Skip to main content
CVE-2020-7931 HIGH POC This Week

In JFrog Artifactory 5.x and 6.x, insecure FreeMarker template processing leads to remote code execution, e.g., by modifying a .ssh/authorized_keys file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Java RCE Artifactory
NVD GitHub
CVSS 3.1
8.8
EPSS
5.5%
CVE-2020-6007 HIGH POC This Week

Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code. Rated high severity (CVSS 7.9), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Heap Overflow Hue Bridge V2 Firmware
NVD
CVSS 3.1
7.9
EPSS
2.1%
CVE-2020-7245 CRITICAL Act Now

Incorrect username validation in the registration process of CTFd v2.0.0 - v2.2.2 allows an attacker to take over an arbitrary account if the username is known and emails are enabled on the CTFd. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ctfd
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2020-7941 CRITICAL PATCH Act Now

A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Plone
NVD
CVSS 3.1
9.8
EPSS
2.3%
CVE-2020-5217 MEDIUM POC PATCH This Month

In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Secure Headers
NVD GitHub
CVSS 3.1
5.8
EPSS
1.8%
CVE-2020-5216 MEDIUM POC PATCH This Month

In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Secure Headers
NVD GitHub
CVSS 3.1
5.8
EPSS
1.1%
CVE-2020-7939 HIGH PATCH This Week

SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Plone
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2020-7938 HIGH PATCH This Week

plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Plone
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2020-6843 MEDIUM POC This Month

Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zoho Manageengine Servicedesk Plus
NVD
CVSS 3.1
4.8
EPSS
2.4%
CVE-2020-5223 MEDIUM POC PATCH This Month

In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. Public exploit code available.

XSS Privatebin
NVD GitHub
CVSS 3.1
4.4
EPSS
0.7%
CVE-2020-7210 MEDIUM POC PATCH This Month

Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user accounts. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Umbraco Cms
NVD
CVSS 3.1
4.3
EPSS
1.0%
CVE-2020-7940 HIGH PATCH This Week

Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Brute Force Plone
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2020-7220 HIGH PATCH This Week

HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2020-7936 MEDIUM PATCH This Month

An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Plone
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2020-7937 MEDIUM PATCH This Month

An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Plone
NVD
CVSS 3.1
5.4
EPSS
0.8%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy