Total
182 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-0536 | 1 Google | 1 Android | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| In dropFile of WiFiInstaller, there is a way to delete files accessible to CertInstaller due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-176756691 | |||||
| CVE-2020-9752 | 1 Naver | 1 Cloud Explorer | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Naver Cloud Explorer before 2.2.2.11 allows the attacker can move a local file in any path on the filesystem as a system privilege through its named pipe. | |||||
| CVE-2020-8561 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | 4.0 MEDIUM | 4.1 MEDIUM |
| A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. | |||||
| CVE-2020-8553 | 1 Kubernetes | 1 Ingress-nginx | 2024-11-21 | 4.9 MEDIUM | 5.9 MEDIUM |
| The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyphenated namespace or secret name. | |||||
| CVE-2020-8226 | 1 Phpbb | 1 Phpbb | 2024-11-21 | 5.0 MEDIUM | 5.8 MEDIUM |
| A vulnerability exists in phpBB <v3.2.10 and <v3.3.1 which allowed remote image dimensions check to be used to SSRF. | |||||
| CVE-2020-6105 | 1 F2fs-tools Project | 1 F2fs-tools | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| An exploitable code execution vulnerability exists in the multiple devices functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause Information overwrite resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability. | |||||
| CVE-2020-5412 | 1 Vmware | 1 Spring Cloud Netflix | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly. | |||||
| CVE-2020-5297 | 1 Octobercms | 1 October | 2024-11-21 | 4.0 MEDIUM | 3.4 LOW |
| In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to upload jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff, woff2, svg, ttf, eot, json, md, less, sass, scss, xml files to any directory of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission. Issue has been patched in Build 466 (v1.0.466). | |||||
| CVE-2020-5296 | 1 Octobercms | 1 October | 2024-11-21 | 4.0 MEDIUM | 6.2 MEDIUM |
| In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to delete arbitrary local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission. Issue has been patched in Build 466 (v1.0.466). | |||||
| CVE-2020-36772 | 1 Cloudlinux | 1 Cagefs | 2024-11-21 | N/A | 4.4 MEDIUM |
| CloudLinux CageFS 7.0.8-2 or below insufficiently restricts file paths supplied to the sendmail proxy command. This allows local users to read and write arbitrary files of certain file formats outside the CageFS environment. | |||||
| CVE-2020-2009 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| An external control of filename vulnerability in the SD WAN component of Palo Alto Networks PAN-OS Panorama allows an authenticated administrator to send a request that results in the creation and write of an arbitrary file on all firewalls managed by the Panorama. In some cases this results in arbitrary code execution with root permissions. This issue affects: All versions of PAN-OS 7.1; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.7. | |||||
| CVE-2020-25161 | 1 Advantech | 1 Webaccess\/scada | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The WADashboard component of WebAccess/SCADA Versions 9.0 and prior may allow an attacker to control or influence a path used in an operation on the filesystem and remotely execute code as an administrator. | |||||
| CVE-2020-23171 | 1 Nim-lang | 1 Nim-lang | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| A vulnerability in all versions of Nim-lang allows unauthenticated attackers to write files to arbitrary directories via a crafted zip file with dot-slash characters included in the name of the crafted file. | |||||
| CVE-2020-21363 | 1 Maccms | 1 Maccms | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
| An arbitrary file deletion vulnerability exists within Maccms10. | |||||
| CVE-2020-14057 | 1 Monstaftp | 1 Monsta Ftp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Monsta FTP 2.10.1 or below allows external control of paths used in filesystem operations. This allows attackers to read and write arbitrary local files, allowing an attacker to gain remote code execution in common deployments. | |||||
| CVE-2020-0345 | 1 Google | 1 Android | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH |
| In DocumentsUI, there is a possible permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-144286721 | |||||
| CVE-2020-0267 | 1 Google | 1 Android | 2024-11-21 | 9.3 HIGH | 7.8 HIGH |
| In WindowManager, there is a possible launch of an unexpected app due to a confused deputy. This could lead to local escalation of privilege due to launching a malicious app instead of the one the user intended, with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-139128211 | |||||
| CVE-2020-0210 | 1 Google | 1 Android | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| In removeSharedAccountAsUser of AccountManager.java, there is a possible permissions bypass to a confused deputy. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145206763 | |||||
| CVE-2019-7290 | 1 Apple | 1 Shortcuts | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
| An access issue was addressed with additional sandbox restrictions. This issue is fixed in Shortcuts 2.1.3 for iOS. A sandboxed process may be able to circumvent sandbox restrictions. | |||||
| CVE-2019-3996 | 2 Elog Project, Fedoraproject | 2 Elog, Fedora | 2024-11-21 | 7.5 HIGH | 6.5 MEDIUM |
| ELOG 3.1.4-57bea22 and below can be used as an HTTP GET request proxy when unauthenticated remote attackers send crafted HTTP POST requests. | |||||