6253 matches found
CVE-2020-5899
In NGINX Controller 3.0.0-3.4.0, the recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or has read access to the database to request a password reset using the email address ...
CVE-2020-5901
In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross-Site Scripting (XSS) attack. If the victim user is logged in as admin, this could result in a complete compromise of the system...
Default credentials
In NGINX Controller 3.0.0-3.4.0, the recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or has read access to the database to request a password reset using the email address ...
Cross site scripting
In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross-Site Scripting (XSS) attack. If the victim user is logged in as admin, this could result in a complete compromise of the system...
CVE-2020-5900
In versions 3.0.0-3.4.0, 2.0.0-2.9.0, and 1.0.1, there are insufficient cross-site request forgery (CSRF) protections for the NGINX Controller user interface...
Cross site request forgery (CSRF)
In versions 3.0.0-3.4.0, 2.0.0-2.9.0, and 1.0.1, there are insufficient cross-site request forgery (CSRF) protections for the NGINX Controller user interface...
CVE-2020-5901
CVE-2020-5901 affects NGINX Controller 3.3.0–3.4.0. An undisclosed API endpoint may enable a reflected Cross‑Site Scripting (XSS) attack; if the victim is logged in as an administrator, this can lead to complete system compromise. The CVSSv3 base score is 9.6 (CRITICAL) with web‑network exposure...
CVE-2020-5899
The CVE-2020-5899 issue affects NGINX Controller (3.0.0–3.4.0). The recovery/token used to change a user’s password is transmitted and stored in the database in plaintext, enabling an attacker with DB access or interception to request a password reset for another user and retrieve the recovery co...
CVE-2020-5900
CVE-2020-5900 affects NGINX Controller components across versions 1.0.1, 2.0.0–2.9.0, and 3.0.0–3.4.0, with insufficient CSRF protections on the user interface. The Red Hat and F5 advisories confirm the vulnerability allows an attacker to induce the victim to perform arbitrary actions in the web ...
Directory Traversal
django-sendfile2 is vulnerable to directory traversal. The vulnerability exists because the nginx backend does not limit file paths to the SENDFILE_ROOT...
CVE-2020-11959
An unsafe configuration of nginx leads to an information leak in Xiaomi router R3600 ROM before 1.0.50...
Design/Logic Flaw
An unsafe configuration of nginx leads to an information leak in Xiaomi router R3600 ROM before 1.0.50...
CVE-2020-11959
CVE-2020-11959: The issue arises from an unsafe configuration of nginx in the Xiaomi router R3600 ROM prior to version 1.0.50, leading to information leakage. The vulnerability affects the router’s handling of its web services, with the root cause described as an unsafe configuration rather than...