Vulnerabilities (CVE)

Total 315159 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-26122 1 Inspur 30 Nf5180m5, Nf5180m5 Firmware, Nf5260m5 and 27 more 2024-11-21 6.5 MEDIUM 7.2 HIGH
Inspur NF5266M5 through 3.21.2 and other server M5 devices allow remote code execution via administrator privileges. The Baseboard Management Controller (BMC) program of INSPUR server is weak in checking the firmware and lacks the signature verification mechanism, the attacker who obtains the administrator's rights can control the BMC by inserting malicious code into the firmware program and bypassing the current verification mechanism to upgrade the BMC.
CVE-2020-26121 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2024-11-21 5.0 MEDIUM 7.5 HIGH
An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an upload restriction and a create restriction. An attacker cannot leverage this to overwrite anything, but can leverage this to force a wiki to have a page with a disallowed title.
CVE-2020-26120 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even without the element being appended to the DOM.
CVE-2020-26118 1 Smartbear 1 Collaborator 2024-11-21 9.0 HIGH 8.8 HIGH
In SmartBear Collaborator Server through 13.3.13302, use of the Google Web Toolkit (GWT) API introduces a post-authentication Java deserialization vulnerability. The application's UpdateMemento class accepts a serialized Java object directly from the user without properly sanitizing it. A malicious object can be submitted to the server via an authenticated attacker to execute commands on the underlying system.
CVE-2020-26117 3 Debian, Opensuse, Tigervnc 3 Debian Linux, Leap, Tigervnc 2024-11-21 5.8 MEDIUM 8.1 HIGH
In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before 1.11.0, viewers mishandle TLS certificate exceptions. They store the certificates as authorities, meaning that the owner of a certificate could impersonate any server after a client had added an exception.
CVE-2020-26116 7 Canonical, Debian, Fedoraproject and 4 more 9 Ubuntu Linux, Debian Linux, Fedora and 6 more 2024-11-21 6.4 MEDIUM 7.2 HIGH
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
CVE-2020-26115 1 Cpanel 1 Cpanel 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
cPanel before 90.0.10 allows self XSS via the Cron Editor interface (SEC-574).
CVE-2020-26114 1 Cpanel 1 Cpanel 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
cPanel before 90.0.10 allows self XSS via the Cron Jobs interface (SEC-573).
CVE-2020-26113 1 Cpanel 1 Cpanel 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
cPanel before 90.0.10 allows self XSS via WHM Manage API Tokens interfaces (SEC-569).
CVE-2020-26112 1 Cpanel 1 Cpanel 2024-11-21 5.0 MEDIUM 7.5 HIGH
The email quota cache in cPanel before 90.0.10 allows overwriting of files.
CVE-2020-26111 1 Cpanel 1 Cpanel 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
cPanel before 90.0.10 allows self XSS via the WHM Edit DNS Zone interface (SEC-566).
CVE-2020-26110 1 Cpanel 1 Cpanel 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
cPanel before 88.0.13 allows self XSS via DNS Zone Manager DNSSEC interfaces (SEC-564).
CVE-2020-26109 1 Cpanel 1 Cpanel 2024-11-21 5.0 MEDIUM 7.5 HIGH
cPanel before 88.0.13 allows bypass of a protection mechanism that attempted to restrict package modification (SEC-557).
CVE-2020-26108 1 Cpanel 1 Cpanel 2024-11-21 7.5 HIGH 9.8 CRITICAL
cPanel before 88.0.13 mishandles file-extension dispatching, leading to code execution (SEC-488).
CVE-2020-26107 1 Cpanel 1 Cpanel 2024-11-21 5.0 MEDIUM 7.5 HIGH
cPanel before 88.0.3, upon an upgrade, establishes predictable PowerDNS API keys (SEC-561).
CVE-2020-26106 1 Cpanel 1 Cpanel 2024-11-21 5.0 MEDIUM 7.5 HIGH
cPanel before 88.0.3 has weak permissions (world readable) for the proxy subdomains log file (SEC-558).
CVE-2020-26105 1 Cpanel 1 Cpanel 2024-11-21 5.0 MEDIUM 9.8 CRITICAL
In cPanel before 88.0.3, insecure chkservd test credentials are used on a templated VM (SEC-554).
CVE-2020-26104 1 Cpanel 1 Cpanel 2024-11-21 5.0 MEDIUM 7.5 HIGH
In cPanel before 88.0.3, an insecure SRS secret is used on a templated VM (SEC-552).
CVE-2020-26103 1 Cpanel 1 Cpanel 2024-11-21 5.0 MEDIUM 7.5 HIGH
In cPanel before 88.0.3, an insecure site password is used for Mailman on a templated VM (SEC-551).
CVE-2020-26102 1 Cpanel 1 Cpanel 2024-11-21 5.0 MEDIUM 7.5 HIGH
In cPanel before 88.0.3, an insecure auth policy API key is used by Dovecot on a templated VM (SEC-550).