Search Results (83870 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2020-28909 1 Nagios 1 Fusion 2024-11-21 8.8 High
Incorrect File Permissions in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to root via modification of scripts. Low-privileges users are able to modify files that can be executed by sudo.
CVE-2020-28908 1 Nagios 1 Fusion 2024-11-21 9.8 Critical
Command Injection in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to nagios.
CVE-2020-28903 1 Nagios 1 Fusion 2024-11-21 6.1 Medium
Improper input validation in Nagios Fusion 4.1.8 and earlier allows a remote attacker with control over a fused server to inject arbitrary HTML, aka XSS.
CVE-2020-28902 1 Nagios 1 Fusion 2024-11-21 9.8 Critical
Command Injection in Nagios Fusion 4.1.8 and earlier allows Privilege Escalation from apache to root in cmd_subsys.php.
CVE-2020-28901 1 Nagios 1 Fusion 2024-11-21 9.8 Critical
Command Injection in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation or Code Execution as root via vectors related to corrupt component installation in cmd_subsys.php.
CVE-2020-28896 4 Debian, Mutt, Neomutt and 1 more 4 Debian Linux, Mutt, Neomutt and 1 more 2024-11-21 5.3 Medium
Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle.
CVE-2020-28895 2 Oracle, Windriver 2 Communications Eagle, Vxworks 2024-11-21 7.3 High
In Wind River VxWorks, memory allocator has a possible overflow in calculating the memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.
CVE-2020-28885 1 Liferay 1 Liferay Portal 2024-11-21 7.2 High
Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject commands through the Gogo Shell module to execute any OS command on the Liferay Portal Sever. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to access and execute commands in Gogo Shell and therefore not a design fla
CVE-2020-28884 1 Liferay 1 Liferay Portal 2024-11-21 7.2 High
Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject Groovy script to execute any OS command on the Liferay Portal Sever. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw.
CVE-2020-28859 1 Openasset 1 Digital Asset Management 2024-11-21 6.1 Medium
OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly sanitize user supplied input in multiple parameters and endpoints, allowing for reflected cross-site scripting attacks.
CVE-2020-28857 1 Openasset 1 Digital Asset Management 2024-11-21 6.1 Medium
OpenAsset Digital Asset Management (DAM) through 12.0.19, does not correctly sanitize user supplied input in multiple parameters and endpoints, allowing for stored cross-site scripting attacks.
CVE-2020-28849 1 Churchcrm 1 Churchcrm 2024-11-21 5.4 Medium
Cross Site Scripting (XSS) vulnerability in ChurchCRM version 4.2.1, allows remote attckers to execute arbitrary code and gain sensitive information via crafted payload in Add New Deposit field in View All Deposit module.
CVE-2020-28848 1 Churchcrm 1 Churchcrm 2024-11-21 8.8 High
CSV Injection vulnerability in ChurchCRM version 4.2.0, allows remote attackers to execute arbitrary code via crafted CSV file.
CVE-2020-28847 1 Valine.js 1 Valine 2024-11-21 5.4 Medium
Cross Site Scripting (XSS) vulnerability in xCss Valine v1.4.14 via the nick parameter to /classes/Comment.
CVE-2020-28727 1 Seeddms 1 Seeddms 2024-11-21 6.1 Medium
Cross-site scripting (XSS) exists in SeedDMS 6.0.13 via the folderid parameter to views/bootstrap/class.DropFolderChooser.php.
CVE-2020-28722 1 Deskpro 1 Deskpro 2024-11-21 5.4 Medium
Deskpro Cloud Platform and on-premise 2020.2.3.48207 from 2020-07-30 contains a cross-site scripting (XSS) vulnerability that can lead to an account takeover via custom email templates.
CVE-2020-28717 1 Kindsoft 1 Kindeditor 2024-11-21 6.1 Medium
Cross Site Scripting (XSS) vulnerability in content1 parameter in demo.jsp in kindsoft kindeditor version 4.1.12, allows attackers to execute arbitrary code.
CVE-2020-28707 1 Stockdio 1 Stockdio Historical Chart 2024-11-21 6.1 Medium
The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) via stockdio_chart_historical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage() event is not validated. The stockdio_eventer function listens for any postMessage event. After a message event is sent to the application, this function sets the "e" variable as the event and checks that the types of the data and data.method are not undefined (empty) before proceeding to eval the data.method received from the postMessage. However, on a different website. JavaScript code can call window.open for the vulnerable WordPress instance and do a postMessage(msg,'*') for that object.
CVE-2020-28695 1 Askey 2 Rtf3505vw-n1 Br Sv G000 R3505vwn1001 S32 7, Rtf3505vw-n1 Br Sv G000 R3505vwn1001 S32 7 Firmware 2024-11-21 8.8 High
Askey Fiber Router RTF3505VW-N1 BR_SV_g000_R3505VWN1001_s32_7 devices allow Remote Code Execution and retrieval of admin credentials to log into the Dashboard or login via SSH, leading to code execution as root.
CVE-2020-28650 1 Wpbakery 1 Page Builder 2024-11-21 6.4 Medium
The WPBakery plugin before 6.4.1 for WordPress allows XSS because it calls kses_remove_filters to disable the standard WordPress XSS protection mechanism for the Author and Contributor roles.