| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-3019 | — | High | 0.50 | 7.5 | 0.19 |  | Jan 5, 2021 | ffay lanproxy 0.1 allows Directory Traversal to read /../conf/config.properties to obtain credentials for a connection to the intranet. |
| CVE-2020-36158 | — | High | 0.50 | 8.8 | 0.02 |  | Jan 5, 2021 | mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332. |
| CVE-2020-26297 | — | High | 0.46 | 8.2 | 0.01 |  | Jan 4, 2021 | mdBook is a utility to create modern online books from Markdown files and is written in Rust. In mdBook before version 0.4.5, there is a vulnerability affecting the search feature of mdBook, which could allow an attacker to execute arbitrary JavaScript code on the page. The… |
| CVE-2020-26294 | — | High | 0.41 | 7.4 | 0.02 |  | Jan 4, 2021 | Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env`… |
| CVE-2020-36154 | — | High | 0.51 | 7.8 | 0.00 |  | Jan 4, 2021 | The Application Wrapper in Pearson VUE VTS Installer 2.3.1911 has Full Control permissions for Everyone in the "%SYSTEMDRIVE%\Pearson VUE" directory, which allows local users to obtain administrative privileges via a Trojan horse application. |
| CVE-2020-25275 | — | High | 0.49 | 7.5 | 0.05 |  | Jan 4, 2021 | Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts. |
| CVE-2020-22550 | — | High | 0.49 | 7.5 | 0.02 |  | Jan 4, 2021 | Veno File Manager 3.5.6 is affected by a directory traversal vulnerability. Using the traversal allows an attacker to download sensitive files from the server. |
| CVE-2020-4942 | — | High | 0.57 | 8.8 | 0.01 |  | Jan 4, 2021 | IBM Curam Social Program Management 7.0.9 and 7.0.11 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 191942. |
| CVE-2020-4917 | — | High | 0.57 | 8.8 | 0.00 |  | Jan 4, 2021 | IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 191391. |
| CVE-2020-4912 | — | High | 0.47 | 7.2 | 0.01 |  | Jan 4, 2021 | IBM Cloud Pak System 2.3 Self Service Console could allow a privilege escalation by capturing the user request URL when logged in as a privileged user. IBM X-Force ID: 191287. |
| CVE-2020-7771 | — | High | 0.42 | 7.5 | 0.02 |  | Jan 4, 2021 | The package asciitable.js before 1.0.3 is vulnerable to Prototype Pollution via the main function. |
| CVE-2021-21495 | — | High | 0.57 | 8.8 | 0.01 |  | Jan 4, 2021 | MK-AUTH through 19.01 K4.9 allows CSRF for password changes via the central/executar_central.php?acao=altsenha_princ URI. |
| CVE-2020-35965 | — | High | 0.42 | 7.5 | 0.02 |  | Jan 4, 2021 | decode_frame in libavcodec/exr.c in FFmpeg 4.3.1 has an out-of-bounds write because of errors in calculations of when to perform memset zero operations. |
| CVE-2020-35963 | — | High | 0.44 | 7.8 | 0.01 |  | Jan 3, 2021 | flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out-of-bounds write because it does not use the correct calculation of the maximum gzip data-size expansion. |
| CVE-2020-35962 | — | High | 0.49 | 7.5 | 0.01 |  | Jan 3, 2021 | The sellTokenForLRC function in the vault protocol in the smart contract implementation for Loopring (LRC), an Ethereum token, lacks access control for fee swapping and thus allows price manipulation. |
| CVE-2021-3006 | — | High | 0.49 | 7.5 | 0.01 |  | Jan 3, 2021 | The breed function in the smart contract implementation for Farm in Seal Finance (Seal), an Ethereum token, lacks access control and thus allows price manipulation, as exploited in the wild in December 2020 and January 2021. |
| CVE-2021-3004 | — | High | 0.49 | 7.5 | 0.01 |  | Jan 3, 2021 | The _deposit function in the smart contract implementation for Stable Yield Credit (yCREDIT), an Ethereum token, has certain incorrect calculations. An attacker can obtain more yCREDIT tokens than they should. |
| CVE-2020-28852 | — | High | 0.49 | 7.5 | 0.02 |  | Jan 2, 2021 | In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) |
| CVE-2020-28851 | — | High | 0.49 | 7.5 | 0.02 |  | Jan 2, 2021 | In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) |
| CVE-2020-35947 | — | High | 0.48 | 7.4 | 0.01 |  | Jan 1, 2021 | An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. Nearly all of the AJAX action endpoints lacked permission checks, allowing these actions to be executed by anyone authenticated on the site. This happened because nonces were used as a means of… |
| CVE-2020-35944 | — | High | 0.57 | 8.8 | 0.01 |  | Jan 1, 2021 | An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. The pagelayer_settings_page function is vulnerable to CSRF, which can lead to XSS. |
| CVE-2020-35939 | — | High | 0.49 | 7.5 | 0.02 |  | Jan 1, 2021 | PHP Object injection vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data supplied in a remotely hosted crafted payload in the source parameter via… |
| CVE-2020-35938 | — | High | 0.49 | 7.5 | 0.02 |  | Jan 1, 2021 | PHP Object injection vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data supplied in a remotely hosted crafted payload in the source parameter via AJAX.… |
| CVE-2020-35937 | — | High | 0.49 | 7.5 | 0.02 |  | Jan 1, 2021 | Stored Cross-Site Scripting (XSS) vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. The action must… |
| CVE-2020-35936 | — | High | 0.49 | 7.5 | 0.02 |  | Jan 1, 2021 | Stored Cross-Site Scripting (XSS) vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. The action must be… |
| CVE-2020-35935 | — | High | 0.49 | 7.5 | 0.01 |  | Jan 1, 2021 | The Advanced Access Manager plugin before 6.6.2 for WordPress allows privilege escalation on profile updates via the aam_user_roles POST parameter if Multiple Role support is enabled. (The mechanism for deciding whether a user was entitled to add a role did not work in various… |
| CVE-2020-35932 | — | High | 0.49 | 7.5 | 0.02 |  | Jan 1, 2021 | Insecure Deserialization in the Newsletter plugin before 6.8.2 for WordPress allows authenticated remote attackers with minimal privileges (such as subscribers) to use the tpnc_render AJAX action to inject arbitrary PHP objects via the options[inline_edits] parameter. NOTE:… |
| CVE-2019-25012 | — | High | 0.49 | 7.5 | 0.01 |  | Jan 1, 2021 | The Webform Report project 7.x-1.x-dev for Drupal allows remote attackers to view submissions by visiting the /rss.xml page. NOTE: This project is not covered by Drupal's security advisory policy. |
| CVE-2018-25002 | — | High | 0.57 | 8.8 | 0.01 |  | Jan 1, 2021 | uploader.php in the KCFinder integration project through 2018-06-01 for Drupal mishandles validation, aka SA-CONTRIB-2018-024. NOTE: This project is not covered by Drupal's security advisory policy. |
| CVE-2017-20001 | — | High | 0.49 | 7.5 | 0.00 |  | Jan 1, 2021 | The AES encryption project 7.x and 8.x for Drupal does not sufficiently prevent attackers from decrypting data, aka SA-CONTRIB-2017-027. NOTE: This project is not covered by Drupal's security advisory policy. |
| CVE-2016-20003 | — | High | 0.49 | 7.5 | 0.01 |  | Jan 1, 2021 | The REST/JSON project 7.x-1.x for Drupal allows user enumeration, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. |
| CVE-2016-20008 | — | High | 0.49 | 7.5 | 0.01 |  | Jan 1, 2021 | The REST/JSON project 7.x-1.x for Drupal allows session enumeration, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. |
| CVE-2016-20007 | — | High | 0.49 | 7.5 | 0.01 |  | Jan 1, 2021 | The REST/JSON project 7.x-1.x for Drupal allows session name guessing, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. |
| CVE-2016-20006 | — | High | 0.49 | 7.5 | 0.01 |  | Jan 1, 2021 | The REST/JSON project 7.x-1.x for Drupal allows blockage of user logins, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. |
| CVE-2020-35931 | — | High | 0.51 | 7.8 | 0.02 |  | Dec 31, 2020 | An issue was discovered in Foxit Reader before 10.1.1 (and before 4.1.1 on macOS) and PhantomPDF before 9.7.5 and 10.x before 10.1.1 (and before 4.1.1 on macOS). An attacker can spoof a certified PDF document via an Evil Annotation Attack because the products fail to consider a… |
| CVE-2020-26165 | — | High | 0.57 | 8.8 | 0.03 |  | Dec 31, 2020 | qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used. |
| CVE-2018-19944 | — | High | 0.49 | 7.5 | 0.01 |  | Dec 31, 2020 | A cleartext transmission of sensitive information vulnerability has been reported to affect certain QTS devices. If exploited, this vulnerability allows a remote attacker to gain access to sensitive information. QNAP have already fixed this vulnerability in the following… |
| CVE-2018-19941 | — | High | 0.49 | 7.5 | 0.01 |  | Dec 31, 2020 | A vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows an attacker to access sensitive information stored in cleartext inside cookies via certain widely-available tools. QNAP have already fixed this vulnerability in the following versions:… |
| CVE-2020-35896 | — | High | 0.49 | 7.5 | 0.01 |  | Dec 31, 2020 | An issue was discovered in the ws crate through 2020-09-25 for Rust. The outgoing buffer is not properly limited, leading to a remote memory-consumption attack. |
| CVE-2020-35894 | — | High | 0.42 | 7.5 | 0.01 |  | Dec 31, 2020 | An issue was discovered in the obstack crate before 0.1.4 for Rust. Unaligned references can occur. |
| CVE-2020-35893 | — | High | 0.42 | 7.5 | 0.01 |  | Dec 31, 2020 | An issue was discovered in the simple-slab crate before 0.3.3 for Rust. remove() has an off-by-one error, causing memory leakage and a drop of uninitialized memory. |
| CVE-2020-35891 | — | High | 0.49 | 7.5 | 0.01 |  | Dec 31, 2020 | An issue was discovered in the ordnung crate through 2020-09-03 for Rust. compact::Vec violates memory safety via a remove() double free. |
| CVE-2020-35890 | — | High | 0.49 | 7.5 | 0.01 |  | Dec 31, 2020 | An issue was discovered in the ordnung crate through 2020-09-03 for Rust. compact::Vec violates memory safety via out-of-bounds access for large capacity. |
| CVE-2020-35889 | — | High | 0.53 | 8.1 | 0.01 |  | Dec 31, 2020 | An issue was discovered in the crayon crate through 2020-08-31 for Rust. A TOCTOU issue has a resultant memory safety violation via HandleLike. |
| CVE-2020-35882 | — | High | 0.53 | 8.1 | 0.01 |  | Dec 31, 2020 | An issue was discovered in the rocket crate before 0.4.5 for Rust. LocalRequest::clone creates more than one mutable reference to the same object, possibly causing a data race. |
| CVE-2020-35875 | — | High | 0.00 | 7.5 | 0.01 |  | Dec 31, 2020 | An issue was discovered in the tokio-rustls crate before 0.13.1 for Rust. Excessive memory usage may occur when data arrives quickly. |
| CVE-2020-35874 | — | High | 0.53 | 8.1 | 0.01 |  | Dec 31, 2020 | An issue was discovered in the internment crate through 2020-05-28 for Rust. ArcIntern::drop has a race condition and resultant use-after-free. |
| CVE-2020-35871 | — | High | 0.46 | 8.1 | 0.01 |  | Dec 31, 2020 | An issue was discovered in the rusqlite crate before 0.23.0 for Rust. Memory safety can be violated via an Auxdata API data race. |
| CVE-2020-35865 | — | High | 0.42 | 7.5 | 0.01 |  | Dec 31, 2020 | An issue was discovered in the os_str_bytes crate before 2.0.0 for Rust. It has false expectations about char::from_u32_unchecked behavior. |
| CVE-2020-35864 | — | High | 0.49 | 7.5 | 0.01 |  | Dec 31, 2020 | An issue was discovered in the flatbuffers crate through 2020-04-11 for Rust. read_scalar (and read_scalar_at) can transmute values without unsafe blocks. |