Export limit exceeded: 35247 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (4766 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-36308 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2024-11-21 | 5.3 Medium |
| Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discover the subject of a non-visible issue by performing a CSV export and reading time entries. | ||||
| CVE-2020-36144 | 1 Redash | 1 Redash | 2024-11-21 | 5.3 Medium |
| Redash 8.0.0 is affected by LDAP Injection. There is an information leak through the crafting of special queries, escaping the provided template since the username included in the search filter lacks sanitization. | ||||
| CVE-2020-35775 | 1 Citsmart | 1 Citsmart | 2024-11-21 | 9.8 Critical |
| CITSmart before 9.1.2.23 allows LDAP Injection. | ||||
| CVE-2020-35669 | 1 Dart | 1 Http | 2024-11-21 | 6.1 Medium |
| An issue was discovered in the http package through 0.12.2 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request. | ||||
| CVE-2020-35608 | 1 Microsoft | 1 Azure Sphere | 2024-11-21 | 7.8 High |
| A code execution vulnerability exists in the normal world’s signed code execution functionality of Microsoft Azure Sphere 20.07. A specially crafted AF_PACKET socket can cause a process to create an executable memory mapping with controllable content. An attacker can execute a shellcode that uses the PACKET_MMAP functionality to trigger this vulnerability. | ||||
| CVE-2020-35564 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2024-11-21 | 7.5 High |
| An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an outdated and unused component allowing for malicious user input of active code. | ||||
| CVE-2020-35213 | 1 Atomix | 1 Atomix | 2024-11-21 | 8.1 High |
| An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node. | ||||
| CVE-2020-2503 | 1 Qnap | 1 Qes | 2024-11-21 | 9 Critical |
| If exploited, this stored cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later. | ||||
| CVE-2020-29655 | 1 Asus | 2 Rt-ac88u, Rt-ac88u Firmware | 2024-11-21 | 7.5 High |
| An injection vulnerability exists in RT-AC88U Download Master before 3.1.0.108. Accessing Main_Login.asp?flag=1&productname=FOOBAR&url=/downloadmaster/task.asp will redirect to the login site, which will show the value of the parameter productname within the title. An attacker might be able to influence the appearance of the login page, aka text injection. | ||||
| CVE-2020-28848 | 1 Churchcrm | 1 Churchcrm | 2024-11-21 | 8.8 High |
| CSV Injection vulnerability in ChurchCRM version 4.2.0, allows remote attackers to execute arbitrary code via crafted CSV file. | ||||
| CVE-2020-28468 | 1 Pwntools Project | 1 Pwntools | 2024-11-21 | 8.1 High |
| This affects the package pwntools before 4.3.1. The shellcraft generator for affected versions of this module are vulnerable to Server-Side Template Injection (SSTI), which can lead to remote code execution. | ||||
| CVE-2020-28246 | 1 Form | 1 Form.io | 2024-11-21 | 9.8 Critical |
| A Server-Side Template Injection (SSTI) was discovered in Form.io 2.0.0. This leads to Remote Code Execution during deletion of the default Email template URL. NOTE: the email templating service was removed after 2020. Additionally, the vendor disputes this issue indicating this is sandboxed and only executable by admins. | ||||
| CVE-2020-28031 | 1 Eramba | 1 Eramba | 2024-11-21 | 4.3 Medium |
| eramba through c2.8.1 allows HTTP Host header injection with (for example) resultant wkhtml2pdf PDF printing by authenticated users. | ||||
| CVE-2020-27687 | 1 Thingsboard | 1 Thingsboard | 2024-11-21 | 8.8 High |
| ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. This allows an attacker to send malicious links in password-reset emails to victims, pointing to an attacker-controlled server. Lack of validation of the Host header allows this to happen. | ||||
| CVE-2020-27627 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 6.1 Medium |
| JetBrains TeamCity before 2020.1.2 was vulnerable to URL injection. | ||||
| CVE-2020-27602 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 9.8 Critical |
| BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken. | ||||
| CVE-2020-27260 | 1 Innokasmedical | 2 Vital Signs Monitor Vc150, Vital Signs Monitor Vc150 Firmware | 2024-11-21 | 5.3 Medium |
| Innokas Yhtymä Oy Vital Signs Monitor VC150 prior to Version 1.7.15 HL7 v2.x injection vulnerabilities exist in the affected products that allow physically proximate attackers with a connected barcode reader to inject HL7 v2.x segments into specific HL7 v2.x messages via multiple expected parameters. | ||||
| CVE-2020-27212 | 1 St | 95 Stm32cubel4 Firmware, Stm32l412c8, Stm32l412cb and 92 more | 2024-11-21 | 7.0 High |
| STMicroelectronics STM32L4 devices through 2020-10-19 have incorrect access control. The flash read-out protection (RDP) can be degraded from RDP level 2 (no access via debug interface) to level 1 (limited access via debug interface) by injecting a fault during the boot phase. | ||||
| CVE-2020-27123 | 1 Cisco | 1 Anyconnect Secure Mobility Client | 2024-11-21 | 5.5 Medium |
| A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to read arbitrary files on the underlying operating system of an affected device. The vulnerability is due to an exposed IPC function. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process on an affected device. A successful exploit could allow the attacker to read arbitrary files on the underlying operating system of the affected device. | ||||
| CVE-2020-26884 | 1 Rsa | 1 Archer | 2024-11-21 | 6.1 Medium |
| RSA Archer 6.8 through 6.8.0.3 and 6.9 contains a URL injection vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability by tricking a victim application user into executing malicious JavaScript code in the context of the web application. | ||||