Total
801 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-11961 | 1 Mi | 2 Xiaomi R3600, Xiaomi R3600 Firmware | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| Xiaomi router R3600 ROM before 1.0.50 is affected by a sensitive information leakage caused by an insecure interface get_config_result without authentication | |||||
| CVE-2020-11969 | 1 Apache | 1 Tomee | 2021-07-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. This affects Apache TomEE 8.0.0-M1 - 8.0.1, Apache TomEE 7.1.0 - 7.1.2, Apache TomEE 7.0.0-M1 - 7.0.7, Apache TomEE 1.0.0 - 1.7.5. | |||||
| CVE-2020-11856 | 1 Microfocus | 1 Operation Bridge Reporter | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| Arbitrary code execution vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow remote attackers to execute arbitrary code on affected installations of OBR. | |||||
| CVE-2019-13194 | 1 Brother | 2 Hl-l8360cdw, Hl-l8360cdw Firmware | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| Some Brother printers (such as the HL-L8360CDW v1.20) were affected by different information disclosure vulnerabilities that provided sensitive information to an unauthenticated user who visits a specific URL. | |||||
| CVE-2020-11673 | 1 Total-soft | 1 Responsive Poll | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the Responsive Poll through 1.3.4 for Wordpress. It allows an unauthenticated user to manipulate polls, e.g., delete, clone, or view a hidden poll. This is due to the usage of the callback wp_ajax_nopriv function in Includes/Total-Soft-Poll-Ajax.php for sensitive operations. | |||||
| CVE-2020-11599 | 1 Cipplanner | 1 Cipace | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in CIPPlanner CIPAce 6.80 Build 2016031401. GetDistributedPOP3 allows attackers to obtain the username and password of the SMTP user. | |||||
| CVE-2020-11598 | 1 Cipplanner | 1 Cipace | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. Upload.ashx allows remote attackers to execute arbitrary code by uploading and executing an ASHX file. | |||||
| CVE-2020-11539 | 1 Titan | 2 Sf Rush Smart Band, Sf Rush Smart Band Firmware | 2021-07-21 | 4.8 MEDIUM | 8.1 HIGH |
| An issue was discovered on Tata Sonata Smart SF Rush 1.12 devices. It has been identified that the smart band has no pairing (mode 0 Bluetooth LE security level) The data being transmitted over the air is not encrypted. Adding to this, the data being sent to the smart band doesn't have any authentication or signature verification. Thus, any attacker can control a parameter of the device. | |||||
| CVE-2020-10965 | 1 Teradici | 1 Pcoip Management Console | 2021-07-21 | 6.8 MEDIUM | 8.1 HIGH |
| Teradici PCoIP Management Console 20.01.0 and 19.11.1 is vulnerable to unauthenticated password resets via login/resetadminpassword of the default admin account. This vulnerability only exists when the default admin account is not disabled. It is fixed in 20.01.1 and 19.11.2. | |||||
| CVE-2019-13205 | 1 Kyocera | 2 Ecosys M5526cdw, Ecosys M5526cdw Firmware | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| All configuration parameters of certain Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) were accessible by unauthenticated users. This information was only presented in the menus when authenticated, and the pages that loaded this information were also protected. However, all files that contained the configuration parameters were accessible. These files contained sensitive information, such as users, community strings, and other passwords configured in the printer. | |||||
| CVE-2019-13338 | 1 Weseek | 1 Growi | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki access to make API calls for page metadata. In other words, the password hash can be retrieved even though it is not a publicly available field. | |||||
| CVE-2020-10874 | 1 Motorola | 8 Fx9500-41324d41-us, Fx9500-41324d41-us Firmware, Fx9500-41324d41-ww and 5 more | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| Motorola FX9500 devices allow remote attackers to read database files. | |||||
| CVE-2020-10833 | 1 Google | 1 Android | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Samsung mobile devices with Q(10.0) software. The DeX Lockscreen allows attackers to access the quick panel and notifications. The Samsung ID is SVE-2019-16532 (March 2020). | |||||
| CVE-2019-14927 | 2 Inea, Mitsubishielectric | 4 Me-rtu, Me-rtu Firmware, Smartrtu and 1 more | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Mitsubishi Electric ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote configuration download vulnerability allows an attacker to download the smartRTU's configuration file (which contains data such as usernames, passwords, and other sensitive RTU data). | |||||
| CVE-2020-10263 | 1 Mi | 2 Xiaomi Xiaoai Speaker Pro Lx06, Xiaomi Xiaoai Speaker Pro Lx06 Firmware | 2021-07-21 | 7.2 HIGH | 6.8 MEDIUM |
| An issue was discovered on XIAOMI XIAOAI speaker Pro LX06 1.52.4. Attackers can get root shell by accessing the UART interface and then they can (i) read Wi-Fi SSID or password, (ii) read the dialogue text files between users and XIAOMI XIAOAI speaker Pro LX06, (iii) use Text-To-Speech tools pretend XIAOMI speakers' voice achieve social engineering attacks, (iv) eavesdrop on users and record what XIAOMI XIAOAI speaker Pro LX06 hears, (v) modify system files, (vi) use commands to send any IR code through IR emitter on XIAOMI XIAOAI Speaker Pro LX06, (vii) stop voice assistant service, (viii) enable the XIAOMI XIAOAI Speaker Pro’ SSH or TELNET service as a backdoor, (IX) tamper with the router configuration of the router in the local area networks. | |||||
| CVE-2019-15129 | 1 Humanica | 1 Humatrix 7 | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to access all candidates' files in the photo folder on the website by specifying a "user id" parameter and file name, such as in a recruitment_online/upload/user/[user_id]/photo/[file_name] URI. | |||||
| CVE-2019-15506 | 1 Kaseya | 1 Virtual System Administrator | 2021-07-21 | 7.8 HIGH | 7.5 HIGH |
| An issue was discovered in Kaseya Virtual System Administrator (VSA) through 9.4.0.37. It has a critical information disclosure vulnerability. An unauthenticated attacker can send properly formatted requests to the web application and download sensitive files and information. For example, the /DATAREPORTS directory can be farmed for reports. Because this directory contains the results of reports such as NMAP, Patch Status, and Active Directory domain metadata, an attacker can easily collect this critical information and parse it for information. There are a number of directories affected. | |||||
| CVE-2019-15511 | 1 Gog | 1 Galaxy | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
| An exploitable local privilege escalation vulnerability exists in the GalaxyClientService installed by GOG Galaxy. Due to Improper Access Control, an attacker can send unauthenticated local TCP packets to the service to gain SYSTEM privileges in Windows system where GOG Galaxy software is installed. All GOG Galaxy versions before 1.2.60 and all corresponding versions of GOG Galaxy 2.0 Beta are affected. | |||||
| CVE-2020-0052 | 1 Google | 1 Android | 2021-07-21 | 1.9 LOW | 4.3 MEDIUM |
| In smsSelected of AnswerFragment.java, there is a way to send an SMS from the lock screen due to a permissions bypass. This could lead to local escalation of privilege on the lock screen with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-137102479 | |||||
| CVE-2020-15391 | 1 Devspace | 1 Devspace | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| The UI in DevSpace 4.13.0 allows web sites to execute actions on pods (on behalf of a victim) because of a lack of authentication for the WebSocket protocol. This leads to remote code execution. | |||||