Search Results (77066 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2020-28581 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2024-11-21 | 7.2 High | A command injection vulnerability in ModifyVLANItem of Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an authenticated, remote attacker to send specially crafted HTTP messages and execute arbitrary OS commands with elevated privileges. |
| CVE-2020-28580 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2024-11-21 | 7.2 High | A command injection vulnerability in AddVLANItem of Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an authenticated, remote attacker to send specially crafted HTTP messages and execute arbitrary OS commands with elevated privileges. |
| CVE-2020-28579 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2024-11-21 | 8.8 High | A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an authenticated, remote attacker to send a specially crafted HTTP message and achieve remote code execution with elevated privileges. |
| CVE-2020-28574 | 1 Trendmicro | 1 Worry-free Business Security | 2024-11-21 | 7.5 High | An unauthenticated path traversal arbitrary remote file deletion vulnerability in Trend Micro Worry-Free Business Security 10 SP1 could allow an unauthenticated attacker to exploit the vulnerability and modify or delete arbitrary files on the product's management console. |
| CVE-2020-28572 | 2 Microsoft, Trendmicro | 2 Windows, Apex One | 2024-11-21 | 7.8 High | A vulnerability in Trend Micro Apex One could allow an unprivileged user to abuse the product installer to reinstall the agent with additional malicious code in the context of a higher privilege. |
| CVE-2020-28503 | 1 Gulpjs | 1 Copy-props | 2024-11-21 | 7.3 High | The package copy-props before 2.0.5 is vulnerable to Prototype Pollution via the main functionality. |
| CVE-2020-28502 | 1 Xmlhttprequest Project | 1 Xmlhttprequest | 2024-11-21 | 8.1 High | This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run. |
| CVE-2020-28499 | 1 Merge Project | 1 Merge | 2024-11-21 | 7.3 High | All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge. |
| CVE-2020-28496 | 1 Three Project | 1 Three | 2024-11-21 | 7.5 High | This affects the package three before 0.125.0. This can happen when handling rgb or hsl colors. PoC: `var three = require('three'); function build_blank(n) { var ret = "rgb("; for (var i = 0; i < n; i++) { ret += " "; } return ret + ""; } var Color = three.Color; var time = Date.now(); new Color(build_blank(50000)); var time_cost = Date.now() - time; console.log(time_cost + " ms");` |
| CVE-2020-28495 | 1 Totaljs | 1 Total.js | 2024-11-21 | 7.3 High | This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However, the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of Service (DoS), Remote Code Execution or Property Injection. |
| CVE-2020-28494 | 1 Totaljs | 1 Total.js | 2024-11-21 | 8.6 High | This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because child_process.spawn is called with the option shell set to true and because the type parameter is not properly sanitized. |
| CVE-2020-28491 | 4 Fasterxml, Oracle, Quarkus and 1 more | 11 Jackson-dataformats-binary, Weblogic Server, Quarkus and 8 more | 2024-11-21 | 7.5 High | This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of a byte buffer can cause a java.lang.OutOfMemoryError exception. |
| CVE-2020-28483 | 1 Gin-gonic | 1 Gin | 2024-11-21 | 7.1 High | This affects all versions of package github.com/gin-gonic/gin. When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header. |
| CVE-2020-28480 | 1 Jointjs | 1 Jointjs | 2024-11-21 | 7.3 High | The package jointjs before 3.3.0 is vulnerable to Prototype Pollution via util.setByPath (https://resources.jointjs.com/docs/jointjs/v3.2/joint.htmlutil.setByPath). The path used to access the object's key and set the value is not properly sanitized, leading to a Prototype Pollution. |
| CVE-2020-28478 | 1 Greensock | 1 Greensock Animation Platform | 2024-11-21 | 7.5 High | This affects the package gsap before 3.6.0. |
| CVE-2020-28477 | 2 Immer Project, Redhat | 2 Immer, Rhev Manager | 2024-11-21 | 7.5 High | This affects all versions of package immer. |
| CVE-2020-28472 | 1 Amazon | 2 Aws Sdk For Javascript, Aws Shared Configuration File Loader | 2024-11-21 | 7.3 High | This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context. |
| CVE-2020-28471 | 1 Properties-reader Project | 1 Properties-reader | 2024-11-21 | 7.3 High | This affects the package properties-reader before 2.2.0. |
| CVE-2020-28470 | 1 Scully | 1 Scully | 2024-11-21 | 7.3 High | This affects the package @scullyio/scully before 1.0.9. The transfer state is serialised with the JSON.stringify() function and then written into the HTML page. |
| CVE-2020-28468 | 1 Pwntools Project | 1 Pwntools | 2024-11-21 | 8.1 High | This affects the package pwntools before 4.3.1. The shellcraft generator for affected versions of this module is vulnerable to Server-Side Template Injection (SSTI), which can lead to remote code execution. |