Search Results (363299 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-4101 | 1 Hcltech | 1 Hcl Digital Experience | 2024-11-21 | 9.8 Critical |
| HCL Digital Experience is susceptible to Server Side Request Forgery. | ||||
| CVE-2020-4100 | 1 Hcltechsw | 1 Hcl Verse | 2024-11-21 | 4.4 Medium |
| HCL Verse for Android was found to employ dynamic code loading. This mechanism allows a developer to specify which components of the application should not be loaded by default when the application is started. Typically, core components and additional dependencies are loaded natively at runtime; however, dynamically loaded components are only loaded as they are specifically requested. While this can have a positive impact on performance, or grant additional functionality (for example, a non-invasive update feature), it can also open the application to loading unintended code if not implemented properly. | ||||
| CVE-2020-4097 | 1 Hcltech | 1 Notes | 2024-11-21 | 6.8 Medium |
| In HCL Notes version 9 previous to release 9.0.1 FixPack 10 Interim Fix 8, version 10 previous to release 10.0.1 FixPack 6 and version 11 previous to 11.0.1 FixPack 1, a vulnerability in the input parameter handling of the Notes Client could potentially be exploited by an attacker resulting in a buffer overflow. This could enable an attacker to crash HCL Notes or execute attacker-controlled code on the client. | ||||
| CVE-2020-4095 | 1 Hcltech | 1 Bigfix Platform | 2024-11-21 | 6.0 Medium |
| BigFix Platform is storing clear text credentials within the system's memory. An attacker who is able to gain administrative privileges can use a program to create a memory dump and extract the credentials. These credentials can be used to pivot further into the environment. The principle of least privilege should be applied to all BigFix deployments, limiting administrative access. | ||||
| CVE-2020-4092 | 1 Hcltech | 1 Hcl Nomad | 2024-11-21 | 5.3 Medium |
| If port encryption is not enabled on the Domino Server, HCL Nomad on Android and iOS Platforms will communicate in clear text and does not currently have a user interface option to change the setting to request an encrypted communication channel with the Domino server. This can potentially expose sensitive information, including but not limited to server names, user IDs and document content. | ||||
| CVE-2020-4089 | 1 Hcltech | 1 Notes | 2024-11-21 | 6.5 Medium |
| HCL Notes is vulnerable to an information leakage vulnerability through its support for the 'mailto' protocol. This vulnerability could result in files from the user's filesystem or connected network filesystems being leaked to a third party. All versions of HCL Notes 9, 10 and 11 are affected. | ||||
| CVE-2020-4085 | 1 Hcltech | 1 Connections | 2024-11-21 | 6.5 Medium |
| HCL Connections is vulnerable to possible information leakage and could disclose sensitive information via stack trace to a local user. | ||||
| CVE-2020-4084 | 1 Hcltech | 1 Connections | 2024-11-21 | 5.4 Medium |
| HCL Connections v5.5, v6.0, and v6.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2020-4083 | 1 Hcltech | 1 Connections | 2024-11-21 | 5.5 Medium |
| HCL Connections 6.5 is vulnerable to possible information leakage. Connections could disclose sensitive information via trace logs to a local user. | ||||
| CVE-2020-4082 | 1 Hcltech | 1 Connections | 2024-11-21 | 5.4 Medium |
| The HCL Connections 5.5 help system is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. | ||||
| CVE-2020-4081 | 1 Hcltech | 1 Digital Experience | 2024-11-21 | 6.1 Medium |
| In Digital Experience 8.5, 9.0, and 9.5, WSRP consumer is vulnerable to cross-site scripting (XSS). | ||||
| CVE-2020-4080 | 1 Hcltech | 1 Domino | 2024-11-21 | 6.1 Medium |
| HCL Verse v10 and v11 are susceptible to a Stored Cross-Site Scripting (XSS) vulnerability due to improper handling of message content. An unauthenticated remote attacker could exploit this vulnerability using specially-crafted markup to execute script in a victim's web browser within the security context of the hosting Web site and/or steal the victim's cookie-based authentication credentials. | ||||
| CVE-2020-4079 | 1 Combodo | 1 Itop | 2024-11-21 | 7.7 High |
| Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 2.8.0, when the ajax endpoint for the "excel export" portal functionality is called directly it allows getting data without scope filtering. This allows a user to access data which they should not have access to. This is fixed in versions 2.7.2 and 3.0.0. | ||||
| CVE-2020-4077 | 1 Electronjs | 1 Electron | 2024-11-21 | 7.7 High |
| In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both `contextIsolation` and `contextBridge` are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4. | ||||
| CVE-2020-4076 | 1 Electronjs | 1 Electron | 2024-11-21 | 7.8 High |
| In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4. | ||||
| CVE-2020-4075 | 1 Electronjs | 1 Electron | 2024-11-21 | 6.8 Medium |
| In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling `event.preventDefault()` on all new-window events where the `url` or `options` is not something you expect. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4. | ||||
| CVE-2020-4074 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 8.9 High |
| In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, the authentication system is malformed and an attacker is able to forge requests and execute admin commands. The problem is fixed in 1.7.6.6. | ||||
| CVE-2020-4072 | 1 Jhipster | 1 Generator-jhipster-kotlin | 2024-11-21 | 5.3 Medium |
| In generator-jhipster-kotlin version 1.6.0 log entries are created for invalid password reset attempts. As the email is provided by a user and the api is public this can be used by an attacker to forge log entries. This is vulnerable to the weakness described at https://cwe.mitre.org/data/definitions/117.html. This problem affects only applications generated with jwt or session authentication. Applications using oauth are not vulnerable. This issue has been fixed in version 1.7.0. | ||||
| CVE-2020-4071 | 1 Django-basic-auth-ip-whitelist Project | 1 Django-basic-auth-ip-whitelist | 2024-11-21 | 2.2 Low |
| In django-basic-auth-ip-whitelist before 0.3.4, a potential timing attack exists on websites where the basic authentication is used or configured, i.e. BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD are set. Currently the string comparison between configured credentials and the ones provided by users is performed through a character-by-character string comparison. This enables a possibility that an attacker may measure the time it takes the server to validate different usernames and passwords, and use this knowledge to work out the valid credentials. This attack is understood not to be realistic over the Internet. However, it may be achieved from within local networks where the website is hosted, e.g. from inside a data centre where a website's server is located. Sites protected by IP address whitelisting only are unaffected by this vulnerability. This vulnerability has been fixed in version 0.3.4 of django-basic-auth-ip-whitelist. Update to version 0.3.4 as soon as possible and change the basic authentication username and password configured on a Django project using this package. A workaround without upgrading to version 0.3.4 is to stop using basic authentication and use the IP whitelisting component only. It can be achieved by not setting BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD in Django project settings. | ||||
| CVE-2020-4070 | 1 W3c | 1 Css Validator | 2024-11-21 | 4.6 Medium |
| In CSS Validator less than or equal to commit 54d68a1, there is a cross-site scripting vulnerability in handling URIs. A user would have to click on a specifically crafted validator link to trigger it. This has been patched in commit e5c09a9. | ||||