Total
4218 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-7804 | 2 Handysoft, Microsoft | 4 Groupware, Windows 10, Windows 7 and 1 more | 2024-11-21 | 6.5 MEDIUM | 6.4 MEDIUM |
| ActiveX Control(HShell.dll) in Handy Groupware 1.7.3.1 for Windows 7, 8, and 10 allows an attacker to execute arbitrary command via the ShellExec method. | |||||
| CVE-2020-7794 | 1 Buns Project | 1 Buns | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package buns. The injection point is located in line 678 in index file lib/index.js in the exported function install(requestedModule). | |||||
| CVE-2020-7789 | 1 Node-notifier Project | 1 Node-notifier | 2024-11-21 | 6.8 MEDIUM | 5.6 MEDIUM |
| This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array. | |||||
| CVE-2020-7786 | 1 Macfromip Project | 1 Macfromip | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package macfromip. The injection point is located in line 66 in macfromip.js. | |||||
| CVE-2020-7785 | 1 Node-ps Project | 1 Node-ps | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package node-ps. The injection point is located in line 72 in lib/index.js. | |||||
| CVE-2020-7784 | 1 Ts-process-promises Project | 1 Ts-process-promises | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package ts-process-promises. The injection point is located in line 45 in main entry of package in lib/process-promises.js. The vulnerability is demonstrated with the following PoC: | |||||
| CVE-2020-7782 | 1 Spritesheet-js Project | 1 Spritesheet-js | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package spritesheet-js. It depends on a vulnerable package platform-command. The injection point is located in line 32 in lib/generator.js, which is triggered by main entry of the package. | |||||
| CVE-2020-7781 | 1 Connection-tester Project | 1 Connection-tester | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package connection-tester before 0.2.1. The injection point is located in line 15 in index.js. The following PoC demonstrates the vulnerability: | |||||
| CVE-2020-7778 | 1 Systeminformation | 1 Systeminformation | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands. | |||||
| CVE-2020-7775 | 1 Freediskspace Project | 1 Freediskproject | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package freediskspace. The vulnerability arises out of improper neutralization of arguments in line 71 of freediskspace.js. | |||||
| CVE-2020-7752 | 1 Systeminformation | 1 Systeminformation | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands. | |||||
| CVE-2020-7735 | 1 Ng-packagr Project | 1 Ng-packagr | 2024-11-21 | 6.5 MEDIUM | 6.6 MEDIUM |
| The package ng-packagr before 10.1.1 are vulnerable to Command Injection via the styleIncludePaths option. | |||||
| CVE-2020-7730 | 1 Bestzip Project | 1 Bestzip | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The package bestzip before 2.1.7 are vulnerable to Command Injection via the options param. | |||||
| CVE-2020-7712 | 2 Joyent, Oracle | 5 Json, Commerce Guided Search, Financial Services Crime And Compliance Management Studio and 2 more | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| This affects the package json before 10.0.0. It is possible to inject arbritary commands using the parseLookup function. | |||||
| CVE-2020-7698 | 1 Gerapy | 1 Gerapy | 2024-11-21 | 7.5 HIGH | 8.1 HIGH |
| This affects the package Gerapy from 0 and before 0.9.3. The input being passed to Popen, via the project_configure endpoint, isn’t being sanitized. | |||||
| CVE-2020-7688 | 1 Mversion Project | 1 Mversion | 2024-11-21 | 4.6 MEDIUM | 8.4 HIGH |
| The issue occurs because tagName user input is formatted inside the exec function is executed without any checks. | |||||
| CVE-2020-7646 | 1 Curlrequest Project | 1 Curlrequest | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| curlrequest through 1.0.1 allows reading any file by populating the file parameter with user input. | |||||
| CVE-2020-7645 | 1 Google | 1 Chrome-launcher | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of chrome-launcher allow execution of arbitrary commands, by controlling the $HOME environment variable in Linux operating systems. | |||||
| CVE-2020-7640 | 1 Pixlcore | 1 Pixl-class | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| pixl-class prior to 1.0.3 allows execution of arbitrary commands. The members argument of the create function can be controlled by users without any sanitization. | |||||
| CVE-2020-7636 | 1 Adb-driver Project | 1 Adb-driver | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| adb-driver through 0.1.8 is vulnerable to Command Injection.It allows execution of arbitrary commands via the command function. | |||||