2020-11-18
2020-11-18 14:15Z
HIGH

CVE-2020-7563 — Schneider-electric Modicon_tsxety4103_firmware: A CWE-787: Out-of-bounds Write vulnerability exists in the Web Server on Modicon M340, Modicon

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-7563

A CWE-787: Out-of-bounds Write vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause corruption of data, a crash, or code execution when uploading a specially crafted file on the controller over FTP. CVSSv3.1 8.8 (HIGH) · EPSS 78th percentile

CWECWE 787VNDSchneider ElectricVNDCweTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2020-11-18
2020-11-18 14:15Z
HIGH

CVE-2020-7562 — Schneider-electric Modicon_tsxety4103_firmware: A CWE-125: Out-of-Bounds Read vulnerability exists in the Web Server on Modicon M340, Modicon

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-7562

A CWE-125: Out-of-Bounds Read vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) which could cause a segmentation fault or a buffer overflow when uploading a specially crafted file on the controller over FTP. CVSSv3.1 8.1 (HIGH) · EPSS 67th percentile

CWECWE 125VNDSchneider ElectricVNDCweTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2020-11-12
2020-11-12 18:15Z
CRIT

CVE-2020-28271 — Sharpred Deephas: Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-28271

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution. CVSSv3.1 9.8 (CRITICAL) · EPSS 86th percentile

CWECWE 1321VNDSharpredVNDPrototypeTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2020-11-02
2020-11-02 21:15Z
CRIT

CVE-2020-24881 — Enhancesoft Osticket: SSRF exists in osTicket before 1.14.3, where an attacker can add malicious file to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-24881

SSRF exists in osTicket before 1.14.3, where an attacker can add malicious file to server or perform port scanning. CVSSv3.1 9.8 (CRITICAL) · EPSS 99th percentile

CWECWE 918VNDSsrfVNDEnhancesoftTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2020-10-23
2020-10-23 15:15Z
CRIT

CVE-2020-25466 — Crmeb Crmeb: A SSRF vulnerability exists in the downloadimage interface of CRMEB 3.0, which can remotely

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-25466

A SSRF vulnerability exists in the downloadimage interface of CRMEB 3.0, which can remotely download arbitrary files on the server and remotely execute arbitrary code. CVSSv3.1 9.8 (CRITICAL) · EPSS 86th percentile

CWECWE 918VNDSsrfVNDCrmebTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2020-10-12
2020-10-12 14:15Z
CRIT

CVE-2020-26867 — Arcinformatique Pcvue: ARC Informatique PcVue prior to version 12.0.17 is vulnerable due to the deserialization of

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-26867

ARC Informatique PcVue prior to version 12.0.17 is vulnerable due to the deserialization of untrusted data, which may allow an attacker to remotely execute arbitrary code on the web and mobile back-end server. CVSSv3.1 9.8 (CRITICAL) · EPSS 88th percentile

CWECWE 502VNDArcinformatiqueVNDArcTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2020-09-30
2020-09-30 18:15Z
HIGH

CVE-2018-5354 — Anixis Password_reset_client: The custom GINA/CP module in ANIXIS Password Reset Client before version 3.22 allows remote

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2018-5354

The custom GINA/CP module in ANIXIS Password Reset Client before version 3.22 allows remote attackers to execute code and escalate privileges via spoofing. When the client is configured to use HTTP, it does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, CVSSv3.1 8.8 (HIGH) · EPSS 84th percentile

CWECWE 290VNDAnixisTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
728 × 90 / responsive · programmatic ad slot
2020-09-30
2020-09-30 18:15Z
CRIT

CVE-2018-5353 — Zohocorp Manageengine_adselfservice_plus: The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2018-5353

The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploit CVSSv3.1 9.8 (CRITICAL) · EPSS 94th percentile

CWECWE 290VNDZohoVNDZohocorpTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2020-09-22
2020-09-22 18:15Z
HIGH

CVE-2020-25514 — Simple_library_management_system_project Simple_library_management_system: Sourcecodester Simple Library Management System 1.0 is affected by Incorrect Access Control via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-25514

Sourcecodester Simple Library Management System 1.0 is affected by Incorrect Access Control via the Login Panel, http://<site>/lms/admin.php. CVSSv3.1 8.4 (HIGH) · EPSS 46th percentile

CWECWE 89VNDSourcecodesterVNDSimple Library Management System ProjectTYPVulnerability
8.4
CVSS v3.1
92
Edit Score
2020-09-15
2020-09-15 14:15Z
HIGH

CVE-2020-23451 — Spiceworks Spiceworks: Version <= 7.5.00107 is affected by CSRF which can lead to privilege escalation

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-23451

Spiceworks Version <= 7.5.00107 is affected by CSRF which can lead to privilege escalation via "/settings/v1/users" function. CVSSv3.1 8.8 (HIGH) · EPSS 44th percentile

CWECWE 352VNDSpiceworksTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2020-09-09
2020-09-09 19:15Z
CRIT

CVE-2020-15786 — Siemens Simatic_hmi_basic_panels_2nd_generation_firmware: This could allow a remote attacker to discover user passwords and obtain access to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-15786

A vulnerability has been identified in SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) (All versions < V16), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions <= V16), SIMATIC HMI Mobile Panels (All versions <= V16), SIMATIC HMI Unified Comfort Panels (All versions <= V16). Affected devices insufficiently block excessive authentication attempts. This could allow a remote attacker to discover user passwords and obtain access to the Sm@rt Server v CVSSv3.1 9.8 (CRITICAL) · EPSS 62th percentile

CWECWE 307VNDSiemensTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2020-09-03
2020-09-03 18:15Z
CRIT

CVE-2020-24193 — Daily_tracker_system_project Daily_tracker_system: A SQL injection vulnerability in login in Sourcecodetester Daily Tracker System 1.0 allows unauthenticated

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-24193

A SQL injection vulnerability in login in Sourcecodetester Daily Tracker System 1.0 allows unauthenticated user to execute authentication bypass with SQL injection via the email parameter. CVSSv3.1 9.8 (CRITICAL) · EPSS 84th percentile

CWECWE 89VNDDaily Tracker System ProjectTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2020-08-19
2020-08-19 14:15Z
HIGH

CVE-2020-9715 — Adobe Acrobat_dc: Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-9715in the wild

Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have an use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution . CVSSv3.1 7.8 (HIGH) · EPSS 99th percentile

CWECWE 416VNDAdobeTYPVulnerabilitySTAitw exploited
7.8
CVSS v3.1
100
Edit Score
2020-07-14
2020-07-14 13:15Z
HIGH

CVE-2020-15711 — Misp-project Misp: In MISP before 2.4.129, setting a favourite homepage was not CSRF protected.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-15711

In MISP before 2.4.129, setting a favourite homepage was not CSRF protected. CVSSv3.1 8.8 (HIGH) · EPSS 38th percentile

CWECWE 352VNDMispVNDMisp ProjectTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2020-06-30
2020-06-30 14:15Z
CRIT

CVE-2020-15411 — Misp-project Misp: app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-15411

An issue was discovered in MISP 2.4.128. app/Controller/AttributesController.php has insufficient ACL checks in the attachment downloader. CVSSv3.1 9.8 (CRITICAL)

VNDMispVNDMisp ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2020-06-22
2020-06-22 12:15Z
CRIT

CVE-2020-14968 — Kjur Jsrsasign: Also, an attacker might prepend these bytes with the goal of triggering memory corruption

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-14968

An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Its RSASSA-PSS (RSA-PSS) implementation does not detect signature manipulation/modification by prepending '\0' bytes to a signature (it accepts these modified signatures as valid). An attacker can abuse this behavior in an application by creating multiple valid signatures where only one signature should exist. Also, an attacker might prepend these bytes with the goal of triggering memory corruption is CVSSv3.1 9.8 (CRITICAL) · EPSS 85th percentile

CWECWE 119VNDNetappVNDKjurTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2020-06-22
2020-06-22 12:15Z
CRIT

CVE-2020-14967 — Kjur Jsrsasign: An attacker might prepend these bytes with the goal of triggering memory corruption issues.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-14967

An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending '\0' bytes to ciphertexts (it decrypts modified ciphertexts without error). An attacker might prepend these bytes with the goal of triggering memory corruption issues. CVSSv3.1 9.8 (CRITICAL) · EPSS 83th percentile

CWECWE 119VNDNetappVNDKjurTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2020-06-14
2020-06-14 21:15Z
HIGH

CVE-2020-14060 — Fasterxml Jackson-databind: 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-14060

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). CVSSv3.1 8.1 (HIGH) · EPSS 93th percentile

CWECWE 502VNDNetappVNDFasterxmlTYPVulnerability
8.1
CVSS v3.1
93
Edit Score
2020-06-14
2020-06-14 20:15Z
HIGH

CVE-2020-14062 — Fasterxml Jackson-databind: 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-14062

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). CVSSv3.1 8.1 (HIGH) · EPSS 92th percentile

CWECWE 502VNDNetappVNDFasterxmlTYPVulnerability
8.1
CVSS v3.1
93
Edit Score
2020-04-22
2020-04-22 19:15Z
CRIT

CVE-2020-7489 — Schneider-electric Ecostruxure_machine_expert: A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-7489

A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability exists on EcoStruxure Machine Expert – Basic or SoMachine Basic programming software (versions in security notification). The result of this vulnerability, DLL substitution, could allow the transference of malicious code to the controller. CVSSv3.1 9.8 (CRITICAL) · EPSS 71th percentile

CWECWE 74VNDSchneider ElectricVNDCweTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2020-04-07
2020-04-07 23:15Z
HIGH

CVE-2020-11619 — Fasterxml Jackson-databind: 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-11619

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). CVSSv3.1 8.1 (HIGH) · EPSS 80th percentile

CWECWE 502VNDNetappVNDFasterxmlTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2020-03-31
2020-03-31 05:15Z
HIGH

CVE-2020-11113 — Fasterxml Jackson-databind: 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-11113

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). CVSSv3.1 8.8 (HIGH) · EPSS 98th percentile

CWECWE 502VNDOracleVNDNetappVNDFasterxmlTYPVulnerability
8.8
CVSS v3.1
100
Edit Score
2020-03-31
2020-03-31 05:15Z
HIGH

CVE-2020-11112 — Fasterxml Jackson-databind: 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-11112

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). CVSSv3.1 8.8 (HIGH) · EPSS 91th percentile

CWECWE 502VNDOracleVNDNetappVNDFasterxmlTYPVulnerability
8.8
CVSS v3.1
96
Edit Score
2020-03-26
2020-03-26 21:20Z
HIGH

impacket 0.9.21

Impacket releases·github.com

Impacket 0.9.21 release adds significant offensive capabilities including keytab file support, gMSA password dumping, LAPS password extraction, Kerberos delegation enumeration, and enhanced NTLM relay attacks with SID-based escalation. New tools like ticketConverter.py, findDelegation.py, and addcomputer.py expand post-exploitation and lateral movement options.

SRFNetworkTACTA0006TACTA0007SRFIdentityTACTA0008VNDImpacketTYPToolSTGDiscovery
78
Edit Score
2020-03-16
2020-03-16 16:15Z
CRIT

CVE-2020-6990 — Rockwellautomation Micrologix_1400_a_firmware: Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-6990

Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic key utilized to help protect the account password is hard coded into the RSLogix 500 binary file. An attacker could identify cryptographic keys and use it for further cryptographic attacks that could ultimately lead to a remote attacker gaining unauthorized access to the controll CVSSv3.1 9.8 (CRITICAL) · EPSS 34th percentile

CWECWE 798CWECWE 321VNDRockwellautomationVNDRockwellTYPVulnerability
9.8
CVSS v3.1
99
Edit Score