Search Results (364234 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2020-8142 1 Revive-adserver 1 Revive Adserver 2024-11-21 6.8 Medium
A security restriction bypass vulnerability has been discovered in Revive Adserver version < 5.0.5 by HackerOne user hoangn144. Revive Adserver, like many other applications, requires the logged in user to type the current password in order to change the e-mail address or the password. It was however possible for anyone with access to a Revive Adserver admin user interface to bypass such check and change e-email address or password of the currently logged in user by altering the form payload.The attack requires physical access to the user interface of a logged in user. If the POST payload was altered by turning the “pwold” parameter into an array, Revive Adserver would fetch and authorise the operation even if no password was provided.
CVE-2020-8141 1 Dot Project 1 Dot 2024-11-21 8.8 High
The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.
CVE-2020-8140 2 Apple, Nextcloud 2 Macos, Desktop 2024-11-21 6.7 Medium
A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the environment.
CVE-2020-8139 2 Fedoraproject, Nextcloud 2 Fedora, Nextcloud Server 2024-11-21 6.5 Medium
A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL.
CVE-2020-8138 1 Nextcloud 1 Nextcloud Server 2024-11-21 6.5 Medium
A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL.
CVE-2020-8137 1 Blamer Project 1 Blamer 2024-11-21 9.8 Critical
Code injection vulnerability in blamer 1.0.0 and earlier may result in remote code execution when the input can be controlled by an attacker.
CVE-2020-8136 1 Fastify 1 Fastify-multipart 2024-11-21 7.5 High
Prototype pollution vulnerability in fastify-multipart < 1.0.5 allows an attacker to crash fastify applications parsing multipart requests by sending a specially crafted request.
CVE-2020-8135 1 Uppy 1 Uppy 2024-11-21 9.8 Critical
The uppy npm package < 1.9.3 is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan local or external network or otherwise interact with internal systems.
CVE-2020-8134 1 Ghost 1 Ghost 2024-11-21 8.1 High
Server-side request forgery (SSRF) vulnerability in Ghost CMS < 3.10.0 allows an attacker to scan local or external network or otherwise interact with internal systems.
CVE-2020-8133 1 Nextcloud 1 Nextcloud Server 2024-11-21 5.3 Medium
A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file.
CVE-2020-8132 1 Pdf-image Project 1 Pdf-image 2024-11-21 9.8 Critical
Lack of input validation in pdf-image npm package version <= 2.0.0 may allow an attacker to run arbitrary code if PDF file path is constructed based on untrusted user input.
CVE-2020-8131 2 Redhat, Yarnpkg 2 Quay, Yarn 2024-11-21 7.5 High
Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.
CVE-2020-8130 6 Canonical, Debian, Fedoraproject and 3 more 7 Ubuntu Linux, Debian Linux, Fedora and 4 more 2024-11-21 6.4 Medium
There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`.
CVE-2020-8129 1 Script-manager Project 1 Script-manager 2024-11-21 9.8 Critical
An unintended require vulnerability in script-manager npm package version 0.8.6 and earlier may allow attackers to execute arbitrary code.
CVE-2020-8128 1 Jsreport 1 Jsreport 2024-11-21 9.8 Critical
An unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code.
CVE-2020-8127 1 Revealjs 1 Reveal.js 2024-11-21 6.1 Medium
Insufficient validation in cross-origin communication (postMessage) in reveal.js version 3.9.1 and earlier allow attackers to perform cross-site scripting attacks.
CVE-2020-8126 1 Ui 1 Edgeswitch 2024-11-21 7.8 High
A privilege escalation in the EdgeSwitch prior to version 1.7.1, an CGI script don't fully sanitize the user input resulting in local commands execution, allowing an operator user (Privilege-1) to escalate privileges and became administrator (Privilege-15).
CVE-2020-8125 1 Klona Project 1 Klona 2024-11-21 9.8 Critical
Flaw in input validation in npm package klona version 1.1.0 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using klona.
CVE-2020-8124 2 Redhat, Url-parse Project 2 Service Mesh, Url-parse 2024-11-21 5.3 Medium
Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks.
CVE-2020-8123 1 Strapi 1 Strapi 2024-11-21 4.9 Medium
A denial of service exists in strapi v3.0.0-beta.18.3 and earlier that can be abused in the admin console using admin rights can lead to arbitrary restart of the application.