Total: 29514 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-28503 | 1 Gulpjs | 1 Copy-props | 2024-11-21 | 7.5 HIGH | 7.3 HIGH | The package copy-props before 2.0.5 is vulnerable to Prototype Pollution via the main functionality. |
| CVE-2020-28501 | 1 Crawlerdetect Project | 1 Crawlerdetect | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | This affects the package es6-crawler-detect before 3.1.3. There is no limit on the length of the user agent string supplied to regex operators. |
| CVE-2020-28500 | 3 Lodash, Oracle, Siemens | 19 Lodash, Banking Corporate Lending Process Management, Banking Credit Facilities Process Management and 16 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. |
| CVE-2020-28495 | 1 Totaljs | 1 Total.js | 2024-11-21 | 7.5 HIGH | 7.3 HIGH | This affects the package total.js before 3.4.7. The set function can be used to set a value into an object according to a path. However, the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of Service (DoS), Remote Code Execution or Property Injection. |
| CVE-2020-28480 | 1 Jointjs | 1 Jointjs | 2024-11-21 | 7.5 HIGH | 7.3 HIGH | The package jointjs before 3.3.0 is vulnerable to Prototype Pollution via util.setByPath (https://resources.jointjs.com/docs/jointjs/v3.2/joint.htmlutil.setByPath). The path used to access the object's key and set the value is not properly sanitized, leading to Prototype Pollution. |
| CVE-2020-28450 | 1 Decal Project | 1 Decal | 2024-11-21 | 7.5 HIGH | 8.6 HIGH | This affects all versions of package decal. The vulnerability is in the extend function. |
| CVE-2020-28449 | 1 Decal Project | 1 Decal | 2024-11-21 | 7.5 HIGH | 8.6 HIGH | This affects all versions of package decal. The vulnerability is in the set function. |
| CVE-2020-28442 | 1 Js-data | 1 Js-data | 2024-11-21 | 7.5 HIGH | 7.5 HIGH | All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn function. |
| CVE-2020-28388 | 4 Arm, Mips, Powerpc Project and 1 more | 8 Arm, Mips, Powerpc and 5 more | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM | A vulnerability has been identified in APOGEE PXC Compact (BACnet) (All versions < V3.5.5), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.20), APOGEE PXC Modular (BACnet) (All versions < V3.5.5), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.20), Nucleus NET (All versions < V5.2), Nucleus ReadyStart V3 (All versions < V2012.12), Nucleus Source Code (All versions), PLUSCONTROL 1st Gen (All versions), TALON TC Compact (BACnet) (All versions < V3.5.5), TALON TC Modular (BACnet) (All versions < V3.5.5). Initial Sequence Numbers (ISNs) for TCP connections are derived from an insufficiently random source. As a result, the ISN of current and future TCP connections could be predictable. An attacker could hijack existing sessions or spoof future ones. |
| CVE-2020-28342 | 1 Google | 1 Android | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (China / India) software. The S Secure application allows attackers to bypass authentication for a locked Gallery application via the Reminder application. The Samsung ID is SVE-2020-18689 (November 2020). |
| CVE-2020-28331 | 1 Barco | 2 Wepresent Wipg-1600w, Wepresent Wipg-1600w Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Barco wePresent WiPG-1600W devices have Improper Access Control. Affected Version(s): 2.5.1.8. The Barco wePresent WiPG-1600W device has an SSH daemon included in the firmware image. By default, the SSH daemon is disabled and does not start at system boot. The system initialization scripts read a device configuration file variable to see if the SSH daemon should be started. The web interface does not provide a visible capability to alter this configuration file variable. However, a malicious actor can include this variable in a POST such that the SSH daemon will be started when the device boots. |
| CVE-2020-28283 | 1 Libnested Project | 1 Libnested | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Prototype pollution vulnerability in 'libnested' versions 0.0.0 through 1.5.0 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2020-28282 | 1 Getobject Project | 1 Getobject | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2020-28250 | 1 Cellinx | 1 Nvt Web Server | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | Cellinx NVT Web Server 5.0.0.014b.test 2019-09-05 allows a remote user to run commands as root via SetFileContent.cgi because authentication is performed on the client side. |
| CVE-2020-28026 | 1 Exim | 1 Exim | 2024-11-21 | 9.3 HIGH | 9.8 CRITICAL | Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline into a spool header file, and indirectly allow unauthenticated remote attackers to execute arbitrary commands as root. |
| CVE-2020-28021 | 1 Exim | 1 Exim | 2024-11-21 | 9.0 HIGH | 8.8 HIGH | Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. An authenticated remote SMTP client can insert newline characters into a spool file (which indirectly leads to remote code execution as root) via AUTH= in a MAIL FROM command. |
| CVE-2020-28015 | 1 Exim | 1 Exim | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. Local users can alter the behavior of root processes because a recipient address can contain a newline character. |
| CVE-2020-28012 | 1 Exim | 1 Exim | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag. |
| CVE-2020-27929 | 1 Apple | 1 Iphone Os | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM | A logic issue existed in the handling of Group FaceTime calls. The issue was addressed with improved state management. This issue is fixed in iOS 12.4.9. A user may send video in Group FaceTime calls without knowing that they have done so. |
| CVE-2020-27925 | 1 Apple | 2 Ipados, Iphone Os | 2024-11-21 | 1.9 LOW | 5.5 MEDIUM | An issue existed in the handling of incoming calls. The issue was addressed with additional state checks. This issue is fixed in iOS 14.2 and iPadOS 14.2. A user may answer two calls simultaneously without indication that they have answered a second call. |