Export limit exceeded: 367003 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (367003 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-7662 | 2 Redhat, Websocket-extensions Project | 3 Openshift, Service Mesh, Websocket-extensions | 2024-11-21 | 7.5 High |
| websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header. | ||||
| CVE-2020-7661 | 1 Url-regex Project | 1 Url-regex | 2024-11-21 | 7.5 High |
| all versions of url-regex are vulnerable to Regular Expression Denial of Service. An attacker providing a very long string in String.test can cause a Denial of Service. | ||||
| CVE-2020-7660 | 2 Redhat, Verizon | 2 Service Mesh, Serialize-javascript | 2024-11-21 | 8.1 High |
| serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js". | ||||
| CVE-2020-7659 | 1 Celluloid | 1 Reel | 2024-11-21 | 7.5 High |
| reel through 0.6.1 allows Request Smuggling attacks due to incorrect Content-Length and Transfer encoding header parsing. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer Encoding headers were found to be parsed as valid which could be leveraged for TE:CL smuggling attacks. Note: This project is deprecated, and is not maintained any more. | ||||
| CVE-2020-7658 | 1 Meinheld | 1 Meinheld | 2024-11-21 | 6.1 Medium |
| meinheld prior to 1.0.2 is vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Content-Length and Transfer encoding header parsing. | ||||
| CVE-2020-7656 | 5 Jquery, Juniper, Netapp and 2 more | 9 Jquery, Junos, Active Iq Unified Manager and 6 more | 2024-11-21 | 6.1 Medium |
| jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed. | ||||
| CVE-2020-7655 | 1 Hive | 1 Netius | 2024-11-21 | 6.1 Medium |
| netius prior to 1.17.58 is vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Transfer encoding header parsing which could allow for CL:TE or TE:TE attacks. | ||||
| CVE-2020-7654 | 1 Synk | 1 Broker | 2024-11-21 | 7.5 High |
| All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG. | ||||
| CVE-2020-7653 | 1 Synk | 1 Broker | 2024-11-21 | 6.5 Medium |
| All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network by creating symlinks to match whitelisted paths. | ||||
| CVE-2020-7652 | 1 Synk | 1 Broker | 2024-11-21 | 6.5 Medium |
| All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network via directory traversal. | ||||
| CVE-2020-7651 | 1 Synk | 1 Broker | 2024-11-21 | 4.3 Medium |
| All versions of snyk-broker before 4.79.0 are vulnerable to Arbitrary File Read. It allows partial file reads for users who have access to Snyk's internal network via patch history from GitHub Commits API. | ||||
| CVE-2020-7650 | 1 Synk | 1 Broker | 2024-11-21 | 6.5 Medium |
| All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json. | ||||
| CVE-2020-7649 | 1 Snyk | 1 Broker | 2024-11-21 | 4.9 Medium |
| This affects the package snyk-broker before 4.73.0. It allows arbitrary file reads for users with access to Snyk's internal network via directory traversal. | ||||
| CVE-2020-7648 | 1 Synk | 1 Broker | 2024-11-21 | 6.5 Medium |
| All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json` | ||||
| CVE-2020-7647 | 1 Jooby | 1 Jooby | 2024-11-21 | 5.3 Medium |
| All versions before 1.6.7 and all versions after 2.0.0 inclusive and before 2.8.2 of io.jooby:jooby and org.jooby:jooby are vulnerable to Directory Traversal via two separate vectors. | ||||
| CVE-2020-7646 | 1 Curlrequest Project | 1 Curlrequest | 2024-11-21 | 9.8 Critical |
| curlrequest through 1.0.1 allows reading any file by populating the file parameter with user input. | ||||
| CVE-2020-7645 | 1 Google | 1 Chrome-launcher | 2024-11-21 | 9.8 Critical |
| All versions of chrome-launcher allow execution of arbitrary commands, by controlling the $HOME environment variable in Linux operating systems. | ||||
| CVE-2020-7644 | 1 Fun-map Project | 1 Fun-map | 2024-11-21 | 8.1 High |
| fun-map through 3.3.1 is vulnerable to Prototype Pollution. The function assocInM could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload. | ||||
| CVE-2020-7643 | 1 Idea | 1 Paypal-adaptive | 2024-11-21 | 5.3 Medium |
| paypal-adaptive through 0.4.2 manipulation of JavaScript objects resulting in Prototype Pollution. The PayPal function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. | ||||
| CVE-2020-7642 | 1 Lazysizes Project | 1 Lazysizes | 2024-11-21 | 5.4 Medium |
| lazysizes through 5.2.0 allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams which can be abused to inject malicious JavaScript. | ||||