Skip to main content
CVE-2020-11939 CRITICAL POC PATCH Act Now

In nDPI through 3.2 Stable, the SSH protocol dissector has multiple KEXINIT integer overflows that result in a controlled remote heap overflow in concat_hash_string in ssh.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Integer Overflow Ndpi
NVD GitHub
CVSS 3.1
9.8
EPSS
3.3%
CVE-2020-12077 HIGH POC This Week

The mappress-google-maps-for-wordpress plugin before 2.53.9 for WordPress does not correctly implement AJAX functions with nonces (or capability checks), leading to remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Google File Upload WordPress RCE Mappress
NVD
CVSS 3.1
8.8
EPSS
5.6%
CVE-2020-12075 HIGH POC This Week

The data-tables-generator-by-supsystic plugin before 1.9.92 for WordPress lacks capability checks for AJAX actions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Privilege Escalation Data Tables Generator
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2020-12074 HIGH POC This Week

The users-customers-import-export-for-wp-woocommerce plugin before 1.3.9 for WordPress allows subscribers to import administrative accounts via CSV. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Privilege Escalation Import Export Wordpress Users
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2020-12073 HIGH POC This Week

The responsive-add-ons plugin before 2.2.7 for WordPress has incorrect access control for wp-admin/admin-ajax.php?action= requests. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress PHP Gutenberg Elementor Templates Importer For Responsive
NVD
CVSS 3.1
8.8
EPSS
1.6%
CVE-2020-12112 HIGH POC PATCH This Week

BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Bigbluebutton
NVD GitHub
CVSS 3.1
7.5
EPSS
5.3%
CVE-2020-11940 HIGH POC PATCH This Week

In nDPI through 3.2 Stable, an out-of-bounds read in concat_hash_string in ssh.c can be exploited by a network-positioned attacker that can send malformed SSH protocol messages on a network segment. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Ndpi
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2020-8797 MEDIUM POC This Month

Juplink RX4-1500 v1.0.3 allows remote attackers to gain root access to the Linux subsystem via an unsanitized exec call (aka Command Line Injection), if the undocumented telnetd service is enabled. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Rx4 1500 Firmware
NVD
CVSS 3.1
6.7
EPSS
0.9%
CVE-2020-12054 MEDIUM POC This Month

The Catch Breadcrumb plugin before 1.5.4 for WordPress allows Reflected XSS via the s parameter (a search query). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Catch Breadcrumb
NVD
CVSS 3.1
6.1
EPSS
3.6%
CVE-2020-12079 CRITICAL Act Now

Beaker before 0.8.9 allows a sandbox escape, enabling system access and code execution. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Prototype Pollution Beaker
NVD GitHub
CVSS 3.1
10.0
EPSS
2.2%
CVE-2020-4415 CRITICAL PATCH Act Now

IBM Spectrum Protect 7.1 and 8.1 server is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow RCE IBM Spectrum Protect
NVD
CVSS 3.1
9.8
EPSS
8.1%
CVE-2020-11945 CRITICAL PATCH Act Now

An issue was discovered in Squid before 5.0.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.

RCE Integer Overflow Squid Debian Linux Leap +2
NVD GitHub
CVSS 3.1
9.8
EPSS
27.2%
CVE-2020-8798 MEDIUM POC This Month

httpd in Juplink RX4-1500 v1.0.3-v1.0.5 allows remote attackers to change or access router settings by connecting to the unauthenticated setup3.htm endpoint from the local network. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Rx4 1500 Firmware
NVD
CVSS 3.1
5.5
EPSS
0.4%
CVE-2020-7643 MEDIUM POC This Month

paypal-adaptive through 0.4.2 manipulation of JavaScript objects resulting in Prototype Pollution. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Information Disclosure Paypal Adaptive
NVD GitHub
CVSS 3.1
5.3
EPSS
1.0%
CVE-2020-4202 HIGH This Week

IBM UrbanCode Deploy (UCD) 7.0.3.0 and 7.0.4.0 could allow an authenticated user to impersonate another user if the server is configured to enable Distributed Front End (DFE). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Information Disclosure Urbancode Deploy
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2020-12076 HIGH This Week

The data-tables-generator-by-supsystic plugin before 1.9.92 for WordPress lacks CSRF nonce checks for AJAX actions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress CSRF Data Tables Generator
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2020-12071 MEDIUM POC This Month

Anchor 0.12.7 allows admins to cause XSS via crafted post content. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Anchor
NVD GitHub
CVSS 3.1
4.8
EPSS
0.6%
CVE-2020-12118 HIGH PATCH This Week

The keygen protocol implementation in Binance tss-lib before 1.2.0 allows attackers to generate crafted h1 and h2 parameters in order to compromise a signing round or obtain sensitive information. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Tss Lib
NVD GitHub
CVSS 3.1
8.2
EPSS
1.2%
CVE-2020-5867 HIGH This Week

In versions prior to 3.3.0, the NGINX Controller Agent installer script 'install.sh' uses HTTP instead of HTTPS to check and install packages. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Nginx Nginx Controller Cloud Backup
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2020-11012 HIGH PATCH This Week

MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Minio
NVD GitHub
CVSS 3.1
7.5
EPSS
2.1%
CVE-2020-5571 HIGH This Week

SHARP AQUOS series (AQUOS SH-M02 build number 01.00.05 and earlier, AQUOS SH-RM02 build number 01.00.04 and earlier, AQUOS mini SH-M03 build number 01.00.04 and earlier, AQUOS Keitai SH-N01 build. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Aquos Sh M02 Firmware Aquos Sh Rm02 Firmware Aquos Mini Sh M03 Firmware Aquos L2 Firmware +6
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2020-5864 HIGH This Week

In versions of NGINX Controller prior to 3.2.0, communication between NGINX Controller and NGINX Plus instances skip TLS verification by default. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Nginx Nginx Controller
NVD
CVSS 3.1
7.4
EPSS
1.0%
CVE-2020-4311 HIGH PATCH This Week

IBM Tivoli Monitoring 6.3.0 could allow a local attacker to execute arbitrary code on the system. Rated high severity (CVSS 7.0). This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

RCE IBM Tivoli Monitoring
NVD
CVSS 3.1
7.0
EPSS
0.3%
CVE-2020-12113 MEDIUM PATCH This Month

BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Bigbluebutton
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2020-1760 MEDIUM PATCH This Month

A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Ceph Ceph Storage Openshift Container Platform Fedora +2
NVD
CVSS 3.1
6.1
EPSS
1.5%
CVE-2020-12105 MEDIUM This Month

OpenConnect through 8.08 mishandles negative return values from X509_check_ function calls, which might assist attackers in performing man-in-the-middle attacks. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Openconnect Leap
NVD
CVSS 3.1
5.9
EPSS
1.7%
CVE-2020-11806 MEDIUM This Month

In MailStore Outlook Add-in (and Email Archive Outlook Add-in) through 12.1.2, the login process does not validate the validity of the certificate presented by the server. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Microsoft Information Disclosure Mailstore Server
NVD
CVSS 3.1
5.9
EPSS
0.5%
CVE-2020-5866 MEDIUM This Month

In versions of NGINX Controller prior to 3.3.0, the helper.sh script, which is used optionally in NGINX Controller to change settings, uses sensitive items as command-line arguments. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Controller
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2020-7132 MEDIUM This Month

A potential security vulnerability has been identified in HPE Onboard Administrator. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Microsoft Onboard Administrator
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2020-5865 MEDIUM This Month

In versions prior to 3.3.0, the NGINX Controller is configured to communicate with its Postgres database server over unencrypted channels, making the communicated data vulnerable to interception via. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure PostgreSQL Nginx Nginx Controller Cloud Backup
NVD
CVSS 3.1
4.8
EPSS
0.4%
CVE-2020-4353 MEDIUM PATCH This Month

IBM MaaS360 6.82 could allow a user with pysical access to the device to crash the application which may enable the user to access restricted applications and device settings. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity.

Denial Of Service IBM Maas360
NVD
CVSS 3.1
4.6
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy