Search Results (75928 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2020-9381 | 1 Totaljs | 1 Total.js Cms | 2024-11-21 | 7.5 High | controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954. |
| CVE-2020-9376 | 1 Dlink | 2 Dir-610, Dir-610 Firmware | 2024-11-21 | 7.5 High | D-Link DIR-610 devices allow Information Disclosure via SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1 to getcfg.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
| CVE-2020-9372 | 1 Codepeople | 1 Appointment Booking Calendar | 2024-11-21 | 7.8 High | The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection. |
| CVE-2020-9369 | 3 Debian, Fedoraproject, Sympa | 3 Debian Linux, Fedora, Sympa | 2024-11-21 | 7.5 High | Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a denial of service (disk consumption from temporary files, and a flood of notifications to listmasters) via a series of requests with malformed parameters. |
| CVE-2020-9368 | 1 Oleacorner | 1 Olea Gift On Order | 2024-11-21 | 7.5 High | The Module Olea Gift On Order module through 5.0.8 for PrestaShop enables an unauthenticated user to read arbitrary files on the server via getfile.php?file=/.. directory traversal. |
| CVE-2020-9367 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | 7.8 High | The MPS Agent in Zoho ManageEngine Desktop Central MSP build 10.0.486 is vulnerable to DLL Hijacking: dcinventory.exe and dcconfig.exe try to load CSUNSAPI.dll without supplying the complete path. The issue is aggravated because this DLL is missing from the installation, thus making it possible to hijack the DLL and subsequently inject code, leading to an escalation of privilege to NT AUTHORITY\SYSTEM. |
| CVE-2020-9365 | 2 Fedoraproject, Pureftpd | 2 Fedora, Pure-ftpd | 2024-11-21 | 7.5 High | An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read has been detected in the pure_strcmp function in utils.c. |
| CVE-2020-9363 | 1 Sophos | 6 Cloud Optix, Endpoint Protection, Intercept X Endpoint and 3 more | 2024-11-21 | 7.8 High | The Sophos AV parsing engine before 2020-01-14 allows virus-detection bypass via a crafted ZIP archive. This affects Endpoint Protection, Cloud Optix, Mobile, Intercept X Endpoint, Intercept X for Server, and Secure Web Gateway. NOTE: the vendor feels that this does not apply to endpoint-protection products because the virus would be detected upon extraction. |
| CVE-2020-9362 | 1 Quickheal | 6 Antivirus For Server, Antivirus Pro, Home Security and 3 more | 2024-11-21 | 7.8 High | The Quick Heal AV parsing engine (November 2019) allows virus-detection bypass via a crafted GPFLAG in a ZIP archive. This affects Total Security, Home Security, Total Security Multi-Device, Internet Security, Total Security for Mac, AntiVirus Pro, AntiVirus for Server, and Total Security for Android. |
| CVE-2020-9354 | 1 Smartclient | 1 Smartclient | 2024-11-21 | 7.5 High | An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. path traversal. |
| CVE-2020-9353 | 1 Smartclient | 1 Smartclient | 2024-11-21 | 7.5 High | An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML element in the _transaction parameter. NOTE: the documentation states "These tools are, by default, available to anyone ... so they should only be deployed into a trusted environment. Alternately, the tools can easily be restricted to administrators or end users by protecting the tools path with normal authentication and authorization mechanisms on the web server." |
| CVE-2020-9349 | 1 Cacagoo | 2 Tv-288zd-2mp, Tv-288zd-2mp Firmware | 2024-11-21 | 7.5 High | The CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 allows access to the RTSP service without a password. |
| CVE-2020-9346 | 1 Zohocorp | 1 Manageengine Password Manager Pro | 2024-11-21 | 8.8 High | Zoho ManageEngine Password Manager Pro 10.4 and prior has no protection against Cross-site Request Forgery (CSRF) attacks, as demonstrated by changing a user's role. |
| CVE-2020-9341 | 1 Auieo | 1 Candidats | 2024-11-21 | 8.8 High | CandidATS 2.1.0 is vulnerable to CSRF that allows for an administrator account to be added via the index.php?m=settings&a=addUser URI. |
| CVE-2020-9340 | 1 Fauzantrif Election Project | 1 Fauzantrif Election | 2024-11-21 | 7.2 High | fauzantrif eLection 2.0 has SQL Injection via the admin/ajax/op_kandidat.php id parameter. |
| CVE-2020-9332 | 1 Fabulatech | 1 Usb For Remote Desktop | 2024-11-21 | 7.8 High | ftusbbus2.sys in FabulaTech USB for Remote Desktop through 2020-02-19 allows privilege escalation via crafted IoCtl code related to a USB HID device. |
| CVE-2020-9331 | 1 Cryptopro | 1 Csp | 2024-11-21 | 7.8 High | CryptoPro CSP through 5.0.0.10004 on 32-bit platforms allows Local Privilege Escalation (by local users with the SeChangeNotifyPrivilege right) because user-mode input is mishandled during process creation. An attacker can write arbitrary data to an arbitrary location in the kernel's address space. |
| CVE-2020-9330 | 1 Xerox | 36 Workcentre 3655, Workcentre 3655 Firmware, Workcentre 3655i and 33 more | 2024-11-21 | 8.8 High | Certain Xerox WorkCentre printers before 073.xxx.000.02300 do not require the user to reenter or validate LDAP bind credentials when changing the LDAP connector IP address. A malicious actor who gains access to affected devices (e.g., by using default credentials) can change the LDAP connection IP address to a system owned by the actor without knowledge of the LDAP bind credentials. After changing the LDAP connection IP address, subsequent authentication attempts will result in the printer sending plaintext LDAP (Active Directory) credentials to the actor. Although the credentials may belong to a non-privileged user, organizations frequently use privileged service accounts to bind to Active Directory. The attacker gains a foothold on the Active Directory domain at a minimum, and may use the credentials to take over control of the Active Directory domain. This affects 3655*, 3655i*, 58XX*, 58XXi*, 59XX*, 59XXi*, 6655**, 6655i**, 72XX*, 72XXi*, 78XX**, 78XXi**, 7970**, 7970i**, EC7836**, and EC7856** devices. |
| CVE-2020-9327 | 6 Canonical, Netapp, Oracle and 3 more | 12 Ubuntu Linux, Cloud Backup, Communications Messaging Server and 9 more | 2024-11-21 | 7.5 High | In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations. |
| CVE-2020-9326 | 1 Beyondtrust | 1 Privilege Management For Windows And Mac | 2024-11-21 | 7.5 High | BeyondTrust Privilege Management for Windows and Mac (aka PMWM; formerly Avecto Defendpoint) 5.1 through 5.5 before 5.5 SR1 mishandles command-line arguments with PowerShell .ps1 file extensions present, leading to a DefendpointService.exe crash. |