Total
4662 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-1518 | 1 Cisco | 1 Firepower Device Manager On-box | 2024-11-21 | 9.0 HIGH | 6.3 MEDIUM |
| A vulnerability in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system of an affected device. This vulnerability is due to insufficient sanitization of user input on specific REST API commands. An attacker could exploit this vulnerability by sending a crafted HTTP request to the API subsystem of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system. To exploit this vulnerability, an attacker would need valid low-privileged user credentials. | |||||
| CVE-2021-1362 | 1 Cisco | 4 Prime License Manager, Unified Communications Manager, Unified Communications Manager Im \& Presence Service and 1 more | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in the SOAP API endpoint of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, Cisco Unity Connection, and Cisco Prime License Manager could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper sanitization of user-supplied input. An attacker could exploit this vulnerability by sending a SOAP API request with crafted parameters to an affected device. A successful exploit could allow the attacker to execute arbitrary code with root privileges on the underlying Linux operating system of the affected device. | |||||
| CVE-2020-9530 | 1 Mi | 1 Miui Firmware | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered on Xiaomi MIUI V11.0.5.0.QFAEUXM devices. The export component of GetApps(com.xiaomi.mipicks) mishandles the functionality of opening other components. Attackers need to induce users to open specific web pages in a specific network environment. By jumping to the WebView component of Messaging(com.android.MMS) and loading malicious web pages, information leakage can occur. This is fixed on version: 2001122; 11.0.1.54. | |||||
| CVE-2020-9406 | 1 Iblsoft | 1 Online Weather | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service. | |||||
| CVE-2020-8518 | 3 Debian, Fedoraproject, Horde | 3 Debian Linux, Fedora, Groupware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution. | |||||
| CVE-2020-8349 | 1 Lenovo | 10 Cloud Networking Operating System, Rackswitch G8272, Rackswitch G8296 and 7 more | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| An internal security review has identified an unauthenticated remote code execution vulnerability in Cloud Networking Operating System (CNOS)’ optional REST API management interface. This interface is disabled by default and not vulnerable unless enabled. When enabled, it is only vulnerable where attached to a VRF and as allowed by defined ACLs. Lenovo strongly recommends upgrading to a non-vulnerable CNOS release. Where not possible, Lenovo recommends disabling the REST API management interface or restricting access to the management VRF and further limiting access to authorized management stations via ACL. | |||||
| CVE-2020-8274 | 1 Citrix | 1 Secure Mail | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Citrix Secure Mail for Android before 20.11.0 suffers from Improper Control of Generation of Code ('Code Injection') by allowing unauthenticated access to read data stored within Secure Mail. Note that a malicious app would need to be installed on the Android device or a threat actor would need to execute arbitrary code on the Android device. | |||||
| CVE-2020-8224 | 1 Nextcloud | 1 Desktop | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL config into a fixed directory. | |||||
| CVE-2020-8194 | 1 Citrix | 11 4000-wo, 4100-wo, 5000-wo and 8 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Reflected code injection in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows the modification of a file download. | |||||
| CVE-2020-8180 | 1 Nextcloud | 1 Talk | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
| A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk command was added by an administrator. | |||||
| CVE-2020-8163 | 2 Debian, Rubyonrails | 2 Debian Linux, Rails | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE. | |||||
| CVE-2020-8149 | 1 Logkitty Project | 1 Logkitty | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Lack of output sanitization allowed an attack to execute arbitrary shell commands via the logkitty npm package before version 0.7.1. | |||||
| CVE-2020-8141 | 1 Dot Project | 1 Dot | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype. | |||||
| CVE-2020-8140 | 2 Apple, Nextcloud | 2 Macos, Desktop | 2024-11-21 | 4.6 MEDIUM | 6.7 MEDIUM |
| A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the environment. | |||||
| CVE-2020-8137 | 1 Blamer Project | 1 Blamer | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Code injection vulnerability in blamer 1.0.0 and earlier may result in remote code execution when the input can be controlled by an attacker. | |||||
| CVE-2020-8129 | 1 Script-manager Project | 1 Script-manager | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An unintended require vulnerability in script-manager npm package version 0.8.6 and earlier may allow attackers to execute arbitrary code. | |||||
| CVE-2020-7745 | 1 Mintegral | 1 Mintegraladsdk | 2024-11-21 | 10.0 HIGH | 7.1 HIGH |
| This affects the package MintegralAdSDK before 6.6.0.0. The SDK distributed by the company contains malicious functionality that acts as a backdoor. Mintegral and their partners (advertisers) can remotely execute arbitrary code on a user device. | |||||
| CVE-2020-7710 | 1 Safe-eval Project | 1 Safe-eval | 2024-11-21 | 7.5 HIGH | 8.1 HIGH |
| This affects all versions of package safe-eval. It is possible for an attacker to run an arbitrary command on the host machine. | |||||
| CVE-2020-7694 | 1 Encode | 1 Uvicorn | 2024-11-21 | 5.0 MEDIUM | 3.7 LOW |
| This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file). | |||||
| CVE-2020-7675 | 1 Cd-messenger Project | 1 Cd-messenger | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| cd-messenger through 2.7.26 is vulnerable to Arbitrary Code Execution. User input provided to the `color` argument executed by the `eval` function resulting in code execution. | |||||