Topics

Attacker Value
Very High

CVE-2020-5902

Last updated July 05, 2020
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
Utility Class: RCE
5
Attacker Value
High

Total.js requestcontinue Directory Traversal Vulnerability

Disclosure Date: February 18, 2019 (last updated November 13, 2019)
Total.js is prone to a directory traversal vulnerability. Attackers can exploit this issue and read files remotely.
1
Attacker Value
Moderate

CVE-2019-8903

Last updated October 30, 2019
index.js in Total.js Platform before 3.2.3 allows path traversal.
1
Attacker Value
Very High

CVE-2020-7961

Disclosure Date: March 20, 2020 (last updated June 30, 2020)
Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
Attack Vector: Network
2
Attacker Value
Unknown

CVE-2019-9082

Disclosure Date: February 24, 2019 (last updated June 30, 2020)
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
Attack Vector: Network
1
Attacker Value
Moderate

CVE-2020-5284

Disclosure Date: March 30, 2020 (last updated June 05, 2020)
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.
Attack Vector: Network
1
Attacker Value
Unknown

CVE-2020-12116

Disclosure Date: May 07, 2020 (last updated June 05, 2020)
Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.
Attack Vector: Network
1
Attacker Value
Very High

CVE-2020-5410

Disclosure Date: June 01, 2020 (last updated June 05, 2020)
Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.
Attack Vector: Network
1
Attacker Value
High

CVE-2020-9757

Disclosure Date: March 04, 2020 (last updated June 05, 2020)
The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.
Attack Vector: Network
1
Attacker Value
Moderate

CVE-2020-8091

Disclosure Date: January 27, 2020 (last updated June 05, 2020)
svg.swf in TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. This may be at a contrib/websvg/svg.swf pathname.
Attack Vector: Network
1