Total
304 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-5304 | 1 Whitesourcesoftware | 1 Whitesource | 2024-11-21 | 7.5 High |
| The dashboard in WhiteSource Application Vulnerability Management (AVM) before version 20.4.1 allows Log Injection via a %0A%0D substring in the idp parameter to the /saml/login URI. This closes the current log and creates a new log with one line of data. The attacker can also insert malicious data and false entries. | ||||
| CVE-2020-4850 | 1 Ibm | 1 Gpfs.tct.server | 2024-11-21 | 7.5 High |
| IBM Spectrum Scale 1.1.1.0 through 1.1.8.4 Transparent Cloud Tiering could allow a remote attacker to obtain sensitive information, caused by the leftover files after configuration. IBM X-Force ID: 190298. | ||||
| CVE-2020-4282 | 1 Ibm | 1 Security Information Queue | 2024-11-21 | 4.3 Medium |
| IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow an authenticated user to perform unauthorized actions by bypassing illegal character restrictions. X-Force ID: 176205. | ||||
| CVE-2020-36599 | 1 Omniauth | 1 Omniauth | 2024-11-21 | 9.8 Critical |
| lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value. | ||||
| CVE-2020-36173 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 5.3 Medium |
| The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields. | ||||
| CVE-2020-29023 | 1 Secomea | 8 Gatemanager 4250, Gatemanager 4250 Firmware, Gatemanager 4260 and 5 more | 2024-11-21 | 3.5 Low |
| Improper Encoding or Escaping of Output from CSV Report Generator of Secomea GateManager allows an authenticated administrator to generate a CSV file that may run arbitrary commands on a victim's computer when opened in a spreadsheet program (like Excel). This issue affects: Secomea GateManager all versions prior to 9.3. | ||||
| CVE-2020-28954 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 5.3 Medium |
| web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name. | ||||
| CVE-2020-27958 | 1 Osu | 1 Ohio Supercomputer Center Open Ondemand | 2024-11-21 | 4.3 Medium |
| The Job Composer app in Ohio Supercomputer Center Open OnDemand before 1.7.19 and 1.8.x before 1.8.18 allows remote authenticated users to provide crafted input in a job template. | ||||
| CVE-2020-27604 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 6.5 Medium |
| BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting. | ||||
| CVE-2020-26283 | 1 Protocol | 1 Go-ipfs | 2024-11-21 | 6.8 Medium |
| go-ipfs is an open-source golang implementation of IPFS which is a global, versioned, peer-to-peer filesystem. In go-ipfs before version 0.8.0, control characters are not escaped from console output. This can result in hiding input from the user which could result in the user taking an unknown, malicious action. This is fixed in version 0.8.0. | ||||
| CVE-2020-26226 | 1 Semantic-release Project | 1 Semantic-release | 2024-11-21 | 8.1 High |
| In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3. | ||||
| CVE-2020-25646 | 1 Ansible Collections Project | 1 Community.crypto | 2024-11-21 | 7.5 High |
| A flaw was found in Ansible Collection community.crypto. openssl_privatekey_info exposes private key in logs. This directly impacts confidentiality | ||||
| CVE-2020-24972 | 3 Fedoraproject, Kleopatra Project, Opensuse | 4 Fedora, Kleopatra, Backports Sle and 1 more | 2024-11-21 | 8.8 High |
| The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line options. The Qt platformpluginpath command-line option can be used to load an arbitrary DLL. | ||||
| CVE-2020-24592 | 1 Mitel | 1 Micloud Management Portal | 2024-11-21 | 5.3 Medium |
| Mitel MiCloud Management Portal before 6.1 SP5 could allow an attacker, by sending a crafted request, to view system information due to insufficient output sanitization. | ||||
| CVE-2020-16281 | 1 Rangee | 1 Rangeeos | 2024-11-21 | 7.8 High |
| The Kommbox component in Rangee GmbH RangeeOS 8.0.4 could allow a local authenticated attacker to escape from the restricted environment and execute arbitrary code due to unrestricted context menus being accessible. | ||||
| CVE-2020-13654 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 7.5 High |
| XWiki Platform before 12.8 mishandles escaping in the property displayer. | ||||
| CVE-2020-13625 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2024-11-21 | 7.5 High |
| PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message. | ||||
| CVE-2020-10235 | 1 Froxlor | 1 Froxlor | 2024-11-21 | 8.8 High |
| An issue was discovered in Froxlor before 0.10.14. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, because of _backupExistingDatabase in install/lib/class.FroxlorInstall.php. | ||||
| CVE-2019-9853 | 2 Libreoffice, Redhat | 2 Libreoffice, Enterprise Linux | 2024-11-21 | 7.8 High |
| LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7; LibreOffice 6.3 series versions prior to 6.3.1. | ||||
| CVE-2019-9852 | 6 Canonical, Debian, Fedoraproject and 3 more | 6 Ubuntu Linux, Debian Linux, Fedora and 3 more | 2024-11-21 | 7.8 High |
| LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6. | ||||