| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Zcashd in Zcash before 2.0.7-3 allows discovery of the IP address of a full node that owns a shielded address, related to mishandling of exceptions during deserialization of note plaintexts. This affects anyone who has disclosed their zaddr to a third party. |
| Auth0 auth0.net before 6.5.4 has Incorrect Access Control because IdentityTokenValidator can be accidentally used to validate untrusted ID tokens. |
| Xpdf 4.01.01 has an out-of-bounds write in the vertProfile part of the TextPage::findGaps function in TextOutputDev.cc, a different vulnerability than CVE-2019-9877. |
| Flower 0.9.3 has XSS via a crafted worker name. NOTE: The project author stated that he doesn't think this is a valid vulnerability. Worker name and task name aren’t user facing configuration options. They are internal backend config options and person having rights to change them already has full access |
| Flower 0.9.3 has XSS via the name parameter in an @app.task call. NOTE: The project author stated that he doesn't think this is a valid vulnerability. Worker name and task name aren’t user facing configuration options. They are internal backend config options and person having rights to change them already has full access |
| The Nulock application 1.5.0 for mobile devices sends a cleartext password over Bluetooth, which allows remote attackers (after sniffing the network) to take control of the lock. |
| kkcms 1.3 has jx.php?url= XSS. |
| SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 allows unintended public exposure of files. |
| In the Linux kernel before 4.17, hns_roce_alloc_ucontext in drivers/infiniband/hw/hns/hns_roce_main.c does not initialize the resp data structure, which might allow attackers to obtain sensitive information from kernel stack memory, aka CID-df7e40425813. |
| Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access or control for. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account. |
| WiKID Enterprise 2FA (two factor authentication) Enterprise Server through 4.2.0-b2047 is vulnerable to SQL injection through the searchDevices.jsp endpoint. The uid and domain parameters are used, unsanitized, in a SQL query constructed in the buildSearchWhereClause function. |
| An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/picture.widget.php uses the widgetkey parameter directly without sanitization (e.g., a basename call) for a pathname to file_get_contents or file_put_contents. |
| An XSS issue was discovered in pfSense through 2.4.4-p3. In services_captiveportal_mac.php, the username and delmac parameters are displayed without sanitization. |
| PC Protect Antivirus v4.14.31 installs by default to %PROGRAMFILES(X86)%\PCProtect with very weak folder permissions, granting any user full permission "Everyone: (F)" to the contents of the directory and its subfolders. In addition, the program installs a service called SecurityService that runs as LocalSystem. This allows any user to escalate privileges to "NT AUTHORITY\SYSTEM" by substituting the service's binary with a Trojan horse. |
| An issue was discovered in the Infosysta "In-App & Desktop Notifications" app before 1.6.14_J8 for Jira. It is possible to obtain a list of all Jira projects (with authentication as a Jira user, but without authorization for specific projects) via the plugins/servlet/nfj/NotificationSettings URI. |
| An issue was discovered in the Infosysta "In-App & Desktop Notifications" app before 1.6.14_J8 for Jira. It is possible to obtain a list of all Jira projects without authentication/authorization via the plugins/servlet/nfj/ProjectFilter?searchQuery= URI. |
| An issue was discovered in the Infosysta "In-App & Desktop Notifications" app 1.6.13_J8 for Jira. It is possible to obtain a list of all valid Jira usernames without authentication/authorization via the plugins/servlet/nfj/UserFilter?searchQuery=@ URI. |
| An issue was discovered in the Infosysta "In-App & Desktop Notifications" app 1.6.13_J8 for Jira. By using plugins/servlet/nfj/PushNotification?username= with a modified username, a different user's notifications can be read without authentication/authorization. These notifications are then no longer displayed to the normal user. |
| TeamPass 2.1.27.36 allows Stored XSS by setting a crafted password for an item in a common available folder or sharing the item with an admin. (The crafted password is exploitable when viewing the change history of the item or tapping on the item.) |
| Platinum UPnP SDK 1.2.0 allows Directory Traversal in Core/PltHttpServer.cpp because it checks for /.. where it should be checking for ../ instead. |
