Search Results (8023 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-24227 | 1 Playgroundsessions | 1 Playground Sessions | 2024-11-21 | 7.5 High |
| Playground Sessions v2.5.582 (and earlier) for Windows stores the user credentials in plain text, allowing anyone with access to UserProfiles.sol to extract the email and password. | ||||
| CVE-2020-24164 | 1 Taoensso | 1 Nippy | 2024-11-21 | 7.8 High |
| A deserialization flaw is present in Taoensso Nippy before 2.14.2. In some circumstances, it is possible for an attacker to create a malicious payload that, when deserialized, will allow arbitrary code to be executed. This occurs because there is automatic use of the Java Serializable interface. | ||||
| CVE-2020-24038 | 1 Eram | 6 Myfax150, Myfax150 Firmware, Myfax250 and 3 more | 2024-11-21 | 6.5 Medium |
| myFax version 229 logs sensitive information in the export log module which allows any user to access critical information. | ||||
| CVE-2020-24036 | 1 Fork-cms | 1 Fork Cms | 2024-11-21 | 8.8 High |
| PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code. | ||||
| CVE-2020-24034 | 1 Sagemcom | 2 F@st 5280 Router, F@st 5280 Router Firmware | 2024-11-21 | 8.8 High |
| Sagemcom F@ST 5280 routers using firmware version 1.150.61 have insecure deserialization that allows any authenticated user to perform a privilege escalation to any other user. By making a request with valid sess_id, nonce, and ha1 values inside of the serialized session cookie, an attacker may alter the user value inside of this cookie, and assume the role and permissions of the user specified. By assuming the role of the user internal, which is inaccessible to end users by default, the attacker gains the permissions of the internal account, which includes the ability to flash custom firmware to the router, allowing the attacker to achieve a complete compromise. | ||||
| CVE-2020-23968 | 1 Ilex | 1 International Sign&go | 2024-11-21 | 7.8 High |
| Ilex International Sign&go Workstation Security Suite 7.1 allows elevation of privileges via a symlink attack on ProgramData\Ilex\S&G\Logs\000-sngWSService1.log. | ||||
| CVE-2020-23653 | 1 Thinkadmin | 1 Thinkadmin | 2024-11-21 | 9.8 Critical |
| An insecure unserialize vulnerability was discovered in ThinkAdmin versions 4.x through 6.x in app/admin/controller/api/Update.php and app/wechat/controller/api/Push.php, which may lead to arbitrary remote code execution. | ||||
| CVE-2020-23621 | 1 Squire-technologies | 1 Svi Ms Management System | 2024-11-21 | 9.8 Critical |
| The Java Remote Management Interface of all versions of SVI MS Management System was discovered to contain a vulnerability due to insecure deserialization of user-supplied content, which can allow attackers to execute arbitrary code via a crafted serialized Java object. | ||||
| CVE-2020-23620 | 1 Orlansoft | 1 Orlansoft Erp | 2024-11-21 | 9.8 Critical |
| The Java Remote Management Interface of all versions of Orlansoft ERP was discovered to contain a vulnerability due to insecure deserialization of user-supplied content, which can allow attackers to execute arbitrary code via a crafted serialized Java object. | ||||
| CVE-2020-23284 | 1 Mv | 1 Idce | 2024-11-21 | 7.5 High |
| Information disclosure in aspx pages in MV's IDCE application v1.0 allows an attacker to append aspx pages to the end of the application URL; these pages connect to the database and reveal internal and sensitive information without logging into the web application. | ||||
| CVE-2020-23036 | 1 Medianavi | 1 Smacom | 2024-11-21 | 5.9 Medium |
| MEDIA NAVI Inc SMACom v1.2 was discovered to contain an insecure session validation vulnerability in the session handling of the `password` authentication parameter of the wifi photo transfer module. This vulnerability allows attackers with network access privileges or on public wifi networks to read the authentication credentials and follow-up requests containing the user password via a man-in-the-middle attack. | ||||
| CVE-2020-22124 | 1 Joyplus-cms Project | 1 Joyplus-cms | 2024-11-21 | 7.5 High |
| A vulnerability in the \inc\config.php component of joyplus-cms v1.6 allows attackers to access sensitive information. | ||||
| CVE-2020-22083 | 1 Jsonpickle Project | 1 Jsonpickle | 2024-11-21 | 9.8 Critical |
| jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must not be used with untrusted data. | ||||
| CVE-2020-21994 | 1 Ave | 13 53ab-wbs, 53ab-wbs Firmware, Dominaplus and 10 more | 2024-11-21 | 9.8 Critical |
| AVE DOMINAplus <=1.10.x suffers from a clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file '/xml/authClients.xml' and obtain administrative login information that allows for a successful authentication bypass attack. | ||||
| CVE-2020-21933 | 1 Motorola | 2 Cx2, Cx2 Firmware | 2024-11-21 | 7.5 High |
| An issue was discovered in Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n where the admin password and private key could be found in the log tar package. | ||||
| CVE-2020-21686 | 1 Nasm | 1 Netwide Assembler | 2024-11-21 | 5.5 Medium |
| A stack-use-after-scope issue discovered in the expand_mmac_params function in preproc.c in nasm before 2.15.04 allows remote attackers to cause a denial of service via a crafted asm file. | ||||
| CVE-2020-20136 | 1 Quantconnect | 1 Lean | 2024-11-21 | 9.8 Critical |
| QuantConnect Lean versions from 2.3.0.0 to 2.4.0.1 are affected by an insecure deserialization vulnerability due to insecure configuration of TypeNameHandling property in Json.NET library. | ||||
| CVE-2020-1987 | 1 Paloaltonetworks | 1 Globalprotect | 2024-11-21 | 3.9 Low |
| An information exposure vulnerability in the logging component of Palo Alto Networks Global Protect Agent allows a local authenticated user to read VPN cookie information when the troubleshooting logging level is set to "Dump". This issue affects Palo Alto Networks Global Protect Agent 5.0 versions prior to 5.0.9; 5.1 versions prior to 5.1.1. | ||||
| CVE-2020-1978 | 1 Paloaltonetworks | 2 Pan-os, Vm-series | 2024-11-21 | 5.8 Medium |
| TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials. These credentials are equivalent to the credentials associated with the Contributor role in Azure. A user with the credentials will be able to manage all the Azure resources in the subscription except for granting access to other resources. These credentials do not allow login access to the VMs themselves. This issue affects VM Series Plugin versions before 1.0.9 for PAN-OS 9.0. This issue does not affect VM Series in non-HA configurations or on other cloud platforms. It does not affect hardware firewall appliances. Since becoming aware of the issue, Palo Alto Networks has safely deleted all the tech support files with the credentials. We now filter and remove these credentials from all TechSupport files sent to us. The TechSupport files uploaded to Palo Alto Networks systems were only accessible by authorized personnel with valid Palo Alto Networks credentials. We do not have any evidence of malicious access or use of these credentials. | ||||
| CVE-2020-1964 | 1 Apache | 1 Heron | 2024-11-21 | 9.8 Critical |
| It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability (CWE-502: Deserialization of Untrusted Data). | ||||