Total
958 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-35450 | 1 Entando | 1 Admin Console | 2021-08-10 | 9.0 HIGH | 7.2 HIGH |
| A Server Side Template Injection in the Entando Admin Console 6.3.9 and before allows a user with privileges to execute FreeMarker template with command execution via freemarker.template.utility.Execute | |||||
| CVE-2020-24825 | 1 Libelfin Project | 1 Libelfin | 2021-08-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| A vulnerability in the line_table::line_table function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | |||||
| CVE-2021-21580 | 1 Dell | 2 Emc Idrac8 Firmware, Emc Idrac9 Firmware | 2021-08-09 | 4.3 MEDIUM | 4.3 MEDIUM |
| Dell EMC iDRAC8 versions prior to 2.80.80.80 & Dell EMC iDRAC9 versions prior to 5.00.00.00 contain a Content spoofing / Text injection, where a malicious URL can inject text to present a customized message on the application that can phish users into believing that the message is legitimate. | |||||
| CVE-2019-6802 | 1 Python | 1 Pypiserver | 2021-07-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI. | |||||
| CVE-2020-16268 | 1 1e | 1 Client | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote authenticated users and local users to gain elevated privileges via the repair option. This applies to installations that have a TRANSFORM (MST) with the option to disable the installation of the Nomad module. An attacker may craft a .reg file in a specific location that will be able to write to any registry key as an elevated user. | |||||
| CVE-2019-17123 | 1 Egain | 1 Mail | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| The eGain Web Email API 11+ allows spoofed messages because the fromName and message fields (to /system/ws/v11/ss/email) are mishandled, as demonstrated by fromName header injection with a %0a or %0d character. (Also, the message parameter can have initial HTML comment characters.) | |||||
| CVE-2020-28031 | 1 Eramba | 1 Eramba | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| eramba through c2.8.1 allows HTTP Host header injection with (for example) resultant wkhtml2pdf PDF printing by authenticated users. | |||||
| CVE-2019-0304 | 1 Sap | 5 Advanced Business Application Programming Platform Kernel, Advanced Business Application Programming Platform Krnl32nuc, Advanced Business Application Programming Platform Krnl32uc and 2 more | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| FTP Function of SAP NetWeaver AS ABAP Platform, versions- KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.45, 7.49, 7.53, 7.73, allows an attacker to inject code or specifically manipulated command that can be executed by the application. An attacker could thereby control the behaviour of the application. | |||||
| CVE-2020-25967 | 2 Fastadmin, Microsoft | 2 Fastadmin, Windows | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| The member center function in fastadmin V1.0.0.20200506_beta is vulnerable to a Server-Side Template Injection (SSTI) vulnerability. | |||||
| CVE-2020-10208 | 1 Amino | 12 Ak45x, Ak45x Firmware, Ak5xx and 9 more | 2021-07-21 | 9.0 HIGH | 9.9 CRITICAL |
| Command Injection in EntoneWebEngine in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows authenticated remote attackers to execute arbitrary commands with root user privileges. | |||||
| CVE-2020-14987 | 1 Bloomreach | 1 Experience Manager | 2021-07-21 | 9.0 HIGH | 7.2 HIGH |
| An issue was discovered in Bloomreach Experience Manager (brXM) 4.1.0 through 14.2.2. It allows remote attackers to execute arbitrary code because there is a mishandling of the capability for administrators to write and run Groovy scripts within the updater editor. An attacker must use an AST transforming annotation such as @Grab. | |||||
| CVE-2020-13445 | 1 Liferay | 1 Liferay Portal | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates. | |||||
| CVE-2020-3884 | 1 Apple | 1 Mac Os X | 2021-07-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An injection issue was addressed with improved validation. This issue is fixed in macOS Catalina 10.15.4. A remote attacker may be able to cause arbitrary javascript code execution. | |||||
| CVE-2020-9382 | 1 Widgets Project | 1 Widgets | 2021-07-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's {{#widget:}} parser function. | |||||
| CVE-2020-27687 | 1 Thingsboard | 1 Thingsboard | 2021-07-21 | 6.8 MEDIUM | 8.8 HIGH |
| ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. This allows an attacker to send malicious links in password-reset emails to victims, pointing to an attacker-controlled server. Lack of validation of the Host header allows this to happen. | |||||
| CVE-2019-16468 | 1 Adobe | 1 Experience Manager | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have an user interface injection vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2020-13262 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Client-Side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1 allows a specially crafted Mermaid payload to PUT requests on behalf of other users via clicking on a link | |||||
| CVE-2020-12736 | 1 Code42 | 1 Code42 | 2021-07-21 | 6.5 MEDIUM | 7.2 HIGH |
| Code42 environments with on-premises server versions 7.0.4 and earlier allow for possible remote code execution. When an administrator creates a local (non-SSO) user via a Code42-generated email, the administrator has the option to modify content for the email invitation. If the administrator entered template language code in the subject line, that code could be interpreted by the email generation services, potentially resulting in server-side code injection. | |||||
| CVE-2020-25768 | 1 Contao | 1 Contao | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered. | |||||
| CVE-2019-16385 | 1 Cybelesoft | 1 Thinfinity Virtualui | 2021-07-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cybele Thinfinity VirtualUI 2.5.17.2 allows HTTP response splitting via the mimetype parameter within a PDF viewer request, as demonstrated by an example.pdf?mimetype= substring. The victim user must load an application request to view a PDF, containing the malicious payload. This results in a reflected XSS payload being executed. | |||||