CVE-2020-13997
In Shopware before 6.2.3, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled.
Source: CVE-2020-13997
CVE-2020-11474
NCP Secure Enterprise Client before 10.15 r47589 allows a symbolic link attack on enumusb.reg via Support Assistant.
Source: CVE-2020-11474
CVE-2020-13970
Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.
Source: CVE-2020-13970
CVE-2020-11476
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file.
Source: CVE-2020-11476
CVE-2020-13971
In Shopware before 6.2.3, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.
Source: CVE-2020-13971
CVE-2020-10985
Gambio GX before 4.0.1.0 allows XSS in admin/coupon_admin.php.
Source: CVE-2020-10985
CVE-2020-10983
Gambio GX before 4.0.1.0 allows SQL Injection in admin/mobile.php.
Source: CVE-2020-10983
CVE-2020-10982
Gambio GX before 4.0.1.0 allows SQL Injection in admin/gv_mail.php.
Source: CVE-2020-10982
CVE-2020-16094
In imap_scan_tree_recursive in Claws Mail through 3.17.6, a malicious IMAP server can trigger stack consumption because of unlimited recursion into subdirectories during a rebuild of the folder tree.
Source: CVE-2020-16094