Show filters

Showing topic results for "":

(11-20 of 48056)

Maximum of 10,000 topics displayable. Please refine your search.
Sort by:
Attacker Value
Very High

CVE-2020-11651

Disclosure Date: April 30, 2020 (last updated August 28, 2020)
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
Attacker Value
Very High

CVE-2020-14882 — Unauthenticated RCE in Console component of Oracle WebLogic Se…

Disclosure Date: October 21, 2020 (last updated December 28, 2020)
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Attacker Value
Very High

VMware vSphere Client Unauth Remote Code Execution Vulnerability — CVE-2021-219…

Disclosure Date: February 24, 2021 (last updated March 05, 2021)
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
Attacker Value
Very High

CVE-2020-13379

Disclosure Date: June 03, 2020 (last updated August 03, 2020)
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault.
Attacker Value
Moderate

CVE-2020-10713 - BootHole

Disclosure Date: July 30, 2020 (last updated August 28, 2020)
A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Attacker Value
High

CVE-2020-0796 - SMBGhost

Disclosure Date: March 12, 2020 (last updated September 02, 2020)
This indicates an attack attempt to exploit a Buffer Overflow Vulnerability in Microsoft SMB Servers. The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application.
Attacker Value
Low

CVE-2021-1647 Microsoft Windows Defender Zero-Day Vulnerability

Disclosure Date: January 12, 2021 (last updated January 16, 2021)
CVE-2021-1647 is a zero-day remote code execution vulnerability in the Malware Protection Engine component (mpengine.dll) of Microsoft's Defender anti-virus product. It was published as part of the January 2021 Patch Tuesday release, along with a disclosure from Microsoft acknowledging that the vulnerability had been exploited in the wild. More information: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647
Attacker Value
Very High

CVE-2020-14871

Disclosure Date: October 21, 2020 (last updated November 05, 2020)
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Attacker Value
High

CVE-2020-3992 — ESXi OpenSLP remote code execution vulnerability

Disclosure Date: October 20, 2020 (last updated November 17, 2020)
OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution. **NOTE**: VMware issued a patch for the patch on 2020-11-04. The advisory URL — https://www.vmware.com/security/advisories/VMSA-2020-0023.html — did not change.
Attacker Value
Very High

CVE-2020-6287: Critical Vulnerability in SAP NetWeaver Application Server (AS) …

Disclosure Date: July 14, 2020 (last updated December 21, 2020)
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.