Skip to main content
CVE-2020-15086 CRITICAL POC PATCH Act Now

In TYPO3 installations with the "mediace" extension from version 7.6.2 and before version 7.6.5, it has been discovered that an internal verification mechanism can be used to generate arbitrary. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Mediace
NVD GitHub
CVSS 3.1
9.8
EPSS
2.7%
CVE-2020-7697 CRITICAL POC Act Now

This affects all versions of package mock2easy. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Mock2Easy
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2020-5763 HIGH POC This Week

Grandstream HT800 series firmware version 1.0.17.5 and below contain a backdoor in the SSH service. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Ht801 Firmware Ht802 Firmware Ht812 Firmware Ht814 Firmware +2
NVD
CVSS 3.1
8.8
EPSS
2.7%
CVE-2020-13699 HIGH POC THREAT This Week

TeamViewer Desktop for Windows before 15.8.3 does not properly quote its custom URI handlers. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Information Disclosure Teamviewer
NVD GitHub
CVSS 3.1
8.8
EPSS
25.9%
CVE-2020-4463 HIGH POC PATCH THREAT This Week

IBM Maximo Asset Management 7.6.0.1 and 7.6.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

IBM XXE Maximo Asset Management
NVD
CVSS 3.1
8.2
EPSS
31.6%
CVE-2020-16143 HIGH POC This Week

The seafile-client client 7.0.8 for Seafile is vulnerable to DLL hijacking because it loads exchndl.dll from the current working directory. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Seafile Client
NVD GitHub
CVSS 3.1
7.8
EPSS
0.4%
CVE-2020-5760 HIGH POC This Week

Grandstream HT800 series firmware version 1.0.17.5 and below is vulnerable to an OS command injection vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Ht801 Firmware Ht802 Firmware Ht812 Firmware Ht814 Firmware +2
NVD
CVSS 3.1
7.8
EPSS
5.5%
CVE-2020-5762 HIGH POC This Week

Grandstream HT800 series firmware version 1.0.17.5 and below is vulnerable to a denial of service attack against the TR-069 service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Ht801 Firmware Ht802 Firmware Ht812 Firmware +3
NVD
CVSS 3.1
7.5
EPSS
3.4%
CVE-2020-5761 HIGH POC This Week

Grandstream HT800 series firmware version 1.0.17.5 and below is vulnerable to CPU exhaustion due to an infinite loop in the TR-069 service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Ht801 Firmware Ht802 Firmware Ht812 Firmware Ht814 Firmware +2
NVD
CVSS 3.1
7.5
EPSS
4.1%
CVE-2020-16118 HIGH POC PATCH This Week

In GNOME Balsa before 2.6.0, a malicious server operator or man in the middle can trigger a NULL pointer dereference and client crash by sending a PREAUTH response to imap_mbox_connect in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Null Pointer Dereference Denial Of Service Balsa Backports Sle Leap
NVD
CVSS 3.1
7.5
EPSS
2.1%
CVE-2020-15707 MEDIUM POC PATCH This Month

Integer overflows were discovered in the functions grub_cmd_initrd and grub_initrd_init in the efilinux component of GRUB2, as shipped in Debian, Red Hat, and Ubuntu (the functionality is not. Rated medium severity (CVSS 6.4). Public exploit code available.

Ubuntu Buffer Overflow Race Condition Debian RCE +16
NVD
CVSS 3.1
6.4
EPSS
1.6%
CVE-2020-16135 MEDIUM POC PATCH This Month

libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Null Pointer Dereference Denial Of Service Libssh Debian Linux Fedora +2
NVD
CVSS 3.1
5.9
EPSS
4.1%
CVE-2020-14316 CRITICAL PATCH Act Now

A flaw was found in kubevirt 0.29 and earlier. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Kubevirt Openshift Virtualization
NVD
CVSS 3.1
9.9
EPSS
1.6%
CVE-2020-16117 MEDIUM POC PATCH This Month

In GNOME evolution-data-server before 3.35.91, a malicious server can crash the mail client with a NULL pointer dereference by sending an invalid (e.g., minimal) CAPABILITY line on a connection. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Null Pointer Dereference Denial Of Service Evolution Data Server Debian Linux
NVD
CVSS 3.1
5.9
EPSS
2.1%
CVE-2020-15588 CRITICAL Act Now

An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Zoho RCE Integer Overflow Manageengine Desktop Central
NVD
CVSS 3.1
9.8
EPSS
12.7%
CVE-2020-4567 CRITICAL PATCH Act Now

IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Information Disclosure Security Key Lifecycle Manager
NVD
CVSS 3.1
9.8
EPSS
2.3%
CVE-2020-2076 CRITICAL Act Now

SICK Package Analytics software up to and including version V04.0.0 are vulnerable to an authentication bypass by directly interfacing with the REST API. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Package Analytics
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2020-14487 CRITICAL Act Now

OpenClinic GA 5.09.02 contains a hidden default user account that may be accessed if an administrator has not expressly turned off this account, which may allow an attacker to login and execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Openclinic Ga
NVD
CVSS 3.1
9.8
EPSS
2.2%
CVE-2020-7698 CRITICAL PATCH Act Now

This affects the package Gerapy from 0 and before 0.9.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Gerapy
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2020-9691 CRITICAL PATCH Act Now

Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a dom-based cross-site scripting vulnerability. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS RCE Adobe Magento
NVD
CVSS 3.1
9.6
EPSS
6.0%
CVE-2020-15098 HIGH PATCH This Week

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Privilege Escalation Deserialization Typo3
NVD GitHub
CVSS 3.1
8.8
EPSS
2.2%
CVE-2020-14488 HIGH This Week

OpenClinic GA 5.09.02 and 5.89.05b does not properly verify uploaded files, which may allow a low-privilege user to upload and execute arbitrary files on the system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Openclinic Ga
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2020-14486 HIGH This Week

An attacker may bypass permission/authorization checks in OpenClinic GA 5.09.02 and 5.89.05b by ignoring the redirect of a permission failure, which may allow unauthorized execution of commands. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Openclinic Ga
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2020-14493 HIGH This Week

A low-privilege user may use SQL syntax to write arbitrary files to the OpenClinic GA 5.09.02 and 5.89.05b server, which may allow the execution of arbitrary commands. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Openclinic Ga
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2020-14490 HIGH This Week

OpenClinic GA 5.09.02 and 5.89.05b includes arbitrary local files specified within its parameter and executes some files, which may allow disclosure of sensitive files or the execution of malicious. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Openclinic Ga
NVD
CVSS 3.1
8.8
EPSS
2.5%
CVE-2020-15099 HIGH PATCH This Week

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE PHP Typo3
NVD GitHub
CVSS 3.1
8.1
EPSS
1.8%
CVE-2020-15125 HIGH PATCH This Week

In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity.

Node.js Information Disclosure Auth0 Js
NVD GitHub
CVSS 3.1
7.7
EPSS
1.5%
CVE-2020-4574 HIGH PATCH This Week

IBM Tivoli Key Lifecycle Manager does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure IBM Brute Force Security Key Lifecycle Manager
NVD
CVSS 3.1
7.5
EPSS
1.9%
CVE-2020-2077 HIGH This Week

SICK Package Analytics software up to and including version V04.0.0 are vulnerable due to incorrect default permissions settings. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Information Disclosure Package Analytics
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2020-14489 HIGH This Week

OpenClinic GA 5.09.02 and 5.89.05b stores passwords using inadequate hashing complexity, which may allow an attacker to recover passwords using known password cracking techniques. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Openclinic Ga
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2020-11933 MEDIUM This Month

cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Ubuntu Privilege Escalation Snapd Ubuntu Linux
NVD
CVSS 3.1
6.8
EPSS
0.2%
CVE-2020-4569 MEDIUM PATCH This Month

IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Authentication Bypass Security Key Lifecycle Manager
NVD
CVSS 3.1
6.5
EPSS
1.2%
CVE-2020-2078 MEDIUM This Month

Passwords are stored in plain text within the configuration of SICK Package Analytics software up to and including V04.1.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Package Analytics
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2020-9692 MEDIUM PATCH This Month

Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a security mitigation bypass vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity.

Adobe RCE Magento
NVD
CVSS 3.1
6.5
EPSS
3.8%
CVE-2020-9689 MEDIUM PATCH This Month

Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a path traversal vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity.

Adobe RCE Path Traversal Magento
NVD
CVSS 3.1
6.5
EPSS
4.1%
CVE-2020-14308 MEDIUM This Month

In grub2 versions before 2.06 the grub memory allocator doesn't check for possible arithmetic overflows on the requested allocation size. Rated medium severity (CVSS 6.4). No vendor patch available.

Buffer Overflow Integer Overflow Grub2 Leap
NVD
CVSS 3.1
6.4
EPSS
0.4%
CVE-2020-15706 MEDIUM PATCH This Month

GRUB2 contains a race condition in grub_script_function_create() leading to a use-after-free vulnerability which can be triggered by redefining a function whilst the same function is already. Rated medium severity (CVSS 6.4).

Race Condition RCE Grub2 Enterprise Linux Atomic Host Openshift Container Platform +11
NVD
CVSS 3.1
6.4
EPSS
1.0%
CVE-2020-15705 MEDIUM PATCH This Month

GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. Rated medium severity (CVSS 6.4).

Jwt Attack Authentication Bypass Grub2 Enterprise Linux Atomic Host Openshift Container Platform +11
NVD
CVSS 3.1
6.4
EPSS
1.4%
CVE-2020-16095 MEDIUM PATCH This Month

The dlf (aka Kitodo.Presentation) extension before 3.1.2 for TYPO3 allows XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Kitodo Presentation
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2020-14492 MEDIUM This Month

OpenClinic GA 5.09.02 and 5.89.05b does not properly neutralize user-controllable input, which may allow the execution of malicious code within the user’s browser. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Openclinic Ga
NVD
CVSS 3.1
6.1
EPSS
1.2%
CVE-2020-5613 MEDIUM This Month

Cross-site scripting vulnerability in KonaWiki 3.1.0 and earlier allows remote attackers to execute an arbitrary script via a specially crafted URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Konawiki
NVD
CVSS 3.1
6.1
EPSS
1.1%
CVE-2020-5612 MEDIUM This Month

Cross-site scripting vulnerability in KonaWiki 2.2.0 and earlier allows remote attackers to execute an arbitrary script via a specially crafted URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Konawiki
NVD
CVSS 3.1
6.1
EPSS
1.1%
CVE-2020-11934 MEDIUM This Month

It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. Rated medium severity (CVSS 5.9), this vulnerability is low attack complexity. No vendor patch available.

Ubuntu Information Disclosure Ubuntu Linux
NVD
CVSS 3.1
5.9
EPSS
0.4%
CVE-2020-8553 MEDIUM PATCH This Month

The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Kubernetes Nginx Ingress Nginx
NVD GitHub
CVSS 3.1
5.9
EPSS
0.9%
CVE-2020-4645 MEDIUM PATCH This Month

IBM Planning Analytics Local 2.0.0 through 2.0.9.1 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS IBM Planning Analytics Local
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2020-4644 MEDIUM PATCH This Month

IBM Planning Analytics Local 2.0.0 through 2.0.9.1 could allow a remote attacker to hijack the clicking action of the victim. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS IBM Planning Analytics Local
NVD
CVSS 3.1
5.4
EPSS
1.2%
CVE-2020-4573 MEDIUM PATCH This Month

IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 could disclose sensitive information due to responding to unauthenticated HTTP requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Information Disclosure Security Key Lifecycle Manager
NVD
CVSS 3.1
5.3
EPSS
1.3%
CVE-2020-4572 MEDIUM PATCH This Month

IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Information Disclosure Security Key Lifecycle Manager
NVD
CVSS 3.1
5.3
EPSS
1.7%
CVE-2020-5614 MEDIUM This Month

Directory traversal vulnerability in KonaWiki 3.1.0 and earlier allows remote attackers to read arbitrary files via unspecified vectors. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Konawiki
NVD
CVSS 3.1
5.3
EPSS
2.2%
CVE-2020-9690 MEDIUM PATCH This Month

Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have an observable timing discrepancy vulnerability. Rated medium severity (CVSS 4.2), this vulnerability is low attack complexity.

Adobe Authentication Bypass Magento
NVD
CVSS 3.1
4.2
EPSS
1.6%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy