| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| A remote code execution vulnerability exists in DEXT5Upload in DEXT5 through 2.7.1402870. An attacker can upload a PHP file via the dext5handler.jsp handler because the uploaded file is stored under dext5uploadeddata/. |
| ffjpeg through 2020-02-24 has an invalid write in bmp_load in bmp.c. |
| ffjpeg through 2020-02-24 has a heap-based buffer over-read in jfif_decode in jfif.c. |
| ffjpeg through 2020-02-24 has an invalid read in jfif_encode in jfif.c. |
| SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c. |
| SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c. |
| Jason2605 AdminPanel 4.0 allows SQL Injection via the editPlayer.php hidden parameter. |
| rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual files or folders are used, allows remote attackers to trigger an invalid-pointer write access violation via concurrent HTTP requests with a long URI or long HTTP headers. |
| I2P before 0.9.46 allows local users to gain privileges via a Trojan horse I2PSvc.exe file because of weak permissions on a certain %PROGRAMFILES% subdirectory. |
| Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource. |
| legend.ts in the piechart-panel (aka Pie Chart Panel) plugin before 1.5.0 for Grafana allows XSS via the Values Header (aka legend header) option. |
| A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 for macOS/iOS allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted H.264 Annex-B video (.avi for example) file. |
| Victor CMS 1.0 has Persistent XSS in admin/users.php?source=add_user via the user_name, user_firstname, or user_lastname parameter. |
| The Multi-Scheduler plugin 1.0.0 for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in the forms it presents, allowing the possibility of deleting records (users) when an ID is known. |
| TrackR devices through 2020-05-06 allow attackers to trigger the Beep (aka alarm) feature, which will eventually cause a denial of service when battery capacity is exhausted. |
| The XCloner component before 3.5.4 for Joomla! allows Authenticated Local File Disclosure. |
| Form Builder 2.1.0 for Magento has multiple XSS issues that can be exploited against Magento 2 admin accounts via the Current_url or email field, or the User-Agent HTTP header. |
| OpenIAM before 4.2.0.3 does not verify if a user has permissions to perform /webconsole/rest/api/* administrative actions. |
| OpenIAM before 4.2.0.3 has Incorrect Access Control for the Create User, Modify User Permissions, and Password Reset actions. |
| OpenIAM before 4.2.0.3 allows remote attackers to execute arbitrary code via Groovy Script. |