Skip to main content
CVE-2020-8518 CRITICAL POC THREAT Emergency

Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection PHP Groupware Fedora +1
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
71.7%
CVE-2020-1693 CRITICAL POC PATCH Act Now

A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Denial Of Service XXE Spacewalk
NVD GitHub
CVSS 3.1
9.8
EPSS
4.3%
CVE-2020-9006 CRITICAL POC Act Now

The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress RCE SQLi PHP +1
NVD
CVSS 3.1
9.8
EPSS
8.6%
CVE-2020-9027 CRITICAL POC Act Now

ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the TRACE field of the resource ping.cmd. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Ntp 2 Firmware Ntp Rg 1402G Firmware
NVD
CVSS 3.1
9.8
EPSS
3.0%
CVE-2020-9026 CRITICAL POC Act Now

ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the PING field of the resource ping.cmd. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Ntp 2 Firmware Ntp Rg 1402G Firmware
NVD
CVSS 3.1
9.8
EPSS
3.1%
CVE-2020-9024 CRITICAL POC Act Now

Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have world-writable permissions for the /root/cleardata.pl (executed as root by crond) and /root/loadperl.sh (executed as root at boot time). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Vantage Velocity Firmware
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2020-9023 CRITICAL POC Act Now

Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have two users that are not documented and are configured with weak passwords (User bluetooth, password bluetooth; User eclipse, password. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Brute Force Vantage Velocity Firmware
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2020-9021 CRITICAL POC Act Now

Post Oak AWAM Bluetooth Field Device 7400v2.08.21.2018, 7800SD.2015.1.16, 2011.3, 7400v2.02.01.2019, and 7800SD.2012.12.5 is vulnerable to injections of operating system commands through. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Awam Bluetooth Field Device Firmware
NVD
CVSS 3.1
9.8
EPSS
2.1%
CVE-2020-9020 CRITICAL POC Act Now

Iteris Vantage Velocity Field Unit 2.3.1, 2.4.2, and 3.0 devices allow the injection of OS commands into cgi-bin/timeconfig.py via shell metacharacters in the NTP Server field. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Vantage Velocity Firmware
NVD
CVSS 3.1
9.8
EPSS
2.5%
CVE-2020-7597 HIGH POC PATCH This Week

codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js Command Injection Codecov
NVD GitHub
CVSS 3.1
8.8
EPSS
2.9%
CVE-2020-9043 HIGH POC PATCH This Week

The wpCentral plugin before 1.5.1 for WordPress allows disclosure of the connection key. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress Information Disclosure Wpcentral
NVD
CVSS 3.1
8.8
EPSS
8.2%
CVE-2020-9005 HIGH POC This Week

meshsystem.dll in Valve Dota 2 through 2020-02-17 allows remote attackers to achieve code execution or denial of service by creating a gaming server with a crafted map, and inviting a victim to this. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Denial Of Service Memory Corruption Dota 2
NVD GitHub
CVSS 3.1
7.8
EPSS
2.2%
CVE-2020-9034 HIGH POC This Week

Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices mishandle session validation, leading to unauthenticated creation, modification, or elimination of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Syncserver S100 Firmware Syncserver S200 Firmware Syncserver S250 Firmware Syncserver S300 Firmware +1
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2020-9033 MEDIUM POC This Month

Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow Directory Traversal via the FileName parameter to authlog.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Syncserver S100 Firmware Syncserver S200 Firmware Syncserver S250 Firmware +2
NVD
CVSS 3.1
6.5
EPSS
1.3%
CVE-2020-9032 MEDIUM POC This Month

Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow Directory Traversal via the FileName parameter to kernlog.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Syncserver S100 Firmware Syncserver S200 Firmware Syncserver S250 Firmware +2
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2020-9031 MEDIUM POC This Month

Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow Directory Traversal via the FileName parameter to daemonlog.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Syncserver S100 Firmware Syncserver S200 Firmware Syncserver S250 Firmware +2
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2020-9030 MEDIUM POC This Month

Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow Directory Traversal via the FileName parameter to the syslog.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Syncserver S100 Firmware Syncserver S200 Firmware Syncserver S250 Firmware +2
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2020-9029 MEDIUM POC This Month

Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow Directory Traversal via the FileName parameter to messagelog.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Syncserver S100 Firmware Syncserver S200 Firmware Syncserver S250 Firmware +2
NVD
CVSS 3.1
6.5
EPSS
1.2%
CVE-2020-6850 MEDIUM POC This Month

Utilities.php in the miniorange-saml-20-single-sign-on plugin before 4.8.84 for WordPress allows XSS via a crafted SAML XML Response to wp-login.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress PHP Saml Sp Single Sign On
NVD
CVSS 3.1
6.1
EPSS
1.4%
CVE-2020-9028 MEDIUM POC This Month

Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow stored XSS via the newUserName parameter on the "User Creation, Deletion and Password. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Syncserver S100 Firmware Syncserver S200 Firmware Syncserver S250 Firmware Syncserver S300 Firmware +1
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-9025 MEDIUM POC This Month

Iteris Vantage Velocity Field Unit 2.4.2 devices have multiple stored XSS issues in all parameters of the Start Data Viewer feature of the /cgi-bin/loaddata.py script. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Vantage Velocity Firmware
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-9022 MEDIUM POC This Month

An issue was discovered on Xirrus XR520, XR620, XR2436, and XH2-120 devices. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Xh2 120 Firmware Xr2436 Firmware Xr520 Firmware Xr620 Firmware
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-8427 CRITICAL Act Now

In Unitrends Backup before 10.4.1, an HTTP request parameter was not properly sanitized, allowing for SQL injection that resulted in an authentication bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Authentication Bypass Backup
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2020-5531 CRITICAL Act Now

Mitsubishi Electric MELSEC C Controller Module and MELIPC Series MI5000 MELSEC-Q Series C Controller Module(Q24DHCCPU-V, Q24DHCCPU-VG User Ethernet port (CH1, CH2): First 5 digits of serial number. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mi5122 Vw Firmware Q24Dhccpu V Firmware Q24Dhccpu Vg Firmware R12Ccpu V Firmware +1
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2020-8768 CRITICAL Act Now

An issue was discovered on Phoenix Contact Emalytics Controller ILC 2050 BI before 1.2.3 and BI-L before 1.2.3 devices. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ilc 2050 Bi Firmware Ilc 2050 Bi L Firmware
NVD
CVSS 3.1
9.4
EPSS
1.8%
CVE-2020-9038 MEDIUM POC PATCH This Month

Joplin through 1.0.184 allows Arbitrary File Read via XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Joplin
NVD GitHub Exploit-DB
CVSS 3.1
5.4
EPSS
3.6%
CVE-2020-7959 MEDIUM POC This Month

LabVantage LIMS 8.3 does not properly maintain the confidentiality of database names. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Labvantage
NVD GitHub Exploit-DB
CVSS 3.1
5.3
EPSS
1.4%
CVE-2020-1704 HIGH This Week

An insecure modification vulnerability in the /etc/passwd file was found in all versions of OpenShift ServiceMesh (maistra) before 1.0.8 in the openshift/istio-kialia-rhel7-operator-container. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Openshift Service Mesh
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2020-1856 HIGH This Week

Huawei NGFW Module, NIP6300, NIP6600, Secospace USG6500, Secospace USG6600, and USG9500 versions V500R001C30, V500R001C60, and V500R005C00 have an information leakage vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Huawei Information Disclosure Ngfw Module Firmware Nip6300 Firmware Nip6600 Firmware +3
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2020-1841 HIGH This Week

Huawei CloudLink Board version 20.0.0; DP300 version V500R002C00; RSE6500 versions V100R001C00, V500R002C00, and V500R002C00SPC900; and TE60 versions V500R002C00, V600R006C00, V600R006C00SPC200,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Huawei Information Disclosure Cloudlink Board Firmware Dp300 Firmware Rse6500 Firmware +1
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2020-1829 HIGH This Week

Huawei NIP6800 versions V500R001C30 and V500R001C60SPC500; and Secospace USG6600 and USG9500 versions V500R001C30SPC200, V500R001C30SPC600, and V500R001C60SPC500 have a vulnerability that the IPSec. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Huawei Information Disclosure Nip6800 Firmware Secospace Usg6600 Firmware Usg9500 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2020-1827 HIGH This Week

Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C00SPC100; and Secospace USG6600 and USG9500 versions V500R001C30SPC200, V500R001C30SPC600, V500R001C60SPC500, and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Huawei Information Disclosure Nip6800 Firmware Secospace Usg6600 Firmware Usg9500 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2020-1858 HIGH This Week

Huawei products NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C00SPC100; Secospace USG6600 versions V500R001C30SPC600, V500R001C60SPC500, and V500R005C00SPC100; and USG9500 versions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Huawei Nip6800 Firmware Secospace Usg6600 Firmware Usg9500 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2020-1828 HIGH This Week

Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C00; and Secospace USG6600 and USG9500 versions V500R001C30SPC200, V500R001C30SPC600, V500R001C60SPC500, and V500R005C00 have an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Huawei Information Disclosure Nip6800 Firmware Secospace Usg6600 Firmware Usg9500 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2020-8795 HIGH This Week

In GitLab Enterprise Edition (EE) 12.5.0 through 12.7.5, sharing a group with a group could grant project access to unauthorized users. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Gitlab Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2020-1853 MEDIUM This Month

GaussDB 200 with version of 6.5.1 have a path traversal vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Gaussdb 200
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2020-1692 MEDIUM PATCH This Month

Moodle before version 3.7.2 is vulnerable to information exposure of service tokens for users enrolled in the same course. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF Information Disclosure Moodle
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2020-1857 MEDIUM This Month

Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C00SPC100; and Secospace USG6600 and USG9500 versions V500R001C30SPC200, V500R001C30SPC600, V500R001C60SPC500, and. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Huawei Information Disclosure Nip6800 Firmware Secospace Usg6600 Firmware Usg9500 Firmware
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2020-7252 MEDIUM This Month

Unquoted service executable path in DXL Broker in McAfee Data eXchange Layer (DXL) Framework 6.0.0 and earlier allows local users to cause a denial of service and malicious file execution via. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Privilege Escalation Microsoft Data Exchange Layer
NVD
CVSS 3.1
5.5
EPSS
0.5%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy