CVE-2020-1704

An insecure modification vulnerability in the /etc/passwd file was found in all versions of OpenShift ServiceMesh (maistra) before 1.0.8 in the openshift/istio-kialia-rhel7-operator-container. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.

Source: CVE-2020-1704

CVE-2019-12954

SolarWinds Network Performance Monitor (Orion Platform 2018, NPM 12.3, NetPath 1.1.3) allows XSS by authenticated users via a crafted onerror attribute of a VIDEO element in an action for an ALERT.

Source: CVE-2019-12954

CVE-2015-1387

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-1454. Reason: This candidate is a reservation duplicate of CVE-2015-1454. Notes: All CVE users should reference CVE-2015-1454 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Source: CVE-2015-1387

CVE-2013-3722

A Denial of Service (infinite loop) exists in OpenSIPS before 1.10 in lookup.c.

Source: CVE-2013-3722

CVE-2020-9038

Joplin through 1.0.184 allows Arbitrary File Read via XSS.

Source: CVE-2020-9038

CVE-2020-6850

Utilities.php in the miniorange-saml-20-single-sign-on plugin before 4.8.84 for WordPress allows XSS via a crafted SAML XML Response to wp-login.php. This is related to the SAMLResponse and RelayState variables, and the Destination parameter of the samlp:Response XML element.

Source: CVE-2020-6850

CVE-2020-1692

Moodle before version 3.7.2 is vulnerable to information exposure of service tokens for users enrolled in the same course.

Source: CVE-2020-1692

CVE-2013-3738

A File Inclusion vulnerability exists in Zabbix 2.0.6 due to inadequate sanitization of request strings in CGI scripts, which could let a remote malicious user execute arbitrary code.

Source: CVE-2013-3738

CVE-2020-9006

The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on WordPress instances. (This issue has been fixed in the 3.x branch of popup-builder.)

Source: CVE-2020-9006

CVE-2020-8518

Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution.

Source: CVE-2020-8518