Weekly Vulnerabilities Reports > December 28, 2020 to January 3, 2021
Overview
353 new vulnerabilities were reported during this period, including 82 critical vulnerabilities and 118 high severity vulnerabilities. This weekly summary reports vulnerabilities in 380 products from 171 vendors, including Netgear, Zammad, Huawei, Rusqlite Project, and Rest Json Project. The vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Use After Free", "SQL Injection", and "Race Condition".
- 285 reported vulnerabilities are remotely exploitable.
- 14 reported vulnerabilities have a public exploit available.
- 125 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 191 reported vulnerabilities are exploitable by an anonymous user.
- Netgear has the most reported vulnerabilities, with 66 reported vulnerabilities.
- Rusqlite Project has the most reported critical vulnerabilities, with 7 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
82 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-01-01 | CVE-2020-35951 | Expresstech | Missing Authentication for Critical Function vulnerability in Expresstech Quiz and Survey Master An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. | 9.9 |
2020-12-31 | CVE-2020-17363 | Usvn | OS Command Injection vulnerability in Usvn USVN (aka User-friendly SVN) before 1.0.9 allows remote code execution via shell metacharacters in the number_start or number_end parameter to LastHundredRequest (aka lasthundredrequestAction) in the Timeline module. | 9.9 |
2020-12-30 | CVE-2020-10208 | Amino | Injection vulnerability in Amino products Command Injection in EntoneWebEngine in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows authenticated remote attackers to execute arbitrary commands with root user privileges. | 9.9 |
2021-01-01 | CVE-2020-35949 | Expresstech | Unrestricted Upload of File with Dangerous Type vulnerability in Expresstech Quiz and Survey Master An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. | 9.8 |
2021-01-01 | CVE-2016-20005 | Rest Json Project | Incorrect Authorization vulnerability in Rest/Json Project Rest/Json The REST/JSON project 7.x-1.x for Drupal allows user registration bypass, aka SA-CONTRIB-2016-033. | 9.8 |
2021-01-01 | CVE-2016-20004 | Rest Json Project | Incorrect Authorization vulnerability in Rest/Json Project Rest/Json The REST/JSON project 7.x-1.x for Drupal allows field access bypass, aka SA-CONTRIB-2016-033. | 9.8 |
2021-01-01 | CVE-2016-20002 | Rest Json Project | Incorrect Authorization vulnerability in Rest/Json Project Rest/Json The REST/JSON project 7.x-1.x for Drupal allows comment access bypass, aka SA-CONTRIB-2016-033. | 9.8 |
2021-01-01 | CVE-2016-20001 | Rest Json Project | Incorrect Authorization vulnerability in Rest/Json Project Rest/Json The REST/JSON project 7.x-1.x for Drupal allows node access bypass, aka SA-CONTRIB-2016-033. | 9.8 |
2020-12-31 | CVE-2020-35895 | Stack Project | Out-of-bounds Write vulnerability in Stack Project Stack An issue was discovered in the stack crate before 0.3.1 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35888 | ARR Project | Use of Uninitialized Resource vulnerability in ARR Project ARR An issue was discovered in the arr crate through 2020-08-25 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35887 | ARR Project | Classic Buffer Overflow vulnerability in ARR Project ARR An issue was discovered in the arr crate through 2020-08-25 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35885 | Alpm RS Project | Double Free vulnerability in Alpm-Rs Project Alpm-Rs An issue was discovered in the alpm-rs crate through 2020-08-20 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35881 | Traitobject Project | Out-of-bounds Write vulnerability in Traitobject Project Traitobject An issue was discovered in the traitobject crate through 2020-06-01 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35880 | Bigint Project | Unspecified vulnerability in Bigint Project Bigint An issue was discovered in the bigint crate through 2020-05-07 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35879 | Rulinalg Project | Unspecified vulnerability in Rulinalg Project Rulinalg 0.4.1 An issue was discovered in the rulinalg crate through 2020-02-11 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35878 | Ozone Project | Use of Uninitialized Resource vulnerability in Ozone Project Ozone 0.0.1/0.1.0 An issue was discovered in the ozone crate through 2020-07-04 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35877 | Ozone Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ozone Project Ozone 0.0.1/0.1.0 An issue was discovered in the ozone crate through 2020-07-04 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35876 | RIO Project | Missing Release of Resource after Effective Lifetime vulnerability in RIO Project RIO An issue was discovered in the rio crate through 2020-05-11 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35873 | Rusqlite Project | Use After Free vulnerability in Rusqlite Project Rusqlite An issue was discovered in the rusqlite crate before 0.23.0 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35872 | Rusqlite Project | Unspecified vulnerability in Rusqlite Project Rusqlite An issue was discovered in the rusqlite crate before 0.23.0 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35870 | Rusqlite Project | Use After Free vulnerability in Rusqlite Project Rusqlite An issue was discovered in the rusqlite crate before 0.23.0 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35869 | Rusqlite Project | Use of Externally-Controlled Format String vulnerability in Rusqlite Project Rusqlite An issue was discovered in the rusqlite crate before 0.23.0 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35868 | Rusqlite Project | Unspecified vulnerability in Rusqlite Project Rusqlite An issue was discovered in the rusqlite crate before 0.23.0 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35867 | Rusqlite Project | Unspecified vulnerability in Rusqlite Project Rusqlite An issue was discovered in the rusqlite crate before 0.23.0 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35866 | Rusqlite Project | Unspecified vulnerability in Rusqlite Project Rusqlite An issue was discovered in the rusqlite crate before 0.23.0 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35863 | Hyper | HTTP Request Smuggling vulnerability in Hyper An issue was discovered in the hyper crate before 0.12.34 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35862 | Bitvec Project | Use After Free vulnerability in Bitvec Project Bitvec An issue was discovered in the bitvec crate before 0.17.4 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35860 | Cbox Project | NULL Pointer Dereference vulnerability in Cbox Project Cbox An issue was discovered in the cbox crate through 2020-03-19 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35858 | Prost Project | Out-of-bounds Write vulnerability in Prost Project Prost An issue was discovered in the prost crate before 0.6.1 for Rust. | 9.8 |
2020-12-31 | CVE-2019-25010 | Failure Project | Type Confusion vulnerability in Failure Project Failure An issue was discovered in the failure crate through 2019-11-13 for Rust. | 9.8 |
2020-12-31 | CVE-2019-25009 | Hyper | Double Free vulnerability in Hyper Http An issue was discovered in the http crate before 0.1.20 for Rust. | 9.8 |
2020-12-31 | CVE-2019-25004 | Google | Unspecified vulnerability in Google Flatbuffers 0.4.0/0.5.0/0.6.0 An issue was discovered in the flatbuffers crate before 0.6.1 for Rust. | 9.8 |
2020-12-31 | CVE-2019-25002 | Sodiumoxide Project | Unspecified vulnerability in Sodiumoxide Project Sodiumoxide An issue was discovered in the sodiumoxide crate before 0.2.5 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35926 | Nanorand Project | Incorrect Conversion between Numeric Types vulnerability in Nanorand Project Nanorand An issue was discovered in the nanorand crate before 0.5.1 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35902 | Actix | Use After Free vulnerability in Actix Actix-Codec An issue was discovered in the actix-codec crate before 0.3.0-beta.1 for Rust. | 9.8 |
2020-12-31 | CVE-2020-35851 | Hgiga | OS Command Injection vulnerability in Hgiga Msr45 Isherlock-User and Ssr45 Isherlock-User HGiga MailSherlock does not validate specific parameters properly. | 9.8 |
2020-12-31 | CVE-2020-25848 | Hgiga | Improper Authentication vulnerability in Hgiga products HGiga MailSherlock contains a weak authentication flaw that allows attackers to gain privileges remotely through the default password generation mechanism. | 9.8 |
2020-12-31 | CVE-2020-25844 | Panorama | Out-of-bounds Write vulnerability in Panorama Nhiservisignadapter 1.0.20.0218 The digest generation function of NHIServiSignAdapter does not verify the parameter's length, which leads to a stack overflow. | 9.8 |
2020-12-31 | CVE-2020-25843 | Panorama | Out-of-bounds Write vulnerability in Panorama Nhiservisignadapter 1.0.20.0218 NHIServiSignAdapter fails to verify the length of the digital credential files' path, which leads to a heap overflow. | 9.8 |
2020-12-31 | CVE-2019-7726 | Nukeviet | SQL Injection vulnerability in Nukeviet modules/banners/funcs/click.php in NukeViet before 4.3.04 has a SQL INSERT statement with raw header data from an HTTP request (e.g., Referer and User-Agent). | 9.8 |
2020-12-31 | CVE-2019-7725 | Nukeviet | Deserialization of Untrusted Data vulnerability in Nukeviet includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk). | 9.8 |
2020-12-31 | CVE-2018-14067 | Greenpacket | Command Injection vulnerability in Greenpacket Dv-360 Firmware 2.10.14G1.0.6.1 Green Packet WiMax DV-360 2.10.14-g1.0.6.1 devices allow Command Injection, with unauthenticated remote command execution, via a crafted payload to the HTTPS port, because lighttpd listens on all network interfaces (including the external Internet) by default. | 9.8 |
2020-12-31 | CVE-2016-9026 | Exponentcms | Improper Input Validation vulnerability in Exponentcms Exponent CMS Exponent CMS before 2.6.0 has improper input validation in fileController.php. | 9.8 |
2020-12-31 | CVE-2016-9025 | Exponentcms | Improper Input Validation vulnerability in Exponentcms Exponent CMS Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php. | 9.8 |
2020-12-31 | CVE-2016-9023 | Exponentcms | Improper Input Validation vulnerability in Exponentcms Exponent CMS Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php. | 9.8 |
2020-12-31 | CVE-2016-9022 | Exponentcms | Improper Input Validation vulnerability in Exponentcms Exponent CMS Exponent CMS before 2.6.0 has improper input validation in usersController.php. | 9.8 |
2020-12-31 | CVE-2016-9021 | Exponentcms | Improper Input Validation vulnerability in Exponentcms Exponent CMS Exponent CMS before 2.6.0 has improper input validation in storeController.php. | 9.8 |
2020-12-31 | CVE-2020-12658 | Gssproxy Project Debian | Improper Locking vulnerability in multiple products gssproxy (aka gss-proxy) before 0.8.3 does not unlock cond_mutex before pthread exit in gp_worker_main() in gp_workers.c. | 9.8 |
2020-12-30 | CVE-2020-11103 | Webswing | Unspecified vulnerability in Webswing JsLink in Webswing before 2.6.12 LTS, and 2.7.x and 20.x before 20.1, allows remote code execution. | 9.8 |
2020-12-30 | CVE-2020-35173 | Amaze File Manager Project | Unspecified vulnerability in Amaze File Manager Project Amaze File Manager The Amaze File Manager application before 3.4.2 for Android does not properly restrict intents for controlling the FTP server (aka services.ftpservice.FTPReceiver.ACTION_START_FTPSERVER and services.ftpservice.FTPReceiver.ACTION_STOP_FTPSERVER). | 9.8 |
2020-12-30 | CVE-2019-12768 | Dlink | Forced Browsing vulnerability in Dlink Dap-1650 Firmware An issue was discovered on D-Link DAP-1650 devices through v1.03b07 before 1.04B02_J65H Hot Fix. | 9.8 |
2020-12-30 | CVE-2020-29594 | Rocket Chat | Unspecified vulnerability in Rocket.Chat Rocket.Chat before 0.74.4, 1.x before 1.3.4, 2.x before 2.4.13, 3.x before 3.7.3, 3.8.x before 3.8.3, and 3.9.x before 3.9.1 mishandles SAML login. | 9.8 |
2020-12-30 | CVE-2020-35848 | Agentejo | SQL Injection vulnerability in Agentejo Cockpit Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function. | 9.8 |
2020-12-30 | CVE-2020-35847 | Agentejo | SQL Injection vulnerability in Agentejo Cockpit Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function. | 9.8 |
2020-12-30 | CVE-2020-35846 | Agentejo | SQL Injection vulnerability in Agentejo Cockpit Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function. | 9.8 |
2020-12-30 | CVE-2020-35799 | Netgear | Out-of-bounds Write vulnerability in Netgear products Certain NETGEAR devices are affected by a stack-based buffer overflow by an unauthenticated attacker. | 9.8 |
2020-12-30 | CVE-2020-35797 | Netgear | Unrestricted Upload of File with Dangerous Type vulnerability in Netgear Nms300 Firmware NETGEAR NMS300 devices before 1.6.0.27 are affected by command injection by an unauthenticated attacker. | 9.8 |
2020-12-30 | CVE-2020-35796 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 9.8 |
2020-12-30 | CVE-2020-35795 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 9.8 |
2020-12-29 | CVE-2020-10210 | Amino | Use of Hard-coded Credentials vulnerability in Amino products Because of hard-coded SSH keys for the root user in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series, Kami7B, an attacker may remotely log in through SSH. | 9.8 |
2020-12-29 | CVE-2020-10207 | Amino | Use of Hard-coded Credentials vulnerability in Amino products Use of Hard-coded Credentials in EntoneWebEngine in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows remote attackers to retrieve and modify the device settings. | 9.8 |
2020-12-29 | CVE-2020-10148 | Solarwinds | Improper Authentication vulnerability in Solarwinds Orion Platform 2019.4/2020.2/2020.2.1 The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. | 9.8 |
2020-12-29 | CVE-2020-28283 | Libnested Project | Unspecified vulnerability in Libnested Project Libnested Prototype pollution vulnerability in 'libnested' versions 0.0.0 through 1.5.0 allows an attacker to cause a denial of service and may lead to remote code execution. | 9.8 |
2020-12-29 | CVE-2020-28282 | Getobject Project | Unspecified vulnerability in Getobject Project Getobject 0.1.0 Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution. | 9.8 |
2020-12-29 | CVE-2020-28281 | SET Object Value Project | Unspecified vulnerability in Set-Object-Value Project Set-Object-Value Prototype pollution vulnerability in 'set-object-value' versions 0.0.0 through 0.0.5 allows an attacker to cause a denial of service and may lead to remote code execution. | 9.8 |
2020-12-29 | CVE-2020-28280 | Predefine Project | Unspecified vulnerability in Predefine Project Predefine 0.0.0/0.1.2 Prototype pollution vulnerability in 'predefine' versions 0.0.0 through 0.1.2 allows an attacker to cause a denial of service and may lead to remote code execution. | 9.8 |
2020-12-29 | CVE-2020-28279 | Flattenizer Project | Unspecified vulnerability in Flattenizer Project Flattenizer Prototype pollution vulnerability in 'flattenizer' versions 0.0.5 through 1.0.5 allows an attacker to cause a denial of service and may lead to remote code execution. | 9.8 |
2020-12-29 | CVE-2020-28278 | Shvl Project | Unspecified vulnerability in Shvl Project Shvl Prototype pollution vulnerability in 'shvl' versions 1.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. | 9.8 |
2020-12-29 | CVE-2020-28277 | Dset Project | Unspecified vulnerability in Dset Project Dset 1.0.0/2.0.0/2.0.1 Prototype pollution vulnerability in 'dset' versions 1.0.0 through 2.0.1 allows attacker to cause a denial of service and may lead to remote code execution. | 9.8 |
2020-12-29 | CVE-2020-28276 | Deep SET Project | Unspecified vulnerability in Deep-Set Project Deep-Set 1.0.0/1.0.1 Prototype pollution vulnerability in 'deep-set' versions 1.0.0 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution. | 9.8 |
2020-12-29 | CVE-2020-35769 | Webmin | Unspecified vulnerability in Webmin 1.962 miniserv.pl in Webmin 1.962 on Windows mishandles special characters in query arguments to the CGI program. | 9.8 |
2020-12-28 | CVE-2020-27172 | Gdatasoftware | Link Following vulnerability in Gdatasoftware G Data An issue was discovered in G-Data before 25.5.9.25: using symbolic links, it is possible to abuse the infected-file restore mechanism to achieve an arbitrary write that leads to elevation of privileges. | 9.8 |
2020-12-28 | CVE-2020-35613 | Joomla | SQL Injection vulnerability in Joomla Joomla! An issue was discovered in Joomla! 3.0.0 through 3.9.22. | 9.8 |
2020-12-28 | CVE-2020-26030 | Zammad | Improper Authentication vulnerability in Zammad An issue was discovered in Zammad before 3.4.1. | 9.8 |
2020-12-28 | CVE-2020-26290 | Linuxfoundation | Unspecified vulnerability in Linuxfoundation DEX Dex is a federated OpenID Connect provider written in Go. | 9.6 |
2020-12-30 | CVE-2020-35800 | Netgear | Unspecified vulnerability in Netgear products Certain NETGEAR devices are affected by incorrect configuration of security settings. | 9.4 |
2020-12-31 | CVE-2018-19945 | Qnap | Path Traversal vulnerability in Qnap QTS A vulnerability has been reported to affect earlier QNAP devices running QTS 4.3.4 to 4.3.6. | 9.1 |
2020-12-31 | CVE-2020-35892 | Simple Slab Project | Out-of-bounds Read vulnerability in Simple-Slab Project Simple-Slab An issue was discovered in the simple-slab crate before 0.3.3 for Rust. | 9.1 |
2020-12-31 | CVE-2020-35883 | Mozwire Project | Path Traversal vulnerability in Mozwire Project Mozwire An issue was discovered in the mozwire crate through 2020-08-18 for Rust. | 9.1 |
2020-12-31 | CVE-2020-35859 | Lucet Runtime Internals Project | Out-of-bounds Write vulnerability in Lucet-Runtime-Internals Project Lucet-Runtime-Internals An issue was discovered in the lucet-runtime-internals crate before 0.5.1 for Rust. | 9.1 |
2020-12-31 | CVE-2020-35898 | Actix | Use After Free vulnerability in Actix Actix-Utils An issue was discovered in the actix-utils crate before 2.0.0 for Rust. | 9.1 |
2021-01-01 | CVE-2020-35717 | Electronjs | Cross-site Scripting vulnerability in Electronjs Zonote zonote through 0.4.0 allows XSS via a crafted note, with resultant Remote Code Execution (because nodeIntegration in webPreferences is true). | 9.0 |
118 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2021-01-01 | CVE-2020-35950 | Xcloner | Cross-Site Request Forgery (CSRF) vulnerability in Xcloner An issue was discovered in the XCloner Backup and Restore plugin before 4.2.153 for WordPress. | 8.8 |
2021-01-01 | CVE-2020-35948 | Xcloner | Incorrect Authorization vulnerability in Xcloner An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. | 8.8 |
2021-01-01 | CVE-2020-35945 | Elegant Themes | Unrestricted Upload of File with Dangerous Type vulnerability in Elegant Themes Divi, Divi Builder and Divi Extra An issue was discovered in the Divi Builder plugin, Divi theme, and Divi Extra theme before 4.5.3 for WordPress. | 8.8 |
2021-01-01 | CVE-2020-35944 | Pagelayer | Cross-site Scripting vulnerability in Pagelayer An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. | 8.8 |
2021-01-01 | CVE-2020-35939 | Pickplugins | Deserialization of Untrusted Data vulnerability in Pickplugins Post Grid and Team Showcase PHP Object injection vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data supplied in a remotely hosted crafted payload in the source parameter via AJAX. | 8.8 |
2021-01-01 | CVE-2020-35938 | Pickplugins | Deserialization of Untrusted Data vulnerability in Pickplugins Post Grid and Team Showcase PHP Object injection vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data supplied in a remotely hosted crafted payload in the source parameter via AJAX. | 8.8 |
2021-01-01 | CVE-2020-35935 | Vasyltech | Unspecified vulnerability in Vasyltech Advanced Access Manager The Advanced Access Manager plugin before 6.6.2 for WordPress allows privilege escalation on profile updates via the aam_user_roles POST parameter if Multiple Role support is enabled. | 8.8 |
2021-01-01 | CVE-2020-35932 | Tribulant | Deserialization of Untrusted Data vulnerability in Tribulant Newsletter Insecure Deserialization in the Newsletter plugin before 6.8.2 for WordPress allows authenticated remote attackers with minimal privileges (such as subscribers) to use the tpnc_render AJAX action to inject arbitrary PHP objects via the options[inline_edits] parameter. | 8.8 |
2021-01-01 | CVE-2018-25002 | Sunhater | Improper Input Validation vulnerability in Sunhater Kcfinder uploader.php in the KCFinder integration project through 2018-06-01 for Drupal mishandles validation, aka SA-CONTRIB-2018-024. | 8.8 |
2020-12-31 | CVE-2020-26165 | Qdpm | Deserialization of Untrusted Data vulnerability in Qdpm 8.3/9.0/9.1 qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used. | 8.8 |
2020-12-31 | CVE-2018-16795 | Open EMR | Cross-Site Request Forgery (CSRF) vulnerability in Open-Emr Openemr 5.0.1.3 OpenEMR 5.0.1.3 allows Cross-Site Request Forgery (CSRF) via library/ajax and interface/super, as demonstrated by use of interface/super/manage_site_files.php to upload a .php file. | 8.8 |
2020-12-31 | CVE-2020-19664 | Draytek | OS Command Injection vulnerability in Draytek Vigor2960 Firmware 1.3.1 DrayTek Vigor2960 1.5.1 allows remote command execution via shell metacharacters in a toLogin2FA action to mainfunction.cgi. | 8.8 |
2020-12-30 | CVE-2020-28736 | Plone | XXE vulnerability in Plone Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). | 8.8 |
2020-12-30 | CVE-2020-28735 | Plone | Server-Side Request Forgery (SSRF) vulnerability in Plone Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). | 8.8 |
2020-12-30 | CVE-2020-28734 | Plone | XXE vulnerability in Plone Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. | 8.8 |
2020-12-30 | CVE-2020-27848 | Dotcms | SQL Injection vulnerability in Dotcms dotCMS before 20.10.1 allows SQL injection, as demonstrated by the /api/v1/containers orderby parameter. | 8.8 |
2020-12-30 | CVE-2020-35789 | Netgear | OS Command Injection vulnerability in Netgear Nms300 Firmware NETGEAR NMS300 devices before 1.6.0.27 are affected by command injection by an authenticated user. | 8.8 |
2020-12-30 | CVE-2020-35785 | Netgear | Improper Authentication vulnerability in Netgear Dgn2200 Firmware 1.0.0.507.0.50/1.0.0.55/1.0.0.58 NETGEAR DGN2200v1 devices before v1.0.0.60 mishandle HTTPd authentication (aka PSV-2020-0363, PSV-2020-0364, and PSV-2020-0365). | 8.8 |
2020-12-30 | CVE-2020-35778 | Netgear | Cross-Site Request Forgery (CSRF) vulnerability in Netgear Gs716T Firmware and Gs724T Firmware Certain NETGEAR devices are affected by CSRF. | 8.8 |
2020-12-29 | CVE-2020-27645 | 1E | Unquoted Search Path or Element vulnerability in 1E Client 5.0.0.745 The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. | 8.8 |
2020-12-29 | CVE-2020-27644 | 1E | Unquoted Search Path or Element vulnerability in 1E Client 5.0.0.745 The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. | 8.8 |
2020-12-29 | CVE-2020-16268 | 1E | Exposure of Resource to Wrong Sphere vulnerability in 1E Client 4.1.0.267/5.0.0.745 The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote authenticated users and local users to gain elevated privileges via the repair option. | 8.8 |
2020-12-29 | CVE-2020-35773 | Freehtmldesigns | Cross-Site Request Forgery (CSRF) vulnerability in Freehtmldesigns Site Offline The site-offline plugin before 1.4.4 for WordPress lacks certain wp_create_nonce and wp_verify_nonce calls, aka CSRF. | 8.8 |
2020-12-29 | CVE-2020-25847 | Qnap | Command Injection vulnerability in Qnap QTS and Quts Hero This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application. | 8.8 |
2020-12-28 | CVE-2020-35627 | Woocommerce | Unrestricted Upload of File with Dangerous Type vulnerability in Woocommerce Gift Cards 3.0.2 Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file upload vulnerability in the Custom GiftCard Template that can remotely execute arbitrary code. | 8.8 |
2020-12-30 | CVE-2020-26296 | Vega Project | Unspecified vulnerability in Vega Project Vega Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. | 8.7 |
2020-12-29 | CVE-2020-26287 | Hedgedoc | Cross-site Scripting vulnerability in Hedgedoc HedgeDoc is a collaborative platform for writing and sharing markdown. | 8.7 |
2020-12-30 | CVE-2020-35779 | Netgear | Unspecified vulnerability in Netgear Nms300 Firmware NETGEAR NMS300 devices before 1.6.0.27 are affected by denial of service. | 8.6 |
2020-12-30 | CVE-2020-35777 | Netgear | Command Injection vulnerability in Netgear Dgn2200V1 Firmware NETGEAR DGN2200v1 devices before v1.0.0.58 are affected by command injection. | 8.4 |
2020-12-31 | CVE-2020-35889 | Crayon Project | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Crayon Project Crayon An issue was discovered in the crayon crate through 2020-08-31 for Rust. | 8.1 |
2020-12-31 | CVE-2020-35882 | Rocket | Race Condition vulnerability in Rocket An issue was discovered in the rocket crate before 0.4.5 for Rust. | 8.1 |
2020-12-31 | CVE-2020-35874 | Internment Project | Use After Free vulnerability in Internment Project Internment 0.3.12 An issue was discovered in the internment crate through 2020-05-28 for Rust. | 8.1 |
2020-12-31 | CVE-2020-35871 | Rusqlite Project | Race Condition vulnerability in Rusqlite Project Rusqlite An issue was discovered in the rusqlite crate before 0.23.0 for Rust. | 8.1 |
2020-12-30 | CVE-2020-35839 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by Stored XSS. | 8.1 |
2020-12-30 | CVE-2020-35831 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 8.1 |
2020-12-30 | CVE-2020-35782 | Netgear | Unspecified vulnerability in Netgear products Certain NETGEAR devices are affected by lack of access control at the function level. | 8.1 |
2020-12-30 | CVE-2020-10209 | Amino | OS Command Injection vulnerability in Amino products Command Injection in the CPE WAN Management Protocol (CWMP) registration in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows man-in-the-middle attackers to execute arbitrary commands with root level privileges. | 8.1 |
2020-12-29 | CVE-2020-17533 | Apache | Unspecified vulnerability in Apache Accumulo Apache Accumulo versions 1.5.0 through 1.10.0 and version 2.0.0 do not properly check the return value of some policy enforcement functions before permitting an authenticated user to perform certain administrative operations. | 8.1 |
2021-01-01 | CVE-2020-35937 | Pickplugins | Cross-site Scripting vulnerability in Pickplugins Post Grid and Team Showcase Stored Cross-Site Scripting (XSS) vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. | 8.0 |
2021-01-01 | CVE-2020-35936 | Pickplugins | Cross-site Scripting vulnerability in Pickplugins Post Grid and Team Showcase Stored Cross-Site Scripting (XSS) vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. | 8.0 |
2020-12-30 | CVE-2020-35787 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an authenticated user. | 8.0 |
2021-01-03 | CVE-2020-35963 | Treasuredata | Out-of-bounds Write vulnerability in Treasuredata Fluent BIT flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out-of-bounds write because it does not use the correct calculation of the maximum gzip data-size expansion. | 7.8 |
2020-12-31 | CVE-2020-35931 | Foxitsoftware | Improper Check for Unusual or Exceptional Conditions vulnerability in Foxitsoftware Foxit Reader An issue was discovered in Foxit Reader before 10.1.1 (and before 4.1.1 on macOS) and PhantomPDF before 9.7.5 and 10.x before 10.1.1 (and before 4.1.1 on macOS). | 7.8 |
2020-12-31 | CVE-2020-35906 | Rust Lang | Use After Free vulnerability in Rust-Lang Futures-Task An issue was discovered in the futures-task crate before 0.3.6 for Rust. | 7.8 |
2020-12-30 | CVE-2020-35798 | Netgear | Command Injection vulnerability in Netgear products Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. | 7.8 |
2020-12-29 | CVE-2020-9207 | Huawei | Improper Authentication vulnerability in Huawei products There is an improper authentication vulnerability in some versions of Huawei CloudEngine product. | 7.8 |
2020-12-28 | CVE-2020-35766 | Opendkim | Link Following vulnerability in Opendkim The test suite in libopendkim in OpenDKIM through 2.10.3 allows local users to gain privileges via a symlink attack against the /tmp/testkeys file (related to t-testdata.h, t-setup.c, and t-cleanup.c). | 7.8 |
2020-12-28 | CVE-2020-25507 | 3DS | Incorrect Permission Assignment for Critical Resource vulnerability in 3DS Teamwork Cloud An incorrect permission assignment during the installation script of TeamworkCloud 18.0 thru 19.0 allows a local unprivileged attacker to execute arbitrary code as root. | 7.8 |
2020-12-31 | CVE-2020-35743 | Hgiga | SQL Injection vulnerability in Hgiga products HGiga MailSherlock contains a SQL injection flaw. | 7.6 |
2020-12-31 | CVE-2020-35742 | Hgiga | SQL Injection vulnerability in Hgiga products HGiga MailSherlock contains a vulnerability of SQL Injection. | 7.6 |
2020-12-30 | CVE-2020-35841 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 7.6 |
2021-01-03 | CVE-2020-35962 | Loopring | Unspecified vulnerability in Loopring The sellTokenForLRC function in the vault protocol in the smart contract implementation for Loopring (LRC), an Ethereum token, lacks access control for fee swapping and thus allows price manipulation. | 7.5 |
2021-01-03 | CVE-2021-3006 | Seal Finance Project | Unspecified vulnerability in Seal Finance Project Seal Finance The breed function in the smart contract implementation for Farm in Seal Finance (Seal), an Ethereum token, lacks access control and thus allows price manipulation, as exploited in the wild in December 2020 and January 2021. | 7.5 |
2021-01-03 | CVE-2021-3004 | Stableyieldcredit Project | Incorrect Calculation vulnerability in Stableyieldcredit Project Stableyieldcredit The _deposit function in the smart contract implementation for Stable Yield Credit (yCREDIT), an Ethereum token, has certain incorrect calculations. | 7.5 |
2021-01-02 | CVE-2020-28852 | Golang | Improper Validation of Array Index vulnerability in Golang Text In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. | 7.5 |
2021-01-02 | CVE-2020-28851 | Golang | Improper Validation of Array Index vulnerability in Golang GO 1.15.4 In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. | 7.5 |
2021-01-01 | CVE-2019-25012 | Webform Report Project | Forced Browsing vulnerability in Webform Report Project Webform Report 7.X1.Xdev The Webform Report project 7.x-1.x-dev for Drupal allows remote attackers to view submissions by visiting the /rss.xml page. | 7.5 |
2021-01-01 | CVE-2017-20001 | AES Encryption Project | Inadequate Encryption Strength vulnerability in AES Encryption Project AES Encryption The AES encryption project 7.x and 8.x for Drupal does not sufficiently prevent attackers from decrypting data, aka SA-CONTRIB-2017-027. | 7.5 |
2021-01-01 | CVE-2016-20003 | Rest Json Project | Unspecified vulnerability in Rest/Json Project Rest/Json The REST/JSON project 7.x-1.x for Drupal allows user enumeration, aka SA-CONTRIB-2016-033. | 7.5 |
2021-01-01 | CVE-2016-20008 | Rest Json Project | Unspecified vulnerability in Rest/Json Project Rest/Json The REST/JSON project 7.x-1.x for Drupal allows session enumeration, aka SA-CONTRIB-2016-033. | 7.5 |
2021-01-01 | CVE-2016-20007 | Rest Json Project | Insufficient Session Expiration vulnerability in Rest/Json Project Rest/Json The REST/JSON project 7.x-1.x for Drupal allows session name guessing, aka SA-CONTRIB-2016-033. | 7.5 |
2021-01-01 | CVE-2016-20006 | Rest Json Project | Unspecified vulnerability in Rest/Json Project Rest/Json The REST/JSON project 7.x-1.x for Drupal allows blockage of user logins, aka SA-CONTRIB-2016-033. | 7.5 |
2020-12-31 | CVE-2018-19944 | Qnap | Cleartext Transmission of Sensitive Information vulnerability in Qnap QTS A cleartext transmission of sensitive information vulnerability has been reported to affect certain QTS devices. | 7.5 |
2020-12-31 | CVE-2018-19941 | Qnap | Cleartext Storage of Sensitive Information vulnerability in Qnap QTS A vulnerability has been reported to affect QNAP NAS. | 7.5 |
2020-12-31 | CVE-2020-35896 | WS RS Project | Allocation of Resources Without Limits or Throttling vulnerability in Ws-Rs Project Ws-Rs An issue was discovered in the ws crate through 2020-09-25 for Rust. | 7.5 |
2020-12-31 | CVE-2020-35894 | Obstack Project | Use of Incorrectly-Resolved Name or Reference vulnerability in Obstack Project Obstack 0.1.0/0.1.1/0.1.2 An issue was discovered in the obstack crate before 0.1.4 for Rust. | 7.5 |
2020-12-31 | CVE-2020-35893 | Simple Slab Project | Use of Uninitialized Resource vulnerability in Simple-Slab Project Simple-Slab An issue was discovered in the simple-slab crate before 0.3.3 for Rust. | 7.5 |
2020-12-31 | CVE-2020-35891 | Ordnung Project | Double Free vulnerability in Ordnung Project Ordnung 20200903 An issue was discovered in the ordnung crate through 2020-09-03 for Rust. | 7.5 |
2020-12-31 | CVE-2020-35890 | Ordnung Project | Out-of-bounds Read vulnerability in Ordnung Project Ordnung 20200903 An issue was discovered in the ordnung crate through 2020-09-03 for Rust. | 7.5 |
2020-12-31 | CVE-2020-35875 | Tokio | Unspecified vulnerability in Tokio Tokio-Rustls An issue was discovered in the tokio-rustls crate before 0.13.1 for Rust. | 7.5 |
2020-12-31 | CVE-2020-35865 | OS STR Bytes Project | Unspecified vulnerability in OS STR Bytes Project OS STR Bytes An issue was discovered in the os_str_bytes crate before 2.0.0 for Rust. | 7.5 |
2020-12-31 | CVE-2020-35864 | Google | Unspecified vulnerability in Google Flatbuffers An issue was discovered in the flatbuffers crate through 2020-04-11 for Rust. | 7.5 |
2020-12-31 | CVE-2020-35861 | Bumpalo Project | Out-of-bounds Read vulnerability in Bumpalo Project Bumpalo An issue was discovered in the bumpalo crate before 3.2.1 for Rust. | 7.5 |
2020-12-31 | CVE-2020-35857 | Trust DNS Server Project | Resource Exhaustion vulnerability in Trust-Dns-Server Project Trust-Dns-Server An issue was discovered in the trust-dns-server crate before 0.18.1 for Rust. | 7.5 |
2020-12-31 | CVE-2019-25007 | Streebog Project | Unspecified vulnerability in Streebog Project Streebog An issue was discovered in the streebog crate before 0.8.0 for Rust. | 7.5 |
2020-12-31 | CVE-2019-25006 | Streebog Project | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Streebog Project Streebog An issue was discovered in the streebog crate before 0.8.0 for Rust. | 7.5 |
2020-12-31 | CVE-2019-25005 | Chacha20 Project | Integer Overflow or Wraparound vulnerability in Chacha20 Project Chacha20 An issue was discovered in the chacha20 crate before 0.2.3 for Rust. | 7.5 |
2020-12-31 | CVE-2019-25003 | Parity | Unspecified vulnerability in Parity Libsecp256K1 An issue was discovered in the libsecp256k1 crate before 0.3.1 for Rust. | 7.5 |
2020-12-31 | CVE-2019-25001 | Serde Cbor Project | Out-of-bounds Write vulnerability in Serde Cbor Project Serde Cbor An issue was discovered in the serde_cbor crate before 0.10.2 for Rust. | 7.5 |
2020-12-31 | CVE-2020-35909 | Protocol | Unspecified vulnerability in Protocol Multihash An issue was discovered in the multihash crate before 0.11.3 for Rust. | 7.5 |
2020-12-31 | CVE-2020-35901 | Actix | Use After Free vulnerability in Actix Actix-Http An issue was discovered in the actix-http crate before 2.0.0-alpha.1 for Rust. | 7.5 |
2020-12-31 | CVE-2020-25850 | Hgiga | Unspecified vulnerability in Hgiga Msr45 Isherlock-User and Ssr45 Isherlock-User The function, view the source code, of HGiga MailSherlock does not validate specific characters. | 7.5 |
2020-12-31 | CVE-2020-25842 | Panorama | Missing Encryption of Sensitive Data vulnerability in Panorama Nhiservisignadapter 1.0.20.0218 The encryption function of NHIServiSignAdapter fails to verify the file path input by users. | 7.5 |
2020-12-31 | CVE-2020-13654 | Xwiki | Improper Encoding or Escaping of Output vulnerability in Xwiki XWiki Platform before 12.8 mishandles escaping in the property displayer. | 7.5 |
2020-12-30 | CVE-2020-28095 | Tenda | Infinite Loop vulnerability in Tenda Ac1200 Firmware 15.03.06.51Multi On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, a large HTTP POST request sent to the change password API will trigger the router to crash and enter an infinite boot loop. | 7.5 |
2020-12-30 | CVE-2019-16747 | Matrixssl | Out-of-bounds Write vulnerability in Matrixssl In MatrixSSL before 4.2.2 Open, the DTLS server can encounter an invalid pointer free (leading to memory corruption and a daemon crash) via a crafted incoming network message, a different vulnerability than CVE-2019-14431. | 7.5 |
2020-12-30 | CVE-2019-16281 | Ptarmigan Project | Improper Certificate Validation vulnerability in Ptarmigan Project Ptarmigan 0.2.0/0.2.1/0.2.2 Ptarmigan before 0.2.3 lacks API token validation, e.g., an "if (token === apiToken) {return true;} return false;" code block. | 7.5 |
2020-12-30 | CVE-2020-35737 | Newgensoft | Unspecified vulnerability in Newgensoft Egov 12.0 In Correspondence Management System (corms) in Newgen eGov 12.0, an attacker can modify other users' profile information by manipulating the unvalidated UserIndex parameter, aka Insecure Direct Object Reference. | 7.5 |
2020-12-30 | CVE-2019-15080 | Morph Project | Unspecified vulnerability in Morph Project Morph 20190605 An issue was discovered in a smart contract implementation for MORPH Token through 2019-06-05, an Ethereum token. | 7.5 |
2020-12-30 | CVE-2019-15079 | EAI Project | Unspecified vulnerability in EAI Project EAI 20190605 A typo exists in the constructor of a smart contract implementation for EAI through 2019-06-05, an Ethereum token. | 7.5 |
2020-12-30 | CVE-2019-15078 | Xbornid | Unspecified vulnerability in Xbornid 20190529 An issue was discovered in a smart contract implementation for AIRDROPX BORN through 2019-05-29, an Ethereum token. | 7.5 |
2020-12-30 | CVE-2020-35849 | Mantisbt | Authorization Bypass Through User-Controlled Key vulnerability in Mantisbt An issue was discovered in MantisBT before 2.24.4. | 7.5 |
2020-12-30 | CVE-2020-29228 | Egavilanmedia | SQL Injection vulnerability in Egavilanmedia User Registration and Login System With Admin Panel 1.0 EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by SQL injection in the User Login Page. | 7.5 |
2020-12-30 | CVE-2020-35802 | Netgear | Unspecified vulnerability in Netgear products Certain NETGEAR devices are affected by disclosure of sensitive information. | 7.5 |
2020-12-29 | CVE-2020-9223 | Huawei | Unspecified vulnerability in Huawei products There is a denial of service vulnerability in some Huawei smartphones. | 7.5 |
2020-12-29 | CVE-2020-9124 | Huawei | Memory Leak vulnerability in Huawei products There is a memory leak vulnerability in some versions of Huawei CloudEngine product. | 7.5 |
2020-12-29 | CVE-2020-9094 | Huawei | Out-of-bounds Read vulnerability in Huawei products There is an out of bound read vulnerability in some versions of Huawei CloudEngine product. | 7.5 |
2020-12-29 | CVE-2020-5807 | Rockwellautomation | Improper Handling of Exceptional Conditions vulnerability in Rockwellautomation Factorytalk Diagnostics 6.11 An unauthenticated remote attacker can send data to RsvcHost.exe listening on TCP port 5241 to add entries in the FactoryTalk Diagnostics event log. | 7.5 |
2020-12-29 | CVE-2020-5802 | Rockwellautomation | Allocation of Resources Without Limits or Throttling vulnerability in Rockwellautomation Factorytalk Linx 6.00/6.10/6.11 An attacker-controlled memory allocation size can be passed to the C++ new operator in RnaDaSvr.dll by sending a specially crafted ConfigureItems message to TCP port 4241. | 7.5 |
2020-12-29 | CVE-2020-5801 | Rockwellautomation | Improper Handling of Exceptional Conditions vulnerability in Rockwellautomation Factorytalk Linx 6.00/6.10/6.11 An attacker can craft and send an OpenNamespace message to port 4241 with valid session-id that triggers an unhandled exception in CFTLDManager::HandleRequest function in RnaDaSvr.dll, resulting in process termination. | 7.5 |
2020-12-29 | CVE-2020-26286 | Hedgedoc | Unspecified vulnerability in Hedgedoc HedgeDoc is a collaborative platform for writing and sharing markdown. | 7.5 |
2020-12-28 | CVE-2020-35616 | Joomla | Improper Input Validation vulnerability in Joomla Joomla! An issue was discovered in Joomla! 1.7.0 through 3.9.22. | 7.5 |
2020-12-28 | CVE-2020-35612 | Joomla | Path Traversal vulnerability in Joomla Joomla! An issue was discovered in Joomla! 2.5.0 through 3.9.22. | 7.5 |
2020-12-28 | CVE-2020-35611 | Joomla | Information Exposure vulnerability in Joomla Joomla! An issue was discovered in Joomla! 2.5.0 through 3.9.22. | 7.5 |
2020-12-28 | CVE-2020-35610 | Joomla | Unspecified vulnerability in Joomla Joomla! An issue was discovered in Joomla! 2.5.0 through 3.9.22. | 7.5 |
2020-12-28 | CVE-2020-14273 | Hcltech | Improper Input Validation vulnerability in Hcltech Domino 10.0.1/11.0.0/11.0.1 HCL Domino is susceptible to a Denial of Service (DoS) vulnerability due to insufficient validation of input to its public API. | 7.5 |
2020-12-28 | CVE-2020-26289 | Date AND Time Project | Unspecified vulnerability in Date-And-Time Project Date-And-Time date-and-time is an npm package for manipulating date and time. | 7.5 |
2020-12-28 | CVE-2020-29160 | Zammad | Missing Authorization vulnerability in Zammad An issue was discovered in Zammad before 3.5.1. | 7.5 |
2020-12-28 | CVE-2020-26032 | Zammad | Server-Side Request Forgery (SSRF) vulnerability in Zammad An SSRF issue was discovered in Zammad before 3.4.1. | 7.5 |
2020-12-28 | CVE-2020-29194 | Panasonic | Unspecified vulnerability in Panasonic Wv-S2231L Firmware 4.25 Panasonic Security System WV-S2231L 4.25 allows a denial of service of the admin control panel (which will require a physical reset to restore administrative control) via Randomnum=99AC8CEC6E845B28&mode=1 in a POST request to the cgi-bin/set_factory URI. | 7.5 |
2020-12-28 | CVE-2020-28094 | Tendacn | Unspecified vulnerability in Tendacn Ac1200 Firmware 15.03.06.51 On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, the default settings for the router speed test contain links to download malware named elive or CNKI E-Learning. | 7.5 |
2021-01-01 | CVE-2020-35947 | Pagelayer | Cross-site Scripting vulnerability in Pagelayer An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. | 7.4 |
2020-12-31 | CVE-2020-25846 | Panorama Project | Open Redirect vulnerability in Panorama Project Nhiservisignadapter 1.0.20.0218 The digest generation function of NHIServiSignAdapter has not been verified for source file path, which leads to the SMB request being redirected to a malicious host, resulting in the leakage of user's credential. | 7.4 |
2020-12-31 | CVE-2020-25845 | Panorama Project | Open Redirect vulnerability in Panorama Project Nhiservisignadapter 1.0.20.0218 Multiple functions of NHIServiSignAdapter failed to verify the users’ file path, which leads to the SMB request being redirected to a malicious host, resulting in the leakage of user's credential. | 7.4 |
2020-12-28 | CVE-2020-24360 | Arista | Improper Resource Shutdown or Release vulnerability in Arista EOS An issue with ARP packets in Arista’s EOS affecting the 7800R3, 7500R3, and 7280R3 series of products may result in issues that cause a kernel crash, followed by a device reload. | 7.4 |
2020-12-30 | CVE-2020-35801 | Netgear | Unspecified vulnerability in Netgear products Certain NETGEAR devices are affected by incorrect configuration of security settings. | 7.3 |
2020-12-30 | CVE-2020-35784 | Netgear | Unspecified vulnerability in Netgear products Certain NETGEAR devices are affected by lack of access control at the function level. | 7.2 |
2020-12-28 | CVE-2020-28093 | Tendacn | Unspecified vulnerability in Tendacn Ac1200 Firmware 15.03.06.51 On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, admin, support, user, and nobody have a password of 1234. | 7.2 |
152 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-12-30 | CVE-2020-35794 | Netgear | Command Injection vulnerability in Netgear products Certain NETGEAR devices are affected by command injection by an authenticated user. | 6.8 |
2020-12-30 | CVE-2020-35792 | Netgear | Command Injection vulnerability in Netgear products Certain NETGEAR devices are affected by command injection by an authenticated user. | 6.8 |
2020-12-30 | CVE-2020-35790 | Netgear | Command Injection vulnerability in Netgear products Certain NETGEAR devices are affected by command injection by an authenticated user. | 6.8 |
2020-12-30 | CVE-2020-35788 | Netgear | Classic Buffer Overflow vulnerability in Netgear Wac104 Firmware NETGEAR WAC104 devices before 1.0.4.13 are affected by a buffer overflow by an authenticated user. | 6.8 |
2020-12-28 | CVE-2020-29193 | Panasonic | Use of Hard-coded Credentials vulnerability in Panasonic Wv-S2231L Firmware 4.25 Panasonic Security System WV-S2231L 4.25 has an insecure hard-coded password of lkjhgfdsa (which is just the asdf keyboard row in reverse order). | 6.8 |
2020-12-28 | CVE-2020-28096 | Foscammall | Unspecified vulnerability in Foscammall Foscam X1 Firmware 1.14.2.4 FOSCAM FHD X1 1.14.2.4 devices allow attackers (with physical UART access) to login via the ipc.fos~ password. | 6.8 |
2020-12-30 | CVE-2020-35793 | Netgear | Command Injection vulnerability in Netgear products Certain NETGEAR devices are affected by command injection by an authenticated user. | 6.7 |
2020-12-30 | CVE-2020-35791 | Netgear | Command Injection vulnerability in Netgear R7800 Firmware, R8900 Firmware and R9000 Firmware Certain NETGEAR devices are affected by command injection by an authenticated user. | 6.7 |
2020-12-29 | CVE-2020-9125 | Huawei | Out-of-bounds Read vulnerability in Huawei Mate 30 Firmware There is an out-of-bound read vulnerability in Huawei smartphone Mate 30 versions earlier than 10.1.0.156 (C00E155R7P2). | 6.7 |
2021-01-03 | CVE-2020-35964 | Ffmpeg | Out-of-bounds Write vulnerability in Ffmpeg 4.3.1 track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-bounds write because of incorrect extradata packing. | 6.5 |
2021-01-03 | CVE-2020-35952 | PHP Fusion | Unspecified vulnerability in PHP-Fusion login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow enumeration. | 6.5 |
2021-01-01 | CVE-2020-35391 | Tenda | Forced Browsing vulnerability in Tenda F3 Firmware 12.01.01.48 Tenda N300 F3 12.01.01.48 devices allow remote attackers to obtain sensitive information (possibly including an http_passwd line) via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg, a related issue to CVE-2017-14942. | 6.5 |
2021-01-01 | CVE-2020-35933 | Thenewsletterplugin | Cross-site Scripting vulnerability in Thenewsletterplugin Newsletter 2.4.6 A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote attackers to trick a victim into submitting a tnpc_render AJAX request containing either JavaScript in an options parameter, or a base64-encoded JSON string containing JavaScript in the encoded_options parameter. | 6.5 |
2020-12-31 | CVE-2020-35884 | Tiny Http Project Fedoraproject | HTTP Request Smuggling vulnerability in multiple products An issue was discovered in the tiny_http crate through 2020-06-16 for Rust. | 6.5 |
2020-12-31 | CVE-2018-25001 | Libpulse Binding Project | Use After Free vulnerability in Libpulse-Binding Project Libpulse-Binding An issue was discovered in the libpulse-binding crate before 2.5.0 for Rust. | 6.5 |
2020-12-31 | CVE-2019-20808 | Qemu | Out-of-bounds Read vulnerability in Qemu 4.1.0 In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation. | 6.5 |
2020-12-31 | CVE-2020-26291 | URI JS Project | Unspecified vulnerability in Uri.Js Project Uri.Js URI.js is a javascript URL mutation library (npm package urijs). | 6.5 |
2020-12-30 | CVE-2020-28413 | Mantisbt | SQL Injection vulnerability in Mantisbt 2.24.3 In MantisBT 2.24.3, SQL Injection can occur in the parameter "access" of the mc_project_get_users function through the API SOAP. | 6.5 |
2020-12-30 | CVE-2020-26288 | Parseplatform | Unspecified vulnerability in Parseplatform Parse-Server Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. | 6.5 |
2020-12-30 | CVE-2020-5811 | Umbraco | Path Traversal vulnerability in Umbraco CMS An authenticated path traversal vulnerability exists during package installation in Umbraco CMS <= 8.9.1 or current, which could result in arbitrary files being written outside of the site home and expected paths when installing an Umbraco package. | 6.5 |
2020-12-30 | CVE-2020-35850 | Cockpit Project | Server-Side Request Forgery (SSRF) vulnerability in Cockpit-Project Cockpit 234 An SSRF issue was discovered in cockpit-project.org Cockpit 234. | 6.5 |
2020-12-30 | CVE-2020-35783 | Netgear | Unspecified vulnerability in Netgear products Certain NETGEAR devices are affected by lack of access control at the function level. | 6.5 |
2020-12-30 | CVE-2020-35781 | Netgear | Unspecified vulnerability in Netgear Nms300 Firmware NETGEAR NMS300 devices before 1.6.0.27 are affected by denial of service. | 6.5 |
2020-12-30 | CVE-2020-35780 | Netgear | Unspecified vulnerability in Netgear Nms300 Firmware NETGEAR NMS300 devices before 1.6.0.27 are affected by denial of service. | 6.5 |
2020-12-29 | CVE-2020-27643 | 1E | Link Following vulnerability in 1E Client 4.1.0.267/5.0.0.745 The %PROGRAMDATA%\1E\Client directory in 1E Client 5.0.0.745 and 4.1.0.267 allows remote authenticated users and local users to create and modify files in protected directories (where they would not normally have access to create or modify files) via the creation of a junction point to a system directory. | 6.5 |
2020-12-29 | CVE-2020-9208 | Huawei | Missing Authentication for Critical Function vulnerability in Huawei Imanager Neteco 6000 V600R021C00 There is an information leak vulnerability in iManager NetEco 6000 versions V600R021C00. | 6.5 |
2020-12-28 | CVE-2020-13474 | Nchsoftware | Forced Browsing vulnerability in Nchsoftware Express Accounts 8.24 In NCH Express Accounts 8.24 and earlier, an authenticated low-privilege user can enter a crafted URL to access higher-privileged functionalities such as Add/Edit users. | 6.5 |
2020-12-28 | CVE-2020-29245 | TAG Project | Improper Validation of Array Index vulnerability in TAG Project TAG 20200828 dhowden tag before 2020-11-19 allows "panic: runtime error: slice bounds out of range" via readAtomData. | 6.5 |
2020-12-28 | CVE-2020-29244 | TAG Project | Improper Validation of Array Index vulnerability in TAG Project TAG 20200828 dhowden tag before 2020-11-19 allows "panic: runtime error: slice bounds out of range" via readTextWithDescrFrame. | 6.5 |
2020-12-28 | CVE-2020-29243 | TAG Project | Improper Validation of Array Index vulnerability in TAG Project TAG 20200828 dhowden tag before 2020-11-19 allows "panic: runtime error: index out of range" via readAPICFrame. | 6.5 |
2020-12-28 | CVE-2020-29242 | TAG Project | Improper Validation of Array Index vulnerability in TAG Project TAG 20200828 dhowden tag before 2020-11-19 allows "panic: runtime error: index out of range" via readPICFrame. | 6.5 |
2020-12-28 | CVE-2020-26029 | Zammad | Incorrect Authorization vulnerability in Zammad An issue was discovered in Zammad before 3.4.1. | 6.5 |
2020-12-28 | CVE-2020-27837 | Gnome | Unspecified vulnerability in Gnome Display Manager A flaw was found in GDM in versions prior to 3.38.2.1. | 6.4 |
2020-12-28 | CVE-2020-35615 | Joomla | Cross-Site Request Forgery (CSRF) vulnerability in Joomla Joomla! An issue was discovered in Joomla! 2.5.0 through 3.9.22. | 6.3 |
2021-01-01 | CVE-2021-3002 | Seopanel | Cross-site Scripting vulnerability in Seopanel SEO Panel 4.8.0 Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?sec=forgot email parameter. | 6.1 |
2020-12-31 | CVE-2020-35741 | Hgiga | Cross-site Scripting vulnerability in Hgiga products HGiga MailSherlock does not validate user parameters on multiple login pages. | 6.1 |
2020-12-31 | CVE-2020-35740 | Hgiga | Cross-site Scripting vulnerability in Hgiga products HGiga MailSherlock does not validate specific URL parameters properly that allows attackers to inject JavaScript syntax for XSS attacks. | 6.1 |
2020-12-30 | CVE-2020-29230 | Egavilanmedia | Cross-site Scripting vulnerability in Egavilanmedia User Registration and Login System With Admin Panel 1.0 EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Panel - Manage User tab using the Full Name of the user. | 6.1 |
2020-12-30 | CVE-2020-28365 | Sapplica | Cross-site Scripting vulnerability in Sapplica Sentrifugo 3.2 Sentrifugo 3.2 allows Stored Cross-Site Scripting (XSS) vulnerability by inserting a payload within the X-Forwarded-For HTTP header during the login process. | 6.1 |
2020-12-28 | CVE-2020-35730 | Roundcube Fedoraproject Debian | Cross-site Scripting vulnerability in multiple products An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. | 6.1 |
2020-12-28 | CVE-2020-35738 | Wavpack Debian Fedoraproject | Integer Overflow or Wraparound vulnerability in multiple products WavPack 5.3.0 has an out-of-bounds write in WavpackPackSamples in pack_utils.c because of an integer overflow in a malloc argument. | 6.1 |
2020-12-28 | CVE-2020-26569 | Arista | Unspecified vulnerability in Arista EOS In EVPN VxLAN setups in Arista EOS, specific malformed packets can lead to incorrect MAC to IP bindings and as a result packets can be incorrectly forwarded across VLAN boundaries. | 5.9 |
2021-01-03 | CVE-2020-28841 | Drivergenius | Unspecified vulnerability in Drivergenius Firmware 9.61.3708.3054 MyDrivers64.sys in DriverGenius 9.61.3708.3054 allows attackers to cause a system crash via the ioctl command 0x9c402000 to \\.\MyDrivers0_0_1. | 5.5 |
2020-12-31 | CVE-2020-11835 | Oppo | Out-of-bounds Write vulnerability in Oppo Find X2 PRO Firmware and Reno3 PRO Firmware In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/charger_ic/oppo_da9313.c, failure to check the parameter buf in the function proc_work_mode_write in proc_work_mode_write causes a vulnerability. | 5.5 |
2020-12-31 | CVE-2020-11834 | Oppo | Out-of-bounds Write vulnerability in Oppo Find X2 PRO Firmware and Reno3 PRO Firmware In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_vooc.c, the function proc_fastchg_fw_update_write in proc_fastchg_fw_update_write does not check the parameter len, resulting in a vulnerability. | 5.5 |
2020-12-31 | CVE-2020-11833 | Oppo | Out-of-bounds Write vulnerability in Oppo Find X2 PRO Firmware and Reno3 PRO Firmware In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/charger_ic/oppo_mp2650.c, the function mp2650_data_log_write in mp2650_data_log_write does not check the parameter len which causes a vulnerability. | 5.5 |
2020-12-31 | CVE-2020-11832 | Oppo | Out-of-bounds Write vulnerability in Oppo Find X2 PRO Firmware and Reno3 PRO Firmware The functions charging_limit_current_write and charging_limit_time_write in /SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_charger.c do not check their parameters, which causes a vulnerability. | 5.5 |
2020-12-31 | CVE-2020-35927 | Thex Project | Unspecified vulnerability in Thex Project Thex 20201208 An issue was discovered in the thex crate through 2020-12-08 for Rust. | 5.5 |
2020-12-31 | CVE-2020-35925 | Magnetic Project | Unspecified vulnerability in Magnetic Project Magnetic An issue was discovered in the magnetic crate before 2.0.1 for Rust. | 5.5 |
2020-12-31 | CVE-2020-35924 | TRY Mutex Project | Out-of-bounds Write vulnerability in Try-Mutex Project Try-Mutex 0.1.0/0.1.1/0.2.0 An issue was discovered in the try-mutex crate before 0.3.0 for Rust. | 5.5 |
2020-12-31 | CVE-2020-35923 | Ordered Float Project | Use After Free vulnerability in Ordered-Float Project Ordered-Float An issue was discovered in the ordered-float crate before 1.1.1 and 2.x before 2.0.1 for Rust. | 5.5 |
2020-12-31 | CVE-2020-35922 | MIO Project | Unspecified vulnerability in MIO Project MIO An issue was discovered in the mio crate before 0.7.6 for Rust. | 5.5 |
2020-12-31 | CVE-2020-35921 | Miow Project | Unspecified vulnerability in Miow Project Miow An issue was discovered in the miow crate before 0.3.6 for Rust. | 5.5 |
2020-12-31 | CVE-2020-35920 | Rust Lang | Unspecified vulnerability in Rust-Lang Socket2 An issue was discovered in the socket2 crate before 0.3.16 for Rust. | 5.5 |
2020-12-31 | CVE-2020-35919 | Net2 Project | Unspecified vulnerability in Net2 Project Net2 An issue was discovered in the net2 crate before 0.2.36 for Rust. | 5.5 |
2020-12-31 | CVE-2020-35918 | Hakobaito | Unspecified vulnerability in Hakobaito Branca An issue was discovered in the branca crate before 0.10.0 for Rust. | 5.5 |
2020-12-31 | CVE-2020-35917 | Pyo3 Project | Use After Free vulnerability in Pyo3 Project Pyo3 An issue was discovered in the pyo3 crate before 0.12.4 for Rust. | 5.5 |
2020-12-31 | CVE-2020-35916 | Image RS | Resource Exhaustion vulnerability in Image-Rs Image An issue was discovered in the image crate before 0.23.12 for Rust. | 5.5 |
2020-12-31 | CVE-2020-35915 | Futures Intrusive Project | Unspecified vulnerability in Futures-Intrusive Project Futures-Intrusive An issue was discovered in the futures-intrusive crate before 0.4.0 for Rust. | 5.5 |
2020-12-31 | CVE-2020-35910 | Lock API Project | Unspecified vulnerability in Lock API Project Lock API An issue was discovered in the lock_api crate before 0.4.2 for Rust. | 5.5 |
2020-12-31 | CVE-2020-35908 | Rust Lang | Unspecified vulnerability in Rust-Lang Future-Utils An issue was discovered in the futures-util crate before 0.3.2 for Rust. | 5.5 |
2020-12-31 | CVE-2020-35907 | Rust Lang | NULL Pointer Dereference vulnerability in Rust-Lang Futures-Task An issue was discovered in the futures-task crate before 0.3.5 for Rust. | 5.5 |
2020-12-31 | CVE-2020-35904 | Crossbeam Channel Project | Unspecified vulnerability in Crossbeam-Channel Project Crossbeam-Channel An issue was discovered in the crossbeam-channel crate before 0.4.4 for Rust. | 5.5 |
2020-12-31 | CVE-2020-35903 | Dync Project | Unspecified vulnerability in Dync Project Dync An issue was discovered in the dync crate before 0.5.0 for Rust. | 5.5 |
2020-12-31 | CVE-2020-35900 | Array Queue Project | Use After Free vulnerability in Array-Queue Project Array-Queue An issue was discovered in the array-queue crate through 2020-09-26 for Rust. | 5.5 |
2020-12-31 | CVE-2020-35899 | Actix | Use After Free vulnerability in Actix Actix-Service An issue was discovered in the actix-service crate before 1.0.6 for Rust. | 5.5 |
2020-12-29 | CVE-2020-9093 | Huawei | Use After Free vulnerability in Huawei Taurus-Al00A Firmware 10.0.0.1(C00E1R1P1) There is a use after free vulnerability in Taurus-AL00A versions 10.0.0.1(C00E1R1P1). | 5.5 |
2020-12-29 | CVE-2020-1848 | Huawei | Unspecified vulnerability in Huawei Jackman-Al00D Firmware 8.2.0.185(C00R2P1) There is a resource management error vulnerability in Jackman-AL00D versions 8.2.0.185(C00R2P1). | 5.5 |
2020-12-29 | CVE-2020-5806 | Rockwellautomation | Allocation of Resources Without Limits or Throttling vulnerability in Rockwellautomation Factorytalk Linx 6.00/6.10/6.11 An attacker-controlled memory allocation size can be passed to the C++ new operator in the CServerManager::HandleBrowseLoadIconStreamRequest in messaging.dll. | 5.5 |
2020-12-28 | CVE-2020-13473 | Nchsoftware | Cleartext Storage of Sensitive Information vulnerability in Nchsoftware Express Accounts 8.24 NCH Express Accounts 8.24 and earlier allows local users to discover the cleartext password by reading the configuration file. | 5.5 |
2021-01-01 | CVE-2020-35946 | Semperplugins | Cross-site Scripting vulnerability in Semperplugins ALL in ONE SEO Pack An issue was discovered in the All in One SEO Pack plugin before 3.6.2 for WordPress. | 5.4 |
2020-12-31 | CVE-2020-35930 | Seopanel | Cross-site Scripting vulnerability in Seopanel SEO Panel 4.8.0 Seo Panel 4.8.0 allows stored XSS by an Authenticated User via the url parameter, as demonstrated by the seo/seopanel/websites.php URI. | 5.4 |
2020-12-31 | CVE-2019-25011 | Netbox | Cross-site Scripting vulnerability in Netbox NetBox through 2.6.2 allows an Authenticated User to conduct an XSS attack against an admin via a GFM-rendered field, as demonstrated by /dcim/sites/add/ comments. | 5.4 |
2020-12-31 | CVE-2020-25799 | Limesurvey | Cross-site Scripting vulnerability in Limesurvey 3.21.1 LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Quota component of the Survey page. | 5.4 |
2020-12-31 | CVE-2020-25797 | Limesurvey | Cross-site Scripting vulnerability in Limesurvey 3.21.1 LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Add Participants Function (First and last name parameters). | 5.4 |
2020-12-30 | CVE-2020-29231 | Egavilanmedia | Cross-site Scripting vulnerability in Egavilanmedia User Registration and Login System With Admin Panel 1.0 EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Profile Page. | 5.4 |
2020-12-30 | CVE-2020-5810 | Umbraco | Cross-site Scripting vulnerability in Umbraco CMS A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. | 5.4 |
2020-12-30 | CVE-2020-5809 | Umbraco | Cross-site Scripting vulnerability in Umbraco CMS A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. | 5.4 |
2020-12-30 | CVE-2020-29469 | Wondercms | Cross-site Scripting vulnerability in Wondercms 3.1.3 WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Menu component. | 5.4 |
2020-12-30 | CVE-2020-29233 | Wondercms | Cross-site Scripting vulnerability in Wondercms 3.1.3 WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Page description component. | 5.4 |
2020-12-30 | CVE-2020-35842 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 5.4 |
2020-12-30 | CVE-2020-35840 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 5.4 |
2020-12-29 | CVE-2020-35774 | Twitter | Cross-site Scripting vulnerability in Twitter Twitter-Server server/handler/HistogramQueryHandler.scala in Twitter TwitterServer (aka twitter-server) before 20.12.0, in some configurations, allows XSS via the /histograms endpoint. | 5.4 |
2020-12-28 | CVE-2020-26035 | Zammad | Cross-site Scripting vulnerability in Zammad An issue was discovered in Zammad before 3.4.1. | 5.4 |
2020-12-28 | CVE-2020-26033 | Zammad | Cross-Site Request Forgery (CSRF) vulnerability in Zammad An issue was discovered in Zammad before 3.4.1. | 5.4 |
2020-12-30 | CVE-2020-27534 | Docker | Path Traversal vulnerability in Docker util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call. | 5.3 |
2020-12-30 | CVE-2019-15523 | Linbit Debian | Unchecked Return Value vulnerability in multiple products An issue was discovered in LINBIT csync2 through 2.0. | 5.3 |
2020-12-30 | CVE-2019-12953 | Dropbear SSH Project | Information Exposure Through Discrepancy vulnerability in Dropbear SSH Project Dropbear SSH Dropbear 2011.54 through 2018.76 has an inconsistent failure delay that may lead to revealing valid usernames, a different issue than CVE-2018-15599. | 5.3 |
2020-12-30 | CVE-2020-28925 | Boltcms | Unspecified vulnerability in Boltcms Bolt Bolt before 3.7.2 does not restrict filter options in a Request in the Twig context, and is therefore inconsistent with the "How to Harden Your PHP for Better Security" guidance. | 5.3 |
2020-12-28 | CVE-2020-35614 | Joomla | Unspecified vulnerability in Joomla Joomla! An issue was discovered in Joomla! 3.9.0 through 3.9.22. | 5.3 |
2020-12-28 | CVE-2020-15898 | Arista | Unspecified vulnerability in Arista EOS In Arista EOS malformed packets can be incorrectly forwarded across VLAN boundaries in one direction. | 5.3 |
2020-12-28 | CVE-2020-29159 | Zammad | Unspecified vulnerability in Zammad An issue was discovered in Zammad before 3.5.1. | 4.9 |
2020-12-28 | CVE-2020-26028 | Zammad | Incorrect Authorization vulnerability in Zammad An issue was discovered in Zammad before 3.4.1. | 4.9 |
2020-12-30 | CVE-2020-35241 | Flatpress | Cross-site Scripting vulnerability in Flatpress 1.0.3 FlatPress 1.0.3 is affected by cross-site scripting (XSS) in the Blog Content component. | 4.8 |
2020-12-30 | CVE-2020-35240 | Fluxbb | Cross-site Scripting vulnerability in Fluxbb 1.5.11 FluxBB 1.5.11 is affected by cross-site scripting (XSS) in the Blog Content component. | 4.8 |
2020-12-30 | CVE-2020-29477 | Invisioncommunity | Cross-site Scripting vulnerability in Invisioncommunity Community 4.5.4 Invision Community 4.5.4 is affected by cross-site scripting (XSS) in the Field Name field. | 4.8 |
2020-12-30 | CVE-2020-35838 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35837 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35836 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35835 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35834 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35833 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35832 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35830 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35829 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35828 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35827 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35826 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35825 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35824 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35823 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35822 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35821 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35820 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35819 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35818 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35817 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35816 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35815 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35814 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35813 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35812 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35811 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35810 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35809 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35808 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35807 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35806 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-30 | CVE-2020-35805 | Netgear | Cross-site Scripting vulnerability in Netgear products Certain NETGEAR devices are affected by stored XSS. | 4.8 |
2020-12-29 | CVE-2020-29471 | Opencart | Cross-site Scripting vulnerability in Opencart 3.0.3.6 OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Profile Image. | 4.8 |
2020-12-29 | CVE-2020-29470 | Opencart | Cross-site Scripting vulnerability in Opencart 3.0.3.6 OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Subject field of mail. | 4.8 |
2020-12-29 | CVE-2020-29475 | Nopcommerce | Cross-site Scripting vulnerability in Nopcommerce Store 4.30 nopCommerce Store 4.30 is affected by cross-site scripting (XSS) in the Schedule tasks name field. | 4.8 |
2020-12-28 | CVE-2020-13476 | Nchsoftware | Cross-site Scripting vulnerability in Nchsoftware Express Invoice 8.06/8.24 NCH Express Invoice 8.06 to 8.24 is vulnerable to Reflected XSS in the Quotes List module. | 4.8 |
2020-12-31 | CVE-2020-35897 | Atom Project | Race Condition vulnerability in Atom Project Atom An issue was discovered in the atom crate before 0.3.6 for Rust. | 4.7 |
2020-12-31 | CVE-2020-35886 | ARR Project | Race Condition vulnerability in ARR Project ARR An issue was discovered in the arr crate through 2020-08-25 for Rust. | 4.7 |
2020-12-31 | CVE-2020-35928 | Concread Project | Race Condition vulnerability in Concread Project Concread An issue was discovered in the concread crate before 0.2.6 for Rust. | 4.7 |
2020-12-31 | CVE-2020-35914 | Lock API Project | Race Condition vulnerability in Lock API Project Lock API An issue was discovered in the lock_api crate before 0.4.2 for Rust. | 4.7 |
2020-12-31 | CVE-2020-35913 | Lock API Project | Race Condition vulnerability in Lock API Project Lock API An issue was discovered in the lock_api crate before 0.4.2 for Rust. | 4.7 |
2020-12-31 | CVE-2020-35912 | Lock API Project | Race Condition vulnerability in Lock API Project Lock API An issue was discovered in the lock_api crate before 0.4.2 for Rust. | 4.7 |
2020-12-31 | CVE-2020-35911 | Lock API Project | Race Condition vulnerability in Lock API Project Lock API An issue was discovered in the lock_api crate before 0.4.2 for Rust. | 4.7 |
2020-12-31 | CVE-2020-35905 | Rust Lang | Race Condition vulnerability in Rust-Lang Future-Utils An issue was discovered in the futures-util crate before 0.3.7 for Rust. | 4.7 |
2020-12-29 | CVE-2020-35735 | Vidyo | Improper Restriction of Rendered UI Layers or Frames vulnerability in Vidyo Vidyo 02-09-/D allows clickjacking via the portal/ URI. | 4.7 |
2020-12-30 | CVE-2020-35804 | Netgear | Unspecified vulnerability in Netgear products Certain NETGEAR devices are affected by disclosure of sensitive information. | 4.6 |
2020-12-30 | CVE-2020-35786 | Netgear | Classic Buffer Overflow vulnerability in Netgear R7800 Firmware NETGEAR R7800 devices before 1.0.2.74 are affected by a buffer overflow by an authenticated user. | 4.5 |
2020-12-30 | CVE-2020-35803 | Netgear | Unspecified vulnerability in Netgear products Certain NETGEAR devices are affected by disclosure of sensitive information. | 4.4 |
2020-12-30 | CVE-2020-10206 | Amino | Use of Hard-coded Credentials vulnerability in Amino products Use of a Hard-coded Password in VNCserver in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows local attackers to view and interact with the video output of the device. | 4.4 |
2021-01-03 | CVE-2021-3005 | MK Auth | Unspecified vulnerability in Mk-Auth 19.01 MK-AUTH through 19.01 K4.9 allows remote attackers to obtain sensitive information (e.g., a CPF number) via a modified titulo (aka invoice number) value to the central/recibo.php URI. | 4.3 |
2021-01-01 | CVE-2020-35934 | Vasyltech | Information Exposure vulnerability in Vasyltech Advanced Access Manager The Advanced Access Manager plugin before 6.6.2 for WordPress displays the unfiltered user object (including all metadata) upon login via the REST API (aam/v1/authenticate or aam/v2/authenticate). | 4.3 |
2020-12-30 | CVE-2020-26247 | Nokogiri Debian | XXE vulnerability in multiple products Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. | 4.3 |
2020-12-28 | CVE-2020-29158 | Zammad | Missing Authorization vulnerability in Zammad An issue was discovered in Zammad before 3.5.1. | 4.3 |
2020-12-28 | CVE-2020-26034 | Zammad | Unspecified vulnerability in Zammad An account-enumeration issue was discovered in Zammad before 3.4.1. | 4.3 |
2020-12-28 | CVE-2020-26031 | Zammad | Incorrect Default Permissions vulnerability in Zammad An issue was discovered in Zammad before 3.4.1. | 4.3 |
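The Docker Engine entry above (CVE-2020-27534) turns on one detail: a temporary directory created with an empty first argument to ioutil.TempDir lands in the shared system temp directory rather than in a location the daemon owns. The following Go program is an added illustration of that pattern and of the caller-owned alternative; it is not Docker's code or Docker's fix. The daemon root path, the "qemu-check" file name used in main, and the refusal policy are assumptions made for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrSharedTempDir is returned when a scratch directory would be created in
// the system-wide temp directory that every local user can write to.
var ErrSharedTempDir = errors.New("scratch dir would be created in the shared system temp directory")

// ResolveTempRoot returns the directory os.MkdirTemp (and the older
// ioutil.TempDir) will create into for a given dir argument. The empty string
// means os.TempDir(): $TMPDIR or /tmp on Unix, shared with all local users.
func ResolveTempRoot(dir string) string {
	if dir == "" {
		return os.TempDir()
	}
	return dir
}

// IsSharedTempRoot reports whether dir resolves to the shared system temp
// directory, where names a privileged process will use are reachable by
// other local users before it creates them.
func IsSharedTempRoot(dir string) bool {
	return filepath.Clean(ResolveTempRoot(dir)) == filepath.Clean(os.TempDir())
}

// NewPrivateScratchDir creates a 0700 scratch directory under root, which the
// caller must own (for a daemon, something under its own state directory).
// It refuses the empty-root fallback instead of silently using os.TempDir().
func NewPrivateScratchDir(root, pattern string) (string, error) {
	if IsSharedTempRoot(root) {
		return "", ErrSharedTempDir
	}
	if err := os.MkdirAll(root, 0o700); err != nil {
		return "", err
	}
	return os.MkdirTemp(root, pattern)
}

// CreateExclusive opens a brand-new file inside dir. O_EXCL makes the call
// fail if something already sits at that name, so a file or symlink placed
// there by another user is never followed.
func CreateExclusive(dir, name string) (*os.File, error) {
	return os.OpenFile(filepath.Join(dir, name), os.O_RDWR|os.O_CREATE|os.O_EXCL, 0o600)
}

func main() {
	fmt.Println("empty dir argument resolves to:", ResolveTempRoot(""))

	// Assumed daemon-owned root for the demo. It is placed under os.TempDir()
	// only so the program runs anywhere; a real daemon would use its own
	// state directory (e.g. under its data root).
	root := filepath.Join(os.TempDir(), "example-daemon-root")
	defer os.RemoveAll(root)

	if _, err := NewPrivateScratchDir("", "check-"); err != nil {
		fmt.Println("empty root refused:", err)
	}
	dir, err := NewPrivateScratchDir(root, "check-")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	f, err := CreateExclusive(dir, "qemu-check")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	f.Close()
	fmt.Println("scratch file created under", dir)
}
```

The check on the root is deliberately simple (empty string or exactly os.TempDir()); a production guard would additionally verify ownership and permissions of the root it is handed.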
1 Low Vulnerability
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2020-12-31 | CVE-2020-11947 | Qemu | Out-of-bounds Read vulnerability in Qemu 4.1.0 iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker. | 3.8 |
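The Dropbear entry in the medium table (CVE-2019-12953) describes an inconsistent failure delay that can reveal valid usernames. The Go program below is an added model of that bug class and its usual fix; it is not Dropbear's code and does not reproduce Dropbear's internals. The sample account, the iterated-SHA-256 stand-in for a password hash, and the hash-call counter are constructed for the demonstration so the amount of work on each failure path can be compared deterministically.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// stretchRounds is an assumed cost factor for the toy hash below.
const stretchRounds = 20000

// stretch is a deliberately slow password-hash stand-in (salted, iterated
// SHA-256). Real systems use bcrypt, scrypt or Argon2; what matters here is
// only that it costs measurable time.
func stretch(salt, password string) []byte {
	h := sha256.Sum256([]byte(salt + password))
	for i := 0; i < stretchRounds; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

type account struct {
	salt string
	hash []byte
}

// Authenticator holds constructed sample accounts and counts hash
// evaluations, so the work done on each failure path is observable without
// relying on wall-clock timing.
type Authenticator struct {
	users     map[string]account
	dummy     account
	HashCalls int
}

func NewAuthenticator() *Authenticator {
	a := &Authenticator{users: map[string]account{}}
	a.users["alice"] = account{salt: "salt-a", hash: stretch("salt-a", "correct horse")}
	// Dummy account used to equalise work when the username does not exist.
	a.dummy = account{salt: "dummy-salt", hash: stretch("dummy-salt", "unused")}
	return a
}

func (a *Authenticator) verify(acct account, password string) bool {
	a.HashCalls++
	return subtle.ConstantTimeCompare(stretch(acct.salt, password), acct.hash) == 1
}

// LoginLeaky returns early for unknown users: a rejected login for "alice"
// costs one hash evaluation, one for "mallory" costs none. An attacker who
// times failures can tell which usernames exist.
func (a *Authenticator) LoginLeaky(user, password string) bool {
	acct, ok := a.users[user]
	if !ok {
		return false
	}
	return a.verify(acct, password)
}

// LoginUniform hashes against a dummy account when the user is unknown, so
// both failure paths do the same work; the result is then forced to false.
func (a *Authenticator) LoginUniform(user, password string) bool {
	acct, ok := a.users[user]
	if !ok {
		acct = a.dummy
	}
	res := a.verify(acct, password)
	return res && ok
}

func timeLogin(f func(string, string) bool, user string) time.Duration {
	start := time.Now()
	f(user, "wrong password")
	return time.Since(start)
}

func main() {
	a := NewAuthenticator()
	fmt.Printf("leaky:   alice %v, mallory %v\n",
		timeLogin(a.LoginLeaky, "alice"), timeLogin(a.LoginLeaky, "mallory"))
	fmt.Printf("uniform: alice %v, mallory %v\n",
		timeLogin(a.LoginUniform, "alice"), timeLogin(a.LoginUniform, "mallory"))
}
```

Equalising the work is the part that matters; adding a fixed sleep on top does not help if the underlying code paths still differ, because the difference survives the added constant. The same reasoning applies to any other per-user branch in an authentication path, such as account-lockout lookups or key-file reads.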