CVE-2020-26759
clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, due to a buffer overflow.
kamadak-exif is an exif parsing library written in pure Rust. In kamadak-exif version 0.5.2, there is an infinite loop in parsing crafted PNG files. Specifically, reader::read_from_container can caus…
An issue was discovered in the server in Veritas Backup Exec through 16.2, 20.6 before hotfix 298543, and 21.1 before hotfix 657517. On start-up, it loads the OpenSSL library from the Installation fo…
Invision Community IPS Community Suite before 4.5.4.2 allows XSS during the quoting of a post or comment.
Cross Site Request Forgery vulnerability in McAfee Network Security Management (NSM) prior to 10.1.7.35 and NSM 9.x prior to 9.2.9.55 may allow an attacker to change the configuration of the Network…
Directory traversal vulnerability in post-edit.php in MiniCMS V1.10 allows remote attackers to include and execute arbitrary files via the state parameter.
Directory traversal vulnerability in page_edit.php in MiniCMS V1.10 allows remote attackers to read arbitrary files via the state parameter.
Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Unisphere for PowerMax versions prior to 9.0.2.16, and Dell EMC PowerMax OS 5978.221.221 and 5978.479.479 contain a Cross-Site Scri…
Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore X & T environments. A locally authenticated attacker could potentially exploit th…
Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore X & T environments. A locally authenticated attacker could potentially exploit th…
Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore T environments. A locally authenticated attacker could potentially exploit this v…
Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contain a Denial of Service vulnerability on NAS Servers with NFS exports. A remote authenticated attacker could potentially exp…
Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contains a plain-text password storage vulnerability. A user credentials (including the Unisphere admin privilege user) password…
Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contain a plain-text password storage vulnerability. A user credentials (including the Unisphere admin privilege user) password…
Dell EMC Isilon OneFS versions 8.1 and later and Dell EMC PowerScale OneFS version 9.0.0 contain a privilege escalation vulnerability on a SmartLock Compliance mode cluster. The compadmin user connec…
GigaVUE-OS (GVOS) 5.4 - 5.9 uses a weak algorithm for a hash stored in internal database.
GigaVUE-OS (GVOS) 5.4 - 5.9 stores a Redis database password in plaintext.
An issue was discovered in Viki Vera 4.9.1.26180. A user without access to a project could download or upload project files by opening the Project URL directly in the browser after logging in.
GJSON <=v1.6.5 allows attackers to cause a denial of service (panic: runtime error: slice bounds out of range) via a crafted GET call.
SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[pro…
An issue was discovered in Viki Vera 4.9.1.26180. An attacker could set a user's last name to an XSS Payload, and read another user's cookie and use that to login to the application.
An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), Q(10.0), and R(11.0) (Exynos chipsets) software. The Mali GPU driver allows out-of-bounds access and a device reset. The Samsung…
An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (Broadcom Bluetooth chipsets) software. The Bluetooth UART driver has a buffer overflow. The Samsung ID is SVE-2020-…
spring-boot-actuator-logview is a library that adds a simple logfile viewer as spring boot actuator endpoint. It is maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-log…
CA Service Catalog 17.2 and 17.3 contain a vulnerability in the default configuration of the Setup Utility that may allow a remote attacker to cause a denial of service condition.
There's a flaw in src/lib/openjp2/pi.c of openjpeg in versions prior to 2.4.0. If an attacker is able to provide untrusted input to openjpeg's conversion/encoding functionality, they could cause an o…
A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior to 2.4.0. This flaw allows an attacker to provide crafted input to openjpeg during conversion and encoding, causing an out-of-bou…
A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw allows an attacker to provide specially crafted input to the conversion or encoding functionality, causing an out-of-bounds read. Th…
There's a flaw in openjpeg's t2 encoder in versions prior to 2.4.0. An attacker who is able to provide crafted input to be processed by openjpeg could cause a null pointer dereference. The highest im…
There's a flaw in openjpeg in versions prior to 2.4.0 in src/lib/openjp2/pi.c. When an attacker is able to provide crafted input to be processed by the openjpeg encoder, this could cause an out-of-bo…
ISPConfig before 3.2.2 allows SQL injection.
An exploitable local privilege elevation vulnerability exists in the file system permissions of the Mobile-911 Server V2.5 install directory. Depending on the vector chosen, an attacker can overwrite…
An exploitable local privilege elevation vulnerability exists in the file system permissions of the Win-911 Enterprise V4.20.13 install directory via WIN-911 Account Change Utility. Depending on the…
An exploitable local privilege elevation vulnerability exists in the file system permissions of the Win-911 Enterprise V4.20.13 install directory via “WIN-911 Mobile Runtime” service. Depending on th…
IBM API Connect 5.0.0.0 through 5.0.8.10 could potentially leak sensitive information or allow for data corruption due to plain text transmission of sensitive information across the network. IBM X-Fo…
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5_2, 6.0.0.0 through 6.0.3.2, and 6.1.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical er…
The fileop module of the NXLog service in NXLog Community Edition 2.10.2150 allows remote attackers to cause a denial of service (daemon crash) via a crafted Syslog payload to the Syslog service. Thi…
FUEL CMS 1.4.11 has stored XSS in Blocks/Navigation/Site variables. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account a…
FUEL CMS 1.4.11 allows SQL Injection via parameter 'name' in /fuel/permissions/create/. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit…
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5_2, 6.0.0.0 through 6.0.3.2, and 6.1.0.0 could allow a remote attacker to execute arbitrary code on the system, caused by the deser…
A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the Jo…
Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be…
ffay lanproxy 0.1 allows Directory Traversal to read /../conf/config.properties to obtain credentials for a connection to the intranet.
ipeak Infosystems ibexwebCMS (aka IPeakCMS) 3.5 is vulnerable to an unauthenticated Boolean-based SQL injection via the id parameter on the /cms/print.php page.
mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID…
Select Dell Client Commercial and Consumer platforms support a BIOS password reset capability that is designed to assist authorized customers who forget their passwords. Dell is aware of unauthorized…
Dell Wyse Management Suite versions prior to 3.1 contain an open redirect vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users t…
Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with low privileges could exploit this vulnerability to sto…
Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with high privileges could exploit this vulnerability to st…
Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to access the writable…
Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain access to the s…
In MikroTik RouterOS through 2021-01-04, the hotspot login page is vulnerable to reflected XSS via the target parameter.
mdBook is a utility to create modern online books from Markdown files and is written in Rust. In mdBook before version 0.4.5, there is a vulnerability affecting the search feature of mdBook, which co…
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server c…
HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. In HtmlSanitizer before version 5.0.372, there is a possible XSS bypass if styl…
An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Authenticated Privilege Escalation via Profile Update. Any user with wp-admin access to the profile.php page cou…
An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privilege Escalation via User Meta. An attacker could supply an array parameter for sensitive me…
The ASUS DSL-N17U modem with firmware 1.1.0.2 allows attackers to access the admin interface by changing the admin password without authentication via a POST request to Advanced_System_Content.asp wi…
Creeper is an experimental dynamic, interpreted language. The binary release of Creeper Interpreter 1.1.3 contains potential malware. The compromised binary release was available for a few hours betw…
The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.
The Application Wrapper in Pearson VUE VTS Installer 2.3.1911 has Full Control permissions for Everyone in the "%SYSTEMDRIVE%\Pearson VUE" directory, which allows local users to obtain administrative…
Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts.
CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php and in cart.php. A successful exploitation of th…
There's a flaw in bfd_pef_parse_function_stubs of bfd/pef.c in binutils in versions prior to 2.34 which could allow an attacker who is able to submit a crafted file to be processed by objdump to caus…
There's a flaw in bfd_pef_scan_start_address() of bfd/pef.c in binutils which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereferen…
There's a flaw in binutils /bfd/pef.c. An attacker who is able to submit a crafted input file to be processed by the objdump program could cause a null pointer dereference. The greatest threat from t…
There's a flaw in binutils /opcodes/tic4x-dis.c. An attacker who is able to submit a crafted input file to be processed by binutils could cause usage of uninitialized memory. The highest threat is to…
A flaw exists in binutils in bfd/pef.c. An attacker who is able to submit a crafted PEF file to be parsed by objdump could cause a heap buffer overflow -> out-of-bounds read that could lead to an imp…
Veno File Manager 3.5.6 is affected by a directory traversal vulnerability. Using the traversal allows an attacker to download sensitive files from the server.
IBM Curam Social Program Management 7.0.9 and 7.0.11 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user th…
IBM Cloud Pak System 2.3 could allow a local privileged attacker to upload arbitrary files. By intercepting the request and modifying the file extension, the attacker could execute arbitrary code on…
IBM Cloud Pak System 2.3 could allow a local privileged user to disclose sensitive information due to an insecure direct object reference in self service console for the Platform System Manager. IBM…
IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X…
IBM Cloud Pak System 2.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially l…
IBM Cloud Pak System 2.3 could reveal credential information in the HTTP response to a local privileged user. IBM X-Force ID: 191288.
IBM Cloud Pak System 2.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially l…
IBM Cloud Pak System 2.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially l…
The package asciitable.js before 1.0.3 is vulnerable to Prototype Pollution via the main function.
This affects the package djv before 2.1.4. By controlling the schema file, an attacker can run arbitrary JavaScript code on the victim machine.
SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file with a crafted Location Name field.
SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type parameter of a ticket.
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destr…
MK-AUTH through 19.01 K4.9 allows CSRF for password changes via the central/executar_central.php?acao=altsenha_princ URI.
MK-AUTH through 19.01 K4.9 allows XSS via the admin/logs_ajax.php tipo parameter. An attacker can leverage this to read the centralmka2 (session token) cookie, which is not set to HTTPOnly.
decode_frame in libavcodec/exr.c in FFmpeg 4.3.1 has an out-of-bounds write because of errors in calculations of when to perform memset zero operations.
track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-bounds write because of incorrect extradata packing.
flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out-of-bounds write because it does not use the correct calculation of the maximum gzip data-size expansion.
The _deposit function in the smart contract implementation for Stable Yield Credit (yCREDIT), an Ethereum token, has certain incorrect calculations. An attacker can obtain more yCREDIT tokens than th…
In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accep…
In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language…
Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?sec=forgot email parameter.
zonote through 0.4.0 allows XSS via a crafted note, with resultant Remote Code Execution (because nodeIntegration in webPreferences is true).
Tenda N300 F3 12.01.01.48 devices allow remote attackers to obtain sensitive information (possibly including an http_passwd line) via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg, a related…
An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbitrary files such as wp-config.php file, which could effectively take a site offl…
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.153 for WordPress. It allows CSRF (via almost any endpoint).
An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution.…
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, including PHP files. Doing so woul…
An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. Nearly all of the AJAX action endpoints lacked permission checks, allowing these actions to be executed by anyone authentic…
An issue was discovered in the All in One SEO Pack plugin before 3.6.2 for WordPress. The SEO Description and Title fields are vulnerable to unsanitized input from a Contributor, leading to stored XS…
An issue was discovered in the Divi Builder plugin, Divi theme, and Divi Extra theme before 4.5.3 for WordPress. Authenticated attackers, with contributor-level or above capabilities, can upload arbi…
An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. The pagelayer_settings_page function is vulnerable to CSRF, which can lead to XSS.
PHP Object injection vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of d…
PHP Object injection vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data s…
Stored Cross-Site Scripting (XSS) vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a r…
Stored Cross-Site Scripting (XSS) vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remote…
The Advanced Access Manager plugin before 6.6.2 for WordPress displays the unfiltered user object (including all metadata) upon login via the REST API (aam/v1/authenticate or aam/v2/authenticate). Th…
A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote attackers to trick a victim into submitting a tnpc_render AJAX req…
Insecure Deserialization in the Newsletter plugin before 6.8.2 for WordPress allows authenticated remote attackers with minimal privileges (such as subscribers) to use the tpnc_render AJAX action to…
The Webform Report project 7.x-1.x-dev for Drupal allows remote attackers to view submissions by visiting the /rss.xml page. NOTE: This project is not covered by Drupal's security advisory policy.
uploader.php in the KCFinder integration project through 2018-06-01 for Drupal mishandles validation, aka SA-CONTRIB-2018-024. NOTE: This project is not covered by Drupal's security advisory policy.
The AES encryption project 7.x and 8.x for Drupal does not sufficiently prevent attackers from decrypting data, aka SA-CONTRIB-2017-027. NOTE: This project is not covered by Drupal's security advisor…
The REST/JSON project 7.x-1.x for Drupal allows user registration bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.
The REST/JSON project 7.x-1.x for Drupal allows field access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.
The REST/JSON project 7.x-1.x for Drupal allows comment access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.
The REST/JSON project 7.x-1.x for Drupal allows node access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.
The REST/JSON project 7.x-1.x for Drupal allows session name guessing, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.