Search Results (79575 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-35296 | 1 Thinkadmin | 1 Thinkadmin | 2024-11-21 | 7.5 High |
| ThinkAdmin v6 has default administrator credentials, which allows attackers to gain unrestricted administrator dashboard access. | ||||
| CVE-2020-35284 | 1 Flamingoim Project | 1 Flamingoim | 2024-11-21 | 7.5 High |
| Flamingo (aka FlamingoIM) through 2020-09-29 allows ../ directory traversal because the only ostensibly unpredictable part of a file-transfer request is an MD5 computation; however, this computation occurs on the client side, and the computation details can be easily determined because the product's source code is available. | ||||
| CVE-2020-35273 | 1 Egavilanmedia | 1 User Registration & Login System With Admin Panel | 2024-11-21 | 8.0 High |
| EgavilanMedia User Registration & Login System with Admin Panel 1.0 is affected by Cross Site Request Forgery (CSRF) to remotely gain privileges in the User Profile panel. An attacker can update any user's account. | ||||
| CVE-2020-35269 | 1 Nagios | 1 Nagios Core | 2024-11-21 | 8.8 High |
| Nagios Core application version 4.2.4 is vulnerable to site-wide Cross-Site Request Forgery (CSRF) in many functions, such as adding or deleting hosts or servers. | ||||
| CVE-2020-35235 | 1 Themexa | 1 Secure File Manager | 2024-11-21 | 8.8 High |
| vendor/elfinder/php/connector.minimal.php in the secure-file-manager plugin through 2.5 for WordPress loads elFinder code without proper access control. Thus, any authenticated user can run the elFinder upload command to achieve remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2020-35234 | 1 Wp-ecommerce | 1 Easy Wp Smtp | 2024-11-21 | 7.5 High |
| The easy-wp-smtp plugin before 1.4.4 for WordPress allows Administrator account takeover, as exploited in the wild in December 2020. If an attacker can list the wp-content/plugins/easy-wp-smtp/ directory, then they can discover a log file (such as #############_debug_log.txt) that contains all password-reset links. The attacker can request a reset of the Administrator password and then use a link found there. | ||||
| CVE-2020-35231 | 1 Netgear | 4 Gs116e, Gs116e Firmware, Jgs516pe and 1 more | 2024-11-21 | 8.8 High |
| The NSDP protocol implementation on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices was affected by an authentication issue that allows an attacker to bypass access controls and obtain full control of the device. | ||||
| CVE-2020-35229 | 1 Netgear | 4 Gs116e, Gs116e Firmware, Jgs516pe and 1 more | 2024-11-21 | 8.8 High |
| The authentication token required to execute NSDP write requests on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices is not properly invalidated and can be reused until a new token is generated, which allows attackers (with access to network traffic) to effectively gain administrative privileges. | ||||
| CVE-2020-35227 | 1 Netgear | 4 Gs116e, Gs116e Firmware, Jgs516pe and 1 more | 2024-11-21 | 7.2 High |
| A buffer overflow vulnerability in the access control section on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices (in the administration web panel) allows an attacker to inject IP addresses into the whitelist via the checkedList parameter to the delete command. | ||||
| CVE-2020-35226 | 1 Netgear | 4 Gs116e, Gs116e Firmware, Jgs516pe and 1 more | 2024-11-21 | 7.1 High |
| NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices allow unauthenticated users to modify the switch DHCP configuration by sending the corresponding write request command. | ||||
| CVE-2020-35223 | 1 Netgear | 4 Gs116e, Gs116e Firmware, Jgs516pe and 1 more | 2024-11-21 | 8.8 High |
| The CSRF protection mechanism implemented in the web administration panel on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices could be bypassed by omitting the CSRF token parameter in HTTP requests. | ||||
| CVE-2020-35221 | 1 Netgear | 4 Gs116e, Gs116e Firmware, Jgs516pe and 1 more | 2024-11-21 | 8.8 High |
| The hashing algorithm implemented for NSDP password authentication on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices was found to be insecure, allowing attackers (with access to a network capture) to quickly generate multiple collisions to generate valid passwords, or infer some parts of the original. | ||||
| CVE-2020-35217 | 1 Eclipse | 1 Vert.x-web | 2024-11-21 | 8.8 High |
| Vert.x-Web framework v4.0 milestone 1-4 does not perform a correct CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, it compares the CSRF token in the cookie against a CSRF token that is stored in the session. An attacker does not even need to provide a CSRF token in the request because the framework does not consider it. The cookies are automatically sent by the browser and the verification will always succeed, leading to a successful CSRF attack. | ||||
| CVE-2020-35214 | 1 Atomix | 1 Atomix | 2024-11-21 | 8.1 High |
| An issue in Atomix v3.1.5 allows a malicious Atomix node to remove states of ONOS storage via abuse of primitive operations. | ||||
| CVE-2020-35213 | 1 Atomix | 1 Atomix | 2024-11-21 | 8.1 High |
| An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node. | ||||
| CVE-2020-35211 | 1 Atomix | 1 Atomix | 2024-11-21 | 7.5 High |
| An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node in a target cluster via manipulation of the variable terms in RaftContext. | ||||
| CVE-2020-35209 | 1 Atomix | 1 Atomix | 2024-11-21 | 7.5 High |
| An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a target cluster via providing configuration information. | ||||
| CVE-2020-35151 | 1 Phpgurukul | 1 Online Marriage Registration System | 2024-11-21 | 8.8 High |
| The Online Marriage Registration System 1.0 POST parameter "searchdata" in the user/search.php request is vulnerable to time-based SQL injection. | ||||
| CVE-2020-35145 | 1 Acronis | 1 True Image | 2024-11-21 | 7.8 High |
| Acronis True Image for Windows prior to 2021 Update 3 allowed local privilege escalation due to a DLL hijacking vulnerability in multiple components, aka an Untrusted Search Path issue. | ||||
| CVE-2020-35137 | 1 Mobileiron | 1 Mobile@work | 2024-11-21 | 7.5 High |
| The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature of the product; it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan to make any changes to this feature. | ||||