| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| In SIMATIC MV400 family versions prior to v7.0.6, the ISN generator is initialized with a constant value and has constant increments. An attacker could predict and hijack TCP sessions. |
| In Oryx CycloneTCP 1.9.6, TCP ISNs are improperly random. |
| In Silicon Labs uC/TCP-IP 3.6.0, TCP ISNs are improperly random. |
| In JetBrains TeamCity before 2020.1.5, secure dependency parameters could be not masked in depending builds when there are no internal artifacts. |
| In JetBrains TeamCity before 2020.1.5, the Guest user had access to audit records. |
| JetBrains TeamCity before 2020.1.2 was vulnerable to URL injection. |
| JetBrains YouTrack before 2020.3.5333 was vulnerable to SSRF. |
| In JetBrains YouTrack before 2020.3.888, notifications might have mentioned inaccessible issues. |
| JetBrains YouTrack before 2020.3.888 was vulnerable to SSRF. |
| JetBrains IdeaVim before version 0.58 might have caused an information leak in limited circumstances. |
| In JetBrains IntelliJ IDEA before 2020.2, the built-in web server could expose information about the IDE version. |
| The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address. Instead, for various actions, it would report the IP address of an internal Wikimedia Foundation server by omitting X-Forwarded-For data. This resulted in an inability to properly audit and attribute various user actions performed via the FileImporter extension. |
| The Cosmos Skin for MediaWiki through 1.35.0 has stored XSS because MediaWiki messages were not being properly escaped. This is related to wfMessage and Html::rawElement, as demonstrated by CosmosSocialProfile::getUserGroups. |
| In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP. |
| eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol. |
| ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a calculation. A guest can crash the QEMU process. |
| The Loginizer plugin before 1.6.4 for WordPress allows SQL injection (with resultant XSS), related to loginizer_login_failed and lz_valid_ip. |
| AnyDesk for macOS versions 6.0.2 and older have a vulnerability in the XPC interface that does not properly validate client requests and allows local privilege escalation. |
| The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access. |
| Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window. |
