| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters. |
| Global.py in AIL framework 2.8 allows path traversal. |
| OX App Suite through 7.10.3 allows SSRF. |
| OX App Suite through 7.10.3 has Improper Input Validation. |
| OX App Suite through 7.10.3 allows XSS. |
| OX App Suite through 7.10.3 allows XXE attacks. |
| An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. |
| Kia Motors Head Unit with Software version: SOP.003.30.18.0703, SOP.005.7.181019, and SOP.007.1.191209 may allow an attacker to inject unauthorized commands, by executing the micomd executable deamon, to trigger unintended functionalities. In addition, this executable may be used by an attacker to inject commands to generate CAN frames that are sent into the M-CAN bus (Multimedia CAN bus) of the vehicle. |
| SQL injection with start and length parameters in Records.php for phpzag live add edit delete data tables records with ajax php mysql |
| SQL injection in order and column parameters in Records.php for phpzag live add edit delete data tables records with ajax php mysql |
| SQL injection with the search parameter in Records.php for phpzag live add edit delete data tables records with ajax php mysql |
| Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution. |
| An issue was discovered in Squid before 4.10. Due to incorrect input validation, the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections, this can result in the helper process being terminated unexpectedly. This leads to the Squid process also terminating and a denial of service for all clients using the proxy. |
| The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before attempting to connect to it, which might make it easier for remote attackers to discover circuit information. NOTE: The network team of Tor claims this is an intended behavior and not a vulnerability |
| An issue was discovered in Rumpus 8.2.10 on macOS. By crafting a directory name, it is possible to activate JavaScript in the context of the web application after invoking the rename folder functionality. |
| In IceWarp Webmail Server through 11.4.4.1, there is XSS in the /webmail/ color parameter. |
| In Artica Pandora FMS through 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the File Repository component, a different issue than CVE-2020-7935 and CVE-2020-8500. |
| An issue was discovered in phpABook 0.9 Intermediate. On the login page, if one sets a userInfo cookie with the value of admin+1+en (user+perms+lang), one can login as any user without a password. |
| Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure. |
| nsak64.sys in Norman Malware Cleaner 2.08.08 allows users to call arbitrary kernel functions because the passing of function pointers between user and kernel mode is mishandled. |
