Skip to main content
CVE-2020-8518 CRITICAL POC THREAT Emergency

Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection PHP Groupware Fedora +1
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
71.7%
CVE-2020-1693 CRITICAL POC PATCH Act Now

A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Denial Of Service XXE Spacewalk
NVD GitHub
CVSS 3.1
9.8
EPSS
4.3%
CVE-2020-9006 CRITICAL POC Act Now

The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress RCE SQLi PHP +1
NVD
CVSS 3.1
9.8
EPSS
8.6%
CVE-2020-9027 CRITICAL POC Act Now

ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the TRACE field of the resource ping.cmd. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Ntp 2 Firmware Ntp Rg 1402G Firmware
NVD
CVSS 3.1
9.8
EPSS
3.0%
CVE-2020-9026 CRITICAL POC Act Now

ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the PING field of the resource ping.cmd. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Ntp 2 Firmware Ntp Rg 1402G Firmware
NVD
CVSS 3.1
9.8
EPSS
3.1%
CVE-2020-9024 CRITICAL POC Act Now

Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have world-writable permissions for the /root/cleardata.pl (executed as root by crond) and /root/loadperl.sh (executed as root at boot time). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Vantage Velocity Firmware
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2020-9023 CRITICAL POC Act Now

Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have two users that are not documented and are configured with weak passwords (User bluetooth, password bluetooth; User eclipse, password. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Brute Force Vantage Velocity Firmware
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2020-9021 CRITICAL POC Act Now

Post Oak AWAM Bluetooth Field Device 7400v2.08.21.2018, 7800SD.2015.1.16, 2011.3, 7400v2.02.01.2019, and 7800SD.2012.12.5 is vulnerable to injections of operating system commands through. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Awam Bluetooth Field Device Firmware
NVD
CVSS 3.1
9.8
EPSS
2.1%
CVE-2020-9020 CRITICAL POC Act Now

Iteris Vantage Velocity Field Unit 2.3.1, 2.4.2, and 3.0 devices allow the injection of OS commands into cgi-bin/timeconfig.py via shell metacharacters in the NTP Server field. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Vantage Velocity Firmware
NVD
CVSS 3.1
9.8
EPSS
2.5%
CVE-2020-8427 CRITICAL Act Now

In Unitrends Backup before 10.4.1, an HTTP request parameter was not properly sanitized, allowing for SQL injection that resulted in an authentication bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Authentication Bypass Backup
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2020-5531 CRITICAL Act Now

Mitsubishi Electric MELSEC C Controller Module and MELIPC Series MI5000 MELSEC-Q Series C Controller Module(Q24DHCCPU-V, Q24DHCCPU-VG User Ethernet port (CH1, CH2): First 5 digits of serial number. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mi5122 Vw Firmware Q24Dhccpu V Firmware Q24Dhccpu Vg Firmware R12Ccpu V Firmware +1
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2020-8768 CRITICAL Act Now

An issue was discovered on Phoenix Contact Emalytics Controller ILC 2050 BI before 1.2.3 and BI-L before 1.2.3 devices. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ilc 2050 Bi Firmware Ilc 2050 Bi L Firmware
NVD
CVSS 3.1
9.4
EPSS
1.8%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy