Search

Search Results (364578 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2020-9410 2 Oracle, Tibco 3 Retail Order Broker, Jasperreports Library, Jasperreports Server 2024-11-21 7.3 High
The report generator component of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an attacker to exploit HTML injection to gain full control of a web interface containing the output of the report generator component with the privileges of any user that views the affected report(s). The attacker can theoretically exploit this vulnerability when other users view a maliciously generated report, where those reports use Fusion Charts and a data source with contents controlled by the attacker. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions 7.1.1 and below, versions 7.2.0 and 7.2.1, version 7.3.0, version 7.5.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions 7.1.1 and below, TIBCO JasperReports Server: versions 7.1.1 and below, version 7.2.0, version 7.5.0, TIBCO JasperReports Server for AWS Marketplace: versions 7.5.0 and below, and TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.1.1 and below.
CVE-2020-9409 2 Oracle, Tibco 2 Retail Order Broker, Jasperreports Server 2024-11-21 9.8 Critical
The administrative UI component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an unauthenticated attacker to obtain the permissions of a JasperReports Server "superuser" for the affected systems. The attacker can theoretically exploit the vulnerability consistently, remotely, and without authenticating. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 7.1.1 and below, TIBCO JasperReports Server for AWS Marketplace: versions 7.1.1 and below, and TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.1.1 and below.
CVE-2020-9408 1 Tibco 2 Spotfire Analytics Platform For Aws, Spotfire Server 2024-11-21 8.8 High
The Spotfire library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a vulnerability that theoretically allows an attacker with write permissions to the Spotfire Library, but not "Script Author" group permission, to modify attributes of files and objects saved to the library such that the system treats them as trusted. This could allow an attacker to cause the Spotfire Web Player, Analyst clients, and TERR Service into executing arbitrary code with the privileges of the system account that started those processes. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace: versions 10.8.0 and below and TIBCO Spotfire Server: versions 7.11.9 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, and 10.3.6, versions 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0, and 10.8.0.
CVE-2020-9407 1 Iblsoft 1 Online Weather 2024-11-21 5.3 Medium
IBL Online Weather before 4.3.5a allows attackers to obtain sensitive information by reading the IWEBSERVICE_JSONRPC_COOKIE cookie.
CVE-2020-9406 1 Iblsoft 1 Online Weather 2024-11-21 9.8 Critical
IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.
CVE-2020-9405 1 Iblsoft 1 Online Weather 2024-11-21 6.1 Medium
IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page.
CVE-2020-9404 1 Pactware 1 Pactware 2024-11-21 7.1 High
In PACTware before 4.1 SP6 and 5.x before 5.0.5.31, passwords are stored in an insecure manner, and may be modified by an attacker with no knowledge of the current passwords.
CVE-2020-9403 1 Pactware 1 Pactware 2024-11-21 5.5 Medium
In PACTware before 4.1 SP6 and 5.x before 5.0.5.31, passwords are stored in a recoverable format, and may be retrieved by any user with access to the PACTware workstation.
CVE-2020-9402 6 Canonical, Debian, Djangoproject and 3 more 7 Ubuntu Linux, Debian Linux, Django and 4 more 2024-11-21 8.8 High
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
CVE-2020-9399 1 Avast 3 Antivirus For Linux, Antivirus Pro, Antivirus Pro Plus 2024-11-21 5.5 Medium
The Avast AV parsing engine allows virus-detection bypass via a crafted ZIP archive. This affects versions before 12 definitions 200114-0 of Antivirus Pro, Antivirus Pro Plus, and Antivirus for Linux.
CVE-2020-9398 1 Ispconfig 1 Ispconfig 2024-11-21 9.8 Critical
ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection.
CVE-2020-9395 1 Realtek 8 Rtl8195am, Rtl8195am Firmware, Rtl8710af and 5 more 2024-11-21 8.0 High
An issue was discovered on Realtek RTL8195AM, RTL8711AM, RTL8711AF, and RTL8710AF devices before 2.0.6. A stack-based buffer overflow exists in the client code that takes care of WPA2's 4-way-handshake via a malformed EAPOL-Key packet with a long keydata buffer.
CVE-2020-9394 1 Supsystic 1 Pricing Table By Supsystic 2024-11-21 8.8 High
An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows CSRF.
CVE-2020-9393 1 Supsystic 1 Pricing Table By Supsystic 2024-11-21 6.1 Medium
An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows XSS.
CVE-2020-9392 1 Supsystic 1 Pricing Table By Supsystic 2024-11-21 7.3 High
An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. Because there is no permission check on the ImportJSONTable, createFromTpl, and getJSONExportTable endpoints, unauthenticated users can retrieve pricing table information, create new tables, or import/modify a table.
CVE-2020-9391 3 Fedoraproject, Linux, Netapp 10 Fedora, Linux Kernel, Active Iq Unified Manager and 7 more 2024-11-21 5.5 Medium
An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 on the AArch64 architecture. It ignores the top byte in the address passed to the brk system call, potentially moving the memory break downwards when the application expects it to move upwards, aka CID-dcde237319e6. This has been observed to cause heap corruption with the GNU C Library malloc implementation.
CVE-2020-9390 1 Squaredup 1 Squaredup 2024-11-21 5.4 Medium
SquaredUp allowed Stored XSS before version 4.6.0. A user was able to create a dashboard that executed malicious content in iframe or by uploading an SVG that contained a script.
CVE-2020-9389 1 Squaredup 1 Squaredup 2024-11-21 3.7 Low
A username enumeration issue was discovered in SquaredUp before version 4.6.0. The login functionality was implemented in a way that would enable a malicious user to guess valid username due to a different response time from invalid usernames.
CVE-2020-9388 1 Squaredup 1 Squaredup 2024-11-21 6.5 Medium
CSRF protection was not present in SquaredUp before version 4.6.0. A CSRF attack could have been possible by an administrator executing arbitrary code in a HTML dashboard tile via a crafted HTML page, or by uploading a malicious SVG payload into a dashboard.
CVE-2020-9387 1 Mahara 1 Mahara 2024-11-21 4.3 Medium
In Mahara 19.04 before 19.04.5 and 19.10 before 19.10.3, account details are shared in the Elasticsearch results for accounts that are not accessible when the config setting 'Isolated institutions' is turned on.