Skip to main content
CVE-2020-13146 HIGH POC This Week

Studio in Open edX Ironwood 2.5 allows CSV injection because an added cohort in Course>Instructor>Cohorts may contain a formula that is exported via the "Course>Data Downloads>Reports>Download. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Open Edx Platform
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2020-13144 HIGH POC THREAT This Week

Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Python Open Edx Platform
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
11.0%
CVE-2020-6074 HIGH POC THREAT This Week

An exploitable code execution vulnerability exists in the PDF parser of Nitro Pro 13.9.1.155. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Memory Corruption RCE Nitro Pro
NVD
CVSS 3.1
8.8
EPSS
40.9%
CVE-2020-11551 HIGH POC This Week

An issue was discovered on NETGEAR Orbi Tri-Band Business WiFi Add-on Satellite (SRS60) AC3000 V2.5.1.106, Outdoor Satellite (RBS50Y) V2.5.1.106, and Pro Tri-Band Business WiFi Router (SRR60) AC3000. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Netgear Authentication Bypass Rbs50Y Firmware Srr60 Firmware Srs60 Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
1.7%
CVE-2020-11549 HIGH POC This Week

An issue was discovered on NETGEAR Orbi Tri-Band Business WiFi Add-on Satellite (SRS60) AC3000 V2.5.1.106, Outdoor Satellite (RBS50Y) V2.5.1.106, and Pro Tri-Band Business WiFi Router (SRR60) AC3000. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Netgear Authentication Bypass RCE Rbs50Y Firmware Srr60 Firmware +1
NVD GitHub
CVSS 3.1
8.8
EPSS
4.1%
CVE-2020-12257 HIGH POC This Week

rConfig 3.9.4 is vulnerable to cross-site request forgery (CSRF) because it lacks implementation of CSRF protection such as a CSRF token. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Rconfig
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2020-13149 HIGH POC This Week

Weak permissions on the "%PROGRAMDATA%\MSI\Dragon Center" folder in Dragon Center before 2.6.2003.2401, shipped with Micro-Star MSI Gaming laptops, allows local authenticated users to overwrite. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Dragon Center
NVD GitHub
CVSS 3.1
7.8
EPSS
0.4%
CVE-2020-6092 HIGH POC THREAT This Week

An exploitable code execution vulnerability exists in the way Nitro Pro 13.9.1.155 parses Pattern objects. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Integer Overflow Nitro Pro
NVD
CVSS 3.1
7.8
EPSS
42.3%
CVE-2020-10957 HIGH POC This Week

In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Dovecot
NVD
CVSS 3.1
7.5
EPSS
7.2%
CVE-2020-13128 HIGH POC This Week

An issue was discovered in Manolo GWTUpload 1.0.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Java Denial Of Service Gwtupload
NVD GitHub
CVSS 3.1
7.5
EPSS
1.6%
CVE-2020-13154 MEDIUM POC This Month

Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Authentication Bypass Manageengine Servicedesk Plus
NVD
CVSS 3.1
6.5
EPSS
3.1%
CVE-2020-11550 MEDIUM POC This Month

An issue was discovered on NETGEAR Orbi Tri-Band Business WiFi Add-on Satellite (SRS60) AC3000 V2.5.1.106, Outdoor Satellite (RBS50Y) V2.5.1.106, and Pro Tri-Band Business WiFi Router (SRR60) AC3000. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Netgear Information Disclosure Rbs50Y Firmware Srr60 Firmware Srs60 Firmware
NVD GitHub
CVSS 3.1
6.5
EPSS
1.6%
CVE-2020-1897 CRITICAL Act Now

A use-after-free is possible due to an error in lifetime management in the request adaptor when a malicious client invokes request error handling in a specific sequence.05.18.00. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Memory Corruption Information Disclosure Proxygen
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2020-12856 CRITICAL Act Now

OpenTrace, as used in COVIDSafe through v1.0.17, TraceTogether, ABTraceTogether, and other applications on iOS and Android, allows remote attackers to conduct long-term re-identification attacks and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Apple Abtracetogether Covidsafe +1
NVD GitHub
CVSS 3.1
9.8
EPSS
5.1%
CVE-2020-6093 MEDIUM POC This Month

An exploitable information disclosure vulnerability exists in the way Nitro Pro 13.9.1.155 does XML error handling. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Information Disclosure Nitro Pro
NVD
CVSS 3.1
5.5
EPSS
2.6%
CVE-2020-13094 MEDIUM POC PATCH This Month

Dolibarr before 11.0.4 allows XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Dolibarr
NVD GitHub
CVSS 3.1
5.4
EPSS
1.1%
CVE-2020-13145 MEDIUM POC This Month

Studio in Open edX Ironwood 2.5 allows users to upload SVG files via the "Content>File Uploads" screen. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Open Edx Platform
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2020-12256 MEDIUM POC THREAT This Month

rConfig 3.9.4 is vulnerable to reflected XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Rconfig
NVD GitHub
CVSS 3.1
5.4
EPSS
95.8%
CVE-2020-12259 MEDIUM POC THREAT This Month

rConfig 3.9.4 is vulnerable to reflected XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP Rconfig
NVD GitHub
CVSS 3.1
5.4
EPSS
94.8%
CVE-2020-10967 MEDIUM POC This Month

In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Dovecot
NVD
CVSS 3.1
5.3
EPSS
8.2%
CVE-2020-10958 MEDIUM POC This Month

In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Denial Of Service Memory Corruption Dovecot
NVD
CVSS 3.1
5.3
EPSS
6.1%
CVE-2020-12258 CRITICAL Act Now

rConfig 3.9.4 is vulnerable to session fixation because session expiry and randomization are mishandled. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Rconfig
NVD GitHub
CVSS 3.1
9.1
EPSS
1.7%
CVE-2020-12255 HIGH This Week

rConfig 3.9.4 is vulnerable to remote code execution due to improper validation in the file upload functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload RCE PHP Rconfig
NVD GitHub
CVSS 3.1
8.8
EPSS
52.6%
CVE-2020-13136 HIGH This Week

D-Link DSP-W215 1.26b03 devices send an obfuscated hash that can be retrieved and understood by a network sniffer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

D-Link Information Disclosure Dsp W215 Firmware
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2020-12858 HIGH This Week

Non-reinitialisation of random data in the advertising payload in COVIDSafe v1.0.15 and v1.0.16 allows a remote attacker to re-identify Android devices running COVIDSafe by scanning for their. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Covidsafe
NVD
CVSS 3.1
7.5
EPSS
1.8%
CVE-2020-12857 HIGH This Week

Caching of GATT characteristic values (TempID) in COVIDSafe v1.0.15 and v1.0.16 allows a remote attacker to long-term re-identify an Android device running COVIDSafe. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Covidsafe
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2020-13129 HIGH This Week

An issue was discovered in the stashcat app through 3.9.1 for macOS, Windows, Android, iOS, and possibly other platforms. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Apple Microsoft Information Disclosure Stashcat
NVD
CVSS 3.1
7.2
EPSS
1.7%
CVE-2020-13143 MEDIUM PATCH This Month

gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c in the Linux kernel 3.16 through 5.6.13 relies on kstrdup without considering the possibility of an internal '\0' value, which allows. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Linux Information Disclosure Linux Kernel Leap +22
NVD
CVSS 3.1
6.5
EPSS
4.5%
CVE-2020-13135 MEDIUM This Month

D-Link DSP-W215 1.26b03 devices allow information disclosure by intercepting messages on the local network, as demonstrated by a Squid Proxy. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

D-Link Information Disclosure Dsp W215 Firmware
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2020-13153 MEDIUM PATCH This Month

app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Misp
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.8%
CVE-2020-8034 MEDIUM PATCH This Month

Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Gollem Groupware
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2020-8035 MEDIUM This Month

The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting (XSS) vulnerability via an SVG image upload containing a JavaScript payload. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Groupware
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2020-9524 MEDIUM This Month

Cross Site scripting vulnerability on Micro Focus Enterprise Server and Enterprise developer, affecting all versions prior to version 5.0 Patch Update 8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Enterprise Developer Enterprise Server
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2020-12801 MEDIUM This Month

If LibreOffice has an encrypted document open and crashes, that document is auto-saved encrypted. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Libreoffice Leap
NVD
CVSS 3.1
5.3
EPSS
1.3%
CVE-2020-12860 MEDIUM This Month

COVIDSafe through v1.0.17 allows a remote attacker to access phone name and model information because a BLE device can have four roles and COVIDSafe uses all of them. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Covidsafe
NVD
CVSS 3.1
5.3
EPSS
1.0%
CVE-2020-12859 MEDIUM This Month

Unnecessary fields in the OpenTrace/BlueTrace protocol in COVIDSafe through v1.0.17 allow a remote attacker to identify a device model by observing cleartext payload data. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Covidsafe
NVD
CVSS 3.1
5.3
EPSS
0.7%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy