Search Results
- CVSS Version: 3
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2021-21491 | SAP Netweaver Application Server Java (Applications based on WebDynpro Java) versions 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allow an attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities. Published: March 10, 2021; 10:15:12 AM -0500 | V3.1: 6.1 MEDIUM V2.0: 5.8 MEDIUM |
CVE-2020-5016 | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. When application security is disabled and JAX-RPC applications are present, an attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary xml files on the system. This does not occur if Application security is enabled. IBM X-Force ID: 193556. Published: March 10, 2021; 10:15:12 AM -0500 | V3.1: 6.5 MEDIUM V2.0: 3.5 LOW |
CVE-2020-4717 | A vulnerability exists in IBM SPSS Modeler Subscription Installer that allows a user with create symbolic link permission to write an arbitrary file in another protected path during product installation. IBM X-Force ID: 187727. Published: March 10, 2021; 10:15:12 AM -0500 | V3.1: 5.5 MEDIUM V2.0: 2.1 LOW |
CVE-2020-35752 | Baby Care System 1.0 is affected by a cross-site scripting (XSS) vulnerability in the Edit Page tab through the Post title parameter. Published: March 10, 2021; 10:15:12 AM -0500 | V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2021-3224 | A stored cross-site scripting (XSS) vulnerability in cszcms 1.2.9 exists in /admin/pages/new via the content parameter. Published: March 10, 2021; 9:15:12 AM -0500 | V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2020-28705 | FUEL CMS 1.4.13 contains a cross-site request forgery (CSRF) vulnerability that can delete a page via a post ID to /pages/delete/3. Published: March 10, 2021; 9:15:12 AM -0500 | V3.1: 4.3 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2020-24791 | FUEL CMS 1.4.8 allows SQL injection via the 'fuel_replace_id' parameter in pages/replace/1. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Published: March 10, 2021; 9:15:12 AM -0500 | V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2020-23722 | An issue was discovered in FUEL CMS 1.4.7. There is an escalation of privilege vulnerability to obtain super admin privilege via the "id" and "fuel_id" parameters. Published: March 10, 2021; 9:15:12 AM -0500 | V3.1: 8.8 HIGH V2.0: 6.5 MEDIUM |
CVE-2020-23721 | An issue was discovered in FUEL CMS V1.4.7. An attacker can use an XSS payload and bypass a filter via /fuelCM/fuel/pages/edit/1?lang=english. Published: March 10, 2021; 9:15:12 AM -0500 | V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2021-28007 | Web Based Quiz System 1.0 is affected by cross-site scripting (XSS) in register.php through the name parameter. Published: March 10, 2021; 8:15:12 AM -0500 | V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2021-20673 | Stored cross-site scripting vulnerability in Admin Page of GROWI (v4.2 Series) versions from v4.2.0 to v4.2.7 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors. Published: March 10, 2021; 5:15:13 AM -0500 | V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2021-20672 | Reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters in GROWI (v4.2 Series) versions from v4.2.0 to v4.2.7 allows remote attackers to inject an arbitrary script via unspecified vectors. Published: March 10, 2021; 5:15:12 AM -0500 | V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2021-20671 | Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative privilege to overwrite the files on the server, which may lead to arbitrary code execution. Published: March 10, 2021; 5:15:12 AM -0500 | V3.1: 7.2 HIGH V2.0: 6.5 MEDIUM |
CVE-2021-20670 | Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to read the user's personal information and/or server's internal information via unspecified vectors. Published: March 10, 2021; 5:15:12 AM -0500 | V3.1: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2021-20669 | Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read and/or delete an arbitrary path via a specially crafted URL. Published: March 10, 2021; 5:15:12 AM -0500 | V3.1: 4.7 MEDIUM V2.0: 6.5 MEDIUM |
CVE-2021-20668 | Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read an arbitrary path via a specially crafted URL. Published: March 10, 2021; 5:15:12 AM -0500 | V3.1: 2.7 LOW V2.0: 4.0 MEDIUM |
CVE-2021-20667 | Stored cross-site scripting vulnerability due to inadequate CSP (Content Security Policy) configuration in GROWI versions v4.2.2 and earlier allows remote authenticated attackers to inject an arbitrary script via specially crafted content. Published: March 10, 2021; 5:15:12 AM -0500 | V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2020-13959 | The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks. Published: March 10, 2021; 3:15:14 AM -0500 | V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2020-13936 | An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2. Published: March 10, 2021; 3:15:14 AM -0500 | V3.1: 8.8 HIGH V2.0: 9.0 HIGH |
CVE-2021-3310 | Western Digital My Cloud OS 5 devices before 5.10.122 mishandle Symbolic Link Following on SMB and AFP shares. This can lead to code execution and information disclosure (by reading local files). Published: March 10, 2021; 12:15:13 AM -0500 | V3.1: 7.8 HIGH V2.0: 4.6 MEDIUM |