Weekly Vulnerabilities Reports > December 28, 2020 to January 3, 2021

Overview

353 new vulnerabilities reported during this period, including 82 critical vulnerabilities and 118 high severity vulnerabilities. This weekly summary report vulnerabilities in 380 products from 171 vendors including Netgear, Zammad, Huawei, Rusqlite Project, and Rest Json Project. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Use After Free", "SQL Injection", and "Race Condition".

  • 285 reported vulnerabilities are remotely exploitables.
  • 14 reported vulnerabilities have public exploit available.
  • 125 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 191 reported vulnerabilities are exploitable by an anonymous user.
  • Netgear has the most reported vulnerabilities, with 66 reported vulnerabilities.
  • Rusqlite Project has the most reported critical vulnerabilities, with 7 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

82 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-01-01 CVE-2020-35951 Expresstech Missing Authentication for Critical Function vulnerability in Expresstech Quiz and Survey Master

An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress.

9.9
2020-12-31 CVE-2020-17363 Usvn OS Command Injection vulnerability in Usvn

USVN (aka User-friendly SVN) before 1.0.9 allows remote code execution via shell metacharacters in the number_start or number_end parameter to LastHundredRequest (aka lasthundredrequestAction) in the Timeline module.

9.9
2020-12-30 CVE-2020-10208 Amino Injection vulnerability in Amino products

Command Injection in EntoneWebEngine in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows authenticated remote attackers to execute arbitrary commands with root user privileges.

9.9
2021-01-01 CVE-2020-35949 Expresstech Unrestricted Upload of File with Dangerous Type vulnerability in Expresstech Quiz and Survey Master

An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress.

9.8
2021-01-01 CVE-2016-20005 Rest Json Project Incorrect Authorization vulnerability in Rest/Json Project Rest/Json

The REST/JSON project 7.x-1.x for Drupal allows user registration bypass, aka SA-CONTRIB-2016-033.

9.8
2021-01-01 CVE-2016-20004 Rest Json Project Incorrect Authorization vulnerability in Rest/Json Project Rest/Json

The REST/JSON project 7.x-1.x for Drupal allows field access bypass, aka SA-CONTRIB-2016-033.

9.8
2021-01-01 CVE-2016-20002 Rest Json Project Incorrect Authorization vulnerability in Rest/Json Project Rest/Json

The REST/JSON project 7.x-1.x for Drupal allows comment access bypass, aka SA-CONTRIB-2016-033.

9.8
2021-01-01 CVE-2016-20001 Rest Json Project Incorrect Authorization vulnerability in Rest/Json Project Rest/Json

The REST/JSON project 7.x-1.x for Drupal allows node access bypass, aka SA-CONTRIB-2016-033.

9.8
2020-12-31 CVE-2020-35895 Stack Project Out-of-bounds Write vulnerability in Stack Project Stack

An issue was discovered in the stack crate before 0.3.1 for Rust.

9.8
2020-12-31 CVE-2020-35888 ARR Project Use of Uninitialized Resource vulnerability in ARR Project ARR

An issue was discovered in the arr crate through 2020-08-25 for Rust.

9.8
2020-12-31 CVE-2020-35887 ARR Project Classic Buffer Overflow vulnerability in ARR Project ARR

An issue was discovered in the arr crate through 2020-08-25 for Rust.

9.8
2020-12-31 CVE-2020-35885 Alpm RS Project Double Free vulnerability in Alpm-Rs Project Alpm-Rs

An issue was discovered in the alpm-rs crate through 2020-08-20 for Rust.

9.8
2020-12-31 CVE-2020-35881 Traitobject Project Out-of-bounds Write vulnerability in Traitobject Project Traitobject

An issue was discovered in the traitobject crate through 2020-06-01 for Rust.

9.8
2020-12-31 CVE-2020-35880 Bigint Project Unspecified vulnerability in Bigint Project Bigint

An issue was discovered in the bigint crate through 2020-05-07 for Rust.

9.8
2020-12-31 CVE-2020-35879 Rulinalg Project Unspecified vulnerability in Rulinalg Project Rulinalg 0.4.1

An issue was discovered in the rulinalg crate through 2020-02-11 for Rust.

9.8
2020-12-31 CVE-2020-35878 Ozone Project Use of Uninitialized Resource vulnerability in Ozone Project Ozone 0.0.1/0.1.0

An issue was discovered in the ozone crate through 2020-07-04 for Rust.

9.8
2020-12-31 CVE-2020-35877 Ozone Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ozone Project Ozone 0.0.1/0.1.0

An issue was discovered in the ozone crate through 2020-07-04 for Rust.

9.8
2020-12-31 CVE-2020-35876 RIO Project Missing Release of Resource after Effective Lifetime vulnerability in RIO Project RIO

An issue was discovered in the rio crate through 2020-05-11 for Rust.

9.8
2020-12-31 CVE-2020-35873 Rusqlite Project Use After Free vulnerability in Rusqlite Project Rusqlite

An issue was discovered in the rusqlite crate before 0.23.0 for Rust.

9.8
2020-12-31 CVE-2020-35872 Rusqlite Project Unspecified vulnerability in Rusqlite Project Rusqlite

An issue was discovered in the rusqlite crate before 0.23.0 for Rust.

9.8
2020-12-31 CVE-2020-35870 Rusqlite Project Use After Free vulnerability in Rusqlite Project Rusqlite

An issue was discovered in the rusqlite crate before 0.23.0 for Rust.

9.8
2020-12-31 CVE-2020-35869 Rusqlite Project Use of Externally-Controlled Format String vulnerability in Rusqlite Project Rusqlite

An issue was discovered in the rusqlite crate before 0.23.0 for Rust.

9.8
2020-12-31 CVE-2020-35868 Rusqlite Project Unspecified vulnerability in Rusqlite Project Rusqlite

An issue was discovered in the rusqlite crate before 0.23.0 for Rust.

9.8
2020-12-31 CVE-2020-35867 Rusqlite Project Unspecified vulnerability in Rusqlite Project Rusqlite

An issue was discovered in the rusqlite crate before 0.23.0 for Rust.

9.8
2020-12-31 CVE-2020-35866 Rusqlite Project Unspecified vulnerability in Rusqlite Project Rusqlite

An issue was discovered in the rusqlite crate before 0.23.0 for Rust.

9.8
2020-12-31 CVE-2020-35863 Hyper HTTP Request Smuggling vulnerability in Hyper

An issue was discovered in the hyper crate before 0.12.34 for Rust.

9.8
2020-12-31 CVE-2020-35862 Bitvec Project Use After Free vulnerability in Bitvec Project Bitvec

An issue was discovered in the bitvec crate before 0.17.4 for Rust.

9.8
2020-12-31 CVE-2020-35860 Cbox Project NULL Pointer Dereference vulnerability in Cbox Project Cbox

An issue was discovered in the cbox crate through 2020-03-19 for Rust.

9.8
2020-12-31 CVE-2020-35858 Prost Project Out-of-bounds Write vulnerability in Prost Project Prost

An issue was discovered in the prost crate before 0.6.1 for Rust.

9.8
2020-12-31 CVE-2019-25010 Failure Project Type Confusion vulnerability in Failure Project Failure

An issue was discovered in the failure crate through 2019-11-13 for Rust.

9.8
2020-12-31 CVE-2019-25009 Hyper Double Free vulnerability in Hyper Http

An issue was discovered in the http crate before 0.1.20 for Rust.

9.8
2020-12-31 CVE-2019-25004 Google Unspecified vulnerability in Google Flatbuffers 0.4.0/0.5.0/0.6.0

An issue was discovered in the flatbuffers crate before 0.6.1 for Rust.

9.8
2020-12-31 CVE-2019-25002 Sodiumoxide Project Unspecified vulnerability in Sodiumoxide Project Sodiumoxide

An issue was discovered in the sodiumoxide crate before 0.2.5 for Rust.

9.8
2020-12-31 CVE-2020-35926 Nanorand Project Incorrect Conversion between Numeric Types vulnerability in Nanorand Project Nanorand

An issue was discovered in the nanorand crate before 0.5.1 for Rust.

9.8
2020-12-31 CVE-2020-35902 Actix Use After Free vulnerability in Actix Actix-Codec

An issue was discovered in the actix-codec crate before 0.3.0-beta.1 for Rust.

9.8
2020-12-31 CVE-2020-35851 Hgiga OS Command Injection vulnerability in Hgiga Msr45 Isherlock-User and Ssr45 Isherlock-User

HGiga MailSherlock does not validate specific parameters properly.

9.8
2020-12-31 CVE-2020-25848 Hgiga Improper Authentication vulnerability in Hgiga products

HGiga MailSherlock contains weak authentication flaw that attackers grant privilege remotely with default password generation mechanism.

9.8
2020-12-31 CVE-2020-25844 Panorama Out-of-bounds Write vulnerability in Panorama Nhiservisignadapter 1.0.20.0218

The digest generation function of NHIServiSignAdapter has not been verified for parameter’s length, which leads to a stack overflow loophole.

9.8
2020-12-31 CVE-2020-25843 Panorama Out-of-bounds Write vulnerability in Panorama Nhiservisignadapter 1.0.20.0218

NHIServiSignAdapter fails to verify the length of digital credential files’ path which leads to a heap overflow loophole.

9.8
2020-12-31 CVE-2019-7726 Nukeviet SQL Injection vulnerability in Nukeviet

modules/banners/funcs/click.php in NukeViet before 4.3.04 has a SQL INSERT statement with raw header data from an HTTP request (e.g., Referer and User-Agent).

9.8
2020-12-31 CVE-2019-7725 Nukeviet Deserialization of Untrusted Data vulnerability in Nukeviet

includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk).

9.8
2020-12-31 CVE-2018-14067 Greenpacket Command Injection vulnerability in Greenpacket Dv-360 Firmware 2.10.14G1.0.6.1

Green Packet WiMax DV-360 2.10.14-g1.0.6.1 devices allow Command Injection, with unauthenticated remote command execution, via a crafted payload to the HTTPS port, because lighttpd listens on all network interfaces (including the external Internet) by default.

9.8
2020-12-31 CVE-2016-9026 Exponentcms Improper Input Validation vulnerability in Exponentcms Exponent CMS

Exponent CMS before 2.6.0 has improper input validation in fileController.php.

9.8
2020-12-31 CVE-2016-9025 Exponentcms Improper Input Validation vulnerability in Exponentcms Exponent CMS

Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php.

9.8
2020-12-31 CVE-2016-9023 Exponentcms Improper Input Validation vulnerability in Exponentcms Exponent CMS

Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php.

9.8
2020-12-31 CVE-2016-9022 Exponentcms Improper Input Validation vulnerability in Exponentcms Exponent CMS

Exponent CMS before 2.6.0 has improper input validation in usersController.php.

9.8
2020-12-31 CVE-2016-9021 Exponentcms Improper Input Validation vulnerability in Exponentcms Exponent CMS

Exponent CMS before 2.6.0 has improper input validation in storeController.php.

9.8
2020-12-31 CVE-2020-12658 Gssproxy Project
Debian
Improper Locking vulnerability in multiple products

gssproxy (aka gss-proxy) before 0.8.3 does not unlock cond_mutex before pthread exit in gp_worker_main() in gp_workers.c.

9.8
2020-12-30 CVE-2020-11103 Webswing Unspecified vulnerability in Webswing

JsLink in Webswing before 2.6.12 LTS, and 2.7.x and 20.x before 20.1, allows remote code execution.

9.8
2020-12-30 CVE-2020-35173 Amaze File Manager Project Unspecified vulnerability in Amaze File Manager Project Amaze File Manager

The Amaze File Manager application before 3.4.2 for Android does not properly restrict intents for controlling the FTP server (aka services.ftpservice.FTPReceiver.ACTION_START_FTPSERVER and services.ftpservice.FTPReceiver.ACTION_STOP_FTPSERVER).

9.8
2020-12-30 CVE-2019-12768 Dlink Forced Browsing vulnerability in Dlink Dap-1650 Firmware

An issue was discovered on D-Link DAP-1650 devices through v1.03b07 before 1.04B02_J65H Hot Fix.

9.8
2020-12-30 CVE-2020-29594 Rocket Chat Unspecified vulnerability in Rocket.Chat

Rocket.Chat before 0.74.4, 1.x before 1.3.4, 2.x before 2.4.13, 3.x before 3.7.3, 3.8.x before 3.8.3, and 3.9.x before 3.9.1 mishandles SAML login.

9.8
2020-12-30 CVE-2020-35848 Agentejo SQL Injection vulnerability in Agentejo Cockpit

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function.

9.8
2020-12-30 CVE-2020-35847 Agentejo SQL Injection vulnerability in Agentejo Cockpit

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function.

9.8
2020-12-30 CVE-2020-35846 Agentejo SQL Injection vulnerability in Agentejo Cockpit

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.

9.8
2020-12-30 CVE-2020-35799 Netgear Out-of-bounds Write vulnerability in Netgear products

Certain NETGEAR devices are affected by a stack-based buffer overflow by an unauthenticated attacker.

9.8
2020-12-30 CVE-2020-35797 Netgear Unrestricted Upload of File with Dangerous Type vulnerability in Netgear Nms300 Firmware

NETGEAR NMS300 devices before 1.6.0.27 are affected by command injection by an unauthenticated attacker.

9.8
2020-12-30 CVE-2020-35796 Netgear Classic Buffer Overflow vulnerability in Netgear products

Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker.

9.8
2020-12-30 CVE-2020-35795 Netgear Classic Buffer Overflow vulnerability in Netgear products

Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker.

9.8
2020-12-29 CVE-2020-10210 Amino Use of Hard-coded Credentials vulnerability in Amino products

Because of hard-coded SSH keys for the root user in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series, Kami7B, an attacker may remotely log in through SSH.

9.8
2020-12-29 CVE-2020-10207 Amino Use of Hard-coded Credentials vulnerability in Amino products

Use of Hard-coded Credentials in EntoneWebEngine in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows remote attackers to retrieve and modify the device settings.

9.8
2020-12-29 CVE-2020-10148 Solarwinds Improper Authentication vulnerability in Solarwinds Orion Platform 2019.4/2020.2/2020.2.1

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands.

9.8
2020-12-29 CVE-2020-28283 Libnested Project Unspecified vulnerability in Libnested Project Libnested

Prototype pollution vulnerability in 'libnested' versions 0.0.0 through 1.5.0 allows an attacker to cause a denial of service and may lead to remote code execution.

9.8
2020-12-29 CVE-2020-28282 Getobject Project Unspecified vulnerability in Getobject Project Getobject 0.1.0

Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.

9.8
2020-12-29 CVE-2020-28281 SET Object Value Project Unspecified vulnerability in Set-Object-Value Project Set-Object-Value

Prototype pollution vulnerability in 'set-object-value' versions 0.0.0 through 0.0.5 allows an attacker to cause a denial of service and may lead to remote code execution.

9.8
2020-12-29 CVE-2020-28280 Predefine Project Unspecified vulnerability in Predefine Project Predefine 0.0.0/0.1.2

Prototype pollution vulnerability in 'predefine' versions 0.0.0 through 0.1.2 allows an attacker to cause a denial of service and may lead to remote code execution.

9.8
2020-12-29 CVE-2020-28279 Flattenizer Project Unspecified vulnerability in Flattenizer Project Flattenizer

Prototype pollution vulnerability in 'flattenizer' versions 0.0.5 through 1.0.5 allows an attacker to cause a denial of service and may lead to remote code execution.

9.8
2020-12-29 CVE-2020-28278 Shvl Project Unspecified vulnerability in Shvl Project Shvl

Prototype pollution vulnerability in 'shvl' versions 1.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.

9.8
2020-12-29 CVE-2020-28277 Dset Project Unspecified vulnerability in Dset Project Dset 1.0.0/2.0.0/2.0.1

Prototype pollution vulnerability in 'dset' versions 1.0.0 through 2.0.1 allows attacker to cause a denial of service and may lead to remote code execution.

9.8
2020-12-29 CVE-2020-28276 Deep SET Project Unspecified vulnerability in Deep-Set Project Deep-Set 1.0.0/1.0.1

Prototype pollution vulnerability in 'deep-set' versions 1.0.0 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.

9.8
2020-12-29 CVE-2020-35769 Webmin Unspecified vulnerability in Webmin 1.962

miniserv.pl in Webmin 1.962 on Windows mishandles special characters in query arguments to the CGI program.

9.8
2020-12-28 CVE-2020-27172 Gdatasoftware Link Following vulnerability in Gdatasoftware G Data

An issue was discovered in G-Data before 25.5.9.25 using Symbolic links, it is possible to abuse the infected-file restore mechanism to achieve arbitrary write that leads to elevation of privileges.

9.8
2020-12-28 CVE-2020-35613 Joomla SQL Injection vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.0.0 through 3.9.22.

9.8
2020-12-28 CVE-2020-26030 Zammad Improper Authentication vulnerability in Zammad

An issue was discovered in Zammad before 3.4.1.

9.8
2020-12-28 CVE-2020-26290 Linuxfoundation Unspecified vulnerability in Linuxfoundation DEX

Dex is a federated OpenID Connect provider written in Go.

9.6
2020-12-30 CVE-2020-35800 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by incorrect configuration of security settings.

9.4
2020-12-31 CVE-2018-19945 Qnap Path Traversal vulnerability in Qnap QTS

A vulnerability has been reported to affect earlier QNAP devices running QTS 4.3.4 to 4.3.6.

9.1
2020-12-31 CVE-2020-35892 Simple Slab Project Out-of-bounds Read vulnerability in Simple-Slab Project Simple-Slab

An issue was discovered in the simple-slab crate before 0.3.3 for Rust.

9.1
2020-12-31 CVE-2020-35883 Mozwire Project Path Traversal vulnerability in Mozwire Project Mozwire

An issue was discovered in the mozwire crate through 2020-08-18 for Rust.

9.1
2020-12-31 CVE-2020-35859 Lucet Runtime Internals Project Out-of-bounds Write vulnerability in Lucet-Runtime-Internals Project Lucet-Runtime-Internals

An issue was discovered in the lucet-runtime-internals crate before 0.5.1 for Rust.

9.1
2020-12-31 CVE-2020-35898 Actix Use After Free vulnerability in Actix Actix-Utils

An issue was discovered in the actix-utils crate before 2.0.0 for Rust.

9.1
2021-01-01 CVE-2020-35717 Electronjs Cross-site Scripting vulnerability in Electronjs Zonote

zonote through 0.4.0 allows XSS via a crafted note, with resultant Remote Code Execution (because nodeIntegration in webPreferences is true).

9.0

118 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2021-01-01 CVE-2020-35950 Xcloner Cross-Site Request Forgery (CSRF) vulnerability in Xcloner

An issue was discovered in the XCloner Backup and Restore plugin before 4.2.153 for WordPress.

8.8
2021-01-01 CVE-2020-35948 Xcloner Incorrect Authorization vulnerability in Xcloner

An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress.

8.8
2021-01-01 CVE-2020-35945 Elegant Themes Unrestricted Upload of File with Dangerous Type vulnerability in Elegant Themes Divi, Divi Builder and Divi Extra

An issue was discovered in the Divi Builder plugin, Divi theme, and Divi Extra theme before 4.5.3 for WordPress.

8.8
2021-01-01 CVE-2020-35944 Pagelayer Cross-site Scripting vulnerability in Pagelayer

An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress.

8.8
2021-01-01 CVE-2020-35939 Pickplugins Deserialization of Untrusted Data vulnerability in Pickplugins Post Grid and Team Showcase

PHP Object injection vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data supplied in a remotely hosted crafted payload in the source parameter via AJAX.

8.8
2021-01-01 CVE-2020-35938 Pickplugins Deserialization of Untrusted Data vulnerability in Pickplugins Post Grid and Team Showcase

PHP Object injection vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data supplied in a remotely hosted crafted payload in the source parameter via AJAX.

8.8
2021-01-01 CVE-2020-35935 Vasyltech Unspecified vulnerability in Vasyltech Advanced Access Manager

The Advanced Access Manager plugin before 6.6.2 for WordPress allows privilege escalation on profile updates via the aam_user_roles POST parameter if Multiple Role support is enabled.

8.8
2021-01-01 CVE-2020-35932 Tribulant Deserialization of Untrusted Data vulnerability in Tribulant Newsletter

Insecure Deserialization in the Newsletter plugin before 6.8.2 for WordPress allows authenticated remote attackers with minimal privileges (such as subscribers) to use the tpnc_render AJAX action to inject arbitrary PHP objects via the options[inline_edits] parameter.

8.8
2021-01-01 CVE-2018-25002 Sunhater Improper Input Validation vulnerability in Sunhater Kcfinder

uploader.php in the KCFinder integration project through 2018-06-01 for Drupal mishandles validation, aka SA-CONTRIB-2018-024.

8.8
2020-12-31 CVE-2020-26165 Qdpm Deserialization of Untrusted Data vulnerability in Qdpm 8.3/9.0/9.1

qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used.

8.8
2020-12-31 CVE-2018-16795 Open EMR Cross-Site Request Forgery (CSRF) vulnerability in Open-Emr Openemr 5.0.1.3

OpenEMR 5.0.1.3 allows Cross-Site Request Forgery (CSRF) via library/ajax and interface/super, as demonstrated by use of interface/super/manage_site_files.php to upload a .php file.

8.8
2020-12-31 CVE-2020-19664 Draytek OS Command Injection vulnerability in Draytek Vigor2960 Firmware 1.3.1

DrayTek Vigor2960 1.5.1 allows remote command execution via shell metacharacters in a toLogin2FA action to mainfunction.cgi.

8.8
2020-12-30 CVE-2020-28736 Plone XXE vulnerability in Plone

Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).

8.8
2020-12-30 CVE-2020-28735 Plone Server-Side Request Forgery (SSRF) vulnerability in Plone

Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role).

8.8
2020-12-30 CVE-2020-28734 Plone XXE vulnerability in Plone

Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role.

8.8
2020-12-30 CVE-2020-27848 Dotcms SQL Injection vulnerability in Dotcms

dotCMS before 20.10.1 allows SQL injection, as demonstrated by the /api/v1/containers orderby parameter.

8.8
2020-12-30 CVE-2020-35789 Netgear OS Command Injection vulnerability in Netgear Nms300 Firmware

NETGEAR NMS300 devices before 1.6.0.27 are affected by command injection by an authenticated user.

8.8
2020-12-30 CVE-2020-35785 Netgear Improper Authentication vulnerability in Netgear Dgn2200 Firmware 1.0.0.507.0.50/1.0.0.55/1.0.0.58

NETGEAR DGN2200v1 devices before v1.0.0.60 mishandle HTTPd authentication (aka PSV-2020-0363, PSV-2020-0364, and PSV-2020-0365).

8.8
2020-12-30 CVE-2020-35778 Netgear Cross-Site Request Forgery (CSRF) vulnerability in Netgear Gs716T Firmware and Gs724T Firmware

Certain NETGEAR devices are affected by CSRF.

8.8
2020-12-29 CVE-2020-27645 1E Unquoted Search Path or Element vulnerability in 1E Client 5.0.0.745

The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe.

8.8
2020-12-29 CVE-2020-27644 1E Unquoted Search Path or Element vulnerability in 1E Client 5.0.0.745

The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe.

8.8
2020-12-29 CVE-2020-16268 1E Exposure of Resource to Wrong Sphere vulnerability in 1E Client 4.1.0.267/5.0.0.745

The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote authenticated users and local users to gain elevated privileges via the repair option.

8.8
2020-12-29 CVE-2020-35773 Freehtmldesigns Cross-Site Request Forgery (CSRF) vulnerability in Freehtmldesigns Site Offline

The site-offline plugin before 1.4.4 for WordPress lacks certain wp_create_nonce and wp_verify_nonce calls, aka CSRF.

8.8
2020-12-29 CVE-2020-25847 Qnap Command Injection vulnerability in Qnap QTS and Quts Hero

This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application.

8.8
2020-12-28 CVE-2020-35627 Woocommerce Unrestricted Upload of File with Dangerous Type vulnerability in Woocommerce Gift Cards 3.0.2

Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file upload vulnerability in the Custom GiftCard Template that can remotely execute arbitrary code.

8.8
2020-12-30 CVE-2020-26296 Vega Project Unspecified vulnerability in Vega Project Vega

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs.

8.7
2020-12-29 CVE-2020-26287 Hedgedoc Cross-site Scripting vulnerability in Hedgedoc

HedgeDoc is a collaborative platform for writing and sharing markdown.

8.7
2020-12-30 CVE-2020-35779 Netgear Unspecified vulnerability in Netgear Nms300 Firmware

NETGEAR NMS300 devices before 1.6.0.27 are affected by denial of service.

8.6
2020-12-30 CVE-2020-35777 Netgear Command Injection vulnerability in Netgear Dgn2200V1 Firmware

NETGEAR DGN2200v1 devices before v1.0.0.58 are affected by command injection.

8.4
2020-12-31 CVE-2020-35889 Crayon Project Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Crayon Project Crayon

An issue was discovered in the crayon crate through 2020-08-31 for Rust.

8.1
2020-12-31 CVE-2020-35882 Rocket Race Condition vulnerability in Rocket

An issue was discovered in the rocket crate before 0.4.5 for Rust.

8.1
2020-12-31 CVE-2020-35874 Internment Project Use After Free vulnerability in Internment Project Internment 0.3.12

An issue was discovered in the internment crate through 2020-05-28 for Rust.

8.1
2020-12-31 CVE-2020-35871 Rusqlite Project Race Condition vulnerability in Rusqlite Project Rusqlite

An issue was discovered in the rusqlite crate before 0.23.0 for Rust.

8.1
2020-12-30 CVE-2020-35839 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by Stored XSS.

8.1
2020-12-30 CVE-2020-35831 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

8.1
2020-12-30 CVE-2020-35782 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by lack of access control at the function level.

8.1
2020-12-30 CVE-2020-10209 Amino OS Command Injection vulnerability in Amino products

Command Injection in the CPE WAN Management Protocol (CWMP) registration in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows man-in-the-middle attackers to execute arbitrary commands with root level privileges.

8.1
2020-12-29 CVE-2020-17533 Apache Unspecified vulnerability in Apache Accumulo

Apache Accumulo versions 1.5.0 through 1.10.0 and version 2.0.0 do not properly check the return value of some policy enforcement functions before permitting an authenticated user to perform certain administrative operations.

8.1
2021-01-01 CVE-2020-35937 Pickplugins Cross-site Scripting vulnerability in Pickplugins Post Grid and Team Showcase

Stored Cross-Site Scripting (XSS) vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX.

8.0
2021-01-01 CVE-2020-35936 Pickplugins Cross-site Scripting vulnerability in Pickplugins Post Grid and Team Showcase

Stored Cross-Site Scripting (XSS) vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX.

8.0
2020-12-30 CVE-2020-35787 Netgear Classic Buffer Overflow vulnerability in Netgear products

Certain NETGEAR devices are affected by a buffer overflow by an authenticated user.

8.0
2021-01-03 CVE-2020-35963 Treasuredata Out-of-bounds Write vulnerability in Treasuredata Fluent BIT

flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out-of-bounds write because it does not use the correct calculation of the maximum gzip data-size expansion.

7.8
2020-12-31 CVE-2020-35931 Foxitsoftware Improper Check for Unusual or Exceptional Conditions vulnerability in Foxitsoftware Foxit Reader

An issue was discovered in Foxit Reader before 10.1.1 (and before 4.1.1 on macOS) and PhantomPDF before 9.7.5 and 10.x before 10.1.1 (and before 4.1.1 on macOS).

7.8
2020-12-31 CVE-2020-35906 Rust Lang Use After Free vulnerability in Rust-Lang Futures-Task

An issue was discovered in the futures-task crate before 0.3.6 for Rust.

7.8
2020-12-30 CVE-2020-35798 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker.

7.8
2020-12-29 CVE-2020-9207 Huawei Improper Authentication vulnerability in Huawei products

There is an improper authentication vulnerability in some verisons of Huawei CloudEngine product.

7.8
2020-12-28 CVE-2020-35766 Opendkim Link Following vulnerability in Opendkim

The test suite in libopendkim in OpenDKIM through 2.10.3 allows local users to gain privileges via a symlink attack against the /tmp/testkeys file (related to t-testdata.h, t-setup.c, and t-cleanup.c).

7.8
2020-12-28 CVE-2020-25507 3DS Incorrect Permission Assignment for Critical Resource vulnerability in 3DS Teamwork Cloud

An incorrect permission assignment during the installation script of TeamworkCloud 18.0 thru 19.0 allows a local unprivileged attacker to execute arbitrary code as root.

7.8
2020-12-31 CVE-2020-35743 Hgiga SQL Injection vulnerability in Hgiga products

HGiga MailSherlock contains a SQL injection flaw.

7.6
2020-12-31 CVE-2020-35742 Hgiga SQL Injection vulnerability in Hgiga products

HGiga MailSherlock contains a vulnerability of SQL Injection.

7.6
2020-12-30 CVE-2020-35841 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

7.6
2021-01-03 CVE-2020-35962 Loopring Unspecified vulnerability in Loopring

The sellTokenForLRC function in the vault protocol in the smart contract implementation for Loopring (LRC), an Ethereum token, lacks access control for fee swapping and thus allows price manipulation.

7.5
2021-01-03 CVE-2021-3006 Seal Finance Project Unspecified vulnerability in Seal Finance Project Seal Finance

The breed function in the smart contract implementation for Farm in Seal Finance (Seal), an Ethereum token, lacks access control and thus allows price manipulation, as exploited in the wild in December 2020 and January 2021.

7.5
2021-01-03 CVE-2021-3004 Stableyieldcredit Project Incorrect Calculation vulnerability in Stableyieldcredit Project Stableyieldcredit

The _deposit function in the smart contract implementation for Stable Yield Credit (yCREDIT), an Ethereum token, has certain incorrect calculations.

7.5
2021-01-02 CVE-2020-28852 Golang Improper Validation of Array Index vulnerability in Golang Text

In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag.

7.5
2021-01-02 CVE-2020-28851 Golang Improper Validation of Array Index vulnerability in Golang GO 1.15.4

In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension.

7.5
2021-01-01 CVE-2019-25012 Webform Report Project Forced Browsing vulnerability in Webform Report Project Webform Report 7.X1.Xdev

The Webform Report project 7.x-1.x-dev for Drupal allows remote attackers to view submissions by visiting the /rss.xml page.

7.5
2021-01-01 CVE-2017-20001 AES Encryption Project Inadequate Encryption Strength vulnerability in AES Encryption Project AES Encryption

The AES encryption project 7.x and 8.x for Drupal does not sufficiently prevent attackers from decrypting data, aka SA-CONTRIB-2017-027.

7.5
2021-01-01 CVE-2016-20003 Rest Json Project Unspecified vulnerability in Rest/Json Project Rest/Json

The REST/JSON project 7.x-1.x for Drupal allows user enumeration, aka SA-CONTRIB-2016-033.

7.5
2021-01-01 CVE-2016-20008 Rest Json Project Unspecified vulnerability in Rest/Json Project Rest/Json

The REST/JSON project 7.x-1.x for Drupal allows session enumeration, aka SA-CONTRIB-2016-033.

7.5
2021-01-01 CVE-2016-20007 Rest Json Project Insufficient Session Expiration vulnerability in Rest/Json Project Rest/Json

The REST/JSON project 7.x-1.x for Drupal allows session name guessing, aka SA-CONTRIB-2016-033.

7.5
2021-01-01 CVE-2016-20006 Rest Json Project Unspecified vulnerability in Rest/Json Project Rest/Json

The REST/JSON project 7.x-1.x for Drupal allows blockage of user logins, aka SA-CONTRIB-2016-033.

7.5
2020-12-31 CVE-2018-19944 Qnap Cleartext Transmission of Sensitive Information vulnerability in Qnap QTS

A cleartext transmission of sensitive information vulnerability has been reported to affect certain QTS devices.

7.5
2020-12-31 CVE-2018-19941 Qnap Cleartext Storage of Sensitive Information vulnerability in Qnap QTS

A vulnerability has been reported to affect QNAP NAS.

7.5
2020-12-31 CVE-2020-35896 WS RS Project Allocation of Resources Without Limits or Throttling vulnerability in Ws-Rs Project Ws-Rs

An issue was discovered in the ws crate through 2020-09-25 for Rust.

7.5
2020-12-31 CVE-2020-35894 Obstack Project Use of Incorrectly-Resolved Name or Reference vulnerability in Obstack Project Obstack 0.1.0/0.1.1/0.1.2

An issue was discovered in the obstack crate before 0.1.4 for Rust.

7.5
2020-12-31 CVE-2020-35893 Simple Slab Project Use of Uninitialized Resource vulnerability in Simple-Slab Project Simple-Slab

An issue was discovered in the simple-slab crate before 0.3.3 for Rust.

7.5
2020-12-31 CVE-2020-35891 Ordnung Project Double Free vulnerability in Ordnung Project Ordnung 20200903

An issue was discovered in the ordnung crate through 2020-09-03 for Rust.

7.5
2020-12-31 CVE-2020-35890 Ordnung Project Out-of-bounds Read vulnerability in Ordnung Project Ordnung 20200903

An issue was discovered in the ordnung crate through 2020-09-03 for Rust.

7.5
2020-12-31 CVE-2020-35875 Tokio Unspecified vulnerability in Tokio Tokio-Rustls

An issue was discovered in the tokio-rustls crate before 0.13.1 for Rust.

7.5
2020-12-31 CVE-2020-35865 OS STR Bytes Project Unspecified vulnerability in OS STR Bytes Project OS STR Bytes

An issue was discovered in the os_str_bytes crate before 2.0.0 for Rust.

7.5
2020-12-31 CVE-2020-35864 Google Unspecified vulnerability in Google Flatbuffers

An issue was discovered in the flatbuffers crate through 2020-04-11 for Rust.

7.5
2020-12-31 CVE-2020-35861 Bumpalo Project Out-of-bounds Read vulnerability in Bumpalo Project Bumpalo

An issue was discovered in the bumpalo crate before 3.2.1 for Rust.

7.5
2020-12-31 CVE-2020-35857 Trust DNS Server Project Resource Exhaustion vulnerability in Trust-Dns-Server Project Trust-Dns-Server

An issue was discovered in the trust-dns-server crate before 0.18.1 for Rust.

7.5
2020-12-31 CVE-2019-25007 Streebog Project Unspecified vulnerability in Streebog Project Streebog

An issue was discovered in the streebog crate before 0.8.0 for Rust.

7.5
2020-12-31 CVE-2019-25006 Streebog Project Use of a Broken or Risky Cryptographic Algorithm vulnerability in Streebog Project Streebog

An issue was discovered in the streebog crate before 0.8.0 for Rust.

7.5
2020-12-31 CVE-2019-25005 Chacha20 Project Integer Overflow or Wraparound vulnerability in Chacha20 Project Chacha20

An issue was discovered in the chacha20 crate before 0.2.3 for Rust.

7.5
2020-12-31 CVE-2019-25003 Parity Unspecified vulnerability in Parity Libsecp256K1

An issue was discovered in the libsecp256k1 crate before 0.3.1 for Rust.

7.5
2020-12-31 CVE-2019-25001 Serde Cbor Project Out-of-bounds Write vulnerability in Serde Cbor Project Serde Cbor

An issue was discovered in the serde_cbor crate before 0.10.2 for Rust.

7.5
2020-12-31 CVE-2020-35909 Protocol Unspecified vulnerability in Protocol Multihash

An issue was discovered in the multihash crate before 0.11.3 for Rust.

7.5
2020-12-31 CVE-2020-35901 Actix Use After Free vulnerability in Actix Actix-Http

An issue was discovered in the actix-http crate before 2.0.0-alpha.1 for Rust.

7.5
2020-12-31 CVE-2020-25850 Hgiga Unspecified vulnerability in Hgiga Msr45 Isherlock-User and Ssr45 Isherlock-User

The function, view the source code, of HGiga MailSherlock does not validate specific characters.

7.5
2020-12-31 CVE-2020-25842 Panorama Missing Encryption of Sensitive Data vulnerability in Panorama Nhiservisignadapter 1.0.20.0218

The encryption function of NHIServiSignAdapter fail to verify the file path input by users.

7.5
2020-12-31 CVE-2020-13654 Xwiki Improper Encoding or Escaping of Output vulnerability in Xwiki

XWiki Platform before 12.8 mishandles escaping in the property displayer.

7.5
2020-12-30 CVE-2020-28095 Tenda Infinite Loop vulnerability in Tenda Ac1200 Firmware 15.03.06.51Multi

On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, a large HTTP POST request sent to the change password API will trigger the router to crash and enter an infinite boot loop.

7.5
2020-12-30 CVE-2019-16747 Matrixssl Out-of-bounds Write vulnerability in Matrixssl

In MatrixSSL before 4.2.2 Open, the DTLS server can encounter an invalid pointer free (leading to memory corruption and a daemon crash) via a crafted incoming network message, a different vulnerability than CVE-2019-14431.

7.5
2020-12-30 CVE-2019-16281 Ptarmigan Project Improper Certificate Validation vulnerability in Ptarmigan Project Ptarmigan 0.2.0/0.2.1/0.2.2

Ptarmigan before 0.2.3 lacks API token validation, e.g., an "if (token === apiToken) {return true;} return false;" code block.

7.5
2020-12-30 CVE-2020-35737 Newgensoft Unspecified vulnerability in Newgensoft Egov 12.0

In Correspondence Management System (corms) in Newgen eGov 12.0, an attacker can modify other users' profile information by manipulating the unvalidated UserIndex parameter, aka Insecure Direct Object Reference.

7.5
2020-12-30 CVE-2019-15080 Morph Project Unspecified vulnerability in Morph Project Morph 20190605

An issue was discovered in a smart contract implementation for MORPH Token through 2019-06-05, an Ethereum token.

7.5
2020-12-30 CVE-2019-15079 EAI Project Unspecified vulnerability in EAI Project EAI 20190605

A typo exists in the constructor of a smart contract implementation for EAI through 2019-06-05, an Ethereum token.

7.5
2020-12-30 CVE-2019-15078 Xbornid Unspecified vulnerability in Xbornid 20190529

An issue was discovered in a smart contract implementation for AIRDROPX BORN through 2019-05-29, an Ethereum token.

7.5
2020-12-30 CVE-2020-35849 Mantisbt Authorization Bypass Through User-Controlled Key vulnerability in Mantisbt

An issue was discovered in MantisBT before 2.24.4.

7.5
2020-12-30 CVE-2020-29228 Egavilanmedia SQL Injection vulnerability in Egavilanmedia User Registration and Login System With Admin Panel 1.0

EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by SQL injection in the User Login Page.

7.5
2020-12-30 CVE-2020-35802 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by disclosure of sensitive information.

7.5
2020-12-29 CVE-2020-9223 Huawei Unspecified vulnerability in Huawei products

There is a denial of service vulnerability in some Huawei smartphones.

7.5
2020-12-29 CVE-2020-9124 Huawei Memory Leak vulnerability in Huawei products

There is a memory leak vulnerability in some versions of Huawei CloudEngine product.

7.5
2020-12-29 CVE-2020-9094 Huawei Out-of-bounds Read vulnerability in Huawei products

There is an out of bound read vulnerability in some verisons of Huawei CloudEngine product.

7.5
2020-12-29 CVE-2020-5807 Rockwellautomation Improper Handling of Exceptional Conditions vulnerability in Rockwellautomation Factorytalk Diagnostics 6.11

An unauthenticated remote attacker can send data to RsvcHost.exe listening on TCP port 5241 to add entries in the FactoryTalk Diagnostics event log.

7.5
2020-12-29 CVE-2020-5802 Rockwellautomation Allocation of Resources Without Limits or Throttling vulnerability in Rockwellautomation Factorytalk Linx 6.00/6.10/6.11

An attacker-controlled memory allocation size can be passed to the C++ new operator in RnaDaSvr.dll by sending a specially crafted ConfigureItems message to TCP port 4241.

7.5
2020-12-29 CVE-2020-5801 Rockwellautomation Improper Handling of Exceptional Conditions vulnerability in Rockwellautomation Factorytalk Linx 6.00/6.10/6.11

An attacker can craft and send an OpenNamespace message to port 4241 with valid session-id that triggers an unhandled exception in CFTLDManager::HandleRequest function in RnaDaSvr.dll, resulting in process termination.

7.5
2020-12-29 CVE-2020-26286 Hedgedoc Unspecified vulnerability in Hedgedoc

HedgeDoc is a collaborative platform for writing and sharing markdown.

7.5
2020-12-28 CVE-2020-35616 Joomla Improper Input Validation vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 1.7.0 through 3.9.22.

7.5
2020-12-28 CVE-2020-35612 Joomla Path Traversal vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 2.5.0 through 3.9.22.

7.5
2020-12-28 CVE-2020-35611 Joomla Information Exposure vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 2.5.0 through 3.9.22.

7.5
2020-12-28 CVE-2020-35610 Joomla Unspecified vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 2.5.0 through 3.9.22.

7.5
2020-12-28 CVE-2020-14273 Hcltech Improper Input Validation vulnerability in Hcltech Domino 10.0.1/11.0.0/11.0.1

HCL Domino is susceptible to a Denial of Service (DoS) vulnerability due to insufficient validation of input to its public API.

7.5
2020-12-28 CVE-2020-26289 Date AND Time Project Unspecified vulnerability in Date-And-Time Project Date-And-Time

date-and-time is an npm package for manipulating date and time.

7.5
2020-12-28 CVE-2020-29160 Zammad Missing Authorization vulnerability in Zammad

An issue was discovered in Zammad before 3.5.1.

7.5
2020-12-28 CVE-2020-26032 Zammad Server-Side Request Forgery (SSRF) vulnerability in Zammad

An SSRF issue was discovered in Zammad before 3.4.1.

7.5
2020-12-28 CVE-2020-29194 Panasonic Unspecified vulnerability in Panasonic Wv-S2231L Firmware 4.25

Panasonic Security System WV-S2231L 4.25 allows a denial of service of the admin control panel (which will require a physical reset to restore administrative control) via Randomnum=99AC8CEC6E845B28&mode=1 in a POST request to the cgi-bin/set_factory URI.

7.5
2020-12-28 CVE-2020-28094 Tendacn Unspecified vulnerability in Tendacn Ac1200 Firmware 15.03.06.51

On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, the default settings for the router speed test contain links to download malware named elive or CNKI E-Learning.

7.5
2021-01-01 CVE-2020-35947 Pagelayer Cross-site Scripting vulnerability in Pagelayer

An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress.

7.4
2020-12-31 CVE-2020-25846 Panorama Project Open Redirect vulnerability in Panorama Project Nhiservisignadapter 1.0.20.0218

The digest generation function of NHIServiSignAdapter has not been verified for source file path, which leads to the SMB request being redirected to a malicious host, resulting in the leakage of user's credential.

7.4
2020-12-31 CVE-2020-25845 Panorama Project Open Redirect vulnerability in Panorama Project Nhiservisignadapter 1.0.20.0218

Multiple functions of NHIServiSignAdapter failed to verify the users’ file path, which leads to the SMB request being redirected to a malicious host, resulting in the leakage of user's credential.

7.4
2020-12-28 CVE-2020-24360 Arista Improper Resource Shutdown or Release vulnerability in Arista EOS

An issue with ARP packets in Arista’s EOS affecting the 7800R3, 7500R3, and 7280R3 series of products may result in issues that cause a kernel crash, followed by a device reload.

7.4
2020-12-30 CVE-2020-35801 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by incorrect configuration of security settings.

7.3
2020-12-30 CVE-2020-35784 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by lack of access control at the function level.

7.2
2020-12-28 CVE-2020-28093 Tendacn Unspecified vulnerability in Tendacn Ac1200 Firmware 15.03.06.51

On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, admin, support, user, and nobody have a password of 1234.

7.2

152 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-12-30 CVE-2020-35794 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.8
2020-12-30 CVE-2020-35792 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.8
2020-12-30 CVE-2020-35790 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.8
2020-12-30 CVE-2020-35788 Netgear Classic Buffer Overflow vulnerability in Netgear Wac104 Firmware

NETGEAR WAC104 devices before 1.0.4.13 are affected by a buffer overflow by an authenticated user.

6.8
2020-12-28 CVE-2020-29193 Panasonic Use of Hard-coded Credentials vulnerability in Panasonic Wv-S2231L Firmware 4.25

Panasonic Security System WV-S2231L 4.25 has an insecure hard-coded password of lkjhgfdsa (which is just the asdf keyboard row in reverse order).

6.8
2020-12-28 CVE-2020-28096 Foscammall Unspecified vulnerability in Foscammall Foscam X1 Firmware 1.14.2.4

FOSCAM FHD X1 1.14.2.4 devices allow attackers (with physical UART access) to login via the ipc.fos~ password.

6.8
2020-12-30 CVE-2020-35793 Netgear Command Injection vulnerability in Netgear products

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.7
2020-12-30 CVE-2020-35791 Netgear Command Injection vulnerability in Netgear R7800 Firmware, R8900 Firmware and R9000 Firmware

Certain NETGEAR devices are affected by command injection by an authenticated user.

6.7
2020-12-29 CVE-2020-9125 Huawei Out-of-bounds Read vulnerability in Huawei Mate 30 Firmware

There is an out-of-bound read vulnerability in huawei smartphone Mate 30 versions earlier than 10.1.0.156 (C00E155R7P2).

6.7
2021-01-03 CVE-2020-35964 Ffmpeg Out-of-bounds Write vulnerability in Ffmpeg 4.3.1

track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-bounds write because of incorrect extradata packing.

6.5
2021-01-03 CVE-2020-35952 PHP Fusion Unspecified vulnerability in PHP-Fusion

login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow enumeration.

6.5
2021-01-01 CVE-2020-35391 Tenda Forced Browsing vulnerability in Tenda F3 Firmware 12.01.01.48

Tenda N300 F3 12.01.01.48 devices allow remote attackers to obtain sensitive information (possibly including an http_passwd line) via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg, a related issue to CVE-2017-14942.

6.5
2021-01-01 CVE-2020-35933 Thenewsletterplugin Cross-site Scripting vulnerability in Thenewsletterplugin Newsletter 2.4.6

A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote attackers to trick a victim into submitting a tnpc_render AJAX request containing either JavaScript in an options parameter, or a base64-encoded JSON string containing JavaScript in the encoded_options parameter.

6.5
2020-12-31 CVE-2020-35884 Tiny Http Project
Fedoraproject
HTTP Request Smuggling vulnerability in multiple products

An issue was discovered in the tiny_http crate through 2020-06-16 for Rust.

6.5
2020-12-31 CVE-2018-25001 Libpulse Binding Project Use After Free vulnerability in Libpulse-Binding Project Libpulse-Binding

An issue was discovered in the libpulse-binding crate before 2.5.0 for Rust.

6.5
2020-12-31 CVE-2019-20808 Qemu Out-of-bounds Read vulnerability in Qemu 4.1.0

In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation.

6.5
2020-12-31 CVE-2020-26291 URI JS Project Unspecified vulnerability in Uri.Js Project Uri.Js

URI.js is a javascript URL mutation library (npm package urijs).

6.5
2020-12-30 CVE-2020-28413 Mantisbt SQL Injection vulnerability in Mantisbt 2.24.3

In MantisBT 2.24.3, SQL Injection can occur in the parameter "access" of the mc_project_get_users function through the API SOAP.

6.5
2020-12-30 CVE-2020-26288 Parseplatform Unspecified vulnerability in Parseplatform Parse-Server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

6.5
2020-12-30 CVE-2020-5811 Umbraco Path Traversal vulnerability in Umbraco CMS

An authenticated path traversal vulnerability exists during package installation in Umbraco CMS <= 8.9.1 or current, which could result in arbitrary files being written outside of the site home and expected paths when installing an Umbraco package.

6.5
2020-12-30 CVE-2020-35850 Cockpit Project Server-Side Request Forgery (SSRF) vulnerability in Cockpit-Project Cockpit 234

An SSRF issue was discovered in cockpit-project.org Cockpit 234.

6.5
2020-12-30 CVE-2020-35783 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by lack of access control at the function level.

6.5
2020-12-30 CVE-2020-35781 Netgear Unspecified vulnerability in Netgear Nms300 Firmware

NETGEAR NMS300 devices before 1.6.0.27 are affected by denial of service.

6.5
2020-12-30 CVE-2020-35780 Netgear Unspecified vulnerability in Netgear Nms300 Firmware

NETGEAR NMS300 devices before 1.6.0.27 are affected by denial of service.

6.5
2020-12-29 CVE-2020-27643 1E Link Following vulnerability in 1E Client 4.1.0.267/5.0.0.745

The %PROGRAMDATA%\1E\Client directory in 1E Client 5.0.0.745 and 4.1.0.267 allows remote authenticated users and local users to create and modify files in protected directories (where they would not normally have access to create or modify files) via the creation of a junction point to a system directory.

6.5
2020-12-29 CVE-2020-9208 Huawei Missing Authentication for Critical Function vulnerability in Huawei Imanager Neteco 6000 V600R021C00

There is an information leak vulnerability in iManager NetEco 6000 versions V600R021C00.

6.5
2020-12-28 CVE-2020-13474 Nchsoftware Forced Browsing vulnerability in Nchsoftware Express Accounts 8.24

In NCH Express Accounts 8.24 and earlier, an authenticated low-privilege user can enter a crafted URL to access higher-privileged functionalities such as Add/Edit users.

6.5
2020-12-28 CVE-2020-29245 TAG Project Improper Validation of Array Index vulnerability in TAG Project TAG 20200828

dhowden tag before 2020-11-19 allows "panic: runtime error: slice bounds out of range" via readAtomData.

6.5
2020-12-28 CVE-2020-29244 TAG Project Improper Validation of Array Index vulnerability in TAG Project TAG 20200828

dhowden tag before 2020-11-19 allows "panic: runtime error: slice bounds out of range" via readTextWithDescrFrame.

6.5
2020-12-28 CVE-2020-29243 TAG Project Improper Validation of Array Index vulnerability in TAG Project TAG 20200828

dhowden tag before 2020-11-19 allows "panic: runtime error: index out of range" via readAPICFrame.

6.5
2020-12-28 CVE-2020-29242 TAG Project Improper Validation of Array Index vulnerability in TAG Project TAG 20200828

dhowden tag before 2020-11-19 allows "panic: runtime error: index out of range" via readPICFrame.

6.5
2020-12-28 CVE-2020-26029 Zammad Incorrect Authorization vulnerability in Zammad

An issue was discovered in Zammad before 3.4.1.

6.5
2020-12-28 CVE-2020-27837 Gnome Unspecified vulnerability in Gnome Display Manager

A flaw was found in GDM in versions prior to 3.38.2.1.

6.4
2020-12-28 CVE-2020-35615 Joomla Cross-Site Request Forgery (CSRF) vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 2.5.0 through 3.9.22.

6.3
2021-01-01 CVE-2021-3002 Seopanel Cross-site Scripting vulnerability in Seopanel SEO Panel 4.8.0

Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?sec=forgot email parameter.

6.1
2020-12-31 CVE-2020-35741 Hgiga Cross-site Scripting vulnerability in Hgiga products

HGiga MailSherlock does not validate user parameters on multiple login pages.

6.1
2020-12-31 CVE-2020-35740 Hgiga Cross-site Scripting vulnerability in Hgiga products

HGiga MailSherlock does not validate specific URL parameters properly that allows attackers to inject JavaScript syntax for XSS attacks.

6.1
2020-12-30 CVE-2020-29230 Egavilanmedia Cross-site Scripting vulnerability in Egavilanmedia User Registration and Login System With Admin Panel 1.0

EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Panel - Manage User tab using the Full Name of the user.

6.1
2020-12-30 CVE-2020-28365 Sapplica Cross-site Scripting vulnerability in Sapplica Sentrifugo 3.2

Sentrifugo 3.2 allows Stored Cross-Site Scripting (XSS) vulnerability by inserting a payload within the X-Forwarded-For HTTP header during the login process.

6.1
2020-12-28 CVE-2020-35730 Roundcube
Fedoraproject
Debian
Cross-site Scripting vulnerability in multiple products

An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10.

6.1
2020-12-28 CVE-2020-35738 Wavpack
Debian
Fedoraproject
Integer Overflow or Wraparound vulnerability in multiple products

WavPack 5.3.0 has an out-of-bounds write in WavpackPackSamples in pack_utils.c because of an integer overflow in a malloc argument.

6.1
2020-12-28 CVE-2020-26569 Arista Unspecified vulnerability in Arista EOS

In EVPN VxLAN setups in Arista EOS, specific malformed packets can lead to incorrect MAC to IP bindings and as a result packets can be incorrectly forwarded across VLAN boundaries.

5.9
2021-01-03 CVE-2020-28841 Drivergenius Unspecified vulnerability in Drivergenius Firmware 9.61.3708.3054

MyDrivers64.sys in DriverGenius 9.61.3708.3054 allows attackers to cause a system crash via the ioctl command 0x9c402000 to \\.\MyDrivers0_0_1.

5.5
2020-12-31 CVE-2020-11835 Oppo Out-of-bounds Write vulnerability in Oppo Find X2 PRO Firmware and Reno3 PRO Firmware

In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/charger_ic/oppo_da9313.c, failure to check the parameter buf in the function proc_work_mode_write in proc_work_mode_write causes a vulnerability.

5.5
2020-12-31 CVE-2020-11834 Oppo Out-of-bounds Write vulnerability in Oppo Find X2 PRO Firmware and Reno3 PRO Firmware

In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_vooc.c, the function proc_fastchg_fw_update_write in proc_fastchg_fw_update_write does not check the parameter len, resulting in a vulnerability.

5.5
2020-12-31 CVE-2020-11833 Oppo Out-of-bounds Write vulnerability in Oppo Find X2 PRO Firmware and Reno3 PRO Firmware

In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/charger_ic/oppo_mp2650.c, the function mp2650_data_log_write in mp2650_data_log_write does not check the parameter len which causes a vulnerability.

5.5
2020-12-31 CVE-2020-11832 Oppo Out-of-bounds Write vulnerability in Oppo Find X2 PRO Firmware and Reno3 PRO Firmware

In functions charging_limit_current_write and charging_limit_time_write in /SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_charger.c have not checked the parameters, which causes a vulnerability.

5.5
2020-12-31 CVE-2020-35927 Thex Project Unspecified vulnerability in Thex Project Thex 20201208

An issue was discovered in the thex crate through 2020-12-08 for Rust.

5.5
2020-12-31 CVE-2020-35925 Magnetic Project Unspecified vulnerability in Magnetic Project Magnetic

An issue was discovered in the magnetic crate before 2.0.1 for Rust.

5.5
2020-12-31 CVE-2020-35924 TRY Mutex Project Out-of-bounds Write vulnerability in Try-Mutex Project Try-Mutex 0.1.0/0.1.1/0.2.0

An issue was discovered in the try-mutex crate before 0.3.0 for Rust.

5.5
2020-12-31 CVE-2020-35923 Ordered Float Project Use After Free vulnerability in Ordered-Float Project Ordered-Float

An issue was discovered in the ordered-float crate before 1.1.1 and 2.x before 2.0.1 for Rust.

5.5
2020-12-31 CVE-2020-35922 MIO Project Unspecified vulnerability in MIO Project MIO

An issue was discovered in the mio crate before 0.7.6 for Rust.

5.5
2020-12-31 CVE-2020-35921 Miow Project Unspecified vulnerability in Miow Project Miow

An issue was discovered in the miow crate before 0.3.6 for Rust.

5.5
2020-12-31 CVE-2020-35920 Rust Lang Unspecified vulnerability in Rust-Lang Socket2

An issue was discovered in the socket2 crate before 0.3.16 for Rust.

5.5
2020-12-31 CVE-2020-35919 Net2 Project Unspecified vulnerability in Net2 Project Net2

An issue was discovered in the net2 crate before 0.2.36 for Rust.

5.5
2020-12-31 CVE-2020-35918 Hakobaito Unspecified vulnerability in Hakobaito Branca

An issue was discovered in the branca crate before 0.10.0 for Rust.

5.5
2020-12-31 CVE-2020-35917 Pyo3 Project Use After Free vulnerability in Pyo3 Project Pyo3

An issue was discovered in the pyo3 crate before 0.12.4 for Rust.

5.5
2020-12-31 CVE-2020-35916 Image RS Resource Exhaustion vulnerability in Image-Rs Image

An issue was discovered in the image crate before 0.23.12 for Rust.

5.5
2020-12-31 CVE-2020-35915 Futures Intrusive Project Unspecified vulnerability in Futures-Intrusive Project Futures-Intrusive

An issue was discovered in the futures-intrusive crate before 0.4.0 for Rust.

5.5
2020-12-31 CVE-2020-35910 Lock API Project Unspecified vulnerability in Lock API Project Lock API

An issue was discovered in the lock_api crate before 0.4.2 for Rust.

5.5
2020-12-31 CVE-2020-35908 Rust Lang Unspecified vulnerability in Rust-Lang Future-Utils

An issue was discovered in the futures-util crate before 0.3.2 for Rust.

5.5
2020-12-31 CVE-2020-35907 Rust Lang NULL Pointer Dereference vulnerability in Rust-Lang Futures-Task

An issue was discovered in the futures-task crate before 0.3.5 for Rust.

5.5
2020-12-31 CVE-2020-35904 Crossbeam Channel Project Unspecified vulnerability in Crossbeam-Channel Project Crossbeam-Channel

An issue was discovered in the crossbeam-channel crate before 0.4.4 for Rust.

5.5
2020-12-31 CVE-2020-35903 Dync Project Unspecified vulnerability in Dync Project Dync

An issue was discovered in the dync crate before 0.5.0 for Rust.

5.5
2020-12-31 CVE-2020-35900 Array Queue Project Use After Free vulnerability in Array-Queue Project Array-Queue

An issue was discovered in the array-queue crate through 2020-09-26 for Rust.

5.5
2020-12-31 CVE-2020-35899 Actix Use After Free vulnerability in Actix Actix-Service

An issue was discovered in the actix-service crate before 1.0.6 for Rust.

5.5
2020-12-29 CVE-2020-9093 Huawei Use After Free vulnerability in Huawei Taurus-Al00A Firmware 10.0.0.1(C00E1R1P1)

There is a use after free vulnerability in Taurus-AL00A versions 10.0.0.1(C00E1R1P1).

5.5
2020-12-29 CVE-2020-1848 Huawei Unspecified vulnerability in Huawei Jackman-Al00D Firmware 8.2.0.185(C00R2P1)

There is a resource management error vulnerability in Jackman-AL00D versions 8.2.0.185(C00R2P1).

5.5
2020-12-29 CVE-2020-5806 Rockwellautomation Allocation of Resources Without Limits or Throttling vulnerability in Rockwellautomation Factorytalk Linx 6.00/6.10/6.11

An attacker-controlled memory allocation size can be passed to the C++ new operator in the CServerManager::HandleBrowseLoadIconStreamRequest in messaging.dll.

5.5
2020-12-28 CVE-2020-13473 Nchsoftware Cleartext Storage of Sensitive Information vulnerability in Nchsoftware Express Accounts 8.24

NCH Express Accounts 8.24 and earlier allows local users to discover the cleartext password by reading the configuration file.

5.5
2021-01-01 CVE-2020-35946 Semperplugins Cross-site Scripting vulnerability in Semperplugins ALL in ONE SEO Pack

An issue was discovered in the All in One SEO Pack plugin before 3.6.2 for WordPress.

5.4
2020-12-31 CVE-2020-35930 Seopanel Cross-site Scripting vulnerability in Seopanel SEO Panel 4.8.0

Seo Panel 4.8.0 allows stored XSS by an Authenticated User via the url parameter, as demonstrated by the seo/seopanel/websites.php URI.

5.4
2020-12-31 CVE-2019-25011 Netbox Cross-site Scripting vulnerability in Netbox

NetBox through 2.6.2 allows an Authenticated User to conduct an XSS attack against an admin via a GFM-rendered field, as demonstrated by /dcim/sites/add/ comments.

5.4
2020-12-31 CVE-2020-25799 Limesurvey Cross-site Scripting vulnerability in Limesurvey 3.21.1

LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Quota component of the Survey page.

5.4
2020-12-31 CVE-2020-25797 Limesurvey Cross-site Scripting vulnerability in Limesurvey 3.21.1

LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Add Participants Function (First and last name parameters).

5.4
2020-12-30 CVE-2020-29231 Egavilanmedia Cross-site Scripting vulnerability in Egavilanmedia User Registration and Login System With Admin Panel 1.0

EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Profile Page.

5.4
2020-12-30 CVE-2020-5810 Umbraco Cross-site Scripting vulnerability in Umbraco CMS

A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current.

5.4
2020-12-30 CVE-2020-5809 Umbraco Cross-site Scripting vulnerability in Umbraco CMS

A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current.

5.4
2020-12-30 CVE-2020-29469 Wondercms Cross-site Scripting vulnerability in Wondercms 3.1.3

WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Menu component.

5.4
2020-12-30 CVE-2020-29233 Wondercms Cross-site Scripting vulnerability in Wondercms 3.1.3

WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Page description component.

5.4
2020-12-30 CVE-2020-35842 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

5.4
2020-12-30 CVE-2020-35840 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

5.4
2020-12-29 CVE-2020-35774 Twitter Cross-site Scripting vulnerability in Twitter Twitter-Server

server/handler/HistogramQueryHandler.scala in Twitter TwitterServer (aka twitter-server) before 20.12.0, in some configurations, allows XSS via the /histograms endpoint.

5.4
2020-12-28 CVE-2020-26035 Zammad Cross-site Scripting vulnerability in Zammad

An issue was discovered in Zammad before 3.4.1.

5.4
2020-12-28 CVE-2020-26033 Zammad Cross-Site Request Forgery (CSRF) vulnerability in Zammad

An issue was discovered in Zammad before 3.4.1.

5.4
2020-12-30 CVE-2020-27534 Docker Path Traversal vulnerability in Docker

util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call.

5.3
2020-12-30 CVE-2019-15523 Linbit
Debian
Unchecked Return Value vulnerability in multiple products

An issue was discovered in LINBIT csync2 through 2.0.

5.3
2020-12-30 CVE-2019-12953 Dropbear SSH Project Information Exposure Through Discrepancy vulnerability in Dropbear SSH Project Dropbear SSH

Dropbear 2011.54 through 2018.76 has an inconsistent failure delay that may lead to revealing valid usernames, a different issue than CVE-2018-15599.

5.3
2020-12-30 CVE-2020-28925 Boltcms Unspecified vulnerability in Boltcms Bolt

Bolt before 3.7.2 does not restrict filter options in a Request in the Twig context, and is therefore inconsistent with the "How to Harden Your PHP for Better Security" guidance.

5.3
2020-12-28 CVE-2020-35614 Joomla Unspecified vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.9.0 through 3.9.22.

5.3
2020-12-28 CVE-2020-15898 Arista Unspecified vulnerability in Arista EOS

In Arista EOS malformed packets can be incorrectly forwarded across VLAN boundaries in one direction.

5.3
2020-12-28 CVE-2020-29159 Zammad Unspecified vulnerability in Zammad

An issue was discovered in Zammad before 3.5.1.

4.9
2020-12-28 CVE-2020-26028 Zammad Incorrect Authorization vulnerability in Zammad

An issue was discovered in Zammad before 3.4.1.

4.9
2020-12-30 CVE-2020-35241 Flatpress Cross-site Scripting vulnerability in Flatpress 1.0.3

FlatPress 1.0.3 is affected by cross-site scripting (XSS) in the Blog Content component.

4.8
2020-12-30 CVE-2020-35240 Fluxbb Cross-site Scripting vulnerability in Fluxbb 1.5.11

FluxBB 1.5.11 is affected by cross-site scripting (XSS in the Blog Content component.

4.8
2020-12-30 CVE-2020-29477 Invisioncommunity Cross-site Scripting vulnerability in Invisioncommunity Community 4.5.4

Invision Community 4.5.4 is affected by cross-site scripting (XSS) in the Field Name field.

4.8
2020-12-30 CVE-2020-35838 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35837 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35836 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35835 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35834 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35833 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35832 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35830 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35829 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35828 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35827 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35826 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35825 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35824 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35823 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35822 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35821 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35820 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35819 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35818 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35817 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35816 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35815 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35814 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35813 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35812 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35811 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35810 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35809 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35808 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35807 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35806 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-30 CVE-2020-35805 Netgear Cross-site Scripting vulnerability in Netgear products

Certain NETGEAR devices are affected by stored XSS.

4.8
2020-12-29 CVE-2020-29471 Opencart Cross-site Scripting vulnerability in Opencart 3.0.3.6

OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Profile Image.

4.8
2020-12-29 CVE-2020-29470 Opencart Cross-site Scripting vulnerability in Opencart 3.0.3.6

OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Subject field of mail.

4.8
2020-12-29 CVE-2020-29475 Nopcommerce Cross-site Scripting vulnerability in Nopcommerce Store 4.30

nopCommerce Store 4.30 is affected by cross-site scripting (XSS) in the Schedule tasks name field.

4.8
2020-12-28 CVE-2020-13476 Nchsoftware Cross-site Scripting vulnerability in Nchsoftware Express Invoice 8.06/8.24

NCH Express Invoice 8.06 to 8.24 is vulnerable to Reflected XSS in the Quotes List module.

4.8
2020-12-31 CVE-2020-35897 Atom Project Race Condition vulnerability in Atom Project Atom

An issue was discovered in the atom crate before 0.3.6 for Rust.

4.7
2020-12-31 CVE-2020-35886 ARR Project Race Condition vulnerability in ARR Project ARR

An issue was discovered in the arr crate through 2020-08-25 for Rust.

4.7
2020-12-31 CVE-2020-35928 Concread Project Race Condition vulnerability in Concread Project Concread

An issue was discovered in the concread crate before 0.2.6 for Rust.

4.7
2020-12-31 CVE-2020-35914 Lock API Project Race Condition vulnerability in Lock API Project Lock API

An issue was discovered in the lock_api crate before 0.4.2 for Rust.

4.7
2020-12-31 CVE-2020-35913 Lock API Project Race Condition vulnerability in Lock API Project Lock API

An issue was discovered in the lock_api crate before 0.4.2 for Rust.

4.7
2020-12-31 CVE-2020-35912 Lock API Project Race Condition vulnerability in Lock API Project Lock API

An issue was discovered in the lock_api crate before 0.4.2 for Rust.

4.7
2020-12-31 CVE-2020-35911 Lock API Project Race Condition vulnerability in Lock API Project Lock API

An issue was discovered in the lock_api crate before 0.4.2 for Rust.

4.7
2020-12-31 CVE-2020-35905 Rust Lang Race Condition vulnerability in Rust-Lang Future-Utils

An issue was discovered in the futures-util crate before 0.3.7 for Rust.

4.7
2020-12-29 CVE-2020-35735 Vidyo Improper Restriction of Rendered UI Layers or Frames vulnerability in Vidyo

Vidyo 02-09-/D allows clickjacking via the portal/ URI.

4.7
2020-12-30 CVE-2020-35804 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by disclosure of sensitive information.

4.6
2020-12-30 CVE-2020-35786 Netgear Classic Buffer Overflow vulnerability in Netgear R7800 Firmware

NETGEAR R7800 devices before 1.0.2.74 are affected by a buffer overflow by an authenticated user.

4.5
2020-12-30 CVE-2020-35803 Netgear Unspecified vulnerability in Netgear products

Certain NETGEAR devices are affected by disclosure of sensitive information.

4.4
2020-12-30 CVE-2020-10206 Amino Use of Hard-coded Credentials vulnerability in Amino products

Use of a Hard-coded Password in VNCserver in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows local attackers to view and interact with the video output of the device.

4.4
2021-01-03 CVE-2021-3005 MK Auth Unspecified vulnerability in Mk-Auth 19.01

MK-AUTH through 19.01 K4.9 allows remote attackers to obtain sensitive information (e.g., a CPF number) via a modified titulo (aka invoice number) value to the central/recibo.php URI.

4.3
2021-01-01 CVE-2020-35934 Vasyltech Information Exposure vulnerability in Vasyltech Advanced Access Manager

The Advanced Access Manager plugin before 6.6.2 for WordPress displays the unfiltered user object (including all metadata) upon login via the REST API (aam/v1/authenticate or aam/v2/authenticate).

4.3
2020-12-30 CVE-2020-26247 Nokogiri
Debian
XXE vulnerability in multiple products

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support.

4.3
2020-12-28 CVE-2020-29158 Zammad Missing Authorization vulnerability in Zammad

An issue was discovered in Zammad before 3.5.1.

4.3
2020-12-28 CVE-2020-26034 Zammad Unspecified vulnerability in Zammad

An account-enumeration issue was discovered in Zammad before 3.4.1.

4.3
2020-12-28 CVE-2020-26031 Zammad Incorrect Default Permissions vulnerability in Zammad

An issue was discovered in Zammad before 3.4.1.

4.3

1 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2020-12-31 CVE-2020-11947 Qemu Out-of-bounds Read vulnerability in Qemu 4.1.0

iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker.

3.8