‼ CVE-2020-26415 ‼
via "National Vulnerability Database".
Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.
‼ CVE-2020-13357 ‼
An issue was discovered in GitLab CE/EE versions >=13.1 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2 that allowed an unauthorized user to access the user list corresponding to a feature flag in a project.
‼ CVE-2020-7789 ‼
This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines because the options parameter is not sanitised when it is passed an array.
‼ CVE-2020-7792 ‼
This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.
‼ CVE-2020-7788 ‼
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
‼ CVE-2020-7790 ‼
This affects the package spatie/browsershot from 0.0.0. By specifying a URL in the file:// protocol an attacker is able to include arbitrary files in the resultant PDF.
‼ CVE-2020-7536 ‼
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M340 CPUs (BMXP34* versions prior to V3.30) and Modicon M340 Communication Ethernet modules (BMXNOE0100 (H) versions prior to V3.4, BMXNOE0110 (H) versions prior to V6.6, BMXNOR0200H all versions), that could cause the device to become unreachable when network parameters are modified over SNMP.
‼ CVE-2020-7542 ‼
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.
‼ CVE-2020-13530 ‼
A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.
‼ CVE-2020-7543 ‼
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.
‼ CVE-2020-7541 ‼
A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.
‼ CVE-2020-26416 ‼
Information disclosure in the Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.
‼ CVE-2020-25838 ‼
An unauthorized disclosure of sensitive information vulnerability exists in the Micro Focus Filr product, affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose sensitive information without authorization.
‼ CVE-2020-7537 ‼
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.
‼ CVE-2020-28220 ‼
A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (all versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (all versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.
‼ CVE-2020-7535 ‼
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.
‼ CVE-2020-26409 ‼
A DoS vulnerability exists in GitLab CE/EE >=10.3 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2 that allows an attacker to trigger uncontrolled resource consumption by bypassing input validation in markdown fields.
‼ CVE-2020-7539 ‼
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause a denial of service when a specially crafted packet is sent to the controller over HTTP.
‼ CVE-2020-28214 ‼
A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using a dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.