Vulnerabilities (CVE)

Filtered by CWE-116
Total 242 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-28954 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.
CVE-2020-27604 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.
CVE-2020-26283 1 Protocol 1 Go-ipfs 2024-11-21 6.5 MEDIUM 6.8 MEDIUM
go-ipfs is an open-source golang implementation of IPFS which is a global, versioned, peer-to-peer filesystem. In go-ipfs before version 0.8.0, control characters are not escaped from console output. This can result in hiding input from the user which could result in the user taking an unknown, malicious action. This is fixed in version 0.8.0.
CVE-2020-26226 1 Semantic-release Project 1 Semantic-release 2024-11-21 5.8 MEDIUM 8.1 HIGH
In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3.
CVE-2020-25646 1 Ansible Collections Project 1 Community.crypto 2024-11-21 5.0 MEDIUM 7.5 HIGH
A flaw was found in Ansible Collection community.crypto. openssl_privatekey_info exposes private key in logs. This directly impacts confidentiality
CVE-2020-24972 3 Fedoraproject, Kleopatra Project, Opensuse 4 Fedora, Kleopatra, Backports Sle and 1 more 2024-11-21 6.5 MEDIUM 8.8 HIGH
The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line options. The Qt platformpluginpath command-line option can be used to load an arbitrary DLL.
CVE-2020-24592 1 Mitel 1 Micloud Management Portal 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
Mitel MiCloud Management Portal before 6.1 SP5 could allow an attacker, by sending a crafted request, to view system information due to insufficient output sanitization.
CVE-2020-16281 1 Rangee 1 Rangeeos 2024-11-21 4.6 MEDIUM 7.8 HIGH
The Kommbox component in Rangee GmbH RangeeOS 8.0.4 could allow a local authenticated attacker to escape from the restricted environment and execute arbitrary code due to unrestricted context menus being accessible.
CVE-2020-13654 1 Xwiki 1 Xwiki 2024-11-21 5.0 MEDIUM 7.5 HIGH
XWiki Platform before 12.8 mishandles escaping in the property displayer.
CVE-2020-13625 4 Canonical, Debian, Fedoraproject and 1 more 4 Ubuntu Linux, Debian Linux, Fedora and 1 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.
CVE-2020-10235 1 Froxlor 1 Froxlor 2024-11-21 6.5 MEDIUM 8.8 HIGH
An issue was discovered in Froxlor before 0.10.14. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, because of _backupExistingDatabase in install/lib/class.FroxlorInstall.php.
CVE-2019-9853 1 Libreoffice 1 Libreoffice 2024-11-21 6.8 MEDIUM 7.8 HIGH
LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7; LibreOffice 6.3 series versions prior to 6.3.1.
CVE-2019-6109 9 Canonical, Debian, Fedoraproject and 6 more 28 Ubuntu Linux, Debian Linux, Fedora and 25 more 2024-11-21 4.0 MEDIUM 6.8 MEDIUM
An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.
CVE-2019-4326 1 Hcltech 1 Appscan 2024-11-21 5.0 MEDIUM 7.5 HIGH
"HCL AppScan Enterprise security rules update administration section of the web application console is missing HTTP Strict-Transport-Security Header."
CVE-2019-1968 1 Cisco 92 Mds 9000, Mds 9100, Mds 9140 and 89 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an NX-API system process to unexpectedly restart. The vulnerability is due to incorrect validation of the HTTP header of a request that is sent to the NX-API. An attacker could exploit this vulnerability by sending a crafted HTTP request to the NX-API on an affected device. A successful exploit could allow the attacker to cause a denial of service (DoS) condition in the NX-API service; however, the NX-OS device itself would still be available and passing network traffic. Note: The NX-API feature is disabled by default.
CVE-2019-19714 1 Contao 1 Contao 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
Contao 4.8.4 and 4.8.5 has Improper Encoding or Escaping of Output. It is possible to inject insert tags into the login module which will be replaced when the page is rendered.
CVE-2019-15944 1 Valvesoftware 1 Counter-strike\ 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
In Counter-Strike: Global Offensive before 8/29/2019, community game servers can display unsafe HTML in a disconnection message.
CVE-2019-12675 1 Cisco 17 Firepower 4110, Firepower 4110 Firmware, Firepower 4115 and 14 more 2024-11-21 7.2 HIGH 8.8 HIGH
Multiple vulnerabilities in the multi-instance feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to escape the container for their FTD instance and execute commands with root privileges in the host namespace. These vulnerabilities are due to insufficient protections on the underlying filesystem. An attacker could exploit these vulnerabilities by modifying critical files on the underlying filesystem. A successful exploit could allow the attacker to execute commands with root privileges within the host namespace. This could allow the attacker to impact other running FTD instances.
CVE-2019-12674 1 Cisco 17 Firepower 4110, Firepower 4110 Firmware, Firepower 4115 and 14 more 2024-11-21 7.2 HIGH 8.2 HIGH
Multiple vulnerabilities in the multi-instance feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to escape the container for their FTD instance and execute commands with root privileges in the host namespace. These vulnerabilities are due to insufficient protections on the underlying filesystem. An attacker could exploit these vulnerabilities by modifying critical files on the underlying filesystem. A successful exploit could allow the attacker to execute commands with root privileges within the host namespace. This could allow the attacker to impact other running FTD instances.
CVE-2019-12463 1 Librenms 1 Librenms 2024-11-21 6.5 MEDIUM 8.8 HIGH
An issue was discovered in LibreNMS 1.50.1. The scripts that handle graphing options (includes/html/graphs/common.inc.php and includes/html/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with mysqli_real_escape_string, which is only useful for preventing SQL injection attacks; other parameters are unfiltered. This allows an attacker to inject RRDtool syntax with newline characters via the html/graph.php and html/graph-realtime.php scripts. RRDtool syntax is quite versatile and an attacker could leverage this to perform a number of attacks, including disclosing directory structure and filenames, disclosing file content, denial of service, or writing arbitrary files. NOTE: relative to CVE-2019-10665, this requires authentication and the pathnames differ.