Skip to main content
CVE-2020-26124 HIGH POC PATCH THREAT Act Now

openmediavault before 4.1.36 and 5.x before 5.5.12 allows authenticated PHP code injection attacks, via the sortfield POST parameter of rpc.php, because json_encode_safe is not used in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection PHP Openmediavault
NVD GitHub
CVSS 3.1
8.8
EPSS
67.2%
CVE-2020-26527 CRITICAL POC Act Now

An issue was discovered in API/api/Version in Damstra Smart Asset 2020.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Smart Asset
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2020-18185 CRITICAL POC Act Now

class.plx.admin.php in PluXml 5.7 allows attackers to execute arbitrary PHP code by modify the configuration file in a linux environment. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection PHP Pluxml
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2020-7737 CRITICAL POC Act Now

All versions of package safetydance are vulnerable to Prototype Pollution via the set function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Information Disclosure Safetydance
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2020-7736 CRITICAL POC PATCH Act Now

The package bmoor before 0.8.12 are vulnerable to Prototype Pollution via the set function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Prototype Pollution Information Disclosure Bmoor
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2020-12124 CRITICAL POC THREAT Act Now

A remote command-line injection vulnerability in the /cgi-bin/live_api.cgi endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allows an attacker to execute arbitrary Linux commands as root without. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Wn530H4 Firmware
NVD
CVSS 3.1
9.8
EPSS
74.7%
CVE-2020-26518 CRITICAL POC Act Now

Artica Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the pandora_console/include/chart_generator.php session_id parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Pandora Fms
NVD
CVSS 3.1
9.8
EPSS
2.1%
CVE-2020-12676 CRITICAL POC Act Now

FusionAuth fusionauth-samlv2 0.2.3 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack". Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Jwt Attack Samlv2
NVD GitHub
CVSS 3.1
9.1
EPSS
2.9%
CVE-2020-18191 CRITICAL POC Act Now

GetSimpleCMS-3.3.15 is affected by directory traversal. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Getsimplecms
NVD GitHub
CVSS 3.1
9.1
EPSS
2.1%
CVE-2020-18190 CRITICAL POC Act Now

Bludit v3.8.1 is affected by directory traversal. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Bludit
NVD GitHub
CVSS 3.1
9.1
EPSS
2.0%
CVE-2020-17382 HIGH POC This Week

The MSI AmbientLink MsIo64 driver 1.0.0.8 has a Buffer Overflow (0x80102040, 0x80102044, 0x80102050,and 0x80102054). Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption Ambientlink Mslo64 Firmware
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
2.1%
CVE-2020-14293 HIGH POC This Week

conf_datetime in Secudos DOMOS 5.8 allows remote attackers to execute arbitrary commands as root via shell metacharacters in the zone field (obtained from the web interface). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Command Injection Domos
NVD GitHub
CVSS 3.1
7.5
EPSS
5.3%
CVE-2020-12127 HIGH POC This Week

An information disclosure vulnerability in the /cgi-bin/ExportAllSettings.sh endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allows an attacker to leak router settings, including cleartext login. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Information Disclosure Wn530H4 Firmware
NVD
CVSS 3.1
7.5
EPSS
7.4%
CVE-2020-18184 HIGH POC This Week

In PluxXml V5.7,the theme edit function /PluXml/core/admin/parametres_edittpl.php allows remote attackers to execute arbitrary PHP code by placing this code into a template. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Pluxxml
NVD GitHub
CVSS 3.1
7.2
EPSS
1.4%
CVE-2020-26541 MEDIUM POC This Month

The Linux kernel through 5.8.13 does not properly enforce the Secure Boot Forbidden Signature Database (aka dbx) protection mechanism. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Linux Information Disclosure Linux Kernel
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2020-26135 MEDIUM POC PATCH This Month

Live Helper Chat before 3.44v allows reflected XSS via the setsettingajax PATH_INFO. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Live Helper Chat
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2020-26134 MEDIUM POC PATCH This Month

Live Helper Chat before 3.44v allows stored XSS in chat messages with an operator via BBCode. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Live Helper Chat
NVD GitHub
CVSS 3.1
6.1
EPSS
1.1%
CVE-2020-14294 MEDIUM POC This Month

An issue was discovered in Secudos Qiata FTA 1.70.19. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Qiata Fta
NVD GitHub
CVSS 3.1
6.1
EPSS
1.2%
CVE-2020-13168 MEDIUM POC This Month

SysAid 20.1.11b26 allows reflected XSS via the ForgotPassword.jsp accountid parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Sysaid On Premises Sysaidsy On Premises
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2020-24698 CRITICAL Act Now

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Authoritative
NVD
CVSS 3.1
9.8
EPSS
3.2%
CVE-2020-12126 CRITICAL Act Now

Multiple authentication bypass vulnerabilities in the /cgi-bin/ endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allow an attacker to leak router settings, change configuration variables, and cause. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Authentication Bypass Wn530H4 Firmware
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2020-12125 CRITICAL Act Now

A remote buffer overflow vulnerability in the /cgi-bin/makeRequest.cgi endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allows an attacker to execute arbitrary machine instructions as root without. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Wn530H4 Firmware
NVD
CVSS 3.1
9.8
EPSS
3.6%
CVE-2020-26539 CRITICAL PATCH Act Now

An issue was discovered in Foxit Reader and PhantomPDF before 10.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Memory Corruption RCE Foxit Reader Phantompdf
NVD
CVSS 3.1
9.8
EPSS
2.2%
CVE-2020-26537 CRITICAL PATCH Act Now

An issue was discovered in Foxit Reader and PhantomPDF before 10.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow Memory Corruption Foxit Reader Phantompdf
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2020-26535 CRITICAL PATCH Act Now

An issue was discovered in Foxit Reader and PhantomPDF before 10.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow Memory Corruption Foxit Reader Phantompdf
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2020-26534 CRITICAL PATCH Act Now

An issue was discovered in Foxit Reader and PhantomPDF before 10.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Memory Corruption Information Disclosure Foxit Reader Phantompdf
NVD
CVSS 3.1
9.8
EPSS
2.4%
CVE-2020-13338 MEDIUM POC This Month

An issue has been discovered in GitLab affecting versions prior to 12.10.13, 13.0.8, 13.1.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Gitlab
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2020-7070 MEDIUM POC This Month

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Fedora Debian Linux Leap +3
NVD
CVSS 3.1
5.3
EPSS
5.0%
CVE-2020-26525 CRITICAL Act Now

Damstra Smart Asset 2020.7 has SQL injection via the API/api/Asset originator parameter. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Smart Asset
NVD GitHub
CVSS 3.1
9.1
EPSS
25.5%
CVE-2020-15232 CRITICAL PATCH Act Now

In mapfish-print before version 3.24, a user can do to an XML External Entity (XXE) attack with the provided SDL style. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Print
NVD GitHub
CVSS 3.1
9.1
EPSS
1.3%
CVE-2020-24628 HIGH This Week

A remote code injection vulnerability was discovered in HPE KVM IP Console Switches version(s): G2 4x1Ex32 Prior to 2.8.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Kvm Ip Console Switch G2 Firmware
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2020-7738 HIGH This Week

All versions of package shiba are vulnerable to Arbitrary Code Execution due to the default usage of the function load() of the package js-yaml instead of its secure replacement , safeLoad(). Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Shiba
NVD
CVSS 3.1
8.3
EPSS
1.6%
CVE-2020-15589 HIGH This Week

A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W and Remote Access. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Zoho RCE Manageengine Desktop Central Manageengine Remote Access Plus
NVD
CVSS 3.1
8.1
EPSS
8.3%
CVE-2020-24696 HIGH This Week

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition RCE Authoritative
NVD
CVSS 3.1
8.1
EPSS
1.4%
CVE-2020-12123 HIGH This Week

CSRF vulnerabilities in the /cgi-bin/ directory of the WAVLINK WN530H4 M30H4.V5030.190403 allow an attacker to remotely access router endpoints, because these endpoints do not contain CSRF tokens. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Wn530H4 Firmware
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2020-25776 HIGH This Week

Trend Micro Antivirus for Mac 2020 (Consumer) is vulnerable to a symbolic link privilege escalation attack where an attacker could exploit a critical file on the system to escalate their privileges. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Trend Micro Privilege Escalation Antivirus
NVD
CVSS 3.1
7.8
EPSS
0.6%
CVE-2020-5987 HIGH This Week

NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin in which guest-supplied parameters remain writable by the guest after the plugin has validated them, which may lead to the guest. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Nvidia Virtual Gpu Manager
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2020-5984 HIGH This Week

NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin in which it may have the use-after-free vulnerability while freeing some resources, which may lead to denial of service, code. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Memory Corruption RCE Nvidia Use After Free +2
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2020-5981 HIGH This Week

NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in the DirectX11 user mode driver (nvwgf2um/x.dll), in which a specially crafted shader can cause an out of bounds access,. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Microsoft Buffer Overflow Memory Corruption RCE +2
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2020-5980 HIGH This Week

NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in multiple components in which a securely loaded system DLL will load its dependencies in an insecure fashion, which may. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service RCE Nvidia Microsoft Virtual Gpu Manager
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2020-5979 HIGH This Week

NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in the NVIDIA Control Panel component in which a user is presented with a dialog box for input by a high-privilege process,. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Nvidia Microsoft Virtual Gpu Manager
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2020-24356 HIGH PATCH This Week

`cloudflared` versions prior to 2020.8.1 contain a local privilege escalation vulnerability on Windows systems. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Microsoft Cloudflared
NVD GitHub
CVSS 3.1
7.8
EPSS
0.3%
CVE-2020-26538 HIGH PATCH This Week

An issue was discovered in Foxit Reader and PhantomPDF before 10.1. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Foxit Reader Phantompdf
NVD
CVSS 3.1
7.8
EPSS
0.5%
CVE-2020-25623 HIGH This Week

Erlang/OTP 22.3.x before 22.3.4.6 and 23.x before 23.1 allows Directory Traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Erlang Otp
NVD GitHub
CVSS 3.1
7.5
EPSS
3.2%
CVE-2020-8110 HIGH This Week

A vulnerability has been discovered in the ceva_emu.cvd module that results from a lack of proper validation of user-supplied data, which can result in a pointer that is fetched from uninitialized. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Information Disclosure Engines
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2020-24697 HIGH This Week

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Authoritative
NVD
CVSS 3.1
7.5
EPSS
4.4%
CVE-2020-26540 HIGH PATCH This Week

An issue was discovered in Foxit Reader and PhantomPDF before 4.1 on macOS. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Jwt Attack Apple Foxit Reader Phantompdf
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2020-26511 HIGH PATCH This Week

The wpo365-login plugin before v11.7 for WordPress allows use of a symmetric algorithm to decrypt a JWT token. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

WordPress Authentication Bypass Wordpress Azure Ad Microsoft Office 365
NVD
CVSS 3.1
7.5
EPSS
2.1%
CVE-2020-24397 HIGH This Week

An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.0.SP-534. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Zoho RCE Integer Overflow Manageengine Desktop Central
NVD
CVSS 3.1
7.2
EPSS
27.8%
CVE-2020-5988 HIGH This Week

NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which allocated memory can be freed twice, which may lead to information disclosure or denial of service. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Nvidia Information Disclosure Virtual Gpu Manager
NVD
CVSS 3.1
7.1
EPSS
0.3%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy