| ID | CVSS | Severity | Vector | Vendor | Product | Description | CWE | CVE | Modified | Published |
|---|---|---|---|---|---|---|---|---|---|---|
| 210711 | 5.4 | MEDIUM | Network | requarks | wiki.js | In Wiki.js before version 2.5.162, an XSS payload can be injected in a page title and executed via the search results. While the title is properly escaped in both the navigation links and the actual … | - | CVE-2020-15274 | 2024-11-21 14:05 | 2020-10-27 |
| 210712 | 9.6 | CRITICAL | Network | git-tag-annotation-action_project | git-tag-annotation-action | In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the `tag` input] or manage to… | - | CVE-2020-15272 | 2024-11-21 14:05 | 2020-10-27 |
| 210713 | 8.8 | HIGH | Network | lookatme_project | lookatme | In lookatme (python/pypi package) versions prior to 2.3.0, the package automatically loaded the built-in "terminal" and "file_loader" extensions. Users that use lookatme to render untrusted markdown … | CWE-78 OS Command | CVE-2020-15271 | 2024-11-21 14:05 | 2020-10-27 |
| 210714 | 4.3 | MEDIUM | Network | parseplatform | parse-server | Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription object… | CWE-672 Operation on a Resource after Expiration or Release | CVE-2020-15270 | 2024-11-21 14:05 | 2020-10-23 |
| 210715 | 7.5 | HIGH | Network | google | tensorflow | In Tensorflow before version 2.4.0, when the `boxes` argument of `tf.image.crop_and_resize` has a very large value, the CPU kernel implementation receives it as a C++ `nan` floating point value. Atte… | CWE-119 Incorrect Access of Indexable Resource ('Range Error') | CVE-2020-15266 | 2024-11-21 14:05 | 2020-10-22 |
| 210716 | 7.5 | HIGH | Network | google | tensorflow | In Tensorflow before version 2.4.0, an attacker can pass an invalid `axis` value to `tf.quantization.quantize_and_dequantize`. This results in accessing a dimension outside the rank of the input tens… | - | CVE-2020-15265 | 2024-11-21 14:05 | 2020-10-22 |
| 210717 | 7.2 | HIGH | Network | openmage | magento | In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through prod… | CWE-502 Deserialization of Untrusted Data | CVE-2020-15244 | 2024-11-21 14:05 | 2020-10-22 |
| 210718 | 9.1 | CRITICAL | Network | sparksolutions | spree | In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround wit… | CWE-613 Insufficient Session Expiration | CVE-2020-15269 | 2024-11-21 14:05 | 2020-10-21 |
| 210719 | 9.1 | CRITICAL | Network | auth0 | omniauth-auth0 | omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the `jwt_validator.verify` method. Improper validation of the JWT token signature can al… | CWE-347 Improper Verification of Cryptographic Signature | CVE-2020-15240 | 2024-11-21 14:05 | 2020-10-22 |
| 210720 | 6.1 | MEDIUM | Network | orchid | platform | In platform before version 9.4.4, inline attributes are not properly escaped. If the data that came from users was not escaped, then an XSS vulnerability is possible. The issue was introduced in 9.0.… | - | CVE-2020-15263 | 2024-11-21 14:05 | 2020-10-20 |