Total
1125 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-17234 | 1 Getigniteup | 1 Igniteup | 2021-07-21 | 6.4 MEDIUM | 7.5 HIGH |
| includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress allows unauthenticated arbitrary file deletion. | |||||
| CVE-2020-9330 | 1 Xerox | 36 Workcentre 3655, Workcentre 3655 Firmware, Workcentre 3655i and 33 more | 2021-07-21 | 4.0 MEDIUM | 8.8 HIGH |
| Certain Xerox WorkCentre printers before 073.xxx.000.02300 do not require the user to reenter or validate LDAP bind credentials when changing the LDAP connector IP address. A malicious actor who gains access to affected devices (e.g., by using default credentials) can change the LDAP connection IP address to a system owned by the actor without knowledge of the LDAP bind credentials. After changing the LDAP connection IP address, subsequent authentication attempts will result in the printer sending plaintext LDAP (Active Directory) credentials to the actor. Although the credentials may belong to a non-privileged user, organizations frequently use privileged service accounts to bind to Active Directory. The attacker gains a foothold on the Active Directory domain at a minimum, and may use the credentials to take over control of the Active Directory domain. This affects 3655*, 3655i*, 58XX*, 58XXi*, 59XX*, 59XXi*, 6655**, 6655i**, 72XX*, 72XXi*, 78XX**, 78XXi**, 7970**, 7970i**, EC7836**, and EC7856** devices. | |||||
| CVE-2020-27902 | 1 Apple | 2 Ipados, Iphone Os | 2021-07-21 | 2.1 LOW | 4.6 MEDIUM |
| An authentication issue was addressed with improved state management. This issue is fixed in iOS 14.2 and iPadOS 14.2. A person with physical access to an iOS device may be able to access stored passwords without authentication. | |||||
| CVE-2020-15834 | 1 Mofinetwork | 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The wireless network password is exposed in a QR encoded picture that an unauthenticated adversary can download via the web-management interface. | |||||
| CVE-2019-17235 | 1 Getigniteup | 1 Igniteup | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress allows information disclosure. | |||||
| CVE-2020-27019 | 2 Microsoft, Trendmicro | 2 Windows, Interscan Messaging Security Virtual Appliance | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an information disclosure vulnerability which could allow an attacker to access a specific database and key. | |||||
| CVE-2020-9325 | 1 Aquaforest | 1 Tiff Server | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| Aquaforest TIFF Server 4.0 allows Unauthenticated Arbitrary File Download. | |||||
| CVE-2020-26599 | 1 Google | 1 Android | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered on Samsung mobile devices with Q(10.0) software. The DynamicLockscreen Terms and Conditions can be accepted without authentication. The Samsung ID is SVE-2020-17079 (October 2020). | |||||
| CVE-2020-26829 | 1 Sap | 1 Netweaver Application Server Java | 2021-07-21 | 9.0 HIGH | 10.0 CRITICAL |
| SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary connections from processes because of missing authentication check, that are outside the cluster and even outside the network segment dedicated for the internal cluster communication. As result, an unauthenticated attacker can invoke certain functions that would otherwise be restricted to system administrators only, including access to system administration functions or shutting down the system completely. | |||||
| CVE-2020-11598 | 1 Cipplanner | 1 Cipace | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. Upload.ashx allows remote attackers to execute arbitrary code by uploading and executing an ASHX file. | |||||
| CVE-2019-12119 | 1 Onap | 1 Open Network Automation Platform | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in ONAP SDC through Dublin. By accessing port 7000 of demo-sdc-sdc-wfd-fe pod, an unauthenticated attacker (who already has access to pod-to-pod communication) may execute arbitrary code inside that pod. All ONAP Operations Manager (OOM) setups are affected. | |||||
| CVE-2020-12478 | 1 Teampass | 1 Teampass | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| TeamPass 2.1.27.36 allows an unauthenticated attacker to retrieve files from the TeamPass web root. This may include backups or LDAP debug files. | |||||
| CVE-2019-20579 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 2.4 LOW |
| An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. Gallery allows attackers to enable Location information sharing from the lock screen. The Samsung ID is SVE-2019-14462 (August 2019). | |||||
| CVE-2020-12106 | 1 Stengg | 2 Vpncrypt M10, Vpncrypt M10 Firmware | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Web portal of the WiFi module of VPNCrypt M10 2.6.5 allows unauthenticated users to send HTTP POST request to several critical Administrative functions such as, changing credentials of the Administrator account or connect the product to a rogue access point. | |||||
| CVE-2020-26876 | 1 Wpcoursesplugin | 1 Wp-courses | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step (for course videos and materials) by using the /wp-json REST API, as exploited in the wild in September 2020. This occurs because show_in_rest is enabled for custom post types (e.g., /wp-json/wp/v2/course and /wp-json/wp/v2/lesson exist). | |||||
| CVE-2020-25824 | 1 Telegram | 1 Telegram Desktop | 2021-07-21 | 2.1 LOW | 2.4 LOW |
| Telegram Desktop through 2.4.3 does not require passcode entry upon pushing the Export key within the Export Telegram Data wizard. The threat model is a victim who has voluntarily opened Export Wizard but is then distracted. An attacker then approaches the unattended desktop and pushes the Export key. This attacker may consequently gain access to all chat conversation and media files. | |||||
| CVE-2019-13338 | 1 Weseek | 1 Growi | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki access to make API calls for page metadata. In other words, the password hash can be retrieved even though it is not a publicly available field. | |||||
| CVE-2020-11673 | 1 Total-soft | 1 Responsive Poll | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the Responsive Poll through 1.3.4 for Wordpress. It allows an unauthenticated user to manipulate polls, e.g., delete, clone, or view a hidden poll. This is due to the usage of the callback wp_ajax_nopriv function in Includes/Total-Soft-Poll-Ajax.php for sensitive operations. | |||||
| CVE-2020-35226 | 1 Netgear | 4 Gs116e, Gs116e Firmware, Jgs516pe and 1 more | 2021-07-21 | 4.8 MEDIUM | 7.1 HIGH |
| NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices allow unauthenticated users to modify the switch DHCP configuration by sending the corresponding write request command. | |||||
| CVE-2020-26821 | 1 Sap | 1 Solution Manager | 2021-07-21 | 6.4 MEDIUM | 10.0 CRITICAL |
| SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the SVG Converter Service, this has an impact to the integrity and availability of the service. | |||||