CVE-2020-19554

Cross Site Scripting (XSS) vulnerability exists in ManageEngine OPManager <=12.5.174 when the API key contains an XML-based XSS payload.

Source: CVE-2020-19554

CVE-2020-35540

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2020. Notes: none.

Source: CVE-2020-35540

CVE-2020-19553

Cross Site Scripting (XSS) vlnerability exists in WUZHI CMS up to and including 4.1.0 in the config function in coreframe/app/attachment/libs/class/ckditor.class.php.

Source: CVE-2020-19553

CVE-2020-19551

Blacklist bypass issue exists in WUZHI CMS up to and including 4.1.0 in common.func.php, which when uploaded can cause remote code executiong.

Source: CVE-2020-19551

CVE-2021-41084

http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`Ã¥), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.

Source: CVE-2021-41084

CVE-2021-40847

The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root via a MitM attack. While the parental controls themselves are not enabled by default on the routers, the Circle update daemon, circled, is enabled by default. This daemon connects to Circle and NETGEAR to obtain version information and updates to the circled daemon and its filtering database. However, database updates from NETGEAR are unsigned and downloaded via cleartext HTTP. As such, an attacker with the ability to perform a MitM attack on the device can respond to circled update requests with a crafted, compressed database file, the extraction of which gives the attacker the ability to overwrite executable files with attacker-controlled code. This affects R6400v2 1.0.4.106, R6700 1.0.2.16, R6700v3 1.0.4.106, R6900 1.0.2.16, R6900P 1.3.2.134, R7000 1.0.11.123, R7000P 1.3.2.134, R7850 1.0.5.68, R7900 1.0.4.38, R8000 1.0.4.68, and RS400 1.5.0.68.

Source: CVE-2021-40847

CVE-2021-23443

This affects the package edge.js before 5.3.2. A type confusion vulnerability can be used to bypass input sanitization when the input to be rendered is an array (instead of a string or a SafeValue), even if {{ }} are used.

Source: CVE-2021-23443

CVE-2021-39230

Butter is a system usability utility. Due to a kernel error the JPNS kernel is being discontinued. Affected users are recommend to update to the Trinity kernel. There are no workarounds.

Source: CVE-2021-39230

CVE-2021-23444

This affects the package jointjs before 3.4.2.
A type confusion vulnerability can lead to a bypass of CVE-2020-28480 when the user-provided keys used in the path parameter are arrays in the setByPath function.

Source: CVE-2021-23444

CVE-2021-40868

In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to Reflected XSS.

Source: CVE-2021-40868