Total: 210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-11058 | 2 Canonical, Freerdp | 2 Ubuntu Linux, Freerdp | 2021-10-07 | 3.5 LOW | 2.2 LOW |
| In FreeRDP after 1.1 and before 2.0.0, a stream out-of-bounds seek in rdp_read_font_capability_set could lead to a later out-of-bounds read. As a result, a manipulated client or server might force a disconnect due to an invalid data read. This has been fixed in 2.0.0. | |||||
| CVE-2020-8151 | 2 Fedoraproject, Rubyonrails | 2 Fedora, Active Resource | 2021-10-07 | 5.0 MEDIUM | 7.5 HIGH |
| There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information. | |||||
| CVE-2020-11050 | 1 Java-websocket Project | 1 Java-websocket | 2021-10-07 | 6.8 MEDIUM | 8.1 HIGH |
| In Java-WebSocket less than or equal to 1.4.1, there is an Improper Validation of Certificate with Host Mismatch where WebSocketClient does not perform SSL hostname validation. This has been patched in 1.5.0. | |||||
| CVE-2020-18684 | 1 Atlassian | 1 Floodlight | 2021-10-07 | 7.5 HIGH | 9.8 CRITICAL |
| Floodlight through 1.2 has an integer overflow in checkFlow in StaticFlowEntryPusherResource.java via priority or port number. | |||||
| CVE-2020-15099 | 1 Typo3 | 1 Typo3 | 2021-10-07 | 6.8 MEDIUM | 8.1 HIGH |
| In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php, which again contains the encryptionKey as well as credentials of the database management system being used. In case a database server is directly accessible either via internet or in a shared hosting network, this allows the ability to completely retrieve, manipulate or delete database contents. This includes creating an administration user account - which can be used to trigger remote code execution by injecting custom extensions. This has been patched in versions 9.5.20 and 10.4.6. | |||||
| CVE-2020-15102 | 1 Prestashop | 1 Dashboard Products | 2021-10-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| In PrestaShop Dashboard Products before version 2.1.0, there is improper authorization which enables an attacker to change the configuration. The problem is fixed in 2.1.0. | |||||
| CVE-2020-15111 | 1 Gofiber | 1 Fiber | 2021-10-07 | 5.8 MEDIUM | 5.4 MEDIUM |
| In Fiber before version 1.12.6, the filename that is given in c.Attachment() (https://docs.gofiber.io/ctx#attachment) is not escaped, and is therefore vulnerable to a CRLF injection attack. I.e. an attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc. A possible workaround is to serialize the input before passing it to ctx.Attachment(). | |||||
| CVE-2020-8186 | 1 Devcert Project | 1 Devcert | 2021-10-07 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerability in the `devcert` module may lead to remote code execution when users of the module pass untrusted input to the `certificateFor` function. | |||||
| CVE-2021-0226 | 1 Juniper | 1 Junos Os Evolved | 2021-10-07 | 5.0 MEDIUM | 7.5 HIGH |
| On Juniper Networks Junos OS Evolved devices, receipt of a specific IPv6 packet may cause an established IPv6 BGP session to terminate, creating a Denial of Service (DoS) condition. Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue does not affect IPv4 BGP sessions. This issue affects IBGP or EBGP peer sessions with IPv6. This issue affects: Juniper Networks Junos OS Evolved: 19.4 versions prior to 19.4R2-S3-EVO; 20.1 versions prior to 20.1R2-S3-EVO; 20.2 versions prior to 20.2R2-S1-EVO; 20.3 versions prior to 20.3R2-EVO. This issue does not affect Juniper Networks Junos OS releases. | |||||
| CVE-2020-8920 | 1 Google | 1 Gerrit | 2021-10-07 | 2.7 LOW | 3.5 LOW |
| An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts. | |||||
| CVE-2020-26256 | 1 C2fo | 1 Fast-csv | 2021-10-07 | 3.5 LOW | 6.5 MEDIUM |
| Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. In fast-csv before version 4.3.6 there is a possible ReDoS vulnerability (Regular Expression Denial of Service) when using the `ignoreEmpty` option when parsing. This has been patched in `v4.3.6`. You will only be affected by this if you use the `ignoreEmpty` parsing option. If you do use this option it is recommended that you upgrade to the latest version `v4.3.6`. This vulnerability was found using a CodeQL query which identified the `EMPTY_ROW_REGEXP` regular expression as vulnerable. | |||||
| CVE-2020-10517 | 1 Github | 1 Github | 2021-10-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to determine the names of unauthorized private repositories given their numerical IDs. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22 and was fixed in versions 2.21.6, 2.20.15, and 2.19.21. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
| CVE-2021-25961 | 1 Salesagility | 1 Suitecrm | 2021-10-07 | 6.0 MEDIUM | 8.0 HIGH |
| In the “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links that are associated with a deleted user id, which makes account takeover possible for any newly created user with the same user id. | |||||
| CVE-2021-41295 | 1 Ecoa | 5 Ecs Router Controller-ecs, Ecs Router Controller-ecs Firmware, Riskbuster and 2 more | 2021-10-07 | 6.8 MEDIUM | 8.8 HIGH |
| ECOA BAS controller has a Cross-Site Request Forgery vulnerability, thus an authenticated attacker can remotely place a forged request at a malicious web page and execute CRUD commands (GET, POST, PUT, DELETE) to perform arbitrary operations in the system. | |||||
| CVE-2021-25960 | 1 Salesagility | 1 Suitecrm | 2021-10-07 | 6.0 MEDIUM | 8.0 HIGH |
| In the “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by a “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use the accounts module to inject payloads in the input fields. When an administrator accesses the accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure. | |||||
| CVE-2021-41294 | 1 Ecoa | 5 Ecs Router Controller-ecs, Ecs Router Controller-ecs Firmware, Riskbuster and 2 more | 2021-10-07 | 6.4 MEDIUM | 9.1 CRITICAL |
| ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary file deletion. Using the specific GET parameter, unauthenticated attackers can remotely delete arbitrary files on the affected device and cause a denial of service scenario. | |||||
| CVE-2021-41293 | 1 Ecoa | 5 Ecs Router Controller-ecs, Ecs Router Controller-ecs Firmware, Riskbuster and 2 more | 2021-10-07 | 5.0 MEDIUM | 7.5 HIGH |
| ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary file disclosure. Using the specific POST parameter, unauthenticated attackers can remotely disclose arbitrary files on the affected device and disclose sensitive and system information. | |||||
| CVE-2021-34413 | 1 Zoom | 1 Zoom Plugin For Microsoft Outlook | 2021-10-07 | 6.0 MEDIUM | 7.5 HIGH |
| All versions of the Zoom Plugin for Microsoft Outlook for MacOS before 5.3.52553.0918 contain a Time-of-check Time-of-use (TOC/TOU) vulnerability during the plugin installation process. This could allow a standard user to write their own malicious application to the plugin directory, allowing the malicious application to execute in a privileged context. | |||||
| CVE-2021-41296 | 1 Ecoa | 5 Ecs Router Controller-ecs, Ecs Router Controller-ecs Firmware, Riskbuster and 2 more | 2021-10-07 | 5.0 MEDIUM | 9.8 CRITICAL |
| ECOA BAS controller uses a weak set of default administrative credentials that can be easily guessed in remote password attacks to gain full control of the system. | |||||
| CVE-2021-41298 | 1 Ecoa | 5 Ecs Router Controller-ecs, Ecs Router Controller-ecs Firmware, Riskbuster and 2 more | 2021-10-07 | 6.5 MEDIUM | 8.8 HIGH |
| ECOA BAS controller is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers with general user privileges can remotely bypass authorization, access the hidden resources in the system and execute privileged functionalities. | |||||
