Total
1509 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-14162 | 1 Pi-hole | 1 Pi-hole | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
| An issue was discovered in Pi-Hole through 5.0. The local www-data user has sudo privileges to execute the pihole core script as root without a password, which could allow an attacker to obtain root access via shell metacharacters to this script's setdns command. | |||||
| CVE-2020-10088 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 5.5 MEDIUM | 8.1 HIGH |
| GitLab 12.5 through 12.8.1 has Insecure Permissions. Depending on particular group settings, it was possible for invited groups to be given the incorrect permission level. | |||||
| CVE-2020-9141 | 1 Huawei | 2 Emui, Magic Ui | 2021-07-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| There is a improper privilege management vulnerability in some Huawei smartphone. Successful exploitation of this vulnerability can cause information disclosure and malfunctions due to insufficient verification of data authenticity. | |||||
| CVE-2020-7908 | 1 Jetbrains | 1 Teamcity | 2021-07-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| In JetBrains TeamCity before 2019.1.5, reverse tabnabbing was possible on several pages. | |||||
| CVE-2020-29481 | 3 Debian, Fedoraproject, Xen | 3 Debian Linux, Fedora, Xen | 2021-07-21 | 4.6 MEDIUM | 8.8 HIGH |
| An issue was discovered in Xen through 4.14.x. Access rights of Xenstore nodes are per domid. Unfortunately, existing granted access rights are not removed when a domain is being destroyed. This means that a new domain created with the same domid will inherit the access rights to Xenstore nodes from the previous domain(s) with the same domid. Because all Xenstore entries of a guest below /local/domain/<domid> are being deleted by Xen tools when a guest is destroyed, only Xenstore entries of other guests still running are affected. For example, a newly created guest domain might be able to read sensitive information that had belonged to a previously existing guest domain. Both Xenstore implementations (C and Ocaml) are vulnerable. | |||||
| CVE-2020-16262 | 1 Winstonprivacy | 2 Winston, Winston Firmware | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
| Winston 1.5.4 devices have a local www-data user that is overly permissioned, resulting in root privilege escalation. | |||||
| CVE-2020-26596 | 2 Elementor, Wordpress | 2 Elementor Pro, Wordpress | 2021-07-21 | 9.0 HIGH | 8.8 HIGH |
| The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role. | |||||
| CVE-2020-5182 | 1 Cmsjunkie | 1 J-businessdirectory | 2021-07-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The J-BusinessDirectory extension before 5.2.9 for Joomla! allows Reverse Tabnabbing. In some configurations, the link to the business website can be entered by any user. If it doesn't contain rel="noopener" (or similar attributes such as noreferrer), the tabnabbing may occur. To reproduce the bug, create a business with a website link that contains JavaScript to exploit the window.opener property (for example, by setting window.opener.location). | |||||
| CVE-2019-3651 | 1 Mcafee | 1 Advanced Threat Defense | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| Information Disclosure vulnerability in McAfee Advanced Threat Defense (ATD prior to 4.8 allows remote authenticated attackers to gain access to ePO as an administrator via using the atduser credentials, which were too permissive. | |||||
| CVE-2020-14194 | 1 Zulip | 1 Zulip Server | 2021-07-21 | 5.8 MEDIUM | 5.4 MEDIUM |
| Zulip Server before 2.1.5 allows reverse tabnapping via a topic header link. | |||||
| CVE-2020-14215 | 1 Zulip | 1 Zulip Server | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| Zulip Server before 2.1.5 has Incorrect Access Control because 0198_preregistrationuser_invited_as adds the administrator role to invitations. | |||||
| CVE-2020-14976 | 1 Gns3 | 2 Gns3, Ubridge | 2021-07-21 | 4.9 MEDIUM | 5.5 MEDIUM |
| GNS3 ubridge through 0.9.18 on macOS, as used in GNS3 server before 2.1.17, allows a local attacker to read arbitrary files because it handles configuration-file errors by printing the configuration file while executing in a setuid root context. | |||||
| CVE-2020-15826 | 1 Jetbrains | 1 Teamcity | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| In JetBrains TeamCity before 2020.1, users are able to assign more permissions than they have. | |||||
| CVE-2020-11464 | 1 Deskpro | 1 Deskpro | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Deskpro before 2019.8.0. The /api/people endpoint failed to properly validate a user's privilege, allowing an attacker to retrieve sensitive information about all users registered on the system. This includes their full name, privilege, email address, phone number, etc. | |||||
| CVE-2020-11466 | 1 Deskpro | 1 Deskpro | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Deskpro before 2019.8.0. The /api/tickets endpoint failed to properly validate a user's privilege, allowing an attacker to retrieve arbitrary information about all helpdesk tickets stored in database with numerous filters. This leaked sensitive information to unauthorized parties. Additionally, it leaked ticket authentication code, making it possible to make changes to a ticket. | |||||
| CVE-2020-25106 | 1 Supremocontrol | 1 Supremo | 2021-07-21 | 9.3 HIGH | 7.8 HIGH |
| Nanosystems SupRemo 4.1.3.2348 allows attackers to obtain LocalSystem access because File Manager can be used to rename Supremo.exe and then upload a Trojan horse with the Supremo.exe filename. | |||||
| CVE-2020-11956 | 1 Rittal | 9 Cmc Iii Pu 7030.000, Cmc Iii Pu 7030.000 Firmware, Cmciii-pu-9333e0fb and 6 more | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on Rittal PDU-3C002DEC through 5.17.10 and CMCIII-PU-9333E0FB through 3.17.10 devices. There is a least privilege violation. | |||||
| CVE-2020-12074 | 1 Webtoffee | 1 Import Export Wordpress Users | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| The users-customers-import-export-for-wp-woocommerce plugin before 1.3.9 for WordPress allows subscribers to import administrative accounts via CSV. | |||||
| CVE-2020-12860 | 1 Health | 1 Covidsafe | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| COVIDSafe through v1.0.17 allows a remote attacker to access phone name and model information because a BLE device can have four roles and COVIDSafe uses all of them. This allows for re-identification of a device, and potentially identification of the owner's name. | |||||
| CVE-2020-13638 | 1 Rconfig | 1 Rconfig | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. This issue has been fixed in 3.9.7. | |||||