Search Results (83852 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2020-27850 1 Rocketgenius 1 Gravityforms 2024-11-21 4.8 Medium
A stored Cross-Site Scripting (XSS) vulnerability in forms import feature in Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary web script or HTML via the import of a GF form. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).
CVE-2020-27844 3 Debian, Oracle, Uclouvain 3 Debian Linux, Outside In Technology, Openjpeg 2024-11-21 7.8 High
A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior to 2.4.0. This flaw allows an attacker to provide crafted input to openjpeg during conversion and encoding, causing an out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2020-27841 4 Debian, Fedoraproject, Oracle and 1 more 4 Debian Linux, Fedora, Outside In Technology and 1 more 2024-11-21 5.5 Medium
There's a flaw in openjpeg in versions prior to 2.4.0 in src/lib/openjp2/pi.c. When an attacker is able to provide crafted input to be processed by the openjpeg encoder, this could cause an out-of-bounds read. The greatest impact from this flaw is to application availability.
CVE-2020-27836 1 Redhat 3 Enterprise Linux, Openshift, Openshift Container Platform 2024-11-21 9.8 Critical
A flaw was found in cluster-ingress-operator. A change to how the router-default service allows only certain IP source ranges could allow an attacker to access resources that would otherwise be restricted to specified IP ranges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability..
CVE-2020-27832 1 Redhat 1 Quay 2024-11-21 9.0 Critical
A flaw was found in Red Hat Quay, where it has a persistent Cross-site Scripting (XSS) vulnerability when displaying a repository's notification. This flaw allows an attacker to trick a user into performing a malicious action to impersonate the target user. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2020-27828 3 Fedoraproject, Jasper Project, Redhat 3 Fedora, Jasper, Enterprise Linux 2024-11-21 7.8 High
There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.
CVE-2020-27823 4 Debian, Fedoraproject, Redhat and 1 more 4 Debian Linux, Fedora, Enterprise Linux and 1 more 2024-11-21 7.8 High
A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2020-27821 3 Debian, Qemu, Redhat 4 Debian Linux, Qemu, Advanced Virtualization and 1 more 2024-11-21 6.0 Medium
A flaw was found in the memory management API of QEMU during the initialization of a memory region cache. This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0.
CVE-2020-27815 3 Debian, Linux, Netapp 22 Debian Linux, Linux Kernel, Aff A250 and 19 more 2024-11-21 7.8 High
A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the ability to set extended attributes to panic the system, causing memory corruption or escalating privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2020-27752 1 Imagemagick 1 Imagemagick 2024-11-21 7.1 High
A flaw was found in ImageMagick in MagickCore/quantum-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger a heap buffer overflow. This would most likely lead to an impact to application availability, but could potentially lead to an impact to data integrity as well. This flaw affects ImageMagick versions prior to 7.0.9-0.
CVE-2020-27749 4 Fedoraproject, Gnu, Netapp and 1 more 12 Fedora, Grub2, Ontap Select Deploy Administration Utility and 9 more 2024-11-21 6.7 Medium
A flaw was found in grub2 in versions prior to 2.06. Variable names present are expanded in the supplied command line into their corresponding variable contents, using a 1kB stack buffer for temporary storage, without sufficient bounds checking. If the function is called with a command line that references a variable with a sufficiently large payload, it is possible to overflow the stack buffer, corrupt the stack frame and control execution which could also circumvent Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-27744 1 Westerndigital 6 My Cloud Ex2 Ultra, My Cloud Ex4100, My Cloud Firmware and 3 more 2024-11-21 9.8 Critical
An issue was discovered on Western Digital My Cloud NAS devices before 5.04.114. They allow remote code execution with resultant escalation of privileges.
CVE-2020-27741 1 Citadel 1 Webcit 2024-11-21 6.1 Medium
Multiple cross-site scripting (XSS) vulnerabilities in Citadel WebCit through 926 allow remote attackers to inject arbitrary web script or HTML via multiple pages and parameters. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926" thread.
CVE-2020-27738 1 Siemens 6 Nucleus Net, Nucleus Readystart V3, Nucleus Readystart V4 and 3 more 2024-11-21 6.5 Medium
A vulnerability has been identified in APOGEE PXC Compact (BACnet) (All versions < V3.5.5), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.20), APOGEE PXC Modular (BACnet) (All versions < V3.5.5), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.20), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.3), Nucleus ReadyStart V4 (All versions < V4.1.0), Nucleus Source Code (Versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), TALON TC Compact (BACnet) (All versions < V3.5.5), TALON TC Modular (BACnet) (All versions < V3.5.5). The DNS domain name record decompression functionality does not properly validate the pointer offset values. The parsing of malformed responses could result in a read access past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition.
CVE-2020-27735 1 Wftpserver 1 Wing Ftp Server 2024-11-21 6.1 Medium
An XSS issue was discovered in Wing FTP 6.4.4. An arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user's browser.
CVE-2020-27726 1 F5 1 Big-ip Access Policy Manager 2024-11-21 6.1 Medium
In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, and 12.1.0-12.1.5.2, a reflected cross-site scripting (XSS) vulnerability exists in the resource information page for authenticated users when a full webtop is configured on the BIG-IP APM system.
CVE-2020-27719 1 F5 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 11 more 2024-11-21 6.1 Medium
On BIG-IP 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 14.1.0-14.1.3, a cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility.
CVE-2020-27691 1 Imomobile 2 Verve Connect Vh510, Verve Connect Vh510 Firmware 2024-11-21 6.1 Medium
The Relish (Verve Connect) VH510 device with firmware before 1.0.1.6L0516 allows XSS via URLBlocking Settings, SNMP Settings, and System Log Settings.
CVE-2020-27689 1 Imomobile 2 Verve Connect Vh510, Verve Connect Vh510 Firmware 2024-11-21 9.8 Critical
The Relish (Verve Connect) VH510 device with firmware before 1.0.1.6L0516 contains undocumented default admin credentials for the web management interface. A remote attacker could exploit this vulnerability to login and execute commands on the device, as well as upgrade the firmware image to a malicious version.
CVE-2020-27687 1 Thingsboard 1 Thingsboard 2024-11-21 8.8 High
ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. This allows an attacker to send malicious links in password-reset emails to victims, pointing to an attacker-controlled server. Lack of validation of the Host header allows this to happen.