|
214191
|
8.8 |
HIGH
Network
|
rukovoditel
|
rukovoditel
|
In Rukovoditel 2.5.2 has a form_session_token value to prevent CSRF attacks. This protection mechanism can be bypassed with another user's valid token. Thus, an attacker can change the Admin password…
|
CWE-352
Origin Validation Error
|
CVE-2020-11818
|
2024-11-21 13:58 |
2020-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
214192
|
9.8 |
CRITICAL
Network
|
rukovoditel
|
rukovoditel
|
Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the reports_id (POST) parameter.
|
CWE-89
SQL Injection
|
CVE-2020-11816
|
2024-11-21 13:58 |
2020-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
214193
|
9.8 |
CRITICAL
Network
|
rukovoditel
|
rukovoditel
|
In Rukovoditel 2.5.2, attackers can upload arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific at…
|
CWE-434
Unrestricted Upload of File with Dangerous Type
|
CVE-2020-11815
|
2024-11-21 13:58 |
2020-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
214194
|
5.4 |
MEDIUM
Network
|
qdpm
|
qdpm
|
A Host Header Injection vulnerability in qdPM 9.1 may allow an attacker to spoof a particular header and redirect users to malicious websites.
|
CWE-74
Injection
|
CVE-2020-11814
|
2024-11-21 13:58 |
2020-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
214195
|
5.4 |
MEDIUM
Network
|
rukovoditel
|
rukovoditel
|
In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the configuration page via the copyright text input. Thus, an attacker can inject a malicious script to steal all users' valuable data. Th…
|
CWE-79
Cross-site Scripting
|
CVE-2020-11813
|
2024-11-21 13:58 |
2020-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
214196
|
9.8 |
CRITICAL
Network
|
rukovoditel
|
rukovoditel
|
Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the filters[0][value] or filters[1][value] parameter.
|
CWE-89
SQL Injection
|
CVE-2020-11812
|
2024-11-21 13:58 |
2020-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
214197
|
9.8 |
CRITICAL
Network
|
qdpm
|
qdpm
|
In qdPM 9.1, an attacker can upload a malicious .php file to the server by exploiting the Add Profile Photo capability with a crafted content-type value. After that, the attacker can execute an arbit…
|
CWE-434
Unrestricted Upload of File with Dangerous Type
|
CVE-2020-11811
|
2024-11-21 13:58 |
2020-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
214198
|
6.5 |
MEDIUM
Network
|
broadcom
|
ca_api_developer_portal
|
CA API Developer Portal 4.3.1 and earlier contains an access control flaw that allows privileged users to view restricted sensitive information.
|
NVD-CWE-noinfo
|
CVE-2020-11660
|
2024-11-21 13:58 |
2020-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
214199
|
4.3 |
MEDIUM
Network
|
broadcom
|
ca_api_developer_portal
|
CA API Developer Portal 4.3.1 and earlier contains an access control flaw that allows privileged users to perform a restricted user administration action.
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2020-11659
|
2024-11-21 13:58 |
2020-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
214200
|
9.8 |
CRITICAL
Network
|
broadcom
|
ca_api_developer_portal
|
CA API Developer Portal 4.3.1 and earlier handles shared secret keys in an insecure manner, which allows attackers to bypass authorization.
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2020-11658
|
2024-11-21 13:58 |
2020-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
