Search

Search Results (364439 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2020-13259 1 Rad 2 Secflow-1v, Secflow-1v Firmware 2024-11-21 8.8 High
A vulnerability in the web-based management interface of RAD SecFlow-1v os-image SF_0290_2.3.01.26 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. This could be exploited in conjunction with CVE-2020-13260.
CVE-2020-13258 1 Contentful 1 Python Example 2024-11-21 6.1 Medium
Contentful through 2020-05-21 for Python allows reflected XSS, as demonstrated by the api parameter to the-example-app.py.
CVE-2020-13254 7 Canonical, Debian, Djangoproject and 4 more 8 Ubuntu Linux, Debian Linux, Django and 5 more 2024-11-21 5.9 Medium
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
CVE-2020-13253 3 Canonical, Debian, Qemu 3 Ubuntu Linux, Debian Linux, Qemu 2024-11-21 5.5 Medium
sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.
CVE-2020-13252 1 Centreon 1 Centreon 2024-11-21 8.8 High
Centreon before 19.04.15 allows remote attackers to execute arbitrary OS commands by placing shell metacharacters in RRDdatabase_status_path (via a main.get.php request) and then visiting the include/views/graphs/graphStatus/displayServiceStatus.php page.
CVE-2020-13250 1 Hashicorp 1 Consul 2024-11-21 7.5 High
HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Fixed in 1.6.6 and 1.7.4.
CVE-2020-13249 4 Fedoraproject, Mariadb, Opensuse and 1 more 7 Fedora, Connector\/c, Leap and 4 more 2024-11-21 8.8 High
libmariadb/mariadb_lib.c in MariaDB Connector/C before 3.1.8 does not properly validate the content of an OK packet received from a server. NOTE: although mariadb_lib.c was originally based on code shipped for MySQL, this issue does not affect any MySQL components supported by Oracle.
CVE-2020-13248 1 Boolebox 1 Boolebox 2024-11-21 5.4 Medium
BooleBox Secure File Sharing Utility before 4.2.3.0 allows stored XSS via a crafted avatar field within My Account JSON data to Account.aspx.
CVE-2020-13247 1 Boolebox 1 Boolebox 2024-11-21 7.3 High
BooleBox Secure File Sharing Utility before 4.2.3.0 allows CSV injection via a crafted user name that is mishandled during export from the activity logs in the Audit Area.
CVE-2020-13246 1 Gitea 1 Gitea 2024-11-21 7.5 High
An issue was discovered in Gitea through 1.11.5. An attacker can trigger a deadlock by initiating a transfer of a repository's ownership from one organization to another.
CVE-2020-13245 1 Netgear 28 R6120, R6120 Firmware, R6220 and 25 more 2024-11-21 5.9 Medium
Certain NETGEAR devices are affected by Missing SSL Certificate Validation. This affects R7000 1.0.9.6_1.2.19 through 1.0.11.100_10.2.10, and possibly R6120, R7800, R6220, R8000, R6350, R9000, R6400, RAX120, R6400v2, RBR20, R6800, XR300, R6850, XR500, and R7000P.
CVE-2020-13241 1 Microweber 1 Microweber 2024-11-21 7.8 High
Microweber 1.1.18 allows Unrestricted File Upload because admin/view:modules/load_module:users#edit-user=1 does not verify that the file extension (used with the Add Image option on the Edit User screen) corresponds to an image file.
CVE-2020-13240 1 Dolibarr 1 Dolibarr Erp\/crm 2024-11-21 5.4 Medium
The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.
CVE-2020-13239 1 Dolibarr 1 Dolibarr Erp\/crm 2024-11-21 5.4 Medium
The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS.
CVE-2020-13238 1 Mitsubishielectric 42 Melsec Iq-r00cpu, Melsec Iq-r00cpu Firmware, Melsec Iq-r01cpu and 39 more 2024-11-21 7.5 High
Mitsubishi MELSEC iQ-R Series PLCs with firmware 33 allow attackers to halt the industrial process by sending an unauthenticated crafted packet over the network, because this denial of service attack consumes excessive CPU time. After halting, physical access to the PLC is required in order to restore production.
CVE-2020-13231 2 Cacti, Fedoraproject 2 Cacti, Fedora 2024-11-21 6.5 Medium
In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change.
CVE-2020-13230 3 Cacti, Debian, Fedoraproject 3 Cacti, Debian Linux, Fedora 2024-11-21 4.3 Medium
In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs).
CVE-2020-13229 1 Sysax 1 Multi Server 2024-11-21 8.8 High
An issue was discovered in Sysax Multi Server 6.90. A session can be hijacked if one observes the sid value in any /scgi URI, because it is an authentication token.
CVE-2020-13228 1 Sysax 1 Multi Server 2024-11-21 6.1 Medium
An issue was discovered in Sysax Multi Server 6.90. There is reflected XSS via the /scgi sid parameter.
CVE-2020-13227 1 Sysax 1 Multi Server 2024-11-21 5.3 Medium
An issue was discovered in Sysax Multi Server 6.90. An attacker can determine the username (under which the web server is running) by triggering an invalid path permission error. This bypasses the fakepath protection mechanism.