Search Results (363284 CVEs found)

Columns: CVE | Vendors (count): names | Products (count): names | Updated | CVSS v3.1 (score, severity). Each row is followed by its description.

CVE-2020-35722 | Vendors (1): Quest | Products (1): Policy Authority For Unified Communications | Updated: 2024-11-21 | CVSS v3.1: 6.5 Medium
    CSRF in Web Compliance Manager in Quest Policy Authority 8.1.2.200 allows remote attackers to force user modification/creation via a specially crafted link to the submitUser.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVE-2020-35721 | Vendors (1): Quest | Products (1): Policy Authority For Unified Communications | Updated: 2024-11-21 | CVSS v3.1: 5.4 Medium
    Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the BrowseAssets.do file via the title parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVE-2020-35720 | Vendors (1): Quest | Products (1): Policy Authority For Unified Communications | Updated: 2024-11-21 | CVSS v3.1: 5.4 Medium
    Stored XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to store malicious code in multiple fields (first name, last name, and logon name) when creating or modifying a user via the submitUser.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVE-2020-35719 | Vendors (1): Quest | Products (1): Policy Authority For Unified Communications | Updated: 2024-11-21 | CVSS v3.1: 6.1 Medium
    Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the /WebCM/Applications/Search/index.jsp file via the added parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVE-2020-35717 | Vendors (1): Electronjs | Products (1): Zonote | Updated: 2024-11-21 | CVSS v3.1: 9.0 Critical
    zonote through 0.4.0 allows XSS via a crafted note, with resultant Remote Code Execution (because nodeIntegration in webPreferences is true).

CVE-2020-35716 | Vendors (1): Linksys | Products (2): Re6500, Re6500 Firmware | Updated: 2024-11-21 | CVSS v3.1: 7.5 High
    Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to cause a persistent denial of service (segmentation fault) via a long /goform/langSwitch langSelectionOnly parameter.

CVE-2020-35715 | Vendors (1): Linksys | Products (2): Re6500, Re6500 Firmware | Updated: 2024-11-21 | CVSS v3.1: 8.8 High
    Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote authenticated users to execute arbitrary commands via shell metacharacters in a filename to the upload_settings.cgi page.

CVE-2020-35714 | Vendors (1): Linksys | Products (2): Re6500, Re6500 Firmware | Updated: 2024-11-21 | CVSS v3.1: 8.8 High
    Belkin LINKSYS RE6500 devices before 1.0.11.001 allow remote authenticated users to execute arbitrary commands via goform/systemCommand?command= in conjunction with the goform/pingstart program.

CVE-2020-35713 | Vendors (1): Linksys | Products (2): Re6500, Re6500 Firmware | Updated: 2024-11-21 | CVSS v3.1: 9.8 Critical
    Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters to the goform/setSysAdm page.

CVE-2020-35712 | Vendors (3): Esri, Linux, Microsoft | Products (3): Arcgis Server, Linux Kernel, Windows | Updated: 2024-11-21 | CVSS v3.1: 9.8 Critical
    Esri ArcGIS Server before 10.8 is vulnerable to SSRF in some configurations.

CVE-2020-35711 | Vendors (1): Arc-swap Project | Products (1): Arc-swap | Updated: 2024-11-21 | CVSS v3.1: 7.5 High
    An issue has been discovered in the arc-swap crate before 0.4.8 (and 1.x before 1.1.0) for Rust. Use of arc_swap::access::Map with the Constant test helper (or with a user-supplied implementation of the Access trait) could sometimes lead to dangling references being returned by the map.

CVE-2020-35710 | Vendors (1): Parallels | Products (1): Remote Application Server | Updated: 2024-11-21 | CVSS v3.1: 5.3 Medium
    Parallels Remote Application Server (RAS) 18 allows remote attackers to discover an intranet IP address because submission of the login form (even with blank credentials) provides this address to the attacker's client for use as a "host" value. In other words, after an attacker's web browser sent a request to the login form, it would automatically send a second request to a RASHTML5Gateway/socket.io URI with something like "host":"192.168.###.###" in the POST data.

CVE-2020-35709 | Vendors (1): Bloofox | Products (1): Bloofoxcms | Updated: 2024-11-21 | CVSS v3.1: 4.9 Medium
    bloofoxCMS 0.5.2.1 allows admins to upload arbitrary .php files (with "Content-Type: application/octet-stream") to ../media/images/ via the admin/index.php?mode=tools&page=upload URI, aka directory traversal.

CVE-2020-35708 | Vendors (1): Phplist | Products (1): Phplist | Updated: 2024-11-21 | CVSS v3.1: 7.2 High
    phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page.

CVE-2020-35707 | Vendors (1): Daybydaycrm | Products (1): Daybyday | Updated: 2024-11-21 | CVSS v3.1: 5.4 Medium
    Daybyday 2.1.0 allows stored XSS via the Company Name parameter to the New Client screen.

CVE-2020-35706 | Vendors (1): Daybydaycrm | Products (1): Daybyday | Updated: 2024-11-21 | CVSS v3.1: 5.4 Medium
    Daybyday 2.1.0 allows stored XSS via the Title parameter to the New Project screen.

CVE-2020-35705 | Vendors (1): Daybydaycrm | Products (1): Daybyday | Updated: 2024-11-21 | CVSS v3.1: 5.4 Medium
    Daybyday 2.1.0 allows stored XSS via the Name parameter to the New User screen.

CVE-2020-35704 | Vendors (1): Daybydaycrm | Products (1): Daybyday | Updated: 2024-11-21 | CVSS v3.1: 5.4 Medium
    Daybyday 2.1.0 allows stored XSS via the Title parameter to the New Lead screen.

CVE-2020-35702 | Vendors (1): Freedesktop | Products (1): Poppler | Updated: 2024-11-21 | CVSS v3.1: 7.8 High
    DCTStream::getChars in DCTStream.cc in Poppler 20.12.1 has a heap-based buffer overflow via a crafted PDF document. NOTE: later reports indicate that this only affects builds from Poppler git clones in late December 2020, not the 20.12.1 release. In this situation, it should NOT be considered a Poppler vulnerability. However, several third-party Open Source projects directly rely on Poppler git clones made at arbitrary times, and therefore the CVE remains useful to users of those projects.

CVE-2020-35701 | Vendors (2): Cacti, Fedoraproject | Products (2): Cacti, Fedora | Updated: 2024-11-21 | CVSS v3.1: 8.8 High
    An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution.