Search Results (83885 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2020-35482 1 Solarwinds 1 Serv-u 2024-11-21 5.4 Medium
SolarWinds Serv-U before 15.2.2 allows authenticated reflected XSS.
CVE-2020-35479 3 Debian, Fedoraproject, Mediawiki 3 Debian Linux, Fedora, Mediawiki 2024-11-21 6.1 Medium
MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later.
CVE-2020-35478 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2024-11-21 6.1 Medium
MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). This affects MediaWiki 1.33.0 and later.
CVE-2020-35476 1 Opentsdb 1 Opentsdb 2024-11-21 9.8 Critical
A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient.)
CVE-2020-35475 3 Debian, Fedoraproject, Mediawiki 3 Debian Linux, Fedora, Mediawiki 2024-11-21 7.5 High
In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits Special:UserRights but does not have rights to change all userrights, and the table on the left side has unchangeable groups in it. (The right column with the changeable groups is not affected and is escaped correctly.)
CVE-2020-35474 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2024-11-21 6.1 Medium
In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of MediaWiki:recentchanges-legend-watchlistexpiry can be changed onwiki so that the output is raw HTML.
CVE-2020-35459 2 Clusterlabs, Debian 2 Crmsh, Debian Linux 2024-11-21 7.8 High
An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges.
CVE-2020-35458 1 Clusterlabs 1 Hawk 2024-11-21 9.8 Critical
An issue was discovered in ClusterLabs Hawk 2.x through 2.3.0-x. There is a Ruby shell code injection issue via the hawk_remember_me_id parameter in the login_from_cookie cookie. The user logout routine could be used by unauthenticated remote attackers to execute code as hauser.
CVE-2020-35457 1 Gnome 1 Glib 2024-11-21 7.8 High
GNOME GLib before 2.65.3 has an integer overflow, that might lead to an out-of-bounds write, in g_option_group_add_entries. NOTE: the vendor's position is "Realistically this is not a security issue. The standard pattern is for callers to provide a static list of option entries in a fixed number of calls to g_option_group_add_entries()." The researcher states that this pattern is undocumented
CVE-2020-35452 5 Apache, Debian, Fedoraproject and 2 more 8 Http Server, Debian Linux, Fedora and 5 more 2024-11-21 7.3 High
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow
CVE-2020-35438 1 Kamalkhan 1 Kk Star Ratings 2024-11-21 6.1 Medium
Cross Site Scripting (XSS) vulnerability in the kk Star Ratings plugin before 4.1.5.
CVE-2020-35437 1 Intelliants 1 Subrion Cms 2024-11-21 6.1 Medium
Subrion CMS 4.2.1 is affected by: Cross Site Scripting (XSS) through the avatar[path] parameter in a POST request to the /_core/profile/ URI.
CVE-2020-35419 1 Group-office 1 Group Office 2024-11-21 6.1 Medium
Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter.
CVE-2020-35418 1 Group-office 1 Group Office 2024-11-21 5.4 Medium
Cross Site Scripting (XSS) in the contact page of Group Office CRM 6.4.196 by uploading a crafted svg file.
CVE-2020-35416 1 Onlineonly 1 Phpjabbers Appointment Scheduler 2024-11-21 6.1 Medium
Multiple cross-site scripting (XSS) vulnerabilities exist in PHPJabbers Appointment Scheduler 2.3, in the index.php admin login webpage (with different request parameters), allows remote attackers to inject arbitrary web script or HTML.
CVE-2020-35396 1 Egavilanmedia 1 Barcodes Generator 2024-11-21 6.1 Medium
EGavilan Barcodes generator 1.0 is affected by: Cross Site Scripting (XSS) via the index.php. An Attacker is able to inject the XSS payload in the web application each time a user visits the website.
CVE-2020-35395 1 Egavilanmedia 1 Expense Management System 2024-11-21 6.1 Medium
XSS in the Add Expense Component of EGavilan Media Expense Management System 1.0 allows an attacker to permanently store malicious JavaScript code via the 'description' field
CVE-2020-35376 2 Fedoraproject, Xpdfreader 2 Fedora, Xpdf 2024-11-21 7.5 High
Xpdf 4.02 allows stack consumption because of an incorrect subroutine reference in a Type 1C font charstring, related to the FoFiType1C::getOp() function.
CVE-2020-35373 1 Fiyo 1 Fiyo Cms 2024-11-21 6.1 Medium
In Fiyo CMS 2.0.6.1, the 'tag' parameter results in an unauthenticated XSS attack.
CVE-2020-35359 1 Pureftpd 1 Pure-ftpd 2024-11-21 7.5 High
Pure-FTPd 1.0.48 allows remote attackers to prevent legitimate server use by making enough connections to exceed the connection limit.