2020-12-23
Medium

CVE-2020-25192

The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower allows sensitive information to be displayed without proper authorization.

High

CVE-2020-25190

The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower stores and transmits the credentials of third-party services in cleartext.

Critical

CVE-2020-25153

The built-in web service for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower does not require users to have strong passwords.

Medium

CVE-2020-35658

SpamTitan before 7.09 allows attackers to tamper with backups, because backups are not encrypted.

High

CVE-2020-35657

Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of UploadTheme to upload a theme ZIP archive containing a .php file that is able to execute OS…

High

CVE-2020-35656

Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser and admin.php?reqGad…

2020-12-22
High

CVE-2020-28641

In Malwarebytes Free 4.1.0.56, a symbolic link may be used to delete an arbitrary file on the system by exploiting the local quarantine system.

Critical

CVE-2020-29583

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This accoun…

Medium

CVE-2020-27338

An issue was discovered in Treck IPv6 before 6.0.1.68. Improper Input Validation in the DHCPv6 client component allows an unauthenticated remote attacker to cause an Out of Bounds Read, and possibly…

High

CVE-2020-27337

An issue was discovered in Treck IPv6 before 6.0.1.68. Improper Input Validation in the IPv6 component allows an unauthenticated remote attacker to cause an Out of Bounds Write, and possibly a Denial…

Low

CVE-2020-27336

An issue was discovered in Treck IPv6 before 6.0.1.68. Improper input validation in the IPv6 component when handling a packet sent by an unauthenticated remote attacker could result in an out-of-boun…

Critical

CVE-2020-25066

A heap-based buffer overflow in the Treck HTTP Server component before 6.0.1.68 allows remote attackers to cause a denial of service (crash/reset) or to possibly execute arbitrary code.

Critical

CVE-2020-24683

The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not a…

High

CVE-2020-24679

A S+ Operations and S+ Historian service is subject to a DoS by special crafted messages. An attacker might use this flaw to make it crash or even execute arbitrary code on the machine where the serv…

High

CVE-2020-24678

An authenticated user might execute malicious code under the user context and take control of the system. S+ Operations or S+ Historian database is affected by multiple vulnerabilities such as the po…

High

CVE-2020-24677

Vulnerabilities in the S+ Operations and S+ Historian web applications can lead to a possible code execution and privilege escalation, redirect the user somewhere else or download unwanted data.

High

CVE-2020-24676

In Symphony Plus Operations and Symphony Plus Historian, some services can be vulnerable to privilege escalation attacks. An unprivileged (but authenticated) user could execute arbitrary code and res…

Critical

CVE-2020-24675

In S+ Operations and S+ History, it is possible that an unauthenticated user could inject values to the Operations History server (or standalone S+ History server) and ultimately write values to the…

High

CVE-2020-24674

In S+ Operations and S+ Historian, not all client commands correctly check user permission as expected. Authenticated but unauthorized remote users could execute a Denial-of-Service (DoS) attack, exe…

Critical

CVE-2020-24673

In S+ Operations and S+ Historian, a successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the…

Medium

CVE-2020-14270

HCL Domino v9, v10, v11 is susceptible to an Information Disclosure vulnerability in XPages due to improper error handling of user input. An unauthenticated attacker could exploit this vulnerability…

Medium

CVE-2020-35609

A denial-of-service vulnerability exists in the asynchronous ioctl functionality of Microsoft Azure Sphere 20.05. A sequence of specially crafted ioctl calls can cause a denial of service. An attacke…

High

CVE-2020-35608

A code execution vulnerability exists in the normal world’s signed code execution functionality of Microsoft Azure Sphere 20.07. A specially crafted AF_PACKET socket can cause a process to create an…

High

CVE-2020-14231

A vulnerability in the input parameter handling of HCL Client Application Access v9 could potentially be exploited by an authenticated attacker resulting in a stack buffer overflow. This could allow…

High

CVE-2020-24581

An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. It contains an execute_cmd.cgi feature (that is not reachable via the web user interface) that lets an…

High

CVE-2020-24580

An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. Lack of authentication functionality allows an attacker to assign a static IP address that was once use…

High

CVE-2020-24579

An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. An unauthenticated attacker could bypass authentication to access authenticated pages and functionality.

Medium

CVE-2020-24578

An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. It has a misconfigured FTP service that allows a malicious network user to access system folders and do…

High

CVE-2020-13547

A type confusion vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger an improper use of an object, r…

High

CVE-2020-25106

Nanosystems SupRemo 4.1.3.2348 allows attackers to obtain LocalSystem access because File Manager can be used to rename Supremo.exe and then upload a Trojan horse with the Supremo.exe filename.

High

CVE-2020-13570

A use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger the reuse of previously free memory w…

High

CVE-2020-13560

A use after free vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger reuse of previously free memory…

High

CVE-2020-13557

A use after free vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger reuse of previously free memory…

High

CVE-2020-29396

A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leadi…

Medium

CVE-2019-11786

Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to modify translated terms, which may lead to arbitrary content modi…

Medium

CVE-2019-11785

Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on bu…

Medium

CVE-2019-11784

Improper access control in mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to obtain access to arbitrary message…

Medium

CVE-2019-11783

Improper access control in mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to subscribe to arbitrary mail cha…

Medium

CVE-2019-11782

Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users with access to contact management to modify user accounts, leading t…

High

CVE-2019-11781

Improper input validation in portal component in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier, allows remote attackers to trick victims into modifying their account via crafte…

Medium

CVE-2018-15645

Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads,…

Medium

CVE-2018-15641

Cross-site scripting (XSS) issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in…

Medium

CVE-2018-15638

Cross-site scripting (XSS) issue in mail module in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a vic…

Medium

CVE-2018-15634

Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browse…

Medium

CVE-2018-15633

Cross-site scripting (XSS) issue in "document" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of…

Critical

CVE-2018-15632

Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to initialize an empty database on which they can…

Medium

CVE-2020-28460

This affects the package multi-ini before 2.1.2. It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448.

Medium

CVE-2020-28448

This affects the package multi-ini before 2.1.1. It is possible to pollute an object's prototype by specifying the proto object as part of an array.

2020-12-21
High

CVE-2020-35626

An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks agains…

High

CVE-2020-35625

An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class (de…

Medium

CVE-2020-35624

An issue was discovered in the SecurePoll extension for MediaWiki through 1.35.1. The non-admin vote list contains a full vote timestamp, which may provide unintended clues about how a voting process…

High

CVE-2020-35623

An issue was discovered in the CasAuth extension for MediaWiki through 1.35.1. Due to improper username validation, it allowed user impersonation with trivial manipulations of certain characters with…

Medium

CVE-2020-35622

An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForeignLink unsafely. The $page variable within the formatItem function wa…

High

CVE-2020-26284

Hugo is a fast and flexible static site generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%…

Critical

CVE-2020-8995

Programi Bilanc Build 007 Release 014 31.01.2020 supplies a .exe file containing several hardcoded credentials to different servers that allow remote attackers to gain access to the complete infrastr…

High

CVE-2020-29596

MiniWeb HTTP server 0.8.19 allows remote attackers to cause a denial of service (daemon crash) via a long name for the first parameter in a POST request.

Medium

CVE-2020-26281

async-h1 is an asynchronous HTTP/1.1 parser for Rust (crates.io). There is a request smuggling vulnerability in async-h1 before version 2.3.0. This vulnerability affects any webserver that uses async…

Medium

CVE-2020-26277

DBdeployer is a tool that deploys MySQL database servers easily. In DBdeployer before version 1.58.2, users unpacking a tarball may use a maliciously packaged tarball that contains symlinks to files…

High

CVE-2020-35151

The Online Marriage Registration System 1.0 POST parameter "searchdata" in the user/search.php request is vulnerable to time-based SQL injection.

Critical

CVE-2020-11717

An issue was discovered in Programi 014 31.01.2020. It has multiple SQL injection vulnerabilities.

High

CVE-2018-7580

Philips Hue is vulnerable to a Denial of Service attack. Sending a SYN flood on port tcp/80 will freeze Philips Hue's hub and it will stop responding. The "hub" will stop operating and be frozen unti…

High

CVE-2020-35606

Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C…

Critical

CVE-2020-35604

An XXE attack can occur in Kronos WebTA 5.0.4 when SAML is used.

Critical

CVE-2020-21378

SQL injection vulnerability in SeaCMS 10.1 (2020.02.08) via the id parameter in an edit action to admin_members_group.php.

Critical

CVE-2020-21377

SQL injection vulnerability in yunyecms V2.0.1 via the selcart parameter.

High

CVE-2020-6882

ZTE E8810/E8820/E8822 series routers have an information leak vulnerability, which is caused by hard-coded MQTT service access credentials on the device. The remote attacker could use this credential…

High

CVE-2020-6881

ZTE E8810/E8820/E8822 series routers have an MQTT DoS vulnerability, which is caused by the failure of the device to verify the validity of abnormal messages. A remote attacker could connect to the M…

Medium

CVE-2020-4843

IBM Security Secret Server 10.6 stores potentially sensitive information in config files that could be read by an authenticated user. IBM X-Force ID: 190048.

Medium

CVE-2020-4842

IBM Security Secret Server 10.6 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in fur…

Medium

CVE-2020-4841

IBM Security Secret Server 10.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this…

Medium

CVE-2020-4840

IBM Security Secret Server 10.6 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attack…

Medium

CVE-2020-4794

IBM Automation Workstream Services 19.0.3, 20.0.1, 20.0.2, IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.6 could allow an authenticated user to obtain sensi…

Medium

CVE-2020-4757

IBM FileNet Content Manager and IBM Content Navigator 3.0.CD is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus alteri…

Medium

CVE-2020-4555

IBM Financial Transaction Manager 3.0.6 and 3.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 183328.

High

CVE-2020-27254

Emerson Rosemount X-STREAM Gas Analyzer, X-STREAM enhanced XEGP, XEGK, XEFD, XEXF (all revisions): the affected products are vulnerable to improper authentication for accessing log and backup data, whi…

Low

CVE-2020-26422

Buffer overflow in the QUIC dissector in Wireshark 3.4.0 to 3.4.1 allows denial of service via packet injection or a crafted capture file.

Medium

CVE-2020-26275

The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. In Jupyter Server before version…

Medium

CVE-2020-25860

The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the fi…

Medium

CVE-2020-35497

A flaw was found in ovirt-engine 4.4.3 and earlier allowing an authenticated user to read other users' personal information, including name, email and public SSH key.

High

CVE-2020-26263

tlslite-ng is an open source python library that implements SSL and TLS cryptographic protocols. In tlslite-ng before versions 0.7.6 and 0.8.0-alpha39, the code that performs decryption and padding c…

Medium

CVE-2020-3999

VMware ESXi (7.0 prior to ESXi70U1c-17325551), VMware Workstation (16.x prior to 16.0 and 15.x prior to 15.5.7), VMware Fusion (12.x prior to 12.0 and 11.x prior to 11.5.7) and VMware Cloud Foundatio…

Critical

CVE-2020-27846

A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity,…

Medium

CVE-2019-16959

SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket.

Critical

CVE-2020-35276

EgavilanMedia ECM Address Book 1.0 is affected by SQL injection. An attacker can bypass the Admin Login panel through SQLi and get Admin access and add or remove any user.

Medium

CVE-2020-35275

Coastercms v5.8.18 is affected by cross-site scripting (XSS). A user can steal a cookie and make the user redirect to any malicious website because it is triggered on the main home page of the product/…

Medium

CVE-2020-35274

DotCMS Add Template with admin panel 20.11 is affected by cross-site scripting (XSS) to gain remote privileges. An attacker could compromise the security of a website or web application through a sto…

High

CVE-2020-35273

EgavilanMedia User Registration & Login System with Admin Panel 1.0 is affected by Cross Site Request Forgery (CSRF) to remotely gain privileges in the User Profile panel. An attacker can update any…

Medium

CVE-2020-26049

Nifty-PM CPE 2.3 is affected by stored HTML injection. The impact is remote arbitrary code execution.

Critical

CVE-2020-35590

LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When t…

Medium

CVE-2020-35589

The limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows wp-admin/options-general.php?page=limit-login-attempts&tab= XSS. A malicious user can cause an administrator user to supply…

Medium

CVE-2020-29447

Affected versions of Atlassian Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the file upload request feature of code reviews.…

2020-12-20
High

CVE-2020-35573

srs2.c in PostSRSd before 1.10 allows remote attackers to cause a denial of service (CPU consumption) via a long timestamp tag in an SRS address.

2020-12-18
High

CVE-2020-7201

A potential security vulnerability has been identified in the HPE StoreEver MSL2024 Tape Library and HPE StoreEver 1/8 G2 Tape Autoloaders. The vulnerability could be remotely exploited to allow Cros…

Medium

CVE-2020-14271

HCL iNotes v9, v10 and v11 is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability due to improper handling of message content. An unauthenticated remote attacker could exploit this vulne…

Critical

CVE-2020-14224

A vulnerability in the MIME message handling of the HCL Notes v9 client could potentially be exploited by an unauthenticated attacker resulting in a stack buffer overflow. This could allow a remote a…

Medium

CVE-2020-4080

HCL Verse v10 and v11 is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability due to improper handling of message content. An unauthenticated remote attacker could exploit this vulnerabil…

High

CVE-2020-5803

Relative Path Traversal in Marvell QConvergeConsole GUI 5.5.0.74 allows a remote, authenticated attacker to delete arbitrary files on disk as SYSTEM or root.

High

CVE-2020-27781

User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An OpenStack Manila user can request access to a share to…

High

CVE-2020-13535

A privilege escalation vulnerability exists in Kepware LinkMaster 3.0.94.0. In its default configuration, an attacker can globally overwrite service configuration to execute arbitrary code with NT SY…

High

CVE-2020-13519

A privilege escalation vulnerability exists in the WinRing0x64 Driver IRP 0x9c402088 functionality of NZXT CAM 4.8.0. A specially crafted I/O request packet (IRP) can cause increased privileges. An a…

High

CVE-2020-13515

A privilege escalation vulnerability exists in the WinRing0x64 Driver IRP 0x9c40a148 functionality of NZXT CAM 4.8.0. A specially crafted I/O request packet (IRP) can cause an adversary to obtain ele…

High

CVE-2020-13514

A privilege escalation vulnerability exists in the WinRing0x64 Driver Privileged I/O Write IRPs functionality of NZXT CAM 4.8.0. A specially crafted I/O request packet (IRP) can cause increased privi…

High

CVE-2020-13513

A privilege escalation vulnerability exists in the WinRing0x64 Driver Privileged I/O Write IRPs functionality of NZXT CAM 4.8.0. A specially crafted I/O request packet (IRP) can cause increased privi…

High

CVE-2020-13512

A privilege escalation vulnerability exists in the WinRing0x64 Driver Privileged I/O Write IRPs functionality of NZXT CAM 4.8.0. A specially crafted I/O request packet (IRP) can cause increased privi…

High

CVE-2020-27687

ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. This allows an attacker to send malicious links in password-reset emails to victims, pointing to an attacker-c…

High

CVE-2020-26280

OpenSlides is a free, web-based presentation and assembly system for managing and projecting agenda, motions, and elections of assemblies. OpenSlides version 3.2, due to insufficient user input valid…

Critical

CVE-2020-20300

SQL injection vulnerability in the wp_where function in WeiPHP 5.0.

Critical

CVE-2020-20298

Eval injection vulnerability in the parserCommom method in the ParserTemplate class in zzz_template.php in zzzphp 1.7.2 allows remote attackers to execute arbitrary commands.

Medium

CVE-2020-20285

There is an XSS in the user login page in zzcms 2019. Users can inject JavaScript code via the Referer header of requests to user/login.php.

Critical

CVE-2020-20277

There are multiple unauthenticated directory traversal vulnerabilities in different FTP commands in uftpd FTP server versions 2.7 to 2.10 due to improper implementation of a chroot jail in common.c's…

Critical

CVE-2020-20276

An unauthenticated stack-based buffer overflow vulnerability in common.c's handle_PORT in uftpd FTP server versions 2.10 and earlier can be abused to cause a crash and could potentially lead to remot…

Medium

CVE-2020-26251

Open Zaak is a modern, open-source data- and services-layer to enable zaakgericht werken, a Dutch approach to case management. In Open Zaak before version 1.3.3 the Cross-Origin-Resource-Sharing poli…

Medium

CVE-2020-4764

IBM Planning Analytics 2.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM…

Medium

CVE-2020-25901

Host header injection in Spiceworks 7.5.7.0 allows an attacker to render arbitrary links that point to a malicious website in webpages generated from a poisoned Host header.

Medium

CVE-2020-25495

A reflected cross-site scripting (XSS) vulnerability in Xinuos (formerly SCO) OpenServer versions 5 and 6 allows remote attackers to inject arbitrary web script or HTML tags via the parameter 'section'.

Critical

CVE-2020-25494

Xinuos (formerly SCO) OpenServer v5 and v6 allows attackers to execute arbitrary commands via shell metacharacters in the outputform or toclevels parameter to cgi-bin/printbook.

Medium

CVE-2020-26178

In tangro Business Workflow before 1.18.1, knowing an attachment ID, it is possible to download workitem attachments without being authenticated.

Medium

CVE-2020-26177

In tangro Business Workflow before 1.18.1, a user's profile contains some items that are greyed out and thus are not intended to be edited by regular users. However, this restriction is only applied…

Medium

CVE-2020-26176

An issue was discovered in tangro Business Workflow before 1.18.1. No (or broken) access control checks exist on the /api/document/<DocumentID>/attachments API endpoint. Knowing a document ID, an att…

Medium

CVE-2020-26175

In tangro Business Workflow before 1.18.1, an attacker can manipulate the value of PERSON in requests to /api/profile in order to change profile information of other users.
