| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2012-0955 | 295 | | | 2020-12-02 | 2020-12-08 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | software-properties was vulnerable to a person-in-the-middle attack due to incorrect TLS certificate validation in softwareproperties/ppa.py. software-properties didn't check TLS certificates under python2 and only checked certificates under python3 if a valid certificate bundle was provided. Fixed in software-properties version 0.92. |
| 2 | CVE-2016-9021 | 20 | | | 2020-12-31 | 2021-01-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Exponent CMS before 2.6.0 has improper input validation in storeController.php. |
| 3 | CVE-2016-9022 | 20 | | | 2020-12-31 | 2021-01-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Exponent CMS before 2.6.0 has improper input validation in usersController.php. |
| 4 | CVE-2016-9023 | 20 | | | 2020-12-31 | 2021-01-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php. |
| 5 | CVE-2016-9025 | 20 | | | 2020-12-31 | 2021-01-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php. |
| 6 | CVE-2016-9026 | 20 | | | 2020-12-31 | 2021-01-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Exponent CMS before 2.6.0 has improper input validation in fileController.php. |
| 7 | CVE-2017-2910 | 787 | | Exec Code Mem. Corr. | 2020-12-02 | 2020-12-04 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | An exploitable out-of-bounds write vulnerability exists in the xls_addCell function of libxls 2.0. A specially crafted xls file can cause memory corruption resulting in remote code execution. An attacker can send a malicious xls file to trigger this vulnerability. |
| 8 | CVE-2017-14451 | 125 | | Exec Code | 2020-12-02 | 2020-12-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An exploitable out-of-bounds read vulnerability exists in libevm (Ethereum Virtual Machine) of CPP-Ethereum. Specially crafted smart contract code can cause an out-of-bounds read which can subsequently trigger an out-of-bounds write resulting in remote code execution. An attacker can create/send a malicious smart contract to trigger this vulnerability. |
| 9 | CVE-2018-7580 | | | DoS | 2020-12-21 | 2020-12-29 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Philips Hue is vulnerable to a denial of service attack. Sending a SYN flood on port tcp/80 will freeze the Philips Hue hub and it will stop responding. The hub will stop operating and remain frozen until the flood stops. During the flood, the user won't be able to turn the lights on or off, and all of the hub's functionality will be unresponsive. The cloud service also won't work with the hub. |
| 10 | CVE-2018-14067 | 77 | | Exec Code | 2020-12-31 | 2021-01-06 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Green Packet WiMax DV-360 2.10.14-g1.0.6.1 devices allow command injection, with unauthenticated remote command execution, via a crafted payload to the HTTPS port, because lighttpd listens on all network interfaces (including the external Internet) by default. NOTE: this may overlap CVE-2017-9980. |
| 11 | CVE-2018-15632 | 20 | | | 2020-12-22 | 2020-12-22 | 8.5 | None | Remote | Low | Not required | None | Partial | Complete | Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows remote attackers to initialize an empty database to which they can connect with default credentials. |
| 12 | CVE-2018-15633 | 79 | | XSS | 2020-12-22 | 2020-12-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) issue in the "document" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames. |
| 13 | CVE-2018-15634 | 79 | | XSS | 2020-12-22 | 2020-12-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link. |
| 14 | CVE-2018-15638 | 79 | | XSS | 2020-12-22 | 2020-12-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) issue in the mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows remote attackers to inject arbitrary web script in the browser of a victim via crafted channel names. |
| 15 | CVE-2018-15641 | 79 | | XSS | 2020-12-22 | 2020-12-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) issue in the web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0 allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes. |
| 16 | CVE-2018-15645 | 732 | | | 2020-12-22 | 2020-12-23 | 4.0 | None | Remote | Low | ??? | None | Partial | None | Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads, which may allow privilege escalation. |
| 17 | CVE-2018-16243 | 79 | | XSS | 2020-12-15 | 2020-12-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | SolarWinds Database Performance Analyzer (DPA) 11.1.468 and 12.0.3074 have several persistent XSS vulnerabilities, related to logViewer.iwc, centralManage.cen, userAdministration.iwc, database.iwc, alertManagement.iwc, eventAnnotations.iwc, and central.cen. |
| 18 | CVE-2018-16795 | 352 | | CSRF | 2020-12-31 | 2021-01-05 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | OpenEMR 5.0.1.3 allows Cross-Site Request Forgery (CSRF) via library/ajax and interface/super, as demonstrated by use of interface/super/manage_site_files.php to upload a .php file. |
| 19 | CVE-2018-19941 | 312 | | | 2020-12-31 | 2021-01-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows an attacker to access sensitive information stored in cleartext inside cookies via certain widely-available tools. QNAP have already fixed this vulnerability in the following versions: QTS 4.5.1.1456 build 20201015 (and later); QuTS hero h4.5.1.1472 build 20201031 (and later); QuTScloud c4.5.2.1379 build 20200730 (and later). |
| 20 | CVE-2018-19944 | 319 | | | 2020-12-31 | 2021-01-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A cleartext transmission of sensitive information vulnerability has been reported to affect certain QTS devices. If exploited, this vulnerability allows a remote attacker to gain access to sensitive information. QNAP have already fixed this vulnerability in the following versions: QTS 4.4.3.1354 build 20200702 (and later). |
| 21 | CVE-2018-19945 | 22 | | Dir. Trav. | 2020-12-31 | 2021-01-06 | 8.5 | None | Remote | Low | Not required | None | Partial | Complete | A vulnerability has been reported to affect earlier QNAP devices running QTS 4.3.4 to 4.3.6. Caused by improper limitation of a pathname to a restricted directory, this vulnerability allows for renaming arbitrary files on the target system, if exploited. QNAP have already fixed this vulnerability in the following versions: QTS 4.3.6.0895 build 20190328 (and later); QTS 4.3.4.0899 build 20190322 (and later). This issue does not affect QTS 4.4.x or QTS 4.5.x. |
| 22 | CVE-2018-21270 | 125 | | | 2020-12-03 | 2021-02-16 | 5.8 | None | Remote | Medium | Not required | Partial | None | Partial | Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x). |
| 23 | CVE-2018-25001 | 416 | | | 2020-12-31 | 2021-01-05 | 4.0 | None | Remote | Low | ??? | None | Partial | None | An issue was discovered in the libpulse-binding crate before 2.5.0 for Rust. proplist::Iterator can cause a use-after-free. |
| 24 | CVE-2018-1000891 | 400 | | | 2020-12-23 | 2020-12-23 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when receiving messages with invalid checksums. |
| 25 | CVE-2018-1000892 | 400 | | | 2020-12-23 | 2020-12-23 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when receiving sendheaders messages. |
| 26 | CVE-2018-1000893 | 400 | | | 2020-12-23 | 2020-12-23 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Bitcoin SV before 0.1.1 allows uncontrolled resource consumption when deserializing transactions. |
| 27 | CVE-2019-4738 | 312 | | | 2020-12-10 | 2020-12-11 | 4.0 | None | Remote | Low | ??? | Partial | None | None | IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 and 6.0.0.0 through 6.0.3.1 discloses sensitive information to an authenticated user from the dashboard UI which could be used in further attacks against the system. IBM X-Force ID: 172753. |
| 28 | CVE-2019-7198 | 77 | | Exec Code | 2020-12-10 | 2021-06-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions of QTS and QuTS hero: QuTS hero h4.5.1.1472 build 20201031 and later; QTS 4.5.1.1456 build 20201015 and later; QTS 4.4.3.1354 build 20200702 and later. |
| 29 | CVE-2019-7725 | 502 | | | 2020-12-31 | 2021-01-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk). |
| 30 | CVE-2019-7726 | 89 | | Sql | 2020-12-31 | 2021-01-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | modules/banners/funcs/click.php in NukeViet before 4.3.04 has a SQL INSERT statement with raw header data from an HTTP request (e.g., Referer and User-Agent). |
| 31 | CVE-2019-11781 | 20 | | | 2020-12-22 | 2020-12-23 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Improper input validation in the portal component in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote attackers to trick victims into modifying their account via crafted links, leading to privilege escalation. |
| 32 | CVE-2019-11782 | | | | 2020-12-22 | 2021-11-02 | 4.0 | None | Remote | Low | ??? | None | Partial | None | Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier allows remote authenticated users with access to contact management to modify user accounts, leading to privilege escalation. |
| 33 | CVE-2019-11783 | 862 | | | 2020-12-22 | 2021-10-28 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Improper access control in the mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier allows remote authenticated users to subscribe to arbitrary mail channels uninvited. |
| 34 | CVE-2019-11784 | 862 | | | 2020-12-22 | 2021-10-28 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Improper access control in the mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier allows remote authenticated users to obtain access to arbitrary messages in conversations they were not a party to. |
| 35 | CVE-2019-11785 | 862 | | | 2020-12-22 | 2021-10-28 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Improper access control in the mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows remote authenticated users to obtain access to messages posted on business records they were not given access to, and to subscribe to receive future messages. |
| 36 | CVE-2019-11786 | | | | 2020-12-22 | 2021-11-02 | 4.0 | None | Remote | Low | ??? | None | Partial | None | Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows remote authenticated users to modify translated terms, which may lead to arbitrary content modification on translatable elements. |
| 37 | CVE-2019-12768 | 287 | | Bypass | 2020-12-30 | 2021-07-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered on D-Link DAP-1650 devices through v1.03b07 before 1.04B02_J65H Hot Fix. Attackers can bypass authentication via forceful browsing. |
| 38 | CVE-2019-12953 | 200 | | +Info | 2020-12-30 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Dropbear 2011.54 through 2018.76 has an inconsistent failure delay that may lead to revealing valid usernames, a different issue than CVE-2018-15599. |
| 39 | CVE-2019-14476 | 918 | | | 2020-12-16 | 2020-12-18 | 4.0 | None | Remote | Low | ??? | Partial | None | None | AdRem NetCrunch 10.6.0.4587 has a Server-Side Request Forgery (SSRF) vulnerability in the NetCrunch server. Every user can trick the server into performing SMB requests to other systems. |
| 40 | CVE-2019-14477 | 522 | | | 2020-12-16 | 2020-12-17 | 2.1 | None | Local | Low | Not required | Partial | None | None | AdRem NetCrunch 10.6.0.4587 has improper credential storage since the internal user database is readable by low-privileged users and passwords in the database are weakly encoded or encrypted. |
| 41 | CVE-2019-14478 | 79 | | Exec Code XSS | 2020-12-16 | 2020-12-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | AdRem NetCrunch 10.6.0.4587 has a stored Cross-Site Scripting (XSS) vulnerability in the NetCrunch web client. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript code in the context of the user's browser if the victim opens or searches for a node whose "Display Name" contains an XSS payload. |
| 42 | CVE-2019-14479 | 732 | | Exec Code | 2020-12-16 | 2021-07-21 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | AdRem NetCrunch 10.6.0.4587 allows remote code execution. In the NetCrunch web client, a read-only administrator can execute arbitrary code on the server running the NetCrunch server software. |
| 43 | CVE-2019-14480 | 287 | | Bypass | 2020-12-16 | 2021-07-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | AdRem NetCrunch 10.6.0.4587 has an improper session handling vulnerability in the NetCrunch web client, which can lead to an authentication bypass or escalation of privileges. |
| 44 | CVE-2019-14481 | 352 | | CSRF | 2020-12-16 | 2020-12-17 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | AdRem NetCrunch 10.6.0.4587 has a Cross-Site Request Forgery (CSRF) vulnerability in the NetCrunch web client. Successful exploitation requires a logged-in user to open a malicious page and leads to account takeover. |
| 45 | CVE-2019-14482 | 798 | | | 2020-12-16 | 2020-12-17 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | AdRem NetCrunch 10.6.0.4587 has a hardcoded SSL private key vulnerability in the NetCrunch web client. The same hardcoded SSL private key is used across different customers' installations when no other SSL certificate is installed, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation. |
| 46 | CVE-2019-14483 | 522 | | | 2020-12-16 | 2021-07-21 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | AdRem NetCrunch 10.6.0.4587 allows credentials disclosure. Every user can read the BSD, Linux, MacOS and Solaris private keys, private keys' passwords, and root passwords stored in the credential manager. Every administrator can read the ESX and Windows passwords stored in the credential manager. |
| 47 | CVE-2019-15078 | | | | 2020-12-30 | 2021-01-04 | 5.0 | None | Remote | Low | Not required | None | Partial | None | An issue was discovered in a smart contract implementation for AIRDROPX BORN through 2019-05-29, an Ethereum token. The name of the constructor has a typo (wrong case: XBornID versus XBORNID) that allows an attacker to change the owner of the contract and obtain cryptocurrency for free. |
| 48 | CVE-2019-15079 | | | | 2020-12-30 | 2021-01-04 | 5.0 | None | Remote | Low | Not required | None | Partial | None | A typo exists in the constructor of a smart contract implementation for EAI through 2019-06-05, an Ethereum token. This vulnerability could be used by an attacker to acquire EAI tokens for free. |
| 49 | CVE-2019-15080 | | | | 2020-12-30 | 2021-01-04 | 5.0 | None | Remote | Low | Not required | None | None | Partial | An issue was discovered in a smart contract implementation for MORPH Token through 2019-06-05, an Ethereum token. A typo in the constructor of the Owned contract (which is inherited by MORPH Token) allows attackers to acquire contract ownership. A new owner can subsequently obtain MORPH Tokens for free and can perform a DoS attack. |
| 50 | CVE-2019-15523 | 252 | | | 2020-12-30 | 2021-01-04 | 5.0 | None | Remote | Low | Not required | None | Partial | None | An issue was discovered in LINBIT csync2 through 2.0. It does not correctly check for the return value GNUTLS_E_WARNING_ALERT_RECEIVED of the gnutls_handshake() function. It neglects to call this function again, as required by the design of the API. |