Skip to main content
CVE-2020-15227 CRITICAL POC PATCH THREAT Act Now

Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection PHP Application Debian Linux
NVD GitHub
CVSS 3.1
9.8
EPSS
35.2%
CVE-2020-25990 CRITICAL POC Act Now

WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' in /websitebaker/admin/preferences/save.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Websitebaker
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
1.7%
CVE-2020-5786 HIGH POC This Week

Cross-site request forgery in Teltonika firmware TRB2_R_00.02.04.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Trb245 Firmware
NVD
CVSS 3.1
8.8
EPSS
8.8%
CVE-2020-25017 HIGH POC This Week

Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Envoy
NVD GitHub
CVSS 3.1
8.3
EPSS
1.3%
CVE-2020-16844 MEDIUM POC PATCH This Month

In Istio 1.5.0 though 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Authentication Bypass Istio
NVD GitHub
CVSS 3.1
6.8
EPSS
1.1%
CVE-2020-5789 MEDIUM POC This Month

Relative Path Traversal in Teltonika firmware TRB2_R_00.02.04.3 allows a remote, authenticated attacker to read the contents of arbitrary files on disk. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Trb245 Firmware
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2020-5788 MEDIUM POC This Month

Relative Path Traversal in Teltonika firmware TRB2_R_00.02.04.3 allows a remote, authenticated attacker to delete arbitrary files on disk via the admin/system/admin/certificates/delete action. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Trb245 Firmware
NVD
CVSS 3.1
6.5
EPSS
1.2%
CVE-2020-5787 MEDIUM POC This Month

Relative Path Traversal in Teltonika firmware TRB2_R_00.02.04.3 allows a remote, authenticated attacker to delete arbitrary files on disk via the admin/services/packages/remove action. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Trb245 Firmware
NVD
CVSS 3.1
6.5
EPSS
1.7%
CVE-2020-5784 MEDIUM POC This Month

Server-Side Request Forgery in Teltonika firmware TRB2_R_00.02.04.3 allows a low privileged user to cause the application to perform HTTP GET requests to arbitrary URLs. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Trb245 Firmware
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2020-15666 MEDIUM POC This Month

When trying to load a non-video in an audio/video context the exact status code (200, 302, 404, 500, 412, 403, etc.) was disclosed via the MediaError Message. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
6.5
EPSS
1.2%
CVE-2020-5785 MEDIUM POC This Month

Insufficient output sanitization in Teltonika firmware TRB2_R_00.02.04.3 allows an unauthenticated attacker to conduct reflected cross-site scripting via a crafted ‘action’ or ‘pkg_name’ parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Trb245 Firmware
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-15533 CRITICAL Act Now

In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho SQLi Manageengine Applications Manager
NVD
CVSS 3.1
9.8
EPSS
4.2%
CVE-2020-24861 MEDIUM POC This Month

GetSimple CMS 3.3.16 allows in parameter 'permalink' on the Settings page persistent Cross Site Scripting which is executed when you create and open a new page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Getsimple Cms
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
0.9%
CVE-2020-24860 MEDIUM POC This Month

CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Cms Made Simple
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
1.1%
CVE-2020-25200 MEDIUM POC This Month

Pritunl 1.29.2145.25 allows attackers to enumerate valid VPN usernames via a series of /auth/session login attempts. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Pritunl
NVD GitHub
CVSS 3.1
5.3
EPSS
7.5%
CVE-2020-15228 MEDIUM POC PATCH This Month

In the `@actions/core` npm module before version 1.2.6,`addPath` and `exportVariable` functions communicate with the Actions Runner over stdout by generating a string in a specific format. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Toolkit
NVD GitHub
CVSS 3.1
5.0
EPSS
1.5%
CVE-2020-15678 HIGH This Week

When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Mozilla Memory Corruption Information Disclosure Firefox +4
NVD
CVSS 3.1
8.8
EPSS
1.9%
CVE-2020-15675 HIGH This Week

When processing surfaces, the lifetime may outlive a persistent buffer leading to memory corruption and a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Use After Free Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2020-15674 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 80. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Firefox
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2020-15673 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Memory Corruption RCE Use After Free +5
NVD
CVSS 3.1
8.8
EPSS
2.0%
CVE-2020-15670 HIGH This Week

Mozilla developers reported memory safety bugs present in Firefox for Android 79. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Buffer Overflow Race Condition RCE Google +3
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2020-15669 HIGH This Week

When aborting an operation, such as a fetch, an abort signal may be deleted while alerting the objects to be notified. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Mozilla Memory Corruption RCE Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2020-15667 HIGH This Week

When processing a MAR update file, after the signature has been validated, an invalid name length could result in a heap overflow, leading to memory corruption and potentially arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Mozilla Memory Corruption Firefox
NVD
CVSS 3.1
8.8
EPSS
1.6%
CVE-2020-15663 HIGH This Week

If Firefox is installed to a user-writable directory, the Mozilla Maintenance Service would execute updater.exe from the install location with system privileges. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Mozilla Microsoft Firefox Firefox Esr +1
NVD
CVSS 3.1
8.8
EPSS
2.7%
CVE-2020-15665 MEDIUM POC This Month

Firefox did not reset the address bar after the beforeunload dialog was shown if the user chose to remain on the page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2020-24620 HIGH This Week

Unisys Stealth(core) before 4.0.134 stores passwords in a recoverable format. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Stealth
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2020-9491 HIGH PATCH This Week

In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Nifi
NVD
CVSS 3.1
7.5
EPSS
2.9%
CVE-2020-9487 HIGH PATCH This Week

In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Nifi
NVD
CVSS 3.1
7.5
EPSS
3.0%
CVE-2020-9486 HIGH PATCH This Week

In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Nifi
NVD
CVSS 3.1
7.5
EPSS
3.6%
CVE-2020-11979 HIGH PATCH This Week

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Code Injection Ant Gradle Fedora +34
NVD GitHub
CVSS 3.1
7.5
EPSS
8.2%
CVE-2020-25018 HIGH This Week

Envoy master between 2d69e30 and 3b5acb2 may fail to parse request URL that requires host canonicalization. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Envoy
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2020-4576 HIGH This Week

IBM WebSphere Application Server 7.5, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a specially-crafted sequence of serialized objects. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Information Disclosure Websphere Application Server
NVD
CVSS 3.1
7.5
EPSS
2.0%
CVE-2020-8109 HIGH This Week

A vulnerability has been discovered in the ace.xmd parser that results from a lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Memory Corruption Engines
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2020-15664 MEDIUM This Month

By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Authentication Bypass Firefox Firefox Esr +1
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2020-14223 MEDIUM PATCH This Month

HCL Digital Experience 8.5, 9.0, 9.5 is susceptible to cross-site scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Digital Experience
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2020-15677 MEDIUM This Month

By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Open Redirect Firefox Firefox Esr Thunderbird +2
NVD
CVSS 3.1
6.1
EPSS
1.6%
CVE-2020-15676 MEDIUM This Month

Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox Firefox Esr Thunderbird +2
NVD
CVSS 3.1
6.1
EPSS
1.6%
CVE-2020-13940 MEDIUM PATCH This Month

In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apache XXE Nifi
NVD
CVSS 3.1
5.5
EPSS
1.9%
CVE-2020-5387 MEDIUM This Month

Dell XPS 13 9370 BIOS versions prior to 1.13.1 contains an Improper Exception Handling vulnerability. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Dell Information Disclosure Xps 13 9370 Firmware
NVD
CVSS 3.1
4.4
EPSS
0.3%
CVE-2020-15668 MEDIUM This Month

A lock was missing when accessing a data structure and importing certificate information into the trust database. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2020-15671 LOW Monitor

When typing in a password under certain conditions, a race may have occured where the InputContext was not being correctly set for the input field, resulting in the typed password being saved to the. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Google Mozilla Information Disclosure Firefox
NVD
CVSS 3.1
3.1
EPSS
0.5%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy