• Skip to primary navigation
  • Skip to main content
CVE Vulnerability

CVE Vulnerability

  • CVE’s
  • Products
  • Vendors

CWE-94

CVE-2020-7694

February 26, 2023 by

This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it’s been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn’s access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that’s displaying the logs (either in real time or from a file).

CVE-2020-7710

February 26, 2023 by

This affects all versions of package safe-eval. It is possible for an attacker to run an arbitrary command on the host machine.

CVE-2020-7609

February 26, 2023 by

node-rules including 3.0.0 and prior to 5.0.0 allows injection of arbitrary commands. The argument rules of function “fromJSON()” can be controlled by users without any sanitization.

CVE-2020-7480

February 26, 2023 by

A CWE-94: Improper Control of Generation of Code (‘Code Injection’) vulnerability exists in Andover Continuum (All versions), which could cause files on the application server filesystem to be viewable when an attacker interferes with an application’s processing of XML data.

CVE-2020-7373

February 26, 2023 by

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is the preferred CVE ID to track this vulnerability.

CVE-2020-7381

February 26, 2023 by

In Rapid7 Nexpose installer versions prior to 6.6.40, the Nexpose installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine. This would prevent the installer from distinguishing between a valid executable called during a Security Console installation and any arbitrary code executable using the same file name.

  • « Go to Previous Page
  • Go to page 1
  • Interim pages omitted …
  • Go to page 141
  • Go to page 142
  • Go to page 143
  • Go to page 144
  • Go to page 145
  • Interim pages omitted …
  • Go to page 225
  • Go to Next Page »

Copyright CVE Vulnerabilities 2023
Data Sources:

  • NIST
  • MITRE
  • CVE Search
  • Open CVE