Vulnerabilities > Debian > Critical

| Date | CVE | Vulnerability title | Description | Attack vector | Complexity | Vendors | CWE | Risk | Score |
|---|---|---|---|---|---|---|---|---|---|
| 2020-12-07 | CVE-2020-29600 | Path Traversal vulnerability in multiple products | In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. | network | low | awstats, debian, fedoraproject | CWE-22 | critical | 9.8 |
| 2020-11-19 | CVE-2019-20933 | Improper Authentication vulnerability in multiple products | InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). | network | low | influxdata, debian | CWE-287 | critical | 9.8 |
| 2020-11-06 | CVE-2020-25592 | Improper Authentication vulnerability in multiple products | In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. | network | low | saltstack, debian | CWE-287 | critical | 9.8 |
| 2020-11-06 | CVE-2020-16846 | OS Command Injection vulnerability in multiple products | An issue was discovered in SaltStack Salt through 3002. | network | low | saltstack, debian, fedoraproject | CWE-78 | critical | 9.8 |
| 2020-11-05 | CVE-2020-17510 | Improper Authentication vulnerability in multiple products | In Apache Shiro before 1.7.0, when Apache Shiro is used with Spring, a specially crafted HTTP request may cause an authentication bypass. | network | low | apache, debian | CWE-287 | critical | 9.8 |
| 2020-11-02 | CVE-2020-28039 | | is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected. | network | low | wordpress, debian, canonical | | critical | 9.1 |
| 2020-11-02 | CVE-2020-28037 | Improper Check for Unusual or Exceptional Conditions vulnerability in multiple products | is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation). | network | low | wordpress, fedoraproject, debian | CWE-754 | critical | 9.8 |
| 2020-11-02 | CVE-2020-28036 | Missing Authorization vulnerability in multiple products | wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post. | network | low | wordpress, fedoraproject, debian | CWE-862 | critical | 9.8 |
| 2020-11-02 | CVE-2020-28035 | | WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC. | network | low | wordpress, fedoraproject, debian | | critical | 9.8 |
| 2020-11-02 | CVE-2020-28032 | Deserialization of Untrusted Data vulnerability in multiple products | WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php. | network | low | wordpress, fedoraproject, debian | CWE-502 | critical | 9.8 |