Search Results (83852 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2020-27674 3 Debian, Fedoraproject, Xen 3 Debian Linux, Fedora, Xen 2024-11-21 5.3 Medium
An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an INVLPG-like attack technique.
CVE-2020-27666 1 Strapi 1 Strapi 2024-11-21 5.4 Medium
Strapi before 3.2.5 has stored XSS in the wysiwyg editor's preview feature.
CVE-2020-27659 1 Synology 1 Safeaccess 2024-11-21 8.4 High
Multiple cross-site scripting (XSS) vulnerabilities in Synology SafeAccess before 1.2.3-0234 allow remote attackers to inject arbitrary web script or HTML via the (1) domain or (2) profile parameter.
CVE-2020-27658 1 Synology 1 Router Manager 2024-11-21 7.1 High
Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
CVE-2020-27642 1 Bigbluebutton 1 Greenlight 2024-11-21 6.1 Medium
A cross-site scripting (XSS) vulnerability exists in the 'merge account' functionality in admins.js in BigBlueButton Greenlight 2.7.6.
CVE-2020-27627 1 Jetbrains 1 Teamcity 2024-11-21 6.1 Medium
JetBrains TeamCity before 2020.1.2 was vulnerable to URL injection.
CVE-2020-27620 1 Mediawiki 1 Skin\ 2024-11-21 6.1 Medium
The Cosmos Skin for MediaWiki through 1.35.0 has stored XSS because MediaWiki messages were not being properly escaped. This is related to wfMessage and Html::rawElement, as demonstrated by CosmosSocialProfile::getUserGroups.
CVE-2020-27608 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 6.1 Medium
In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
CVE-2020-27602 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 9.8 Critical
BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken.
CVE-2020-27600 1 Dlink 2 Dir-846, Dir-846 Firmware 2024-11-21 9.8 Critical
HNAP1/control/SetMasterWLanSettings.php in D-Link D-Link Router DIR-846 DIR-846 A1_100.26 allows remote attackers to execute arbitrary commands via shell metacharacters in the ssid0 or ssid1 parameter.
CVE-2020-27576 1 Maxum 1 Rumpus 2024-11-21 5.4 Medium
Maxum Rumpus 8.2.13 and 8.2.14 is affected by cross-site scripting (XSS). Users are able to create folders in the web application. The folder name is insufficiently validated resulting in a stored cross-site scripting vulnerability.
CVE-2020-27575 1 Maxum 1 Rumpus 2024-11-21 8.8 High
Maxum Rumpus 8.2.13 and 8.2.14 is affected by a command injection vulnerability. The web administration contains functionality in which administrators are able to manage users. The edit users form contains a parameter vulnerable to command injection due to insufficient validation.
CVE-2020-27568 1 Aviatrix 1 Controller 2024-11-21 7.5 High
Insecure File Permissions exist in Aviatrix Controller 5.3.1516. Several world writable files and directories were found in the controller resource. Note: All Aviatrix appliances are fully encrypted. This is an extra layer of security.
CVE-2020-27543 1 Restify-paginate Project 1 Restify-paginate 2024-11-21 7.5 High
The restify-paginate package 0.0.5 for Node.js allows remote attackers to cause a Denial-of-Service by omitting the HTTP Host header. A Restify-based web service would crash with an uncaught exception.
CVE-2020-27542 1 Company 2 Cs-c2shw, Cs-c2shw Firmware 2024-11-21 6.8 Medium
Rostelecom CS-C2SHW 5.0.082.1 is affected by: Bash command injection. The camera reads configuration from QR code (including network settings). The static IP configuration from QR code is copied to the file /config/ip-static and after reboot data from this file is inserted into bash command (without any escaping). So bash injection is possible. Camera doesn't parse QR codes if it's already successfully configured. Camera is always rebooted after successful configuration via QR code.
CVE-2020-27541 1 Company 2 Cs-c2shw, Cs-c2shw Firmware 2024-11-21 7.5 High
Denial of Service vulnerability in Rostelecom CS-C2SHW 5.0.082.1. AgentGreen service has a bug in parsing broadcast discovery UDP packet. Sending a packet of too small size will lead to an attempt of allocating buffer of negative size. As the result service AgentGreen will be terminated and started again later.
CVE-2020-27539 1 Company 2 Cs-c2shw, Cs-c2shw Firmware 2024-11-21 9.8 Critical
Heap overflow with full parsing of HTTP respose in Rostelecom CS-C2SHW 5.0.082.1. AgentUpdater service has a self-written HTTP parser and builder. HTTP parser has a heap buffer overflow (OOB write). In default configuration camera parses responses only from HTTPS URLs from config file, so vulnerable code is unreachable and one more bug required to reach it.
CVE-2020-27533 1 Dedecms 1 Dedecms 2024-11-21 5.4 Medium
A Cross Site Scripting (XSS) issue was discovered in the search feature of DedeCMS v.5.8 that allows malicious users to inject code into web pages, and other users will be affected when viewing web pages.
CVE-2020-27515 1 Techkshetrainfo 1 Savsoft Quiz 2024-11-21 6.1 Medium
A Cross Site Scripting (XSS) vulnerability in Savsoft Quiz v5.0 allows remote attackers to inject arbitrary web script or HTML via the Skype ID field.
CVE-2020-27459 1 Chronoengine 1 Chronoforums 2024-11-21 6.1 Medium
Chronoforeum 2.0.11 allows Stored XSS vulnerabilities when inserting a crafted payload into a post. If any user sees the post, the inserted XSS code is executed.