Latest 7 days CVE Lists

An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There are CSRF issues with the log-clear controller action.

An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There is stored XSS in the Bulk Resize action.

A Remote code execution vulnerability exists in DEXT5Upload in DEXT5 through 2.7.1402870. An attacker can upload a PHP file via dext5handler.jsp handler because the uploaded file is stored under dext5uploadeddata/.

Cybozu Desktop for Windows 2.0.23 to 2.2.40 allows remote code execution via unspecified vectors.

ffjpeg through 2020-02-24 has an invalid read in jfif_encode in jfif.c.

ffjpeg through 2020-02-24 has a heap-based buffer over-read in jfif_decode in jfif.c.

ffjpeg through 2020-02-24 has an invalid write in bmp_load in bmp.c.

Jason2605 AdminPanel 4.0 allows SQL Injection via the editPlayer.php hidden parameter.

SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.

SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.

legend.ts in the piechart-panel (aka Pie Chart Panel) plugin before 1.5.0 for Grafana allows XSS via the Values Header (aka legend header) option.

Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.

TrackR devices through 2020-05-06 allow attackers to trigger the Beep (aka alarm) feature, which will eventually cause a denial of service when battery capacity is exhausted.

The XCloner component before 3.5.4 for Joomla! allows Authenticated Local File Disclosure.

An issue was discovered in Aviatrix Controller before 5.4.1204. An API call on the web interface lacked a session token check to control access, leading to CSRF.

An issue was discovered in Aviatrix Controller before 5.4.1204. There is a Observable Response Discrepancy from the API, which makes it easier to perform user enumeration via brute force.

An issue was discovered in Aviatrix Controller before 5.4.1204. It contains credentials unused by the software.

An issue was discovered in Aviatrix Controller through 5.1. An attacker with any signed SAML assertion from the Identity Provider can establish a connection (even if that SAML assertion has expired or is from a user who is not authorized to access Aviatrix), aka XML Signature Wrapping.

An issue was discovered in Aviatrix Controller before 5.4.1066. A Controller Web Interface session token parameter is not required on an API call, which opens the application up to a Cross Site Request Forgery (CSRF) vulnerability for password resets.

An Elevation of Privilege issue was discovered in Aviatrix VPN Client before 2.10.7, because of an incomplete fix for CVE-2020-7224. This affects Linux, macOS, and Windows installations for certain OpenSSL parameters.