CVE-2020-9350

Graph Builder in SAS Visual Analytics 8.5 allows XSS via a graph template that is accessed directly.

Source: CVE-2020-9350

CVE-2020-9342

The F-Secure AV parsing engine before 2020-02-05 allows virus-detection bypass via crafted Compression Method data in a GZIP archive. This affects versions before 17.0.605.474 (on Linux) of Cloud Protection For Salesforce, Email and Server Security, and Internet GateKeeper.

Source: CVE-2020-9342

CVE-2020-9341

CandidATS 2.1.0 is vulnerable to CSRF that allows for an administrator account to be added via the index.php?m=settings&a=addUser URI.

Source: CVE-2020-9341

CVE-2020-9340

fauzantrif eLection 2.0 has SQL Injection via the admin/ajax/op_kandidat.php id parameter.

Source: CVE-2020-9340

CVE-2020-9339

SOPlanning 1.45 allows XSS via the Name or Comment to status.php.

Source: CVE-2020-9339

CVE-2020-9338

SOPlanning 1.45 allows XSS via the "Your SoPlanning url" field.

Source: CVE-2020-9338

CVE-2020-9336

fauzantrif eLection 2.0 has XSS via the Admin Dashboard -> Settings -> Election -> "message if election is closed" field.

Source: CVE-2020-9336

CVE-2020-8813

graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.

Source: CVE-2020-8813

CVE-2020-9039

Couchbase Server 4.x and 5.x before 6.0.0 has Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).

Source: CVE-2020-9039

CVE-2020-8861

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of HNAP login requests. The issue results from the lack of proper handling of cookies. An attacker can leverage this vulnerability to execute arbitrary code on the router. Was ZDI-CAN-9554.

Source: CVE-2020-8861