All CVEs — 2020 (Page 2/122)

Browse all CVEs by publication year. Use filters to refine.

CVSS ≥ 0.0

2020-12-30

Medium

CVE-2020-35240

FluxBB 1.5.11 is affected by cross-site scripting (XSS in the Blog Content component. This vulnerability can allow an attacker to inject the XSS payload in "Blog Content" and each time any user will…

CVSS: 4.8 CWE: CWE-79

Medium

CVE-2020-29477

Invision Community 4.5.4 is affected by cross-site scripting (XSS) in the Field Name field. This vulnerability can allow an attacker to inject the XSS payload in Field Name and each time any user wil…

CVSS: 4.8 CWE: CWE-79

Medium

CVE-2020-29469

WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Menu component. This vulnerability can allow an attacker to inject the XSS payload in the Setting - Menu and each time any user will v…

CVSS: 5.4 CWE: CWE-79

Medium

CVE-2020-29233

WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Page description component. This vulnerability can allow an attacker to inject the XSS payload in the Page description and each time a…

CVSS: 5.4 CWE: CWE-79

Medium

CVE-2020-35850

An SSRF issue was discovered in cockpit-project.org Cockpit 234. NOTE: this is unrelated to the Agentejo Cockpit product. NOTE: the vendor states "I don't think [it] is a big real-life issue.

CVSS: 6.5 CWE: CWE-918

Critical

CVE-2020-35848

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function.

CVSS: 9.8 CWE: CWE-89

Critical

CVE-2020-35847

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function.

CVSS: 9.8 CWE: CWE-89

Critical

CVE-2020-35846

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.

CVSS: 9.8 CWE: CWE-89

Medium

CVE-2020-35842

Certain NETGEAR devices are affected by stored XSS. This affects D6200 before 1.1.00.38, D7000 before 1.0.1.78, JNR1010v2 before 1.1.0.62, JR6150 before 1.0.1.24, JWNR2010v5 before 1.1.0.62, R6020 be…

CVSS: 6.9 CWE: CWE-79

Medium

CVE-2020-35841

CVSS: 6.9 CWE: CWE-79

Medium

CVE-2020-35840

CVSS: 6.9 CWE: CWE-79

Medium

CVE-2020-35839

Certain NETGEAR devices are affected by Stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, XR500 before 2.3.…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35838

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.74, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35837

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35836

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35835

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35834

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35833

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35832

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35831

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35830

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35829

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7800 before 1.0.2.74, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, RBK20 before 2.3.5…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35828

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, RBK20 before 2.3.5.26, RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK40 before 2.3.5.30, RBR40 before 2.3.5.…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35827

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, R7800 before 1.0.2.74, R8900 before 1.0.4.…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35826

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35825

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35824

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35823

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35822

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35821

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35820

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35819

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35818

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35817

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35816

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35815

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35814

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35813

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, RBK40 before 2.3.5.30, RBR40 before 2.3.5.…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35812

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35811

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35810

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35809

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2020-35808

Certain NETGEAR devices are affected by stored XSS. This affects D6100 before 1.0.0.63, DM200 before 1.0.0.61, R7800 before 1.0.2.52, R8900 before 1.0.4.12, R9000 before 1.0.4.12, WN3000RPv2 before 1…

CVSS: 4.8 CWE: CWE-79

Medium

CVE-2020-35807

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7800 before 1.0.2.68, RAX120 before 1.0.0.78, RBK22 before 2.3.5.26, RBR20 before 2.3.5.26, RBS20 before 2.3.5…

CVSS: 6.0 CWE: CWE-79

Medium

CVE-2020-35806

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, RAX120 before 1.0.0.78, RBK22 before 2.3.5.26, RBR20 before 2.3…

CVSS: 6.0 CWE: CWE-79

Medium

CVE-2020-35805

CVSS: 6.1 CWE: CWE-79

High

CVE-2020-35799

Certain NETGEAR devices are affected by a stack-based buffer overflow by an unauthenticated attacker. This affects D3600 before 1.0.0.76, D6000 before 1.0.0.78, D6200 before 1.1.00.32, D7000 before 1…

CVSS: 8.8 CWE: CWE-787

Critical

CVE-2020-35798

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects R6400v2 before 1.0.4.84, R6700v3 before 1.0.4.84, R6900P before 1.3.2.124, R7000 before 1.0.11.1…

CVSS: 9.3 CWE: CWE-77

Critical

CVE-2020-35797

NETGEAR NMS300 devices before 1.6.0.27 are affected by command injection by an unauthenticated attacker.

CVSS: 9.8 CWE: CWE-434

High

CVE-2020-35796

Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. This affects CBR40 before 2.5.0.10, D6220 before 1.0.0.60, D6400 before 1.0.0.94, D7000v2 before 1.0.0.62, D8…

CVSS: 8.8 CWE: CWE-120

Critical

CVE-2020-35795

Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. This affects AC2100 before 1.2.0.72, AC2400 before 1.2.0.72, AC2600 before 1.2.0.72, CBK40 before 2.5.0.10, C…

CVSS: 9.8 CWE: CWE-120

High

CVE-2020-35794

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects RBS40V before 2.6.1.4, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK8…

CVSS: 8.4 CWE: CWE-77

Medium

CVE-2020-35793

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7800 before 1.0.1.58, R7500v2 before 1.0.3.46, R7800 before 1.0.2.74, R8900 before 1.0.5.2, and R9000…

CVSS: 6.1 CWE: CWE-77

High

CVE-2020-35792

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R7500v2 before 1.0.3.48, R8900 before 1.0.5.2, R9000 before 1.0.5.2, and R7800 before 1.0.2.68.

CVSS: 8.3 CWE: CWE-77

Medium

CVE-2020-35791

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R7800 before 1.0.2.68, R8900 before 1.0.5.2, and R9000 before 1.0.5.2.

CVSS: 6.4 CWE: CWE-77

Medium

CVE-2020-35790

Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7800 before 1.0.1.56, R7800 before 1.0.2.68, R8900 before 1.0.4.26, and R9000 before 1.0.4.26.

CVSS: 6.4 CWE: CWE-77

High

CVE-2020-35789

NETGEAR NMS300 devices before 1.6.0.27 are affected by command injection by an authenticated user.

CVSS: 8.8 CWE: CWE-20

High

CVE-2020-35788

NETGEAR WAC104 devices before 1.0.4.13 are affected by a buffer overflow by an authenticated user.

CVSS: 7.6 CWE: CWE-120

High

CVE-2020-35787

Certain NETGEAR devices are affected by a buffer overflow by an authenticated user. This affects D3600 before 1.0.0.76, D6000 before 1.0.0.76, D6200 before 1.1.00.36, D7000 before 1.0.1.70, EX6200v2…

CVSS: 8.0 CWE: CWE-120

Medium

CVE-2020-35786

NETGEAR R7800 devices before 1.0.2.74 are affected by a buffer overflow by an authenticated user.

CVSS: 4.5 CWE: CWE-120

High

CVE-2020-35785

NETGEAR DGN2200v1 devices before v1.0.0.60 mishandle HTTPd authentication (aka PSV-2020-0363, PSV-2020-0364, and PSV-2020-0365).

CVSS: 8.3 CWE: CWE-287

Medium

CVE-2020-35778

Certain NETGEAR devices are affected by CSRF. This affects GS716Tv3 before 6.3.1.36 and GS724Tv4 before 6.3.1.36.

CVSS: 4.3 CWE: CWE-352

High

CVE-2020-35777

NETGEAR DGN2200v1 devices before v1.0.0.58 are affected by command injection.

CVSS: 8.4 CWE: CWE-77

High

CVE-2020-10209

Command Injection in the CPE WAN Management Protocol (CWMP) registration in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows man-in-…

CVSS: 8.1 CWE: CWE-78

Critical

CVE-2020-10208

Command Injection in EntoneWebEngine in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows authenticated remote attackers to execute a…

CVSS: 9.9 CWE: CWE-74

Medium

CVE-2020-10206

Use of a Hard-coded Password in VNCserver in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows local attackers to view and interact w…

CVSS: 4.4 CWE: CWE-798

2020-12-29

Critical

CVE-2020-10210

Because of hard-coded SSH keys for the root user in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series, Kami7B, an attacker may remotely log in through…

CVSS: 9.8 CWE: CWE-798

Critical

CVE-2020-10207

Use of Hard-coded Credentials in EntoneWebEngine in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows remote attackers to retrieve an…

CVSS: 9.8 CWE: CWE-798

Critical

CVE-2020-10148

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authenticatio…

CVSS: 9.8 CWE: CWE-288

High

CVE-2020-27645

The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. This may allow remote authenticated users and…

CVSS: 8.8 CWE: CWE-428

High

CVE-2020-27644

CVSS: 8.8 CWE: CWE-428

Medium

CVE-2020-27643

The %PROGRAMDATA%\1E\Client directory in 1E Client 5.0.0.745 and 4.1.0.267 allows remote authenticated users and local users to create and modify files in protected directories (where they would not…

CVSS: 6.5 CWE: CWE-59

High

CVE-2020-16268

The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote authenticated users and local users to gain elevated privileges via the repair option. This applies to installations that have a T…

CVSS: 8.8 CWE: CWE-74

Medium

CVE-2020-35735

Vidyo 02-09-/D allows clickjacking via the portal/ URI.

CVSS: 4.7 CWE: CWE-1021

Medium

CVE-2020-9208

There is an information leak vulnerability in iManager NetEco 6000 versions V600R021C00. A module is lack of authentication. Attackers without access to the module can exploit this vulnerability to o…

CVSS: 6.5 CWE: CWE-306

High

CVE-2020-9207

There is an improper authentication vulnerability in some verisons of Huawei CloudEngine product. A module does not verify the input file properly. Attackers can exploit this vulnerability by craftin…

CVSS: 7.8 CWE: CWE-287

Medium

CVE-2020-9125

There is an out-of-bound read vulnerability in huawei smartphone Mate 30 versions earlier than 10.1.0.156 (C00E155R7P2). An attacker with specific permission can exploit this vulnerability by sending…

CVSS: 6.7 CWE: CWE-125

High

CVE-2020-9124

There is a memory leak vulnerability in some versions of Huawei CloudEngine product. An unauthenticated, remote attacker may exploit this vulnerability by sending specific message to the affected pro…

CVSS: 7.5 CWE: CWE-401

High

CVE-2020-9094

There is an out of bound read vulnerability in some verisons of Huawei CloudEngine product. A module does not deal with specific message properly. Attackers can exploit this vulnerability by sending…

CVSS: 7.5 CWE: CWE-125

Medium

CVE-2020-9093

There is a use after free vulnerability in Taurus-AL00A versions 10.0.0.1(C00E1R1P1). A module does not deal with specific message properly, which makes a function refer to memory after it has been f…

CVSS: 5.5 CWE: CWE-416

Medium

CVE-2020-35774

server/handler/HistogramQueryHandler.scala in Twitter TwitterServer (aka twitter-server) before 20.12.0, in some configurations, allows XSS via the /histograms endpoint.

CVSS: 5.4 CWE: CWE-79

High

CVE-2020-35773

The site-offline plugin before 1.4.4 for WordPress lacks certain wp_create_nonce and wp_verify_nonce calls, aka CSRF.

CVSS: 8.8 CWE: CWE-352

Medium

CVE-2020-29471

OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Profile Image. An admin can upload a profile image as a malicious code using JavaScript. Whenever anyone will see the profile picture…

CVSS: 4.8 CWE: CWE-79

Medium

CVE-2020-29470

OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Subject field of mail. This vulnerability can allow an attacker to inject the XSS payload in the Subject field of the mail and each t…

CVSS: 4.8 CWE: CWE-79

High

CVE-2020-5807

An unauthenticated remote attacker can send data to RsvcHost.exe listening on TCP port 5241 to add entries in the FactoryTalk Diagnostics event log. The attacker can specify long fields in the log en…

CVSS: 7.5 CWE: CWE-755

Medium

CVE-2020-5806

An attacker-controlled memory allocation size can be passed to the C++ new operator in the CServerManager::HandleBrowseLoadIconStreamRequest in messaging.dll. This can be done by sending a specially…

CVSS: 5.5 CWE: CWE-770

High

CVE-2020-5802

An attacker-controlled memory allocation size can be passed to the C++ new operator in RnaDaSvr.dll by sending a specially crafted ConfigureItems message to TCP port 4241. This will cause an unhandle…

CVSS: 7.5 CWE: CWE-770

High

CVE-2020-5801

An attacker can craft and send an OpenNamespace message to port 4241 with valid session-id that triggers an unhandled exception in CFTLDManager::HandleRequest function in RnaDaSvr.dll, resulting in p…

CVSS: 7.5 CWE: CWE-755

Medium

CVE-2020-29475

nopCommerce Store 4.30 is affected by cross-site scripting (XSS) in the Schedule tasks name field. This vulnerability can allow an attacker to inject the XSS payload in Schedule tasks and each time a…

CVSS: 4.8 CWE: CWE-79

High

CVE-2020-17533

Apache Accumulo versions 1.5.0 through 1.10.0 and version 2.0.0 do not properly check the return value of some policy enforcement functions before permitting an authenticated user to perform certain…

CVSS: 8.1 CWE: CWE-252

High

CVE-2020-25847

This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions of QTS and QuTS…

CVSS: 8.8 CWE: CWE-77

High

CVE-2020-26287

HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an attacker can inject arbitrary `script` tags in HedgeDoc notes using mermaid diagrams. Our co…

CVSS: 8.7 CWE: CWE-79

High

CVE-2020-26286

HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an unauthenticated attacker can upload arbitrary files to the upload storage backend including…

CVSS: 7.5 CWE: CWE-434

2020-12-28

Medium

CVE-2020-13476

NCH Express Invoice 8.06 to 8.24 is vulnerable to Reflected XSS in the Quotes List module.

CVSS: 4.8 CWE: CWE-79

Medium

CVE-2020-13474

In NCH Express Accounts 8.24 and earlier, an authenticated low-privilege user can enter a crafted URL to access higher-privileged functionalities such as Add/Edit users.

CVSS: 6.5 CWE: CWE-425

Medium

CVE-2020-13473

NCH Express Accounts 8.24 and earlier allows local users to discover the cleartext password by reading the configuration file.

CVSS: 5.5 CWE: CWE-312

Critical

CVE-2020-27172

An issue was discovered in G-Data before 25.5.9.25 using Symbolic links, it is possible to abuse the infected-file restore mechanism to achieve arbitrary write that leads to elevation of privileges.

CVSS: 9.8 CWE: CWE-59

High

CVE-2020-35766

The test suite in libopendkim in OpenDKIM through 2.10.3 allows local users to gain privileges via a symlink attack against the /tmp/testkeys file (related to t-testdata.h, t-setup.c, and t-cleanup.c…

CVSS: 7.8 CWE: CWE-59

Medium

CVE-2020-35730

An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference el…

CVSS: 6.1 CWE: CWE-79

High

CVE-2020-35616

An issue was discovered in Joomla! 1.7.0 through 3.9.22. Lack of input validation while handling ACL rulesets can cause write ACL violations.

CVSS: 7.5 CWE: CWE-20

Medium

CVE-2020-35615

An issue was discovered in Joomla! 2.5.0 through 3.9.22. A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability.

CVSS: 6.3 CWE: CWE-352

Critical

CVE-2020-35613

An issue was discovered in Joomla! 3.0.0 through 3.9.22. Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list.

CVSS: 9.8 CWE: CWE-89

High

CVE-2020-35612

An issue was discovered in Joomla! 2.5.0 through 3.9.22. The folder parameter of mod_random_image lacked input validation, leading to a path traversal vulnerability.

CVSS: 7.5 CWE: CWE-22

High

CVE-2020-35611

An issue was discovered in Joomla! 2.5.0 through 3.9.22. The globlal configuration page does not remove secrets from the HTML output, disclosing the current values.

CVSS: 7.5 CWE: CWE-200

Critical

CVE-2020-26290

Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilitie…

CVSS: 9.3 CWE: CWE-347

High

CVE-2020-25507

An incorrect permission assignment during the installation script of TeamworkCloud 18.0 thru 19.0 allows a local unprivileged attacker to execute arbitrary code as root. During installation, the user…

CVSS: 7.8 CWE: CWE-732

High

CVE-2020-14273

HCL Domino is susceptible to a Denial of Service (DoS) vulnerability due to insufficient validation of input to its public API. An unauthenticated attacker could could exploit this vulnerability to c…

CVSS: 7.5 CWE: CWE-20

Medium

CVE-2020-27837

A flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessin…

CVSS: 6.4 CWE: CWE-362

High

CVE-2020-26289

date-and-time is an npm package for manipulating date and time. In date-and-time before version 0.14.2, there a regular expression involved in parsing which can be exploited to to cause a denial of s…

CVSS: 7.5 CWE: CWE-400

High

CVE-2020-24360

An issue with ARP packets in Arista’s EOS affecting the 7800R3, 7500R3, and 7280R3 series of products may result in issues that cause a kernel crash, followed by a device reload. The affected Arista…

CVSS: 7.4 CWE: CWE-404

High

CVE-2020-35627

Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file upload vulnerability in the Custom GiftCard Template that can remotely execute arbitrary code. Once it contains the function "Custom Gift C…

CVSS: 8.8 CWE: CWE-434

Medium

CVE-2020-29245

dhowden tag before 2020-11-19 allows "panic: runtime error: slice bounds out of range" via readAtomData.

CVSS: 6.5 CWE: CWE-129

Medium

CVE-2020-29244

dhowden tag before 2020-11-19 allows "panic: runtime error: slice bounds out of range" via readTextWithDescrFrame.

CVSS: 6.5 CWE: CWE-129

Medium

CVE-2020-29243

dhowden tag before 2020-11-19 allows "panic: runtime error: index out of range" via readAPICFrame.

CVSS: 6.5 CWE: CWE-129

Medium

CVE-2020-29242

dhowden tag before 2020-11-19 allows "panic: runtime error: index out of range" via readPICFrame.

CVSS: 6.5 CWE: CWE-129

High

CVE-2020-29160

An issue was discovered in Zammad before 3.5.1. A REST API call allows an attacker to change Ticket Article data in a way that defeats auditing.

CVSS: 7.5 CWE: CWE-862

Medium

CVE-2020-29158

An issue was discovered in Zammad before 3.5.1. An Agent with Customer permissions in a Group can bypass intended access control on internal Articles via the Ticket detail view.

CVSS: 4.3 CWE: CWE-862

Medium

CVE-2020-26035

An issue was discovered in Zammad before 3.4.1. There is Stored XSS via a Tags element in a TIcket.

CVSS: 5.4 CWE: CWE-79

Medium

CVE-2020-26033

An issue was discovered in Zammad before 3.4.1. The Tag and Link REST API endpoints (for add and delete) lack a CSRF token check.

CVSS: 5.4 CWE: CWE-352

High

CVE-2020-26032

An SSRF issue was discovered in Zammad before 3.4.1. The SMS configuration interface for Massenversand is implemented in a way that renders the result of a test request to the User. An attacker can u…

CVSS: 7.5 CWE: CWE-918