Skip to main content
CVE-2020-14092 CRITICAL POC THREAT Act Now

The CodePeople Payment Form for PayPal Pro plugin before 1.1.65 for WordPress allows SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SQLi Paypal Pro
NVD
CVSS 3.1
9.8
EPSS
94.5%
CVE-2020-8163 HIGH POC PATCH THREAT This Week

The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection Rails Debian Linux
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
83.1%
CVE-2020-15091 MEDIUM POC PATCH This Month

TenderMint from version 0.33.0 and before version 0.33.6 allows block proposers to include signatures for the wrong block. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Jwt Attack Information Disclosure Tendermint
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2020-8176 MEDIUM POC PATCH This Month

A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.61-v3.1.62 that allows an attacker to inject JS payloads into the `shop` parameter on the `/shopify/auth/enable_cookies` endpoint. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Koa Shopify Auth
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2020-4074 CRITICAL PATCH Act Now

In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, the authentication system is malformed and an attacker is able to forge requests and execute admin commands. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Prestashop
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2020-7821 CRITICAL Act Now

Nexacro14/17 ExtCommonApiV13 Library under 2019.9.6 version contain a vulnerability that could allow remote attacker to execute arbitrary code by modifying the value of registry path. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Nexacro 14 Nexacro 17
NVD
CVSS 3.1
9.8
EPSS
1.6%
CVE-2020-7820 CRITICAL Act Now

Nexacro14/17 ExtCommonApiV13 Library under 2019.9.6 version contain a vulnerability that could allow remote attacker to execute arbitrary code by setting the arguments to the vulnerable API. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Nexacro 14 Nexacro 17
NVD
CVSS 3.1
9.8
EPSS
1.6%
CVE-2020-3297 CRITICAL Act Now

A vulnerability in session management for the web-based interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to defeat authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Authentication Bypass Sg250X 24 Firmware Sg250X 24P Firmware Sg250X 48 Firmware +115
NVD
CVSS 3.1
9.8
EPSS
3.0%
CVE-2020-4061 MEDIUM POC PATCH This Month

In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS October
NVD GitHub
CVSS 3.1
5.4
EPSS
0.8%
CVE-2020-15081 MEDIUM POC PATCH This Month

In PrestaShop from version 1.5.0.0 and before 1.7.6.6, there is information exposure in the upload directory. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure PHP Prestashop
NVD GitHub
CVSS 3.1
5.3
EPSS
1.6%
CVE-2020-8188 HIGH This Week

We have recently released new version of UniFi Protect firmware v1.13.3 and v1.14.10 for Unifi Cloud Key Gen2 Plus and UniFi Dream Machine Pro/UNVR respectively that fixes vulnerabilities found on. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Ubiquiti Command Injection Unifi Protect Firmware
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2020-15082 HIGH PATCH This Week

In PrestaShop from version 1.6.0.1 and before version 1.7.6.6, the dashboard allows rewriting all configuration variables. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Prestashop
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
CVE-2020-2211 HIGH This Week

Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Kubernetes RCE Deserialization Jenkins Kubernetes Ci
NVD
CVSS 3.1
8.8
EPSS
2.3%
CVE-2020-8161 HIGH PATCH This Week

A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Path Traversal Rack Debian Linux Ubuntu Linux
NVD
CVSS 3.1
8.6
EPSS
3.6%
CVE-2020-8166 MEDIUM POC PATCH This Month

A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Rails Debian Linux
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2020-12119 HIGH PATCH This Week

Ledger Live before 2.7.0 does not handle Bitcoin's Replace-By-Fee (RBF). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Ledger Live
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2020-15503 HIGH PATCH This Week

LibRaw before 0.20-RC1 lacks a thumbnail size range check. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Libraw Fedora Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
3.7%
CVE-2020-5910 HIGH This Week

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Nginx Nginx Controller
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2020-15502 HIGH PATCH This Week

The DuckDuckGo application through 5.58.0 for Android, and through 7.47.1.0 for iOS, sends hostnames of visited web sites within HTTPS .ico requests to servers in the duckduckgo.com domain, which. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Google Information Disclosure Duckduckgo
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2020-3402 HIGH This Week

A vulnerability in the Java Remote Method Invocation (RMI) interface of Cisco Unified Customer Voice Portal (CVP) could allow an unauthenticated, remote attacker to access sensitive information on an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Cisco Authentication Bypass Unified Customer Voice Portal
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2020-5911 HIGH This Week

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubuntu Nginx Debian Kubernetes Information Disclosure +1
NVD
CVSS 3.1
7.3
EPSS
1.0%
CVE-2020-9498 MEDIUM This Month

Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. Rated medium severity (CVSS 6.7). No vendor patch available.

Buffer Overflow Apache Memory Corruption RCE Guacamole +2
NVD
CVSS 3.1
6.7
EPSS
0.7%
CVE-2020-8185 MEDIUM PATCH This Month

A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Rails Fedora
NVD
CVSS 3.1
6.5
EPSS
2.2%
CVE-2020-3391 MEDIUM This Month

A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an authenticated, remote attacker to view sensitive information in clear text. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Information Disclosure Digital Network Architecture Center
NVD
CVSS 3.1
6.5
EPSS
1.3%
CVE-2020-15083 MEDIUM PATCH This Month

In PrestaShop from version 1.7.0.0 and before version 1.7.6.6, if a target sends a corrupted file, it leads to a reflected XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Prestashop
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-13653 MEDIUM This Month

An XSS vulnerability exists in the Webmail component of Zimbra Collaboration Suite before 8.8.15 Patch 11. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zimbra Collaboration Suite
NVD
CVSS 3.1
6.1
EPSS
1.4%
CVE-2020-2217 MEDIUM This Month

Jenkins Compatibility Action Storage Plugin 1.0 and earlier does not escape the content coming from the MongoDB in the testConnection form validation endpoint, resulting in a reflected cross-site. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Jenkins Compatibility Action Storage
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-2207 MEDIUM PATCH This Month

Jenkins VncViewer Plugin 1.7 and earlier does not escape a parameter value in the checkVncServ form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Jenkins Vncviewer
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2020-2206 MEDIUM PATCH This Month

Jenkins VncRecorder Plugin 1.25 and earlier does not escape a parameter value in the checkVncServ form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Jenkins Vncrecorder
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2020-3282 MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Cisco Unified Communications Manager Unified Communications Manager Im And Presence Service Unity Connection
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2020-15079 MEDIUM PATCH This Month

In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, there is improper access control in Carrier page, Module Manager and Module Positions. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Prestashop
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2020-11074 MEDIUM PATCH This Month

In PrestaShop from version 1.5.3.0 and before version 1.7.6.6, there is a stored XSS when using the name of a quick access item. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Prestashop
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2020-2219 MEDIUM This Month

Jenkins Link Column Plugin 1.0 and earlier does not filter URLs of links created by users with View/Configure permission, resulting in a stored cross-site scripting vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jenkins Link Column
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2020-2214 MEDIUM PATCH This Month

Jenkins ZAP Pipeline Plugin 1.9 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jenkins Zap Pipeline
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2020-2204 MEDIUM PATCH This Month

A missing permission check in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers with Overall/Read permission to connect to the globally configured Fortify on Demand endpoint using. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Authentication Bypass Fortify On Demand
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2020-2201 MEDIUM PATCH This Month

Jenkins Sonargraph Integration Plugin 3.0.0 and earlier does not escape the file path for the Log file field form validation, resulting in a stored cross-site scripting vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jenkins Sonargraph Integration
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2020-5909 MEDIUM This Month

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Controller
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2020-15080 MEDIUM PATCH This Month

In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some files should not be in the release archive, and others should not be accessible. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Docker Information Disclosure Prestashop
NVD GitHub
CVSS 3.1
5.3
EPSS
0.9%
CVE-2020-2205 MEDIUM PATCH This Month

Jenkins VncRecorder Plugin 1.25 and earlier does not escape a tool path in the `checkVncServ` form validation endpoint, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jenkins Vncrecorder
NVD
CVSS 3.1
4.8
EPSS
0.7%
CVE-2020-3340 MEDIUM This Month

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative credentials to conduct a. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Cisco Identity Services Engine
NVD
CVSS 3.1
4.8
EPSS
0.6%
CVE-2020-9497 MEDIUM This Month

Apache Guacamole 1.1.0 and older do not properly validate datareceived from RDP servers via static virtual channels. Rated medium severity (CVSS 4.4). No vendor patch available.

Apache Information Disclosure Guacamole Fedora Debian Linux
NVD
CVSS 3.1
4.4
EPSS
0.8%
CVE-2020-2216 MEDIUM This Month

A missing permission check in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Atlassian Jenkins Authentication Bypass Zephyr For Jira Test Management
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2020-2215 MEDIUM This Month

A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Atlassian CSRF Jenkins Zephyr For Jira Test Management
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2020-2213 MEDIUM PATCH This Month

Jenkins White Source Plugin 19.1.1 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Information Disclosure White Source
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2020-2212 MEDIUM This Month

Jenkins GitHub Coverage Reporter Plugin 1.8 and earlier stores secrets unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Github Coverage Reporter
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2020-2210 MEDIUM This Month

Jenkins Stash Branch Parameter Plugin 0.3.0 and earlier transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Stash Branch Parameter
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2020-2209 MEDIUM PATCH This Month

Jenkins TestComplete support Plugin 2.4.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Testcomplete Support
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2020-2208 MEDIUM This Month

Jenkins Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Slack Upload
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2020-2203 MEDIUM PATCH This Month

A cross-site request forgery vulnerability in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers to connect to the globally configured Fortify on Demand endpoint using. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Fortify On Demand
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2020-2202 MEDIUM PATCH This Month

A missing permission check in Jenkins Fortify on Demand Plugin 6.0.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Authentication Bypass Fortify On Demand
NVD
CVSS 3.1
4.3
EPSS
0.7%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy