Total
141 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-20843 | 2 Ntt-west, Yamaha | 16 Biz Box Nvr510, Biz Box Nvr510 Firmware, Biz Box Nvr700w and 13 more | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
Cross-site script inclusion vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to alter the settings of the product via a specially crafted web page. | |||||
CVE-2021-20443 | 3 Ibm, Linux, Microsoft | 3 Maximo For Civil Infrastructure, Linux Kernel, Windows | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
IBM Maximo for Civil Infrastructure 7.6.2 includes executable functionality (such as a library) from a source that is outside of the intended control sphere. IBM X-Force ID: 196619. | |||||
CVE-2021-20187 | 1 Moodle | 1 Moodle | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication. | |||||
CVE-2020-5295 | 1 Octobercms | 1 October | 2024-11-21 | 4.0 MEDIUM | 4.8 MEDIUM |
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission. Issue has been patched in Build 466 (v1.0.466). | |||||
CVE-2020-4561 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
IBM Cognos Analytics 11.0 and 11.1 DQM API allows submitting of all control requests in unauthenticated sessions. This allows a remote attacker who can access a valid CA endpoint to read and write files to the Cognos Analytics system. IBM X-Force ID: 183903. | |||||
CVE-2020-25788 | 1 Tt-rss | 1 Tiny Tiny Rss | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. imgproxy in plugins/af_proxy_http/init.php mishandles $_REQUEST["url"] in an error message. | |||||
CVE-2020-25414 | 1 Monstra | 1 Monstra | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
A local file inclusion vulnerability was discovered in the captcha function in Monstra 3.0.4 which allows remote attackers to execute arbitrary PHP code. | |||||
CVE-2020-24985 | 1 Quadbase | 1 Espressdashboard | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
An issue was discovered in Quadbase EspressReports ES 7 Update 9. An authenticated user is able to navigate to the MenuPage section of the application, and change the frmsrc parameter value to retrieve and execute external files or payloads. | |||||
CVE-2020-16152 | 1 Extremenetworks | 1 Aerohive Netconfig | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
The NetConfig UI administrative interface in Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine through 10.0r8a allows attackers to execute PHP code as the root user via remote HTTP requests that insert this code into a log file and then traverse to that file. | |||||
CVE-2020-13175 | 1 Teradici | 2 Cloud Access Connector, Cloud Access Connector Legacy | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
The Management Interface of the Teradici Cloud Access Connector and Cloud Access Connector Legacy for releases prior to April 20, 2020 (v15 and earlier for Cloud Access Connector) contains a local file inclusion vulnerability which allows an unauthenticated remote attacker to leak LDAP credentials via a specially crafted HTTP request. | |||||
CVE-2020-10865 | 2 Avast, Microsoft | 2 Antivirus, Windows | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to make arbitrary changes to the Components section of the Stats.ini file via RPC from a Low Integrity process. | |||||
CVE-2019-8154 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies product design update. | |||||
CVE-2019-5479 | 1 Larvit | 1 Larvitbase | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An unintended require vulnerability in <v0.5.5 larvitbase-api may allow an attacker to load arbitrary non-production code (JavaScript file). | |||||
CVE-2019-4263 | 1 Ibm | 1 Content Navigator | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
IBM Content Navigator 3.0CD is vulnerable to local file inclusion, allowing an attacker to access a configuration file in the ICN server. IBM X-Force ID: 160015. | |||||
CVE-2019-17014 | 1 Mozilla | 1 Firefox | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
If an image had not loaded correctly (such as when it is not actually an image), it could be dragged and dropped cross-domain, resulting in a cross-origin information leak. This vulnerability affects Firefox < 71. | |||||
CVE-2019-13589 | 1 Anjlab | 1 Paranoid2 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.1.5. | |||||
CVE-2019-11742 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
A same-origin policy violation occurs allowing the theft of cross-origin images through a combination of SVG filters and a <canvas> element due to an error in how same-origin policy is applied to cached image content. The resulting same-origin policy violation could allow for data theft. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1. | |||||
CVE-2019-11591 | 1 Web-dorado | 1 Contact Form | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
The WebDorado Contact Form plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized. | |||||
CVE-2019-11590 | 1 10web | 1 Form Maker | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
The 10Web Form Maker plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized. | |||||
CVE-2018-8351 | 1 Microsoft | 9 Edge, Internet Explorer, Windows 10 and 6 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction, aka "Microsoft Browser Information Disclosure Vulnerability." This affects Internet Explorer 11, Microsoft Edge, Internet Explorer 10. |