Showing topics marked with the following tags:

(10 of 135)

Sort by:
Attacker Value
Very High

CVE-2020-10224

Disclosure Date: March 08, 2020 (last updated March 10, 2020)
An unauthenticated file upload vulnerability has been identified in admin_add.php in PHPGurukul Online Book Store 1.0. The vulnerability could be exploited by an unauthenticated remote attacker to upload content to the server, including PHP files, which could result in command execution.
Attack Vector: Network
0
Attacker Value
High

CVE-2019-5021

Disclosure Date: May 08, 2019 (last updated February 13, 2020)
Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the `root` user. This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the `root` user.
0
Attacker Value
Very High

Junos Space: Malicious HTTP packets sent to Junos Space allow an attacker to vi…

Disclosure Date: January 15, 2020 (last updated March 10, 2020)
A Local File Inclusion vulnerability in Juniper Networks Junos Space allows an attacker to view all files on the target when the device receives malicious HTTP packets. This issue affects: Juniper Networks Junos Space versions prior to 19.4R1.
Attack Vector: Network
0
Attacker Value
Moderate

CVE-2017-6529

Disclosure Date: March 09, 2017 (last updated March 10, 2020)
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to session hijacking by guessing the UID parameter.
Attack Vector: Network
0
Attacker Value
High

CVE-2019-17388

Disclosure Date: March 28, 2019 (last updated March 10, 2020)
Weak file permissions applied to the Aviatrix VPN Client through 2.2.10 installation directory on Windows and Linux allow a local attacker to execute arbitrary code by gaining elevated privileges through file modifications.
Attack Vector: Local
0
Attacker Value
Low

CVE-2020-9339

Disclosure Date: February 22, 2020 (last updated March 10, 2020)
SOPlanning 1.45 allows XSS via the Name or Comment to status.php.
Attack Vector: Network
0
Attacker Value
Very High

CVE-2013-3018

Disclosure Date: May 24, 2018 (last updated March 10, 2020)
The AXIS webapp in deploy-tomcat/axis in IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.1.2 and 7.2.0 through 7.2.1.4 allows remote attackers to obtain sensitive configuration information via a direct request, as demonstrated by happyaxis.jsp. IBM X-Force ID: 84354.
Attack Vector: Network
0
Attacker Value
Moderate
The windows task scheduler allows a split token administrator to register a task which runs as a batch job from a limited privilege context. This doesn't require a user's password to accomplish as the task will be run non-interactively and so doesn't need access to the password in order to access remote resources. Due to the way that batch logons work in the latest versions of Windows for a split token admin user this actually creates the fully privileged token to execute the task under.
Utility Class: Privilege Escalation
0
Attacker Value
High

CVE-2019-9627

Disclosure Date: March 08, 2019 (last updated March 10, 2020)
A buffer overflow in the kernel driver CybKernelTracker.sys in CyberArk Endpoint Privilege Manager versions prior to 10.7 allows an attacker (without Administrator privileges) to escalate privileges or crash the machine by loading an image, such as a DLL, with a long path.
Attack Vector: Local
0
Attacker Value
Very High

CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection Vulnerability

Disclosure Date: April 27, 2020 (last updated May 02, 2020)
A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords)
Attack Vector: Network
1