HSC 2019 : Un taux de réussite de 74,95% pour la République de Maurice

GIS – 07 février 2020 : Le taux de réussite au niveau du Cambridge Higher School Certificate (HSC) pour la République de Maurice s’élève cette année à 74,95%, représentant ainsi une légère hausse en comparaison à 74,90% pour l’année 2018. Au total, 8 975 candidats ont pris part aux examens du HSC en 2019, soit 8 657 pour Maurice et 318 pour Rodrigues.

 
Ce matin, le Premier ministre, ministre de la Défense, de l’intérieur, et des Communications extérieures, ministre de Rodrigues, des Iles éparses et de l’Intégrité territoriale, M. Pravind Kumar Jugnauth, a procédé à la cérémonie de signature de la liste des lauréats du HSC pour la cuvée 2019 au bâtiment du Trésor à Port-Louis.
 
Le nombre de lauréats par école est comme suit :
  • Collège royal de Port Louis – 9 ;
  • Collège Queen Elizabeth – 7 ;
  • Collège royal de Curepipe – 6 ;
  • Collège d’Etat Dr Maurice Curé – 6 ;
  • Ecole secondaire Rabindranath Tagore – 3 ;
  • Collège d’Etat Droopnath Ramphul – 2 ;
  • Institut Mahatma Gandhi de Moka – 2 ;
  • Collège d’Etat G.M.B Atchia – 2 ;
  • Collège Du Saint Esprit – 2 ;
  • Collège Lorette de Quatre Bornes – 1 ;
  • Collège Moderne – 1 ; et
  • Collège de Rodrigues – 4.
 
Le gouvernement offre chaque année 68 bourses à ceux ayant excellé aux examens du HSC. Une bourse est également offerte par la Mauritius Commercial Bank (MCB) dans le cadre de la MCB Foundation Scholarship. De ses 69 bourses, 45 sont offertes en prenant en compte uniquement la performance.
 
En outre, 24 bourses supplémentaires sont attribuées en se basant sur des critères académiques et sociaux. La liste des 24 bénéficiaires sera proclamée après un exercice de sélection mené par le ministère de l’Education, de l’Enseignement supérieur, des Sciences et de la Technologie, et celui de l’Intégration sociale, de la Sécurité sociale et de la Solidarité Nationale.
 
 

Government Information Service, Prime Minister’s Office, Level 6, New Government Centre, Port Louis, Mauritius. Email: gis@govmu.org  Website: http://gis.govmu.org  Mobile App: Search Gov

Permis de morcellement : réaliser les démarches en ligne

GIS – – 07 février 2020 : Le Morcellement Permit Process, intégré au National E-Licensing System (NELS), a été lancé hier lors d’une cérémonie au Shri Atal Bihari Vajpayee Tower à Ebène. Ainsi, les personnes désirant morceler un terrain pourront entreprendre les démarches en ligne sur la plateforme du NELS.

 
Le NELS, une mesure budgétaire 2016/17, vise à améliorer le climat des affaires et de l’investissement et faciliter la création d’entreprises à Maurice. Ce système est une plateforme unique pour faire une demande de permis et s’acquitter des frais en ligne. Il est mis en œuvre par l’Economic Development Board (EDB) et cofinancé par l’Union européenne (UE).
 
Lors du lancement, le ministre des Finances, de la Planification et du Développement économiques, Dr Renganaden Padayachy, a fait ressortir que la croissance économique est cruciale pour aider Maurice à réaliser ses ambitions. Le NELS, a-t-il déclaré, joue un rôle important pour aider le pays à maintenir sa trajectoire économique et à améliorer son classement dans le rapport Ease of Doing Business de la Banque mondiale.
 
Le ministre du Logement et de l’Aménagement du Territoire, M. Louis Steven Obeegadoo, a, pour sa part, souligné que le processus pour l’obtention d’autorisation et de permis d’aménagement du territoire est perçu comme étant très difficile, long et complexe, d’où la nécessité de réformes. Le NELS fait ainsi partie du programme de réforme du gouvernement pour améliorer le climat des affaires et de l’investissement à Maurice, a-t-il ajouté.
 
En ce qu’il s’agit du système de permis électroniques, le ministre a indiqué que les démarches et les paiements pour un Morcellement Permit se feront en ligne sur une base 24/7. Les citoyens pourront faire le suivi de leur demande en ligne et communiquer avec la Morcellement Unit par le biais du NELS. De plus, un service d’assistance a été mis sur pied au niveau de la Morcellement Unit du ministère du Logement et de l’Aménagement du Territoire pour aider les personnes qui veulent déposer leur dossier en ligne.
 

Government Information Service, Prime Minister’s Office, Level 6, New Government Centre, Port Louis, Mauritius. Email: gis@govmu.org  Website: http://gis.govmu.org  Mobile App: Search Gov

Vulnerability Summary for the Week of January 27, 2020

Original release date: February 3, 2020

The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

High Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
adobe — illustrator_cc
 
Adobe Illustrator CC versions 24.0 and earlier have a memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-01-29 9.3 CVE-2020-3714
CONFIRM
adobe — illustrator_cc
 
Adobe Illustrator CC versions 24.0 and earlier have a memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-01-29 9.3 CVE-2020-3713
CONFIRM
adobe — illustrator_cc
 
Adobe Illustrator CC versions 24.0 and earlier have a memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-01-29 9.3 CVE-2020-3712
CONFIRM
adobe — illustrator_cc
 
Adobe Illustrator CC versions 24.0 and earlier have a memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-01-29 9.3 CVE-2020-3711
CONFIRM
adobe — illustrator_cc
 
Adobe Illustrator CC versions 24.0 and earlier have a memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-01-29 9.3 CVE-2020-3710
CONFIRM
alienvault — ossim
 
OSSIM before 4.3.3.1 has tele_compress.php path traversal vulnerability 2020-01-27 7.8 CVE-2013-6056
MISC
amd — atidxx64.dll_driver An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13001.50005. A specially crafted pixel shader can cause a denial of service. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from VMware guest, affecting VMware host. 2020-01-25 7.8 CVE-2019-5124
MISC
amd — atidxx64.dll_driver
 
An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13025.10004. A specially crafted pixel shader can cause a denial of service. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from VMware guest, affecting VMware host. 2020-01-25 7.8 CVE-2019-5146
MISC
amd — atidxx64.dll_driver
 
An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13003.1007. A specially crafted pixel shader can cause a denial of service. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from VMware guest, affecting VMware host. 2020-01-25 7.8 CVE-2019-5147
MISC
apache — spamassassin
 
A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious Configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. This issue is less stealthy and attempts to exploit the issue will throw warnings. Thanks to Damian Lukowski at credativ for reporting the issue ethically. With this bug unpatched, exploits can be injected in a number of scenarios though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places. 2020-01-30 9.3 CVE-2020-1931
CONFIRM
BUGTRAQ
DEBIAN
apache — spamassassin
 
A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious rule configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. With this bug unpatched, exploits can be injected in a number of scenarios including the same privileges as spamd is run which may be elevated though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places. If you cannot upgrade, do not use 3rd party rulesets, do not use sa-compile and do not run spamd as an account with elevated privileges. 2020-01-30 9.3 CVE-2020-1930
CONFIRM
MLIST
BUGTRAQ
DEBIAN
asus — rt-n56u_devices
 
ASUS RT-N56U devices allow CSRF. 2020-01-28 9.3 CVE-2013-3093
MISC
avast — secure_browser
 
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the elevated process cleans the ACL of the Update.ini file in %PROGRAMDATA%\Avast Software\Browser\Update\ and sets all privileges to group Everyone. Because any low-privileged user can create, delete, or modify the Update.ini file stored in this location, an attacker with low privileges can create a hard link named Update.ini in this folder, and make it point to a file writable by NT AUTHORITY\SYSTEM. Once AvastBrowserUpdate.exe is triggered by the update check functionality, the DACL is set to a misconfigured value on the crafted Update.ini and, consequently, to the target file that was previously not writable by the low-privileged attacker. 2020-01-27 7.2 CVE-2019-17190
MISC
bitdefender — bitdefender_box_2
 
A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method `/api/download_image` unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. In order to exploit the condition, an unauthenticated attacker should impersonate a infrastructure server to trigger this vulnerability. 2020-01-27 10 CVE-2019-17095
ETC
CONFIRM
ETC
bitdefender — bitdefender_box_2
 
A OS Command Injection vulnerability in the bootstrap stage of Bitdefender BOX 2 allows the manipulation of the `get_image_url()` function in special circumstances to inject a system command. 2020-01-27 9.3 CVE-2019-17096
CONFIRM
cisco — sd-wan_solution
 
A vulnerability in the WebUI of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject and execute arbitrary commands with vmanage user privileges on an affected system. The vulnerability is due to insufficient input validation of data parameters for certain fields in the affected solution. An attacker could exploit this vulnerability by configuring a malicious username on the login page of the affected solution. A successful exploit could allow the attacker to inject and execute arbitrary commands with vmanage user privileges on an affected system. 2020-01-26 9 CVE-2019-12629
CISCO
cisco — sd-wan_solution_vmanage
 
A vulnerability in the CLI of the Cisco SD-WAN Solution vManage software could allow an authenticated, local attacker to elevate privileges to root-level privileges on the underlying operating system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted file to the affected system. An exploit could allow the attacker to elevate privileges to root-level privileges. 2020-01-26 7.2 CVE-2020-3115
CISCO
cisco — small_business_switches
 
A vulnerability in the web UI of Cisco Small Business Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper validation of requests sent to the web interface. An attacker could exploit this vulnerability by sending a malicious request to the web interface of an affected device. A successful exploit could allow the attacker to cause an unexpected reload of the device, resulting in a DoS condition. This vulnerability affects firmware releases prior than 1.3.7.18 2020-01-30 7.8 CVE-2020-3147
CISCO
cisco — webex_video_mesh
 
A vulnerability in the web-based management interface of Cisco Webex Video Mesh could allow an authenticated, remote attacker to execute arbitrary commands on the affected system. The vulnerability is due to improper validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by logging in to the web-based management interface with administrative privileges and supplying crafted requests to the application. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system with root privileges on a targeted node. 2020-01-26 9 CVE-2019-16005
CISCO
core_security — vivotek_ip_cameras
 
A Command Injection vulnerability exists in Vivotek PT7135 IP Cameras 0300a and 0400a via the system.ntp parameter to the farseer.out binary file, which cold let a malicious user execute arbitrary code. 2020-01-24 9 CVE-2013-1598
MISC
MISC
MISC
MISC
MISC
core_security — vivotek_pt7135_ip_camera
 
A Buffer Overflow vulnerability exists in Vivotek PT7135 IP Camera 0300a and 0400a via a specially crafted packet in the Authorization header field sent to the RTSP service, which could let a remote malicious user execute arbitrary code or cause a Denial of Service. 2020-01-24 7.5 CVE-2013-1595
MISC
MISC
MISC
MISC
MISC
d-link — dir-859_devices
 
D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via the urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because REMOTE_PORT is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters. 2020-01-29 10 CVE-2019-20216
MISC
MISC
CONFIRM
d-link — dir-859_devices
 
D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via a urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because HTTP_ST is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters. 2020-01-29 10 CVE-2019-20215
MISC
CONFIRM
d-link — dir-859_devices
 
D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via the urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because SERVER_ID is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters. 2020-01-29 10 CVE-2019-20217
MISC
MISC
CONFIRM
d-link — dsr-250n_devices
 
D-Link DSR-250N devices with firmware 1.05B73_WW allow Persistent Root Access because of the admin password for the admin account. 2020-01-25 9 CVE-2012-6613
EXPLOIT-DB
dolibarr — dolibarr
 
The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts. 2020-01-26 10 CVE-2020-7995
MISC
MISC
exiv2 — exiv2
 
In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input file can result in an infinite loop and hang, with high CPU consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file. 2020-01-27 7.1 CVE-2019-20421
MISC
MISC
fudforum — fudforum_bulletin_board
 
PHP Code Injection vulnerability in FUDforum Bulletin Board Software 3.0.4 could allow remote attackers to execute arbitrary code on the system. 2020-01-27 9 CVE-2013-2267
BID
XF
geocoder — geocoder
 
sql.rb in Geocoder before 1.6.1 allows Boolean-based SQL injection when within_bounding_box is used in conjunction with untrusted sw_lat, sw_lng, ne_lat, or ne_lng data. 2020-01-25 7.5 CVE-2020-7981
MISC
MISC
gitlab — gitlab_community_and_enterprise_edition
 
A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the `url_blocker.rb` which could result in SSRF where the library is utilized. 2020-01-28 7.5 CVE-2019-5464
MISC
MISC
MISC
gitlab — gitlab_community_and_enterprise_edition
 
Improper authentication exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) in the GitLab SAML integration had a validation issue that permitted an attacker to takeover another user’s account. 2020-01-28 7.5 CVE-2019-15585
MISC
MISC
git — git
 
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka ‘Git for Visual Studio Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1354, CVE-2019-1387. 2020-01-24 9.3 CVE-2019-1352
SUSE
REDHAT
MISC
MISC
git — git
 
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka ‘Git for Visual Studio Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1387. 2020-01-24 9.3 CVE-2019-1354
SUSE
MISC
MISC
git — git
 
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka ‘Git for Visual Studio Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387. 2020-01-24 9.3 CVE-2019-1349
SUSE
REDHAT
MISC
MISC
git — git
 
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka ‘Git for Visual Studio Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2019-1349, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387. 2020-01-24 9.3 CVE-2019-1350
SUSE
MISC
MISC
gnu — gnu_coreutils
 
Integer overflow in the keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 might allow attackers to cause a denial of service (application crash) or possibly have unspecified other impact via long strings. 2020-01-24 7.5 CVE-2015-4042
MISC
MISC
handsomeweb — sos_webpages
 
backup.php in HandsomeWeb SOS Webpages before 1.1.12 does not require knowledge of the cleartext password, which allows remote attackers to bypass authentication by leveraging knowledge of the administrator password hash. 2020-01-28 7.5 CVE-2014-3445
MISC
MISC
MISC
MISC
MISC
huawei — e587_3g_mobile_hotspot
 
Command-injection vulnerability in Huawei E587 3G Mobile Hotspot 11.203.27 allows remote attackers to execute arbitrary shell commands with root privileges due to an error in the Web UI. 2020-01-27 10 CVE-2013-2612
XF
BID
i_read_it_somewhere — i_read_it_somewhere
 
IRIS citations management tool through 1.3 allows remote attackers to execute arbitrary commands. 2020-01-25 7.5 CVE-2013-1744
MISC
intellian_technologies — aptus
 
The Intellian Aptus application 1.0.2 for Android has a hardcoded password of intellian for the masteruser FTP account. 2020-01-27 10 CVE-2020-8001
MISC
intellian_technologies — aptus_web
 
Intellian Aptus Web 1.24 has a hardcoded password of 12345678 for the intellian account. 2020-01-27 10 CVE-2020-8000
MISC
intellian_technologies — aptus_web
 
Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed. 2020-01-25 10 CVE-2020-7980
MISC
MISC
MISC
intellian — aptus
 
The Intellian Aptus application 1.0.2 for Android has hardcoded values for DOWNLOAD_API_KEY and FILE_DOWNLOAD_API_KEY. 2020-01-27 7.5 CVE-2020-7999
MISC
irfanview — flashpix_plugin
 
IrfanView FlashPix Plugin 4.3.4 0 has an Integer Overflow Vulnerability 2020-01-27 9.3 CVE-2013-3486
MISC
MISC
isof — isof
 
All versions including 0.0.4 of lsof npm module are vulnerable to Command Injection. Every exported method used by the package uses the exec function to parse user input. 2020-01-29 7.5 CVE-2019-10783
MISC
jenkins — jenkins
 
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents. 2020-01-29 7.5 CVE-2020-2099
MLIST
CONFIRM
koha — koha
 
SQL injection vulnerability in the MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. NOTE: this can be leveraged by remote attackers using CVE-2014-1924. 2020-01-24 7.5 CVE-2014-1925
MISC
MISC
MISC
MISC
koha — koha
 
The MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 does not require authentication, which allows remote attackers to conduct SQL injection attacks via unspecified vectors. 2020-01-24 7.5 CVE-2014-1924
MISC
MISC
MISC
MISC
lexmark — markvision_enterprise
 
Directory traversal vulnerability in the ReportDownloadServlet servlet in Lexmark MarkVision Enterprise before 2.1 allows remote attackers to read arbitrary files via unspecified vectors. 2020-01-27 7.8 CVE-2014-8742
CONFIRM
MISC
lexmark — markvision_enterprise
 
Directory traversal vulnerability in the GfdFileUploadServerlet servlet in Lexmark MarkVision Enterprise before 2.1 allows remote attackers to write to arbitrary files via unspecified vectors. 2020-01-27 10 CVE-2014-8741
CONFIRM
MISC
lorex_technology — lnc116_and_lnc104_ip_cameras
 
Lorex LNC116 and LNC104 IP Cameras have a Remote Authentication Bypass Vulnerability 2020-01-24 7.5 CVE-2012-6451
MISC
MISC
lustre — lustre
 
In the Lustre file system before 2.12.3, mdt_object_remote in the mdt module has a NULL pointer dereference and panic due to the lack of validation for specific fields of packets sent by a client. 2020-01-27 7.8 CVE-2019-20424
MISC
MISC
MISC
MISC
lustre — lustre
 
In the Lustre file system before 2.12.3, the mdt module has an out-of-bounds access and panic due to the lack of validation for specific fields of packets sent by a client. mdt_file_secctx_unpack does not validate the value of name_size derived from req_capsule_get_size. 2020-01-27 7.8 CVE-2019-20432
MISC
MISC
MISC
MISC
lustre — lustre
 
In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds access and panic due to the lack of validation for specific fields of packets sent by a client. In the function lustre_msg_string, there is no validation of a certain length value derived from lustre_msg_buflen_v2. 2020-01-27 7.8 CVE-2019-20425
MISC
MISC
MISC
MISC
lustre — lustre
 
In the Lustre file system before 2.12.3, the mdt module has an LBUG panic (via a large MDT Body eadatasize field) due to the lack of validation for specific fields of packets sent by a client. 2020-01-27 7.8 CVE-2019-20430
MISC
MISC
MISC
MISC
lustre — lustre
 
In the Lustre file system before 2.12.3, the ptlrpc module has an osd_map_remote_to_local out-of-bounds access and panic due to the lack of validation for specific fields of packets sent by a client. osd_bufs_get in the osd_ldiskfs module does not validate a certain length value. 2020-01-27 7.8 CVE-2019-20431
MISC
MISC
MISC
MISC
lustre — lustre
 
In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds read and panic (via a modified lm_bufcount field) due to the lack of validation for specific fields of packets sent by a client. This is caused by interaction between sptlrpc_svc_unwrap_request and lustre_msg_hdr_size_v2. 2020-01-27 7.8 CVE-2019-20429
MISC
MISC
MISC
MISC
lustre — lustre
 
In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds read and panic due to the lack of validation for specific fields of packets sent by a client. The ldl_request_cancel function mishandles a large lock_count parameter. 2020-01-27 7.8 CVE-2019-20428
MISC
MISC
MISC
MISC
lustre — lustre
 
In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds access and panic due to the lack of validation for specific fields of packets sent by a client. In the function ldlm_cancel_hpreq_check, there is no lock_count bounds check. 2020-01-27 7.8 CVE-2019-20426
MISC
MISC
MISC
MISC
lustre — lustre
 
In the Lustre file system before 2.12.3, the ptlrpc module has a buffer overflow and panic due to the lack of validation for specific fields of packets sent by a client. The function target_handle_connect() mishandles a certain size value when a client connects to a server, because of an integer signedness error. 2020-01-27 7.8 CVE-2019-20423
MISC
MISC
MISC
MISC
lustre — lustre
 
In the Lustre file system before 2.12.3, the ptlrpc module has a buffer overflow and panic, and possibly remote code execution, due to the lack of validation for specific fields of packets sent by a client. Interaction between req_capsule_get_size and tgt_brw_write leads to a tgt_shortio2pages integer signedness error. 2020-01-27 9 CVE-2019-20427
MISC
MISC
MISC
MISC
magento — magento
 
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have an sql injection vulnerability. Successful exploitation could lead to sensitive information disclosure. 2020-01-29 7.8 CVE-2020-3719
CONFIRM
magento — magento
 
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-01-29 10 CVE-2020-3716
CONFIRM
magento — magento
 
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a security bypass vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-01-29 10 CVE-2020-3718
CONFIRM
microsoft — visual_studio_code
 
An elevation of privilege vulnerability exists in Visual Studio Code when it exposes a debug listener to users of a local computer, aka ‘Visual Studio Code Elevation of Privilege Vulnerability’. 2020-01-24 7.2 CVE-2019-1414
MISC
netgear — centria_wndr4700_devices
 
NETGEAR Centria WNDR4700 devices with firmware 1.0.0.34 allow authentication bypass. 2020-01-28 7.5 CVE-2013-3071
BID
netgear — wndr4700_media_server_devices
 
NetGear WNDR4700 Media Server devices with firmware 1.0.0.34 allow remote attackers to cause a denial of service (device crash). 2020-01-28 7.8 CVE-2013-3074
BID
netgear — wnr1000v3
 
Netgear WNR1000v3 with firmware before 1.0.2.60 contains an Authentication Bypass via the NtgrBak key. 2020-01-29 10 CVE-2013-3317
EXPLOIT-DB
netgear — wnr1000v3
 
Netgear WNR1000v3 with firmware before 1.0.2.60 contains an Authentication Bypass due to the server skipping checks for URLs containing a “.jpg”. 2020-01-29 10 CVE-2013-3316
EXPLOIT-DB

opensmtpd — opensmtpd

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the “uncommented” default configuration. The issue exists because of an incorrect return value upon failure of input validation. 2020-01-29 10 CVE-2020-7247
MISC
MISC
FULLDISC
MISC
CONFIRM
BUGTRAQ
DEBIAN
CERT-VN
CONFIRM
postgresql — postgresql
 
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 does not properly handle errors while reading a protocol message, which allows remote attackers to conduct SQL injection attacks via crafted binary data in a parameter and causing an error, which triggers the loss of synchronization and part of the protocol message to be treated as a new message, as demonstrated by causing a timeout or query cancellation. 2020-01-27 7.5 CVE-2015-0244
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
red_hat — openshift_origin
 
The download_from_url function in OpenShift Origin allows remote attackers to execute arbitrary commands via shell metacharacters in the URL of a request to download a cart. 2020-01-28 10 CVE-2013-2060
MISC
MISC
MISC
MISC
ruckus — zoneflex_r500_devices
 
Ruckus ZoneFlex R500 104.0.0.0.1347 devices allow an authenticated attacker to execute arbitrary OS commands via the hidden /forms/nslookupHandler form, as demonstrated by the nslookuptarget=|cat${IFS} substring. 2020-01-29 9 CVE-2020-8438
MISC
soapbox — soapbox
 
Soapbox through 0.3.1: Sandbox bypass – runs a second instance of Soapbox within a sandboxed Soapbox. 2020-01-24 7.2 CVE-2012-6302
MISC
suse — Linux_enterprise_server_11
 
A symlink following vulnerability in the packaging of mailman in SUSE Linux Enterprise Server 11, SUSE Linux Enterprise Server 12; openSUSE Leap 15.1 allowed local attackers to escalate their privileges from user wwwrun to root. Additionally arbitrary files could be changed to group mailman. This issue affects: SUSE Linux Enterprise Server 11 mailman versions prior to 2.1.15-9.6.15.1. SUSE Linux Enterprise Server 12 mailman versions prior to 2.1.17-3.11.1. openSUSE Leap 15.1 mailman version 2.1.29-lp151.2.14 and prior versions. 2020-01-24 7.2 CVE-2019-3693
SUSE
CONFIRM
suse — linux_enterprise_server_11
 
The packaging of inn on SUSE Linux Enterprise Server 11; openSUSE Factory, Leap 15.1 allows local attackers to escalate from user inn to root via symlink attacks. This issue affects: SUSE Linux Enterprise Server 11 inn version 2.4.2-170.21.3.1 and prior versions. openSUSE Factory inn version 2.6.2-2.2 and prior versions. openSUSE Leap 15.1 inn version 2.5.4-lp151.2.47 and prior versions. 2020-01-24 7.2 CVE-2019-3692
CONFIRM
suse — opensuse
 
UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of gnump3d in openSUSE Leap 15.1 allows local attackers to escalate from user gnump3d to root. This issue affects: openSUSE Leap 15.1 gnump3d version 3.0-lp151.2.1 and prior versions. 2020-01-24 7.2 CVE-2019-3697
CONFIRM
suse — opensuse_factory
 
A Symbolic Link (Symlink) Following vulnerability in the packaging of munin in openSUSE Factory, Leap 15.1 allows local attackers to escalate from user munin to root. This issue affects: openSUSE Factory munin version 2.0.49-4.2 and prior versions. openSUSE Leap 15.1 munin version 2.0.40-lp151.1.1 and prior versions. 2020-01-24 7.2 CVE-2019-3694
CONFIRM
synacor — zimbra_collaboration
 
Synacor Zimbra Collaboration before 8.0.9 allows plaintext command injection during STARTTLS. 2020-01-27 7.5 CVE-2014-8563
CONFIRM
CONFIRM
tp-link — tp-link_ip_cameras
 
A Command Injection vulnerability exists in the ap parameter to the /cgi-bin/mft/wireless_mft.cgi file in TP-Link IP Cameras TL-SC 3130, TL-SC 3130G, 3171G. and 4171G 1.6.18P12s, which could let a malicious user execute arbitrary code. 2020-01-29 10 CVE-2013-2573
MISC
MISC
MISC
MISC
MISC
vtiger — vtiger_crm
 
vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function. 2020-01-29 7.5 CVE-2013-3215
BID
XF
vtiger — vtiger_crm
 
vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in ‘vtigerolservice.php’. 2020-01-28 7.5 CVE-2013-3214
EXPLOIT-DB
BID
XF
webcalendar_project — webcalendar
 
install/index.php in WebCalendar before 1.2.5 allows remote attackers to execute arbitrary code via the form_single_user_login parameter. 2020-01-27 7.5 CVE-2012-1495
MISC
MISC
MISC
MISC
xnview — xnview
 
XnView 2.03 has an integer overflow vulnerability 2020-01-27 7.5 CVE-2013-3493
MISC
xnview — xnview
 
XnView 2.03 has a stack-based buffer overflow vulnerability 2020-01-27 7.5 CVE-2013-3492
MISC
zavio — zavio_ip_cameras
 
A Command Injection vulnerability exists in Zavio IP Cameras through 1.6.3 via the ap parameter to /cgi-bin/mft/wireless_mft.cgi, which could let a remote malicious user execute arbitrary code. 2020-01-29 10 CVE-2013-2568
MISC
MISC
MISC
MISC
MISC
zavio — zavio_ip_cameras
 
A Command Injection vulnerability exists in Zavio IP Cameras through 1.6.3 in the General.Time.NTP.Server parameter to the sub_C8C8 function of the binary /opt/cgi/view/param, which could let a remove malicious user execute arbitrary code. 2020-01-29 7.5 CVE-2013-2570
MISC
MISC
MISC
MISC

Back to top

 

Medium Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
3s-smart_software_solutions — codesys_control_and_gateway_and_hmi
 
CODESYS Control V3, Gateway V3, and HMI V3 before 3.5.15.30 allow uncontrolled memory allocation which can result in a remote denial of service condition. 2020-01-24 4 CVE-2020-7052
CONFIRM
MISC
N/A — N/A
 
Buffer overflow in the lldp_decode function in daemon/protocols/lldp.c in lldpd before 0.8.0 allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via vectors involving large management addresses and TLV boundaries. 2020-01-28 6.8 CVE-2015-8011
MISC
MISC
MISC
N/A — N/A
 
svg.swf in TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. This may be at a contrib/websvg/svg.swf pathname. 2020-01-27 4.3 CVE-2020-8091
MISC
MISC
N/A — N/A
 
BearFTP before 0.2.0 allows remote attackers to achieve denial of service via a large volume of connections to the PASV mode port. 2020-01-29 5 CVE-2020-8416
CONFIRM
CONFIRM
CONFIRM
MISC
N/A — N/A
 
Cross-site scripting (XSS) vulnerability in TennisConnect COMPONENTS 9.927 allows remote attackers to inject arbitrary web script or HTML via the pid parameter to index.cfm. 2020-01-28 4.3 CVE-2014-8490
MISC
MISC
N/A — secure_entry_server
 
Secure Entry Server before 4.7.0 contains a URI Redirection vulnerability which could allow remote attackers to conduct phishing attacks due to HSP_AbsoluteRedirects being disabled by default. 2020-01-28 5.8 CVE-2013-2764
BID
XF
adive — adive
 
Adive Framework 2.0.8 has admin/config CSRF to change the Administrator password. 2020-01-26 6.8 CVE-2020-7991
MISC
MISC
MISC
adive — adive_framework
 
Adive Framework 2.0.8 has admin/user/add userName XSS. 2020-01-26 4.3 CVE-2020-7990
MISC
MISC
adive — adive_framework
 
Adive Framework 2.0.8 has admin/user/add userUsername XSS. 2020-01-26 4.3 CVE-2020-7989
MISC
MISC
amazon — aws_xms
 
Directory traversal vulnerability in AWS XMS 2.5 allows remote attackers to view arbitrary files via the ‘what’ parameter. 2020-01-27 5 CVE-2013-2474
EXPLOIT-DB
BID
XF

amd — atidxx64.dll_driver

An exploitable type confusion vulnerability exists in AMD ATIDXX64.DLL driver, versions 26.20.13031.10003, 26.20.13031.15006 and 26.20.13031.18002. A specially crafted pixel shader can cause a type confusion issue, leading to potential code execution. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from VMware guest, affecting VMware host. 2020-01-25 6.8 CVE-2019-5183
MISC
angular_expressions — angular_expressions
 
Angular Expressions before version 1.0.1 has a remote code execution vulnerability if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input. If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution. 2020-01-24 6.8 CVE-2020-5219
MISC
MISC
CONFIRM
apache — nifi
 
A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers. 2020-01-28 4.3 CVE-2020-1933
CONFIRM
apache — nifi
 
An information disclosure vulnerability was found in Apache NiFi 1.10.0. The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present. 2020-01-28 5 CVE-2020-1928
CONFIRM
apache — superset
 
An information disclosure issue was found in Apache Superset 0.34.0, 0.34.1, 0.35.0, and 0.35.1. Authenticated Apache Superset users are able to retrieve other users’ information, including hashed passwords, by accessing an unused and undocumented API endpoint on Apache Superset. 2020-01-28 4 CVE-2020-1932
MISC
asus — wrt-ac66u_3_rt_devices
 
ASUS WRT-AC66U 3 RT 3.0.0.4.372_67 devices allow XSS via the Client Name field to the Parental Control feature. 2020-01-28 4.3 CVE-2020-7997
MISC
big_switch_networks — big_monitoring_fabric
 
An issue was discovered in Big Switch Big Monitoring Fabric 6.2 through 6.2.4, 6.3 through 6.3.9, 7.0 through 7.0.3, and 7.1 through 7.1.3; Big Cloud Fabric 4.5 through 4.5.5, 4.7 through 4.7.7, 5.0 through 5.0.1, and 5.1 through 5.1.4; and Multi-Cloud Director through 1.1.0. An unauthenticated attacker may inject stored arbitrary JavaScript (XSS), and execute it in the content of authenticated administrators. 2020-01-24 4.3 CVE-2019-19632
MISC
MISC
bitdefender — epsecurityservice.exe
 
An Untrusted Search Path vulnerability in EPSecurityService.exe as used in Bitdefender Endpoint Security Tools versions prior to 6.6.11.163 allows an attacker to load an arbitrary DLL file from the search path. This issue affects: Bitdefender EPSecurityService.exe versions prior to 6.6.11.163. 2020-01-27 4.4 CVE-2019-17099
CONFIRM
bytemark — symbiosis
 
Bytemark Symbiosis allows remote attackers to cause a denial of service via a crafted username, which triggers the firewall to blacklist the IP. 2020-01-27 5 CVE-2014-3979
MISC
MISC
MISC
chamilo — chamilo
 
Chamilo 1.9.4 has XSS due to improper validation of user-supplied input by the chat.php script. 2020-01-30 4.3 CVE-2013-0739
MISC
MISC
chamilo — chamilo
 
Chamilo 1.9.4 has Multiple XSS and HTML Injection Vulnerabilities: blog.php and announcements.php. 2020-01-30 4.3 CVE-2013-0738
MISC
MISC
cisco — application_policy_infrastructure_controller
 
A vulnerability in the out of band (OOB) management interface IP table rule programming for Cisco Application Policy Infrastructure Controller (APIC) could allow an unauthenticated, remote attacker to bypass configured deny entries for specific IP ports. These IP ports would be permitted to the OOB management interface when, in fact, the packets should be dropped. The vulnerability is due to the configuration of specific IP table entries for which there is a programming logic error that results in the IP port being permitted. An attacker could exploit this vulnerability by sending traffic to the OOB management interface on the targeted device. A successful exploit could allow the attacker to bypass configured IP table rules to drop specific IP port traffic. The attacker has no control over the configuration of the device itself. This vulnerability affects Cisco APIC releases prior to the first fixed software Release 4.2(3j). 2020-01-26 5 CVE-2020-3139
CISCO
cisco — asyncos_software
 
A vulnerability in the zip decompression engine of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper validation of zip files. An attacker could exploit this vulnerability by sending an email message with a crafted zip-compressed attachment. A successful exploit could trigger a restart of the content-scanning process, causing a temporary DoS condition. This vulnerability affects Cisco AsyncOS Software for Cisco ESA releases earlier than 13.0. 2020-01-26 6.4 CVE-2020-3134
CISCO
cisco — crosswork_change_automation
 
A vulnerability in the web-based management interface of Cisco Crosswork Change Automation could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. 2020-01-26 4.3 CVE-2019-16024
CISCO
cisco — data_center_analytics_framework
 
A vulnerability in the web-based management interface of the Cisco Data Center Analytics Framework application could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information on the affected system. 2020-01-26 4.3 CVE-2019-16015
CISCO
cisco — finesse
 
A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to bypass authorization and access sensitive information related to the device. The vulnerability exists because the software fails to sanitize URLs before it handles requests. An attacker could exploit this vulnerability by submitting a crafted URL. A successful exploit could allow the attacker to gain unauthorized access to sensitive information. 2020-01-26 4.3 CVE-2019-15278
CISCO
cisco — identity_services_engine
 
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass authorization and access sensitive information related to the device. The vulnerability exists because the software fails to sanitize URLs before it handles requests. An attacker could exploit this vulnerability by submitting a crafted URL. A successful exploit could allow the attacker to gain unauthorized access to sensitive information. 2020-01-26 4 CVE-2019-15255
CISCO
cisco — ios_xr_software
 
Multiple vulnerabilities in the implementation of Border Gateway Protocol (BGP) Ethernet VPN (EVPN) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerabilities are due to incorrect processing of BGP update messages that contain crafted EVPN attributes. An attacker could exploit these vulnerabilities by sending BGP EVPN update messages with malformed attributes to be processed by an affected system. A successful exploit could allow the attacker to cause the BGP process to restart unexpectedly, resulting in a DoS condition. The Cisco implementation of BGP accepts incoming BGP traffic only from explicitly defined peers. To exploit these vulnerabilities, the malicious BGP update message would need to come from a configured, valid BGP peer, or would need to be injected by the attacker into the victim’s BGP network on an existing, valid TCP connection to a BGP peer. 2020-01-26 5 CVE-2019-16022
CISCO
cisco — ios_xr_software
 
A vulnerability in the implementation of the Border Gateway Protocol (BGP) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to incorrect processing of a BGP update message that contains a specific BGP attribute. An attacker could exploit this vulnerability by sending BGP update messages that include a specific, malformed attribute to be processed by an affected system. A successful exploit could allow the attacker to cause the BGP process to restart unexpectedly, resulting in a DoS condition. The Cisco implementation of BGP accepts incoming BGP traffic only from explicitly defined peers. To exploit this vulnerability, the malicious BGP update message would need to come from a configured, valid BGP peer or would need to be injected by the attacker into the victim&rsquo;s BGP network on an existing, valid TCP connection to a BGP peer. 2020-01-26 5 CVE-2019-15989
CISCO
cisco — ios_xr_software
 
Multiple vulnerabilities in the implementation of Border Gateway Protocol (BGP) Ethernet VPN (EVPN) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerabilities are due to incorrect processing of BGP update messages that contain crafted EVPN attributes. An attacker could exploit these vulnerabilities by sending BGP EVPN update messages with malformed attributes to be processed by an affected system. A successful exploit could allow the attacker to cause the BGP process to restart unexpectedly, resulting in a DoS condition. The Cisco implementation of BGP accepts incoming BGP traffic only from explicitly defined peers. To exploit these vulnerabilities, the malicious BGP update message would need to come from a configured, valid BGP peer, or would need to be injected by the attacker into the victim’s BGP network on an existing, valid TCP connection to a BGP peer. 2020-01-26 5 CVE-2019-16020
CISCO
cisco — ios_xr_software
 
A vulnerability in the implementation of the Intermediate System&ndash;to&ndash;Intermediate System (IS&ndash;IS) routing protocol functionality in Cisco IOS XR Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition in the IS&ndash;IS process. The vulnerability is due to improper handling of a Simple Network Management Protocol (SNMP) request for specific Object Identifiers (OIDs) by the IS&ndash;IS process. An attacker could exploit this vulnerability by sending a crafted SNMP request to the affected device. A successful exploit could allow the attacker to cause a DoS condition in the IS&ndash;IS process. 2020-01-26 4 CVE-2019-16027
CISCO
cisco — jabber_guest
 
A vulnerability in the web-based management interface of Cisco Jabber Guest could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability exists because the web-based management interface of the affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or to access sensitive, browser-based information. This vulnerability affects Cisco Jabber Guest releases 11.1(2) and earlier. 2020-01-26 4.3 CVE-2020-3136
CISCO
cisco — mobility_management_entity
 
A vulnerability in the implementation of the Stream Control Transmission Protocol (SCTP) on Cisco Mobility Management Entity (MME) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an eNodeB that is connected to an affected device. The vulnerability is due to insufficient input validation of SCTP traffic. An attacker could exploit this vulnerability by leveraging a man-in-the-middle position between the eNodeB and the MME and then sending a crafted SCTP message to the MME. A successful exploit would cause the MME to stop sending SCTP messages to the eNodeB, triggering a DoS condition. 2020-01-26 4.3 CVE-2019-16026
CISCO
cisco — sd-wan_solution_vmanage
 
A vulnerability in the web interface for Cisco SD-WAN Solution vManage could allow an authenticated, remote attacker to impact the integrity of an affected system by executing arbitrary SQL queries. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted input that includes SQL statements to an affected system. A successful exploit could allow the attacker to modify entries in some database tables, affecting the integrity of the data. 2020-01-26 4 CVE-2019-12619
CISCO
cisco — small_business_smart_and_managed_switches
 
A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link and access a specific page. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. 2020-01-26 4.3 CVE-2020-3121
CISCO
cisco — smart_software_manager_on-prem
 
A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. The vulnerability is due to the lack of input validation in the API. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to change or corrupt user account information which could grant the attacker administrator access or prevent legitimate user access to the web interface, resulting in a denial of service (DoS) condition. 2020-01-26 6.4 CVE-2019-16029
CISCO
cisco — ucs_director
 
A vulnerability in the web-based management interface of Cisco UCS Director could allow an unauthenticated, remote attacker to download system log files from an affected device. The vulnerability is due to an issue in the authentication logic of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web interface. A successful exploit could allow the attacker to download log files if they were previously generated by an administrator. 2020-01-26 5 CVE-2019-16003
CISCO
cisco — webex_meetings_suite_and_online
 
A vulnerability in Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow an unauthenticated, remote attendee to join a password-protected meeting without providing the meeting password. The connection attempt must initiate from a Webex mobile application for either iOS or Android. The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications. An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device&rsquo;s web browser. The browser will then request to launch the device&rsquo;s Webex mobile application. A successful exploit could allow the unauthorized attendee to join the password-protected meeting. The unauthorized attendee will be visible in the attendee list of the meeting as a mobile attendee. Cisco has applied updates that address this vulnerability and no user action is required. This vulnerability affects Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites releases earlier than 39.11.5 and 40.1.3. 2020-01-26 5 CVE-2020-3142
CISCO
cisco — webex_teams
 
A vulnerability in the Cisco Webex Teams client for Windows could allow an authenticated, remote attacker to cause the client to crash, resulting in a denial of service (DoS) condition. The attacker needs a valid developer account to exploit this vulnerability. The vulnerability is due to insufficient input validation when processing received adaptive cards. The attacker could exploit this vulnerability by sending an adaptive card with malicious content to an existing user of the Cisco Webex Teams client for Windows. A successful exploit could allow the attacker to cause the targeted user’s client to crash continuously. This vulnerability was introduced in Cisco Webex Teams client for Windows Release 3.0.13131. 2020-01-26 4 CVE-2020-3131
CISCO
codecov — codecov
 
Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the “gcov-args” argument. 2020-01-25 6.5 CVE-2020-7596
MISC
contao — contao
 
contao prior to 2.11.4 has a sql injection vulnerability 2020-01-29 6.5 CVE-2012-4383
MISC
core_security — vivotek_pt7135_ip_camera
 
An Information Disclosure vulnerability exists via a GET request in Vivotek PT7135 IP Camera 0300a and 0400a due to wireless keys and 3rd party credentials stored in clear text. 2020-01-24 5 CVE-2013-1594
MISC
MISC
MISC
MISC
MISC
MISC
core_security — vivotek_pt7135_ip_camera
 
An Authentication Bypass Vulnerability exists in Vivotek PT7135 IP Camera 0300a and 0400a via specially crafted RTSP packets to TCP port 554. 2020-01-24 5 CVE-2013-1596
MISC
MISC
MISC
MISC
MISC
core_security — tp-link_ip_cameras
 
A Security Bypass vulnerability exists in TP-LINK IP Cameras TL-SC 3130, TL-SC 3130G, 3171G, 4171G, and 3130 1.6.18P12 due to default hard-coded credentials for the administrative Web interface, which could let a malicious user obtain unauthorized access to CGI files. 2020-01-29 5 CVE-2013-2572
MISC
MISC
MISC
MISC
MISC
core_security — vivotek_pt7135_ip_cameras
 
A Directory Traversal vulnerability exists in Vivotek PT7135 IP Cameras 0300a and 0400a via a specially crafted GET request, which could let a malicious user obtain user credentials. 2020-01-24 4 CVE-2013-1597
MISC
MISC
MISC
MISC
MISC
core_security — zavio_ip_cameras
 
An Authentication Bypass vulnerability exists in the web interface in Zavio IP Cameras through 1.6.03 due to a hardcoded admin account found in boa.conf, which lets a remote malicious user obtain sensitive information. 2020-01-29 5 CVE-2013-2567
MISC
MISC
MISC
MISC
MISC
core_security — zavio_ip_cameras
 
A Security Bypass vulnerability exists in Zavio IP Cameras through 1.6.3 because the RTSP protocol authentication is disabled by default, which could let a malicious user obtain unauthorized access to the live video stream. 2020-01-29 5 CVE-2013-2569
MISC
MISC
MISC
MISC
cpanel — webhost_manager
 
Cross-site Scripting (XSS) in cPanel WebHost Manager (WHM) 11.34.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2020-01-27 4.3 CVE-2012-6448
EXPLOIT-DB
dolibarr — dolibarr
 
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) label[libelle] parameter to the /htdocs/admin/dict.php?id=3 page; the (2) name[constname] parameter to the /htdocs/admin/const.php?mainmenu=home page; the (3) note[note] parameter to the /htdocs/admin/dict.php?id=10 page; the (4) zip[MAIN_INFO_SOCIETE_ZIP] or email[mail] parameter to the /htdocs/admin/company.php page; the (5) url[defaulturl], field[defaultkey], or value[defaultvalue] parameter to the /htdocs/admin/defaultvalues.php page; the (6) key[transkey] or key[transvalue] parameter to the /htdocs/admin/translation.php page; or the (7) [main_motd] or [main_home] parameter to the /htdocs/admin/ihm.php page. 2020-01-26 4.3 CVE-2020-7994
MISC
MISC
dolibarr — dolibarr
 
htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header. 2020-01-26 4.3 CVE-2020-7996
MISC
MISC
eucalyptus — eucalyptus_management_control
 
Cross-site scripting (XSS) vulnerability in Eucalyptus Management Console (EMC) 4.0.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2020-01-27 4.3 CVE-2013-4770
MISC
f-revocrm — f-revocrm
 
Cross-site scripting vulnerability in F-RevoCRM 6.0 to F-RevoCRM 6.5 patch6 (version 6 series) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2020-01-27 4.3 CVE-2019-6036
MISC
MISC
fuji_xerox — netprint
 
The netprint App for iOS 3.2.3 and earlier does not verify X.509 certificates from servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 2020-01-27 5.8 CVE-2020-5520
MISC
MISC
fuji_xerox — kantan_netprint
 
The kantan netprint App for iOS 2.0.2 and earlier does not verify X.509 certificates from servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 2020-01-27 5.8 CVE-2020-5521
MISC
MISC
fuji_xerox — kantan_netprint
 
The kantan netprint App for Android 2.0.3 and earlier does not verify X.509 certificates from servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 2020-01-27 5.8 CVE-2020-5522
MISC
MISC
gitlab — gitlab
 
An information disclosure issue was discovered GitLab versions < 12.1.2, < 12.0.4, and < 11.11.6 in the security dashboard which could result in disclosure of vulnerability feedback information. 2020-01-28 5 CVE-2019-5470
MISC
MISC
MISC
gitlab — gitlab
 
An authorization issue was discovered in Gitlab versions < 12.1.2, < 12.0.4, and < 11.11.6 that prevented owners and maintainer to delete epic comments. 2020-01-28 5 CVE-2019-5472
MISC
MISC
MISC
gitlab — gitlab_community_and_enterprise_edition

 

An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). The path of a private project, that used to be public, would be disclosed in the unsubscribe email link of issues and merge requests. 2020-01-28 5 CVE-2019-15578
MISC
MISC
gitlab — gitlab_community_and_enterprise_edition

 

An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) where the assignee(s) of a confidential issue in a private project would be disclosed to a guest via milestones. 2020-01-28 5 CVE-2019-15579
MISC
MISC
gitlab — gitlab_community_and_enterprise_edition

 

An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group via merge request approval rules. 2020-01-28 5 CVE-2019-15581
MISC
MISC
gitlab — gitlab_community_and_enterprise_edition

 

An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment. 2020-01-28 5 CVE-2019-15582
MISC
MISC
gitlab — gitlab_community_and_enterprise_edition
 
An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed with the Group Search feature provided by Elasticsearch integration 2020-01-28 5 CVE-2019-15590
MISC
MISC
gitlab — gitlab_community_and_enterprise_edition
 
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). When an issue was moved to a public project from a private one, the associated private labels and the private project namespace would be disclosed through the GitLab API. 2020-01-28 5 CVE-2019-15583
MISC
MISC
gitlab — gitlab_community_and_enterprise_edition
 
A XSS exists in Gitlab CE/EE < 12.1.10 in the Mermaid plugin. 2020-01-28 4.3 CVE-2019-15586
MISC
MISC
gitlab — gitlab_community_end_enterprise_edition
 
A privilege escalation issue was discovered in GitLab CE/EE 9.0 and later when trigger tokens are not rotated once ownership of them has changed. 2020-01-28 6.8 CVE-2019-5462
MISC
MISC
MISC
git — git
 
A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths, aka ‘Git for Visual Studio Tampering Vulnerability’. 2020-01-24 5 CVE-2019-1351
SUSE
MISC
MISC
gnu — aspell
 
libaspell.a in GNU Aspell before 0.60.8 has a buffer over-read for a string ending with a single ‘\0’ byte, if the encoding is set to ucs-2 or ucs-4 outside of the application, as demonstrated by the ASPELL_CONF environment variable. 2020-01-27 6.4 CVE-2019-20433
MISC
gnu — gnucoreutils
 
The keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 on 64-bit platforms performs a size calculation without considering the number of bytes occupied by multibyte characters, which allows attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via long UTF-8 strings. 2020-01-24 4.6 CVE-2015-4041
MISC
MISC
MISC
gnu — gnutls
 
GnuTLS before 3.3.13 does not validate that the signature algorithms match when importing a certificate. 2020-01-27 5 CVE-2015-0294
MISC
MISC
MISC
google — android
 
audio/AudioPolicyManagerBase.cpp in Android before 5.1 allows attackers to cause a denial of service (audio_policy application outage) via a crafted application that provides a NULL device address. 2020-01-24 4.3 CVE-2015-1525
MISC
google — android
 
media/libmedia/IAudioPolicyService.cpp in Android before 5.1 allows attackers to execute arbitrary code with media_server privileges or cause a denial of service (integer overflow) via a crafted application that provides an invalid array size. 2020-01-24 6 CVE-2015-1530
MISC
ibm — content_navigator
 
IBM Content Navigator 3.0CD could allow an authenticated user to gain information about the hosting operating system and version that could be used in further attacks against the system. IBM X-Force ID: 171515. 2020-01-28 4 CVE-2019-4679
XF
CONFIRM
ibm — mq_and_mq_appliance
 
IBM MQ and IBM MQ Appliance 8.0 and 9.0 LTS client connecting to a Queue Manager could cause a SIGSEGV denial of service caused by converting an invalid message. IBM X-Force ID: 168639. 2020-01-28 4 CVE-2019-4614
XF
CONFIRM
ibm — mq_and_mq_appliance
 
IBM MQ and IBM MQ Appliance 8.0 and 9.0 LTS could allow a remote attacker with intimate knowledge of the server to cause a denial of service when receiving data on the channel. IBM X-Force ID: 166629. 2020-01-28 4.3 CVE-2019-4568
XF
CONFIRM
ibm — mq_appliance_and_lts
 
IBM MQ Appliance 8.0 and 9.0 LTS could allow a local attacker to bypass security restrictions caused by improper validation of environment variables. IBM X-Force ID: 168863. 2020-01-28 4.6 CVE-2019-4620
XF
CONFIRM
ibm — security_access_manager_appliance
 
IBM Security Access Manager Appliance 9.0.7.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 172018. 2020-01-28 5.5 CVE-2019-4707
XF
CONFIRM
ibm — security_secret_server
 
IBM Security Secret Server 10.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 170004. 2020-01-28 4.3 CVE-2019-4632
XF
CONFIRM
ibm — security_secret_server
 
IBM Security Secret Server 10.7 does not set the secure attribute on authorization tokens or session cookies. This could allow an attacker to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 170044. 2020-01-28 4.3 CVE-2019-4638
XF
CONFIRM
ibm — security_secret_server
 
IBM Security Secret Server 10.7 could allow a privileged user to perform unauthorized command injection due to imporoper input neutralization of special elements. IBM X-Force ID: 170011. 2020-01-28 4 CVE-2019-4635
XF
CONFIRM
ibm — security_secret_server
 
IBM Security Secret Server 10.7 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 170001. 2020-01-28 5.8 CVE-2019-4631
XF
CONFIRM
ibm — security_secret_server
 
IBM Security Secret Server 10.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 170045. 2020-01-28 5 CVE-2019-4639
XF
CONFIRM
ibm — security_secret_server
 
IBM Security Secret Server 10.7 could disclose sensitive information to an authenticated user from generated error messages. IBM X-Force ID: 170013. 2020-01-28 4 CVE-2019-4636
XF
CONFIRM
ibm — security_secret_server
 
IBM Security Secret Server 10.7 uses incomplete blacklisting for input validation which allows attackers to bypass application controls resulting in direct impact to the system and data integrity. IBM X-Force ID: 170043. 2020-01-28 4 CVE-2019-4637
XF
CONFIRM
ibm — security_secret_server
 
IBM Security Secret Server 10.7 could allow an attacker to obtain sensitive information due to an overly permissive CORS policy. IBM X-Force ID: 170007. 2020-01-28 4.3 CVE-2019-4633
XF
CONFIRM
icewarp — webmail_server
 
In IceWarp Webmail Server through 11.4.4.1, there is XSS in the /webmail/ color parameter. 2020-02-01 4.3 CVE-2020-8512
MISC
MISC
jazzband — django-user-sessions
 
In Django User Sessions (django-user-sessions) before 1.7.1, the views provided allow users to terminate specific sessions. The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS vulnerability, the session key could be extracted by the attacker and a session takeover could happen. 2020-01-24 4 CVE-2020-5224
CONFIRM
MISC
jenkins — fortify_plugin
 
Jenkins Fortify Plugin 19.1.29 and earlier stores proxy server passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. 2020-01-29 4 CVE-2020-2107
MLIST
CONFIRM
jenkins — jenkins
 
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart. 2020-01-29 4 CVE-2020-2104
MLIST
CONFIRM
jenkins — jenkins
 
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a UDP amplification reflection denial of service attack on port 33848. 2020-01-29 5 CVE-2020-2100
MLIST
CONFIRM
jenkins — jenkins
 
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user’s detail object in the whoAmI diagnostic page. 2020-01-29 4 CVE-2020-2103
MLIST
CONFIRM
jenkins — jenkins
 
REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks. 2020-01-29 4.3 CVE-2020-2105
MLIST
CONFIRM
jenkins — websphere_deployer_plugin
 
Jenkins WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XXE attacks which can be exploited by a user with Job/Configure permissions. 2020-01-29 6.5 CVE-2020-2108
MLIST
CONFIRM
jetbrains — intellij_idea
 
Ports listened to by JetBrains IntelliJ IDEA before 2019.3 were exposed to the network. 2020-01-30 5 CVE-2020-7905
MISC
CONFIRM
jetbrains — intellij_idea
 
In JetBrains IntelliJ IDEA before 2019.3, some Maven repositories were accessed via HTTP instead of HTTPS. 2020-01-30 5.8 CVE-2020-7904
MISC
CONFIRM
jetbrains — rider
 
In JetBrains Rider versions 2019.3 EAP2 through 2019.3 EAP7, there were unsigned binaries provided by the Windows installer. This issue was fixed in release version 2019.3. 2020-01-30 5 CVE-2020-7906
MISC
MISC
jetbrains — teamcity
 
In JetBrains TeamCity before 2019.1.5, reverse tabnabbing was possible on several pages. 2020-01-30 4.3 CVE-2020-7908
MISC
CONFIRM
jetbrains — teamcity
 
In JetBrains TeamCity before 2019.1.5, some server-stored passwords could be shown via the web UI. 2020-01-30 5 CVE-2020-7909
MISC
CONFIRM
jetbrains — teamcity
 
In JetBrains TeamCity before 2019.2, several user-level pages were vulnerable to XSS. 2020-01-30 4.3 CVE-2020-7911
MISC
CONFIRM
jetbrains — youtrack
 
In JetBrains YouTrack before 2019.2.59309, SMTP/Jabber settings could be accessed using backups. 2020-01-30 5 CVE-2020-7912
MISC
CONFIRM
jetbrains — youtrack
 
JetBrains YouTrack 2019.2 before 2019.2.59309 was vulnerable to XSS via an issue description. 2020-01-30 4.3 CVE-2020-7913
MISC
CONFIRM
koha — koha
 
Multiple directory traversal vulnerabilities in the (1) staff interface help editor (edithelp.pl) or (2) member-picupload.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allow remote attackers to write to arbitrary files via unspecified vectors. 2020-01-24 5 CVE-2014-1923
MISC
MISC
MISC
MISC
MISC
koha — koha
 
Absolute path traversal vulnerability in tools/pdfViewer.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote attackers to read arbitrary files via unspecified vectors. 2020-01-24 5 CVE-2014-1922
MISC
MISC
MISC
MISC
lldpd — lldpd
 
lldpd before 0.8.0 allows remote attackers to cause a denial of service (assertion failure and daemon crash) via a malformed packet. 2020-01-28 5 CVE-2015-8012
MISC
MISC
CONFIRM
CONFIRM
magento — magento
 
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a path traversal vulnerability. Successful exploitation could lead to sensitive information disclosure. 2020-01-29 5 CVE-2020-3717
CONFIRM
magento — magento
 
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. 2020-01-29 4.3 CVE-2020-3715
CONFIRM
magento — magento
 
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. 2020-01-29 4.3 CVE-2020-3758
CONFIRM
mediawiki — N/A
 
Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via unspecified CSS values. 2020-01-28 4.3 CVE-2013-6451
MISC
mediawiki — mediawiki
 
The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain usernames via vectors related to writing the names to the DOM of a page. 2020-01-28 5 CVE-2013-6455
MISC
microsoft — Microsoft_dynamics_365_server
 
An elevation of privilege vulnerability exists in Microsoft Dynamics 365 Server, aka ‘Microsoft Dynamics 365 Elevation of Privilege Vulnerability’. 2020-01-24 4 CVE-2018-8654
MISC
mirumee — saleor
 
An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., name, address, and previous orders of any other customer). 2020-01-24 5 CVE-2020-7964
MISC
MISC
mympc — media_player_classic_home_cinema
 
Stack-based buffer overflow in Media Player Classic – Home Cinema (MPC-HC) before 1.7.0.7858 allows remote attackers to execute arbitrary code via a crafted MPEG-2 Transport Stream (M2TS) file. 2020-01-31 6.8 CVE-2013-3488
CONFIRM
MISC
mympc — media_player_classic_home_cinema
 
Buffer overflow in Media Player Classic – Home Cinema (MPC-HC) before 1.7.0 allows remote attackers to execute arbitrary code via a crafted RealMedia .rm file 2020-01-31 6.8 CVE-2013-3489
MISC
MISC
netapp — oncommand_system_manager
 
Cross-site Scripting (XSS) vulnerability in NetApp OnCommand System Manager before 2.2 allows remote attackers to inject arbitrary web script or HTML via the ‘full-name’ and ‘comment’ fields. 2020-01-29 4.3 CVE-2013-3320
BID
XF
XF
netapp — oncommand_system_manager
 
NetApp OnCommand System Manager 2.1 and earlier allows remote attackers to include arbitrary files through specially crafted requests to the “diagnostic” page using the SnapMirror log path parameter. 2020-01-29 6 CVE-2013-3321
XF
MISC
netty — netty
 
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869. 2020-01-27 5 CVE-2020-7238
MISC
MISC
netty — netty
 
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an “invalid fold.” 2020-01-29 6.4 CVE-2019-20444
MISC
MISC
MLIST
MLIST
MLIST
netty — netty
 
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. 2020-01-29 6.4 CVE-2019-20445
MISC
MISC
MLIST
MLIST
MLIST
novell — zenworks_configuration_management
 
Novell ZENworks Configuration Management before 11.2.4 allows obtaining sensitive trace information. 2020-01-25 5 CVE-2012-6345
MISC
novell — zenworks_configuration_management
 
Novell ZENworks Configuration Management before 11.2.4 allows XSS. 2020-01-25 4.3 CVE-2012-6344
MISC
ntt_data_corporation — mypallete
 
Android App ‘MyPallete’ and some of the Android banking applications based on ‘MyPallete’ do not verify X.509 certificates from servers, and also do not properly validate certificates with host-mismatch, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 2020-01-28 5.8 CVE-2020-5523
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
openpne — openpne_3
 
OpenPNE 3 versions 3.8.7, 3.6.11, 3.4.21.1, 3.2.7.6, 3.0.8.5 has an External Entity Injection Vulnerability 2020-01-24 6.4 CVE-2013-4333
MISC
MISC
MISC
ossec — ossec-hids
 
In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to a heap-based buffer overflow in the rootcheck decoder component via an authenticated client. 2020-01-30 6.5 CVE-2020-8442
MISC
MISC
MISC
postgresql — postgresql
 
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message. 2020-01-27 4 CVE-2014-8161
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
postgresql — postgresql
 
Multiple buffer overflows in contrib/pgcrypto in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors. 2020-01-27 6.5 CVE-2015-0243
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
postgresql — postgresql
 
Stack-based buffer overflow in the *printf function implementations in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1, when running on a Windows system, allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a floating point number with a large precision, as demonstrated by using the to_char function. 2020-01-27 6.5 CVE-2015-0242
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
postgresql — postgresql
 
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric formatting template, which triggers a buffer over-read, or (2) crafted timestamp formatting template, which triggers a buffer overflow. 2020-01-27 6.5 CVE-2015-0241
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
proxmox — proxmox
 
Proxmox VE prior to 3.2: ‘AccessControl.pm’ User Enumeration Vulnerability 2020-01-27 5 CVE-2014-4156
MISC
MISC
pwgen_project — pwgen
 
The Phonemes mode in Pwgen 2.06 generates predictable passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack. 2020-01-27 5 CVE-2013-4441
MISC
MISC
MISC
MISC
pyradius — pyrad
 
packet.py in pyrad before 2.1 uses weak random numbers to generate RADIUS authenticators and hash passwords, which makes it easier for remote attackers to obtain sensitive information via a brute force attack. 2020-01-28 4.3 CVE-2013-0294
CONFIRM
CONFIRM
CONFIRM
MISC
MISC
CONFIRM
MISC
CONFIRM
python — python
 
In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker’s copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system’s copy. Windows 8 and later are unaffected. 2020-01-28 4.3 CVE-2020-8315
MISC
qt — qt
 
Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564. 2020-01-24 5 CVE-2015-9541
MISC
rapid7 — nexpose
 
Rapid7 Nexpose before 5.5.4 contains a session hijacking vulnerability which allows remote attackers to capture a user’s session and gain unauthorized access. 2020-01-25 4.3 CVE-2012-6494
BID
XF
ratpack — ratpack
 
All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting (XSS). This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable – so for this to be utilized in production it would require users to not disable development mode. 2020-01-28 4.3 CVE-2019-10770
CONFIRM
roundup — roundup
 
Multiple cross-site scripting (XSS) vulnerabilities in Roundup before 1.4.20 allow remote attackers to inject arbitrary web script or HTML via the (1) @ok_message or (2) @error_message parameter to issue*. 2020-01-30 4.3 CVE-2012-6133
CONFIRM
MISC
MISC
MISC
CONFIRM
simplehrm — simplehrm
 
SimpleHRM 2.3 and earlier could allow remote attackers to bypass the authentication process in ‘user_manager.php’ via spoofing a cookie. 2020-01-27 5 CVE-2013-2499
MISC
BID
XF
simplesamlphp — simplesamlphp
 
Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances, to inject new log lines by manually crafting this report ID. When configured to use the file logging handler, SimpleSAMLphp will output all its logs by appending each log line to a given file. Since the reportID parameter received in a request sent to www/errorreport.php was not properly sanitized, it was possible to inject newline characters into it, effectively allowing a malicious user to inject new log lines with arbitrary content. 2020-01-24 5.5 CVE-2020-5225
CONFIRM
MISC
smb4k — smb4k
 
Smb4K before 1.1.1 allows remote attackers to obtain credentials via vectors related to the cuid option in the “Additional options” line edit. 2020-01-28 5 CVE-2014-2581
CONFIRM
CONFIRM
CONFIRM
MISC
MISC
MISC
stroom — stroom
 
All versions of stroom:stroom-app before 5.5.12 and all versions of the 6.0.0 branch before 6.0.25 are affected by Cross-site Scripting. An attacker website is able to load the Stroom UI into a hidden iframe. Using that iframe, the attacker site can issue commands to the Stroom UI via an XSS vulnerability to take full control of the Stroom UI on behalf of the logged-in user. 2020-01-28 4.3 CVE-2019-10779
CONFIRM
synacor — zimbra-collaboration
 
Synacor Zimbra Collaboration before 8.0.8 has XSS. 2020-01-27 4.3 CVE-2014-5500
CONFIRM
synacor — zimbra_collaboration
 
Zimbra Collaboration 8.7.x – 8.8.11P2 contains persistent XSS. 2020-01-27 4.3 CVE-2019-8945
MISC
MISC
MISC
MISC
synacor — zimbra_collaboration
 
In Zimbra Collaboration before 8.8.15 Patch 1, there is a non-persistent XSS vulnerability. 2020-01-27 4.3 CVE-2019-15313
MISC
MISC
synacor — zimbra_collaboration
 
Zimbra Collaboration 8.7.x – 8.8.11P2 contains persistent XSS. 2020-01-27 4.3 CVE-2019-8946
MISC
MISC
MISC
MISC
synacor — zimbra_collaboration
 
Zimbra Collaboration 8.7.x – 8.8.11P2 contains non-persistent XSS. 2020-01-27 4.3 CVE-2019-8947
MISC
MISC
MISC
MISC
tiki_software — tiki_wiki_cms_groupware
 
Tiki 8.2 and earlier allows remote administrators to execute arbitrary PHP code via crafted input to the regexres and regex parameters. 2020-01-27 6 CVE-2011-4558
MISC
tor_project — tor
 
buf_pullup in Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly handle unexpected arrival times of buffers with invalid layouts, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via crafted packets. 2020-01-24 5 CVE-2015-2688
MISC
MISC
tor_project — tor
 
The Hidden Service (HS) client implementation in Tor before 0.2.4.27, 0.2.5.x before 0.2.5.12, and 0.2.6.x before 0.2.6.7 allows remote servers to cause a denial of service (assertion failure and application exit) via a malformed HS descriptor. 2020-01-24 5 CVE-2015-2929
MISC
MISC
tor_project — tor
 
The Hidden Service (HS) server implementation in Tor before 0.2.4.27, 0.2.5.x before 0.2.5.12, and 0.2.6.x before 0.2.6.7 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors. 2020-01-24 5 CVE-2015-2928
MLIST
CONFIRM
tor_project — tor
 
Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly handle pending-connection resolve states during periods of high DNS load, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via crafted packets. 2020-01-24 5 CVE-2015-2689
MISC
MISC
tornadoweb — tornado
 
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests. 2020-01-24 4.3 CVE-2014-9720
MISC
MISC
MISC
MISC
MISC
tp-link — tp-link_tl-wr849n
 
TP-LINK TL-WR849N 0.9.1 4.16 devices do not require authentication to replace the firmware via a POST request to the cgi/softup URI. 2020-01-27 4.1 CVE-2019-19143
MISC
valve_dota_2 — valve_dota_2
 
rendersystemdx9.dll in Valve Dota 2 before 7.23f allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is affected by memory corruption. 2020-01-27 6.8 CVE-2020-7952
MISC
valve_dota_2 — valve_dota_2
 
schemasystem.dll in Valve Dota 2 before 7.23f allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is mishandled during a GetValue call. 2020-01-27 6.8 CVE-2020-7949
MISC
valve_dota_2 — valve_dota_2
 
meshsystem.dll in Valve Dota 2 before 7.23e allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is affected by memory corruption. 2020-01-27 6.8 CVE-2020-7951
MISC
valve_dota_2 — valve_dota_2
 
meshsystem.dll in Valve Dota 2 before 7.23f allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is mishandled during a vulnerable function call. 2020-01-27 6.8 CVE-2020-7950
MISC
videolan — vlc_media_player
 
Integer underflow in the MP4_ReadBox_String function in modules/demux/mp4/libmp4.c in VideoLAN VLC media player before 2.1.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a box size less than 7. 2020-01-24 6.8 CVE-2014-9626
MISC
MISC
CONFIRM
videolan — vlc_media_player
 
The rtp_packetize_xiph_config function in modules/stream_out/rtpfmt.c in VideoLAN VLC media player before 2.1.6 uses a stack-allocation approach with a size determined by arbitrary input data, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted length value. 2020-01-24 6.8 CVE-2014-9630
MISC
MISC
CONFIRM
videolan — vlc_media_player
 
The MP4_ReadBox_String function in modules/demux/mp4/libmp4.c in VideoLAN VLC media player before 2.1.6 allows remote attackers to trigger an unintended zero-size malloc and conduct buffer overflow attacks, and consequently execute arbitrary code, via a box size of 7. 2020-01-24 6.8 CVE-2014-9628
MISC
MISC
CONFIRM
videolan — vlc_media_player
 
Integer overflow in the Encode function in modules/codec/schroedinger.c in VideoLAN VLC media player before 2.1.6 and 2.2.x before 2.2.1 allows remote attackers to conduct buffer overflow attacks and execute arbitrary code via a crafted length value. 2020-01-24 6.8 CVE-2014-9629
MISC
MISC
CONFIRM
videolan — vlc_media_player
 
The GetUpdateFile function in misc/update.c in the Updater in VideoLAN VLC media player before 2.1.6 performs an incorrect cast operation from a 64-bit integer to a 32-bit integer, which allows remote attackers to conduct buffer overflow attacks and execute arbitrary code via a crafted update status file, aka an “integer truncation” vulnerability. 2020-01-24 6.8 CVE-2014-9625
MISC
MISC
CONFIRM
videolan — vlc_media_player
 
The MP4_ReadBox_String function in modules/demux/mp4/libmp4.c in VideoLAN VLC media player before 2.1.6 performs an incorrect cast operation from a 64-bit integer to a 32-bit integer, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large box size. 2020-01-24 6.8 CVE-2014-9627
MISC
MISC
CONFIRM
viewgit — viewgit
 
Multiple cross-site scripting (XSS) vulnerabilities in ViewGit before 0.0.7 allow remote repository users to inject arbitrary web script or HTML via a (1) tag name to the Shortlog table in templates/shortlog.php or branch name to the (2) Shortlog table in templates/shortlog.php or (3) Heads table in plates/summary.php. 2020-01-30 4.3 CVE-2013-2294
CONFIRM
MISC
MISC
MISC
webcalendar_project — webcalendar
 
Local file inclusion in WebCalendar before 1.2.5. 2020-01-27 6.5 CVE-2012-1496
MISC
wiz — wiz
 
Wiz 5.0.3 has a user mode write access violation 2020-01-27 5 CVE-2013-5659
MISC
MISC
wordpress — wordpress
 
Multiple cross-site request forgery (CSRF) vulnerabilities in the Private Only plugin 3.5.1 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add users, (2) delete posts, or (3) modify PHP files via unspecified vectors, or (4) conduct cross-site scripting (XSS) attacks via the po_logo parameter in the privateonly.php page to wp-admin/options-general.php. 2020-01-28 6.8 CVE-2015-5483
MISC
MISC
MISC
wordpress — wordpress
 
WordPress Portable phpMyAdmin Plugin has an authentication bypass vulnerability 2020-01-27 6.4 CVE-2013-4462
MISC
MISC
wordpress — wordpress
 
Cross-site Scripting (XSS) in WordPress podPress Plugin 8.8.10.13 could allow remote attackers to inject arbitrary web script or html via the ‘playerID’ parameter. 2020-01-28 4.3 CVE-2013-2714
BID
wso2 — multiple_products An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect’s URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console, and to add and configure claim dialects. 2020-01-28 4.3 CVE-2019-20436
MISC
MISC
wso2 — multiple_products
 
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. When a custom claim dialect with an XSS payload is configured in the identity provider basic claim configuration, that payload gets executed, if a user picks up that dialect’s URI as the provisioning claim in the advanced claim configuration of the same Identity Provider. The attacker also needs to have privileges to log in to the management console, and to add and update identity provider configurations. 2020-01-28 4.3 CVE-2019-20437
MISC
MISC
zend — zend_mail
 
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email. 2020-01-27 4.3 CVE-2015-3154
CONFIRM
zeuscart — zeuscart
 
Multiple SQL injection vulnerabilities in ZeusCart 4.x. 2020-01-31 6.5 CVE-2014-3868
MISC
MISC
MISC
MISC

Back to top

 

Low Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
N/A — N/A
 
A stored XSS vulnerability is present within node-red (version: <= 0.20.7) npm package, which is a visual tool for wiring the Internet of Things. This issue will allow the attacker to steal session cookies, deface web applications, etc. 2020-01-28 3.5 CVE-2019-15607
MISC
N/A — N/A
 
The Username field in the Storage Service settings of A1 WLAN Box ADB VV2220v2 devices allows stored XSS (after a successful Administrator login). 2020-01-27 3.5 CVE-2020-8090
MISC
bitdefender — bitdefender_av_for_mac
 
An Incorrect Default Permissions vulnerability in the BDLDaemon component of Bitdefender AV for Mac allows an attacker to elevate permissions to read protected directories. This issue affects: Bitdefender AV for Mac versions prior to 8.0.0. 2020-01-27 2.1 CVE-2019-17103
CONFIRM
cisco — multiple_products
 
A vulnerability in the web-based GUI of Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based GUI of an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. 2020-01-26 3.5 CVE-2019-16008
CISCO
cisco — unity_connection_software
 
A vulnerability in the web-based management interface of Cisco Unity Connection Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by providing crafted data to a specific field within the interface. A successful exploit could allow the attacker to store an XSS attack within the interface. This stored XSS attack would then be executed on the system of any user viewing the attacker-supplied data element. 2020-01-26 3.5 CVE-2020-3129
CISCO
dokeos — dokeos
 
Dokeos 2.1.1 has multiple XSS issues involving “extra_” parameters in main/auth/profile.php. 2020-01-29 3.5 CVE-2012-5776
MISC
MISC
fortinet — fortisiem
 
An Improper Neutralization of Input vulnerability in the description and title parameters of a Device Maintenance Schedule in FortiSIEM version 5.2.5 and below may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious JavaScript code into the description field of a Device Maintenance schedule. 2020-01-28 3.5 CVE-2019-17651
CONFIRM
git — git
 
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The –export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=… and it allows overwriting arbitrary paths. 2020-01-24 3.6 CVE-2019-1348
SUSE
REDHAT
MISC
MISC
google — android
 
A spoofing vulnerability exists in the way Microsoft Outlook for Android software parses specifically crafted email messages, aka ‘Outlook for Android Spoofing Vulnerability’. 2020-01-24 3.5 CVE-2019-1460
MISC
havalite — havalite_cms
 
Havalite CMS 1.1.7 has a stored XSS vulnerability 2020-01-29 3.5 CVE-2013-0161
MISC
jenkins — jenkins
 
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret. 2020-01-29 3.5 CVE-2020-2101
MLIST
CONFIRM
jenkins — jenkins
 
Jenkins Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view, resulting in a stored XSS vulnerability exploitable by users able to change job configurations. 2020-01-29 3.5 CVE-2020-2106
MLIST
CONFIRM
jenkins — jenkins
 
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when validating an HMAC. 2020-01-29 3.5 CVE-2020-2102
MLIST
CONFIRM
jetbrains — teamcity
 
JetBrains TeamCity before 2019.2 was vulnerable to a stored XSS attack by a user with the developer role. 2020-01-30 3.5 CVE-2020-7910
MISC
CONFIRM
linux — Linux_kernel
 
fs/namei.c in the Linux kernel before 5.5 has a may_create_in_sticky use-after-free, which allows local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9. One attack vector may be an open system call for a UNIX domain socket, if the socket is being moved to a new parent directory and its old parent directory is being removed. 2020-01-29 3.6 CVE-2020-8428
MLIST
MLIST
MISC
MISC
MISC
linux — linux_kernel
 
In the Linux kernel before 5.3.4, fib6_rule_lookup in net/ipv6/ip6_fib.c mishandles the RT6_LOOKUP_F_DST_NOREF flag in a reference-count decision, leading to (for example) a crash that was identified by syzkaller, aka CID-7b09c2d052db. 2020-01-27 2.1 CVE-2019-20422
MISC
MISC
microsoft — multiple_windows_products
 
An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks, aka ‘Windows User Profile Service Elevation of Privilege Vulnerability’. 2020-01-24 3.6 CVE-2019-1454
MISC
netapp — e-series_santricity_os_controller_software
 
E-Series SANtricity OS Controller Software version 11.60.0 is susceptible to a vulnerability which allows an attacker to cause a Denial of Service (DoS) in IPv6 environments. 2020-01-30 3.3 CVE-2019-17273
CONFIRM
ossec — ossec-hids
 
In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to path traversal (with write access) via crafted syscheck messages written directly to the analysisd UNIX domain socket by a local user. 2020-01-30 2.1 CVE-2020-8446
MISC
MISC
MISC
ossec — ossec-hids
 
In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to a denial of service (NULL pointer dereference) via crafted messages written directly to the analysisd UNIX domain socket by a local user. 2020-01-30 2.1 CVE-2020-8448
MISC
MISC
MISC
simplesamlphp — simplesamlphp
 
Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script allows error reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a wrapper of an external dependency. This new wrapper allows us to use Twig templates in order to create the email sent with an error report. Since Twig provides automatic escaping of variables, manual escaping of the free-text field in www/errorreport.php was removed to avoid double escaping. However, for those not using the new user interface yet, an email template is hardcoded into the class itself in plain PHP. Since no escaping is provided in this template, it is then possible to inject HTML inside the template by manually crafting the contents of the free-text field. 2020-01-24 3.5 CVE-2020-5226
CONFIRM
MISC
suse — linux_enterprise_server
 
The permission package in SUSE Linux Enterprise Server allowed all local users to run dumpcap in the “easy” permission profile and sniff network traffic. This issue affects: SUSE Linux Enterprise Server permissions versions starting from 85c83fef7e017f8ab7f8602d3163786d57344439 to 081d081dcfaf61710bda34bc21c80c66276119aa. 2020-01-24 1.9 CVE-2019-3687
CONFIRM
suse — networkmanager
 
NetworkManager 0.9.x does not pin a certificate’s subject to an ESSID when 802.11X authentication is used. 2020-01-27 3.2 CVE-2006-7246
MISC
MISC
MISC
MISC
synacor — zimbra_collaboration
 
Zimbra Collaboration before 8.6.0 patch5 has XSS. 2020-01-27 3.5 CVE-2015-2249
CONFIRM
synacor — zimbra_collaboration
 
Zimbra Collaboration before 8.8.12 Patch 1 has persistent XSS. 2020-01-27 3.5 CVE-2019-11318
MISC
MISC
MISC
MISC
synacor — zimbra_collaboration
 
Zimbra Collaboration before 8.8.15 Patch 1 is vulnerable to a non-persistent XSS via the Admin Console. 2020-01-27 3.5 CVE-2019-12427
MISC
MISC
MISC
virgl — virglrenderer
 
A double-free vulnerability in vrend_renderer.c in virglrenderer through 0.8.1 allows attackers to cause a denial of service by triggering texture allocation failure, because vrend_renderer_resource_allocated_texture is not an appropriate place for a free. 2020-01-27 2.1 CVE-2020-8003
MISC
MISC
MISC
MISC
virgl — virglrenderer
 
A NULL pointer dereference in vrend_renderer.c in virglrenderer through 0.8.1 allows attackers to cause a denial of service via commands that attempt to launch a grid without previously providing a Compute Shader (CS). 2020-01-27 2.1 CVE-2020-8002
MISC
MISC
MISC
wordpress — wordpress
 
Pinboard 1.0.6 theme for WordPress has XSS. 2020-01-27 3.5 CVE-2013-0286
MISC
wordpress — wordpress
 
The Elementor plugin before 2.8.5 for WordPress suffers from a reflected XSS vulnerability on the elementor-system-info page. These can be exploited by targeting an authenticated user. 2020-01-28 3.5 CVE-2020-8426
MISC
MISC
MISC
wowza_media_systems — wowza_streaming_engine
 
Wowza Streaming Engine 4.7.7 and 4.7.8 suffers from multiple authenticated XSS vulnerabilities via the (1) customList%5B0%5D.value field in enginemanager/server/serversetup/edit_adv.htm of the Server Setup configuration or the (2) host field in enginemanager/j_spring_security_check of the login form. 2020-01-29 3.5 CVE-2019-7655
MISC
MISC
wso2 — api_manager
 
An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Datasource creation page of the Management Console. 2020-01-28 3.5 CVE-2019-20434
MISC
MISC
wso2 — api_manager
 
An issue was discovered in WSO2 API Manager 2.6.0. A reflected XSS attack could be performed in the inline API documentation editor page of the API Publisher by sending an HTTP GET request with a harmful docName request parameter. 2020-01-28 3.5 CVE-2019-20435
MISC
MISC
wso2 — api_manager
 
An issue was discovered in WSO2 API Manager 2.6.0. A potential stored Cross-Site Scripting (XSS) vulnerability has been identified in the inline API documentation editor page of the API Publisher. 2020-01-28 3.5 CVE-2019-20438
MISC
MISC
wso2 — api_manager
 
An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in defining a scope in the “manage the API” page of the API Publisher. 2020-01-28 3.5 CVE-2019-20439
MISC
MISC
wso2 — api_manager
 
An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the update API documentation feature of the API Publisher. 2020-01-28 3.5 CVE-2019-20440
MISC
MISC
wso2 — api_manager
 
An issue was discovered in WSO2 API Manager 2.6.0. A potential Stored Cross-Site Scripting (XSS) vulnerability has been identified in the ‘implement phase’ of the API Publisher. 2020-01-28 3.5 CVE-2019-20441
MISC
MISC
wso2 — multiple_products
 
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in mediaType has been identified in the registry UI. 2020-01-28 3.5 CVE-2019-20443
MISC
MISC
wso2 — multiple_products
 
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in roleToAuthorize has been identified in the registry UI. 2020-01-28 3.5 CVE-2019-20442
MISC
MISC

Back to top

 

Severity Not Yet Assigned

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
abrt — abrt
 
ABRT might allow attackers to obtain sensitive information from crash reports. 2020-01-31 not yet calculated CVE-2011-4088
MISC
MISC
adobe — acrobat_and_reader
 
Adobe Acrobat and Reader versions , 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution . 2020-01-28 not yet calculated CVE-2019-8257
CONFIRM
adobe — acrobat_and_reader
 
Adobe Acrobat and Reader versions 2019.010.20064 and earlier, 2019.010.20064 and earlier, 2017.011.30110 and earlier version, and 2015.006.30461 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution. 2020-01-28 not yet calculated CVE-2019-7131
CONFIRM
aircrack-ng — aircrack-ng
 
Stack-based buffer overflow in the gps_tracker function in airodump-ng.c in Aircrack-ng before 1.2 RC 1 allows local users to execute arbitrary code or gain privileges via unspecified vectors. 2020-01-31 not yet calculated CVE-2014-8321
CONFIRM
MISC
MISC
CONFIRM
MISC
aircrack-ng — aircrack-ng
 
Stack-based buffer overflow in the tcp_test function in aireplay-ng.c in Aircrack-ng before 1.2 RC 1 allows remote attackers to execute arbitrary code via a crafted length parameter value. 2020-01-31 not yet calculated CVE-2014-8322
CONFIRM
MISC
MISC
MISC
CONFIRM
MISC
alcatel-lucent — 1830_photonic_service_switch Cross-site scripting (XSS) vulnerability in the management interface in Alcatel-Lucent 1830 Photonic Service Switch (PSS) 6.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the myurl parameter to menu/pop.html. 2020-01-31 not yet calculated CVE-2014-3809
MISC
apache — jackrabbit_oak
 
The optional initial password change and password expiration features present in Apache Jackrabbit Oak 1.2.0 to 1.22.0 are prone to a sensitive information disclosure vulnerability. The code mandates the changed password to be passed as an additional attribute to the credentials object but does not remove it upon processing during the first phase of the authentication. In combination with additional, independent authentication mechanisms, this may lead to the new password being disclosed. 2020-01-28 not yet calculated CVE-2020-1940
MLIST
MLIST
MLIST
MLIST
MLIST
MLIST
MISC
MLIST
aroxsolution — school_management_software_php/mysql
 
School Management Software PHP/mySQL through 2019-03-14 allows office_admin/?action=deleteadmin CSRF to delete a user. 2020-01-31 not yet calculated CVE-2020-8505
MISC
aroxsolution — school_management_software_php/mysql
 
School Management Software PHP/mySQL through 2019-03-14 allows office_admin/?action=addadmin CSRF to add an administrative user. 2020-01-31 not yet calculated CVE-2020-8504
MISC
aruba — airwave_management_platform
 
A vulnerability exists in the Aruba AirWave Management Platform 8.x prior to 8.2 in the management interface of an underlying system component called RabbitMQ, which could let a malicious user obtain sensitive information. This interface listens on TCP port 15672 and 55672 2020-01-31 not yet calculated CVE-2016-2032
MISC
MISC
MISC
MISC
aruba — clearpass_policy_manager
 
Multiple vulnerabilities exist in Aruba ClearPass Policy Manager up to 6.5.6 and 6.6.0 includes SQL injection issues, unauthenticated arbitrary file read via XXE, remote root command execution, and elevated privilege issues. 2020-01-31 not yet calculated CVE-2016-2033
CONFIRM
aruba — instate
 
Multiple vulnerabilities exists in Aruba Instate before 4.1.3.0 and 4.2.3.1 due to insufficient validation of user-supplied input and insufficient checking of parameters, which could allow a malicious user to bypass security restrictions, obtain sensitive information, perform unauthorized actions and execute arbitrary code. 2020-01-31 not yet calculated CVE-2016-2031
MISC
MISC
MISC
MISC
belkin — wemo_switch Belkin Wemo Switch before WeMo_US_2.00.2176.PVT could allow remote attackers to upload arbitrary files onto the system. 2020-01-28 not yet calculated CVE-2013-2748
EXPLOIT-DB
BID
XF
belkin_wemo_insight_switch
 
A Stack-based Buffer Overflow vulnerability in libbelkin_api.so component of Belkin WeMo Insight Switch firmware allows a local attacker to obtain code execution on the device. This issue affects: Belkin WeMo Insight Switch firmware version 2.00.11396 and prior versions. 2020-01-27 not yet calculated CVE-2019-17094
CONFIRM
biscom — biscom_secure_file_transfer
 
Biscom Secure File Transfer (SFT) 5.0.1050 through 5.1.1067 and 6.0.1000 through 6.0.1003 allows Insecure Direct Object Reference (IDOR) by an authenticated sender because of an error in a file-upload feature. This is fixed in 5.1.1068 and 6.0.1004. 2020-01-31 not yet calculated CVE-2020-8503
MISC
bitdefender — bitdefender_antivirus_for_mac
 
A privilege escalation vulnerability in BDLDaemon as used in Bitdefender Antivirus for Mac allows a local attacker to obtain authentication tokens for requests submitted to the Bitdefender Cloud. This issue affects: Bitdefender Bitdefender Antivirus for Mac versions prior to 8.0.0. 2020-01-30 not yet calculated CVE-2020-8092
MISC
bitdefender — bitdefender_antivirus_for_mac
 
A vulnerability in the AntivirusforMac binary as used in Bitdefender Antivirus for Mac allows an attacker to inject a library using DYLD environment variable to cause third-party code execution 2020-01-30 not yet calculated CVE-2020-8093
MISC
bitdefender — bitdefender_total_security_2020
 
A vulnerability in the improper handling of junctions before deletion in Bitdefender Total Security 2020 can allow an attacker to to trigger a denial of service on the affected device. 2020-01-30 not yet calculated CVE-2020-8095
CONFIRM
bitdefender — box_2
 
An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method `/api/update_setup` does not perform firmware signature checks atomically, leading to an exploitable race condition (TOCTTOU) that allows arbitrary execution of system commands. This issue affects: Bitdefender Bitdefender BOX 2 versions prior to 2.1.47.36. 2020-01-27 not yet calculated CVE-2019-17102
CONFIRM
bitdefender — total_security_2020
 
An Untrusted Search Path vulnerability in bdserviceshost.exe as used in Bitdefender Total Security 2020 allows an attacker to execute arbitrary code. This issue does not affect: Bitdefender Total Security versions prior to 24.0.12.69. 2020-01-27 not yet calculated CVE-2019-17100
MISC
c-lightning — c-lightning
 
c-lightning before 0.7.1 allows attackers to trigger loss of funds because of Incorrect Access Control. NOTE: README.md states “It can be used for testing, but it should not be used for real funds.” 2020-01-31 not yet calculated CVE-2019-12998
MISC
CONFIRM
cisco — ios_xr_software
 
A vulnerability in the implementation of Border Gateway Protocol (BGP) Ethernet VPN (EVPN) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to incorrect processing of a BGP update message that contains crafted EVPN attributes. An attacker could indirectly exploit the vulnerability by sending BGP EVPN update messages with a specific, malformed attribute to an affected system and waiting for a user on the device to display the EVPN operational routes&rsquo; status. If successful, the attacker could cause the BGP process to restart unexpectedly, resulting in a DoS condition. The Cisco implementation of BGP accepts incoming BGP traffic only from explicitly defined peers. To exploit this vulnerability, the malicious BGP update message would need to come from a configured, valid BGP peer, or would need to be injected by the attacker into the victim’s BGP network on an existing, valid TCP connection to a BGP peer. 2020-01-26 not yet calculated CVE-2019-16018
CISCO
com.puppycrawl.tools:checkstyle — com.puppycrawl.tools:checkstyle
 
All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulnerable to XML External Entity (XXE) Injection due to an incomplete fix for CVE-2019-9658. 2020-01-30 not yet calculated CVE-2019-10782
MISC
cups_easy — cups_easy_purchase_&_inventory
 
Cups Easy (Purchase & Inventory) 1.0 is vulnerable to CSRF that leads to admin account deletion via userdelete.php. 2020-01-28 not yet calculated CVE-2020-8425
MISC
MISC
cups_easy — cups_easy_purchase_&_inventory
 
Cups Easy (Purchase & Inventory) 1.0 is vulnerable to CSRF that leads to admin account takeover via passwordmychange.php. 2020-01-28 not yet calculated CVE-2020-8424
MISC
MISC
cysharp — messagepack_for_c#_and_unity
 
MessagePack for C# and Unity before version 1.9.3 and 2.1.80 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps. 2020-01-31 not yet calculated CVE-2020-5234
MISC
CONFIRM
d-link — multiple_cameras An Authentication Bypass vulnerability exists in upnp/asf-mp4.asf when streaming live video in D-Link TESCO DCS-2121 1.05_TESCO, TESCO DCS-2102 1.05_TESCO, DCS-2121 1.06_FR, 1.06, and 1.05_RU, DCS-2102 1.06_FR. 1.06, and 1.05_RU, which could let a malicious user obtain sensitive information. 2020-01-28 not yet calculated CVE-2013-1600
MISC
MISC
MISC
MISC
MISC
d-link — multiple_ip_cameras An Authentication vulnerability exists in D-LINK WCS-1100 1.02, TESCO DCS-2121 1.05_TESCO, TESCO DCS-2102 1.05_TESCO, DCS-7510 1.00, DCS-7410 1.00, DCS-6410 1.00, DCS-5635 1.01, DCS-5605 1.01, DCS-5230L 1.02, DCS-5230 1.02, DCS-3430 1.02, DCS-3411 1.02, DCS-3410 1.02, DCS-2121 1.06_FR, DCS-2121 1.06, DCS-2121 1.05_RU, DCS-2102 1.06_FR, DCS-2102 1.06, DCS-2102 1.05_RU, DCS-1130L 1.04, DCS-1130 1.04_US, DCS-1130 1.03, DCS-1100L 1.04, DCS-1100 1.04_US, and DCS-1100 1.03 due to hard-coded credentials that serve as a backdoor, which allows remote attackers to access the RTSP video stream. 2020-01-28 not yet calculated CVE-2013-1603
MISC
MISC
MISC
MISC
MISC
d-link — multiple_ip_cameras A Command Injection vulnerability exists in the /var/www/cgi-bin/rtpd.cgi script in D-Link IP Cameras DCS-3411/3430 firmware 1.02, DCS-5605/5635 1.01, DCS-1100L/1130L 1.04, DCS-1100/1130 1.03, DCS-1100/1130 1.04_US, DCS-2102/2121 1.05_RU, DCS-3410 1.02, DCS-5230 1.02, DCS-5230L 1.02, DCS-6410 1.00, DCS-7410 1.00, DCS-7510 1.00, and WCS-1100 1.02, which could let a remote malicious user execute arbitrary commands through the camera?s web interface. 2020-01-28 not yet calculated CVE-2013-1599
MISC
MISC
MISC
MISC
FULLDISC
MISC
d-link — multiple_ip_cameras An Information Disclosure vulnerability exists due to a failure to restrict access on the lums.cgi script when processing a live video stream in D-LINK An Information Disclosure vulnerability exists due to a failure to restrict access on the lums.cgi script when processing a live video stream in D-LINK WCS-1100 1.02, TESCO DCS-2121 1.05_TESCO, TESCO DCS-2102 1.05_TESCO, DCS-7510 1.00, DCS-7410 1.00, DCS-6410 1.00, DCS-5635 1.01, DCS-5605 1.01, DCS-5230L 1.02, DCS-5230 1.02, DCS-3430 1.02, DCS-3411 1.02, DCS-3410 1.02, DCS-2121 1.06_FR, DCS-2121 1.06, DCS-2121 1.05_RU, DCS-2102 1.06_FR, DCS-2102 1.06, DCS-2102 1.05_RU, DCS-1130L 1.04, DCS-1130 1.04_US, DCS-1130 1.03, DCS-1100L 1.04, DCS-1100 1.04_US, and DCS-1100 1.03, which could let a malicious user obtain sensitive information. which could let a malicious user obtain sensitive information. 2020-01-28 not yet calculated CVE-2013-1601
MISC
MISC
MISC
MISC
MISC
d-link — multiple_ip_cameras An Information Disclosure vulnerability exists due to insufficient validation of authentication cookies for the RTSP session in D-Link DCS-5635 1.01, DCS-1100L 1.04, DCS-1130L 1.04, DCS-1100 1.03/1.04_US, DCS-1130 1.03/1.04_US , DCS-2102 1.05_RU/1.06/1.06_FR/1.05_TESCO, DCS-2121 1.05_RU/1.06/1.06_FR/1.05_TESCO, DCS-3410 1.02, DCS-5230 1.02, DCS-5230L 1.02, DCS-6410 1.0, DCS-7410 1.0, DCS-7510 1.0, and WCS-1100 1.02, which could let a malicious user obtain unauthorized access to video streams. 2020-01-28 not yet calculated CVE-2013-1602
MISC
MISC
MISC
MISC
das_u-boot — das_u-bootN/A
 
In Das U-Boot through 2020.01, a double free has been found in the cmd/gpt.c do_rename_gpt_parts() function. Double freeing may result in a write-what-where condition, allowing an attacker to execute arbitrary code. NOTE: this vulnerablity was introduced when attempting to fix a memory leak identified by static analysis. 2020-01-29 not yet calculated CVE-2020-8432
MISC
MISC
draytek — multiple_devices
 
DrayTek Vigor2960 1.3.1_Beta; Vigor3900 1.4.4_Beta; and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. 2020-02-01 not yet calculated CVE-2020-8515
MISC
drupal — drupal The Login Security module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.3 for Drupal allows attackers to bypass intended restrictions via a crafted username. 2020-01-30 not yet calculated CVE-2013-2198
MISC
CONFIRM
CONFIRM
CONFIRM
drupal — drupal The Flippy module 7.x-1.x before 7.x-1.2 for Drupal does not properly restrict access to nodes, which allows remote authenticated users with the permission to access content to read a link or alias to a restricted node. 2020-01-30 not yet calculated CVE-2013-4187
MISC
MISC
MISC
CONFIRM
MISC
drupal — drupal
 
Cross-site scripting (XSS) vulnerability in vwrooms/js/jsor-jcarousel/examples/special_textscroller.php in the VideoWhisper Webcam plugins for Drupal 7.x allows remote attackers to inject arbitrary web script or HTML via a URL to a crafted SVG file in the feed parameter. 2020-01-31 not yet calculated CVE-2014-8338
MISC
MISC
eclair — eclair
 
Eclair through 0.3 allows attackers to trigger loss of funds because of Incorrect Access Control. NOTE: README.md states “it is beta-quality software and don’t put too much money in it.” 2020-01-31 not yet calculated CVE-2019-13000
MISC
MISC
CONFIRM
edk2 — unified_extensible_firmware_interface Integer overflow in the Drive Execution Environment (DXE) phase in the Capsule Update feature in the UEFI implementation in EDK2 allows physically proximate attackers to bypass intended access restrictions via crafted data. 2020-01-31 not yet calculated CVE-2014-4859
MISC
edk2 — unified_extensible_firmware_interface Multiple integer overflows in the Pre-EFI Initialization (PEI) boot phase in the Capsule Update feature in the UEFI implementation in EDK2 allow physically proximate attackers to bypass intended access restrictions by providing crafted data that is not properly handled during the coalescing phase. 2020-01-31 not yet calculated CVE-2014-4860
MISC
ensdomains — ens
 
A user who owns an ENS domain can set a trapdoor, allowing them to transfer ownership to another user, and later regain ownership without the new owners consent or awareness. A new ENS deployment is being rolled out that fixes this vulnerability in the ENS registry. 2020-01-31 not yet calculated CVE-2020-5232
MISC
CONFIRM
eucalyptus — eucalyptus_management_console Cross-site scripting (XSS) vulnerability in Eucalyptus Management Console (EMC) 4.0.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2020-01-31 not yet calculated CVE-2014-5039
CONFIRM
evernote — evernote Evernote before 5.5.1 has insecure PIN storage 2020-01-31 not yet calculated CVE-2013-5112
MISC
MISC
evernote — evernote Evernote prior to 5.5.1 has insecure password change 2020-01-31 not yet calculated CVE-2013-5116
MISC
MISC
MISC
feedgen — feedgen
 
Feedgen (python feedgen) before 0.9.0 is susceptible to XML Denial of Service attacks. The *feedgen* library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial of Service Attacks (e.g. XML Bomb). This becomes a concern in particular if feedgen is used to include content from untrused sources and if XML (including XHTML) is directly included instead of providing plain tex content only. This problem has been fixed in feedgen 0.9.0 which disallows XML entity expansion and external resources. 2020-01-28 not yet calculated CVE-2020-5227
MISC
MISC
CONFIRM
fish-shell — fish-shell fish (aka fish-shell) 2.0.0 before 2.1.1 does not restrict access to the configuration service (aka fish_config), which allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by set_prompt. 2020-01-28 not yet calculated CVE-2014-2914
MISC
CONFIRM
fish-shell — fish-shell The funced function in fish (aka fish-shell) 1.23.0 before 2.1.1 does not properly create temporary files, which allows local users to gain privileges via a temporary file with a predictable name. 2020-01-28 not yet calculated CVE-2014-3856
MISC
CONFIRM
MISC
fish-shell — fish-shell The psub function in fish (aka fish-shell) 1.16.0 before 2.1.1 does not properly create temporary files, which allows local users to execute arbitrary commands via a temporary file with a predictable name. 2020-01-28 not yet calculated CVE-2014-2906
MISC
MISC
CONFIRM
foscam — ip_camera_fi8620 An Access vulnerability exists in FOSCAM IP Camera FI8620 due to insufficient access restrictions in the /tmpfs/ and /log/ directories, which could let a malicious user obtain sensitive information. 2020-01-29 not yet calculated CVE-2013-2574
MISC
MISC
MISC
MISC
MISC
fuji_xerox — awms_mobile_app
 
The AWMS Mobile App for Android 2.0.0 to 2.0.5 and for iOS 2.0.0 to 2.0.8 does not verify X.509 certificates from servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 2020-01-31 not yet calculated CVE-2020-5526
MISC
MISC
fusionauth — fusionauth
 
An issue was discovered in FusionAuth before 1.11.0. An authenticated user, allowed to edit e-mail templates (Home -> Settings -> Email Templates) or themes (Home -> Settings -> Themes), can execute commands on the underlying operating system by abusing freemarker.template.utility.Execute in the Apache FreeMarker engine that processes custom templates. 2020-01-28 not yet calculated CVE-2020-7799
MISC
MISC
MISC
BUGTRAQ
gemalto — gemalto_tokend Gemalto Tokend 2013 has an Arbitrary File Creation/Overwrite Vulnerability 2020-01-30 not yet calculated CVE-2013-1867
MISC
MISC
git — git
 
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as “WSL”) while accessing a working directory on a regular Windows drive, none of the NTFS protections were active. 2020-01-24 not yet calculated CVE-2019-1353
SUSE
MISC
MISC
git-extras — git-extras The git-changelog utility in git-extras 1.7.0 allows local users to overwrite arbitrary files via a symlink attack on (1) /tmp/changelog or (2) /tmp/.git-effort. 2020-01-28 not yet calculated CVE-2012-6114
MISC
MISC
MISC
gitlab — ce/ee An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new merge requests endpoint to disclose label names. 2020-01-28 not yet calculated CVE-2019-5466
MISC
MISC
MISC
gitlab — ce/ee
 
An information disclosure issue was discovered in GitLab CE/EE 8.14 and later, by using the move issue feature which could result in disclosure of the newly created issue ID. 2020-01-28 not yet calculated CVE-2019-5465
MISC
MISC
MISC
gitlab — ee
 
An authorization issue was discovered in GitLab EE < 12.1.2, < 12.0.4, and < 11.11.6 allowing the merge request approval rules to be overridden without appropriate permissions. 2020-01-28 not yet calculated CVE-2019-5474
MISC
MISC
MISC
gitlab — gitlab The parse_cmd function in lib/gitlab_shell.rb in GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, and Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allows remote authenticated users to gain privileges and clone arbitrary repositories. 2020-01-28 not yet calculated CVE-2013-4583
MISC
MISC
MISC
gitlab — gitlab The (1) create_branch, (2) create_tag, (3) import_project, and (4) fork_project functions in lib/gitlab_projects.rb in GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allows remote authenticated users to include information from local files into the metadata of a Git repository via the web interface. 2020-01-28 not yet calculated CVE-2013-4582
MISC
MISC
MISC
gitlab — gitlab
 
An privilege escalation issue was discovered in Gitlab versions < 12.1.2, < 12.0.4, and < 11.11.6 when Mattermost slash commands are used with a blocked account. 2020-01-28 not yet calculated CVE-2019-5468
MISC
MISC
MISC
hashicorp — consul_and_consul_enterprise HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3. 2020-01-31 not yet calculated CVE-2020-7219
MISC
MISC
hashicorp — consul_and_consul_enterprise
 
HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3. 2020-01-31 not yet calculated CVE-2020-7955
MISC
MISC
hashicorp — nomad_and_nomad_enterprise
 
HashiCorp Nomad and Nomad Enterprise before 0.10.3 allow unbounded resource usage. 2020-01-31 not yet calculated CVE-2020-7218
MISC
MISC
hashicorp — nomad_and_nomad_enterprise
 
HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Fixed in 0.10.3. 2020-01-31 not yet calculated CVE-2020-7956
MISC
MISC
hp — intel-based_business_pcs
 
A potential security vulnerability with pre-boot DMA may allow unauthorized UEFI code execution using open-case attacks. This industry-wide issue requires physically accessing internal expansion slots with specialized hardware and software tools to modify UEFI code in memory. This affects HP Intel-based Business PCs that support Microsoft Windows 10 Kernel DMA protection. Affected versions depend on platform (prior to 01.04.02; or prior to 02.04.01; or prior to 02.04.02). 2020-01-31 not yet calculated CVE-2019-18913
CONFIRM
htcondor — mrg_grid
 
The scheduler in HTCondor before 8.2.6 allows remote authenticated users to execute arbitrary code. 2020-01-31 not yet calculated CVE-2014-8126
MISC
MISC
MISC
MISC
ibm — watson_iot_message_gateway
 
IBM Watson IoT Message Gateway 2.0.0.x, 5.0.0.0, 5.0.0.1, and 5.0.0.2 is vulnerable to a buffer overflow, caused by improper bounds checking when handling a failed HTTP request with specific content in the headers. By sending a specially crafted HTTP request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service. IBM X-Force ID: 174972. 2020-01-28 not yet calculated CVE-2020-4207
XF
CONFIRM
ibm — websphere_application_server
 
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available memory. IBM X-Force ID: 172125. 2020-01-31 not yet calculated CVE-2019-4720
XF
CONFIRM
idelji — web_viewpoint_and_web_viewpoint_plus_and_web_viewpoint_enterprise
 
An issue was discovered in Idelji Web ViewPoint H01ABO-H01BY and L01ABP-L01ABZ, Web ViewPoint Plus H01AAG-H01AAQ and L01AAH-L01AAR, and Web ViewPoint Enterprise H01-H01AAE and L01-L01AAF. By reading ADB or AADB file content within the Installation subvolume, a Guardian user can discover the password of the group.user or alias who acknowledges events from the WVP Events screen. 2020-01-27 not yet calculated CVE-2019-19539
CONFIRM

info-zip — unzip

Heap-based buffer overflow in the test_compr_eb function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command. 2020-01-31 not yet calculated CVE-2014-8140
MISC
MISC
MISC
MISC
info-zip — unzip
 
Heap-based buffer overflow in the CRC32 verification in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command. 2020-01-31 not yet calculated CVE-2014-8139
MISC
MISC
MISC
MISC
info-zip — unzip
 
Heap-based buffer overflow in the getZip64Data function in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute arbitrary code via a crafted zip file in the -t command argument to the unzip command. 2020-01-31 not yet calculated CVE-2014-8141
MISC
MISC
MISC
MISC
infoware — mapsuite mapapi Cross-site scripting (XSS) vulnerability in infoware MapSuite MapAPI 1.0.x before 1.0.36 and 1.1.x before 1.1.49 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2020-01-31 not yet calculated CVE-2014-2843
MISC
MISC
MISC
intel — multiple_intel_processors
 
Cleanup errors in some data cache evictions for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. 2020-01-28 not yet calculated CVE-2020-0549
CONFIRM
intel — multiple_intel_processors
 
Cleanup errors in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. 2020-01-28 not yet calculated CVE-2020-0548
CONFIRM
intergraph_corporation — erdas_er_viewer
 
ERDAS ER Viewer 13.0 has dwmapi.dll and irml.dll libraries arbitrary code execution vulnerabilities 2020-01-30 not yet calculated CVE-2013-0725
MISC
MISC
israeli_ex_libris — aleph_500 Multiple SQL injection vulnerabilities in cgi-bin/review_m.cgi in Ex Libris ALEPH 500 (Integrated library management system) 18.1 and 20 allow remote attackers to execute arbitrary SQL commands via the (1) find, (2) lib, or (3) sid parameter. 2020-01-30 not yet calculated CVE-2014-3719
MISC
MISC
israeli_ex_libris — aleph_500 Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/tag_m.cgi in Ex Libris ALEPH 500 (Integrated library management system) 18.1 and 20 allow remote attackers to inject arbitrary web script or HTML via the (1) find, (2) lib, or (3) sid parameter. 2020-01-30 not yet calculated CVE-2014-3718
MISC
MISC
jetbrains — intellij_idea
 
In JetBrains IntelliJ IDEA 2019.2, an XSLT debugger plugin misconfiguration allows arbitrary file read operations over the network. This issue was fixed in 2019.3. 2020-01-31 not yet calculated CVE-2020-7914
MISC
CONFIRM
joomla! — joomla! An issue was discovered in Joomla! before 3.9.15. Missing token checks in the batch actions of various components cause CSRF vulnerabilities. 2020-01-28 not yet calculated CVE-2020-8419
MISC
joomla! — joomla!
 
An issue was discovered in Joomla! before 3.9.15. Inadequate escaping of usernames allows XSS attacks in com_actionlogs. 2020-01-28 not yet calculated CVE-2020-8421
MISC
joomla! — joomla!
 
An issue was discovered in Joomla! before 3.9.15. A missing CSRF token check in the LESS compiler of com_templates causes a CSRF vulnerability. 2020-01-28 not yet calculated CVE-2020-8420
MISC
kronos — kronos_web_time_and_attendance A stored XSS vulnerability in Kronos Web Time and Attendance (webTA) affects 3.8.x and later 3.x versions before 4.0 via multiple input fields (Login Message, Banner Message, and Password Instructions) of the com.threeis.webta.H261configMenu servlet via an authenticated administrator. 2020-01-30 not yet calculated CVE-2020-8493
MISC
MISC
kronos — kronos_web_time_and_attendance
 
In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions before 4.0, the com.threeis.webta.H491delegate servlet allows an attacker with Timekeeper or Supervisor privileges to gain unauthorized administrative privileges within the application via the delegate, delegateRole, and delegatorUserId parameters. 2020-01-30 not yet calculated CVE-2020-8495
MISC
MISC
kronos — kronos_web_time_and_attendance
 
In Kronos Web Time and Attendance (webTA) 4.1.x and later 4.x versions before 5.0, there is a Stored XSS vulnerability by setting the Application Banner input field of the /ApplicationBanner page as an authenticated administrator. 2020-01-30 not yet calculated CVE-2020-8496
MISC
MISC
kronos — kronos_web_time_and_attendance
 
In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions before 4.0, the com.threeis.webta.H402editUser servlet allows an attacker with Timekeeper, Master Timekeeper, or HR Admin privileges to gain unauthorized administrative privileges within the application via the emp_id, userid, pw1, pw2, supervisor, and timekeeper parameters. 2020-01-30 not yet calculated CVE-2020-8494
MISC
MISC
ktor — ktor
 
In Ktor before 1.3.0, request smuggling is possible when running behind a proxy that doesn’t handle Content-Length and Transfer-Encoding properly or doesn’t handle \n as a headers separator. 2020-01-27 not yet calculated CVE-2020-5207
MISC
CONFIRM
liferay — portal_ce
 
In LifeRay Portal CE 7.1.0 through 7.2.1, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results). 2020-01-28 not yet calculated CVE-2020-7934
MISC
lightning_labs — lightning_network_daemon
 
Lightning Network Daemon (lnd) before 0.7 allows attackers to trigger loss of funds because of Incorrect Access Control. 2020-01-31 not yet calculated CVE-2019-12999
MISC
MISC
CONFIRM
linux — linux_kernel
 
In a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory locations from another process in the same guest. This problem is limit to the host running linux kernel 4.10 with a guest running linux kernel 4.16 or later. The problem mainly affects AMD processors but Intel CPUs cannot be ruled out. 2020-01-31 not yet calculated CVE-2019-3016
CONFIRM
CONFIRM
CONFIRM
logmein — lastpass LastPass prior to 2.5.1 allows secure wipe bypass. 2020-01-31 not yet calculated CVE-2013-5114
MISC
MISC
MISC
logmein — lastpass LastPass prior to 2.5.1 has an insecure PIN implementation. 2020-01-31 not yet calculated CVE-2013-5113
MISC
MISC
MISC
lzx_apps — super_file_explorer
 
An arbitrary file upload vulnerability has been discovered in the Super File Explorer app 1.0.1 for iOS. The vulnerability is located in the developer path that is accessible and hidden next to the root path. By default, there is no password set for the FTP or Web UI service. 2020-01-28 not yet calculated CVE-2020-7998
MISC
MISC
manageengine — desktopcentral Unrestricted file upload vulnerability in AgentLogUploadServlet in ManageEngine DesktopCentral 7.x and 8.0.0 before build 80293 allows remote attackers to execute arbitrary code by uploading a file with a jsp extension, then accessing it via a direct request to the file in the webroot. 2020-01-27 not yet calculated CVE-2013-7390
MISC
MISC
mediawiki — mediawiki
 
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML. 2020-01-27 not yet calculated CVE-2014-9481
MISC
MISC
CONFIRM
MISC
micasaverde — veralite The HomeAutomationGateway service in MiCasaVerde VeraLite with firmware 1.5.408 allows (1) remote attackers to execute arbitrary Lua code via a RunLua action in a request to upnp/control/hag on port 49451 or (2) remote authenticated users to execute arbitrary Lua code via a RunLua action in a request to port_49451/upnp/control/hag. 2020-01-28 not yet calculated CVE-2013-4863
MISC
MISC
MISC
micasaverde — veralite MiCasaVerde VeraLite with firmware 1.5.408 does not properly restrict access, which allows remote authenticated users to (1) update the firmware via the squashfs parameter to upgrade_step2.sh or (2) obtain hashed passwords via the cgi-bin/cmh/backup.sh page. 2020-01-28 not yet calculated CVE-2013-4862
MISC
MISC
MISC
micasaverde — veralite Directory traversal vulnerability in cgi-bin/cmh/get_file.sh in MiCasaVerde VeraLite with firmware 1.5.408 allows remote authenticated users to read arbirary files via a .. (dot dot) in the filename parameter. 2020-01-28 not yet calculated CVE-2013-4861
MISC
MISC
MISC
micasaverde — veralite MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to send HTTP requests to intranet servers via the url parameter to cgi-bin/cmh/proxy.sh, related to a Server-Side Request Forgery (SSRF) issue. 2020-01-28 not yet calculated CVE-2013-4864
MISC
MISC
MISC
micasaverde — veralite Cross-site request forgery (CSRF) vulnerability in upgrade_step2.sh in MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to hijack the authentication of users for requests that install arbitrary firmware via the squashfs parameter. 2020-01-28 not yet calculated CVE-2013-4865
MISC
MISC
MISC
motu — motu_avb_devices
 
AVB MOTU devices through 2020-01-22 allow /.. Directory Traversal, as demonstrated by reading the /etc/passwd file. 2020-01-27 not yet calculated CVE-2020-8009
MISC
multiple_vendors — multiple_bios_implementations
 
The System Management Mode (SMM) implementation in Dell Latitude E6430 BIOS Revision A09, HP EliteBook 850 G1 BIOS revision L71 Ver. 01.09, and possibly other BIOS implementations does not ensure that function calls operate on SMRAM memory locations, which allows local users to bypass the Secure Boot protection mechanism and gain privileges by leveraging write access to physical memory. 2020-01-30 not yet calculated CVE-2015-0949
MISC
multiple_vendors — multiple_realtek_sdk_based_routers
 
A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) allows remote attackers to retrieve the configuration, including sensitive data (usernames and passwords). This affects TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0; Rutek RTK 11N AP through 2019-12-12; Sapido GR297n through 2019-12-12; CIK TELECOM MESH ROUTER through 2019-12-12; KCTVJEJU Wireless AP through 2019-12-12; Fibergate FGN-R2 through 2019-12-12; Hi-Wifi MAX-C300N through 2019-12-12; HCN MAX-C300N through 2019-12-12; T-broad GN-866ac through 2019-12-12; Coship EMTA AP through 2019-12-12; and IO-Data WN-AC1167R through 2019-12-12. 2020-01-27 not yet calculated CVE-2019-19822
MISC
MISC
FULLDISC
FULLDISC
MISC
MISC
multiple_vendors — multiple_realtek_sdk_based_routers
 
A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) stores cleartext administrative passwords in flash memory and in a file. This affects TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0; Rutek RTK 11N AP through 2019-12-12; Sapido GR297n through 2019-12-12; CIK TELECOM MESH ROUTER through 2019-12-12; KCTVJEJU Wireless AP through 2019-12-12; Fibergate FGN-R2 through 2019-12-12; Hi-Wifi MAX-C300N through 2019-12-12; HCN MAX-C300N through 2019-12-12; T-broad GN-866ac through 2019-12-12; Coship EMTA AP through 2019-12-12; and IO-Data WN-AC1167R through 2019-12-12. 2020-01-27 not yet calculated CVE-2019-19823
MISC
MISC
FULLDISC
FULLDISC
MISC
MISC
neato — botvac_connected
 
An issue was discovered in Neato Botvac Connected 2.2.0. The GenerateRobotPassword function of the NeatoCrypto library generates insufficiently random numbers for robot secret_key values used for local and cloud authentication/authorization. If an attacker knows the serial number and is able to estimate the time of first provisioning of a robot, he is able to brute force the generated secret_key of the robot. This is because the entropy of the secret_key exclusively relies on these two values, due to not seeding the random generator and using several constant inputs for secret_key computation. Serial numbers are printed on the packaging and equal the MAC address of the robot. 2020-01-27 not yet calculated CVE-2018-19441
MISC
MISC
netapp — oncommand_system_manager NetApp OnCommand System Manager 2.1 and earlier allows remote attackers to inject arbitrary commands in the Halt/Reboot interface. 2020-01-31 not yet calculated CVE-2013-3322
XF
MISC
nethack — nethack
 
In NetHack before 3.6.5, detecting an unknown configuration file option can cause a buffer overflow resulting in a crash or remote code execution/privilege escalation. This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to upload their own configuration files. Users should upgrade to NetHack 3.6.5. 2020-01-28 not yet calculated CVE-2020-5214
CONFIRM
nethack — nethack
 
In NetHack before 3.6.5, too long of a value for the SYMBOL configuration file option can cause a buffer overflow resulting in a crash or remote code execution/privilege escalation. This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to upload their own configuration files. Users should upgrade to NetHack 3.6.5. 2020-01-28 not yet calculated CVE-2020-5213
CONFIRM
nethack — nethack
 
In NetHack before 3.6.5, an extremely long value for the MENUCOLOR configuration file option can cause a buffer overflow resulting in a crash or remote code execution/privilege escalation. This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to upload their own configuration files. Users should upgrade to NetHack 3.6.5. 2020-01-28 not yet calculated CVE-2020-5212
CONFIRM
nethack — nethack
 
In NetHack before 3.6.5, an invalid argument to the -w command line option can cause a buffer overflow resulting in a crash or remote code execution/privilege escalation. This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to influence command line options. Users should upgrade to NetHack 3.6.5. 2020-01-28 not yet calculated CVE-2020-5210
MISC
CONFIRM
nethack — nethack
 
In NetHack before 3.6.5, unknown options starting with -de and -i can cause a buffer overflow resulting in a crash or remote code execution/privilege escalation. This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to influence command line options. Users should upgrade to NetHack 3.6.5. 2020-01-28 not yet calculated CVE-2020-5209
MISC
CONFIRM
nethack — nethack
 
In NetHack before 3.6.5, an invalid extended command in value for the AUTOCOMPLETE configuration file option can cause a buffer overflow resulting in a crash or remote code execution/privilege escalation. This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to upload their own configuration files. Users should upgrade to NetHack 3.6.5. 2020-01-28 not yet calculated CVE-2020-5211
CONFIRM
network_time_protocol — network_time_protocol
 
Directory traversal vulnerability in the save_config function in ntpd in ntp_control.c in NTP before 4.2.8p4, when used on systems that do not use ‘\’ or ‘/’ characters for directory separation such as OpenVMS, allows remote authenticated users to overwrite arbitrary files. 2020-01-28 not yet calculated CVE-2015-7851
MISC
MISC
MISC
node-uuid — node-uuid
 
node-uuid before 1.4.4 uses insufficiently random data to create a GUID, which could make it easier for attackers to have unspecified impact via brute force guessing. 2020-01-30 not yet calculated CVE-2015-8851
MISC
MISC
CONFIRM
CONFIRM
oauth2_proxy — oauth2_proxy
 
OAuth2 Proxy before 5.0 has an open redirect vulnerability. Authentication tokens could be silently harvested by an attacker. This has been patched in version 5.0. 2020-01-30 not yet calculated CVE-2020-5233
MISC
MISC
CONFIRM
open-xchange — open-xchange_app_suite Multiple absolute path traversal vulnerabilities in documentconverter in Open-Xchange (OX) AppSuite before 7.4.2-rev10 and 7.6.x before 7.6.0-rev10 allow remote attackers to read application files via a full pathname in a crafted (1) OLE Object or (2) image in an OpenDocument text file. 2020-01-31 not yet calculated CVE-2014-5236
MISC
MISC
MISC
opencast — opencast
 
Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is problematic especially for popular users like the default `admin` user. This essentially means that for an attacker, it might be feasible to reconstruct a user’s password given access to these hashes. Note that attackers needing access to the hashes means that they must gain access to the database in which these are stored first to be able to start cracking the passwords. The problem is addressed in Opencast 8.1 which now uses the modern and much stronger bcrypt password hashing algorithm for storing passwords. Note, that old hashes remain MD5 until the password is updated. For a list of users whose password hashes are stored using MD5, take a look at the `/user-utils/users/md5.json` REST endpoint. 2020-01-30 not yet calculated CVE-2020-5229
MISC
CONFIRM
opencast — opencast
 
Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1 2020-01-30 not yet calculated CVE-2020-5222
MISC
CONFIRM
opencast — opencast
 
Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape working directories and write files to other locations. In addition, Opencast’s Id.toString(?) vs Id.compact(?) behavior, the latter trying to mitigate some of the file system problems, can cause errors due to identifier mismatch since an identifier may unintentionally change. This issue is fixed in Opencast 7.6 and 8.1. 2020-01-30 not yet calculated CVE-2020-5230
MISC
CONFIRM
opencast — opencast
 
In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name ? implying an admin for a specific course ? users would never expect that this role allows user creation. This issue is fixed in 7.6 and 8.1 which both ship a new default security configuration. 2020-01-30 not yet calculated CVE-2020-5231
MISC
CONFIRM
opencast — opencast
 
Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly handing out public access to events without their knowledge. The problem has been addressed in Opencast 7.6 and 8.1 where the OAI-PMH endpoint is configured to require users with `ROLE_ADMIN` by default. In addition to this, Opencast 9 removes the OAI-PMH publication from the default workflow, making the publication a conscious decision users have to make by updating their workflows. 2020-01-30 not yet calculated CVE-2020-5228
MISC
CONFIRM
opencast — opencast
 
In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication. This problem is fixed in Opencast 7.6 and Opencast 8.1 2020-01-30 not yet calculated CVE-2020-5206
MISC
CONFIRM
openjpeg_2.3.1 — openjpeg_2.3.1N/A
 
opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through 2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a different issue than CVE-2020-6851. 2020-01-28 not yet calculated CVE-2020-8112
MISC
MLIST
opensc — opensc.tokend
 
OpenSC OpenSC.tokend has an Arbitrary File Creation/Overwrite Vulnerability 2020-01-30 not yet calculated CVE-2013-1866
MISC
MISC
ossec — ossec-hids
 
In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to an off-by-one heap-based buffer overflow during the cleaning of crafted syslog msgs (received from authenticated remote agents and delivered to the analysisd processing queue by ossec-remoted). 2020-01-30 not yet calculated CVE-2020-8443
MISC
MISC
MISC
ossec — ossec-hids
 
In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to a use-after-free during processing of ossec-alert formatted msgs (received from authenticated remote agents and delivered to the analysisd processing queue by ossec-remoted). 2020-01-30 not yet calculated CVE-2020-8444
MISC
MISC
MISC
ossec — ossec-hids
 
In OSSEC-HIDS 2.7 through 3.5.0, the OS_CleanMSG function in ossec-analysisd doesn’t remove or encode terminal control characters or newlines from processed log messages. In many cases, those characters are later logged. Because newlines (\n) are permitted in messages processed by ossec-analysisd, it may be possible to inject nested events into the ossec log. Use of terminal control characters may allow obfuscating events or executing commands when viewed through vulnerable terminal emulators. This may be an unauthenticated remote attack for certain types and origins of logged data. 2020-01-30 not yet calculated CVE-2020-8445
MISC
MISC
MISC
ossec — ossec-hids
 
In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to a use-after-free during processing of syscheck formatted msgs (received from authenticated remote agents and delivered to the analysisd processing queue by ossec-remoted). 2020-01-30 not yet calculated CVE-2020-8447
MISC
MISC
MISC
pandora_fms — pandora_fms
 
Pandora FMS ? 7.42 suffers from a remote code execution vulnerability. To exploit the vulnerability, an authenticated user should create a new folder with a “tricky” name in the filemanager. The exploit works when the php-fileinfo extension is disabled on the host system. The attacker must include shell metacharacters in the content type. 2020-01-30 not yet calculated CVE-2019-20050
MISC
perl — perl Parallel::ForkManager module before 1.0.0 for Perl does not properly handle temporary files. 2020-01-31 not yet calculated CVE-2011-4115
MISC
MISC
CONFIRM
perl — perl Eval injection vulnerability in the Module-Metadata module before 1.000015 for Perl allows remote attackers to execute arbitrary Perl code via the $Version value. 2020-01-28 not yet calculated CVE-2013-1437
MISC
MISC
MISC
perl — perl The Batch::BatchRun module 1.03 for Perl does not properly handle temporary files. 2020-01-31 not yet calculated CVE-2011-4117
MISC
MISC
MISC
perl — perl The libwww-perl LWP::Protocol::https module 6.04 through 6.06 for Perl, when using IO::Socket::SSL as the SSL socket class, allows attackers to disable server certificate validation via the (1) HTTPS_CA_DIR or (2) HTTPS_CA_FILE environment variable. 2020-01-28 not yet calculated CVE-2014-3230
MISC
MISC
MISC
MISC
MISC
perl — perl _is_safe in the File::Temp module for Perl does not properly handle symlinks. 2020-01-31 not yet calculated CVE-2011-4116
MISC
MISC
MISC
MISC
MISC
pivotal — pivotal_tc_server_and_pivotal_tc_runtime
 
In Pivotal tc Server, 3.x versions prior to 3.2.19 and 4.x versions prior to 4.0.10, and Pivotal tc Runtimes, 7.x versions prior to 7.0.99.B, 8.x versions prior to 8.5.47.A, and 9.x versions prior to 9.0.27.A, when a tc Runtime instance is configured with the JMX Socket Listener, a local attacker without access to the tc Runtime process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the tc Runtime instance. 2020-01-27 not yet calculated CVE-2019-11288
CONFIRM
polycom — hdx_video_end_points_and_uc_ap Polycom HDX Video End Points before 3.0.4 and UC APL before 2.7.1.J allows remote authenticated users to execute arbitrary commands as demonstrated by a ; (semicolon) to the ping command feature. 2020-01-28 not yet calculated CVE-2012-6610
MISC
MISC
polycom — web_management_interface_g3/hdx_8000_hd Directory traversal vulnerability in a_getlog.cgi in Polycom HDX Video End Points before 3.0.4 and UC APL before 2.7.1.J allows remote attackers to read arbitrary files via a .. (dot dot) in the name parameter. 2020-01-28 not yet calculated CVE-2012-6609
MISC
MISC
prosody — prosody
 
The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed to the is_admin() function. This grants remote entities admin-only functionality if their username matches the username of a local admin. 2020-01-28 not yet calculated CVE-2020-8086
MISC
MISC
CONFIRM
BUGTRAQ
DEBIAN
python — python The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten. 2020-01-28 not yet calculated CVE-2013-1895
MISC
MISC
MISC
MISC
MISC
python — python
 
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. 2020-01-30 not yet calculated CVE-2020-8492
MISC
MISC
MISC
qemu — qemu
 
The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors. 2020-01-31 not yet calculated CVE-2015-6815
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
CONFIRM
CONFIRM
rockwell_automation — arena_simulation_software
 
A maliciously crafted program file opened by an unsuspecting user of Rockwell Automation Arena Simulation Software version 16.00.00 and earlier may result in the limited exposure of information related to the targeted workstation. Rockwell Automation has released version 16.00.01 of Arena Simulation Software to address the reported vulnerabilities. 2020-01-27 not yet calculated CVE-2019-13521
MISC
MISC
rockwell_automation — arena_simulation_software
 
A maliciously crafted program file opened by an unsuspecting user of Rockwell Automation Arena Simulation Software version 16.00.00 and earlier may result in the limited exposure of information related to the targeted workstation. Rockwell Automation has released version 16.00.01 of Arena Simulation Software to address the reported vulnerabilities. 2020-01-27 not yet calculated CVE-2019-13519
MISC
MISC
senior — rubiweb
 
Remote Authentication Bypass in Senior Rubiweb 6.2.34.28 and 6.2.34.37 allows admin access to sensitive information of affected users using vulnerable versions. The attacker only needs to provide the correct URL. 2020-01-31 not yet calculated CVE-2019-19550
CONFIRM
silicon_graphics_international — sgi_tempo
 
SGI Tempo, as used on SGI ICE-X systems, uses weak permissions for certain files, which allows local users to obtain password hashes and possibly other unspecified sensitive information by reading etc/dbdump.db. 2020-01-27 not yet calculated CVE-2014-7303
MISC
MISC
silicon_graphics_international — sgi_tempo
 
SGI Tempo, as used on SGI ICE-X systems, uses weak permissions for certain files, which allows local users to change the permissions of arbitrary files by executing /opt/sgi/sgimc/bin/vx. 2020-01-27 not yet calculated CVE-2014-7302
MISC
MISC
silicon_graphics_international — sgi_tempo
 
SGI Tempo, as used on SGI ICE-X systems, uses weak permissions for certain files, which allows local users to obtain password hashes and possibly other unspecified sensitive information by reading /etc/odapw. 2020-01-27 not yet calculated CVE-2014-7301
MISC
MISC
simplejobscript — simplejobscript
 
controllers/page_apply.php in Simplejobscript.com SJS through 1.66 is prone to unauthenticated Remote Code Execution by uploading a PHP script as a resume. 2020-01-31 not yet calculated CVE-2020-8440
CONFIRM
smc_networks — d3g0804w_d3gnv5m-3.5.1.6.10_ga_devices
 
SMC Networks D3G0804W D3GNV5M-3.5.1.6.10_GA devices allow remote command execution by leveraging access to the Network Diagnostic Tools screen, as demonstrated by an admin login. The attacker must use a Parameter Pollution approach against goform/formSetDiagnosticToolsFmPing by providing the vlu_diagnostic_tools__ping_address parameter twice: once with a shell metacharacter and a command name, and once with a command argument. 2020-01-27 not yet calculated CVE-2020-8087
MISC
solarwinds — n-central
 
SolarWinds N-central before 12.1 SP1 HF5 and 12.2 before SP1 HF2 allows remote attackers to retrieve cleartext domain admin credentials from the Agent & Probe settings, and obtain other sensitive information. The attacker can use a customer ID to self register and read any aspects of the agent/appliance configuration. 2020-01-26 not yet calculated CVE-2020-7984
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
sonalak — verax_nms Verax NMS prior to 2.1.0 has multiple security bypass vulnerabilities 2020-01-30 not yet calculated CVE-2013-1350
MISC
MISC
sonalak — verax_nms Verax NMS prior to 2.1.0 uses an encryption key that is hardcoded in a JAR archive. 2020-01-30 not yet calculated CVE-2013-1352
MISC
MISC
MISC
sonalak — verax_nms Verax NMS prior to 2.10 allows authentication via the encrypted password without knowing the cleartext password. 2020-01-30 not yet calculated CVE-2013-1351
MISC
MISC
MISC
sonalak — verax_nms
 
Verax NMS prior to 2.1.0 leaks connection details when any user executes a Repair Table action 2020-01-30 not yet calculated CVE-2013-1631
MISC
MISC
sudo — sudo
 
In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c. 2020-01-29 not yet calculated CVE-2019-18634
FULLDISC
MLIST
MLIST
MLIST
BUGTRAQ
BUGTRAQ
BUGTRAQ
CONFIRM
DEBIAN
CONFIRM
MISC
suse — linux_enterprise_server_15_obs-service-tar_scm_and_opensuse_factory_obs-service-tar_scm Relative Path Traversal vulnerability in obs-service-tar_scm of SUSE Linux Enterprise Server 15; openSUSE Factory allows remote attackers with control over a repository to overwrite files on the machine of the local user if a malicious service is executed. This issue affects: SUSE Linux Enterprise Server 15 obs-service-tar_scm versions prior to 0.9.2.1537788075.fefaa74:. openSUSE Factory obs-service-tar_scm versions prior to 0.9.2.1537788075.fefaa74. 2020-01-27 not yet calculated CVE-2018-12476
CONFIRM
suse — opensuse_leap_yast2-rmt
 
A Inclusion of Sensitive Information in Log Files vulnerability in yast2-rmt of SUSE Linux Enterprise Server 15; openSUSE Leap allows local attackers to learn the password if they can access the log file. This issue affects: SUSE Linux Enterprise Server 15 yast2-rmt versions prior to 1.2.2. openSUSE Leap yast2-rmt versions prior to 1.2.2. 2020-01-27 not yet calculated CVE-2018-20105
CONFIRM
suse — suse_studio_onsite_susestudio-common
 
A Improper Certificate Validation vulnerability in susestudio-common of SUSE Studio onsite allows remote attackers to MITM connections to the repositories, which allows the modification of packages received over these connections. This issue affects: SUSE Studio onsite susestudio-common version 1.3.17-56.6.3 and prior versions. 2020-01-27 not yet calculated CVE-2017-14806
CONFIRM
suse — suse_studio_onsite_susestudio-ui-server
 
An Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in susestudio-ui-server of SUSE Studio onsite allows remote attackers with admin privileges in Studio to alter SQL statements, allowing for extraction and modification of data. This issue affects: SUSE Studio onsite susestudio-ui-server version 1.3.17-56.6.3 and prior versions. 2020-01-27 not yet calculated CVE-2017-14807
CONFIRM
sylius — resourcebundle
 
Sylius ResourceBundle accepts and uses any serialisation groups to be passed via a HTTP header. This might lead to data exposure by using an unintended serialisation group – for example it could make Shop API use a more permissive group from Admin API. Anyone exposing an API with ResourceBundle’s controller is affected. The vulnerable versions are: <1.3 || >=1.3.0 <=1.3.12 || >=1.4.0 <=1.4.5 || >=1.5.0 <=1.5.0 || >=1.6.0 <=1.6.2. The patch is provided for Sylius ResourceBundle 1.3.13, 1.4.6, 1.5.1 and 1.6.3, but not for any versions below 1.3. 2020-01-27 not yet calculated CVE-2020-5220
MISC
CONFIRM
sylius — sylius
 
Affected versions of Sylius give attackers the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when kernel.debug is set to true. However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is kernel.debug will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false. Patch has been provided for Sylius 1.3.x and newer – 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore. 2020-01-27 not yet calculated CVE-2020-5218
MISC
CONFIRM
tensorflow — tensorflow
 
In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Python) to a tf.float16 value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode. This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a tf.float16 value. Similar effects can be obtained by manipulating saved models and checkpoints whereby replacing a scalar tf.float16 value with a scalar string will trigger this issue due to automatic conversions. This can be easily reproduced by tf.constant(“hello”, tf.float16), if eager execution is enabled. This issue is patched in TensorFlow 1.15.1 and 2.0.1 with this vulnerability patched. TensorFlow 2.1.0 was released after we fixed the issue, thus it is not affected. Users are encouraged to switch to TensorFlow 1.15.1, 2.0.1 or 2.1.0. 2020-01-28 not yet calculated CVE-2020-5215
MISC
MISC
MISC
CONFIRM
tibco_software — tibco_patterns_-_search
 
The user interface component of TIBCO Software Inc.’s TIBCO Patterns – Search contains multiple vulnerabilities that theoretically allow authenticated users to perform persistent cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.’s TIBCO Patterns – Search: versions 5.4.0 and below. 2020-01-28 not yet calculated CVE-2019-17338
CONFIRM
CONFIRM
totolink — realtek_sdk_based_routers
 
On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an {“topicurl”:”setting/getSanvas”} POST to the boafrm/formLogin URI, leading to a CAPTCHA bypass. (Also, the CAPTCHA text is not needed once the attacker has determined valid credentials. The attacker can perform router actions via HTTP requests with Basic Authentication.) This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0. 2020-01-27 not yet calculated CVE-2019-19825
MISC
FULLDISC
FULLDISC
MISC
totolink — realtek_sdk_based_routers
 
On certain TOTOLINK Realtek SDK based routers, an authenticated attacker may execute arbitrary OS commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not available. This allows for full control over the device’s internals. This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0. 2020-01-27 not yet calculated CVE-2019-19824
MISC
FULLDISC
FULLDISC
MISC
trend_micro — anti-threat_toolkit
 
Trend Micro Anti-Threat Toolkit (ATTK) versions 1.62.0.1218 and below have a vulnerability that may allow an attacker to place malicious files in the same directory, potentially leading to arbitrary remote code execution (RCE) when executed. Another attack vector similar to CVE-2019-9491 was idenitfied and resolved in version 1.62.0.1228 of the tool. 2020-01-30 not yet calculated CVE-2019-20358
FULLDISC
N/A
N/A
united_planet — intrexx_professional Unrestricted file upload vulnerability in an unspecified third party tool in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unknown vectors. 2020-01-31 not yet calculated CVE-2014-2025
MISC
MISC
CONFIRM
usebb — usebb
 
panel_login.php in UseBB 1.0.12 allows type juggling for login bypass because != is used instead of !== for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters. 2020-01-27 not yet calculated CVE-2020-8088
MISC
videolan — vlc_media_player Multiple cross-site scripting (XSS) vulnerabilities in the HTTP Interface in VideoLAN VLC Media Player before 2.0.7 allow remote attackers to inject arbitrary web script or HTML via the (1) command parameter to requests/vlm_cmd.xml, (2) dir parameter to requests/browse.xml, or (3) URI in a request, which is returned in an error message through share/lua/intf/http.lua. 2020-01-31 not yet calculated CVE-2013-3565
MISC
MISC
MISC
MISC
vtiger — vtiger_crm vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in ‘customerportal.php’ which allows remote attackers to view files and execute local script code. 2020-01-28 not yet calculated CVE-2013-3212
EXPLOIT-DB
BID
XF
web2project — web2project Multiple SQL injection vulnerabilities in web2Project 3.1 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) search_string parameter in the contacts module to index.php or allow remote attackers to execute arbitrary SQL commands via the updatekey parameter to (2) do_updatecontact.php or (3) updatecontact.php. 2020-01-31 not yet calculated CVE-2014-3119
MISC
MISC
MISC
webargs — webargs
 
flaskparser.py in Webargs 5.x through 5.5.2 doesn’t check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF. 2020-01-29 not yet calculated CVE-2020-7965
CONFIRM
wolfssl — cyassl The DoAlert function in the (1) TLS and (2) DTLS implementations in wolfSSL CyaSSL before 2.9.4 allows remote attackers to have unspecified impact and vectors, which trigger memory corruption or an out-of-bounds read. 2020-01-28 not yet calculated CVE-2014-2896
MISC
MISC
CONFIRM
CONFIRM
wolfssl — cyassl wolfSSL CyaSSL before 2.9.4 allows remote attackers to have unspecified impact via multiple calls to the CyaSSL_read function which triggers an out-of-bounds read when an error occurs, related to not checking the return code and MAC verification failure. 2020-01-28 not yet calculated CVE-2014-2898
MISC
MISC
CONFIRM
CONFIRM
wolfssl — cyassl The SSL 3 HMAC functionality in wolfSSL CyaSSL 2.5.0 before 2.9.4 does not check the padding length when verification fails, which allows remote attackers to have unspecified impact via a crafted HMAC, which triggers an out-of-bounds read. 2020-01-28 not yet calculated CVE-2014-2897
MISC
MISC
CONFIRM
CONFIRM
wordpress — wordpress Multiple cross-site scripting (XSS) vulnerabilities in the HMS Testimonials plugin before 2.0.11 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) image, (3) url, or (4) testimonial parameter to the Testimonial form (hms-testimonials-addnew page); (5) date_format parameter to the Settings – Default form (hms-testimonials-settings page); (6) name parameter in a Save action to the Settings – Custom Fields form (hms-testimonials-settings-fields page); or (7) name parameter in a Save action to the Settings – Template form (hms-testimonials-templates-new page). 2020-01-30 not yet calculated CVE-2013-4241
MISC
MISC
MISC
MISC
MISC
wordpress — wordpress
 
The Code Snippets plugin before 2.14.0 for WordPress allows CSRF because of the lack of a Referer check on the import menu. 2020-01-28 not yet calculated CVE-2020-8417
MISC
MISC
wordpress — wordpress
 
NextGEN Gallery Plugin for WordPress 1.9.10 and 1.9.11 has a Path Disclosure Vulnerability 2020-01-30 not yet calculated CVE-2013-0291
MISC
MISC
wordpress — wordpress
 
XSS exists in the shortcode functionality of the GistPress plugin before 3.0.2 for WordPress via the includes/class-gistpress.php id parameter. This allows an attacker with the WordPress Contributor role to execute arbitrary JavaScript code with the privileges of other users (e.g., ones who have the publish_posts capability). 2020-01-30 not yet calculated CVE-2020-8498
MISC
MISC
MISC
wowza — wowza_streaming_engine
 
A privilege escalation vulnerability in Wowza Streaming Engine 4.7.7 and 4.7.8 allows any unprivileged Linux user to escalate privileges to root. The installer sets too relaxed permissions on /usr/local/WowzaStreamingEngine/bin/* core program files. By injecting a payload into one of those files, it will run with the same privileges as the Wowza server, root. For example, /usr/local/WowzaStreamingEngine/bin/tune.sh could be replaced with a Trojan horse. 2020-01-29 not yet calculated CVE-2019-7656
MISC
MISC
wowza — wowza_streaming_engine
 
Wowza Streaming Engine 4.7.7 and 4.7.8 suffers from multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes such as adding another admin user via enginemanager/server/user/edit.htm in the Server->Users component. 2020-01-29 not yet calculated CVE-2019-7654
MISC
MISC
xpient — xpient_point_of_sale_systems Iris 3.8 before build 1548, as used in Xpient point of sale (POS) systems, allows remote attackers to execute arbitrary commands via a crafted request to TCP port 7510, as demonstrated by opening the cash drawer. 2020-01-28 not yet calculated CVE-2013-2571
MISC
MISC
MISC
MISC
zoho_manageengine — remote_access_plus
 
An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password). 2020-01-31 not yet calculated CVE-2020-8422
MISC
MISC

Back to top

This product is provided subject to this Notification and this Privacy & Use policy.

Cabinet Decisions taken on ​24 JANUARY 2020

CABI​NET DECISIONS – 24 JANUARY 2020


 





1.         Cabinet has taken note of the outcome
of the mission of the Prime Minister to UK where he attended the UK-Africa
Investment Summit. The objective of the Summit was to showcase opportunities
for investment across Africa and expertise which the UK could offer to African
countries in different sectors.  The UK Prime
Minister pointed out that apart from assisting countries in raising funds for
their projects and offering technology of all kinds, the UK had more of the
world’s top universities apart from the USA. 





 





            The Prime Minister of Mauritius
formed part of the Heads of State Panel on “African Growth Opportunities:
Generating Investment for Inclusive Growth in Africa”.  In his intervention, the Prime Minister,
inter alia, highlighted that diversification had been key to the economic
success of Mauritius and that industrialisation was imperative to start that
process. He pointed out that the gains from the textile and sugar industries
were reinvested in the development of the tourism sector, thus marking our
first steps in the services industry.  He
also underscored that Mauritius had since then, developed the tertiary sector
to include financial services, ICT-BPO and professional services. 





 





            The Prime Minister had a meeting
with the UK Prime Minister and discussed with him the Chagos Archipelago issue,
the Economic Partnership Agreement which Mauritius had concluded with the UK
together with three other countries of Eastern and Southern Africa (ESA) and
assistance to Small Island Developing States to cope with the adverse effects
of climate change.  The Prime Minister
also met the Rt Hon Elizabeth Truss MP, Secretary of State for International
Trade and President of the Board of Trade and sought assistance from the UK for
the further development of our financial sector and of Mauritius as a knowledge
hub as well as training from the UK for combating cybercrimes and drug
trafficking.





 





            In the margins of the Summit, the
Prime Minister also met the President of Egypt, Ghana, Mozambique and Senegal respectively
with whom he discussed bilateral areas of cooperation.  Prior to the UK-Africa Investment Summit, the
Prime Minister also participated in a roundtable session organised by the
Economic Development Board (EDB) and hosted by Invest Africa. The session was
attended by 45 business leaders, mainly from the financial services sector as
well as UK-based companies operating in Africa. The focus of the session was to
position Mauritius as an ideal international financial centre and business hub
for Africa.  He also participated in a
meeting organised by the EDB with Mr Bill Winters, CBE, Group Chief Executive
of Standard Chartered
Bank.  Mr Neil Mulcock, Vice-President, Government
Affairs and Policy EMEA of Gilead Sciences, had a meeting with the Prime
Minister to discuss the status of the medicine donation programme of his firm
which aims at treating and curing patients who suffer from hepatitis C in
Mauritius. 





 





****





 





2.          Cabinet
has agreed to the adoption of a fare structure for feeder buses.  A uniform flat fare of Rs15 would be
applicable on all feeder routes irrespective of where the passenger alights or
boards.  A rebate of Rs5 would be
provided to those passengers using the feeders to connect to the light rail.





 





****





 





3.         Cabinet has agreed to the signing of
the Reimbursable Advisory Services Agreement between the Ministry of
Agro-Industry and Food Security and the World Bank in the context of the study
on the viability of the sugar cane sector in Mauritius.  The key deliverables of the Agreement are –





 





(a)       a competitiveness assessment of the advantages
of the agro-industrial enterprises and farmers which will focus on
productivity, cost of production, opportunity costs, and revenues from
different potential market sources;





 





(b)       an analysis of the institutional
structure, performance and incentives of the various stakeholders of the sugar
cane sector, including, the Ministry of Agro-Industry and Food Security, the
Mauritius Sugar Syndicate, the Sugar Insurance Fund Board, the Ministry of
Finance, Economic Planning and Development, the Central Electricity Board,
smallholder growers, producers, millers, employees of the various institutions,
and traders; and





 





(c)   a policy note summarising the sector
review and providing main recommendations for public policy and programmes for
the future development of the sugar cane sector as well as the development of
implementation plans for
each recommended
action.





****





 





4.         Cabinet has agreed to the adjustment of
the rates for non-contributory benefits payable under
the Social Aid Act, the Unemployment Hardship Relief Act and the Social
Integration and Empowerment Act, in line with the salary compensation approved
by Government for part-time employees with effect from 1 January 2020.  Some 40,000 beneficiaries of social
assistance would benefit from these adjustments as well as some 12,000 children
attending schools under the Social Integration and Empowerment Act.  The relevant Regulations would be amended
accordingly.





 





****





 





5.         Cabinet
has agreed to
Mauritius
making a yearly voluntary contribution to the United Nations Road Safety Trust
Fund.
The Fund which supports the implementation of the
Global Plan for the Decade of Action for Road Safety, benefits the world’s
citizens by leveraging the expertise of the United Nations system to achieve
the road safety related Sustainable Development Goals. The objectives include –





 





(a)       strengthening road
safety management capacity at the national and local   levels;





 





(b)       supporting
road safety programmes at the national and local levels across the five pillars of the Global Plan
for the Decade of Action for Road Safety by
providing financial support to participating institutions and organisations;         and





 





(c)    coordinating and
harmonising initiatives for the Sustainable Development Goals, and maximising the effectiveness and efficiency of the goals.





 





****





 





6.         Cabinet
has taken note of the three-year Strategic Business Plan of the Utility
Regulatory Authority (URA).  The
Strategic Business plan has identified seven strategic key objectives, namely  –





 





(a)       recruiting, skilling and strengthening the URA team, including
the Board     members;





 





            (b)       enhancing the electricity sector legal
framework by introducing regulations for
licensing and harmonisation of existing legislation;





 





(c)        phased implementation of licensing,
developing a tariff methodology, enforcing
quality of service regulations and commercial regulation;





 





(d)       enhancing financial independence of URA
and ensuring accountability;





 





(e)       maintaining regular public engagement through
consultations, dialogue and public
relations with stakeholders and publishing regular reports;





 





(f)        developing conducive working conditions
and adopting performance tools; and





 





(g)       keeping in view the role of URA in
regulating the water and waste water sectors
in the future.





 





****





 





7.         Cabinet has taken note that the
Ministry of Foreign Affairs, Regional Integration and International Trade in
collaboration with the United Nations Economic Commission for Africa (UNECA)
would organise a national workshop on the African Continental Free Trade Area
(AfCFTA) in May 2020.  The AfCFTA is
expected to be operational by 01 July 2020.  The objective of the AfCFTA Agreement is to
boost intra-Africa trade, promote industrialisation and achieve greater
sustainable development.  The workshop would
be an opportunity to sensitise stakeholders on the AfCFTA and the opportunities
that it would provide to Mauritius.  Some
50 participants from both the public and private sectors would attend the
workshop.  





 





****





 





8.         Cabinet has taken note that the
Ministry of Youth Empowerment, Sports and Recreation would enlist the services
of a Consultant for the drafting of a Policy Paper on Recreation.  The main tasks of the Consultant would be to





 





(a)       carry out an
assessment of the current situation on recreational services, activities and
facilities provided by other Ministries/Departments and non-state actors; 
 





(b)       formulate a Policy on
Recreation for the Ministry of Youth Empowerment, Sports and Recreation, including
strategic objectives and devise appropriate Action Plans with reference to
practices in other countries;





(c)        develop a
comprehensive and integrated strategic plan of sustainable events and
activities for different age groups with measurable goals and targets;





(d)       recommend on any
linkages that need to be put in place internally within the Ministry and with
other Ministries/Departments and with the private sector; and





(e)       provide an estimated
costing on the required institutional set-up and operational arrangements for
the implementation of the recommendations in the policy document as well as a
cost estimate of the proposed yearly events and activities over a period of
five years.





 





****





 





9.         Cabinet has taken note of the status of the key projects and programmes
being implemented by the Ministry of Industrial Development, SMEs and
Cooperatives jointly with SME Mauritius, for the promotion and development of
the SME sector.  Various schemes have
been completed and/or are under implementation, namely –





 





 (a)      the
Mentoring and Hand-holding Programme;





 





(b)       the Communication and Visibility – Online
Presence Scheme;





 





(c)        the Technology and Skills Transfer
Scheme;





 





(d)       the Barcode Registration System;





 





(e)       the SME Certification Scheme; and





 





(f)        the SME Productivity Improvement Scheme.





 





During the period July 2018 to
November 2019, over 1,100 SMEs have already benefitted from those schemes while
some 1,300 have acquired applied knowledge and know-how in different specific
fields including crafts, skills and aquaponics. 
Under the SME Employment Scheme, implemented by SME Mauritius, a total
of 940 graduates has been placed, while 550 degree holders and 82 diploma
holders are in post as at date.  Loan to
the tune of Rs443 Million from MauBank has been approved for some 196 SMEs
under the SME Development Scheme Certificate. An SME Observatory to enhance SME
market intelligence, has also been set up at SME Mauritius since September 2019.





 





 





****












 





10.       Cabinet has taken note of the outcome of
the recent mission of the Deputy Prime Minister, Minister of Energy and Public
Utilities to Abu Dhabi where he participated in the 10th Assembly of
the International Renewable Energy Agency (IRENA). 
In his message to the IRENA Assembly, the Secretary-General of the
United Nations urged all leaders to push their governments to make new
investments in innovation, and to boldly phase out subsidies and replace them
with tax incentives for renewable scale-up. 
He also urged the Assembly to continue to push for renewable energy
scale-up in all sectors. 





 





The Deputy Prime Minister made a
keynote address at the High Level Meeting
on Accelerating the Energy Transformation in Small Island Developing States through
Renewable Energy.  A Ministerial
Roundtable on Green Hydrogen and a Ministerial Session on Hydropower were also
held. 
The Deputy Prime Minister also had meetings
with HE Dr Thani Ahmed Al Zeyoudi, Minister of Climate Change and Environment
of UAE and the Director General of IRENA.





 





****





 





11.       Cabinet has taken note of the activities
that would be organised in the context of World Cancer Day, observed on 4
February.  The theme of the World Cancer
Day campaign for the period 2019 to 2021 is
I am and I will’.  The Ministry of Health and Wellness would
launch the activities on 05 February 2020 at L’Escalier Mediclinic.  An exhibition on health lifestyle and healthy
diet would also be held.  Sensitisation
programmes on the causes and risk factors of cancer and preventive measures
would also be carried out as well as screening programmes for breast and
cervical cancer.





 





****





12.       Cabinet has taken note that in the context of the National
Day Celebrations, the Ministry of Youth Empowerment, Sports and Recreation
would organise a Youth Carnival on 11 March 2020.  The starting point of the Carnival
would be
Saint François Xavier Stadium in
Port Louis and it
would end at
Port
Louis Waterfront
where a flag-raising ceremony would be
organised
. The best participants in the carnival would be rewarded with cash
prizes.





 





****





 





13.       Cabinet has taken note that the Ministry
of Social Integration, Social Security and National Solidarity would proceed
with the anti-influenza vaccination exercise during period April to May this
year. Vaccines would be provided to elderly persons aged 60 and above, children
with disabilities attending specialised schools and inmates of charitable institutions
and private licensed Homes.  The
vaccination exercise would also be extended to Rodrigues and Agalega.





 





********


IC3 Issues Alert on Employment Scams

Original release date: January 22, 2020

The Internet Crime Complaint Center (IC3) has issued an alert warning consumers of fake jobs and hiring scams targeting applicants’ personally identifiable information (PII). Cyber criminals posing as legitimate employers spoof company websites and post fake job openings to lure victims. Cyber criminals will conduct fake interviews and even offer positions to victims before requesting PII such as Social Security numbers and bank account information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the IC3 Alert and CISA’s Tips on Avoiding Social Engineering and Phishing Attacks and Website Security for more information. If you believe you are a victim of cybercrime, file a complaint with IC3 at www.ic3.gov.

This product is provided subject to this Notification and this Privacy & Use policy.

Vulnerability Summary for the Week of January 13, 2020

Original release date: January 20, 2020

The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

 

High Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
deja_vu — crescendo_sales_crm
 
D?j? Vu Crescendo Sales CRM has remote SQL Injection 2020-01-10 7.5 CVE-2014-4984
MISC
MISC
MISC
ether — etherpad-lite The Etherpad Lite ep_imageconvert Plugin has a Remote Command Injection Vulnerability 2020-01-10 7.5 CVE-2013-7380
MISC
MISC
hashbrown_cms — hashbrown_cms
 
A remote code execution issue was discovered in HashBrown CMS through 1.3.3. Server/Entity/Deployer/GitDeployer.js has a Service.AppService.exec call that mishandles the URL, repository, username, and password. 2020-01-13 7.5 CVE-2020-6948
MISC
jcow — jcow_cms
 
A Code Execution vulnerability exists the attachment parameter to index.php in Jcow CMS 4.x to 4.2 and 5.2 to 5.2. 2020-01-14 7.5 CVE-2011-3203
MISC
livezilla — livezilla
 
LiveZilla 5.0.1.4 has a Remote Code Execution vulnerability 2020-01-13 7.5 CVE-2013-6225
MISC
MISC
MISC
microsoft — .net_core__and_.net_framework
 
A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file.An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka ‘.NET Framework Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2020-0605. 2020-01-14 9.3 CVE-2020-0606
N/A
microsoft — .net_framework
 
A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka ‘.NET Framework Remote Code Execution Injection Vulnerability’. 2020-01-14 10 CVE-2020-0646
N/A
microsoft — asp.net_core
 
A remote code execution vulnerability exists in ASP.NET Core software when the software fails to handle objects in memory.An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka ‘ASP.NET Core Remote Code Execution Vulnerability’. 2020-01-14 9.3 CVE-2020-0603
REDHAT
REDHAT
N/A
microsoft — internet_explorer_9_and_10_and_11
 
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory, aka ‘Internet Explorer Memory Corruption Vulnerability’. 2020-01-14 7.6 CVE-2020-0640
N/A
microsoft — multiple_products
 
A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka ‘Microsoft Excel Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2020-0651, CVE-2020-0653. 2020-01-14 9.3 CVE-2020-0650
N/A
microsoft — multiple_products
 
A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka ‘Microsoft Excel Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2020-0650, CVE-2020-0653. 2020-01-14 9.3 CVE-2020-0651
N/A
microsoft — multiple_windows_products
 
An elevation of privilege vulnerability exists in Windows Media Service that allows file creation in arbitrary locations.To exploit the vulnerability, an attacker would first have to log on to the system, aka ‘Microsoft Windows Elevation of Privilege Vulnerability’. 2020-01-14 7.2 CVE-2020-0641
N/A
microsoft — multiple_windows_products
 
An elevation of privilege vulnerability exists when Microsoft Windows implements predictable memory section names, aka ‘Windows Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0635. 2020-01-14 7.2 CVE-2020-0644
N/A
microsoft — multiple_windows_products
 
An elevation of privilege vulnerability exists in Microsoft Windows when Windows fails to properly handle certain symbolic links, aka ‘Windows Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0644. 2020-01-14 7.2 CVE-2020-0635
N/A
MISC
microsoft — multiple_windows_products
 
An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory, aka ‘Windows Common Log File System Driver Elevation of Privilege Vulnerability’. 2020-01-14 7.2 CVE-2020-0634
N/A
MISC
microsoft — multiple_windows_products
 
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka ‘Win32k Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0624. 2020-01-14 7.2 CVE-2020-0642
N/A
microsoft — multiple_windows_server_products
 
A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2020-0609. 2020-01-14 10 CVE-2020-0610
N/A
microsoft — multiple_windows_server_products
 
A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2020-0610. 2020-01-14 10 CVE-2020-0609
N/A
mruby — mruby
 
In mruby 2.1.0, there is a use-after-free in hash_values_at in mrbgems/mruby-hash-ext/src/hash-ext.c. 2020-01-11 7.5 CVE-2020-6838
MISC
mruby — mruby
 
In mruby 2.1.0, there is a stack-based buffer overflow in mrb_str_len_to_dbl in string.c. 2020-01-11 7.5 CVE-2020-6839
MISC
mruby — mruby
 
In mruby 2.1.0, there is a use-after-free in hash_slice in mrbgems/mruby-hash-ext/src/hash-ext.c. 2020-01-11 7.5 CVE-2020-6840
MISC
online_tv_database — online_tv_database An SQL Injection vulnerability exists in the ID parameter in Online TV Database 2011. 2020-01-10 7.5 CVE-2011-5020
MISC
oracle — outside_in_technology
 
Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters). The supported version that is affected is 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Outside In Technology accessible data as well as unauthorized read access to a subset of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology. Note: Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower. CVSS 3.0 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). 2020-01-15 7.5 CVE-2020-2543
MISC
oracle — solaris Vulnerability in the Oracle Solaris product of Oracle Systems (component: Common Desktop Environment). The supported version that is affected is 10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 2020-01-15 7.2 CVE-2020-2696
MISC
MISC
FULLDISC
BUGTRAQ
MISC
oracle — weblogic_server
 
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 2020-01-15 7.5 CVE-2020-2551
MISC
oracle — weblogic_server
 
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Application Container – JavaEE). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 2020-01-15 7.5 CVE-2020-2546
MISC

Back to top

 

Medium Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
adobe — experience_manager Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. 2020-01-15 4.3 CVE-2019-16467
CONFIRM
adobe — experience_manager
 
Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have an expression language injection vulnerability. Successful exploitation could lead to sensitive information disclosure. 2020-01-15 5 CVE-2019-16469
CONFIRM
adobe — experience_manager
 
Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have an user interface injection vulnerability. Successful exploitation could lead to sensitive information disclosure. 2020-01-15 5 CVE-2019-16468
CONFIRM
apache — cxf
 
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may be vulnerable. 2020-01-16 4.3 CVE-2019-17573
CONFIRM
MLIST
arial_software — campaign_enterprise
 
Arial Campaign Enterprise before 11.0.551 stores passwords in clear text and these may be retrieved. 2020-01-10 5 CVE-2012-3823
MISC
XF
arial_software — campaign_enterprise
 
Arial Campaign Enterprise before 11.0.551 has unauthorized access to the User-Edit.asp page, which allows remote attackers to enumerate users’ credentials. 2020-01-10 5 CVE-2012-3822
MISC
XF
arial_software — campaign_enterprise
 
In Arial Campaign Enterprise before 11.0.551, multiple pages are accessible without authentication or authorization. 2020-01-10 5 CVE-2012-3824
MISC
XF
atlassian — bitbucket_server Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim’s systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim’s Bitbucket Server or Bitbucket Data Center instance. 2020-01-15 6.5 CVE-2019-15010
MISC
atlassian — bitbucket_server
 
Bitbucket Server and Bitbucket Data Center from version 4.13. before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file to the victims Bitbucket Server or Bitbucket Data Center instance using the edit-file endpoint, if the user has Bitbucket Server or Bitbucket Data Center running, and has the permission to write the file at that destination. In some cases, this can result in execution of arbitrary code by the victims Bitbucket Server or Bitbucket Data Center instance. 2020-01-15 6.5 CVE-2019-15012
MISC
atlassian — bitbucket_server_and_bitbucket_data_center
 
Bitbucket Server and Bitbucket Data Center versions starting from 1.0.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the post-receive hook. A remote attacker with permission to clone and push files to a repository on the victim’s Bitbucket Server or Bitbucket Data Center instance, can exploit this vulnerability to execute arbitrary commands on the Bitbucket Server or Bitbucket Data Center systems, using a file with specially crafted content. 2020-01-15 6.5 CVE-2019-20097
MISC
axper — vision_ii_devices Axper Vision II 4 devices allow XSS via the DEVICE_NAME (aka Device Name) parameter to the configWebParams.cgi URI. 2020-01-13 4.3 CVE-2020-6848
MISC
cacti — cacti
 
Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS). 2020-01-16 4.3 CVE-2020-7106
MISC
MLIST
cerberus — cerberus_ftp_server_enterprise_edition Cerberus FTP Server Enterprise Edition prior to versions 11.0.3 and 10.0.18 allows an authenticated attacker to create files, display hidden files, list directories, and list files without the permission to zip and download (or unzip and upload) files. There are multiple ways to bypass certain permissions by utilizing the zip and unzip features. As a result, users without permission can see files, folders, and hidden files, and can create directories without permission. 2020-01-14 5.5 CVE-2020-5196
MISC
MISC
MISC
chamilo — chamilo
 
Chamilo before 1.8.8.6 does not adequately handle user supplied input by the index.php script, which could allow remote attackers to delete arbitrary files. 2020-01-10 6.4 CVE-2012-4030
XF
clickdesk — clickdesk ClickDesk version 4.3 and below has persistent cross site scripting 2020-01-14 4.3 CVE-2014-9211
MISC
MISC
comcrete_cms — concrete5 A Cross-Site Scripting (XSS) vulnerability exists in the rcID parameter in Concrete CMS 5.4.1.1 and earlier. 2020-01-14 4.3 CVE-2011-3183
MISC
dompdf — dompdf
 
DOMPDF before 0.6.2 allows remote code execution, a related issue to CVE-2014-2383. 2020-01-10 6.8 CVE-2014-5013
MISC
MISC
dompdf — dompdf
 
DOMPDF before 0.6.2 allows Information Disclosure. 2020-01-10 4.3 CVE-2014-5011
MISC
MISC
dompdf — dompdf
 
DOMPDF before 0.6.2 allows denial of service. 2020-01-10 4.3 CVE-2014-5012
MISC
MISC
elog — electronic_logbook
 
A cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) 3.1.4 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG document to elogd.c. 2020-01-10 4.3 CVE-2019-20376
MISC
elog — electronic_logbook
 
A cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) 3.1.4 allows remote attackers to inject arbitrary web script or HTML via the value parameter in a localization (loc) command to elogd.c. 2020-01-10 4.3 CVE-2019-20375
MISC
ganglia — ganglia-web
 
ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php cs parameter. 2020-01-11 4.3 CVE-2019-20379
MISC
ganglia — ganglia-web
 
ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php ce parameter. 2020-01-11 4.3 CVE-2019-20378
MISC
gitlab — gitlab_community_and_enterprise_edition
 
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 8.13 through 12.6.1. It has Incorrect Access Control. 2020-01-13 4.3 CVE-2019-20148
MISC
CONFIRM
gitlab — gitlab_community_and_enterprise_edition
 
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 9.1 through 12.6.1. It has Incorrect Access Control. 2020-01-13 5 CVE-2019-20147
MISC
CONFIRM
gitlab — gitlab_community_and_enterprise_edition
 
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 11.4 through 12.6.1. It has Incorrect Access Control. 2020-01-13 4 CVE-2019-20145
MISC
CONFIRM
gitlab — gitlab_community_and_enterprise_edition
 
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 11.0 through 12.6. It allows Uncontrolled Resource Consumption. 2020-01-13 5 CVE-2019-20146
MISC
CONFIRM
google — chrome
 
Use after free in audio in Google Chrome prior to 79.0.3945.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2020-01-10 6.8 CVE-2020-6377
SUSE
SUSE
SUSE
REDHAT
MISC
MISC
FEDORA
FEDORA
granding_technology — grand_ma_300
 
Grand MA 300 allows a brute-force attack on the PIN. 2020-01-13 5 CVE-2014-5381
MISC
MISC
MISC
MISC
hashbrown_cms — hashbrown_cms
 
A privilege escalation issue was discovered in the postUser function in HashBrown CMS through 1.3.3. An editor user can change the password hash of an admin user’s account, or otherwise reconfigure that account. 2020-01-13 6.5 CVE-2020-6949
MISC

ibm — qradar_security_information_and_event_manager

IBM QRadar SIEM 7.3.0 through 7.3.3 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 166355. 2020-01-10 5 CVE-2019-4559
XF
CONFIRM
jcow — jcow
 
A Cross-Site Scripting (XSS) vulnerability exists in the g parameter to index.php in Jcow CMS 4.2 and earlier. 2020-01-14 4.3 CVE-2011-3202
MISC
jenkins — jenkins
 
A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method. 2020-01-15 6.8 CVE-2020-2090
CONFIRM
kubernetes — kubernetes Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed prometheus metrics publicly. 2020-01-14 5 CVE-2018-1002104
CONFIRM
markdown2 — markdown2 python-markdown2 before 1.0.1.14 has multiple cross-site scripting (XSS) issues. 2020-01-15 4.3 CVE-2009-3724
MISC
MISC
microsoft — asp.net_core A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka ‘ASP.NET Core Denial of Service Vulnerability’. 2020-01-14 5 CVE-2020-0602
REDHAT
REDHAT
N/A
microsoft — multiple_windows_products An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka ‘Windows Search Indexer Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0613, CVE-2020-0614, CVE-2020-0623, CVE-2020-0625, CVE-2020-0626, CVE-2020-0627, CVE-2020-0628, CVE-2020-0629, CVE-2020-0631, CVE-2020-0632, CVE-2020-0633. 2020-01-14 4.6 CVE-2020-0630
N/A
microsoft — multiple_windows_products An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka ‘Windows Search Indexer Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0614, CVE-2020-0623, CVE-2020-0625, CVE-2020-0626, CVE-2020-0627, CVE-2020-0628, CVE-2020-0629, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632, CVE-2020-0633. 2020-01-14 4.6 CVE-2020-0613
N/A
microsoft — multiple_windows_products An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka ‘Windows Search Indexer Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0613, CVE-2020-0614, CVE-2020-0623, CVE-2020-0625, CVE-2020-0626, CVE-2020-0627, CVE-2020-0629, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632, CVE-2020-0633. 2020-01-14 4.6 CVE-2020-0628
N/A
microsoft — multiple_windows_products
 
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka ‘Windows Search Indexer Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0613, CVE-2020-0614, CVE-2020-0623, CVE-2020-0625, CVE-2020-0627, CVE-2020-0628, CVE-2020-0629, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632, CVE-2020-0633. 2020-01-14 4.6 CVE-2020-0626
N/A
microsoft — multiple_windows_products
 
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka ‘Windows Search Indexer Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0613, CVE-2020-0614, CVE-2020-0623, CVE-2020-0625, CVE-2020-0626, CVE-2020-0628, CVE-2020-0629, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632, CVE-2020-0633. 2020-01-14 4.6 CVE-2020-0627
N/A
microsoft — multiple_windows_products
 
A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server, aka ‘Remote Desktop Client Remote Code Execution Vulnerability’. 2020-01-14 5.1 CVE-2020-0611
N/A
microsoft — multiple_windows_products
 
An elevation of privilege vulnerability exists when Microsoft Cryptographic Services improperly handles files, aka ‘Microsoft Cryptographic Services Elevation of Privilege Vulnerability’. 2020-01-14 4.6 CVE-2020-0620
N/A
microsoft — multiple_windows_products
 
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka ‘Windows Search Indexer Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0613, CVE-2020-0614, CVE-2020-0625, CVE-2020-0626, CVE-2020-0627, CVE-2020-0628, CVE-2020-0629, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632, CVE-2020-0633. 2020-01-14 4.6 CVE-2020-0623
N/A
microsoft — multiple_windows_products
 
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka ‘Windows Search Indexer Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0613, CVE-2020-0614, CVE-2020-0623, CVE-2020-0625, CVE-2020-0626, CVE-2020-0627, CVE-2020-0628, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632, CVE-2020-0633. 2020-01-14 4.6 CVE-2020-0629
N/A
microsoft — multiple_windows_products
 
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka ‘Windows Search Indexer Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0613, CVE-2020-0623, CVE-2020-0625, CVE-2020-0626, CVE-2020-0627, CVE-2020-0628, CVE-2020-0629, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632, CVE-2020-0633. 2020-01-14 4.6 CVE-2020-0614
N/A
microsoft — multiple_windows_products
 
An information disclosure vulnerability exists in the way that Microsoft Graphics Components handle objects in memory, aka ‘Microsoft Graphics Components Information Disclosure Vulnerability’. 2020-01-14 4.3 CVE-2020-0607
N/A
microsoft — multiple_windows_products
 
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka ‘Windows Search Indexer Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0613, CVE-2020-0614, CVE-2020-0623, CVE-2020-0625, CVE-2020-0626, CVE-2020-0627, CVE-2020-0628, CVE-2020-0629, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632. 2020-01-14 4.6 CVE-2020-0633
N/A
microsoft — multiple_windows_products
 
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka ‘Windows Search Indexer Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0613, CVE-2020-0614, CVE-2020-0623, CVE-2020-0626, CVE-2020-0627, CVE-2020-0628, CVE-2020-0629, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632, CVE-2020-0633. 2020-01-14 4.6 CVE-2020-0625
N/A
microsoft — multiple_windows_products
 
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka ‘Windows Search Indexer Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0613, CVE-2020-0614, CVE-2020-0623, CVE-2020-0625, CVE-2020-0626, CVE-2020-0627, CVE-2020-0628, CVE-2020-0629, CVE-2020-0630, CVE-2020-0632, CVE-2020-0633. 2020-01-14 4.6 CVE-2020-0631
N/A
microsoft — multiple_windows_products
 
An information disclosure vulnerability exists when Remote Desktop Web Access improperly handles credential information, aka ‘Remote Desktop Web Access Information Disclosure Vulnerability’. 2020-01-14 4 CVE-2020-0637
N/A
microsoft — multiple_windows_products
 
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka ‘Windows CryptoAPI Spoofing Vulnerability’. 2020-01-14 5.8 CVE-2020-0601
MISC
MISC
N/A
microsoft — multiple_windows_products
 
An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka ‘Windows Search Indexer Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0613, CVE-2020-0614, CVE-2020-0623, CVE-2020-0625, CVE-2020-0626, CVE-2020-0627, CVE-2020-0628, CVE-2020-0629, CVE-2020-0630, CVE-2020-0631, CVE-2020-0633. 2020-01-14 4.6 CVE-2020-0632
N/A
microsoft — office_and_office_365_proplus A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory, aka ‘Microsoft Office Memory Corruption Vulnerability’. 2020-01-14 6.8 CVE-2020-0652
N/A
MISC
microsoft — windows_10_and_windows_server
 
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka ‘Win32k Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-0642. 2020-01-14 4.6 CVE-2020-0624
N/A

microsoft — windows_10_and_windows_server_and_windows_server_2019

An elevation of privilege vulnerability exists in the way the Update Notification Manager handles files.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka ‘Update Notification Manager Elevation of Privilege Vulnerability’. 2020-01-14 4.6 CVE-2020-0638
N/A
microsoft — windows_10_and_windows_server_and_windows_server_2019
 
A denial of service vulnerability exists when Windows improperly handles hard links, aka ‘Microsoft Windows Denial of Service Vulnerability’. 2020-01-14 4.9 CVE-2020-0616
N/A
MISC
mitel — sip-dect_wireless_devices
 
An encryption key vulnerability on Mitel SIP-DECT wireless devices 8.0 and 8.1 could allow an attacker to launch a man-in-the-middle attack. A successful exploit may allow the attacker to intercept sensitive information. 2020-01-13 4.3 CVE-2019-19891
MISC
CONFIRM
mozilla — firefox Mozilla Firefox before 3.6 is vulnerable to XSS via the rendering of Cascading Style Sheets 2020-01-13 4.3 CVE-2011-2670
MISC
nitro_software — free_pdf_reader
 
The JBIG2Globals library in npdf.dll in Nitro Free PDF Reader 12.0.0.112 has a CAPPDAnnotHandlerUtils::PDAnnotHandlerDestroyData2+0x90ec NULL Pointer Dereference via crafted Unicode content. 2020-01-10 4.3 CVE-2019-19819
MISC
MISC
nitro_software — free_pdf_reader
 
The JBIG2Decode library in npdf.dll in Nitro Free PDF Reader 12.0.0.112 has a CAPPDAnnotHandlerUtils::PDAnnotHandlerDestroyData2+0x2e8a Out-of-Bounds Read via crafted Unicode content. 2020-01-10 4.3 CVE-2019-19817
MISC
MISC
openjpeg — openjpeg
 
OpenJPEG through 2.3.1 has a heap-based buffer overflow in opj_t1_clbl_decode_processor in libopenjp2.so. 2020-01-13 5 CVE-2020-6851
MISC
oracle — applications_framework
 
Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Attachments / File Upload). Supported versions that are affected are 12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Applications Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Framework, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data. CVSS 3.0 Base Score 4.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N). 2020-01-15 4.3 CVE-2020-2566
MISC
oracle — applications_framwork Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Attachments / File Upload). Supported versions that are affected are 12.2.5-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Applications Framework. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data. CVSS 3.0 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). 2020-01-15 5 CVE-2020-2666
MISC
oracle — banking_corporate_lending

 

Vulnerability in the Oracle Banking Corporate Lending product of Oracle Financial Services Applications (component: Core). Supported versions that are affected are 12.3.0-12.4.0 and 14.0.0-14.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Corporate Lending. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Banking Corporate Lending accessible data as well as unauthorized read access to a subset of Oracle Banking Corporate Lending accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N). 2020-01-15 5.8 CVE-2020-2717
MISC
oracle — banking_corporate_lending
 
Vulnerability in the Oracle Banking Corporate Lending product of Oracle Financial Services Applications (component: Core). Supported versions that are affected are 12.3.0-12.4.0 and 14.0.0-14.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Corporate Lending. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Banking Corporate Lending accessible data as well as unauthorized read access to a subset of Oracle Banking Corporate Lending accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). 2020-01-15 5.5 CVE-2020-2715
MISC
oracle — banking_corporate_lending
 
Vulnerability in the Oracle Banking Corporate Lending product of Oracle Financial Services Applications (component: Core). Supported versions that are affected are 12.3.0-12.4.0 and 14.0.0-14.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Corporate Lending. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Banking Corporate Lending accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). 2020-01-15 4 CVE-2020-2719
MISC
oracle — banking_corporate_lending
 
Vulnerability in the Oracle Banking Corporate Lending product of Oracle Financial Services Applications (component: Core). Supported versions that are affected are 12.3.0-12.4.0 and 14.0.0-14.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Corporate Lending. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Corporate Lending accessible data as well as unauthorized update, insert or delete access to some of Oracle Banking Corporate Lending accessible data. CVSS 3.0 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N). 2020-01-15 5.5 CVE-2020-2718
MISC
oracle — banking_corporate_lending
 
Vulnerability in the Oracle Banking Corporate Lending product of Oracle Financial Services Applications (component: Core). Supported versions that are affected are 12.3.0-12.4.0 and 14.0.0-14.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Corporate Lending. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Corporate Lending accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). 2020-01-15 4 CVE-2020-2716
MISC
oracle — banking_payments
 
Vulnerability in the Oracle Banking Payments product of Oracle Financial Services Applications (component: Core). Supported versions that are affected are 14.1.0-14.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Payments. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Payments accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). 2020-01-15 4 CVE-2020-2711
MISC
oracle — banking_payments
 
Vulnerability in the Oracle Banking Payments product of Oracle Financial Services Applications (component: Core). Supported versions that are affected are 14.1.0-14.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Payments. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Banking Payments accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). 2020-01-15 4 CVE-2020-2714
MISC
oracle — banking_payments
 
Vulnerability in the Oracle Banking Payments product of Oracle Financial Services Applications (component: Core). Supported versions that are affected are 14.1.0-14.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Payments. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Banking Payments accessible data as well as unauthorized read access to a subset of Oracle Banking Payments accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). 2020-01-15 5.5 CVE-2020-2710
MISC
oracle — banking_payments
 
Vulnerability in the Oracle Banking Payments product of Oracle Financial Services Applications (component: Core). Supported versions that are affected are 14.1.0-14.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Payments. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Banking Payments accessible data as well as unauthorized read access to a subset of Oracle Banking Payments accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N). 2020-01-15 5.8 CVE-2020-2712
MISC
oracle — banking_payments
 
Vulnerability in the Oracle Banking Payments product of Oracle Financial Services Applications (component: Core). Supported versions that are affected are 14.1.0-14.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Payments. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Payments accessible data as well as unauthorized update, insert or delete access to some of Oracle Banking Payments accessible data. CVSS 3.0 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N). 2020-01-15 5.5 CVE-2020-2713
MISC
oracle — business_intelligence_enterprise_edition Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Business Intelligence Enterprise Edition. CVSS 3.0 Base Score 7.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). 2020-01-15 6.8 CVE-2020-2537
MISC
oracle — business_intelligence_enterprise_edition Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Server). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N). 2020-01-15 4.3 CVE-2020-2535
MISC
oracle — crm_technical_foundation Vulnerability in the Oracle CRM Technical Foundation product of Oracle E-Business Suite (component: Preferences). Supported versions that are affected are 12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle CRM Technical Foundation. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle CRM Technical Foundation, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle CRM Technical Foundation accessible data as well as unauthorized update, insert or delete access to some of Oracle CRM Technical Foundation accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). 2020-01-15 5.8 CVE-2020-2651
MISC
oracle — crm_technical_foundation
 
Vulnerability in the Oracle CRM Technical Foundation product of Oracle E-Business Suite (component: Preferences). Supported versions that are affected are 12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle CRM Technical Foundation. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle CRM Technical Foundation, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle CRM Technical Foundation accessible data as well as unauthorized update, insert or delete access to some of Oracle CRM Technical Foundation accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). 2020-01-15 5.8 CVE-2020-2653
MISC
oracle — crm_technical_foundation
 
Vulnerability in the Oracle CRM Technical Foundation product of Oracle E-Business Suite (component: Preferences). Supported versions that are affected are 12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle CRM Technical Foundation. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle CRM Technical Foundation, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle CRM Technical Foundation accessible data as well as unauthorized update, insert or delete access to some of Oracle CRM Technical Foundation accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). 2020-01-15 5.8 CVE-2020-2652
MISC
oracle — crm_technical_foundation
 
Vulnerability in the Oracle CRM Technical Foundation product of Oracle E-Business Suite (component: Message Hooks). Supported versions that are affected are 12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle CRM Technical Foundation. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle CRM Technical Foundation, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle CRM Technical Foundation accessible data. CVSS 3.0 Base Score 4.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N). 2020-01-15 4.3 CVE-2020-2596
MISC
oracle — crm_technical_foundation
 
Vulnerability in the Oracle CRM Technical Foundation product of Oracle E-Business Suite (component: Preferences). Supported versions that are affected are 12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle CRM Technical Foundation. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle CRM Technical Foundation, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle CRM Technical Foundation accessible data. CVSS 3.0 Base Score 4.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N). 2020-01-15 4.3 CVE-2020-2657
MISC
oracle — email_center Vulnerability in the Oracle Email Center product of Oracle E-Business Suite (component: Message Display). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Email Center. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Email Center, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Email Center accessible data as well as unauthorized update, insert or delete access to some of Oracle Email Center accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). 2020-01-15 5.8 CVE-2020-2671
MISC
oracle — email_center
 
Vulnerability in the Oracle Email Center product of Oracle E-Business Suite (component: Message Display). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Email Center. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Email Center, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Email Center accessible data as well as unauthorized update, insert or delete access to some of Oracle Email Center accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). 2020-01-15 5.8 CVE-2020-2672
MISC
oracle — email_center
 
Vulnerability in the Oracle Email Center product of Oracle E-Business Suite (component: Message Display). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Email Center. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Email Center, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Email Center accessible data as well as unauthorized update, insert or delete access to some of Oracle Email Center accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). 2020-01-15 5.8 CVE-2020-2670
MISC
oracle — email_center
 
Vulnerability in the Oracle Email Center product of Oracle E-Business Suite (component: Message Display). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Email Center. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Email Center, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Email Center accessible data as well as unauthorized update, insert or delete access to some of Oracle Email Center accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). 2020-01-15 5.8 CVE-2020-2669
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Enterprise Manager Repository). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2616
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Oracle Management Service). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2615
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Connector Framework). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2642
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Enterprise Config Management). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2610
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2622
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Enterprise Config Management). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2612
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Global EM Framework). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2613
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Oracle Management Service). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2644
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Discovery Framework). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2617
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Job System). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2643
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Enterprise Config Management). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2618
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Enterprise Config Management). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2619
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Enterprise Config Management). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2620
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Connector Framework). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2645
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Enterprise Config Management). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2611
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Enterprise Config Management). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data as well as unauthorized read access to a subset of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). 2020-01-15 6.5 CVE-2020-2609
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Connector Framework). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2633
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Application Service Level Mgmt). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2636
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Job System). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2625
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Command Line Interface). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Enterprise Manager Base Platform, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data as well as unauthorized read access to a subset of Enterprise Manager Base Platform accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). 2020-01-15 4.9 CVE-2020-2646
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Enterprise Config Management). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2621
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Repository). Supported versions that are affected are 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2608
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Host Management). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2639
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Connector Framework). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2624
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metrics Framework). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2623
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Cloud Control Manager – OMS). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2626
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Host Management). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2628
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Extensibility Framework). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2629
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Extensibility Framework). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2630
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Application Service Level Mgmt). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2631
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: System Monitoring). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2632
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Configuration Standard Framewk). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2634
MISC
oracle — enterprise_manager_base_platform
 
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: System Monitoring). Supported versions that are affected are 12.1.0.5, 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 6.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L). 2020-01-15 6.5 CVE-2020-2635
MISC
oracle — financial_services_revenue_management_and_billing
 
Vulnerability in the Oracle Financial Services Revenue Management and Billing product of Oracle Financial Services Applications (component: File Upload). Supported versions that are affected are 2.7.0.0, 2.7.0.1 and 2.8.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Revenue Management and Billing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Financial Services Revenue Management and Billing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Revenue Management and Billing accessible data as well as unauthorized read access to a subset of Oracle Financial Services Revenue Management and Billing accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). 2020-01-15 4.9 CVE-2020-2730
MISC
oracle — flexcube_investor_servicing
 
Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Oracle Financial Services Applications (component: Infrastructure). Supported versions that are affected are 12.1.0-12.4.0 and 14.0.0-14.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle FLEXCUBE Investor Servicing accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). 2020-01-15 4 CVE-2020-2721
MISC
oracle — flexcube_investor_servicing
 
Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Oracle Financial Services Applications (component: Infrastructure). Supported versions that are affected are 12.1.0-12.4.0 and 14.0.0-14.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle FLEXCUBE Investor Servicing accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). 2020-01-15 4 CVE-2020-2724
MISC
oracle — flexcube_investor_servicing
 
Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Oracle Financial Services Applications (component: Infrastructure). Supported versions that are affected are 12.1.0-12.4.0 and 14.0.0-14.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle FLEXCUBE Investor Servicing accessible data as well as unauthorized read access to a subset of Oracle FLEXCUBE Investor Servicing accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N). 2020-01-15 5.8 CVE-2020-2722
MISC
oracle — flexcube_investor_servicing
 
Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Oracle Financial Services Applications (component: Infrastructure). Supported versions that are affected are 12.1.0-12.4.0 and 14.0.0-14.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle FLEXCUBE Investor Servicing accessible data as well as unauthorized read access to a subset of Oracle FLEXCUBE Investor Servicing accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). 2020-01-15 5.5 CVE-2020-2720
MISC
oracle — flexcube_investor_servicing
 
Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Oracle Financial Services Applications (component: Infrastructure). Supported versions that are affected are 12.1.0-12.4.0 and 14.0.0-14.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle FLEXCUBE Investor Servicing accessible data as well as unauthorized update, insert or delete access to some of Oracle FLEXCUBE Investor Servicing accessible data. CVSS 3.0 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N). 2020-01-15 5.5 CVE-2020-2723
MISC
oracle — flexcube_universal_banking
 
Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications (component: Infrastructure). Supported versions that are affected are 12.0.1-12.4.0 and 14.0.0-14.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle FLEXCUBE Universal Banking accessible data as well as unauthorized update, insert or delete access to some of Oracle FLEXCUBE Universal Banking accessible data. CVSS 3.0 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N). 2020-01-15 5.5 CVE-2020-2699
MISC
oracle — flexcube_universal_banking
 
Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications (component: Infrastructure). Supported versions that are affected are 12.0.1-12.4.0 and 14.0.0-14.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle FLEXCUBE Universal Banking accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). 2020-01-15 4 CVE-2020-2684
MISC
oracle — flexcube_universal_banking
 
Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications (component: Infrastructure). Supported versions that are affected are 12.0.1-12.4.0 and 14.0.0-14.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle FLEXCUBE Universal Banking accessible data as well as unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). 2020-01-15 5.5 CVE-2020-2683
MISC
oracle — flexcube_universal_banking
 
Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications (component: Infrastructure). Supported versions that are affected are 12.0.1-12.4.0 and 14.0.0-14.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). 2020-01-15 4 CVE-2020-2700
MISC
oracle — flexcube_universal_banking
 
Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications (component: Infrastructure). Supported versions that are affected are 12.0.1-12.4.0 and 14.0.0-14.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle FLEXCUBE Universal Banking accessible data as well as unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N). 2020-01-15 5.8 CVE-2020-2685
MISC
oracle — http_server Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Web Listener). Supported versions that are affected are 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle HTTP Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle HTTP Server accessible data as well as unauthorized read access to a subset of Oracle HTTP Server accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). 2020-01-15 5.8 CVE-2020-2530
MISC
oracle — http_server
 
Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: OSSL Module). Supported versions that are affected are 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle HTTP Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle HTTP Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). 2020-01-15 5 CVE-2020-2545
MISC
oracle — human_resources
 
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Human Resources. While the vulnerability is in Oracle Human Resources, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Human Resources. CVSS 3.0 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L). 2020-01-15 6.5 CVE-2020-2586
MISC
oracle — human_resources
 
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Human Resources. While the vulnerability is in Oracle Human Resources, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Human Resources. CVSS 3.0 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L). 2020-01-15 6.5 CVE-2020-2587
MISC
oracle — identity_manager Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: OIM – LDAP user and role Synch). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Identity Manager accessible data. CVSS 3.0 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). 2020-01-15 5 CVE-2020-2728
MISC
oracle — identity_manager
 
Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Advanced Console). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Identity Manager accessible data as well as unauthorized read access to a subset of Identity Manager accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). 2020-01-15 5.5 CVE-2020-2729
MISC
oracle — ilearning
 
Vulnerability in the Oracle iLearning product of Oracle iLearning (component: Learner Pages). The supported version that is affected is 6.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iLearning. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iLearning, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle iLearning accessible data. CVSS 3.0 Base Score 4.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N). 2020-01-15 4.3 CVE-2020-2709
MISC
oracle — istore
 
Vulnerability in the Oracle iStore product of Oracle E-Business Suite (component: Shopping Cart). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data as well as unauthorized update, insert or delete access to some of Oracle iStore accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). 2020-01-15 5.8 CVE-2020-2582
MISC
oracle — isupport
 
Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Others). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle iSupport. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iSupport, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle iSupport accessible data. CVSS 3.0 Base Score 4.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N). 2020-01-15 4.3 CVE-2020-2668
MISC
oracle — isupport
 
Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Others). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle iSupport. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iSupport, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle iSupport accessible data. CVSS 3.0 Base Score 4.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N). 2020-01-15 4.3 CVE-2020-2667
MISC
oracle — isupport
 
Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Others). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle iSupport. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iSupport, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iSupport accessible data as well as unauthorized update, insert or delete access to some of Oracle iSupport accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). 2020-01-15 5.8 CVE-2020-2661
MISC
oracle — isupport
 
Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Others). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle iSupport. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iSupport, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iSupport accessible data as well as unauthorized update, insert or delete access to some of Oracle iSupport accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). 2020-01-15 5.8 CVE-2020-2658
MISC
oracle — isupport
 
Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Others). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle iSupport. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iSupport, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iSupport accessible data as well as unauthorized update, insert or delete access to some of Oracle iSupport accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). 2020-01-15 5.8 CVE-2020-2662
MISC
oracle — isupport
 
Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Others). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle iSupport. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iSupport, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iSupport accessible data as well as unauthorized update, insert or delete access to some of Oracle iSupport accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). 2020-01-15 5.8 CVE-2020-2665
MISC
oracle — mysql_client
 
Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). 2020-01-15 4.3 CVE-2020-2574
MISC
oracle — mysql_client
 
Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). 2020-01-15 4.3 CVE-2020-2573
MISC
oracle — mysql_client
 
Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). 2020-01-15 4.3 CVE-2020-2570
MISC
oracle — mysql_server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.18 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). 2020-01-15 4 CVE-2020-2686
MISC
oracle — mysql_server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Audit Plugin). Supported versions that are affected are 5.7.28 and prior and 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N). 2020-01-15 4 CVE-2020-2572
MISC
oracle — mysql_server Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2020-01-15 4 CVE-2020-2580
MISC
oracle — mysql_server
 
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2020-01-15 4 CVE-2020-2588
MISC
oracle — mysql_server
 
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.28 and prior and 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2020-01-15 4 CVE-2020-2577
MISC
oracle — mysql_server
 
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). 2020-01-15 4 CVE-2020-2579
MISC
oracle — mysql_server
 
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 8.0.18 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). 2020-01-15 4 CVE-2020-2627
MISC
oracle — mysql_server
 
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.28 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2020-01-15 4 CVE-2020-2589
MISC
oracle — mysql_server
 
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.28 and prior and 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2020-01-15 4 CVE-2020-2660
MISC
oracle — mysql_server
 
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 2020-01-15 4 CVE-2020-2679
MISC
oracle — one-to-one_fulfillment
 
Vulnerability in the Oracle One-to-One Fulfillment product of Oracle E-Business Suite (component: Call Phone Number Page). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle One-to-One Fulfillment. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle One-to-One Fulfillment, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle One-to-One Fulfillment accessible data. CVSS 3.0 Base Score 4.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N). 2020-01-15 4.3 CVE-2020-2597
MISC
oracle — outside_in_technology

 

Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters). The supported version that is affected is 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Outside In Technology accessible data as well as unauthorized read access to a subset of Oracle Outside In Technology accessible data. Note: Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N). 2020-01-15 5.8 CVE-2020-2536
MISC
oracle — outside_in_technology
 
Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters). The supported version that is affected is 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology. Note: Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower. CVSS 3.0 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L). 2020-01-15 6.4 CVE-2020-2541
MISC
oracle — outside_in_technology
 
Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters). The supported version that is affected is 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology. Note: Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower. CVSS 3.0 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L). 2020-01-15 6.4 CVE-2020-2542
MISC
oracle — outside_in_technology
 
Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters). The supported version that is affected is 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Outside In Technology accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Outside In Technology. Note: Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower. CVSS 3.0 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L). 2020-01-15 6.4 CVE-2020-2540
MISC
oracle — peoplesoft_enterprise_cc_common_application_objects
 
Vulnerability in the PeopleSoft Enterprise CC Common Application Objects product of Oracle PeopleSoft (component: Approval Framework). Supported versions that are affected are 9.1 and 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise CC Common Application Objects. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise CC Common Application Objects accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). 2020-01-15 5 CVE-2020-2695
MISC
oracle — peoplesoft_enterprise_peopletools
 
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: PIA Core Technology). Supported versions that are affected are 8.56 and 8.57. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). 2020-01-15 5.8 CVE-2020-2607
MISC
oracle — primavera_p6_enterprise_project_portfolio_management
 
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: WebAccess). Supported versions that are affected are 15.1.0.0-15.2.18.7, 16.1.0.0-16.2.19.0, 17.1.0.0-17.12.16.0, 18.1.0.0-18.8.16.0 and 19.12.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). 2020-01-15 4.9 CVE-2020-2707
MISC
oracle — reports_developer
 
Vulnerability in the Oracle Reports Developer product of Oracle Fusion Middleware (component: Security and Authentication). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Reports Developer. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Reports Developer, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Reports Developer accessible data as well as unauthorized read access to a subset of Oracle Reports Developer accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). 2020-01-15 5.8 CVE-2020-2533
MISC
oracle — reports_developer
 
Vulnerability in the Oracle Reports Developer product of Oracle Fusion Middleware (component: Security and Authentication). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Reports Developer. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Reports Developer, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Reports Developer accessible data as well as unauthorized read access to a subset of Oracle Reports Developer accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). 2020-01-15 5.8 CVE-2020-2534
MISC
oracle — solaris
 
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via SMB to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Solaris. CVSS 3.0 Base Score 5.8 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L). 2020-01-15 5 CVE-2020-2558
MISC
oracle — vm_virtualbox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). 2020-01-15 4.4 CVE-2020-2702
MISC
oracle — vm_virtualbox
 
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). 2020-01-15 4.4 CVE-2020-2726
MISC
oracle — vm_virtualbox
 
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). 2020-01-15 4.4 CVE-2020-2701
MISC
oracle — vm_virtualbox
 
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). 2020-01-15 4.4 CVE-2020-2698
MISC
oracle — vm_virtualbox
 
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). 2020-01-15 4.6 CVE-2020-2682
MISC
oracle — web_applications_desktop_integrator
 
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Application Service). The supported version that is affected is 12.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Web Applications Desktop Integrator. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Web Applications Desktop Integrator, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Web Applications Desktop Integrator accessible data as well as unauthorized update, insert or delete access to some of Oracle Web Applications Desktop Integrator accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). 2020-01-15 5.8 CVE-2020-2591
MISC
oracle — webcenter_sites
 
Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: Advanced UI). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data as well as unauthorized read access to a subset of Oracle WebCenter Sites accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). 2020-01-15 5.8 CVE-2020-2539
MISC
oracle — webcenter_sites
 
Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: Advanced UI). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data as well as unauthorized read access to a subset of Oracle WebCenter Sites accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebCenter Sites. CVSS 3.0 Base Score 7.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). 2020-01-15 6.8 CVE-2020-2538
MISC
oracle — weblogic Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). 2020-01-15 6.5 CVE-2020-2549
MISC
oracle — weblogic_server Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N). 2020-01-15 4.9 CVE-2020-2547
MISC
oracle — weblogic_server Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). 2020-01-15 4.3 CVE-2020-2544
MISC
oracle — weblogic_server
 
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N). 2020-01-15 4.9 CVE-2020-2548
MISC
oracle — weblogic_server
 
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N). 2020-01-15 4.9 CVE-2020-2552
MISC
oracle — weblogic_server
 
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server. CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L). 2020-01-15 4.3 CVE-2020-2519
MISC
powerdns — authoritative_server
 
The DNS packet parsing/generation code in PowerDNS (aka pdns) Authoritative Server 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via crafted query packets. 2020-01-15 5 CVE-2015-5230
MISC
MISC
CONFIRM
ricoh — sp_c250dn_printers
 
Ricoh SP C250DN 1.06 devices allow CSRF. 2020-01-10 6.8 CVE-2019-14304
CONFIRM
serpico_project — serpico An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. It does not use CSRF Tokens to mitigate against CSRF; it uses the Origin header (which must match the request origin). This is problematic in conjunction with XSS: one can escalate privileges from User level to Administrator. 2020-01-15 6.8 CVE-2019-19854
MISC
snews — snews
 
A Cross-Site Scripting (XSS) vulnerability exists in the reorder administrator functions in sNews 1.71. 2020-01-14 4.3 CVE-2011-2706
MISC
MISC
status2k — status2k Status2k does not remove the install directory allowing credential reset. 2020-01-10 5 CVE-2014-5093
MISC
MISC
symantec — endpoint_detection_and_response
 
Symantec Endpoint Detection and Response (SEDR), prior to 4.3.0, may be susceptible to a cross site scripting (XSS) issue. XSS is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. An XSS vulnerability may be used by attackers to potentially bypass access controls such as the same-origin policy. 2020-01-13 4.3 CVE-2019-19547
CONFIRM
tophub — toplist
 
TopList before 2019-09-03 allows XSS via a title. 2020-01-11 4.3 CVE-2019-20377
MISC
websitebaker — websitebaker
 
A Cross Site Request Forgery (CSRF) vulnerability exists in the administrator functions in WebsiteBaker 2.8.1 and earlier due to inadequate confirmation for sensitive transactions. 2020-01-14 6.8 CVE-2011-2934
MISC
wordpress — wordpress The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow nsecure Direct Object Reference (IDOR) via wp-admin/admin-ajax.php to delete any page/post/listing. 2020-01-13 6.4 CVE-2019-20209
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
wordpress — wordpress The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via the chat widget/page message form. 2020-01-13 4.3 CVE-2019-20212
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
wordpress — wordpress
 
Pretty-Link WordPress plugin 1.5.2 has XSS 2020-01-10 4.3 CVE-2011-4595
MISC
MISC
wordpress — wordpress
 
flog plugin 0.1 for WordPress has XSS 2020-01-10 4.3 CVE-2014-4530
MISC
wordpress — wordpress
 
The ultimate-weather plugin 1.0 for WordPress has XSS 2020-01-10 4.3 CVE-2014-4561
MISC
wordpress — wordpress
 
The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Reflected XSS via a search query. 2020-01-13 4.3 CVE-2019-20210
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
wordpress — wordpress
 
The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via Listing Address, Listing Latitude, Listing Longitude, Email Address, Description, Name, Job or Position, Description, Service Name, Address, Latitude, Longitude, Phone Number, or Website. 2020-01-13 4.3 CVE-2019-20211
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
MISC
zoho_manageengine — eventlog_analyzer
 
Zoho ManageEngine EventLog Analyzer versions 7 through 9.9 build 9002 have a database Information Disclosure Vulnerability 2020-01-13 5 CVE-2014-6038
MISC
MISC
MISC
MISC

Back to top

 

Low Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
f5 — big-ip_access_policy_manager
 
In BIG-IP APM portal access on versions 15.0.0-15.1.0, 14.0.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, when backend servers serve HTTP pages with special JavaScript code, this can lead to internal portal access name conflict. 2020-01-14 3.5 CVE-2020-5853
CONFIRM

ibm — qradar_security_information_and_event_manager

 

IBM QRadar SIEM 7.3.0 through 7.3.3 uses weak credential storage in some instances which could be decrypted by a local attacker. IBM X-Force ID: 164429. 2020-01-10 2.1 CVE-2019-4508
XF
CONFIRM
itasteam — articlefr
 
Directory traversal vulnerability in application/templates/amelia/loadjs.php in Free Reprintables ArticleFR 3.0.7 and earlier allows local users to read arbitrary files via the s parameter. 2020-01-15 2.1 CVE-2015-6591
MISC
microsoft — multiple_windows_products An information disclosure vulnerability exists when the win32k component improperly provides kernel information, aka ‘Win32k Information Disclosure Vulnerability’. 2020-01-14 2.1 CVE-2020-0608
N/A
microsoft — multiple_windows_products
 
An information disclosure vulnerability exists in the Windows Common Log File System (CLFS) driver when it fails to properly handle objects in memory, aka ‘Windows Common Log File System Driver Information Disclosure Vulnerability’. This CVE ID is unique from CVE-2020-0639. 2020-01-14 2.1 CVE-2020-0615
N/A
MISC
microsoft — multiple_windows_products
 
An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface Plus (GDI+) handles objects in memory, allowing an attacker to retrieve information from a targeted system, aka ‘Windows GDI+ Information Disclosure Vulnerability’. 2020-01-14 2.1 CVE-2020-0643
N/A

microsoft — windows_10_and_windows_server_and_windows_server_2016

An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory, aka ‘Microsoft Graphics Component Information Disclosure Vulnerability’. 2020-01-14 2.1 CVE-2020-0622
N/A

microsoft — windows_10_and_windows_server_and_windows_server_2019

A security feature bypass vulnerability exists in Windows 10 when third party filters are called during a password update, aka ‘Windows Security Feature Bypass Vulnerability’. 2020-01-14 2.1 CVE-2020-0621
N/A
opentrade — opentrade
 
OpenTrade through 0.2.0 has a DOM-based XSS vulnerability that is executed when an administrator attempts to delete a message that contains JavaScript. 2020-01-11 3.5 CVE-2020-6847
MISC
MISC
CONFIRM
oracle — database_server Vulnerability in the Core RDBMS component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows low privileged attacker having Local Logon privilege with logon to the infrastructure where Core RDBMS executes to compromise Core RDBMS. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Core RDBMS accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Core RDBMS. CVSS 3.0 Base Score 3.9 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L). 2020-01-15 3.3 CVE-2020-2731
MISC
oracle — food_and_beverage_applications
 
Vulnerability in the Oracle Hospitality Suites Management component of Oracle Food and Beverage Applications. Supported versions that are affected are 3.7 and 3.8. Easily exploitable vulnerability allows physical access to compromise Oracle Hospitality Suites Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality Suites Management accessible data as well as unauthorized update, insert or delete access to some of Oracle Hospitality Suites Management accessible data. CVSS 3.0 Base Score 4.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N). 2020-01-15 3.2 CVE-2020-2697
MISC
oracle — mysql_server
 
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 4.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N). 2020-01-15 3.5 CVE-2020-2584
MISC
oracle — mysql_server
 
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.18 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N). 2020-01-15 3.5 CVE-2020-2694
MISC
oracle — oracle_business_intelligence_enterprise_edition
 
Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: BI Platform Security). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). 2020-01-15 2.6 CVE-2020-2531
MISC
oracle — vm_virtualbox Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). 2020-01-15 2.1 CVE-2020-2692
MISC
oracle — vm_virtualbox
 
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N). 2020-01-15 1.9 CVE-2020-2693
MISC
oracle — vm_virtualbox
 
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N). 2020-01-15 3.3 CVE-2020-2678
MISC
oracle — vm_virtualbox
 
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). 2020-01-15 2.1 CVE-2020-2681
MISC
oracle — vm_virtualbox
 
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). 2020-01-15 2.1 CVE-2020-2689
MISC
oracle — vm_virtualbox
 
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). 2020-01-15 2.1 CVE-2020-2690
MISC
oracle — vm_virtualbox
 
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). 2020-01-15 2.1 CVE-2020-2727
MISC
oracle — vm_virtualbox
 
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). 2020-01-15 2.1 CVE-2020-2691
MISC
oracle — vm_virtualbox
 
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H). 2020-01-15 2.1 CVE-2020-2725
MISC
oracle — vm_virtualbox
 
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). 2020-01-15 2.1 CVE-2020-2705
MISC
oracle — vm_virtualbox
 
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). 2020-01-15 2.1 CVE-2020-2704
MISC
oracle — vm_virtualbox
 
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36 and prior to 6.0.16. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H). 2020-01-15 2.1 CVE-2020-2703
MISC
oracle — weblogic_server
 
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle WebLogic Server executes to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data as well as unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 5.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N). 2020-01-15 3.6 CVE-2020-2550
MISC
serpico_project — serpico An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. admin/add_user/UID allows stored XSS via the author parameter. 2020-01-15 3.5 CVE-2019-19858
CONFIRM
MISC
serpico_project — serpico
 
An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. The User Type on the admin/list_user page allows stored XSS via the type parameter. 2020-01-15 3.5 CVE-2019-19856
CONFIRM
MISC
serpico_project — serpico
 
An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. admin/list_user allows stored XSS via the auth_type parameter. 2020-01-15 3.5 CVE-2019-19855
CONFIRM
MISC
wordpress — wordpress
 
Cross-site scripting (XSS) vulnerability in the Plotly plugin before 1.0.3 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via a post. 2020-01-15 3.5 CVE-2015-5484
MISC
MISC
MISC

Back to top

 

Severity Not Yet Assigned

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
abb — cp651_hmi_products
 
ABB CP651 HMI products revision BSP UN30 v1.76 and prior implement hidden administrative accounts that are used during the provisioning phase of the HMI interface. 2020-01-14 not yet calculated CVE-2019-10995
BID
MISC
abrt_project — automatic_bug_reporting_tool The default event handling scripts in Automatic Bug Reporting Tool (ABRT) allow local users to gain privileges as demonstrated by a symlink attack on a var_log_messages file. 2020-01-14 not yet calculated CVE-2015-1869
MISC
MISC
CONFIRM
CONFIRM
abrt_project — automatic_bug_reporting_tool
 
Directory traversal vulnerability in abrt-dbus in Automatic Bug Reporting Tool (ABRT) allows local users to read, write to, or change ownership of arbitrary files via unspecified vectors to the (1) NewProblem, (2) GetInfo, (3) SetElement, or (4) DeleteElement method. 2020-01-14 not yet calculated CVE-2015-3151
MISC
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
abrt_project — automatic_bug_reporting_tool
 
The abrt-action-install-debuginfo-to-abrt-cache help program in Automatic Bug Reporting Tool (ABRT) does not properly handle the process environment before invoking abrt-action-install-debuginfo, which allows local users to gain privileges. 2020-01-14 not yet calculated CVE-2015-3159
CONFIRM
CONFIRM
CONFIRM
abrt_project — automatic_bug_reporting_tool
 
abrt-dbus in Automatic Bug Reporting Tool (ABRT) allows local users to delete or change the ownership of arbitrary files via the problem directory argument to the (1) ChownProblemDir, (2) DeleteElement, or (3) DeleteProblem method. 2020-01-14 not yet calculated CVE-2015-3150
MISC
MISC
MISC
MISC
MISC
abrt_project — automatic_bug_reporting_tool
 
daemon/abrt-handle-upload.in in Automatic Bug Reporting Tool (ABRT), when moving problem reports from /var/spool/abrt-upload, allows local users to write to arbitrary files or possibly have other unspecified impact via a symlink attack on (1) /var/spool/abrt or (2) /var/tmp/abrt. 2020-01-14 not yet calculated CVE-2015-3147
MISC
MISC
MISC
CONFIRM
MISC
adb_broadband — p.dga4001n_router
 
The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with firmware PDG_TEF_SP_4.06L.6, and possibly other routers, uses “1236790” and the MAC address to generate the WPA key. 2020-01-14 not yet calculated CVE-2015-0558
MISC
MISC
MISC
adobe — experience_manager
 
Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have a reflected cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure. 2020-01-15 not yet calculated CVE-2019-16466
CONFIRM

aist — delegate

DeleGate 9.9.13 allows local users to gain privileges as demonstrated by the dgcpnod setuid program. 2020-01-15 not yet calculated CVE-2015-7556
MISC
MISC
amcrest — web_server
 
An issue was discovered in Amcrest Web Server 2.520.AC00.18.R 2017-06-29 WEB 3.2.1.453504. The login page responds with JavaScript when one tries to authenticate. An attacker who changes the result parameter (to true) in this JavaScript code can bypass authentication and achieve limited privileges (ability to see every option but not modify them). 2020-01-18 not yet calculated CVE-2020-7222
MISC
angular — angular
 
A Stored Client Side Template Injection (CSTI) with Angular was discovered in the SolarWinds Orion Platform 2019.2 HF1 in many application forms. An attacker can inject an Angular expression and escape the Angular sandbox to achieve stored XSS. This can lead to privilege escalation. 2020-01-17 not yet calculated CVE-2019-17127
CONFIRM
MISC
angular — angular
 
A Reflected Client Side Template Injection (CSTI) with Angular was discovered in the SolarWinds Orion Platform 2019.2 HF1 in many forms. An attacker can inject an Angular expression and escape the Angular sandbox to achieve stored XSS. 2020-01-17 not yet calculated CVE-2019-17125
CONFIRM
MISC
apache — airflow
 
In Apache Airflow before 1.10.5 when running with the “classic” UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new “RBAC” UI is unaffected. 2020-01-14 not yet calculated CVE-2019-12398
MLIST
MLIST
MLIST
apache — beam
 
The Apache Beam MongoDB connector in versions 2.10.0 to 2.16.0 has an option to disable SSL trust verification. However this configuration is not respected and the certificate verification disables trust verification in every case. This exclusion also gets registered globally which disables trust checking for any code running in the same JVM. 2020-01-15 not yet calculated CVE-2020-1929
MLIST
apache — cxf
 
Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter “rs.security.keystore.type” to “jwk”. For this case all keys are returned in this file “as is”, including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. “oct” keys, which contain secret keys, are not returned at all. 2020-01-16 not yet calculated CVE-2019-12423
CONFIRM
MLIST
apache — kafka
 
When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector’s task configuration and the response will contain the plaintext secret rather than the externalized secrets variables. 2020-01-14 not yet calculated CVE-2019-12399
MLIST
MLIST
MLIST
MLIST
MLIST
automobility_distribution — mycar_controls
 
The MyCar Controls of AutoMobility Distribution Inc., mobile application contains hard-coded admin credentials. A remote unauthenticated attacker may be able to send commands to and retrieve data from a target MyCar unit. This may allow the attacker to learn the location of a target, or gain unauthorized physical access to a vehicle. This issue affects AutoMobility MyCar versions prior to 3.4.24 on iOS and versions prior to 4.1.2 on Android. This issue has additionally been fixed in Carlink, Link, Visions MyCar, and MyCar Kia. 2020-01-15 not yet calculated CVE-2019-9493
MISC
MISC
MISC
CERT-VN
BID
avast — premium_security In Avast Premium Security 19.8.2393, attackers can send a specially crafted request to the local web server run by Avast Antivirus on port 27275 to support Bank Mode functionality. A flaw in the processing of a command allows execution of arbitrary OS commands with the privileges of the currently logged in user. This allows for example attackers who compromised a browser extension to escape from the browser sandbox. 2020-01-13 not yet calculated CVE-2019-18894
MISC
avast — secure_browser
 
XSS in the Video Downloader component before 1.5 of Avast Secure Browser 77.1.1831.91 and AVG Secure Browser 77.0.1790.77 allows websites to execute their code in the context of this component. While Video Downloader is technically a browser extension, it is granted a very wide set of privileges and can for example access cookies and browsing history, spy on the user while they are surfing the web, and alter their surfing experience in almost arbitrary ways. 2020-01-13 not yet calculated CVE-2019-18893
MISC
aveva_and_schnieder_electric — vijeo_citect_and_citectscada_and_power_scada_operation
 
The IEC870IP driver for AVEVA?s Vijeo Citect and Citect SCADA and Schneider Electric?s Power SCADA Operation has a buffer overflow vulnerability that could result in a server-side crash. 2020-01-14 not yet calculated CVE-2019-13537
CONFIRM
MISC
bftpdf — bftpd
 
An issue was discovered in Bftpd before 5.4. There is a heap-based off-by-one error during file-transfer error checking. 2020-01-10 not yet calculated CVE-2020-6835
MISC
MISC
bmc — remedy_ar_system_server AR System Mid Tier in the AR System Mid Tier component before 9.0 SP1 for BMC Remedy AR System Server allows remote authenticated users to “navigate” to arbitrary files via the __report parameter of the BIRT viewer servlet. 2020-01-15 not yet calculated CVE-2015-5071
CONFIRM
MISC
bmc — remedy_ar_system_server
 
The BIRT Engine servlet in the AR System Mid Tier component before 9.0 SP1 for BMC Remedy AR System Server allows remote authenticated users to “navigate” to arbitrary local files via the __imageid parameter. 2020-01-15 not yet calculated CVE-2015-5072
CONFIRM
MISC
broadcom — brcmfmac_drivers The Broadcom brcmfmac WiFi driver prior to commit 1b5e2423164b3670e8bc9174e4762d297990deff is vulnerable to a heap buffer overflow. If the Wake-up on Wireless LAN functionality is configured, a malicious event frame can be constructed to trigger an heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited with compromised chipsets to compromise the host, or when used in combination with CVE-2019-9503, can be used remotely. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions. 2020-01-16 not yet calculated CVE-2019-9500
MISC
MISC
MISC
broadcom — brcmfmac_drivers
 
The Broadcom brcmfmac WiFi driver prior to commit a4176ec356c73a46c07c181c6d04039fafa34a9f is vulnerable to a frame validation bypass. If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and unprocessed. If the driver receives the firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed if the bus used is USB (for instance by a wifi dongle). This can allow firmware event frames from a remote source to be processed. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions. 2020-01-16 not yet calculated CVE-2019-9503
MISC
MISC
MISC
bsd-mailx — bsd-mailx
 
BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via a crafted email address. 2020-01-14 not yet calculated CVE-2014-7844
MISC
MISC
MISC
MISC
MISC
cayin_technology — smp-pro4_devices
 
An issue was discovered on Cayin SMP-PRO4 devices. They allow image_preview.html?filename= reflected XSS. 2020-01-13 not yet calculated CVE-2020-6955
MISC
cayin_technology — smp-pro4_devices
 
An issue was discovered on Cayin SMP-PRO4 devices. A user can discover a saved password by viewing the URL after a Connection String Test. This password is shown in the webpass parameter of a media_folder.cgi?apply_mode=ping_server URI. 2020-01-13 not yet calculated CVE-2020-6954
MISC
centire — yopify Yopify, an e-commerce notification plugin, up to April 06, 2017, leaks the first name, last initial, city, and recent purchase data of customers, all without user authorization. 2020-01-15 not yet calculated CVE-2017-3211
MISC
centreon — infrastructure_monitoring_software
 
Insecure permissions in cwrapper_perl in Centreon Infrastructure Monitoring Software through 19.10 allow local attackers to gain privileges. (cwrapper_perl is a setuid executable allowing execution of Perl scripts with root privileges.) 2020-01-16 not yet calculated CVE-2019-20327
MISC
MISC
cerberus — cerberus_ftp_server
 
The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists. 2020-01-14 not yet calculated CVE-2020-5194
MISC
MISC
cerberus — cerberus_ftp_server
 
Reflected XSS through an IMG element in Cerberus FTP Server prior to versions 11.0.1 and 10.0.17 allows a remote attacker to execute arbitrary JavaScript or HTML via a crafted public folder URL. This occurs because of the folder_up.png IMG element not properly sanitizing user-inserted directory paths. The path modification must be done on a publicly shared folder for a remote attacker to insert arbitrary JavaScript or HTML. The vulnerability impacts anyone who clicks the malicious link crafted by the attacker. 2020-01-13 not yet calculated CVE-2020-5195
MISC
MISC
MISC
cisco — ironport_web_security_appliance
 
Cisco IronPort Web Security Appliance up to and including 7.5 does not validate the basic constraints of the certificate authority which could lead to MITM attacks 2020-01-15 not yet calculated CVE-2012-1326
MISC
CONFIRM
cisco — ironport_web_security_appliance
 
Cisco IronPort Web Security Appliance does not check for certificate revocation which could lead to MITM attacks 2020-01-15 not yet calculated CVE-2012-1316
MISC
MISC
cisco — ironport_web_security_appliance_asyncos Cisco IronPort Web Security Appliance AsyncOS software prior to 7.5 has a SSL Certificate Caching vulnerability which could allow man-in-the-middle attacks 2020-01-15 not yet calculated CVE-2012-0334
MISC
CONFIRM
cisco — unified_personal_communicator
 
Cisco Unified Personal Communicator 7.0 (1.13056) does not free allocated memory for received data and does not perform validation if memory allocation is successful, causing a remote denial of service condition. 2020-01-16 not yet calculated CVE-2010-3048
MISC
citrix — xenapp_online_plug-in_for_windows_and_receiver_for_windows
 
Citrix XenApp Online Plug-in for Windows 12.1 and earlier, and Citrix Receiver for Windows 3.2 and earlier could allow remote attackers to execute arbitrary code by convincing a target to open a specially crafted file from an SMB or WebDAV fileserver. 2020-01-10 not yet calculated CVE-2012-4603
BID
SECTRACK
SECTRACK
XF
clamav — clamav
 
A vulnerability in the email parsing module Clam AntiVirus (ClamAV) Software versions 0.102.0, 0.101.4 and prior could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to inefficient MIME parsing routines that result in extremely long scan times of specially formatted email files. An attacker could exploit this vulnerability by sending a crafted email file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to scan the crafted email file indefinitely, resulting in a denial of service condition. 2020-01-15 not yet calculated CVE-2019-15961
CISCO
CISCO
daum_communications — potplayer
 
PotPlayer 1.5.40688: .avi File Memory Corruption 2020-01-14 not yet calculated CVE-2013-7185
MISC
MISC
drupal — drupal
 
A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display. 2020-01-14 not yet calculated CVE-2011-2714
MISC
MISC
MISC
drupal — drupal
 
An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names. 2020-01-14 not yet calculated CVE-2011-2715
MISC
MISC
eclipse_foundation — eclipse_memory_analyzer
 
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a cross site scripting (XSS) vulnerability when generating an HTML report from a malicious heap dump. The user must chose todownload, open the malicious heap dump and generate an HTML report for the problem to occur. The heap dump could be specially crafted, or could come from a crafted application or from an application processing malicious data. The vulnerability is present whena report is generated and opened from the Memory Analyzer graphical user interface, or when a report generated in batch mode is then opened in Memory Analyzer or by a web browser. The vulnerability could possibly allow code execution on the local system whenthe report is opened in Memory Analyzer. 2020-01-17 not yet calculated CVE-2019-17634
CONFIRM
eclipse_foundation — eclipse_memory_analyzer
 
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must chose to reopen an already parsed heap dump with an untrusted index for the problem to occur. The problem can be averted if the index files from an untrusted source are deleted and the heap dump is opened and reparsed. Also some local configuration data is subject to a deserialization vulnerability if the local data were to be replaced with a malicious version. This can be averted if the local configuration data stored on the file system cannot be changed by an attacker. The vulnerability could possibly allow code execution on the local system. 2020-01-17 not yet calculated CVE-2019-17635
CONFIRM
emc — replistor_server_service
 
EMC RepliStor Server Service before ESA-09-003 has a DoASOCommand Remote Code Execution Vulnerability. The flaw exists within the DoRcvRpcCall RPC function -exposed via the rep_srv.exe process- where the vulnerability is caused by an error when the rep_srv.exe handles a specially crafted packet sent by an unauthenticated attacker. 2020-01-15 not yet calculated CVE-2009-1120
MISC
MISC
ezhometech — ezserve
 
A Code Execution vulnerability exists in the memcpy function when processing AMF requests in Ezhometech EzServer 7.0, which could let a remote malicious user execute arbitrary code or cause a Denial of Service 2020-01-13 not yet calculated CVE-2012-4750
MISC
MISC
MISC
MISC
f5 — multiple_big-ip_products
 
On impacted versions and platforms the Trusted Platform Module (TPM) system integrity check cannot detect modifications to specific system components. This issue only impacts specific engineering hotfixes and platforms. NOTE: This vulnerability does not affect any of the BIG-IP major, minor or maintenance releases you obtained from downloads.f5.com. The affected Engineering Hotfix builds are as follows: Hotfix-BIGIP-14.1.0.2.0.45.4-ENG Hotfix-BIGIP-14.1.0.2.0.62.4-ENG 2020-01-14 not yet calculated CVE-2020-5851
CONFIRM
f5 — multiple_big-ip_products
 
Undisclosed traffic patterns received may cause a disruption of service to the Traffic Management Microkernel (TMM). This vulnerability affects TMM through a virtual server configured with a FastL4 profile. Traffic processing is disrupted while TMM restarts. This issue only impacts specific engineering hotfixes. NOTE: This vulnerability does not affect any of the BIG-IP major, minor or maintenance releases you obtained from downloads.f5.com. The affected Engineering Hotfix builds are as follows: Hotfix-BIGIP-14.1.2.1.0.83.4-ENG Hotfix-BIGIP-12.1.4.1.0.97.6-ENG Hotfix-BIGIP-11.5.4.2.74.291-HF2 2020-01-14 not yet calculated CVE-2020-5852
CONFIRM
feldtech — easescreen
 
Feldtech easescreen Crystal 9.0 Web-Services 9.0.1.16265 allows Stored XSS via the Debug-Log and Display-Log components. This could be exploited when an attacker sends an crafted string for FTP authentication. 2020-01-17 not yet calculated CVE-2019-20003
MISC
MISC
ffmpeg — ffmpeg
 
Integer overflow in the get_len function in libavutil/lzo.c in FFmpeg before 0.10.14, 1.1.x before 1.1.12, 1.2.x before 1.2.7, 2.0.x before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.4 allows remote attackers to execute arbitrary code via a crafted Literal Run. 2020-01-14 not yet calculated CVE-2014-4610
MISC
MISC
MISC
foxit_software — foxit_pdf_reader An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 9.7.0.29435. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability. 2020-01-16 not yet calculated CVE-2019-5131
MISC
foxit_software — foxit_pdf_reader
 
An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit PDF Reader, version 9.7.0.29435. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability. 2020-01-16 not yet calculated CVE-2019-5145
MISC
foxit_software — foxit_pdf_reader
 
An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader version 9.7.0.29435. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability. 2020-01-16 not yet calculated CVE-2019-5130
MISC
foxit_software — foxit_pdf_reader
 
An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit PDF Reader, version 9.7.0.29435. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability. 2020-01-16 not yet calculated CVE-2019-5126
MISC
free — freebox_os_web_interface
 
Freebox OS Web interface 3.0.2 has CSRF which can allow VPN user account creation 2020-01-13 not yet calculated CVE-2014-9382
MISC
MISC
MISC
freelancy — freelancy
 
Freelancy v1.0.0 allows remote command execution via the “file”:”data:application/x-php;base64 substring (in conjunction with “type”:”application/x-php”} to the /api/files/ URI. 2020-01-14 not yet calculated CVE-2020-5505
MISC
gallagher — command_centre_server
 
In Gallagher Command Centre Server versions of v8.10 prior to v8.10.1134(MR4), v8.00 prior to v8.00.1161(MR5), v7.90 prior to v7.90.991(MR5), v7.80 prior to v7.80.960(MR2) and v7.70 or earlier, an unprivileged but authenticated user is able to perform a backup of the Command Centre databases. 2020-01-17 not yet calculated CVE-2019-19801
CONFIRM
gallagher — command_centre_server
 
In Gallagher Command Centre Server v8.10 prior to v8.10.1134(MR4), v8.00 prior to v8.00.1161(MR5), v7.90 prior to v7.90.991(MR5), v7.80 prior to v7.80.960(MR2) and v7.70 or earlier, an authenticated user connecting to OPCUA can view all data that would be replicated in a multi-server setup without privilege checks being applied. 2020-01-17 not yet calculated CVE-2019-19802
CONFIRM
ge-emerson — pacsystems_rx3in/a
 
GE PACSystems RX3i CPE100/115: All versions prior to R9.85,CPE302/305/310/330/400/410: All versions prior to R9.90,CRU/320 All versions(End of Life) may allow an attacker sending specially manipulated packets to cause the module state to change to halt-mode, resulting in a denial-of-service condition. An operator must reboot the CPU module after removing battery or energy pack to recover from halt-mode. 2020-01-16 not yet calculated CVE-2019-13524
MISC
geutebruck — g-code_and_c-cam_ip_cameras
 
Geutebruck IP Cameras G-Code(EEC-2xxx), G-Cam(EBC-21xx/EFD-22xx/ETHC-22xx/EWPC-22xx): All versions 1.12.0.25 and prior may allow a remote authenticated user, using a specially crafted URL command, to execute commands as root. 2020-01-17 not yet calculated CVE-2019-10956
MISC
geutebruck — g-code_and_c-cam_ip_cameras
 
Geutebruck IP Cameras G-Code(EEC-2xxx), G-Cam(EBC-21xx/EFD-22xx/ETHC-22xx/EWPC-22xx): All versions 1.12.0.25 and prior may allow a remote authenticated attacker with access to network configuration to supply system commands to the server, leading to remote code execution as root. 2020-01-17 not yet calculated CVE-2019-10958
MISC
geutebruck — g-code_and_c-cam_ip_cameras
 
Geutebruck IP Cameras G-Code(EEC-2xxx), G-Cam(EBC-21xx/EFD-22xx/ETHC-22xx/EWPC-22xx): All versions 1.12.0.25 and prior may allow a remote authenticated attacker with access to event configuration to store malicious code on the server, which could later be triggered by a legitimate user resulting in code execution within the user?s browser. 2020-01-17 not yet calculated CVE-2019-10957
MISC
gitlab — gitlab_community_and_enterprise_edition
 
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 12.3 through 12.6.1. It allows Denial of Service. 2020-01-13 not yet calculated CVE-2019-20142
MISC
CONFIRM
gitlab — gitlab_community_and_enterprise_edition
 
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 10.8 through 12.6.1. It has Incorrect Access Control. 2020-01-13 not yet calculated CVE-2019-20144
MISC
CONFIRM
gitlab — gitlab_community_and_enterprise_edition
 
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 5.1 through 12.6.1. It has Incorrect Access Control. 2020-01-13 not yet calculated CVE-2020-5197
MISC
CONFIRM
gitlab — gitlab_community_and_enterprise_edition
 
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 12.6. It has Incorrect Access Control. 2020-01-13 not yet calculated CVE-2019-20143
MISC
CONFIRM
gitlab — gitlab_enterprise_edition
 
An issue was discovered in GitLab Enterprise Edition (EE) 8.9.0 through 12.6.1. Using the project import feature, it was possible for someone to obtain issues from private projects. 2020-01-13 not yet calculated CVE-2020-6832
MISC
CONFIRM
google — android
 
A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application’s webview using a specially crafted gap-iab: URI. 2020-01-14 not yet calculated CVE-2019-0219
MLIST
MLIST
google — chrome Use after free in media picker in Google Chrome prior to 79.0.3945.88 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. 2020-01-10 not yet calculated CVE-2019-13767
SUSE
MISC
MISC
FEDORA
google — chrome
 
Inappropriate implementation in WebRTC in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2020-01-14 not yet calculated CVE-2019-13722
MISC
MISC
granding_technology — grand_ma_300
 
Grand MA 300 allows retrieval of the access PIN from sniffed data. 2020-01-13 not yet calculated CVE-2014-5380
MISC
MISC
MISC
MISC
hikvision — dvr_ds-7204hghi-f1_devices
 
Hikvision DVR DS-7204HGHI-F1 V4.0.1 build 180903 Web Version sends a different response for failed ISAPI/Security/sessionLogin/capabilities login attempts depending on whether the user account exists, which might make it easier to enumerate users. However, only about 4 or 5 failed logins are allowed. 2020-01-14 not yet calculated CVE-2020-7057
MISC
hpe — enhanced_internet_usage_manager
 
A potential security vulnerability has been identified in HPE enhanced Internet Usage Manager (eIUM) versions 8.3 and 9.0. The vulnerability could be used for unauthorized access to information via cross site scripting. HPE has made the following software updates to resolve the vulnerability in eIUM. The eIUM 8.3 FP01 customers are advised to install eIUM83FP01Patch_QXCR1001711284.20190806-1244 patch. The eIUM 9.0 customers are advised to upgrade to eIUM 9.0 FP02 PI5 or later versions. For other versions, please, contact the product support. 2020-01-16 not yet calculated CVE-2019-11997
CONFIRM
hpe — superdome_flex_server
 
HPE Superdome Flex Server is vulnerable to multiple remote vulnerabilities via improper input validation of administrator commands. This vulnerability could allow an Administrator to bypass security restrictions and access multiple remote vulnerabilities including information disclosure, or denial of service. HPE has provided firmware updates that address the above vulnerabilities for the HPE Superdome Flex Server starting with firmware version v3.20.186 (not available online) and v3.20.206 (available online). Apply v3.20.206 (4 December 2019) or a newer version to resolve this issue. Please visit HPE Support Center https://ift.tt/2HRwvvr to obtain the updated firmware for your product. 2020-01-16 not yet calculated CVE-2019-11998
CONFIRM
huawei — p2_devices
 
cn.wps.moffice.common.beans.print.CloudPrintWebView in Kingsoft Office 5.3.1, as used in Huawei P2 devices before V100R001C00B043, falls back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and execute arbitrary Java code by leveraging a network position between the client and the registry to block HTTPS traffic. 2020-01-14 not yet calculated CVE-2014-2271
MISC
MISC
MISC
MISC
MISC
identitypython — pysaml2
 
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature