| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 allows access to the RTSP service without a password. |
| Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products |
| Zoho ManageEngine Password Manager Pro 10.4 and prior has no protection against Cross-site Request Forgery (CSRF) attacks, as demonstrated by changing a user's role. |
| An issue was discovered in signotec signoPAD-API/Web (formerly Websocket Pad Server) before 3.1.1 on Windows. It is possible to perform a Denial of Service attack because the application doesn't limit the number of opened WebSocket sockets. If a victim visits an attacker-controlled website, this vulnerability can be exploited. |
| Subversion ALM for the enterprise before 8.8.2 allows reflected XSS at multiple locations. |
| An issue was discovered in signotec signoPAD-API/Web (formerly Websocket Pad Server) before 3.1.1 on Windows. It is possible to perform a Denial of Service attack because the implementation doesn't limit the parsing of nested JSON structures. If a victim visits an attacker-controlled website, this vulnerability can be exploited via WebSocket data with a deeply nested JSON array. |
| The F-Secure AV parsing engine before 2020-02-05 allows virus-detection bypass via crafted Compression Method data in a GZIP archive. This affects versions before 17.0.605.474 (on Linux) of Cloud Protection For Salesforce, Email and Server Security, and Internet GateKeeper. |
| CandidATS 2.1.0 is vulnerable to CSRF that allows for an administrator account to be added via the index.php?m=settings&a=addUser URI. |
| fauzantrif eLection 2.0 has SQL Injection via the admin/ajax/op_kandidat.php id parameter. |
| SOPlanning 1.45 allows XSS via the Name or Comment to status.php. |
| SOPlanning 1.45 allows XSS via the "Your SoPlanning url" field. |
| In GolfBuddy Course Manager 1.1, passwords are sent (with base64 encoding) via a GET request. |
| fauzantrif eLection 2.0 has XSS via the Admin Dashboard -> Settings -> Election -> "message if election is closed" field. |
| Multiple stored XSS vulnerabilities exist in the 10Web Photo Gallery plugin before 1.5.46 WordPress. Successful exploitation of this vulnerability would allow a authenticated admin user to inject arbitrary JavaScript code that is viewed by other users. |
| A stored XSS vulnerability exists in the Envira Photo Gallery plugin through 1.7.6 for WordPress. Successful exploitation of this vulnerability would allow a authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users. |
| ftusbbus2.sys in FabulaTech USB for Remote Desktop through 2020-02-19 allows privilege escalation via crafted IoCtl code related to a USB HID device. |
| CryptoPro CSP through 5.0.0.10004 on 32-bit platforms allows Local Privilege Escalation (by local users with the SeChangeNotifyPrivilege right) because user-mode input is mishandled during process creation. An attacker can write arbitrary data to an arbitrary location in the kernel's address space. |
| Certain Xerox WorkCentre printers before 073.xxx.000.02300 do not require the user to reenter or validate LDAP bind credentials when changing the LDAP connector IP address. A malicious actor who gains access to affected devices (e.g., by using default credentials) can change the LDAP connection IP address to a system owned by the actor without knowledge of the LDAP bind credentials. After changing the LDAP connection IP address, subsequent authentication attempts will result in the printer sending plaintext LDAP (Active Directory) credentials to the actor. Although the credentials may belong to a non-privileged user, organizations frequently use privileged service accounts to bind to Active Directory. The attacker gains a foothold on the Active Directory domain at a minimum, and may use the credentials to take over control of the Active Directory domain. This affects 3655*, 3655i*, 58XX*, 58XXi*, 59XX*, 59XXi*, 6655**, 6655i**, 72XX*, 72XXi*, 78XX**, 78XXi**, 7970**, 7970i**, EC7836**, and EC7856** devices. |
| Gogs through 0.11.91 allows attackers to violate the admin-specified repo-creation policy due to an internal/db/repo.go race condition. |
| In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations. |
