Total
243 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-20333 | 1 Mongodb | 1 Mongodb | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versions prior to 4.2.10. | |||||
CVE-2021-20195 | 1 Redhat | 1 Keycloak | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL |
A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | |||||
CVE-2021-0933 | 1 Google | 1 Android | 2024-11-21 | 7.9 HIGH | 8.0 HIGH |
In onCreate of CompanionDeviceActivity.java or DeviceChooserActivity.java, there is a possible way for HTML tags to interfere with a consent dialog due to improper input validation. This could lead to remote escalation of privilege, confusing the user into accepting pairing of a malicious Bluetooth device, with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-172251622 | |||||
CVE-2020-9862 | 1 Apple | 7 Icloud, Ipados, Iphone Os and 4 more | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
A command injection issue existed in Web Inspector. This issue was addressed with improved escaping. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8, watchOS 6.2.8, Safari 13.1.2, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Copying a URL from Web Inspector may lead to command injection. | |||||
CVE-2020-7694 | 1 Encode | 1 Uvicorn | 2024-11-21 | 5.0 MEDIUM | 3.7 LOW |
This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file). | |||||
CVE-2020-6313 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
SAP NetWeaver Application Server JAVA(XML Forms) versions 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user controlled inputs, which allows an authenticated User with special roles to store malicious content, that when accessed by a victim, can perform malicious actions by executing JavaScript, leading to Stored Cross-Site Scripting. | |||||
CVE-2020-6261 | 1 Sap | 1 Solution Manager | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to perform a log injection into the trace file, due to Incomplete XML Validation. The readability of the trace file is impaired. | |||||
CVE-2020-6227 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
SAP Business Objects Business Intelligence Platform (CMS / Auditing issues), version 4.2, allows attacker to send specially crafted GIOP packets to several services due to Improper Input Validation, allowing to forge additional entries in GLF log files. | |||||
CVE-2020-5304 | 1 Whitesourcesoftware | 1 Whitesource | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
The dashboard in WhiteSource Application Vulnerability Management (AVM) before version 20.4.1 allows Log Injection via a %0A%0D substring in the idp parameter to the /saml/login URI. This closes the current log and creates a new log with one line of data. The attacker can also insert malicious data and false entries. | |||||
CVE-2020-4850 | 1 Ibm | 1 Gpfs.tct.server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
IBM Spectrum Scale 1.1.1.0 through 1.1.8.4 Transparent Cloud Tiering could allow a remote attacker to obtain sensitive information, caused by the leftover files after configuration. IBM X-Force ID: 190298. | |||||
CVE-2020-4282 | 1 Ibm | 1 Security Information Queue | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow an authenticated user to perform unauthorized actions by bypassing illegal character restrictions. X-Force ID: 176205. | |||||
CVE-2020-36599 | 1 Omniauth | 1 Omniauth | 2024-11-21 | N/A | 9.8 CRITICAL |
lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value. | |||||
CVE-2020-36567 | 1 Gin-gonic | 1 Gin | 2024-11-21 | N/A | 7.5 HIGH |
Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0 allows remote attackers to inject arbitrary log lines. | |||||
CVE-2020-36173 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields. | |||||
CVE-2020-29023 | 1 Secomea | 8 Gatemanager 4250, Gatemanager 4250 Firmware, Gatemanager 4260 and 5 more | 2024-11-21 | 4.9 MEDIUM | 3.5 LOW |
Improper Encoding or Escaping of Output from CSV Report Generator of Secomea GateManager allows an authenticated administrator to generate a CSV file that may run arbitrary commands on a victim's computer when opened in a spreadsheet program (like Excel). This issue affects: Secomea GateManager all versions prior to 9.3. | |||||
CVE-2020-28954 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name. | |||||
CVE-2020-27958 | 1 Osu | 1 Ohio Supercomputer Center Open Ondemand | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
The Job Composer app in Ohio Supercomputer Center Open OnDemand before 1.7.19 and 1.8.x before 1.8.18 allows remote authenticated users to provide crafted input in a job template. | |||||
CVE-2020-27604 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting. | |||||
CVE-2020-26283 | 1 Protocol | 1 Go-ipfs | 2024-11-21 | 6.5 MEDIUM | 6.8 MEDIUM |
go-ipfs is an open-source golang implementation of IPFS which is a global, versioned, peer-to-peer filesystem. In go-ipfs before version 0.8.0, control characters are not escaped from console output. This can result in hiding input from the user which could result in the user taking an unknown, malicious action. This is fixed in version 0.8.0. | |||||
CVE-2020-26226 | 1 Semantic-release Project | 1 Semantic-release | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3. |