CVE-2020-12648 (tinymce)

A cross-site scripting (XSS) vulnerability in TinyMCE 5.2.1 and earlier allows remote attackers to inject arbitrary web script when configured in classic editing mode.

Source

/by

CVE-2020-4662 (event_streams)

IBM Event Streams 10.0.0 could allow an authenticated user to perform tasks to a schema due to improper authentication validation. IBM X-Force ID: 186233.

Source

/by

CVE-2020-24346 (njs)

njs through 0.4.3, used in NGINX, has a use-after-free in njs_json_parse_iterator_call in njs_json.c.

Source

/by

CVE-2020-24345 (jerryscript)

** DISPUTED ** JerryScript through 2.3.0 allows stack consumption via function a(){new new Proxy(a,{})}JSON.parse(“[]”,a). NOTE: the vendor states that the problem is the lack of the –stack-limit option.

Source

/by

CVE-2020-13286 (gitlab)

For GitLab before 13.0.12, 13.1.6, 13.2.3 user controlled git configuration settings can be modified to result in Server Side Request Forgery.

Source

/by

CVE-2020-13281 (gitlab)

For GitLab before 13.0.12, 13.1.6, 13.2.3 a denial of service exists in the project import feature

Source

/by

CVE-2020-17463 (fuel_cms)

FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.

Source

/by

CVE-2020-13285 (gitlab)

For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting vulnerability exists in the issue reference number tooltip.

Source

/by

CVE-2020-13283 (gitlab)

For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting vulnerability exists in the issues list via milestone title.

Source

/by

CVE-2020-4589 (websphere_application_server)

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. The vulnerability only occurs if an undocumented customization has been applied by an administrator. IBM X-Force ID: 184585.

Source

/by