Search

Search Results (362730 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2020-28250 1 Cellinx 1 Nvt Web Server 2024-11-21 9.8 Critical
Cellinx NVT Web Server 5.0.0.014b.test 2019-09-05 allows a remote user to run commands as root via SetFileContent.cgi because authentication is on the client side.
CVE-2020-28249 1 Joplin Project 1 Joplin 2024-11-21 6.1 Medium
Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note.
CVE-2020-28248 1 Png-img Project 1 Png-img 2024-11-21 8.8 High
An integer overflow in the PngImg::InitStorage_() function of png-img before 3.1.0 leads to an under-allocation of heap memory and subsequently an exploitable heap-based buffer overflow when loading a crafted PNG file.
CVE-2020-28247 1 Lettre 1 Lettre 2024-11-21 5.3 Medium
The lettre library through 0.10.0-alpha for Rust allows arbitrary sendmail option injection via transport/sendmail/mod.rs.
CVE-2020-28246 1 Form 1 Form.io 2024-11-21 9.8 Critical
A Server-Side Template Injection (SSTI) was discovered in Form.io 2.0.0. This leads to Remote Code Execution during deletion of the default Email template URL. NOTE: the email templating service was removed after 2020. Additionally, the vendor disputes this issue indicating this is sandboxed and only executable by admins.
CVE-2020-28243 3 Debian, Fedoraproject, Saltstack 3 Debian Linux, Fedora, Salt 2024-11-21 7.8 High
An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory.
CVE-2020-28242 4 Asterisk, Debian, Fedoraproject and 1 more 4 Certified Asterisk, Debian Linux, Fedora and 1 more 2024-11-21 6.5 Medium
An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.
CVE-2020-28241 4 Debian, Fedoraproject, Maxmind and 1 more 6 Debian Linux, Fedora, Libmaxminddb and 3 more 2024-11-21 6.5 Medium
libmaxminddb before 1.4.3 has a heap-based buffer over-read in dump_entry_data_list in maxminddb.c.
CVE-2020-28221 1 Schneider-electric 42 Ecostruxure Operator Terminal Expert, Gp-4104g, Gp-4104w and 39 more 2024-11-21 9.8 Critical
A CWE-20: Improper Input Validation vulnerability exists in EcoStruxure™ Operator Terminal Expert and Pro-face BLUE (version details in the notification) that could cause arbitrary code execution when the Ethernet Download feature is enable on the HMI.
CVE-2020-28219 1 Schneider-electric 2 Ecostruxure Geo Scada Expert 2019, Ecostruxure Geo Scada Expert 2020 2024-11-21 7.8 High
A CWE-522: Insufficiently Protected Credentials vulnerability exists in EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1) and EcoStruxure Geo SCADA Expert 2020 (Original release and Monthly Updates to September 2020, from 83.7551.1 to 83.7578.1), that could cause exposure of credentials to server-side users when web users are logged in to Virtual ViewX.
CVE-2020-28218 1 Schneider-electric 2 Easergy T300, Easergy T300 Firmware 2024-11-21 6.5 Medium
A CWE-1021: Improper Restriction of Rendered UI Layers or Frames vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to trick a user into initiating an unintended action.
CVE-2020-28217 1 Schneider-electric 2 Easergy T300, Easergy T300 Firmware 2024-11-21 7.5 High
A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to read network traffic over HTTP protocol.
CVE-2020-28216 1 Schneider-electric 2 Easergy T300, Easergy T300 Firmware 2024-11-21 7.5 High
A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to read network traffic over HTTP protocol.
CVE-2020-28215 1 Schneider-electric 2 Easergy T300, Easergy T300 Firmware 2024-11-21 9.8 Critical
A CWE-862: Missing Authorization vulnerability exists in Easergy T300 (firmware 2.7 and older), that could cause a wide range of problems, including information exposures, denial of service, and arbitrary code execution when access control checks are not applied consistently.
CVE-2020-28213 1 Schneider-electric 1 Ecostruxure Control Expert 2024-11-21 8.8 High
A CWE-494: Download of Code Without Integrity Check vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when sending specially crafted requests over Modbus.
CVE-2020-28212 1 Schneider-electric 1 Ecostruxure Control Expert 2024-11-21 9.8 Critical
A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when a brute force attack is done over Modbus.
CVE-2020-28211 1 Schneider-electric 1 Ecostruxure Control Expert 2024-11-21 7.8 High
A CWE-863: Incorrect Authorization vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause bypass of authentication when overwriting memory using a debugger.
CVE-2020-28208 1 Rocket.chat 1 Rocket.chat 2024-11-21 5.3 Medium
An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1.
CVE-2020-28206 1 Bitrix24 1 Bitrix Framework 2024-11-21 6.5 Medium
An issue was discovered in Bitrix24 Bitrix Framework (1c site management) 20.0. An "User enumeration and Improper Restriction of Excessive Authentication Attempts" vulnerability exists in the admin login form, allowing a remote user to enumerate users in the administrator group. This also allows brute-force attacks on the passwords of users not in the administrator group.
CVE-2020-28203 1 Foxitsoftware 2 Foxit Reader, Phantompdf 2024-11-21 5.5 Medium
An issue was discovered in Foxit Reader and PhantomPDF 10.1.0.37527 and earlier. There is a null pointer access/dereference while opening a crafted PDF file, leading the application to crash (denial of service).