Total
583 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-21503 | 1 Waimai Super Cms Project | 1 Waimai Super Cms | 2021-10-14 | 5.0 MEDIUM | 7.5 HIGH |
| waimai Super Cms 20150505 has a logic flaw allowing attackers to modify a price, before form submission, by observing data in a packet capture. By setting the index.php?m=gift&a=addsave credit parameter to -1, the product is sold for free. | |||||
| CVE-2020-14130 | 1 Mi | 1 Xiaomi | 2021-09-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| Some js interfaces in the Xiaomi community were exposed, causing sensitive functions to be maliciously called on Xiaomi community app Affected Version <3.0.210809 | |||||
| CVE-2021-23034 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more | 2021-09-27 | 7.1 HIGH | 7.5 HIGH |
| On BIG-IP version 16.x before 16.1.0 and 15.1.x before 15.1.3.1, when a DNS profile using a DNS cache resolver is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2020-11582 | 4 Apple, Linux, Oracle and 1 more | 5 Macos, Linux Kernel, Solaris and 2 more | 2021-09-16 | 3.3 LOW | 8.8 HIGH |
| An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, launches a TCP server that accepts local connections on a random port. This can be reached by local HTTP clients, because up to 25 invalid lines are ignored, and because DNS rebinding can occur. (This server accepts, for example, a setcookie command that might be relevant to CVE-2020-11581 exploitation.) | |||||
| CVE-2019-3569 | 1 Facebook | 1 Hhvm | 2021-09-14 | 5.0 MEDIUM | 7.5 HIGH |
| HHVM, when used with FastCGI, would bind by default to all available interfaces. This behavior could allow a malicious individual unintended direct access to the application, which could result in information disclosure. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series. | |||||
| CVE-2001-0893 | 1 Acme | 1 Mini Httpd | 2021-09-13 | 5.0 MEDIUM | N/A |
| Acme mini_httpd before 1.16 allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /. | |||||
| CVE-2001-0892 | 1 Acme | 1 Thttpd | 2021-09-13 | 5.0 MEDIUM | N/A |
| Acme Thttpd Secure Webserver before 2.22, with the chroot option enabled, allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /. | |||||
| CVE-2020-24511 | 3 Debian, Intel, Netapp | 5 Debian Linux, Microcode, Fas\/aff Bios and 2 more | 2021-09-09 | 2.1 LOW | 6.5 MEDIUM |
| Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. | |||||
| CVE-2020-27361 | 1 Akkadianlabs | 1 Akkadian Provisioning Manager | 2021-09-09 | 5.0 MEDIUM | 7.5 HIGH |
| An issue exists within Akkadian Provisioning Manager 4.50.02 which allows attackers to view sensitive information within the /pme subdirectories. | |||||
| CVE-2020-18972 | 1 Podofo Project | 1 Podofo | 2021-09-07 | 4.3 MEDIUM | 5.5 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor in PoDoFo v0.9.6 allows attackers to obtain sensitive information via 'IsNextToken' in the component 'src/base/PdfToenizer.cpp'. | |||||
| CVE-2021-29280 | 1 Tp-link | 2 Tl-wr840n, Tl-wr840n Firmware | 2021-08-26 | 4.3 MEDIUM | 6.4 MEDIUM |
| In TP-Link Wireless N Router WR840N an ARP poisoning attack can cause buffer overflow | |||||
| CVE-2021-38712 | 1 Onenav | 1 Onenav | 2021-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| OneNav 0.9.12 allows Information Disclosure of the onenav.db3 contents. NOTE: the vendor's recommended solution is to block the access via an NGINX configuration file. | |||||
| CVE-2020-21356 | 1 Popojicms | 1 Popojicms | 2021-08-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| An information disclosure vulnerability in upload.php of PopojiCMS 1.2 leads to physical path disclosure of the host when 'name = "file" is deleted during file uploads. | |||||
| CVE-2021-32788 | 1 Discourse | 1 Discourse | 2021-08-05 | 4.0 MEDIUM | 4.3 MEDIUM |
| Discourse is an open source discussion platform. In versions prior to 2.7.7 there are two bugs which led to the post creator of a whisper post being revealed to non-staff users. 1: Staff users that creates a whisper post in a personal message is revealed to non-staff participants of the personal message even though the whisper post cannot be seen by them. 2: When a whisper post is before the last post in a post stream, deleting the last post will result in the creator of the whisper post to be revealed to non-staff users as the last poster of the topic. | |||||
| CVE-2020-16268 | 1 1e | 1 Client | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote authenticated users and local users to gain elevated privileges via the repair option. This applies to installations that have a TRANSFORM (MST) with the option to disable the installation of the Nomad module. An attacker may craft a .reg file in a specific location that will be able to write to any registry key as an elevated user. | |||||
| CVE-2020-25040 | 2 Opensuse, Sylabs | 2 Leap, Singularity | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| Sylabs Singularity through 3.6.2 has Insecure Permissions on temporary directories used in explicit and implicit container build operations, a different vulnerability than CVE-2020-25039. | |||||
| CVE-2019-5159 | 1 Wago | 1 E\!cockpit | 2021-07-21 | 6.8 MEDIUM | 7.8 HIGH |
| An exploitable improper input validation vulnerability exists in the firmware update functionality of WAGO e!COCKPIT automation software v1.6.0.7. A specially crafted firmware update file can allow an attacker to write arbitrary files to arbitrary locations on WAGO controllers as a part of executing a firmware update, potentially resulting in code execution. An attacker can create a malicious firmware update package file using any zip utility. The user must initiate a firmware update through e!COCKPIT and choose the malicious wup file using the file browser to trigger the vulnerability. | |||||
| CVE-2020-11610 | 1 Cross Domain Local Storage Project | 1 Cross Domain Local Storage | 2021-07-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in xdLocalStorage through 2.0.5. The postData() function in xdLocalStoragePostMessageApi.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the parent object. Therefore any domain can load the application hosting the "magical iframe" and receive the messages that the "magical iframe" sends. | |||||
| CVE-2020-25039 | 2 Opensuse, Sylabs | 2 Leap, Singularity | 2021-07-21 | 5.5 MEDIUM | 8.1 HIGH |
| Sylabs Singularity 3.2.0 through 3.6.2 has Insecure Permissions on temporary directories used in fakeroot or user namespace container execution. | |||||
| CVE-2020-15816 | 1 Westerndigital | 1 Wd Discovery | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| In Western Digital WD Discovery before 4.0.251.0, a malicious application running with standard user permissions could potentially execute code in the application's process through library injection by using DYLD environment variables. | |||||