Search Results (10404 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2020-26979 | 1 Mozilla | 1 Firefox | 2024-11-21 | 6.1 Medium | When a user typed a URL in the address bar or the search bar and quickly hit the enter key, a website could sometimes capture that event and then redirect the user before navigation occurred to the desired, entered address. To construct a convincing spoof the attacker would have had to guess what the user was typing, perhaps by suggesting it. This vulnerability affects Firefox < 84. |
| CVE-2020-26957 | 1 Mozilla | 1 Firefox | 2024-11-21 | 6.5 Medium | OneCRL was non-functional in the new Firefox for Android due to a missing service initialization. This could result in a failure to enforce some certificate revocations. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 83. |
| CVE-2020-26938 | 1 Oauth2-server Project | 1 Oauth2-server | 2024-11-21 | 7.2 High | In oauth2-server (aka node-oauth2-server) through 3.1.1, the value of the redirect_uri parameter received during the authorization and token request is checked against an incorrect URI pattern (`[a-zA-Z][a-zA-Z0-9+.-]+:`) before making a redirection. This allows a malicious client to pass an XSS payload through the redirect_uri parameter while making an authorization request. NOTE: this vulnerability is similar to CVE-2020-7741. |
| CVE-2020-26933 | 1 Trustedcomputinggroup | 1 Trusted Platform Module | 2024-11-21 | 7.2 High | Trusted Computing Group (TCG) Trusted Platform Module Library Family 2.0 Library Specification Revisions 1.38 through 1.59 has Incorrect Access Control during a non-orderly TPM shut-down that uses USE_DA_USED. Improper initialization of this shut-down may result in susceptibility to a dictionary attack. |
| CVE-2020-26886 | 1 Softaculous | 1 Softaculous | 2024-11-21 | 7.8 High | Softaculous before 5.5.7 is affected by a code execution vulnerability because of External Initialization of Trusted Variables or Data Stores. This leads to privilege escalation on the local host. |
| CVE-2020-26883 | 1 Lightbend | 1 Play Framework | 2024-11-21 | 7.5 High | In Play Framework 2.6.0 through 2.8.2, stack consumption can occur because of unbounded recursion during parsing of crafted JSON documents. |
| CVE-2020-26882 | 1 Lightbend | 1 Play Framework | 2024-11-21 | 7.5 High | In Play Framework 2.6.0 through 2.8.2, data amplification can occur when an application accepts multipart/form-data JSON input. |
| CVE-2020-26877 | 1 Apifest | 1 Oauth 2.0 Server | 2024-11-21 | 6.1 Medium | ApiFest OAuth 2.0 Server 0.3.1 does not validate the redirect URI in accordance with RFC 6749 and is susceptible to an open redirector attack. Specifically, it directly sends an authorization code to the redirect URI submitted with the authorization request, without checking whether the redirect URI is registered by the client who initiated the request. This allows an attacker to craft a request with a manipulated redirect URI (redirect_uri parameter), which is under the attacker's control, and consequently obtain the leaked authorization code when the server redirects the client to the manipulated redirect URI with an authorization code. NOTE: this is similar to CVE-2019-3778. |
| CVE-2020-26868 | 1 Pcvuesolutions | 1 Pcvue | 2024-11-21 | 7.5 High | ARC Informatique PcVue prior to version 12.0.17 is vulnerable to a denial-of-service attack due to the ability of an unauthorized user to modify information used to validate messages sent by legitimate web clients. This issue also affects third-party systems based on the Web Services Toolkit. |
| CVE-2020-26836 | 1 Sap | 1 Solution Manager | 2024-11-21 | 6.1 Medium | SAP Solution Manager (Trace Analysis), version 720, allows misuse of a parameter in the application URL, leading to an Open Redirect vulnerability: an attacker can place a link to a malicious site, which could trick the user into entering credentials or downloading malicious software, into a parameter of the application URL and share it with the end user, who could potentially become a victim of the attack. |
| CVE-2020-26705 | 1 Easyxml Project | 1 Easyxml | 2024-11-21 | 9.1 Critical | The parseXML function in Easy-XML 0.5.0 was discovered to have an XML External Entity (XXE) vulnerability which allows an attacker to expose sensitive data or perform a denial of service (DoS) via a crafted external entity entered into the XML content as input. |
| CVE-2020-26679 | 1 Vfairs | 1 Vfairs | 2024-11-21 | 4.3 Medium | vFairs 3.3 is affected by Insecure Permissions. Any user logged in to a vFairs virtual conference or event can modify any other user's profile information or profile picture. After obtaining any user's unique identification number and their own, an HTTP POST request can be made to update their profile description or supply a new profile image. This can lead to potential cross-site scripting attacks on any user, or the upload of malicious PHP webshells as "profile pictures." The user IDs can be easily determined from other responses of the API for an event or chat room. |
| CVE-2020-26650 | 1 Atomx | 1 Atomxcms | 2024-11-21 | 5.3 Medium | AtomXCMS 2.0 is affected by Arbitrary File Read via admin/dump.php. |
| CVE-2020-26602 | 1 Google | 1 Android | 2024-11-21 | 7.5 High | An issue was discovered in EthernetNetwork on Samsung mobile devices with O(8.1), P(9.0), Q(10.0), and R(11.0) software. PendingIntent allows sdcard access by an unprivileged process. The Samsung ID is SVE-2020-18392 (October 2020). |
| CVE-2020-26564 | 1 Objectplanet | 1 Opinio | 2024-11-21 | 6.5 Medium | ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFile'] URI. The XXE can then be triggered at an admin/preview.do?action=previewSurvey&surveyId= URI. |
| CVE-2020-26513 | 1 Intland | 1 Codebeamer | 2024-11-21 | 5.5 Medium | An issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. The ReqIF XML data, used by the codeBeamer ALM application to import projects, is parsed by insecurely configured software components, which can be abused for XML External Entity attacks. |
| CVE-2020-26506 | 1 Marmind | 1 Marmind | 2024-11-21 | 4.3 Medium | An Authorization Bypass vulnerability in the Marmind web application version 4.1.141.0 allows users with lower privileges to gain control of files uploaded by administrative users. The accessed files were not visible to the low-privileged users in the web GUI. |
| CVE-2020-26418 | 4 Debian, Fedoraproject, Oracle and 1 more | 4 Debian Linux, Fedora, Zfs Storage Appliance Kit and 1 more | 2024-11-21 | 3.1 Low | Memory leak in the Kafka protocol dissector in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or a crafted capture file. |
| CVE-2020-26275 | 1 Jupyter | 1 Jupyter Server | 2024-11-21 | 6.1 Medium | The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter Notebook, JupyterLab, and Voila. In Jupyter Server before version 1.1.1, an open redirect vulnerability could cause the Jupyter server to redirect the browser to a different, malicious website. All Jupyter servers running without a base_url prefix are technically affected; however, these maliciously crafted links can only be reasonably made for known Jupyter server hosts. A link to your Jupyter server may *appear* safe, but ultimately redirect to a spoofed server on the public internet. This same vulnerability was patched in upstream notebook v5.7.8. This is fixed in jupyter_server 1.1.1. If an upgrade is not available, a workaround can be to run your server on a URL prefix: `jupyter server --ServerApp.base_url=/jupyter/`. |
| CVE-2020-26265 | 1 Ethereum | 1 Go Ethereum | 2024-11-21 | 5.3 Medium | Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth from version 1.9.4 and before version 1.9.20, a consensus vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain. The fix was included in the Paragade release, version 1.9.20. No individual workaround patches have been made; all users are recommended to upgrade to a newer version. |