Total
3863 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-11056 | 1 Barrelstrengthdesign | 1 Sprout Forms | 2024-08-04 | 7.4 High |
| In Sprout Forms before 3.9.0, there is a potential Server-Side Template Injection vulnerability when using custom fields in Notification Emails which could lead to the execution of Twig code. This has been fixed in 3.9.0. | ||||
| CVE-2020-11079 | 1 Node-dns-sync Project | 1 Node-dns-sync | 2024-08-04 | 8.6 High |
| node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of arbitrary commands . This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This has been fixed in 0.2.1. | ||||
| CVE-2020-10948 | 1 Alienform2 Project | 1 Alienform2 | 2024-08-04 | 9.8 Critical |
| Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) 2.0.2 is vulnerable to Remote Command Execution via eval injection, a different issue than CVE-2002-0934. An unauthenticated, remote attacker can exploit this via a series of crafted requests. | ||||
| CVE-2020-10777 | 1 Redhat | 2 Cloudforms, Cloudforms Managementengine | 2024-08-04 | 5.4 Medium |
| A cross-site scripting flaw was found in Report Menu feature of Red Hat CloudForms 4.7 and 5. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. | ||||
| CVE-2020-10684 | 3 Debian, Fedoraproject, Redhat | 6 Debian Linux, Fedora, Ansible and 3 more | 2024-08-04 | 7.9 High |
| A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection. | ||||
| CVE-2020-10663 | 7 Apple, Debian, Fedoraproject and 4 more | 10 Macos, Debian Linux, Fedora and 7 more | 2024-08-04 | 7.5 High |
| The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent. | ||||
| CVE-2020-10389 | 1 Chadhaajay | 1 Phpkb | 2024-08-04 | 7.2 High |
| admin/save-settings.php in Chadha PHPKB Standard Multi-Language 9 allows remote attackers to achieve Code Execution by injecting PHP code into any POST parameter when saving global settings. | ||||
| CVE-2020-10257 | 1 Themerex | 63 Addons, Aldo-gutenberg Wordpress Blog Theme, Amuli and 60 more | 2024-08-04 | 9.8 Critical |
| The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter. | ||||
| CVE-2020-10176 | 1 Assaabloy | 2 Yale Wipc-301w, Yale Wipc-301w Firmware | 2024-08-04 | 9.8 Critical |
| ASSA ABLOY Yale WIPC-301W 2.x.2.29 through 2.x.2.43_p1 devices allow Eval Injection of commands. | ||||
| CVE-2020-10055 | 1 Siemens | 2 Desigo Consumption Control, Desigo Consumption Control Compact | 2024-08-04 | 9.8 Critical |
| A vulnerability has been identified in Desigo CC (V4.x), Desigo CC (V3.x), Desigo CC Compact (V4.x), Desigo CC Compact (V3.x). Affected applications are delivered with a 3rd party component (BIRT) that contains a remote code execution vulnerability if the Advanced Reporting Engine is enabled. The vulnerability could allow a remote unauthenticated attacker to execute arbitrary commands on the server with SYSTEM privileges. | ||||
| CVE-2020-9530 | 1 Mi | 1 Miui Firmware | 2024-08-04 | 6.5 Medium |
| An issue was discovered on Xiaomi MIUI V11.0.5.0.QFAEUXM devices. The export component of GetApps(com.xiaomi.mipicks) mishandles the functionality of opening other components. Attackers need to induce users to open specific web pages in a specific network environment. By jumping to the WebView component of Messaging(com.android.MMS) and loading malicious web pages, information leakage can occur. This is fixed on version: 2001122; 11.0.1.54. | ||||
| CVE-2020-9406 | 1 Iblsoft | 1 Online Weather | 2024-08-04 | 9.8 Critical |
| IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service. | ||||
| CVE-2020-8644 | 1 Playsms | 1 Playsms | 2024-08-04 | 9.8 Critical |
| PlaySMS before 1.4.3 does not sanitize inputs from a malicious string. | ||||
| CVE-2020-8518 | 3 Debian, Fedoraproject, Horde | 3 Debian Linux, Fedora, Groupware | 2024-08-04 | 9.8 Critical |
| Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution. | ||||
| CVE-2020-8274 | 1 Citrix | 1 Secure Mail | 2024-08-04 | 6.5 Medium |
| Citrix Secure Mail for Android before 20.11.0 suffers from Improper Control of Generation of Code ('Code Injection') by allowing unauthenticated access to read data stored within Secure Mail. Note that a malicious app would need to be installed on the Android device or a threat actor would need to execute arbitrary code on the Android device. | ||||
| CVE-2020-8349 | 1 Lenovo | 10 Cloud Networking Operating System, Rackswitch G8272, Rackswitch G8296 and 7 more | 2024-08-04 | 9.8 Critical |
| An internal security review has identified an unauthenticated remote code execution vulnerability in Cloud Networking Operating System (CNOS)’ optional REST API management interface. This interface is disabled by default and not vulnerable unless enabled. When enabled, it is only vulnerable where attached to a VRF and as allowed by defined ACLs. Lenovo strongly recommends upgrading to a non-vulnerable CNOS release. Where not possible, Lenovo recommends disabling the REST API management interface or restricting access to the management VRF and further limiting access to authorized management stations via ACL. | ||||
| CVE-2020-8243 | 2 Ivanti, Pulsesecure | 4 Connect Secure, Policy Secure, Pulse Connect Secure and 1 more | 2024-08-04 | 7.2 High |
| A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload custom template to perform an arbitrary code execution. | ||||
| CVE-2020-8224 | 1 Nextcloud | 1 Desktop | 2024-08-04 | 7.8 High |
| A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL config into a fixed directory. | ||||
| CVE-2020-8194 | 1 Citrix | 11 4000-wo, 4100-wo, 5000-wo and 8 more | 2024-08-04 | 6.5 Medium |
| Reflected code injection in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows the modification of a file download. | ||||
| CVE-2020-8180 | 1 Nextcloud | 1 Talk | 2024-08-04 | 9.9 Critical |
| A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk command was added by an administrator. | ||||