| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| GitLab Enterprise Edition (EE) 11.9 and later through 12.5 has Insecure Permissions. |
| GitLab Enterprise Edition (EE) 6.7 and later through 12.5 allows SSRF. |
| GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 2 of 2). |
| GitLab Enterprise Edition (EE) 11.3 and later through 12.5 allows an Insecure Direct Object Reference (IDOR). |
| GitLab Enterprise Edition (EE) 10.8 and later through 12.5 has Incorrect Access Control. |
| GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 has Incorrect Access Control (issue 1 of 2). |
| GitLab Enterprise Edition (EE) 12.2 and later through 12.5 has Incorrect Access Control. |
| GitLab Enterprise Edition (EE) 12.3 and later through 12.5 has Incorrect Access Control. |
| GitLab Community Edition (CE) and Enterprise Edition (EE) 9.6 and later through 12.5 has Incorrect Access Control. |
| vcs_write in drivers/tty/vt/vc_screen.c in the Linux kernel through 5.3.13 does not prevent write access to vcsu devices, aka CID-0c9acb1af77a. |
| The Last.fm desktop app (Last.fm Scrobbler) through 2.1.39 on macOS makes HTTP requests that include an API key without the use of SSL/TLS. Although there is an Enable SSL option, it is disabled by default, and cleartext requests are made as soon as the app starts. |
| OpenTrade before 2019-11-23 allows SQL injection, related to server/modules/api/v1.js and server/utils.js. |
| Controllers/InvitationsController.cs in QueryTree before 3.0.99-beta mishandles invitations. |
| Electronic Arts Origin through 10.5.x allows Elevation of Privilege (issue 2 of 2). |
| Electronic Arts Origin through 10.5.x allows Elevation of Privilege (issue 1 of 2). |
| Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c. |
| sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage. |
| SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c. |
| In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and net/socket.c. For example, an attacker can bypass intended restrictions on adding an IPv4 address to the loopback interface. This occurs because IORING_OP_SENDMSG operations, although requested in the context of an unprivileged user, are sometimes performed by a kernel worker thread without considering that context. |
| Embedthis GoAhead before 5.0.1 mishandles redirected HTTP requests with a large Host header. The GoAhead WebsRedirect uses a static host buffer that has a limited length and can overflow. This can cause a copy of the Host header to fail, leaving that buffer uninitialized, which may leak uninitialized data in a response. |