Total
82305 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-7791 | 1 I18n Project | 1 I18n | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package i18n before 2.1.15. Vulnerability arises out of insufficient handling of erroneous language tags in src/i18n/Concrete/TextLocalizer.cs and src/i18n/LocalizedApplication.cs. | |||||
| CVE-2020-7788 | 2 Debian, Ini Project | 2 Debian Linux, Ini | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context. | |||||
| CVE-2020-7787 | 1 React-adal Project | 1 React-adal | 2024-11-21 | 5.0 MEDIUM | 8.2 HIGH |
| This affects all versions of package react-adal. It is possible for a specially crafted JWT token and request URL can cause the nonce, session and refresh values to be incorrectly validated, causing the application to treat an attacker-generated JWT token as authentic. The logical defect is caused by how the nonce, session and refresh values are stored in the browser local storage or session storage. Each key is automatically appended by ||. When the received nonce and session keys are generated, the list of values is stored in the browser storage, separated by ||, with || always appended to the end of the list. Since || will always be the last 2 characters of the stored values, an empty string ("") will always be in the list of the valid values. Therefore, if an empty session parameter is provided in the callback URL, and a specially-crafted JWT token contains an nonce value of "" (empty string), then adal.js will consider the JWT token as authentic. | |||||
| CVE-2020-7778 | 1 Systeminformation | 1 Systeminformation | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands. | |||||
| CVE-2020-7777 | 1 Jsen Project | 1 Jsen | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| This affects all versions of package jsen. If an attacker can control the schema file, it could run arbitrary JavaScript code on the victim machine. In the module description and README file there is no mention about the risks of untrusted schema files, so I assume that this is applicable. In particular the required field of the schema is not properly sanitized. The resulting string that is build based on the schema definition is then passed to a Function.apply();, leading to an Arbitrary Code Execution. | |||||
| CVE-2020-7776 | 1 Phpoffice | 1 Phpspreadsheet | 2024-11-21 | 3.5 LOW | 7.1 HIGH |
| This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of link and this is returned as HTML. A fix for this issue is available on commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845/master branch. | |||||
| CVE-2020-7774 | 3 Oracle, Siemens, Y18n Project | 3 Graalvm, Sinec Infrastructure Network Services, Y18n | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution. | |||||
| CVE-2020-7772 | 1 Doc-path Project | 1 Doc-path | 2024-11-21 | 10.0 HIGH | 7.5 HIGH |
| This affects the package doc-path before 2.1.2. | |||||
| CVE-2020-7771 | 1 Asciitable.js Project | 1 Asciitable.js | 2024-11-21 | 7.5 HIGH | 7.5 HIGH |
| The package asciitable.js before 1.0.3 are vulnerable to Prototype Pollution via the main function. | |||||
| CVE-2020-7769 | 1 Nodemailer | 1 Nodemailer | 2024-11-21 | 7.5 HIGH | 8.6 HIGH |
| This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails. | |||||
| CVE-2020-7768 | 1 Grpc | 1 Grpc | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition. | |||||
| CVE-2020-7766 | 1 Json-ptr Project | 1 Json-ptr | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| This affects all versions of package json-ptr. The issue occurs in the set operation (https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution. | |||||
| CVE-2020-7763 | 1 Jsreport | 1 Phantom-html-to-pdf | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package phantom-html-to-pdf before 0.6.1. | |||||
| CVE-2020-7758 | 1 Browserless | 1 Chrome | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server. | |||||
| CVE-2020-7754 | 1 Npmjs | 1 Npm-user-validate | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters. | |||||
| CVE-2020-7753 | 1 Trim Project | 1 Trim | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim(). | |||||
| CVE-2020-7752 | 1 Systeminformation | 1 Systeminformation | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands. | |||||
| CVE-2020-7749 | 1 Osm-static-maps Project | 1 Osm-static-maps | 2024-11-21 | 6.5 MEDIUM | 7.6 HIGH |
| This affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping ({{{ ... }}}). As such, it is possible for an attacker to inject arbitrary HTML/JS code and depending on the context. It will be outputted as an HTML on the page which gives opportunity for XSS or rendered on the server (puppeteer) which also gives opportunity for SSRF and Local File Read. | |||||
| CVE-2020-7746 | 1 Chartjs | 1 Chart.js | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution. | |||||
| CVE-2020-7745 | 1 Mintegral | 1 Mintegraladsdk | 2024-11-21 | 10.0 HIGH | 7.1 HIGH |
| This affects the package MintegralAdSDK before 6.6.0.0. The SDK distributed by the company contains malicious functionality that acts as a backdoor. Mintegral and their partners (advertisers) can remotely execute arbitrary code on a user device. | |||||