overflow vulnerability in the Authentication Cookie of the web application that would allow an attacker to execute arbitrary code on the device.

  • CVE-2019-13171CriMar 13, 2020
    risk 0.64cvss 9.8epss 0.03

    Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affected by one or more stack-based buffer overflow vulnerabilities in the Google Cloud Print implementation that would allow an unauthenticated attacker to execute arbitrary code on the device. This was caused by…

  • CVE-2019-13169CriMar 13, 2020
    risk 0.64cvss 9.8epss 0.03

    Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affected by a buffer overflow vulnerability in the Content-Type HTTP Header of the web application that would allow an attacker to execute arbitrary code on the device.

  • CVE-2019-13168CriMar 13, 2020
    risk 0.64cvss 9.8epss 0.03

    Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affected by a buffer overflow vulnerability in the attributes parser of the IPP service. This would allow an unauthenticated attacker to cause a Denial of Service (DoS) and potentially execute arbitrary code on…

  • CVE-2019-13165CriMar 13, 2020
    risk 0.64cvss 9.8epss 0.03

    Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affected by a buffer overflow vulnerability in the request parser of the IPP service. This would allow an unauthenticated attacker to cause a Denial of Service (DoS) and potentially execute arbitrary code on the…

  • CVE-2020-10077CriMar 13, 2020
    risk 0.64cvss 9.8epss 0.01

    GitLab EE 3.0 through 12.8.1 allows SSRF. An internal investigation revealed that a particular deprecated service was creating a server side request forgery risk.

  • CVE-2020-10074CriMar 13, 2020
    risk 0.64cvss 9.8epss 0.01

    GitLab 10.1 through 12.8.1 has Incorrect Access Control. A scenario was discovered in which a GitLab account could be taken over through an expired link.