Skip to main content
CVE-2020-8182 HIGH POC This Week

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permissions than they had themselves. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Nextcloud Authentication Bypass Deck
NVD
CVSS 3.1
8.0
EPSS
1.0%
CVE-2020-26061 HIGH POC This Week

ClickStudios Passwordstate Password Reset Portal prior to build 8501 is affected by an authentication bypass vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Passwordstate
NVD GitHub
CVSS 3.1
7.5
EPSS
4.5%
CVE-2020-7709 HIGH POC PATCH This Week

This affects the package json-pointer before 0.6.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Prototype Pollution Information Disclosure Json Pointer
NVD GitHub
CVSS 3.1
7.2
EPSS
1.8%
CVE-2020-8223 MEDIUM POC This Month

A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Nextcloud Privilege Escalation Nextcloud Server Fedora
NVD
CVSS 3.1
6.5
EPSS
1.5%
CVE-2020-16226 CRITICAL Act Now

Multiple Mitsubishi Electric products are vulnerable to impersonations of a legitimate device by a malicious actor, which may allow an attacker to remotely execute arbitrary commands. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Qj71Mes96 Firmware Qj71Ws96 Firmware Q06Ccpu V Firmware Q24Dhccpu V Firmware +91
NVD
CVSS 3.1
9.8
EPSS
2.3%
CVE-2020-24231 CRITICAL Act Now

Symmetric DS <3.12.0 uses mx4j to provide access to JMX over HTTP. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Symmetricds
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2020-6875 CRITICAL Act Now

A ZTE product is impacted by the improper access control vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Zte Zxone 19700 Snpe Firmware
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2020-4493 CRITICAL PATCH Act Now

IBM Maximo Asset Management 7.6.0 and 7.6.1 could allow an attacker to bypass authentication and issue commands using a specially crafted HTTP command. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Authentication Bypass Maximo Asset Management
NVD
CVSS 3.1
9.8
EPSS
2.7%
CVE-2020-8228 MEDIUM POC This Month

A missing rate limit in the Preferred Providers app 1.7.0 allowed an attacker to set the password an uncontrolled amount of times. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Preferred Providers Backports Sle Leap
NVD
CVSS 3.1
5.3
EPSS
1.9%
CVE-2020-26048 HIGH This Week

The file manager option in CuppaCMS before 2019-11-12 allows an authenticated attacker to upload a malicious file within an image extension and through a custom request using the rename function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload RCE PHP Cuppacms
NVD GitHub
CVSS 3.1
8.8
EPSS
1.9%
CVE-2020-8235 MEDIUM POC This Month

Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an attacker to view all attachments. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Nextcloud Authentication Bypass Deck
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2020-12302 HIGH This Week

Improper permissions in the Intel(R) Driver & Support Assistant before version 20.7.26.7 may allow an authenticated user to potentially enable escalation of privilege via local access. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Intel Driver Support Assistant
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2020-15235 HIGH PATCH This Week

In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would normally be hidden to everyone except admins. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Core
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2020-15236 HIGH PATCH This Week

In Wiki.js before version 2.5.151, directory traversal outside of Wiki.js context is possible when a storage module with local asset cache fetching is enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Wiki Js
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2020-25636 HIGH This Week

A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Ansible
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2020-15237 MEDIUM PATCH This Month

In Shrine before version 3.3.0, when using the `derivation_endpoint` plugin, it's possible for the attacker to use a timing attack to guess the signature of the derivation URL. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Shrine
NVD GitHub
CVSS 3.1
5.9
EPSS
1.0%
CVE-2020-8671 MEDIUM This Month

Insufficient control flow management in BIOS firmware 8th, 9th Generation Intel(R) Core(TM) Processors and Intel(R) Celeron(R) Processor 4000 Series may allow an authenticated user to potentially. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Intel Information Disclosure Bios
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2020-25635 MEDIUM PATCH This Month

A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Ansible
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2020-0571 MEDIUM This Month

Improper conditions check in BIOS firmware for 8th Generation Intel(R) Core(TM) Processors and Intel(R) Pentium(R) Silver Processor Series may allow an authenticated user to potentially enable. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Intel Information Disclosure Bios
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2020-26166 MEDIUM This Month

The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS File Upload Qdpm
NVD GitHub
CVSS 3.1
5.4
EPSS
0.8%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy