Total
317637 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-11714 | 1 Etentech | 2 Psg-6528vm, Psg-6528vm Firmware | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| eten PSG-6528VM 1.1 devices allow XSS via System Contact or System Location. | |||||
| CVE-2020-11713 | 1 Wolfssl | 1 Wolfssl | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks. | |||||
| CVE-2020-11712 | 1 Open Upload Project | 1 Open Upload | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Open Upload through 0.4.3 allows XSS via index.php?action=u and the filename field. | |||||
| CVE-2020-11711 | 1 Stormshield | 1 Stormshield Network Security | 2024-11-21 | N/A | 4.8 MEDIUM |
| An issue was discovered in Stormshield SNS 3.8.0. Authenticated Stored XSS in the admin login panel leads to SSL VPN credential theft. A malicious disclaimer file can be uploaded from the admin panel. The resulting file is rendered on the authentication interface of the admin panel. It is possible to inject malicious HTML content in order to execute JavaScript inside a victim's browser. This results in a stored XSS on the authentication interface of the admin panel. Moreover, an unsecured authentication form is present on the authentication interface of the SSL VPN captive portal. Users are allowed to save their credentials inside the browser. If an administrator saves his credentials through this unsecured form, these credentials could be stolen via the stored XSS on the admin panel without user interaction. Another possible exploitation would be modification of the authentication form of the admin panel into a malicious form. | |||||
| CVE-2020-11710 | 1 Konghq | 1 Docker-kong | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| ** DISPUTED ** An issue was discovered in docker-kong (for Kong) through 2.0.3. The admin API port may be accessible on interfaces other than 127.0.0.1. NOTE: The vendor argue that this CVE is not a vulnerability because it has an inaccurate bug scope and patch links. “1) Inaccurate Bug Scope - The issue scope was on Kong's docker-compose template, and not Kong's docker image itself. In reality, this issue is not associated with any version of the Kong gateway. As such, the description stating ‘An issue was discovered in docker-kong (for Kong) through 2.0.3.’ is incorrect. This issue only occurs if a user decided to spin up Kong via docker-compose without following the security documentation. The docker-compose template is meant for users to quickly get started with Kong, and is meant for development purposes only. 2) Incorrect Patch Links - The CVE currently points to a documentation improvement as a “Patch” link: https://github.com/Kong/docs.konghq.com/commit/d693827c32144943a2f45abc017c1321b33ff611.This link actually points to an improvement Kong Inc made for fool-proofing. However, instructions for how to protect the admin API were already well-documented here: https://docs.konghq.com/2.0.x/secure-admin-api/#network-layer-access-restrictions , which was first published back in 2017 (as shown in this commit: https://github.com/Kong/docs.konghq.com/commit/e99cf875d875dd84fdb751079ac37882c9972949) Lastly, the hyperlink to https://github.com/Kong/kong (an unrelated Github Repo to this issue) on the Hyperlink list does not include any meaningful information on this topic.” | |||||
| CVE-2020-11708 | 1 Provideserver | 1 Provide Ftp Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in ProVide (formerly zFTPServer) through 13.1. Privilege escalation can occur via the /ajax/SetUserInfo messages parameter because of the EXECUTE() feature, which is for executing programs when certain events are triggered. | |||||
| CVE-2020-11707 | 1 Provideserver | 1 Provide Ftp Server | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in ProVide (formerly zFTPServer) through 13.1. It doesn't enforce permission over Windows Symlinks or Junctions. As a result, a low-privileged user (non-admin) can craft a Junction Link in a directory he has full control of, breaking out of the sandbox. | |||||
| CVE-2020-11706 | 1 Provideserver | 1 Provide Ftp Server | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in ProVide (formerly zFTPServer) through 13.1. The Admin Interface allows CSRF for actions such as: Change any username and password, admin ones included; Create/Delete users; Enable/Disable Services; Set a rogue update proxy; and Shutdown the server. | |||||
| CVE-2020-11705 | 1 Provideserver | 1 Provide Ftp Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in ProVide (formerly zFTPServer) through 13.1. /ajax/ImportCertificate allows an attacker to load an arbitrary certificate in .pfx format or overwrite arbitrary files via the fileName parameter. | |||||
| CVE-2020-11704 | 1 Provideserver | 1 Provide Ftp Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in ProVide (formerly zFTPServer) through 13.1. The Admin Web Interface has Multiple Stored and Reflected XSS. GetInheritedProperties is Reflected via the groups parameter. GetUserInfo is Reflected via POST data. SetUserInfo is Stored via the general parameter. | |||||
| CVE-2020-11703 | 1 Provideserver | 1 Provide Ftp Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in ProVide (formerly zFTPServer) through 13.1. /ajax/GetInheritedProperties allows HTTP Response Splitting via the language parameter. | |||||
| CVE-2020-11702 | 1 Provideserver | 1 Provide Ftp Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in ProVide (formerly zFTPServer) through 13.1. The User Web Interface has Multiple Stored and Reflected XSS issues. Collaborate is Reflected via the filename parameter. Collaborate is Stored via the displayname parameter. Deletemultiple is Reflected via the files parameter. Share is Reflected via the target parameter. Share is Stored via the displayname parameter. Waitedit is Reflected via the Host header. | |||||
| CVE-2020-11701 | 1 Provideserver | 1 Provide Ftp Server | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in ProVide (formerly zFTPServer) through 13.1. CSRF exists in the User Web Interface, as demonstrated by granting filesystem access to the public for uploading and deleting files and directories. | |||||
| CVE-2020-11700 | 1 Titanhq | 1 Spamtitan | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Titan SpamTitan 7.07. Improper sanitization of the parameter fname, used on the page certs-x.php, would allow an attacker to retrieve the contents of arbitrary files. The user has to be authenticated before interacting with this page. | |||||
| CVE-2020-11699 | 1 Titanhq | 1 Spamtitan | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered in Titan SpamTitan 7.07. Improper validation of the parameter fname on the page certs-x.php would allow an attacker to execute remote code on the target server. The user has to be authenticated before interacting with this page. | |||||
| CVE-2020-11698 | 1 Titanhq | 1 Spamtitan | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in Titan SpamTitan 7.07. Improper input sanitization of the parameter community on the page snmp-x.php would allow a remote attacker to inject commands into the file snmpd.conf that would allow executing commands on the target server. | |||||
| CVE-2020-11697 | 1 Combodo | 1 Itop | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4. | |||||
| CVE-2020-11696 | 1 Combodo | 1 Itop | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and iTop essential and iTop professional in version 2.6.4. | |||||
| CVE-2020-11694 | 2 Jetbrains, Microsoft | 2 Pycharm, Windows | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In JetBrains PyCharm 2019.2.5 and 2019.3 on Windows, Apple Notarization Service credentials were included. This is fixed in 2019.2.6 and 2019.3.3. | |||||
| CVE-2020-11693 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| JetBrains YouTrack before 2020.1.659 was vulnerable to DoS that could be caused by attaching a malformed TIFF file to an issue. | |||||