Total: 317931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-11003 | 1 Fraction | 1 Oasis | 2024-11-21 | 5.8 MEDIUM | 4.8 MEDIUM | Oasis before version 2.15.0 has a potential DNS rebinding or CSRF vulnerability. If you're running a vulnerable application on your computer and an attacker can trick you into visiting a malicious website, they could use DNS rebinding and CSRF attacks to read/write to vulnerable applications. This has been patched in 2.15.0. |
| CVE-2020-11002 | 1 Dropwizard | 1 Dropwizard Validation | 2024-11-21 | 9.0 HIGH | 8.0 HIGH | dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature enabling attackers to inject arbitrary Java EL expressions, leading to a Remote Code Execution (RCE) vulnerability. If you are using a self-validating bean, an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying issue completely. The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later. We strongly recommend upgrading to one of these versions. |
| CVE-2020-11001 | 1 Torchbox | 1 Wagtail | 2024-11-21 | 3.5 LOW | 5.8 MEDIUM | In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch). |
| CVE-2020-11000 | 1 Greenbrowser Project | 1 Greenbrowser | 2024-11-21 | 4.3 MEDIUM | 5.7 MEDIUM | GreenBrowser before version 1.2 has a vulnerability where apps that rely on URL parsing to verify that a given URL points to a trusted server may be susceptible to many different ways of getting URL parsing and verification wrong, which allows an attacker to circumvent the access control. This problem has been patched in version 1.2. |
| CVE-2020-10997 | 1 Percona | 1 Xtrabackup | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | Percona XtraBackup before 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table. |
| CVE-2020-10996 | 1 Percona | 1 Xtradb Cluster | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH | An issue was discovered in Percona XtraDB Cluster before 5.7.28-31.41.2. A bundled script inadvertently sets a static transition_key for SST processes in place of the random key expected. |
| CVE-2020-10995 | 4 Debian, Fedoraproject, Opensuse and 1 more | 5 Debian Linux, Fedora, Backports Sle and 2 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. An issue in the DNS protocol has been found that allows malicious parties to use recursive DNS services to attack third-party authoritative name servers. The attack uses a crafted reply by an authoritative name server to amplify the resulting traffic between the recursive and other authoritative name servers. Both types of service can suffer degraded performance as an effect. This is triggered by random subdomains in the NSDNAME in NS records. PowerDNS Recursor 4.1.16, 4.2.2 and 4.3.1 contain a mitigation to limit the impact of this DNS protocol issue. |
| CVE-2020-10994 | 3 Canonical, Fedoraproject, Python | 3 Ubuntu Linux, Fedora, Pillow | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM | In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. |
| CVE-2020-10993 | 1 Osmand | 1 Osmand | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL | Osmand through 2.0.0 allows XXE because of binary/BinaryMapIndexReader.java. |
| CVE-2020-10992 | 1 Azkaban Project | 1 Azkaban | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorManager.java and user/XmlUserManager.java. |
| CVE-2020-10991 | 1 Mulesoft | 1 Aplkit | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java. |
| CVE-2020-10990 | 1 Accenture | 1 Mercury | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An XXE issue exists in Accenture Mercury before 1.12.28 because of the platformlambda/core/serializers/SimpleXmlParser.java component. |
| CVE-2020-10989 | 1 Tenda | 2 Ac15, Ac15 Firmware | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An XSS issue in the /goform/WifiBasicSet endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute malicious payloads via the WifiName POST parameter. |
| CVE-2020-10988 | 1 Tenda | 2 Ac15, Ac15 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | A hard-coded telnet credential in the tenda_login binary of Tenda AC15 AC1900 version 15.03.05.19 allows unauthenticated remote attackers to start a telnetd service on the device. |
| CVE-2020-10986 | 1 Tenda | 2 Ac15, Ac15 Firmware | 2024-11-21 | 7.1 HIGH | 6.5 MEDIUM | A CSRF issue in the /goform/SysToolReboot endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to reboot the device and cause denial of service via a payload hosted by an attacker-controlled web page. |
| CVE-2020-10985 | 1 Gambio | 1 Gambio Gx | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | Gambio GX before 4.0.1.0 allows XSS in admin/coupon_admin.php. |
| CVE-2020-10984 | 1 Gambio | 1 Gambio Gx | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | Gambio GX before 4.0.1.0 allows CSRF in admin/admin.php. |
| CVE-2020-10983 | 1 Gambio | 1 Gambio Gx | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM | Gambio GX before 4.0.1.0 allows SQL injection in admin/mobile.php. |
| CVE-2020-10982 | 1 Gambio | 1 Gambio Gx | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM | Gambio GX before 4.0.1.0 allows SQL injection in admin/gv_mail.php. |
| CVE-2020-10981 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | GitLab EE/CE 9.0 to 12.9 allows a maintainer to modify other maintainers' pipeline trigger descriptions within the same project. |
