Total
1487 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-35938 | 1 Pickplugins | 2 Post Grid, Team Showcase | 2024-11-21 | 6.0 MEDIUM | 7.5 HIGH |
| PHP Object injection vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data supplied in a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to post_grid_import_xml_layouts. | |||||
| CVE-2020-35932 | 1 Tribulant | 1 Newsletter | 2024-11-21 | 6.0 MEDIUM | 7.5 HIGH |
| Insecure Deserialization in the Newsletter plugin before 6.8.2 for WordPress allows authenticated remote attackers with minimal privileges (such as subscribers) to use the tpnc_render AJAX action to inject arbitrary PHP objects via the options[inline_edits] parameter. NOTE: exploitability depends on PHP objects that might be present with certain other plugins or themes. | |||||
| CVE-2020-35728 | 4 Debian, Fasterxml, Netapp and 1 more | 40 Debian Linux, Jackson-databind, Service Level Manager and 37 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). | |||||
| CVE-2020-35491 | 4 Debian, Fasterxml, Netapp and 1 more | 26 Debian Linux, Jackson-databind, Service Level Manager and 23 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. | |||||
| CVE-2020-35490 | 4 Debian, Fasterxml, Netapp and 1 more | 25 Debian Linux, Jackson-databind, Service Level Manager and 22 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. | |||||
| CVE-2020-35488 | 1 Nxlog | 1 Nxlog | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| The fileop module of the NXLog service in NXLog Community Edition 2.10.2150 allows remote attackers to cause a denial of service (daemon crash) via a crafted Syslog payload to the Syslog service. This attack requires a specific configuration. Also, the name of the directory created must use a Syslog field. (For example, on Linux it is not possible to create a .. directory. On Windows, it is not possible to create a CON directory.) | |||||
| CVE-2020-2757 | 7 Canonical, Debian, Fedoraproject and 4 more | 21 Ubuntu Linux, Debian Linux, Fedora and 18 more | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
| Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). | |||||
| CVE-2020-2756 | 7 Canonical, Debian, Fedoraproject and 4 more | 20 Ubuntu Linux, Debian Linux, Fedora and 17 more | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
| Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). | |||||
| CVE-2020-2604 | 7 Canonical, Debian, Mcafee and 4 more | 27 Ubuntu Linux, Debian Linux, Epolicy Orchestrator and 24 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS v3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2020-2555 | 1 Oracle | 9 Access Manager, Coherence, Commerce Platform and 6 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2020-2211 | 1 Jenkins | 1 Kubernetes Ci | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. | |||||
| CVE-2020-2189 | 1 Jenkins | 1 Source Code Management Filter Jervis | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins SCM Filter Jervis Plugin 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. | |||||
| CVE-2020-2180 | 1 Jenkins | 1 Amazon Web Services Serverless Application Model | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. | |||||
| CVE-2020-2179 | 1 Jenkins | 1 Yaml Axis | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. | |||||
| CVE-2020-2158 | 1 Jenkins | 1 Literate | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. | |||||
| CVE-2020-2123 | 1 Jenkins | 1 Radargun | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. | |||||
| CVE-2020-29312 | 1 Zend | 1 Zend Framework | 2024-11-21 | N/A | 9.8 CRITICAL |
| An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Note: This has been disputed by third parties as incomplete and incorrect. The framework does not have a version that surpasses 2.x.x and was deprecated in early 2020. | |||||
| CVE-2020-29047 | 1 Thimpress | 1 Wp Hotel Booking | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php. | |||||
| CVE-2020-29045 | 1 Fivestarplugins | 1 Five Star Restaurant Menu | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The food-and-drink-menu plugin through 2.2.0 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the fdm_cart cookie in load_cart_from_cookie in includes/class-cart-manager.php. | |||||
| CVE-2020-28948 | 4 Debian, Drupal, Fedoraproject and 1 more | 4 Debian Linux, Drupal, Fedora and 1 more | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. | |||||