Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-14494 | 1 Openclinic Ga Project | 1 Openclinic Ga | 2021-11-04 | 5.0 MEDIUM | 9.8 CRITICAL |
| OpenClinic GA versions 5.09.02 and 5.89.05b contain an authentication mechanism within the system that does not provide sufficient complexity to protect against brute force attacks, which may allow unauthorized users to access the system after no more than a fixed maximum number of attempts. | |||||
| CVE-2021-43324 | 1 Librenms | 1 Librenms | 2021-11-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| LibreNMS through 21.10.2 allows XSS via a widget title. | |||||
| CVE-2020-14510 | 1 Secomea | 2 Gatemanager 8250, Gatemanager 8250 Firmware | 2021-11-04 | 10.0 HIGH | 9.8 CRITICAL |
| GateManager versions prior to 9.2c, The affected product contains a hard-coded credential for telnet, allowing an unprivileged attacker to execute commands as root. | |||||
| CVE-2020-14517 | 1 Wibu | 1 Codemeter | 2021-11-04 | 7.5 HIGH | 9.8 CRITICAL |
| Protocol encryption can be easily broken for CodeMeter (All versions prior to 6.90 are affected, including Version 6.90 or newer only if CodeMeter Runtime is running as server) and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API. | |||||
| CVE-2020-11057 | 1 Xwiki | 1 Xwiki | 2021-11-04 | 9.0 HIGH | 8.8 HIGH |
| In XWiki Platform 7.2 through 11.10.2, registered users without scripting/programming permissions are able to execute python/groovy scripts while editing personal dashboards. This has been fixed 11.3.7 , 11.10.3 and 12.0. | |||||
| CVE-2020-16048 | 1 Google | 1 Angle | 2021-11-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| Out of bounds read in ANGLE allowed a remote attacker to obtain sensitive data via a crafted HTML page. | |||||
| CVE-2021-43270 | 1 Datalust | 1 Seq.app.emailplus | 2021-11-04 | 5.0 MEDIUM | 7.5 HIGH |
| Datalust Seq.App.EmailPlus (aka seq-app-htmlemail) 3.1.0-dev-00148, 3.1.0-dev-00170, and 3.1.0-dev-00176 can use cleartext SMTP on port 25 in some cases where encryption on port 465 was intended. | |||||
| CVE-2021-33593 | 1 Navercorp | 1 Whale | 2021-11-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| Whale browser for iOS before 1.14.0 has an inconsistent user interface issue that allows an attacker to obfuscate the address bar which may lead to address bar spoofing. | |||||
| CVE-2020-11060 | 1 Glpi-project | 1 Glpi | 2021-11-04 | 9.0 HIGH | 8.8 HIGH |
| In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6. | |||||
| CVE-2020-11069 | 1 Typo3 | 1 Typo3 | 2021-11-04 | 6.8 MEDIUM | 8.8 HIGH |
| In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server. Scripts are then executed with the privileges of the victims' user session. In a worst-case scenario, new admin users can be created which can directly be used by an attacker. The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS) - but happens on the same target host - thus, it's actually a same-site request forgery. Malicious payload such as HTML containing JavaScript might be provided by either an authenticated backend user or by a non-authenticated user using a third party extension, e.g. file upload in a contact form with knowing the target location. To be successful, the attacked victim requires an active and valid backend or install tool user session at the time of the attack. This has been fixed in 9.5.17 and 10.4.2. The deployment of additional mitigation techniques is suggested as described below. - Sudo Mode Extension This TYPO3 extension intercepts modifications to security relevant database tables, e.g. those storing user accounts or storages of the file abstraction layer. Modifications need to confirmed again by the acting user providing their password again. This technique is known as sudo mode. This way, unintended actions happening in the background can be mitigated. - https://github.com/FriendsOfTYPO3/sudo-mode - https://extensions.typo3.org/extension/sudo_mode - Content Security Policy Content Security Policies tell (modern) browsers how resources served a particular site are handled. It is also possible to disallow script executions for specific locations. In a TYPO3 context, it is suggested to disallow direct script execution at least for locations /fileadmin/ and /uploads/. | |||||
| CVE-2020-11073 | 1 Autoswitch Python Virtualenv Project | 1 Autoswitch Python Virtualenv | 2021-11-04 | 4.6 MEDIUM | 7.8 HIGH |
| In Autoswitch Python Virtualenv before version 0.16.0, a user who enters a directory with a malicious `.venv` file could run arbitrary code without any user interaction. This is fixed in version: 1.16.0 | |||||
| CVE-2020-11933 | 1 Canonical | 2 Snapd, Ubuntu Linux | 2021-11-04 | 4.6 MEDIUM | 6.8 MEDIUM |
| cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659. | |||||
| CVE-2020-12001 | 1 Rockwellautomation | 2 Factorytalk Linx, Rslinx Classic | 2021-11-04 | 7.5 HIGH | 9.8 CRITICAL |
| FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.00 and prior,Connected Components Workbench: Version 12 and prior, ControlFLASH: Version 14 and later, ControlFLASH Plus: Version 1 and later, FactoryTalk Asset Centre: Version 9 and later, FactoryTalk Linx CommDTM: Version 1 and later, Studio 5000 Launcher: Version 31 and later Stud, 5000 Logix Designer software: Version 32 and prior is vulnerable. The parsing mechanism that processes certain file types does not provide input sanitation. This may allow an attacker to use specially crafted files to traverse the file system and modify or expose sensitive data or execute arbitrary code. | |||||
| CVE-2020-12013 | 2 Iconics, Mitsubishielectric | 11 Bizviz, Energy Analytix, Facility Analytix and 8 more | 2021-11-04 | 6.4 MEDIUM | 9.1 CRITICAL |
| A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior. | |||||
| CVE-2020-12024 | 1 Baxter | 4 Em1200, Em1200 Firmware, Em2400 and 1 more | 2021-11-04 | 3.6 LOW | 6.1 MEDIUM |
| Baxter ExactaMix EM 2400 versions 1.10, 1.11, 1.13, 1.14 and ExactaMix EM1200 Versions 1.1, 1.2, 1.4 and 1.5 does not restrict access to the USB interface from an unauthorized user with physical access. Successful exploitation of this vulnerability may allow an attacker with physical access to the system the ability to load an unauthorized payload or unauthorized access to the hard drive by booting a live USB OS. This could impact confidentiality and integrity of the system and risk exposure of sensitive information including PHI. | |||||
| CVE-2001-1323 | 1 Mit | 1 Kerberos 5 | 2021-11-04 | 7.5 HIGH | N/A |
| Buffer overflow in MIT Kerberos 5 (krb5) 1.2.2 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via base-64 encoded data, which is not properly handled when the radix_encode function processes file glob output from the ftpglob function. | |||||
| CVE-2020-12032 | 1 Baxter | 4 Em1200, Em1200 Firmware, Em2400 and 1 more | 2021-11-04 | 6.4 MEDIUM | 9.1 CRITICAL |
| Baxter ExactaMix EM 2400 Versions 1.10, 1.11 and ExactaMix EM1200 Versions 1.1, 1.2 systems store device data with sensitive information in an unencrypted database. This could allow an attacker with network access to view or modify sensitive data including PHI. | |||||
| CVE-2020-12493 | 1 Swarco | 1 Cpu Ls4000 Firmware | 2021-11-04 | 10.0 HIGH | 10.0 CRITICAL |
| An open port used for debugging in SWARCOs CPU LS4000 Series with versions starting with G4... grants root access to the device without access control via network. A malicious user could use this vulnerability to get access to the device and disturb operations with connected devices. | |||||
| CVE-2021-36181 | 1 Fortinet | 1 Fortiportal | 2021-11-04 | 3.5 LOW | 3.1 LOW |
| A concurrent execution using shared resource with improper Synchronization vulnerability ('Race Condition') in the customer database interface of FortiPortal before 6.0.6 may allow an authenticated, low-privilege user to bring the underlying database data into an inconsistent state via specific coordination of web requests. | |||||
| CVE-2020-11643 | 1 Br-automation | 6 Gatemanager 4260, Gatemanager 4260 Firmware, Gatemanager 8250 and 3 more | 2021-11-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| An information disclosure vulnerability in B&R GateManager 4260 and 9250 versions <9.0.20262 and GateManager 8250 versions <9.2.620236042 allows authenticated users to view information of devices belonging to foreign domains. | |||||