Total
981 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-20409 | 1 Atlassian | 2 Jira, Jira Software Data Center | 2020-07-06 | 7.5 HIGH | 9.8 CRITICAL |
| The way in which velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.0 allowed remote attackers to gain remote code execution if they were able to exploit a server side template injection vulnerability. | |||||
| CVE-2017-18900 | 1 Mattermost | 1 Mattermost Server | 2020-06-26 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report. | |||||
| CVE-2016-11068 | 1 Mattermost | 1 Mattermost Server | 2020-06-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection. | |||||
| CVE-2018-21258 | 1 Mattermost | 1 Mattermost Server | 2020-06-23 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command. | |||||
| CVE-2020-5217 | 1 Twitter | 1 Secure Headers | 2020-05-21 | 5.0 MEDIUM | 5.8 MEDIUM |
| In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could be used to e.g. override a script-src directive. Duplicate directives are ignored and the first one wins. The directives in secure_headers are sorted alphabetically so they pretty much all come before script-src. A previously undefined directive would receive a value even if SecureHeaders::OPT_OUT was supplied. The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning when this happens. This will result in innocuous browser console messages if being exploited/accidentally used. In future releases, we will raise application errors resulting in 500s. Depending on what major version you are using, the fixed versions are 6.2.0, 5.1.0, 3.8.0. | |||||
| CVE-2009-1781 | 1 Frax | 1 Php Recommend | 2020-05-20 | 7.5 HIGH | N/A |
| Static code injection vulnerability in admin.php in Frax.dk Php Recommend 1.3 and earlier allows remote attackers to inject arbitrary PHP code into phpre_config.php via the form_aula parameter. | |||||
| CVE-2020-5574 | 1 Sixapart | 1 Movable Type | 2020-05-15 | 5.0 MEDIUM | 5.3 MEDIUM |
| HTML attribute value injection vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to inject arbitrary HTML attribute value via unspecified vectors. | |||||
| CVE-2020-12790 | 1 Nystudio107 | 1 Seomatic | 2020-05-14 | 5.0 MEDIUM | 7.5 HIGH |
| In the SEOmatic plugin before 3.2.49 for Craft CMS, helpers/DynamicMeta.php does not properly sanitize the URL. This leads to Server-Side Template Injection and credentials disclosure via a crafted Twig template after a semicolon. | |||||
| CVE-2020-6245 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2020-05-14 | 4.6 MEDIUM | 6.7 MEDIUM |
| SAP Business Objects Business Intelligence Platform, version 4.2, allows an attacker with access to local instance, to inject file or code that can be executed by the application due to Improper Control of Resource Identifiers. | |||||
| CVE-2020-8478 | 1 Abb | 4 Ac800m, Base Software, Mms Server and 1 more | 2020-05-13 | 2.1 LOW | 3.3 LOW |
| Insufficient protection of the inter-process communication functions in ABB System 800xA products OPC Server for AC 800M, MMS Server for AC 800M and Base Software for SoftControl (all published versions) enables an attacker authenticated on the local system to inject data, affecting the online view of runtime data shown in Control Builder. | |||||
| CVE-2020-3246 | 1 Cisco | 1 Umbrella | 2020-05-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the web server of Cisco Umbrella could allow an unauthenticated, remote attacker to perform a carriage return line feed (CRLF) injection attack against a user of an affected service. The vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user to access a crafted URL. A successful exploit could allow the attacker to inject arbitrary HTTP headers into valid HTTP responses sent to the browser of the user. | |||||
| CVE-2019-13285 | 1 Cososys | 1 Endpoint Protector | 2020-05-11 | 5.0 MEDIUM | 7.5 HIGH |
| CoSoSys Endpoint Protector 5.1.0.2 allows Host Header Injection. | |||||
| CVE-2020-1961 | 1 Apache | 1 Syncope | 2020-05-07 | 7.5 HIGH | 9.8 CRITICAL |
| Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered. | |||||
| CVE-2017-18854 | 1 Netgear | 1 Readynas Os Firmware | 2020-05-07 | 4.6 MEDIUM | 6.7 MEDIUM |
| NETGEAR ReadyNAS 6.6.1 and earlier is affected by command injection. | |||||
| CVE-2017-18856 | 1 Netgear | 1 Readynas Os Firmware | 2020-05-07 | 4.6 MEDIUM | 6.7 MEDIUM |
| NETGEAR ReadyNAS devices before 6.6.1 are affected by command injection. | |||||
| CVE-2020-5336 | 1 Rsa | 1 Archer | 2020-05-07 | 5.8 MEDIUM | 6.1 MEDIUM |
| RSA Archer, versions prior to 6.7 P1 (6.7.0.1), contain a URL injection vulnerability. An unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to execute malicious JavaScript code on the affected system. | |||||
| CVE-2017-18863 | 1 Netgear | 18 Wac120, Wac120 Firmware, Wn604 and 15 more | 2020-05-05 | 3.6 LOW | 7.1 HIGH |
| Certain NETGEAR devices are affected by command execution via a PHP form. This affects WN604 3.3.3 and earlier, WNAP210v2 3.5.20.0 and earlier, WNAP320 3.5.20.0 and earlier, WNDAP350 3.5.20.0 and earlier, WNDAP360 3.5.20.0 and earlier, WNDAP620 2.0.11 and earlier, WNDAP660 3.5.20.0 and earlier, WND930 2.0.11 and earlier, and WAC120 2.0.7 and earlier. | |||||
| CVE-2017-18788 | 1 Netgear | 106 D3600, D3600 Firmware, D6000 and 103 more | 2020-05-04 | 4.6 MEDIUM | 6.7 MEDIUM |
| Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D3600 before 1.0.0.67, D6000 before 1.0.0.67, D6100 before 1.0.0.56, D6200 before 1.1.00.24, D6220 before 1.0.0.32, D6400 before 1.0.0.66, D7000 before 1.0.1.52, D7000v2 before 1.0.0.44, D7800 before 1.0.1.30, D8500 before 1.0.3.35, DGN2200v4 before 1.0.0.96, DGN2200Bv4 before 1.0.0.96, EX2700 before 1.0.1.28, EX6150v2 before 1.0.1.54, EX6100v2 before 1.0.1.54, EX6200v2 before 1.0.1.52, EX6400 before 1.0.1.72, EX7300 before 1.0.1.72, EX8000 before 1.0.0.102, JNR1010v2 before 1.1.0.44, JWNR2010v5 before 1.1.0.44, PR2000 before 1.0.0.20, R6100 before 1.0.1.20, R6250 before 1.0.4.16, R6300v2 before 1.0.4.18, R6400 before 1.0.1.32, R6400v2 before 1.0.2.46, R6700 before 1.0.1.36, R6900 before 1.0.1.34, R7000 before 1.0.9.18, R6900P before 1.3.0.8, R7000P before 1.3.0.8, R7100LG before 1.0.0.34, R7300DST before 1.0.0.58, R7500 before 1.0.0.118, R7500v2 before 1.0.3.24, R7800 before 1.0.2.40, R7900 before 1.0.2.4, R8000 before 1.0.4.4_1.1.42, R7900P before 1.1.5.14, R8000P before 1.1.5.14, R8300 before 1.0.2.110, R8500 before 1.0.2.110, R9000 before 1.0.2.52, WN2000RPTv3 before 1.0.1.14, WN3000RPv3 before 1.0.2.50, WN3100RPv2 before 1.0.0.40, WNDR3400v3 before 1.0.1.16, WNDR3700v4 before 1.0.2.94, WNDR4300 before 1.0.2.96, WNDR4300v2 before 1.0.0.50, WNDR4500v3 before 1.0.0.50, WNR1000v4 before 1.1.0.44, WNR2000v5 before 1.0.0.62, WNR2020 before 1.1.0.44, WNR2050 before 1.1.0.44, and WNR3500Lv2 before 1.2.0.46. | |||||
| CVE-2018-21208 | 1 Netgear | 10 D6100, D6100 Firmware, R6100 and 7 more | 2020-05-04 | 5.8 MEDIUM | 8.8 HIGH |
| Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects D6100 before 1.0.0.57, R6100 before 1.0.1.20, R7500v2 before 1.0.3.24, WNDR4300v2 before 1.0.0.50, and WNDR4500v3 before 1.0.0.50. | |||||
| CVE-2017-18855 | 1 Netgear | 2 Wnr854t, Wnr854t Firmware | 2020-05-01 | 8.3 HIGH | 8.8 HIGH |
| NETGEAR WNR854T devices before 1.5.2 are affected by command execution. | |||||