Total
9151 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-8112 | 2 Debian, Uclouvain | 2 Debian Linux, Openjpeg | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through 2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a different issue than CVE-2020-6851. | |||||
| CVE-2020-8086 | 2 Debian, Prosody | 3 Debian Linux, Mod Auth Ldap, Mod Auth Ldap2 | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed to the is_admin() function. This grants remote entities admin-only functionality if their username matches the username of a local admin. | |||||
| CVE-2020-8037 | 4 Apple, Debian, Fedoraproject and 1 more | 5 Mac Os X, Macos, Debian Linux and 2 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The ppp decapsulator in tcpdump 4.9.3 can be convinced to allocate a large amount of memory. | |||||
| CVE-2020-8021 | 2 Debian, Opensuse | 2 Debian Linux, Open Build Service | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |
| a Improper Access Control vulnerability in of Open Build Service allows remote attackers to read files of an OBS package where the sourceaccess/access is disabled This issue affects: Open Build Service versions prior to 2.10.5. | |||||
| CVE-2020-8020 | 2 Debian, Opensuse | 2 Debian Linux, Open Build Service | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| A Improper Neutralization of Input During Web Page Generation vulnerability in open-build-service allows remote attackers to store arbitrary JS code to cause XSS. This issue affects: openSUSE open-build-service versions prior to 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb. | |||||
| CVE-2020-8003 | 2 Debian, Virglrenderer Project | 2 Debian Linux, Virglrenderer | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| A double-free vulnerability in vrend_renderer.c in virglrenderer through 0.8.1 allows attackers to cause a denial of service by triggering texture allocation failure, because vrend_renderer_resource_allocated_texture is not an appropriate place for a free. | |||||
| CVE-2020-8002 | 2 Debian, Virglrenderer Project | 2 Debian Linux, Virglrenderer | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| A NULL pointer dereference in vrend_renderer.c in virglrenderer through 0.8.1 allows attackers to cause a denial of service via commands that attempt to launch a grid without previously providing a Compute Shader (CS). | |||||
| CVE-2020-7919 | 4 Debian, Fedoraproject, Golang and 1 more | 4 Debian Linux, Fedora, Go and 1 more | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate. | |||||
| CVE-2020-7788 | 2 Debian, Ini Project | 2 Debian Linux, Ini | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context. | |||||
| CVE-2020-7729 | 3 Canonical, Debian, Gruntjs | 3 Ubuntu Linux, Debian Linux, Grunt | 2024-11-21 | 4.6 MEDIUM | 7.1 HIGH |
| The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML. | |||||
| CVE-2020-7677 | 3 Debian, Fedoraproject, Thenify Project | 3 Debian Linux, Fedora, Thenify | 2024-11-21 | N/A | 8.6 HIGH |
| This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization. | |||||
| CVE-2020-7663 | 3 Canonical, Debian, Websocket-extensions Project | 3 Ubuntu Linux, Debian Linux, Websocket-extensions | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header. | |||||
| CVE-2020-7595 | 7 Canonical, Debian, Fedoraproject and 4 more | 32 Ubuntu Linux, Debian Linux, Fedora and 29 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. | |||||
| CVE-2020-7238 | 4 Debian, Fedoraproject, Netty and 1 more | 6 Debian Linux, Fedora, Netty and 3 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869. | |||||
| CVE-2020-7106 | 5 Cacti, Debian, Fedoraproject and 2 more | 8 Cacti, Debian Linux, Extra Packages For Enterprise Linux and 5 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS). | |||||
| CVE-2020-7105 | 3 Debian, Fedoraproject, Redislabs | 3 Debian Linux, Fedora, Hiredis | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| async.c and dict.c in libhiredis.a in hiredis through 0.14.0 allow a NULL pointer dereference because malloc return values are unchecked. | |||||
| CVE-2020-7071 | 3 Debian, Netapp, Php | 3 Debian Linux, Clustered Data Ontap, Php | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL. | |||||
| CVE-2020-7070 | 7 Canonical, Debian, Fedoraproject and 4 more | 7 Ubuntu Linux, Debian Linux, Fedora and 4 more | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM |
| In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information. | |||||
| CVE-2020-7069 | 8 Canonical, Debian, Fedoraproject and 5 more | 8 Ubuntu Linux, Debian Linux, Fedora and 5 more | 2024-11-21 | 6.4 MEDIUM | 5.4 MEDIUM |
| In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data. | |||||
| CVE-2020-7068 | 3 Debian, Php, Tenable | 3 Debian Linux, Php, Tenable.sc | 2024-11-21 | 3.3 LOW | 4.8 MEDIUM |
| In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure. | |||||