| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A library index page in NuPoint Messenger in Mitel MiCollab before 9.2 FP1 could allow an unauthenticated attacker to gain access (view and modify) to user data. |
| Envoy before 1.16.1 mishandles dropped and truncated datagrams, as demonstrated by a segmentation fault for a UDP packet size larger than 1500. |
| Envoy before 1.16.1 logs an incorrect downstream address because it considers only the directly connected peer, not the information in the proxy protocol header. This affects situations with tcp-proxy as the network filter (not HTTP filters). |
| HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1. |
| rainrocka xinhu 2.1.9 allows remote attackers to obtain sensitive information via an index.php?a=gettotal request in which the ajaxbool value is manipulated to be true. |
| jsonparser 1.0.0 allows attackers to cause a denial of service (panic: runtime error: slice bounds out of range) via a GET call. |
| GJSON before 1.6.4 allows attackers to cause a denial of service via crafted JSON. |
| Beijing Huorong Internet Security 5.0.55.2 allows a non-admin user to escalate privileges by injecting code into a process, and then waiting for a Huorong services restart or a system reboot. |
| CONQUEST DICOM SERVER before 1.5.0 has a code execution vulnerability which can be exploited by attackers to execute malicious code. |
| The GitLab Webhook Handler in amazee.io Lagoon before 1.12.3 has incorrect access control associated with project deletion. |
| vendor/elfinder/php/connector.minimal.php in the secure-file-manager plugin through 2.5 for WordPress loads elFinder code without proper access control. Thus, any authenticated user can run the elFinder upload command to achieve remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer |
| An issue in Atomix v3.1.5 allows a malicious Atomix node to remove states of ONOS storage via abuse of primitive operations. |
| An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node in a target cluster via manipulation of the variable terms in RaftContext. |
| An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a target cluster via providing configuration information. |
| Frappe Framework 12 and 13 does not properly validate the HTTP method for the frappe.client API. |
| The Amaze File Manager application before 3.4.2 for Android does not properly restrict intents for controlling the FTP server (aka services.ftpservice.FTPReceiver.ACTION_START_FTPSERVER and services.ftpservice.FTPReceiver.ACTION_STOP_FTPSERVER). |
| lib/utils.js in mquery before 3.2.3 allows a pollution attack because a special property (e.g., __proto__) can be copied during a merge or clone operation. |
| An issue was discovered in the Keysight Database Connector plugin before 1.5.0 for Confluence. A malicious user could insert arbitrary JavaScript into saved macro parameters that would execute when a user viewed a page with that instance of the macro. |
| If a user downloaded a file lacking an extension on Windows, and then "Open"-ed it from the downloads panel, if there was an executable file in the downloads directory with the same name but with an executable extension (such as .bat or .exe) that executable would have been launched instead. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. |
| When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. |
