VYPR

CVEs

67,603 total · page 704 of 1,353

  • CVE-2021-3019HigJan 5, 2021
    risk 0.50cvss 7.5epss 0.19

    ffay lanproxy 0.1 allows Directory Traversal to read /../conf/config.properties to obtain credentials for a connection to the intranet.

  • CVE-2020-36158HigJan 5, 2021
    risk 0.50cvss 8.8epss 0.02

    mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.

  • CVE-2020-26297HigJan 4, 2021
    risk 0.46cvss 8.2epss 0.01

    mdBook is a utility to create modern online books from Markdown files and is written in Rust. In mdBook before version 0.4.5, there is a vulnerability affecting the search feature of mdBook, which could allow an attacker to execute arbitrary JavaScript code on the page. The…

  • CVE-2020-26294HigJan 4, 2021
    risk 0.41cvss 7.4epss 0.02

    Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env`…

  • CVE-2020-36154HigJan 4, 2021
    risk 0.51cvss 7.8epss 0.00

    The Application Wrapper in Pearson VUE VTS Installer 2.3.1911 has Full Control permissions for Everyone in the "%SYSTEMDRIVE%\Pearson VUE" directory, which allows local users to obtain administrative privileges via a Trojan horse application.

  • CVE-2020-25275HigJan 4, 2021
    risk 0.49cvss 7.5epss 0.05

    Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts.

  • CVE-2020-22550HigJan 4, 2021
    risk 0.49cvss 7.5epss 0.02

    Veno File Manager 3.5.6 is affected by a directory traversal vulnerability. Using the traversal allows an attacker to download sensitive files from the server.

  • CVE-2020-4942HigJan 4, 2021
    risk 0.57cvss 8.8epss 0.01

    IBM Curam Social Program Management 7.0.9 and 7.0.11 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 191942.

  • CVE-2020-4917HigJan 4, 2021
    risk 0.57cvss 8.8epss 0.00

    IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 191391.

  • CVE-2020-4912HigJan 4, 2021
    risk 0.47cvss 7.2epss 0.01

    IBM Cloud Pak System 2.3 Self Service Console could allow a privilege escalation by capturing the user request URL when logged in as a privileged user. IBM X-Force ID: 191287.

  • CVE-2020-7771HigJan 4, 2021
    risk 0.42cvss 7.5epss 0.02

    The package asciitable.js before 1.0.3 are vulnerable to Prototype Pollution via the main function.

  • CVE-2021-21495HigJan 4, 2021
    risk 0.57cvss 8.8epss 0.01

    MK-AUTH through 19.01 K4.9 allows CSRF for password changes via the central/executar_central.php?acao=altsenha_princ URI.

  • CVE-2020-35965HigJan 4, 2021
    risk 0.42cvss 7.5epss 0.02

    decode_frame in libavcodec/exr.c in FFmpeg 4.3.1 has an out-of-bounds write because of errors in calculations of when to perform memset zero operations.

  • CVE-2020-35963HigJan 3, 2021
    risk 0.44cvss 7.8epss 0.01

    flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out-of-bounds write because it does not use the correct calculation of the maximum gzip data-size expansion.

  • CVE-2020-35962HigJan 3, 2021
    risk 0.49cvss 7.5epss 0.01

    The sellTokenForLRC function in the vault protocol in the smart contract implementation for Loopring (LRC), an Ethereum token, lacks access control for fee swapping and thus allows price manipulation.

  • CVE-2021-3006HigJan 3, 2021
    risk 0.49cvss 7.5epss 0.01

    The breed function in the smart contract implementation for Farm in Seal Finance (Seal), an Ethereum token, lacks access control and thus allows price manipulation, as exploited in the wild in December 2020 and January 2021.

  • CVE-2021-3004HigJan 3, 2021
    risk 0.49cvss 7.5epss 0.01

    The _deposit function in the smart contract implementation for Stable Yield Credit (yCREDIT), an Ethereum token, has certain incorrect calculations. An attacker can obtain more yCREDIT tokens than they should.

  • CVE-2020-28852HigJan 2, 2021
    risk 0.49cvss 7.5epss 0.02

    In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

  • CVE-2020-28851HigJan 2, 2021
    risk 0.49cvss 7.5epss 0.02

    In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

  • CVE-2020-35947HigJan 1, 2021
    risk 0.48cvss 7.4epss 0.01

    An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. Nearly all of the AJAX action endpoints lacked permission checks, allowing these actions to be executed by anyone authenticated on the site. This happened because nonces were used as a means of…

  • CVE-2020-35944HigJan 1, 2021
    risk 0.57cvss 8.8epss 0.01

    An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. The pagelayer_settings_page function is vulnerable to CSRF, which can lead to XSS.

  • CVE-2020-35939HigJan 1, 2021
    risk 0.49cvss 7.5epss 0.02

    PHP Object injection vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data supplied in a remotely hosted crafted payload in the source parameter via…

  • CVE-2020-35938HigJan 1, 2021
    risk 0.49cvss 7.5epss 0.02

    PHP Object injection vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data supplied in a remotely hosted crafted payload in the source parameter via AJAX.…

  • CVE-2020-35937HigJan 1, 2021
    risk 0.49cvss 7.5epss 0.02

    Stored Cross-Site Scripting (XSS) vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. The action must…

  • CVE-2020-35936HigJan 1, 2021
    risk 0.49cvss 7.5epss 0.02

    Stored Cross-Site Scripting (XSS) vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. The action must be…

  • CVE-2020-35935HigJan 1, 2021
    risk 0.49cvss 7.5epss 0.01

    The Advanced Access Manager plugin before 6.6.2 for WordPress allows privilege escalation on profile updates via the aam_user_roles POST parameter if Multiple Role support is enabled. (The mechanism for deciding whether a user was entitled to add a role did not work in various…

  • CVE-2020-35932HigJan 1, 2021
    risk 0.49cvss 7.5epss 0.02

    Insecure Deserialization in the Newsletter plugin before 6.8.2 for WordPress allows authenticated remote attackers with minimal privileges (such as subscribers) to use the tpnc_render AJAX action to inject arbitrary PHP objects via the options[inline_edits] parameter. NOTE:…

  • CVE-2019-25012HigJan 1, 2021
    risk 0.49cvss 7.5epss 0.01

    The Webform Report project 7.x-1.x-dev for Drupal allows remote attackers to view submissions by visiting the /rss.xml page. NOTE: This project is not covered by Drupal's security advisory policy.

  • CVE-2018-25002HigJan 1, 2021
    risk 0.57cvss 8.8epss 0.01

    uploader.php in the KCFinder integration project through 2018-06-01 for Drupal mishandles validation, aka SA-CONTRIB-2018-024. NOTE: This project is not covered by Drupal's security advisory policy.

  • CVE-2017-20001HigJan 1, 2021
    risk 0.49cvss 7.5epss 0.00

    The AES encryption project 7.x and 8.x for Drupal does not sufficiently prevent attackers from decrypting data, aka SA-CONTRIB-2017-027. NOTE: This project is not covered by Drupal's security advisory policy.

  • CVE-2016-20003HigJan 1, 2021
    risk 0.49cvss 7.5epss 0.01

    The REST/JSON project 7.x-1.x for Drupal allows user enumeration, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.

  • CVE-2016-20008HigJan 1, 2021
    risk 0.49cvss 7.5epss 0.01

    The REST/JSON project 7.x-1.x for Drupal allows session enumeration, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.

  • CVE-2016-20007HigJan 1, 2021
    risk 0.49cvss 7.5epss 0.01

    The REST/JSON project 7.x-1.x for Drupal allows session name guessing, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.

  • CVE-2016-20006HigJan 1, 2021
    risk 0.49cvss 7.5epss 0.01

    The REST/JSON project 7.x-1.x for Drupal allows blockage of user logins, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.

  • CVE-2020-35931HigDec 31, 2020
    risk 0.51cvss 7.8epss 0.02

    An issue was discovered in Foxit Reader before 10.1.1 (and before 4.1.1 on macOS) and PhantomPDF before 9.7.5 and 10.x before 10.1.1 (and before 4.1.1 on macOS). An attacker can spoof a certified PDF document via an Evil Annotation Attack because the products fail to consider a…

  • CVE-2020-26165HigDec 31, 2020
    risk 0.57cvss 8.8epss 0.03

    qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used.

  • CVE-2018-19944HigDec 31, 2020
    risk 0.49cvss 7.5epss 0.01

    A cleartext transmission of sensitive information vulnerability has been reported to affect certain QTS devices. If exploited, this vulnerability allows a remote attacker to gain access to sensitive information. QNAP have already fixed this vulnerability in the following…

  • CVE-2018-19941HigDec 31, 2020
    risk 0.49cvss 7.5epss 0.01

    A vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows an attacker to access sensitive information stored in cleartext inside cookies via certain widely-available tools. QNAP have already fixed this vulnerability in the following versions:…

  • CVE-2020-35896HigDec 31, 2020
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in the ws crate through 2020-09-25 for Rust. The outgoing buffer is not properly limited, leading to a remote memory-consumption attack.

  • CVE-2020-35894HigDec 31, 2020
    risk 0.42cvss 7.5epss 0.01

    An issue was discovered in the obstack crate before 0.1.4 for Rust. Unaligned references can occur.

  • CVE-2020-35893HigDec 31, 2020
    risk 0.42cvss 7.5epss 0.01

    An issue was discovered in the simple-slab crate before 0.3.3 for Rust. remove() has an off-by-one error, causing memory leakage and a drop of uninitialized memory.

  • CVE-2020-35891HigDec 31, 2020
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in the ordnung crate through 2020-09-03 for Rust. compact::Vec violates memory safety via a remove() double free.

  • CVE-2020-35890HigDec 31, 2020
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in the ordnung crate through 2020-09-03 for Rust. compact::Vec violates memory safety via out-of-bounds access for large capacity.

  • CVE-2020-35889HigDec 31, 2020
    risk 0.53cvss 8.1epss 0.01

    An issue was discovered in the crayon crate through 2020-08-31 for Rust. A TOCTOU issue has a resultant memory safety violation via HandleLike.

  • CVE-2020-35882HigDec 31, 2020
    risk 0.53cvss 8.1epss 0.01

    An issue was discovered in the rocket crate before 0.4.5 for Rust. LocalRequest::clone creates more than one mutable references to the same object, possibly causing a data race.

  • CVE-2020-35875HigDec 31, 2020
    risk 0.00cvss 7.5epss 0.01

    An issue was discovered in the tokio-rustls crate before 0.13.1 for Rust. Excessive memory usage may occur when data arrives quickly.

  • CVE-2020-35874HigDec 31, 2020
    risk 0.53cvss 8.1epss 0.01

    An issue was discovered in the internment crate through 2020-05-28 for Rust. ArcIntern::drop has a race condition and resultant use-after-free.

  • CVE-2020-35871HigDec 31, 2020
    risk 0.46cvss 8.1epss 0.01

    An issue was discovered in the rusqlite crate before 0.23.0 for Rust. Memory safety can be violated via an Auxdata API data race.

  • CVE-2020-35865HigDec 31, 2020
    risk 0.42cvss 7.5epss 0.01

    An issue was discovered in the os_str_bytes crate before 2.0.0 for Rust. It has false expectations about char::from_u32_unchecked behavior.

  • CVE-2020-35864HigDec 31, 2020
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in the flatbuffers crate through 2020-04-11 for Rust. read_scalar (and read_scalar_at) can transmute values without unsafe blocks.