CVSS: 9.3EPSS: 94%CPEs: 8EXPL: 14CVE-2020-8813 – Cacti 1.2.8 - Unauthenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-8813
22 Feb 2020 — graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege. El archivo graph_realtime.php en Cacti versión 1.2.8, permite a atacantes remotos ejecutar comandos arbitrarios de Sistema Operativo por medio de metacaracteres de shell en una cookie, si un usuario invitado posee el privilegio graph real-time. graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS comma... • https://packetstorm.news/files/id/156538 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.9EPSS: 0%CPEs: 4EXPL: 1CVE-2019-15624
https://notcve.org/view.php?id=CVE-2019-15624
04 Feb 2020 — Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders. Una Comprobación de Entrada Inapropiada en Nextcloud Server versión 15.0.7, permite a los administradores de grupo crear usuarios con los ID de carpetas del sistema. • http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00019.html • CWE-20: Improper Input Validation •
CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 1CVE-2020-8118
https://notcve.org/view.php?id=CVE-2020-8118
04 Feb 2020 — An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed to detect local and remote services when adding a new subscription in the calendar application. Un ataque de tipo server-side request forgery autenticado en Nextcloud versión 16.0.1, permitió detectar servicios locales y remotos al agregar una nueva suscripción en la aplicación calendar. • http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00019.html • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.0EPSS: 0%CPEs: 6EXPL: 0CVE-2019-18900 – libzypp stores cookies world readable
https://notcve.org/view.php?id=CVE-2019-18900
24 Jan 2020 — : Incorrect Default Permissions vulnerability in libzypp of SUSE CaaS Platform 3.0, SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allowed local attackers to read a cookie store used by libzypp, exposing private cookies. This issue affects: SUSE CaaS Platform 3.0 libzypp versions prior to 16.21.2-27.68.1. SUSE Linux Enterprise Server 12 libzypp versions prior to 16.21.2-2.45.1. SUSE Linux Enterprise Server 15 17.19.0-3.34.1. Una vulnerabilidad de Permisos Predeterminados Incorrectos en lib... • http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.html • CWE-276: Incorrect Default Permissions •
CVSS: 8.8EPSS: 25%CPEs: 4EXPL: 2CVE-2020-5504 – Ubuntu Security Notice USN-4639-1
https://notcve.org/view.php?id=CVE-2020-5504
09 Jan 2020 — In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server. En phpMyAdmin versiones 4 anteriores a 4.9.4 y versiones 5 anteriores a 5.0.1, una inyección SQL se presenta en la página de cuentas de usuario. Un usuario malicioso podría inyectar SQL personalizado en lugar de su propio nombre de usuario c... • https://github.com/xMohamed0/CVE-2020-5504-phpMyAdmin • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2019-3688 – squid: /usr/sbin/pinger packaged with wrong permission
https://notcve.org/view.php?id=CVE-2019-3688
07 Oct 2019 — The /usr/sbin/pinger binary packaged with squid in SUSE Linux Enterprise Server 15 before and including version 4.8-5.8.1 and in SUSE Linux Enterprise Server 12 before and including 3.5.21-26.17.1 had squid:root, 0750 permissions. This allowed an attacker that compromissed the squid user to gain persistence by changing the binary El binario /usr/sbin/pinger empaquetado con squid en SUSE Linux Enterprise Server 15 anterior e incluyendo la versión 4.8-5.8.1 y en SUSE Linux Enterprise Server 12 anterior e incl... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html • CWE-276: Incorrect Default Permissions •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 2CVE-2018-19655
https://notcve.org/view.php?id=CVE-2018-19655
29 Nov 2018 — A stack-based buffer overflow in the find_green() function of dcraw through 9.28, as used in ufraw-batch and many other products, may allow a remote attacker to cause a control-flow hijack, denial-of-service, or unspecified other impact via a maliciously crafted raw photo file. Un desbordamiento de búfer basado en pila en la función find_green() de dcraw hasta la versión 9.28, tal y como se emplea en ufraw-batch y muchos otros productos, podría permitir que un atacante remoto provoque el secuestro de un flu... • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890086 • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2018-12116 – nodejs: HTTP request splitting
https://notcve.org/view.php?id=CVE-2018-12116
28 Nov 2018 — Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server. Node.js: Todas las versiones anteriores a la 6.15.0 y 8.14.0: separación de petición HTTP. Si se puede convencer a Node.js para que emplee datos Unicode no saneados proporcionados por el us... • https://access.redhat.com/errata/RHSA-2019:1821 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') CWE-115: Misinterpretation of Input •
CVSS: 7.5EPSS: 1%CPEs: 9EXPL: 0CVE-2018-12122 – nodejs: Slowloris HTTP Denial of Service
https://notcve.org/view.php?id=CVE-2018-12122
28 Nov 2018 — Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time. Node.js: Todas las versiones anteriores a la 6.15.0, 8.14.0, 10.14.0 y 11.3.0: Denegación de servicio (DoS) HTTP mediante Slowloris. Un atacante puede provocar una denegación de servicio (DoS) enviando cabeceras muy lentamente, mant... • http://www.securityfocus.com/bid/106043 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 39%CPEs: 13EXPL: 2CVE-2018-19052
https://notcve.org/view.php?id=CVE-2018-19052
07 Nov 2018 — An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character. Se ha descubierto un problema en mod_alias_physical_handler en mod_alias.c en lighttpd en versiones anteriores a la 1.4.50. Hay un salto de directorio ../ de un úni... • https://github.com/iveresk/cve-2018-19052 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •