Total: 317551 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-11454 | 1 Microstrategy | 1 Microstrategy Web | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Microstrategy Web 10.4 is vulnerable to Stored XSS in the HTML Container and Insert Text features in the window, allowing for the creation of a new dashboard. In order to exploit this vulnerability, a user needs to get access to a shared dashboard or have the ability to create a dashboard on the application. | |||||
| CVE-2020-11453 | 1 Microstrategy | 1 Microstrategy Web | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| ** DISPUTED ** Microstrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and, while it is not possible to pass parameters in the SSRF request, it is still possible to exploit it to conduct port scanning. An attacker could exploit this vulnerability to enumerate the resources allocated in the network (IP addresses and services exposed). NOTE: MicroStrategy is unable to reproduce the issue reported in any version of its product. | |||||
| CVE-2020-11452 | 1 Microstrategy | 1 Microstrategy Web | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Microstrategy Web 10.4 includes functionality to allow users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it's possible to send requests to external resources (aka SSRF) or leak files from the local system using the file:// stream wrapper. | |||||
| CVE-2020-11451 | 1 Microstrategy | 1 Microstrategy Web | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The Upload Visualization plugin in the Microstrategy Web 10.4 admin panel allows an administrator to upload a ZIP archive containing files with arbitrary extensions and data. (This is also exploitable via SSRF). Note: The ability to upload visualization plugins requires administrator privileges. | |||||
| CVE-2020-11450 | 1 Microstrategy | 1 Microstrategy Web | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL /MicroStrategyWS/happyaxis.jsp. An attacker could use this vulnerability to learn more about the environment the application is running in. This issue has been mitigated in all versions of the product 11.0 and higher. | |||||
| CVE-2020-11449 | 1 Technicolor | 2 Tc7337, Tc7337 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Technicolor TC7337 8.89.17 devices. An attacker can discover admin credentials in the backup file, aka backupsettings.conf. | |||||
| CVE-2020-11448 | 1 Bell | 2 Home Hub 3000, Home Hub 3000 Firmware | 2024-11-21 | N/A | 6.1 MEDIUM |
| An issue was discovered on Bell HomeHub 3000 SG48222070 devices. There is XSS related to the email field and the login page. | |||||
| CVE-2020-11447 | 1 Bell | 2 Home Hub 3000, Home Hub 3000 Firmware | 2024-11-21 | N/A | 4.3 MEDIUM |
| An issue was discovered on Bell HomeHub 3000 SG48222070 devices. Remote authenticated users can retrieve the serial number via cgi/json-req - this is an information leak because the serial number is intended to prove an actor's physical access to the device. | |||||
| CVE-2020-11446 | 1 Eset | 8 Antivirus And Antispyware, Endpoint Antivirus, Endpoint Security and 5 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| ESET Antivirus and Antispyware Module 1553 through 1560 allows a user with limited access rights to create hard links in some ESET directories and then force the product to write through these links into files that would normally not be writable by the user, thus achieving privilege escalation. | |||||
| CVE-2020-11445 | 1 Tp-link | 30 Kc200, Kc200 Firmware, Kc300s2 and 27 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| TP-Link cloud cameras through 2020-02-09 allow remote attackers to bypass authentication and obtain sensitive information via vectors involving a Wi-Fi session with GPS enabled, aka CNVD-2020-04855. | |||||
| CVE-2020-11444 | 1 Sonatype | 1 Nexus | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Sonatype Nexus Repository Manager 3.x up to and including 3.21.2 has Incorrect Access Control. | |||||
| CVE-2020-11443 | 1 Zoom | 1 It Installer | 2024-11-21 | 8.5 HIGH | 8.1 HIGH |
| The Zoom IT installer for Windows (ZoomInstallerFull.msi) prior to version 4.6.10 deletes files located in %APPDATA%\Zoom before installing an updated version of the client. Standard users are able to write to this directory, and can write links to other directories on the machine. As the installer runs with SYSTEM privileges and follows these links, a user can cause the installer to delete files that otherwise cannot be deleted by the user. | |||||
| CVE-2020-11441 | 1 Phpmyadmin | 1 Phpmyadmin | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| ** DISPUTED ** phpMyAdmin 5.0.2 allows CRLF injection, as demonstrated by %0D%0Astring%0D%0A inputs to login form fields causing CRLF sequences to be reflected on an error page. NOTE: the vendor states "I don't see anything specifically exploitable." | |||||
| CVE-2020-11440 | 1 Windriver | 1 Vxworks | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| httpRpmFs in WebCLI in Wind River VxWorks 5.5 through 7 SR0640 has no check for an escape from the web root. | |||||
| CVE-2020-11439 | 1 Librehealth | 1 Librehealth Ehr | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| LibreHealth EMR v2.0.0 is affected by a Local File Inclusion issue allowing arbitrary PHP to be included and executed within the EMR application. | |||||
| CVE-2020-11438 | 1 Librehealth | 1 Librehealth Ehr | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| LibreHealth EMR v2.0.0 is affected by systemic CSRF. | |||||
| CVE-2020-11437 | 1 Librehealth | 1 Librehealth Ehr | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| LibreHealth EMR v2.0.0 is affected by SQL injection allowing low-privilege authenticated users to enumerate the database. | |||||
| CVE-2020-11436 | 1 Librehealth | 1 Librehealth Ehr | 2024-11-21 | 6.0 MEDIUM | 9.0 CRITICAL |
| LibreHealth EMR v2.0.0 is vulnerable to XSS that results in the ability to force arbitrary actions on behalf of other users including administrators. | |||||
| CVE-2020-11431 | 1 Inetsoftware | 3 Clear Reports, Helpdesk, Pdfc | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| The documentation component in i-net Clear Reports 16.0 to 19.2, HelpDesk 8.0 to 8.3, and PDFC 4.3 to 6.2 allows a remote unauthenticated attacker to read arbitrary system files and directories on the target server via Directory Traversal. | |||||
| CVE-2020-11420 | 2 Abb, Generex | 4 Cs141, Cs141 Firmware, Cs141 and 1 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| UPS Adapter CS141 before 1.90 allows Directory Traversal. An attacker with Admin or Engineer login credentials could exploit the vulnerability by manipulating variables that reference files and thereby gain access to files and directories outside the web root folder. An attacker may access arbitrary files and directories stored in the file system, but the integrity of the files is not jeopardized, as the attacker has read access rights only. | |||||
