Export limit exceeded: 366864 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (366864 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-7704 | 1 Linux-cmdline Project | 1 Linux-cmdline | 2024-11-21 | 9.8 Critical |
| The package linux-cmdline before 1.0.1 are vulnerable to Prototype Pollution via the constructor. | ||||
| CVE-2020-7703 | 1 Nis-utils Project | 1 Nis-utils | 2024-11-21 | 9.8 Critical |
| All versions of package nis-utils are vulnerable to Prototype Pollution via the setValue function. | ||||
| CVE-2020-7702 | 1 Templ8 Project | 1 Templ8 | 2024-11-21 | 9.8 Critical |
| All versions of package templ8 are vulnerable to Prototype Pollution via the parse function. | ||||
| CVE-2020-7701 | 1 Springtree | 1 Madlib-object-utils | 2024-11-21 | 9.8 Critical |
| madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue. | ||||
| CVE-2020-7700 | 1 Php.js Project | 1 Php.js | 2024-11-21 | 9.8 Critical |
| All versions of phpjs are vulnerable to Prototype Pollution via parse_str. | ||||
| CVE-2020-7699 | 2 Express-fileupload Project, Netapp | 2 Express-fileupload, Max Data | 2024-11-21 | 7.5 High |
| This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution. | ||||
| CVE-2020-7698 | 1 Gerapy | 1 Gerapy | 2024-11-21 | 8.1 High |
| This affects the package Gerapy from 0 and before 0.9.3. The input being passed to Popen, via the project_configure endpoint, isn’t being sanitized. | ||||
| CVE-2020-7697 | 1 Mock2easy Project | 1 Mock2easy | 2024-11-21 | 9.8 Critical |
| This affects all versions of package mock2easy. a malicious user could inject commands through the _data variable: Affected Area require('../server/getJsonByCurl')(mock2easy, function (error, stdout) { if (error) { return res.json(500, error); } res.json(JSON.parse(stdout)); }, '', _data.interfaceUrl, query, _data.cookie,_data.interfaceType); | ||||
| CVE-2020-7696 | 1 React-native-fast-image Project | 1 React-native-fast-image | 2024-11-21 | 5.3 Medium |
| This affects all versions of package react-native-fast-image. When an image with source={{uri: "...", headers: { host: "somehost.com", authorization: "..." }} is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session tokens being leaked to other servers. | ||||
| CVE-2020-7695 | 1 Encode | 1 Uvicorn | 2024-11-21 | 5.3 Medium |
| Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers. | ||||
| CVE-2020-7694 | 1 Encode | 1 Uvicorn | 2024-11-21 | 3.7 Low |
| This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file). | ||||
| CVE-2020-7693 | 1 Sockjs Project | 1 Sockjs | 2024-11-21 | 5.3 Medium |
| Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20. | ||||
| CVE-2020-7692 | 2 Google, Redhat | 3 Oauth Client Library For Java, Ocp Tools, Openshift | 2024-11-21 | 7.4 High |
| PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0. | ||||
| CVE-2020-7691 | 1 Parall | 1 Jspdf | 2024-11-21 | 6.3 Medium |
| In all versions of the package jspdf, it is possible to use <<script>script> in order to go over the filtering regex. | ||||
| CVE-2020-7690 | 1 Parall | 1 Jspdf | 2024-11-21 | 6.1 Medium |
| All affected versions <2.0.0 of package jspdf are vulnerable to Cross-site Scripting (XSS). It is possible to inject JavaScript code via the html method. | ||||
| CVE-2020-7689 | 1 Node.bcrypt.js Project | 1 Node.bcrypt.js | 2024-11-21 | 5.9 Medium |
| Data is truncated wrong when its length is greater than 255 bytes. | ||||
| CVE-2020-7688 | 1 Mversion Project | 1 Mversion | 2024-11-21 | 8.4 High |
| The issue occurs because tagName user input is formatted inside the exec function is executed without any checks. | ||||
| CVE-2020-7687 | 1 Fast-http Project | 1 Fast-http | 2024-11-21 | 7.5 High |
| This affects all versions of package fast-http. There is no path sanitization in the path provided at fs.readFile in index.js. | ||||
| CVE-2020-7686 | 1 Rollup-plugin-dev-server Project | 1 Rollup-plugin-dev-server | 2024-11-21 | 7.5 High |
| This affects all versions of package rollup-plugin-dev-server. There is no path sanitization in readFile operation inside the readFileFromContentBase function. | ||||
| CVE-2020-7685 | 1 Umbraco | 1 Umbraco Forms | 2024-11-21 | 5.4 Medium |
| This affects all versions of package UmbracoForms. When using the default configuration for upload forms, it is possible to upload arbitrary file types. The package offers a way for users to mitigate the issue. The users of this package can create a custom workflow and frontend validation that blocks certain file types, depending on their security needs and policies. | ||||