2021-02-15
2021-02-15 13:15Z
HIGH

CVE-2021-25296 — Nagios Nagios_xi: XI version xi-5.7.5 is affected by OS command injection.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-25296in the wild

Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server. CVSSv3.1 8.8 (HIGH) · EPSS 99th percentile

VNDNagiosTYPVulnerabilitySTAitw exploited
8.8
CVSS v3.1
100
Edit Score
2021-02-09
2021-02-09 17:15Z
CRIT

CVE-2020-15798 — Siemens Simatic_hmi_comfort_panels_firmware: This could allow a remote attacker to gain full access to the device.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-15798

A vulnerability has been identified in SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions < V16 Update 3a), SIMATIC HMI KTP Mobile Panels (All versions < V16 Update 3a), SINAMICS GH150 (All versions), SINAMICS GL150 (with option X30) (All versions), SINAMICS GM150 (with option X30) (All versions), SINAMICS SH150 (All versions), SINAMICS SL150 (All versions), SINAMICS SM120 (All versions), SINAMICS SM150 (All versions), SINAMICS SM150i (All versions). Affected de CVSSv3.1 9.8 (CRITICAL) · EPSS 82th percentile

CWECWE 306VNDSiemensTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2021-01-21
2021-01-21 17:15Z
MED

CVE-2020-8554 — Kubernetes Kubernetes: API server in all versions allow an attacker who is able to create

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-8554

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect. CVSSv3.1 6.3 (MEDIUM) · EPSS 96th percentile

CWECWE 283VNDOracleVNDKubernetesTYPVulnerability
6.3
CVSS v3.1
89
Edit Score
2021-01-19
2021-01-19 16:15Z
CRIT

CVE-2021-25323 — Misp-project Misp: The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-25323

The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password. CVSSv3.1 9.1 (CRITICAL)

CWECWE 640VNDMispVNDMisp ProjectTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2021-01-11
2021-01-11 15:15Z
HIGH

CVE-2020-23630 — Zzcms Zzcms: A blind SQL injection vulnerability exists in zzcms ver201910 based on time (cookie injection).

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-23630

A blind SQL injection vulnerability exists in zzcms ver201910 based on time (cookie injection). CVSSv3.1 8.8 (HIGH) · EPSS 66th percentile

CWECWE 89VNDZzcmsTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2021-01-07
2021-01-07 00:15Z
HIGH

CVE-2020-36183 — Fasterxml Jackson-databind: 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-36183

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. CVSSv3.1 8.1 (HIGH) · EPSS 84th percentile

CWECWE 502VNDNetappVNDFasterxmlTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2021-01-06
2021-01-06 15:15Z
CRIT

CVE-2020-27285 — Redlion Crimson: The default configuration of Crimson 3.1 (Build versions prior to 3119.001) allows a user

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-27285

The default configuration of Crimson 3.1 (Build versions prior to 3119.001) allows a user to be able to read and modify the database without authentication. CVSSv3.1 9.1 (CRITICAL) · EPSS 40th percentile

CWECWE 306VNDRedlionVNDCrimsonTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
728 × 90 / responsive · programmatic ad slot
2020-12-27
2020-12-27 05:15Z
HIGH

CVE-2020-35728 — Fasterxml Jackson-databind: 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-35728

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). CVSSv3.1 8.1 (HIGH) · EPSS 97th percentile

CWECWE 502VNDOracleVNDNetappVNDFasterxmlTYPVulnerability
8.1
CVSS v3.1
100
Edit Score
2020-12-24
2020-12-24 15:15Z
HIGH

CVE-2020-29189 — Terra-master Tos: Incorrect Access Control vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated attackers to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-29189

Incorrect Access Control vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated attackers to bypass read-only restriction and obtain full access to any folder within the NAS CVSSv3.1 8.1 (HIGH) · EPSS 66th percentile

VNDTerra MasterTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2020-12-21
2020-12-21 15:15Z
CRIT

CVE-2020-35276 — Egavilanmedia Ecm_address_book: ECM Address Book 1.0 is affected by SQL injection.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-35276

EgavilanMedia ECM Address Book 1.0 is affected by SQL injection. An attacker can bypass the Admin Login panel through SQLi and get Admin access and add or remove any user. CVSSv3.1 9.8 (CRITICAL) · EPSS 75th percentile

CWECWE 89VNDEgavilanmediaTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2020-12-21
2020-12-21 15:15Z
HIGH

CVE-2020-35273 — Egavilanmedia User_registration_\&_login_system_with_admin_panel: User Registration & Login System with Admin Panel 1.0 is affected by Cross

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-35273

EgavilanMedia User Registration & Login System with Admin Panel 1.0 is affected by Cross Site Request Forgery (CSRF) to remotely gain privileges in the User Profile panel. An attacker can update any user's account. CVSSv3.1 8.0 (HIGH) · EPSS 44th percentile

CWECWE 352VNDEgavilanmediaTYPVulnerability
8.0
CVSS v3.1
90
Edit Score
2020-12-14
2020-12-14 20:15Z
HIGH

CVE-2020-28860 — Openasset Digital_asset_management: OpenAssetDigital Asset Management (DAM) through 12.0.19 does not correctly sanitize user supplied input, incorporating

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-28860

OpenAssetDigital Asset Management (DAM) through 12.0.19 does not correctly sanitize user supplied input, incorporating it into its SQL queries, allowing for authenticated blind SQL injection. CVSSv3.1 8.8 (HIGH) · EPSS 80th percentile

CWECWE 89VNDOpenassetVNDOpenassetdigitalTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2020-12-14
2020-12-14 19:15Z
HIGH

CVE-2020-28858 — Openasset Digital_asset_management: Digital Asset Management (DAM) through 12.0.19 does not correctly verify whether a request

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-28858

OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly verify whether a request made to the application was intentionally made by the user, allowing for cross-site request forgery attacks on all user functions. CVSSv3.1 8.8 (HIGH) · EPSS 60th percentile

CWECWE 352VNDOpenassetTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2020-11-27
2020-11-27 18:15Z
HIGH

CVE-2017-15685 — Craftercms Crafter_cms: Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE).

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-15685

Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). An unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band. CVSSv3.1 8.6 (HIGH) · EPSS 74th percentile

CWECWE 91VNDCraftercmsVNDCrafterTYPVulnerability
8.6
CVSS v3.1
94
Edit Score
2020-11-27
2020-11-27 18:15Z
HIGH

CVE-2017-15683 — Craftercms Crafter_cms: In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-15683

In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band. CVSSv3.1 8.6 (HIGH) · EPSS 72th percentile

CWECWE 91VNDCraftercmsVNDCrafterTYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2020-11-27
2020-11-27 18:15Z
CRIT

CVE-2017-15681 — Craftercms Crafter_cms: In Crafter CMS Crafter Studio 3.0.1 a directory traversal vulnerability exists which allows unauthenticated

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-15681

In Crafter CMS Crafter Studio 3.0.1 a directory traversal vulnerability exists which allows unauthenticated attackers to overwrite files from the operating system which can lead to RCE. CVSSv3.1 9.8 (CRITICAL) · EPSS 79th percentile

CWECWE 22VNDCraftercmsVNDCrafterTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2020-11-24
2020-11-24 15:15Z
CRIT

CVE-2020-29006 — Misp-project Misp: before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-29006

MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php. CVSSv3.1 9.8 (CRITICAL) · EPSS 65th percentile

CWECWE 862VNDMispVNDMisp ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2020-11-23
2020-11-23 14:43Z
HIGH

impacket 0.9.22

Impacket releases·github.com

Impacket 0.9.22 released with significant offensive capabilities including RPC over HTTP v2 protocol support, MS-NSPI/MS-OXNSPI implementations, and enhanced NTLM relay tooling. Key additions include Zerologon DCSync relay client, WCFRelayServer, RPC relay support in ntlmrelayx.py, and new tools (exchanger.py, rpcmap.py) for Exchange and RPC interface enumeration.

SRFNetworkTACTA0006SRFIdentityTACTA0008TACTA0011VNDImpacketTYPToolSTGCred Access
78
Edit Score
2020-11-18
2020-11-18 14:15Z
HIGH

CVE-2020-7564 — Schneider-electric Modicon_tsxety4103_firmware: A CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-7564

A CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause write access and the execution of commands when uploading a specially crafted file on the controller over FTP. CVSSv3.1 8.8 (HIGH) · EPSS 79th percentile

CWECWE 120VNDSchneider ElectricVNDCweTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2020-11-18
2020-11-18 14:15Z
HIGH

CVE-2020-7563 — Schneider-electric Modicon_tsxety4103_firmware: A CWE-787: Out-of-bounds Write vulnerability exists in the Web Server on Modicon M340, Modicon

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-7563

A CWE-787: Out-of-bounds Write vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause corruption of data, a crash, or code execution when uploading a specially crafted file on the controller over FTP. CVSSv3.1 8.8 (HIGH) · EPSS 78th percentile

CWECWE 787VNDSchneider ElectricVNDCweTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2020-11-18
2020-11-18 14:15Z
HIGH

CVE-2020-7562 — Schneider-electric Modicon_tsxety4103_firmware: A CWE-125: Out-of-Bounds Read vulnerability exists in the Web Server on Modicon M340, Modicon

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-7562

A CWE-125: Out-of-Bounds Read vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause a segmentation fault or a buffer overflow when uploading a specially crafted file on the controller over FTP. CVSSv3.1 8.1 (HIGH) · EPSS 67th percentile

CWECWE 125VNDSchneider ElectricVNDCweTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2020-11-12
2020-11-12 18:15Z
CRIT

CVE-2020-28271 — Sharpred Deephas: Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-28271

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution. CVSSv3.1 9.8 (CRITICAL) · EPSS 86th percentile

CWECWE 1321VNDSharpredVNDPrototypeTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2020-11-02
2020-11-02 21:15Z
CRIT

CVE-2020-24881 — Enhancesoft Osticket: SSRF exists in osTicket before 1.14.3, where an attacker can add malicious file to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-24881

SSRF exists in osTicket before 1.14.3, where an attacker can add malicious file to server or perform port scanning. CVSSv3.1 9.8 (CRITICAL) · EPSS 99th percentile

CWECWE 918VNDSsrfVNDEnhancesoftTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2020-10-23
2020-10-23 15:15Z
CRIT

CVE-2020-25466 — Crmeb Crmeb: A SSRF vulnerability exists in the downloadimage interface of CRMEB 3.0, which can remotely

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-25466

A SSRF vulnerability exists in the downloadimage interface of CRMEB 3.0, which can remotely download arbitrary files on the server and remotely execute arbitrary code. CVSSv3.1 9.8 (CRITICAL) · EPSS 86th percentile

CWECWE 918VNDSsrfVNDCrmebTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2020-10-12
2020-10-12 14:15Z
CRIT

CVE-2020-26867 — Arcinformatique Pcvue: ARC Informatique PcVue prior to version 12.0.17 is vulnerable due to the deserialization of

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-26867

ARC Informatique PcVue prior to version 12.0.17 is vulnerable due to the deserialization of untrusted data, which may allow an attacker to remotely execute arbitrary code on the web and mobile back-end server. CVSSv3.1 9.8 (CRITICAL) · EPSS 88th percentile

CWECWE 502VNDArcinformatiqueVNDArcTYPVulnerability
9.8
CVSS v3.1
100
Edit Score