Export limit exceeded: 367102 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 367102 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (367102 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2020-7767 1 Express-validators Project 1 Express-validators 2024-11-21 5.3 Medium
All versions of package express-validators are vulnerable to Regular Expression Denial of Service (ReDoS) when validating specifically-crafted invalid urls.
CVE-2020-7766 1 Json-ptr Project 1 Json-ptr 2024-11-21 7.3 High
This affects all versions of package json-ptr. The issue occurs in the set operation (https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution.
CVE-2020-7765 1 Google 1 Firebase\/util 2024-11-21 5.6 Medium
This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.
CVE-2020-7764 1 Find-my-way Project 1 Find-my-way 2024-11-21 5.9 Medium
This affects the package find-my-way before 2.2.5, from 3.0.0 and before 3.0.5. It accepts the Accept-Version' header by default, and if versioned routes are not being used, this could lead to a denial of service. Accept-Version can be used as an unkeyed header in a cache poisoning attack.
CVE-2020-7763 1 Jsreport 1 Phantom-html-to-pdf 2024-11-21 7.5 High
This affects the package phantom-html-to-pdf before 0.6.1.
CVE-2020-7762 1 Jsreport 1 Jsreport-chrome-pdf 2024-11-21 6.5 Medium
This affects the package jsreport-chrome-pdf before 1.10.0.
CVE-2020-7761 1 Absolunet 1 Kafe 2024-11-21 5.3 Medium
This affects the package @absolunet/kafe before 3.2.10. It allows cause a denial of service when validating crafted invalid emails.
CVE-2020-7760 2 Codemirror, Oracle 6 Codemirror, Application Express, Enterprise Manager Express User Interface and 3 more 2024-11-21 5.3 Medium
This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/*.*?*/)*
CVE-2020-7759 1 Pimcore 1 Pimcore 2024-11-21 6.5 Medium
The package pimcore/pimcore from 6.7.2 and before 6.8.3 are vulnerable to SQL Injection in data classification functionality in ClassificationstoreController. This can be exploited by sending a specifically-crafted input in the relationIds parameter as demonstrated by the following request: http://vulnerable.pimcore.example/admin/classificationstore/relations?relationIds=[{"keyId"%3a"''","groupId"%3a"'asd'))+or+1%3d1+union+(select+1,2,3,4,5,6,name,8,password,'',11,12,'',14+from+users)+--+"}]
CVE-2020-7758 1 Browserless 1 Chrome 2024-11-21 7.5 High
This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server.
CVE-2020-7757 1 Droppy Project 1 Droppy 2024-11-21 6.5 Medium
This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server.
CVE-2020-7754 2 Npmjs, Redhat 3 Npm-user-validate, Enterprise Linux, Rhel Software Collections 2024-11-21 7.5 High
This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
CVE-2020-7753 1 Trim Project 1 Trim 2024-11-21 7.5 High
All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().
CVE-2020-7752 1 Systeminformation 1 Systeminformation 2024-11-21 8.8 High
This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.
CVE-2020-7751 1 Chaijis 1 Pathval 2024-11-21 6 Medium
pathval before version 1.1.1 is vulnerable to prototype pollution.
CVE-2020-7750 1 Mit 1 Scratch-svg-renderer 2024-11-21 9.6 Critical
This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.
CVE-2020-7749 1 Osm-static-maps Project 1 Osm-static-maps 2024-11-21 7.6 High
This affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping ({{{ ... }}}). As such, it is possible for an attacker to inject arbitrary HTML/JS code and depending on the context. It will be outputted as an HTML on the page which gives opportunity for XSS or rendered on the server (puppeteer) which also gives opportunity for SSRF and Local File Read.
CVE-2020-7748 1 Ts.ed Project 1 Ts.ed 2024-11-21 5.6 Medium
This affects the package @tsed/core before 5.65.7. This vulnerability relates to the deepExtend function which is used as part of the utils directory. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.
CVE-2020-7747 1 Lightning-viz 1 Lightning 2024-11-21 6.3 Medium
This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller.
CVE-2020-7746 2 Chartjs, Redhat 2 Chart.js, Jboss Enterprise Bpms Platform 2024-11-21 7.5 High
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.