Total
34215 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-7777 | 1 Jsen Project | 1 Jsen | 2024-11-21 | 7.2 High |
| This affects all versions of package jsen. If an attacker can control the schema file, it could run arbitrary JavaScript code on the victim machine. In the module description and README file there is no mention about the risks of untrusted schema files, so I assume that this is applicable. In particular the required field of the schema is not properly sanitized. The resulting string that is build based on the schema definition is then passed to a Function.apply();, leading to an Arbitrary Code Execution. | ||||
| CVE-2020-7772 | 1 Doc-path Project | 1 Doc-path | 2024-11-21 | 7.5 High |
| This affects the package doc-path before 2.1.2. | ||||
| CVE-2020-7765 | 1 Google | 1 Firebase\/util | 2024-11-21 | 5.6 Medium |
| This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program. | ||||
| CVE-2020-7761 | 1 Absolunet | 1 Kafe | 2024-11-21 | 5.3 Medium |
| This affects the package @absolunet/kafe before 3.2.10. It allows cause a denial of service when validating crafted invalid emails. | ||||
| CVE-2020-7754 | 2 Npmjs, Redhat | 3 Npm-user-validate, Enterprise Linux, Rhel Software Collections | 2024-11-21 | 7.5 High |
| This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters. | ||||
| CVE-2020-7742 | 1 Simpl-schema Project | 1 Simpl-schema | 2024-11-21 | 7.5 High |
| This affects the package simpl-schema before 1.10.2. | ||||
| CVE-2020-7738 | 1 Shiba Project | 1 Shiba | 2024-11-21 | 8.3 High |
| All versions of package shiba are vulnerable to Arbitrary Code Execution due to the default usage of the function load() of the package js-yaml instead of its secure replacement , safeLoad(). | ||||
| CVE-2020-7678 | 1 Node-import Project | 1 Node-import | 2024-11-21 | 8.6 High |
| This affects all versions of package node-import. The "params" argument of module function can be controlled by users without any sanitization.b. This is then provided to the “eval” function located in line 79 in the index file "index.js". | ||||
| CVE-2020-7677 | 3 Debian, Fedoraproject, Thenify Project | 3 Debian Linux, Fedora, Thenify | 2024-11-21 | 8.6 High |
| This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization. | ||||
| CVE-2020-7531 | 1 Schneider-electric | 1 Scadapack 7x Remote Connect | 2024-11-21 | 7.8 High |
| A CWE-284 Improper Access Control vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which allows an attacker to place executables in a specific folder and run code whenever RemoteConnect is executed by the user. | ||||
| CVE-2020-7491 | 1 Schneider-electric | 14 Tricon Tcm 4351, Tricon Tcm 4351 Firmware, Tricon Tcm 4351a and 11 more | 2024-11-21 | 7.5 High |
| **VERSION NOT SUPPORTED WHEN ASSIGNED** A legacy debug port account in TCMs installed in Tricon system versions 10.2.0 through 10.5.3 is visible on the network and could allow inappropriate access. This vulnerability was remediated in TCM version 10.5.4. | ||||
| CVE-2020-7485 | 2 Microsoft, Schneider-electric | 4 Windows 7, Windows Nt, Windows Xp and 1 more | 2024-11-21 | 9.8 Critical |
| **VERSION NOT SUPPORTED WHEN ASSIGNED** A legacy support account in the TriStation software version v4.9.0 and earlier could cause improper access to the TriStation host machine. This was addressed in TriStation version v4.9.1 and v4.10.1 released on May 30, 2013.1 | ||||
| CVE-2020-7484 | 2 Microsoft, Schneider-electric | 4 Windows 7, Windows Nt, Windows Xp and 1 more | 2024-11-21 | 7.5 High |
| **VERSION NOT SUPPORTED WHEN ASSIGNED** A vulnerability with the former 'password' feature could allow a denial of service attack if the user is not following documented guidelines pertaining to dedicated TriStation connection and key-switch protection. This vulnerability was discovered and remediated in versions v4.9.1 and v4.10.1 on May 30, 2013. This feature is not present in version v4.9.1 and v4.10.1 through current. Therefore, the vulnerability is not present in these versions. | ||||
| CVE-2020-7387 | 1 Sage | 3 Adxadmin, X3, X3 Hr \& Payroll | 2024-11-21 | 5.3 Medium |
| Sage X3 Installation Pathname Disclosure. A specially crafted packet can elicit a response from the AdxDSrv.exe component that reveals the installation directory of the product. Note that this vulnerability can be combined with CVE-2020-7388 to achieve full RCE. This issue was fixed in AdxAdmin 93.2.53, which ships with updates for on-premises versions of Sage X3 Version 9 (components shipped with Syracuse 9.22.7.2 and later), Sage X3 HR & Payroll Version 9 (those components that ship with Syracuse 9.24.1.3), Version 11 (components shipped with Syracuse 11.25.2.6 and later), and Version 12 (components shipped with Syracuse 12.10.2.8 and later) of Sage X3. Other on-premises versions of Sage X3 are unsupported by the vendor. | ||||
| CVE-2020-7363 | 1 Ucweb | 1 Uc Browser | 2024-11-21 | 4.3 Medium |
| User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of UCWeb's UC Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects UCWeb's UC Browser version 13.0.8 and prior versions. | ||||
| CVE-2020-7320 | 1 Mcafee | 1 Endpoint Security | 2024-11-21 | 6.7 Medium |
| Protection Mechanism Failure vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2020 Update allows local administrator to temporarily reduce the detection capability allowing otherwise detected malware to run via stopping certain Microsoft services. | ||||
| CVE-2020-7298 | 1 Mcafee | 1 Total Protection | 2024-11-21 | 7.5 High |
| Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call. | ||||
| CVE-2020-7270 | 1 Mcafee | 1 Advanced Threat Defense | 2024-11-21 | 4.9 Medium |
| Exposure of Sensitive Information in the web interface in McAfee Advanced Threat Defense (ATD) prior to 4.12.2 allows remote authenticated users to view sensitive unencrypted information via a carefully crafted HTTP request parameter. The risk is partially mitigated if your ATD instances are deployed as recommended with no direct access from the Internet to them. | ||||
| CVE-2020-7269 | 1 Mcafee | 1 Advanced Threat Defense | 2024-11-21 | 4.9 Medium |
| Exposure of Sensitive Information in the web interface in McAfee Advanced Threat Defense (ATD) prior to 4.12.2 allows remote authenticated users to view sensitive unencrypted information via a carefully crafted HTTP request parameter. The risk is partially mitigated if your ATD instances are deployed as recommended with no direct access from the Internet to them. | ||||
| CVE-2020-7232 | 1 Evoko | 1 Home | 2024-11-21 | 7.5 High |
| Evoko Home devices 1.31 through 1.37 allow remote attackers to obtain sensitive information (such as usernames and password hashes) via a WebSocket request, as demonstrated by the sockjs/224/uf1psgff/websocket URI at a wss:// URL. | ||||