CVE-2020-2504
If exploited, this absolute path traversal vulnerability could allow attackers to traverse files in File Station. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later.
Source: CVE-2020-2504
CVE-2020-5684
iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express do not verify a server certificate properly, which allows a man-in-the-middle attacker to eavesdrop on an encrypted communication or alter the communication via a crafted certificate.
Source: CVE-2020-5684
CVE-2020-5681
Untrusted search path vulnerability in self-extracting files created by EpsonNet SetupManager versions 2.2.14 and earlier, and Offirio SynergyWare PrintDirector versions 1.6x/1.6y and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
Source: CVE-2020-5681
CVE-2020-2505
If exploited, this vulnerability could allow attackers to gain sensitive information via generation of error messages. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later.
Source: CVE-2020-2505
CVE-2020-2499
A hard-coded password vulnerability has been reported to affect earlier versions of QES. If exploited, this vulnerability could allow attackers to log in with a hard-coded password. QNAP has already fixed the issue in QES 2.1.1 Build 20200515 and later.
Source: CVE-2020-2499
CVE-2020-35668
RedisGraph 2.x through 2.2.11 has a NULL Pointer Dereference that leads to a server crash because it mishandles an unquoted string, such as an alias that has not yet been introduced.
Source: CVE-2020-35668
CVE-2020-35666 (steedos)
Steedos Platform through 1.21.24 allows NoSQL injection because the /api/collection/findone implementation in server/packages/steedos_base.js mishandles req.body validation, as demonstrated by MongoDB operator attacks such as an X-User-Id[$ne]=1 value.
Source: CVE-2020-35666 (steedos)
CVE-2020-35665 (terramaster_operating_system)
An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.
CVE-2020-35252 (user_registration_and_login_system_with_admin_panel)
Cross Site Scripting (XSS) vulnerability via the ‘Full Name’ parameter in the User Registration section of User Registration & Login System with Admin Panel 1.0.
Source: CVE-2020-35252 (user_registration_and_login_system_with_admin_panel)
CVE-2020-35598 (advanced_comment_system)
ACS Advanced Comment System 1.0 is affected by Directory Traversal via an advanced_component_system/index.php?ACS_path=..%2f URI.