ID | CVSS | Severity | Vector | Vendor | Product | Description | CWE | CVE | Updated | Published
210731 | 9.1 | CRITICAL | Network | auth0 | omniauth-auth0 | omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the `jwt_validator.verify` method. Improper validation of the JWT token signature can al… | CWE-347 Improper Verification of Cryptographic Signature | CVE-2020-15240 | 2024-11-21 14:05 | 2020-10-22
210732 | 6.1 | MEDIUM | Network | orchid | platform | In platform before version 9.4.4, inline attributes are not properly escaped. If the data that came from users was not escaped, then an XSS vulnerability is possible. The issue was introduced in 9.0.… | - | CVE-2020-15263 | 2024-11-21 14:05 | 2020-10-20
210733 | 3.7 | LOW | Network | webpack-subresource-integrity_project | webpack-subresource-integrity | In webpack-subresource-integrity before version 1.5.1, all dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their … | CWE-345 Insufficient Verification of Data Authenticity | CVE-2020-15262 | 2024-11-21 14:05 | 2020-10-20
210734 | 7.8 | HIGH | Local | chocolatey | boxstarter | The Boxstarter installer before version 2.13.0 configures C:\ProgramData\Boxstarter to be in the system-wide PATH environment variable. However, this directory is writable by normal, unprivileged use… | - | CVE-2020-15264 | 2024-11-21 14:05 | 2020-10-21
210735 | 6.7 | MEDIUM | Local | veyon | veyon | On Windows the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables wit… | - | CVE-2020-15261 | 2024-11-21 14:05 | 2020-10-20
210736 | 9.8 | CRITICAL | Network | object-path_project | object-path | A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is u… | NVD-CWE-Other | CVE-2020-15256 | 2024-11-21 14:05 | 2020-10-20
210737 | 4.3 | MEDIUM | Network | sylius | sylius | In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This ma… | CWE-862 Missing Authorization | CVE-2020-15245 | 2024-11-21 14:05 | 2020-10-20
210738 | 7.3 | HIGH | Local | anuko | time_tracker | In Anuko Time Tracker before version 1.19.23.5325, due to not properly filtered user input, a CSV export of a report could contain cells that are treated as formulas by spreadsheet software (for exampl… | CWE-1236 Improper Neutralization of Formula Elements in a CSV File | CVE-2020-15255 | 2024-11-21 14:05 | 2020-10-17
210739 | 8.8 | HIGH | Network | xwiki | xwiki | In XWiki before version 12.5 and 11.10.6, any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server Servlet context which contains tools allowing to instantia… | CWE-74 Injection | CVE-2020-15252 | 2024-11-21 14:05 | 2020-10-17
210740 | 8.0 | HIGH | Network | wire | wire | In Wire before 3.20.x, `shell.openExternal` was used without checking the URL. This vulnerability allows an attacker to execute code on the victim's machine by sending messages containing links with a… | - | CVE-2020-15258 | 2024-11-21 14:05 | 2020-10-17