Common Vulnerabilities and Exposures

Total CVE count: 145380

CVE-2020-16123

Published 1 hour ago

An Ubuntu-specific patch in PulseAudio created a race condition where the snap policy module would fail to identify a client connection from a snap as coming from a snap if SCM_CREDENTIALS were missing, allowing the snap to connect to PulseAudio without proper confinement. This could be exploited by an attacker to expose sensitive information. Fixed in 1:13.99.3-1ubuntu2, 1:13.99.2-1ubuntu2.1, 1:13.99.1-1ubuntu3.8, 1:11.1-1ubuntu7.11, and 1:8.0-0ubuntu3.15.

CVE-2018-21270

Published 4 hours ago

Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).

CVE-2020-26248

Published 4 hours ago

In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. The problem is fixed in 4.2.1 of the module.

CVE-2020-29529

Published 5 hours ago

HashiCorp go-slug before 0.5.0 does not address attempts at directory traversal involving ../ and symlinks.

CVE-2020-29534

Published 5 hours ago

An issue was discovered in the Linux kernel before 5.9.3. io_uring takes a non-refcounted reference to the files_struct of the process that submitted a request, causing execve() to incorrectly optimize unshare_fd(), aka CID-0f2122045b94.

CVE-2020-17527

Published 6 hours ago

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

CVE-2020-23736

Published 6 hours ago

There is a local denial of service vulnerability in DaDa accelerator 5.6.19.816,, attackers can use constructed programs to cause computer crashes (BSOD).

CVE-2020-23738

Published 6 hours ago

There is a local denial of service vulnerability in Advanced SystemCare 13 PRO 13.5.0.174. Attackers can use a constructed program to cause a computer crash (BSOD)

CVE-2020-23740

Published 6 hours ago

In DriverGenius 9.61.5480.28 there is a local privilege escalation vulnerability in the driver wizard, attackers can use constructed programs to increase user privileges.

CVE-2020-23741

Published 6 hours ago

In AnyView (network police) network monitoring software 4.6.0.1, there is a local denial of service vulnerability in AnyView, attackers can use a constructed program to cause a computer crash (BSOD).

CVE-2020-13524

Published 7 hours ago

An out-of-bounds memory corruption vulnerability exists in the way Pixar OpenUSD 20.05 uses SPECS data from binary USD files. A specially crafted malformed file can trigger an out-of-bounds memory access and modification which results in memory corruption. To trigger this vulnerability, the victim needs to access an attacker-provided malformed file.

CVE-2020-13525

Published 7 hours ago

The sort parameter in the download page /sysworkflow/en/neoclassic/reportTables/reportTables_Ajax is vulnerable to SQL injection in ProcessMaker 3.4.11. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CVE-2020-23726

Published 7 hours ago

There is a local denial of service vulnerability in Wise Care 365 5.5.4, attackers can cause computer crash (BSOD).

CVE-2020-23727

Published 7 hours ago

There is a local denial of service vulnerability in the Antiy Zhijia Terminal Defense System 5.0.2.10121559 and an attacker can cause a computer crash (BSOD).

CVE-2020-28175

Published 7 hours ago

There is a local privilege escalation vulnerability in Alfredo Milani Comparetti SpeedFan 4.52. Attackers can use constructed programs to increase user privileges

CVE-2020-13531

Published 8 hours ago

A use-after-free vulnerability exists in a way Pixar OpenUSD 20.08 processes reference paths textual USD files. A specially crafted file can trigger the reuse of a freed memory which can result in further memory corruption and arbitrary code execution. To trigger this vulnerability, the victim needs to open an attacker-provided malformed file.

CVE-2020-13542

Published 8 hours ago

A local privilege elevation vulnerability exists in the file system permissions of LogicalDoc 8.5.1 installation. Depending on the vector chosen, an attacker can either replace the service binary or replace DLL files loaded by the service, both which get executed by a service thus executing arbitrary commands with System privileges.

CVE-2020-13543

Published 8 hours ago

A code execution vulnerability exists in the WebSocket functionality of Webkit WebKitGTK 2.30.0. A specially crafted web page can trigger a use-after-free vulnerability which can lead to remote code execution. An attacker can get a user to visit a webpage to trigger this vulnerability.

CVE-2020-13584

Published 8 hours ago

An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.1 x64. A specially crafted HTML web page can cause a use-after-free condition, resulting in a remote code execution. The victim needs to visit a malicious web site to trigger this vulnerability.

CVE-2020-14339

Published 8 hours ago

A flaw was found in libvirt, where it leaked a file descriptor for `/dev/mapper/control` into the QEMU process. This file descriptor allows for privileged operations to happen against the device-mapper on the host. This flaw allows a malicious guest user or process to perform operations outside of their standard permissions, potentially causing serious damage to the host operating system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.