Total: 317241 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-13261 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 5.3 MEDIUM | Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later through 13.0.1 allows other administrators to view Amazon EKS credentials via HTML source code |
| CVE-2020-13260 | 1 Rad | 2 Secflow-1v, Secflow-1v Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | A vulnerability in the web-based management interface of RAD SecFlow-1v through 2020-05-21 could allow an authenticated attacker to upload a JavaScript file, with a stored XSS payload, that will remain stored in the system as an OVPN file in Configuration-Services-Security-OpenVPN-Config or as the static key file in Configuration-Services-Security-OpenVPN-Static Keys. This payload will execute each time a user opens an affected web page. This could be exploited in conjunction with CVE-2020-13259. |
| CVE-2020-13259 | 1 Rad | 2 Secflow-1v, Secflow-1v Firmware | 2024-11-21 | 9.3 HIGH | 8.8 HIGH | A vulnerability in the web-based management interface of RAD SecFlow-1v os-image SF_0290_2.3.01.26 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. This could be exploited in conjunction with CVE-2020-13260. |
| CVE-2020-13258 | 1 Contentful | 1 Python Example | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Contentful through 2020-05-21 for Python allows reflected XSS, as demonstrated by the api parameter to the-example-app.py. |
| CVE-2020-13254 | 6 Canonical, Debian, Djangoproject and 3 more | 7 Ubuntu Linux, Debian Linux, Django and 4 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. |
| CVE-2020-13253 | 3 Canonical, Debian, Qemu | 3 Ubuntu Linux, Debian Linux, Qemu | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM | sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process. |
| CVE-2020-13252 | 1 Centreon | 1 Centreon | 2024-11-21 | 9.0 HIGH | 8.8 HIGH | Centreon before 19.04.15 allows remote attackers to execute arbitrary OS commands by placing shell metacharacters in RRDdatabase_status_path (via a main.get.php request) and then visiting the include/views/graphs/graphStatus/displayServiceStatus.php page. |
| CVE-2020-13250 | 1 Hashicorp | 1 Consul | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Fixed in 1.6.6 and 1.7.4. |
| CVE-2020-13249 | 2 Mariadb, Opensuse | 2 Connector/c, Leap | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | libmariadb/mariadb_lib.c in MariaDB Connector/C before 3.1.8 does not properly validate the content of an OK packet received from a server. NOTE: although mariadb_lib.c was originally based on code shipped for MySQL, this issue does not affect any MySQL components supported by Oracle. |
| CVE-2020-13248 | 1 Boolebox | 1 Boolebox | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | BooleBox Secure File Sharing Utility before 4.2.3.0 allows stored XSS via a crafted avatar field within My Account JSON data to Account.aspx. |
| CVE-2020-13247 | 1 Boolebox | 1 Boolebox | 2024-11-21 | 8.5 HIGH | 7.3 HIGH | BooleBox Secure File Sharing Utility before 4.2.3.0 allows CSV injection via a crafted user name that is mishandled during export from the activity logs in the Audit Area. |
| CVE-2020-13246 | 1 Gitea | 1 Gitea | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in Gitea through 1.11.5. An attacker can trigger a deadlock by initiating a transfer of a repository's ownership from one organization to another. |
| CVE-2020-13245 | 1 Netgear | 28 R6120, R6120 Firmware, R6220 and 25 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM | Certain NETGEAR devices are affected by Missing SSL Certificate Validation. This affects R7000 1.0.9.6_1.2.19 through 1.0.11.100_10.2.10, and possibly R6120, R7800, R6220, R8000, R6350, R9000, R6400, RAX120, R6400v2, RBR20, R6800, XR300, R6850, XR500, and R7000P. |
| CVE-2020-13241 | 1 Microweber | 1 Microweber | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | Microweber 1.1.18 allows Unrestricted File Upload because admin/view:modules/load_module:users#edit-user=1 does not verify that the file extension (used with the Add Image option on the Edit User screen) corresponds to an image file. |
| CVE-2020-13240 | 1 Dolibarr | 1 Dolibarr | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM | The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS. |
| CVE-2020-13239 | 1 Dolibarr | 1 Dolibarr | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS. |
| CVE-2020-13238 | 1 Mitsubishielectric | 42 Melsec Iq-r00cpu, Melsec Iq-r00cpu Firmware, Melsec Iq-r01cpu and 39 more | 2024-11-21 | 7.8 HIGH | 7.5 HIGH | Mitsubishi MELSEC iQ-R Series PLCs with firmware 33 allow attackers to halt the industrial process by sending an unauthenticated crafted packet over the network, because this denial of service attack consumes excessive CPU time. After halting, physical access to the PLC is required in order to restore production. |
| CVE-2020-13231 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change. |
| CVE-2020-13230 | 3 Cacti, Debian, Fedoraproject | 3 Cacti, Debian Linux, Fedora | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs). |
| CVE-2020-13229 | 1 Sysax | 1 Multi Server | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in Sysax Multi Server 6.90. A session can be hijacked if one observes the sid value in any /scgi URI, because it is an authentication token. |
