CVE Schwachstellen
CVE-Datenbank angereichert mit CISA KEV und NVD Daten
| CVE ID | CVSS | Schweregrad | KEV | Sichtungen |
|---|---|---|---|---|
| CVE-2020-11718 An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and below. Its software-update packages are downloaded via cleartext HTTP. | 7.4 | HIGH | — | 0 |
| CVE-2020-11720 An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and possibly below. During the installation, it sets up administrative access by default with the account admin and password... | 9.8 | CRITICAL | — | 0 |
| CVE-2020-26031 An issue was discovered in Zammad before 3.4.1. The global-search feature leaks Knowledge Base drafts to Knowledge Base readers (who are authenticated but have insufficient permissions). | 4.3 | MEDIUM | — | 0 |
| CVE-2020-29550 An issue was discovered in URVE Build 24.03.2020. The password of an integration user account (used for the connection of the MS Office 365 Integration Service) is stored in cleartext in configuration... | 7.5 | HIGH | — | 0 |
| CVE-2020-29551 An issue was discovered in URVE Build 24.03.2020. Using the _internal/pc/shutdown.php path, it is possible to shutdown the system. Among others, the following files and scripts are also accessible: _i... | 9.1 | CRITICAL | — | 0 |
| CVE-2020-29552 An issue was discovered in URVE Build 24.03.2020. By using the _internal/pc/vpro.php?mac=0&ip=0&operation=0&usr=0&pass=0%3bpowershell+-c+" substring, it is possible to execute a Powershell command and... | 9.8 | CRITICAL | — | 0 |
| CVE-2020-35587 In Solstice Pod before 3.0.3, the firmware can easily be decompiled/disassembled. The decompiled/disassembled files contain non-obfuscated code. NOTE: it is unclear whether lack of obfuscation is dire... | 7.5 | HIGH | — | 0 |
| CVE-2020-35650 Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Groups for LearnDash before v3.7 allow authenticated remote attackers to inject arbitrary JavaScript or HTML via the ulgm_code_redeem POS... | 6.1 | MEDIUM | — | 0 |
| CVE-2020-6159 URLs using “javascript:” have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but in certain circumstances this removal was not performe... | 6.1 | MEDIUM | — | 0 |
| CVE-2020-9439 Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Owl Tin Canny LearnDash Reporting before 3.4.4 allows authenticated remote attackers to inject arbitrary web script or HTML via the searc... | 6.1 | MEDIUM | — | 0 |
| CVE-2018-1000891 Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when receiving messages with invalid checksums. | 7.5 | HIGH | — | 0 |
| CVE-2018-1000892 Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when receiving sendheaders messages. | 7.5 | HIGH | — | 0 |
| CVE-2018-1000893 Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when deserializing transactions. | 7.5 | HIGH | — | 0 |
| CVE-2020-11719 An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and possibly below. It relies on broken encryption with a weak and guessable static encryption key. | 7.5 | HIGH | — | 0 |
| CVE-2020-4642 IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow local attacker to cause a denial of service inside the "DB2 Management Service". | 5.5 | MEDIUM | — | 0 |
| CVE-2020-13968 CRK Business Platform <= 2019.1 allows can inject SQL statements against the DB on any path using the 'strSessao' parameter. | 9.8 | CRITICAL | — | 0 |
| CVE-2020-13969 CRK Business Platform <= 2019.1 allows reflected XSS via erro.aspx on 'CRK', 'IDContratante', 'Erro', or 'Mod' parameter. This is path-independent. | 6.1 | MEDIUM | — | 0 |
| CVE-2020-27397 Marital - Online Matrimonial Project In PHP version 1.0 suffers from an authenticated file upload vulnerability allowing remote attackers to gain remote code execution (RCE) on the Hosting web server ... | 8.8 | HIGH | — | 0 |
| CVE-2020-28070 SourceCodester Alumni Management System 1.0 is affected by SQL injection causing arbitrary remote code execution from GET input in view_event.php via the 'id' parameter. | 9.8 | CRITICAL | — | 0 |
| CVE-2020-28071 SourceCodester Alumni Management System 1.0 is affected by cross-site Scripting (XSS) in /admin/gallery.php. After the admin authentication an attacker can upload an image in the gallery using a XSS p... | 4.8 | MEDIUM | — | 0 |
| CVE-2020-28073 SourceCodester Library Management System 1.0 is affected by SQL Injection allowing an attacker to bypass the user authentication and impersonate any user on the system. | 9.8 | CRITICAL | — | 0 |
| CVE-2020-28074 SourceCodester Online Health Care System 1.0 is affected by SQL Injection which allows a potential attacker to bypass the authentication system and become an admin. | 9.8 | CRITICAL | — | 0 |
| CVE-2020-35252 Cross Site Scripting (XSS) vulnerability via the 'Full Name' parameter in the User Registration section of User Registration & Login System with Admin Panel 1.0. | 6.1 | MEDIUM | — | 0 |
| CVE-2020-35269 Nagios Core application version 4.2.4 is vulnerable to Site-Wide Cross-Site Request Forgery (CSRF) in many functions, like adding – deleting for hosts or servers. | 8.8 | HIGH | — | 0 |
| CVE-2020-35370 A RCE vulnerability exists in Raysync below 3.3.3.8. An unauthenticated unauthorized attacker sending a specifically crafted request to override the specific file in server with malicious content can ... | 8.8 | HIGH | — | 0 |
| CVE-2020-35598 ACS Advanced Comment System 1.0 is affected by Directory Traversal via an advanced_component_system/index.php?ACS_path=..%2f URI. NOTE: this might be the same as CVE-2009-4623 | 7.5 | HIGH | — | 0 |
| CVE-2020-35665 An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation. | 9.8 | CRITICAL | — | 0 |
| CVE-2020-35666 Steedos Platform through 1.21.24 allows NoSQL injection because the /api/collection/findone implementation in server/packages/steedos_base.js mishandles req.body validation, as demonstrated by MongoDB... | 8.8 | HIGH | — | 0 |
| CVE-2020-29243 dhowden tag before 2020-11-19 allows "panic: runtime error: index out of range" via readAPICFrame. | 6.5 | MEDIUM | — | 0 |
| CVE-2020-35668 RedisGraph 2.x through 2.2.11 has a NULL Pointer Dereference that leads to a server crash because it mishandles an unquoted string, such as an alias that has not yet been introduced. | 7.5 | HIGH | — | 0 |
| CVE-2020-2499 A hard-coded password vulnerability has been reported to affect earlier versions of QES. If exploited, this vulnerability could allow attackers to log in with a hard-coded password. QNAP has already f... | 6.3 | MEDIUM | — | 0 |
| CVE-2020-2503 If exploited, this stored cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and ... | 9.0 | CRITICAL | — | 0 |
| CVE-2020-2504 If exploited, this absolute path traversal vulnerability could allow attackers to traverse files in File Station. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later. | 5.8 | MEDIUM | — | 0 |
| CVE-2020-35677 BigProf Online Invoicing System before 4.0 fails to adequately sanitize fields for HTML characters upon an administrator using admin/pageEditGroup.php to create a new group, resulting in Stored XSS. T... | 4.8 | MEDIUM | — | 0 |
| CVE-2020-2505 If exploited, this vulnerability could allow attackers to gain sensitive information via generation of error messages. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later. | 2.3 | LOW | — | 0 |
| CVE-2020-5681 Untrusted search path vulnerability in self-extracting files created by EpsonNet SetupManager versions 2.2.14 and earlier, and Offirio SynergyWare PrintDirector versions 1.6x/1.6y and earlier allows a... | 7.8 | HIGH | — | 0 |
| CVE-2020-5684 iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express does not verify a server certificate properly, which allows a man-in-the-middle attacker to e... | 4.8 | MEDIUM | — | 0 |
| CVE-2020-35669 An issue was discovered in the http package through 0.12.2 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP ... | 6.1 | MEDIUM | — | 0 |
| CVE-2020-35676 BigProf Online Invoicing System before 3.1 fails to correctly sanitize an XSS payload when a user registers using the self-registration functionality. As such, an attacker can input a crafted payload ... | 6.1 | MEDIUM | — | 0 |
| CVE-2020-27718 When a BIG-IP ASM or Advanced WAF system running version 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, or 11.6.1-11.6.5.2 processes requests with JSON payload, an ... | 7.5 | HIGH | — | 0 |
| CVE-2020-27721 In versions 16.0.0-16.0.0.1, 15.1.0-15.1.1, 14.1.0-14.1.3, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, in a BIG-IP DNS / BIG-IP LTM GSLB deployment, under certain circumstances, the BIG-IP ... | 7.5 | HIGH | — | 0 |
| CVE-2020-27724 In BIG-IP APM versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, on systems running more than one TMM instance, authentic... | 6.5 | MEDIUM | — | 0 |
| CVE-2020-27725 In version 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2 of BIG-IP DNS, GTM, and Link Controller, zxfrd leaks memory when listing DNS zones. Zones can be listed... | 4.3 | MEDIUM | — | 0 |
| CVE-2020-28190 TerraMaster TOS <= 4.2.06 was found to check for updates (of both system and applications) via an insecure channel (HTTP). Man-in-the-middle attackers are able to intercept these requests and serve a ... | 5.9 | MEDIUM | — | 0 |
| CVE-2020-28169 The td-agent-builder plugin before 2020-12-18 for Fluentd allows attackers to gain privileges because the bin directory is writable by a user account, but a file in bin is executed as NT AUTHORITY\SYS... | 7.0 | HIGH | — | 0 |
| CVE-2020-28184 Cross-site scripting (XSS) vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated users to inject arbitrary web script or HTML via the mod parameter to /module/index.php. | 5.4 | MEDIUM | — | 0 |
| CVE-2020-28185 User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php. | 5.3 | MEDIUM | — | 0 |
| CVE-2020-28186 Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover. | 7.3 | HIGH | — | 0 |
| CVE-2020-28187 Multiple directory traversal vulnerabilities in TerraMaster TOS <= 4.2.06 allow remote authenticated attackers to read, edit or delete any file within the filesystem via the (1) filename parameter to ... | 9.8 | CRITICAL | — | 0 |
| CVE-2020-28188 Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php in Event parameter. | 9.8 | CRITICAL | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.