CVE Vulnerabilities
CVE database enriched with CISA KEV and NVD data
| CVE ID | Description | CVSS | Severity | KEV | Observations |
|---|---|---|---|---|---|
| CVE-2020-24679 | A S+ Operations and S+ Historian service is subject to a DoS by special crafted messages. An attacker might use this flaw to make it crash or even execute arbitrary code on the machine where the servi... | 7.5 | HIGH | — | 0 |
| CVE-2020-24680 | In S+ Operations and S+ Historian, the passwords of internal users (not Windows Users) are encrypted but improperly stored in a database. | 7.0 | HIGH | — | 0 |
| CVE-2020-24683 | The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not as... | 9.8 | CRITICAL | — | 0 |
| CVE-2020-35891 | An issue was discovered in the ordnung crate through 2020-09-03 for Rust. compact::Vec violates memory safety via a remove() double free. | 7.5 | HIGH | — | 0 |
| CVE-2020-25066 | A heap-based buffer overflow in the Treck HTTP Server component before 6.0.1.68 allows remote attackers to cause a denial of service (crash/reset) or to possibly execute arbitrary code. | 10.0 | CRITICAL | — | 0 |
| CVE-2020-27338 | An issue was discovered in Treck IPv6 before 6.0.1.68. Improper Input Validation in the DHCPv6 client component allows an unauthenticated remote attacker to cause an Out of Bounds Read, and possibly a... | 5.9 | MEDIUM | — | 0 |
| CVE-2020-28641 | In Malwarebytes Free 4.1.0.56, a symbolic link may be used delete an arbitrary file on the system by exploiting the local quarantine system. | 7.1 | HIGH | — | 0 |
| CVE-2020-35656 | Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser and admin.php?reqGadg... | 7.2 | HIGH | — | 0 |
| CVE-2020-35657 | Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of UploadTheme to upload a theme ZIP archive containing a .php file that is able to execute OS c... | 7.2 | HIGH | — | 0 |
| CVE-2020-35658 | SpamTitan before 7.09 allows attackers to tamper with backups, because backups are not encrypted. | 5.3 | MEDIUM | — | 0 |
| CVE-2020-35864 | An issue was discovered in the flatbuffers crate through 2020-04-11 for Rust. read_scalar (and read_scalar_at) can transmute values without unsafe blocks. | 7.5 | HIGH | — | 0 |
| CVE-2020-25153 | The built-in web service for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower does not require users to have strong passwords. | 9.8 | CRITICAL | — | 0 |
| CVE-2020-25190 | The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower stores and transmits the credentials of third-party services in cleartext. | 7.5 | HIGH | — | 0 |
| CVE-2020-25192 | The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower allows sensitive information to be displayed without proper authorization. | 5.3 | MEDIUM | — | 0 |
| CVE-2020-25194 | The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower has improper privilege management, which may allow an attacker with user privileges to perform requests with administr... | 8.8 | HIGH | — | 0 |
| CVE-2020-25196 | The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower allows SSH/Telnet sessions, which may be vulnerable to brute force attacks to bypass authentication. | 9.8 | CRITICAL | — | 0 |
| CVE-2020-25198 | The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower has incorrectly implemented protections from session fixation, which may allow an attacker to gain access to a session... | 8.8 | HIGH | — | 0 |
| CVE-2020-35136 | Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for... | 7.2 | HIGH | — | 0 |
| CVE-2020-35584 | In Solstice Pod before 3.0.3, the web services allow users to connect to them over unencrypted channels via the Browser Look-in feature. An attacker suitably positioned to view a legitimate user's net... | 5.9 | MEDIUM | — | 0 |
| CVE-2020-35585 | In Solstice Pod before 3.3.0 (or Open4.3), the screen key can be enumerated using brute-force attacks via the /lookin/info Solstice Open Control API because there are only 1.7 million possibilities. | 7.5 | HIGH | — | 0 |
| CVE-2020-35586 | In Solstice Pod before 3.3.0 (or Open4.3), the Administrator password can be enumerated using brute-force attacks via the /Config/service/initModel?password= Solstice Open Control API because there is... | 7.5 | HIGH | — | 0 |
| CVE-2020-11718 | An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and below. Its software-update packages are downloaded via cleartext HTTP. | 7.4 | HIGH | — | 0 |
| CVE-2020-11720 | An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and possibly below. During the installation, it sets up administrative access by default with the account admin and password... | 9.8 | CRITICAL | — | 0 |
| CVE-2020-26031 | An issue was discovered in Zammad before 3.4.1. The global-search feature leaks Knowledge Base drafts to Knowledge Base readers (who are authenticated but have insufficient permissions). | 4.3 | MEDIUM | — | 0 |
| CVE-2020-29550 | An issue was discovered in URVE Build 24.03.2020. The password of an integration user account (used for the connection of the MS Office 365 Integration Service) is stored in cleartext in configuration... | 7.5 | HIGH | — | 0 |
| CVE-2020-29551 | An issue was discovered in URVE Build 24.03.2020. Using the _internal/pc/shutdown.php path, it is possible to shutdown the system. Among others, the following files and scripts are also accessible: _i... | 9.1 | CRITICAL | — | 0 |
| CVE-2020-29552 | An issue was discovered in URVE Build 24.03.2020. By using the _internal/pc/vpro.php?mac=0&ip=0&operation=0&usr=0&pass=0%3bpowershell+-c+" substring, it is possible to execute a Powershell command and... | 9.8 | CRITICAL | — | 0 |
| CVE-2020-35587 | In Solstice Pod before 3.0.3, the firmware can easily be decompiled/disassembled. The decompiled/disassembled files contain non-obfuscated code. NOTE: it is unclear whether lack of obfuscation is dire... | 7.5 | HIGH | — | 0 |
| CVE-2020-35650 | Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Groups for LearnDash before v3.7 allow authenticated remote attackers to inject arbitrary JavaScript or HTML via the ulgm_code_redeem POS... | 6.1 | MEDIUM | — | 0 |
| CVE-2020-6159 | URLs using "javascript:" have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but in certain circumstances this removal was not performe... | 6.1 | MEDIUM | — | 0 |
| CVE-2020-9439 | Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Owl Tin Canny LearnDash Reporting before 3.4.4 allows authenticated remote attackers to inject arbitrary web script or HTML via the searc... | 6.1 | MEDIUM | — | 0 |
| CVE-2018-1000891 | Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when receiving messages with invalid checksums. | 7.5 | HIGH | — | 0 |
| CVE-2018-1000892 | Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when receiving sendheaders messages. | 7.5 | HIGH | — | 0 |
| CVE-2018-1000893 | Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when deserializing transactions. | 7.5 | HIGH | — | 0 |
| CVE-2020-11719 | An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and possibly below. It relies on broken encryption with a weak and guessable static encryption key. | 7.5 | HIGH | — | 0 |
| CVE-2020-4642 | IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow local attacker to cause a denial of service inside the "DB2 Management Service". | 5.5 | MEDIUM | — | 0 |
| CVE-2020-13968 | CRK Business Platform <= 2019.1 allows can inject SQL statements against the DB on any path using the 'strSessao' parameter. | 9.8 | CRITICAL | — | 0 |
| CVE-2020-13969 | CRK Business Platform <= 2019.1 allows reflected XSS via erro.aspx on 'CRK', 'IDContratante', 'Erro', or 'Mod' parameter. This is path-independent. | 6.1 | MEDIUM | — | 0 |
| CVE-2020-27397 | Marital - Online Matrimonial Project In PHP version 1.0 suffers from an authenticated file upload vulnerability allowing remote attackers to gain remote code execution (RCE) on the Hosting web server ... | 8.8 | HIGH | — | 0 |
| CVE-2020-28070 | SourceCodester Alumni Management System 1.0 is affected by SQL injection causing arbitrary remote code execution from GET input in view_event.php via the 'id' parameter. | 9.8 | CRITICAL | — | 0 |
| CVE-2020-28071 | SourceCodester Alumni Management System 1.0 is affected by cross-site Scripting (XSS) in /admin/gallery.php. After the admin authentication an attacker can upload an image in the gallery using a XSS p... | 4.8 | MEDIUM | — | 0 |
| CVE-2020-28073 | SourceCodester Library Management System 1.0 is affected by SQL Injection allowing an attacker to bypass the user authentication and impersonate any user on the system. | 9.8 | CRITICAL | — | 0 |
| CVE-2020-28074 | SourceCodester Online Health Care System 1.0 is affected by SQL Injection which allows a potential attacker to bypass the authentication system and become an admin. | 9.8 | CRITICAL | — | 0 |
| CVE-2020-35252 | Cross Site Scripting (XSS) vulnerability via the 'Full Name' parameter in the User Registration section of User Registration & Login System with Admin Panel 1.0. | 6.1 | MEDIUM | — | 0 |
| CVE-2020-35269 | Nagios Core application version 4.2.4 is vulnerable to Site-Wide Cross-Site Request Forgery (CSRF) in many functions, like adding – deleting for hosts or servers. | 8.8 | HIGH | — | 0 |
| CVE-2020-35370 | A RCE vulnerability exists in Raysync below 3.3.3.8. An unauthenticated unauthorized attacker sending a specifically crafted request to override the specific file in server with malicious content can ... | 8.8 | HIGH | — | 0 |
| CVE-2020-35598 | ACS Advanced Comment System 1.0 is affected by Directory Traversal via an advanced_component_system/index.php?ACS_path=..%2f URI. NOTE: this might be the same as CVE-2009-4623 | 7.5 | HIGH | — | 0 |
| CVE-2020-35665 | An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation. | 9.8 | CRITICAL | — | 0 |
| CVE-2020-35666 | Steedos Platform through 1.21.24 allows NoSQL injection because the /api/collection/findone implementation in server/packages/steedos_base.js mishandles req.body validation, as demonstrated by MongoDB... | 8.8 | HIGH | — | 0 |
| CVE-2020-29243 | dhowden tag before 2020-11-19 allows "panic: runtime error: index out of range" via readAPICFrame. | 6.5 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.