Total
27865 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2006-1681 | 1 Cherokee | 1 Cherokee Httpd | 2020-12-23 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Cherokee HTTPD 0.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a malformed request that generates an HTTP 400 error, which is not properly handled when the error message is generated. | |||||
| CVE-2020-7662 | 1 Websocket-extensions Project | 1 Websocket-extensions | 2020-12-23 | 5.0 MEDIUM | 7.5 HIGH |
| websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header. | |||||
| CVE-2020-14225 | 2 Hcltech, Hcltechsw | 2 Hcl Inotes, Hcl Inotes | 2020-12-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| HCL iNotes is susceptible to a Tabnabbing vulnerability caused by improper sanitization of message content. A remote unauthenticated attacker could use this vulnerability to trick the end user into entering sensitive information such as credentials, e.g. as part of a phishing attack. | |||||
| CVE-2020-15294 | 1 Bitdefender | 1 Hypervisor Introspection | 2020-12-22 | 4.4 MEDIUM | 7.0 HIGH |
| Compiler Optimization Removal or Modification of Security-critical Code vulnerability in IntPeParseUnwindData() results in multiple dereferences to the same pointer. If the pointer is located in memory-mapped from the guest space, this may cause a race-condition where the generated code would dereference the same address twice, thus obtaining different values, which may lead to arbitrary code execution. This issue affects: Bitdefender Hypervisor Introspection versions prior to 1.132.2. | |||||
| CVE-2020-35579 | 1 Subconverter Project | 1 Subconverter | 2020-12-22 | 5.0 MEDIUM | 7.5 HIGH |
| tindy2013 subconverter 0.6.4 has a /sub?target=%TARGET%&url=%URL%&config=%CONFIG% API endpoint that accepts an arbitrary %URL% value and launches a GET request for it, but does not consider that the external request target may indirectly redirect back to this original /sub endpoint. Thus, a request loop and a denial of service may occur. | |||||
| CVE-2020-29578 | 1 Matomo | 1 Piwik Fpm-alpine Docker Image | 2020-12-22 | 10.0 HIGH | 9.8 CRITICAL |
| The official piwik Docker images before fpm-alpine (Alpine specific) contain a blank password for a root user. Systems using the Piwik Docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access. | |||||
| CVE-2020-29577 | 1 Znc | 1 Znc Docker Image | 2020-12-22 | 10.0 HIGH | 9.8 CRITICAL |
| The official znc docker images before 1.7.1-slim contain a blank password for a root user. Systems using the znc docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-29576 | 1 Eggheads | 1 Eggdrop Docker Image | 2020-12-22 | 10.0 HIGH | 9.8 CRITICAL |
| The official eggdrop Docker images before 1.8.4rc2 contain a blank password for a root user. Systems using the Eggdrop Docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-29575 | 1 Docker | 1 Elixir Alpine Docker Image | 2020-12-22 | 10.0 HIGH | 9.8 CRITICAL |
| The official elixir Docker images before 1.8.0-alpine (Alpine specific) contain a blank password for a root user. Systems using the elixir Linux Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-29564 | 1 Hashicorp | 1 Consul Docker Image | 2020-12-22 | 10.0 HIGH | 9.8 CRITICAL |
| The official Consul Docker images 0.7.1 through 1.4.2 contain a blank password for a root user. System using the Consul Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-29579 | 1 Express-gateway | 1 Express-gateway Docker Image | 2020-12-21 | 10.0 HIGH | 9.8 CRITICAL |
| The official Express Gateway Docker images before 1.14.0 contain a blank password for a root user. Systems using the Express Gateway Docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access. | |||||
| CVE-2020-29580 | 1 Docker | 1 Storm Docker Image | 2020-12-21 | 10.0 HIGH | 9.8 CRITICAL |
| The official storm Docker images before 1.2.1 contain a blank password for a root user. Systems using the Storm Docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-29581 | 1 Docker | 1 Spiped Alpine Docker Image | 2020-12-21 | 10.0 HIGH | 9.8 CRITICAL |
| The official spiped docker images before 1.5-alpine contain a blank password for a root user. Systems using the spiped docker container deployed by affected versions of the docker image may allow an remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-14232 | 1 Hcltech | 1 Notes | 2020-12-21 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in the input parameter handling of HCL Notes v9 could potentially be exploited by an authenticated attacker resulting in a stack buffer overflow. This could allow the attacker to crash the program or inject code into the system which would execute with the privileges of the currently logged in user. | |||||
| CVE-2020-35554 | 1 Google | 1 Android | 2020-12-21 | 4.6 MEDIUM | 7.8 HIGH |
| An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, 9.0, and 10 software. There is a WebView SSL error-handler vulnerability. The LG ID is LVE-SMP-200026 (December 2020). | |||||
| CVE-2020-25619 | 1 Solarwinds | 1 N-central | 2020-12-21 | 3.6 LOW | 4.4 MEDIUM |
| An issue was discovered in SolarWinds N-Central 12.3.0.670. The SSH component does not restrict the Communication Channel to Intended Endpoints. An attacker can leverage an SSH feature (port forwarding with a temporary key pair) to access network services on the 127.0.0.1 interface, even though this feature was only intended for user-to-agent communication. | |||||
| CVE-2020-25096 | 1 Logrhythm | 1 Platform Manager | 2020-12-21 | 6.5 MEDIUM | 8.8 HIGH |
| LogRhythm Platform Manager (PM) 7.4.9 has Incorrect Access Control. Users within LogRhythm can be delegated different roles and privileges, intended to limit what data and services they can interact with. However, no access control is enforced for WebSocket-based communication to the PM application server, which will forward requests to any configured back-end server, regardless of whether the user's access rights should permit this. As a result, even the most low-privileged user can interact with any back-end component that has a LogRhythm agent installed. | |||||
| CVE-2020-28442 | 1 Js-data | 1 Js-data | 2020-12-16 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn function. | |||||
| CVE-2007-1321 | 4 Debian, Fedoraproject, Qemu and 1 more | 5 Debian Linux, Fedora, Fedora Core and 2 more | 2020-12-15 | 7.2 HIGH | N/A |
| Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 "receive" integer signedness error. NOTE: this identifier was inadvertently used by some sources to cover multiple issues that were labeled "NE2000 network driver and the socket code," but separate identifiers have been created for the individual vulnerabilities since there are sometimes different fixes; see CVE-2007-5729 and CVE-2007-5730. | |||||
| CVE-2007-1366 | 2 Debian, Qemu | 2 Debian Linux, Qemu | 2020-12-15 | 2.1 LOW | N/A |
| QEMU 0.8.2 allows local users to crash a virtual machine via the divisor operand to the aam instruction, as demonstrated by "aam 0x0," which triggers a divide-by-zero error. | |||||