Search Results (83611 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2020-13978 1 Monstra 1 Monstra Cms 2024-11-21 7.2 High
Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, to execute arbitrary OS commands via the Theme Module by visiting the admin/index.php?id=themes&action=edit_chunk URI. NOTE: there is no indication that the Edit Chunk feature was intended to prevent an administrator from using PHP's exec feature
CVE-2020-13976 1 Dd-wrt 1 Dd-wrt 2024-11-21 8.8 High
An issue was discovered in DD-WRT through 16214. The Diagnostic page allows remote attackers to execute arbitrary commands via shell metacharacters in the host field of the ping command. Exploitation through CSRF might be possible. NOTE: software maintainers consider the report invalid because it refers to an old software version, requires administrative privileges, and does not provide access beyond that already available to administrative users
CVE-2020-13973 1 Owasp 1 Json-sanitizer 2024-11-21 6.1 Medium
OWASP json-sanitizer before 1.2.1 allows XSS. An attacker who controls a substring of the input JSON, and controls another substring adjacent to a SCRIPT element in which the output is embedded as JavaScript, may be able to confuse the HTML parser as to where the SCRIPT element ends, and cause non-script content to be interpreted as JavaScript.
CVE-2020-13972 1 Enghouse 1 Web Chat 2024-11-21 6.1 Medium
Enghouse Web Chat 6.2.284.34 allows XSS. When one enters their own domain name in the WebServiceLocation parameter, the response from the POST request is displayed, and any JavaScript returned from the external server is executed in the browser. This is related to CVE-2019-16951.
CVE-2020-13971 1 Shopware 1 Shopware 2024-11-21 5.4 Medium
In Shopware before 6.2.3, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.
CVE-2020-13969 1 Crk 1 Business Platform 2024-11-21 6.1 Medium
CRK Business Platform <= 2019.1 allows reflected XSS via erro.aspx on 'CRK', 'IDContratante', 'Erro', or 'Mod' parameter. This is path-independent.
CVE-2020-13964 3 Debian, Fedoraproject, Roundcube 3 Debian Linux, Fedora, Webmail 2024-11-21 6.1 Medium
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.
CVE-2020-13963 1 Soplanning 1 Soplanning 2024-11-21 9.8 Critical
SOPlanning before 1.47 has Incorrect Access Control because certain secret key information, and the related authentication algorithm, is public. The key for admin is hardcoded in the installation code, and there is no key for publicsp (which is a guest account).
CVE-2020-13947 2 Apache, Oracle 3 Activemq, Communications Session Report Manager, Communications Session Route Manager 2024-11-21 6.1 Medium
An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ versions 5.15.12 through 5.16.0.
CVE-2020-13944 1 Apache 1 Airflow 2024-11-21 6.1 Medium
In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.
CVE-2020-13938 4 Apache, Mcafee, Microsoft and 1 more 4 Http Server, Epolicy Orchestrator, Windows and 1 more 2024-11-21 5.5 Medium
Apache HTTP Server versions 2.4.0 to 2.4.46 Unprivileged local users can stop httpd on Windows
CVE-2020-13928 1 Apache 1 Atlas 2024-11-21 6.1 Medium
Apache Atlas before 2.1.0 contain a XSS vulnerability. While saving search or rendering elements values are not sanitized correctly and because of that it triggers the XSS vulnerability.
CVE-2020-13925 1 Apache 1 Kylin 2024-11-21 9.8 Critical
Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remotely. Users of all previous versions after 2.3 should upgrade to 3.1.0.
CVE-2020-13919 1 Ruckuswireless 25 C110, E510, H320 and 22 more 2024-11-21 9.8 Critical
emfd/libemf in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to achieve command injection via a crafted HTTP request. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510 R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.
CVE-2020-13917 1 Ruckuswireless 25 C110, E510, H320 and 22 more 2024-11-21 9.8 Critical
rkscli in Ruckus Wireless Unleashed through 200.7.10.92 allows a remote attacker to achieve command injection and jailbreak the CLI via a crafted CLI command. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510 R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.
CVE-2020-13916 1 Ruckuswireless 25 C110, E510, H320 and 22 more 2024-11-21 9.8 Critical
A stack buffer overflow in webs in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to execute code via an unauthenticated crafted HTTP request. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510 R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.
CVE-2020-13915 1 Ruckuswireless 25 C110, E510, H320 and 22 more 2024-11-21 7.5 High
Insecure permissions in emfd/libemf in Ruckus Wireless Unleashed through 200.7.10.102.92 allow a remote attacker to overwrite admin credentials via an unauthenticated crafted HTTP request. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510 R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.
CVE-2020-13913 1 Ruckuswireless 25 C110, E510, H320 and 22 more 2024-11-21 6.1 Medium
An XSS issue in emfd in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to execute JavaScript code via an unauthenticated crafted HTTP request. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510 R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.
CVE-2020-13912 1 Solarwinds 1 Advanced Monitoring Agent 2024-11-21 7.3 High
SolarWinds Advanced Monitoring Agent before 10.8.9 allows local users to gain privileges via a Trojan horse .exe file, because everyone can write to a certain .exe file.
CVE-2020-13911 1 Your Online Shop Project 1 Your Online Shop 2024-11-21 5.4 Medium
Your Online Shop 1.8.0 allows authenticated users to trigger XSS via a Change Name or Change Surname operation.