National Vulnerability Database (NVD)


  • CVE-2020-35128
    on January 19, 2021 at 2:15 pm

    Mautic before 3.2.4 is affected by stored XSS. An attacker with permission to manage companies, an application feature, could attack other users, including administrators. For example, by loading an externally crafted JavaScript file, an attacker could eventually perform actions as the target user. These actions include changing the user passwords, altering user or email addresses, or adding a new administrator to the system.

  • CVE-2020-35129
    on January 19, 2021 at 2:15 pm

    Mautic before 3.2.4 is affected by stored XSS. An attacker with access to Social Monitoring, an application feature, could attack other users, including administrators. For example, an attacker could load an externally crafted JavaScript file that would allow them to eventually perform actions on the target user’s behalf, including changing the user’s password or email address or changing the attacker’s user role from a low-privileged user to an administrator account.

  • CVE-2020-23342
    on January 19, 2021 at 2:15 pm

    A CSRF vulnerability exists in Anchor CMS 0.12.7 in anchor/views/users/edit.php that can be used to delete admin users.

  • CVE-2020-23522
    on January 19, 2021 at 1:15 pm

    Pixelimity 1.0 has cross-site request forgery via the admin/setting.php data [Password] parameter.

  • CVE-2020-20950
    on January 19, 2021 at 1:15 pm

    Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA affects Microchip Libraries for Applications, all versions up to 2018-11-26. The vulnerability can allow one to use Bleichenbacher's oracle attack to decrypt an encrypted ciphertext by making successive queries to the server using the vulnerable library, resulting in remote information disclosure.

  • CVE-2020-28477
    on January 19, 2021 at 11:15 am

    This affects all versions of package immer.

  • CVE-2020-28472
    on January 19, 2021 at 11:15 am

    This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9 and the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype of the application. This can be exploited further depending on the context.

  • CVE-2020-28478
    on January 19, 2021 at 11:15 am

    This affects the package gsap before 3.6.0.

  • CVE-2021-22852
    on January 19, 2021 at 10:15 am

    The HGiga EIP product contains an SQL injection vulnerability. Attackers can inject SQL commands into a specific URL parameter (online registration) to obtain the database schema and data.

  • CVE-2021-22851
    on January 19, 2021 at 10:15 am

    The HGiga EIP product contains an SQL injection vulnerability. Attackers can inject SQL commands into a specific URL parameter (document management page) to obtain the database schema and data.