Total
32264 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-7738 | 1 Shiba Project | 1 Shiba | 2024-11-21 | 6.5 MEDIUM | 8.3 HIGH |
| All versions of package shiba are vulnerable to Arbitrary Code Execution due to the default usage of the function load() of the package js-yaml instead of its secure replacement , safeLoad(). | |||||
| CVE-2020-7678 | 1 Node-import Project | 1 Node-import | 2024-11-21 | N/A | 8.6 HIGH |
| This affects all versions of package node-import. The "params" argument of module function can be controlled by users without any sanitization.b. This is then provided to the “eval” function located in line 79 in the index file "index.js". | |||||
| CVE-2020-7677 | 3 Debian, Fedoraproject, Thenify Project | 3 Debian Linux, Fedora, Thenify | 2024-11-21 | N/A | 8.6 HIGH |
| This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization. | |||||
| CVE-2020-7531 | 1 Schneider-electric | 1 Scadapack 7x Remote Connect | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| A CWE-284 Improper Access Control vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which allows an attacker to place executables in a specific folder and run code whenever RemoteConnect is executed by the user. | |||||
| CVE-2020-7491 | 1 Schneider-electric | 14 Tricon Tcm 4351, Tricon Tcm 4351 Firmware, Tricon Tcm 4351a and 11 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| **VERSION NOT SUPPORTED WHEN ASSIGNED** A legacy debug port account in TCMs installed in Tricon system versions 10.2.0 through 10.5.3 is visible on the network and could allow inappropriate access. This vulnerability was remediated in TCM version 10.5.4. | |||||
| CVE-2020-7485 | 2 Microsoft, Schneider-electric | 4 Windows 7, Windows Nt, Windows Xp and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| **VERSION NOT SUPPORTED WHEN ASSIGNED** A legacy support account in the TriStation software version v4.9.0 and earlier could cause improper access to the TriStation host machine. This was addressed in TriStation version v4.9.1 and v4.10.1 released on May 30, 2013.1 | |||||
| CVE-2020-7484 | 2 Microsoft, Schneider-electric | 4 Windows 7, Windows Nt, Windows Xp and 1 more | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| **VERSION NOT SUPPORTED WHEN ASSIGNED** A vulnerability with the former 'password' feature could allow a denial of service attack if the user is not following documented guidelines pertaining to dedicated TriStation connection and key-switch protection. This vulnerability was discovered and remediated in versions v4.9.1 and v4.10.1 on May 30, 2013. This feature is not present in version v4.9.1 and v4.10.1 through current. Therefore, the vulnerability is not present in these versions. | |||||
| CVE-2020-7387 | 1 Sage | 3 Adxadmin, X3, X3 Hr \& Payroll | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Sage X3 Installation Pathname Disclosure. A specially crafted packet can elicit a response from the AdxDSrv.exe component that reveals the installation directory of the product. Note that this vulnerability can be combined with CVE-2020-7388 to achieve full RCE. This issue was fixed in AdxAdmin 93.2.53, which ships with updates for on-premises versions of Sage X3 Version 9 (components shipped with Syracuse 9.22.7.2 and later), Sage X3 HR & Payroll Version 9 (those components that ship with Syracuse 9.24.1.3), Version 11 (components shipped with Syracuse 11.25.2.6 and later), and Version 12 (components shipped with Syracuse 12.10.2.8 and later) of Sage X3. Other on-premises versions of Sage X3 are unsupported by the vendor. | |||||
| CVE-2020-7363 | 1 Ucweb | 1 Uc Browser | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of UCWeb's UC Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects UCWeb's UC Browser version 13.0.8 and prior versions. | |||||
| CVE-2020-7320 | 1 Mcafee | 1 Endpoint Security | 2024-11-21 | 2.1 LOW | 6.7 MEDIUM |
| Protection Mechanism Failure vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2020 Update allows local administrator to temporarily reduce the detection capability allowing otherwise detected malware to run via stopping certain Microsoft services. | |||||
| CVE-2020-7298 | 1 Mcafee | 1 Total Protection | 2024-11-21 | 3.6 LOW | 7.5 HIGH |
| Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call. | |||||
| CVE-2020-7270 | 1 Mcafee | 1 Advanced Threat Defense | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| Exposure of Sensitive Information in the web interface in McAfee Advanced Threat Defense (ATD) prior to 4.12.2 allows remote authenticated users to view sensitive unencrypted information via a carefully crafted HTTP request parameter. The risk is partially mitigated if your ATD instances are deployed as recommended with no direct access from the Internet to them. | |||||
| CVE-2020-7269 | 1 Mcafee | 1 Advanced Threat Defense | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| Exposure of Sensitive Information in the web interface in McAfee Advanced Threat Defense (ATD) prior to 4.12.2 allows remote authenticated users to view sensitive unencrypted information via a carefully crafted HTTP request parameter. The risk is partially mitigated if your ATD instances are deployed as recommended with no direct access from the Internet to them. | |||||
| CVE-2020-7232 | 1 Evoko | 1 Home | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Evoko Home devices 1.31 through 1.37 allow remote attackers to obtain sensitive information (such as usernames and password hashes) via a WebSocket request, as demonstrated by the sockjs/224/uf1psgff/websocket URI at a wss:// URL. | |||||
| CVE-2020-7227 | 1 Westermo | 2 Mrd-315, Mrd-315 Firmware | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, backup.asp, sys-power.asp, ifaces-wls.asp, ifaces-wls-pkt.asp, and ifaces-wls-pkt-adv.asp. | |||||
| CVE-2020-7224 | 1 Aviatrix | 1 Openvpn | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Aviatrix OpenVPN client through 2.5.7 on Linux, macOS, and Windows is vulnerable when OpenSSL parameters are altered from the issued value set; the parameters could allow unauthorized third-party libraries to load. | |||||
| CVE-2020-7209 | 1 Hp | 1 Linuxki | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| LinuxKI v6.0-1 and earlier is vulnerable to an remote code execution which is resolved in release 6.0-2. | |||||
| CVE-2020-7207 | 1 Hp | 42 Apollo 2000, Apollo 2000 Firmware, Apollo 4200 Gen10 and 39 more | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM |
| A local elevation of privilege using physical access security vulnerability was found in HPE Proliant Gen10 Servers using Intel Innovation Engine (IE). This attack requires a physical attack to the server motherboard. To mitigate this issue, ensure your server is always physically secured. HPE will not address this issue in the impacted Gen 10 servers listed. HPE recommends using appropriate physical security methods as a compensating control to disallow an attacker from having physical access to the server main circuit board. | |||||
| CVE-2020-7205 | 1 Hpe | 118 Apollo 2000 Gen10 Plus System, Apollo 4200 Gen10 Server, Apollo 4200 Gen9 Server and 115 more | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM |
| A potential security vulnerability has been identified in HPE Intelligent Provisioning, Service Pack for ProLiant, and HPE Scripting ToolKit. The vulnerability could be locally exploited to allow arbitrary code execution during the boot process. **Note:** This vulnerability is related to using insmod in GRUB2 in the specific impacted HPE product and HPE is addressing this issue. HPE has made the following software updates and mitigation information to resolve the vulnerability in Intelligent Provisioning, Service Pack for ProLiant, and HPE Scripting ToolKit. HPE provided latest Intelligent Provisioning, Service Pack for ProLiant, and HPE Scripting Toolkit which includes the GRUB2 patch to resolve this vulnerability. These new boot images will update GRUB2 and the Forbidden Signature Database (DBX). After the DBX is updated, users will not be able to boot to the older IP, SPP or Scripting ToolKit with Secure Boot enabled. HPE have provided a standalone DBX update tool to work with Microsoft Windows, and supported Linux Operating Systems. These tools can be used to update the Forbidden Signature Database (DBX) from within the OS. **Note:** This DBX update mitigates the GRUB2 issue with insmod enabled, and the "Boot Hole" issue for HPE signed GRUB2 applications. | |||||
| CVE-2020-7203 | 1 Hp | 1 Ilo Amplifier Pack | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A potential security vulnerability has been identified in HPE iLO Amplifier Pack server version 1.70. The vulnerability could be exploited to allow remote code execution. | |||||