Search Results (80540 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2020-8827 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 7.5 High | As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence. |
| CVE-2020-8826 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 7.5 High | As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication. |
| CVE-2020-8819 | 1 Cardgate | 1 Cardgate Payments | 2024-11-21 | 8.1 High | An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments. |
| CVE-2020-8818 | 2 Adobe, Cardgate | 2 Magento, Cardgate Payments | 2024-11-21 | 8.1 High | An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments. |
| CVE-2020-8817 | 1 Dataiku | 1 Data Science Studio | 2024-11-21 | 8.1 High | Dataiku DSS before 6.0.5 allows attackers write access to the project to modify the "Created by" metadata. |
| CVE-2020-8815 | 1 Iktm | 1 Bearftp | 2024-11-21 | 7.5 High | Improper connection handling in the base connection handler in IKTeam BearFTP before v0.3.1 allows a remote attacker to achieve denial of service via a Slowloris approach by sending a large volume of small packets. |
| CVE-2020-8813 | 5 Cacti, Debian, Fedoraproject and 2 more | 6 Cacti, Debian Linux, Fedora and 3 more | 2024-11-21 | 8.8 High | graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege. |
| CVE-2020-8810 | 1 Gurux | 1 Device Language Message Specification Director | 2024-11-21 | 8.1 High | An issue was discovered in Gurux GXDLMS Director through 8.5.1905.1301. When downloading OBIS codes, it does not verify that the downloaded files are actual OBIS codes and doesn't check for path traversal. This allows the attacker exploiting CVE-2020-8809 to send executable files and place them in an autorun directory, or to place DLLs inside the existing GXDLMS Director installation (run on next execution of GXDLMS Director). This can be used to achieve code execution even if the user doesn't have any add-ins installed. |
| CVE-2020-8809 | 1 Gurux | 1 Device Language Message Specification Director | 2024-11-21 | 8.1 High | Gurux GXDLMS Director prior to 8.5.1905.1301 downloads updates to add-ins and OBIS code over an unencrypted HTTP connection. A man-in-the-middle attacker can prompt the user to download updates by modifying the contents of gurux.fi/obis/files.xml and gurux.fi/updates/updates.xml. Then, the attacker can modify the contents of downloaded files. In the case of add-ins (if the user is using those), this will lead to code execution. In case of OBIS codes (which the user is always using as they are needed to communicate with the energy meters), this can lead to code execution when combined with CVE-2020-8810. |
| CVE-2020-8808 | 1 Corsair | 1 Icue | 2024-11-21 | 7.8 High | The CorsairLLAccess64.sys and CorsairLLAccess32.sys drivers in CORSAIR iCUE before 3.25.60 allow local non-privileged users (including low-integrity level processes) to read and write to arbitrary physical memory locations, and consequently gain NT AUTHORITY\SYSTEM privileges, via a function call such as MmMapIoSpace. |
| CVE-2020-8806 | 1 Electriccoin | 1 Zcashd | 2024-11-21 | 7.5 High | Electric Coin Company Zcashd before 2.1.1-1 allows attackers to trigger consensus failure and double spending. A valid chain could be incorrectly rejected because timestamp requirements on block headers were not properly enforced. |
| CVE-2020-8801 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | 7.2 High | SuiteCRM through 7.11.11 allows PHAR Deserialization. |
| CVE-2020-8800 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | 8.8 High | SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PHP Object Injection. |
| CVE-2020-8795 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 7.5 High | In GitLab Enterprise Edition (EE) 12.5.0 through 12.7.5, sharing a group with a group could grant project access to unauthorized users. |
| CVE-2020-8787 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | 7.5 High | SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted. |
| CVE-2020-8782 | 1 Sierrawireless | 14 Airlink Es440, Airlink Es450, Airlink Gx400 and 11 more | 2024-11-21 | 7.5 High | Unauthenticated RPC server on ALEOS before 4.4.9, 4.9.5, and 4.14.0 allows remote code execution. |
| CVE-2020-8781 | 1 Sierrawireless | 14 Airlink Es440, Airlink Es450, Airlink Gx400 and 11 more | 2024-11-21 | 7.8 High | Lack of input sanitization in UpdateRebootMgr service of ALEOS 4.11 and later allows an escalation to root from a low-privilege process. |
| CVE-2020-8775 | 1 Pega | 1 Platform | 2024-11-21 | 8.9 High | Pega Platform before version 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the comment tags. |
| CVE-2020-8774 | 1 Pega | 1 Pega Platform | 2024-11-21 | 8.8 High | Pega Platform before version 8.2.6 is affected by a Reflected Cross-Site Scripting vulnerability in the "ActionStringID" function. |
| CVE-2020-8773 | 1 Pega | 1 Platform | 2024-11-21 | 8.9 High | The Richtext Editor in Pega Platform before 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability. |