Total
318379 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-14049 | 1 Rakuten | 1 Viber | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Viber for Windows up to 13.2.0.39 does not properly quote its custom URI handler. A malicious website could launch Viber with arbitrary parameters, forcing a victim to send an NTLM authentication request, and either relay the request or capture the hash for offline password cracking. NOTE: this issue exists because of an incomplete fix for CVE-2019-12569. | |||||
| CVE-2020-14048 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents. | |||||
| CVE-2020-14044 | 1 Codiad | 1 Codiad | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| ** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Server-Side Request Forgery (SSRF) vulnerability was found in Codiad v1.7.8 and later. A user with admin privileges could use the plugin install feature to make the server request any URL via components/market/class.market.php. This could potentially result in remote code execution. NOTE: the vendor states "Codiad is no longer under active maintenance by core contributors." | |||||
| CVE-2020-14043 | 1 Codiad | 1 Codiad | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| ** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Cross Side Request Forgery (CSRF) vulnerability was found in Codiad v1.7.8 and later. The request to download a plugin from the marketplace is only available to admin users and it isn't CSRF protected in components/market/controller.php. This might cause admins to make a vulnerable request without them knowing and result in remote code execution. NOTE: the vendor states "Codiad is no longer under active maintenance by core contributors." | |||||
| CVE-2020-14042 | 1 Codiad | 1 Codiad | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Cross Site Scripting (XSS) vulnerability was found in Codiad v1.7.8 and later. The vulnerability occurs because of improper sanitization of the folder's name $path variable in components/filemanager/class.filemanager.php. NOTE: the vendor states "Codiad is no longer under active maintenance by core contributors." | |||||
| CVE-2020-14040 | 2 Fedoraproject, Golang | 2 Fedora, Text | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String. | |||||
| CVE-2020-14039 | 1 Golang | 1 Go | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete. | |||||
| CVE-2020-14034 | 1 Meetecho | 1 Janus | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in janus-gateway (aka Janus WebRTC Server) through 0.10.0. janus_get_codec_from_pt in utils.c has a Buffer Overflow via long value in an SDP Offer packet. | |||||
| CVE-2020-14033 | 1 Meetecho | 1 Janus | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in janus-gateway (aka Janus WebRTC Server) through 0.10.0. janus_streaming_rtsp_parse_sdp in plugins/janus_streaming.c has a Buffer Overflow via a crafted RTSP server. | |||||
| CVE-2020-14032 | 1 Asrock | 1 Box-r1000 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| ASRock 4x4 BOX-R1000 before BIOS P1.40 allows privilege escalation via code execution in the SMM. | |||||
| CVE-2020-14031 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The outbox functionality of the TXT File module can be used to delete all/most files in a folder. Because the product usually runs as NT AUTHORITY\SYSTEM, the only files that will not be deleted are those currently being run by the system and/or files that have special security attributes (e.g., Windows Defender files). | |||||
| CVE-2020-14030 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. It stores SMS messages in .NET serialized format on the filesystem. By generating (and writing to the disk) malicious .NET serialized files, an attacker can trick the product into deserializing them, resulting in arbitrary code execution. | |||||
| CVE-2020-14029 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The RSS To SMS module processes XML files in an unsafe manner. This opens the application to an XML External Entity attack that can be used to perform SSRF or read arbitrary local files. | |||||
| CVE-2020-14028 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. By leveraging a path traversal vulnerability in the Autoreply module's Script Name, an attacker may write to or overwrite arbitrary files, with arbitrary content, usually with NT AUTHORITY\SYSTEM privileges. | |||||
| CVE-2020-14027 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2024-11-21 | 3.5 LOW | 5.3 MEDIUM |
| An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The database connection strings accept custom unsafe arguments, such as ENABLE_LOCAL_INFILE, that can be leveraged by attackers to enable MySQL Load Data Local (rogue MySQL server) attacks. | |||||
| CVE-2020-14026 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
| CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the Export Of Contacts feature in Ozeki NG SMS Gateway through 4.17.6 via a value that is mishandled in a CSV export. | |||||
| CVE-2020-14025 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Ozeki NG SMS Gateway through 4.17.6 has multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes such as installing new modules or changing a password. | |||||
| CVE-2020-14024 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Ozeki NG SMS Gateway through 4.17.6 has multiple authenticated stored and/or reflected XSS vulnerabilities via the (1) Receiver or Recipient field in the Mailbox feature, (2) OZFORM_GROUPNAME field in the Group configuration of addresses, (3) listname field in the Defining address lists configuration, or (4) any GET Parameter in the /default URL of the application. | |||||
| CVE-2020-14023 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| Ozeki NG SMS Gateway through 4.17.6 allows SSRF via SMS WCF or RSS To SMS. | |||||
| CVE-2020-14022 | 1 Ozeki | 1 Ozeki Ng Sms Gateway | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Ozeki NG SMS Gateway 4.17.1 through 4.17.6 does not check the file type when bulk importing new contacts ("Import Contacts" functionality) from a file. It is possible to upload an executable or .bat file that can be executed with the help of a functionality (E.g. the "Application Starter" module) within the application. | |||||