Skip to main content
CVE-2020-26596 HIGH POC This Week

The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress RCE Privilege Escalation PHP Elementor Pro
NVD
CVSS 3.1
8.8
EPSS
5.6%
CVE-2020-25985 HIGH POC This Week

MonoCMS Blog 1.0 is affected by: Arbitrary File Deletion. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Monocms
NVD Exploit-DB
CVSS 3.1
8.1
EPSS
1.7%
CVE-2020-26876 HIGH POC This Week

The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step (for course videos and materials) by using the /wp-json REST API, as exploited in the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Wp Courses
NVD
CVSS 3.1
7.5
EPSS
9.2%
CVE-2020-24246 HIGH POC This Week

Peplink Balance before 8.1.0rc1 allows an unauthenticated attacker to download PHP configuration files (/filemanager/php/connector.php) from Web Admin. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Balance 20X Firmware Balance 310X Firmware Mbx Firmware +52
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2020-7742 HIGH POC PATCH This Week

This affects the package simpl-schema before 1.10.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Simpl Schema
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2020-15501 MEDIUM POC This Month

Smarter Coffee Maker before 2nd generation allows firmware replacement without authentication or authorization. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Smarter Coffee Maker 1St Generation
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2020-26870 MEDIUM POC PATCH This Month

Cure53 DOMPurify before 2.0.17 allows mutation XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Dompurify Debian Linux Visual Studio 2017 Visual Studio 2019 +1
NVD GitHub
CVSS 3.1
6.1
EPSS
4.9%
CVE-2020-24722 MEDIUM POC This Month

An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-10-05, as used in COVID-19 applications on Android and iOS. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Google Information Disclosure Apple Exposure Notifications
NVD GitHub
CVSS 3.1
5.9
EPSS
2.5%
CVE-2020-11800 CRITICAL Act Now

Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Zabbix Backports Sle Leap Debian Linux
NVD
CVSS 3.1
9.8
EPSS
9.2%
CVE-2020-25343 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerabilities in Symphony CMS 3.0.0 allow remote attackers to inject arbitrary web script or HTML to fields['body'] param via events\event.publish_article.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Symphony
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
0.7%
CVE-2020-25867 MEDIUM POC This Month

SoPlanning before 1.47 doesn't correctly check the security key used to publicly share plannings. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Soplanning
NVD GitHub
CVSS 3.1
5.3
EPSS
2.8%
CVE-2020-15175 CRITICAL PATCH Act Now

In GLPI before version 9.5.2, the `​pluginimage.send.php​` endpoint allows a user to specify an image from a plugin. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Path Traversal PHP Information Disclosure Glpi
NVD GitHub
CVSS 3.1
9.1
EPSS
71.4%
CVE-2020-13347 CRITICAL Act Now

A command injection vulnerability was discovered in Gitlab runner versions prior to 13.2.4, 13.3.2 and 13.4.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Microsoft Docker Gitlab Path Traversal
NVD
CVSS 3.1
9.1
EPSS
2.3%
CVE-2020-17551 MEDIUM POC PATCH This Month

ImpressCMS 1.4.0 is affected by XSS in modules/system/admin.php which may result in arbitrary remote code execution. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS RCE PHP Impresscms
NVD GitHub
CVSS 3.1
4.8
EPSS
1.1%
CVE-2020-15176 HIGH PATCH This Week

In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi Glpi
NVD GitHub
CVSS 3.1
8.6
EPSS
1.1%
CVE-2020-15226 MEDIUM POC PATCH This Month

In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Glpi
NVD GitHub
CVSS 3.1
4.3
EPSS
1.0%
CVE-2020-7316 HIGH This Week

Unquoted service path vulnerability in McAfee File and Removable Media Protection (FRP) prior to 5.3.0 allows local users to execute arbitrary code, with higher privileges, via execution and from a. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE File And Removable Media Protection
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2020-26880 HIGH This Week

Sympa through 6.2.57b.2 allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Sympa Fedora Debian Linux
NVD GitHub
CVSS 3.1
7.8
EPSS
0.4%
CVE-2020-13334 HIGH This Week

In GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, improper authorization checks allow a non-member of a project/group to change the confidentiality attribute of issue via mutation GraphQL query. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Gitlab Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2020-14355 MEDIUM PATCH This Month

Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.

Buffer Overflow RCE Spice Openstack Ubuntu Linux +7
NVD
CVSS 3.1
6.6
EPSS
2.7%
CVE-2020-13346 MEDIUM This Month

Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
1.3%
CVE-2020-15177 MEDIUM PATCH This Month

In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PHP Glpi
NVD GitHub
CVSS 3.1
6.1
EPSS
0.8%
CVE-2020-26164 MEDIUM PATCH This Month

In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker on the local network could send crafted packets that trigger use of large amounts of CPU, memory, or network connection slots, aka a. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Kdeconnect Backports Sle Leap
NVD GitHub
CVSS 3.1
5.5
EPSS
0.6%
CVE-2020-25768 MEDIUM PATCH This Month

Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Contao
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2020-15217 MEDIUM PATCH This Month

In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Glpi
NVD GitHub
CVSS 3.1
5.3
EPSS
1.0%
CVE-2020-13335 MEDIUM This Month

Improper group membership validation when deleting a user account in GitLab >=7.12 allows a user to delete own account without deleting/transferring their group. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2020-13342 LOW Monitor

An issue has been discovered in GitLab affecting versions prior to 13.2.10, 13.3.7 and 13.4.2: Lack of Rate Limiting at Re-Sending Confirmation Email. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Denial Of Service
NVD
CVSS 3.1
2.7
EPSS
0.9%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy