Skip to main content
CVE-2020-8466 CRITICAL POC THREAT Act Now

A command injection vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2, with the improved password hashing method enabled, could allow an unauthenticated attacker to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Trend Micro Command Injection Interscan Web Security Virtual Appliance
NVD
CVSS 3.1
9.8
EPSS
63.7%
CVE-2020-8465 CRITICAL POC Act Now

A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to manipulate system updates using a combination of CSRF bypass (CVE-2020-8461) and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Trend Micro CSRF Authentication Bypass Interscan Web Security Virtual Appliance
NVD
CVSS 3.1
9.8
EPSS
2.6%
CVE-2020-22083 CRITICAL POC PATCH Act Now

jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Jsonpickle
NVD GitHub
CVSS 3.1
9.8
EPSS
6.1%
CVE-2020-25094 CRITICAL POC Act Now

LogRhythm Platform Manager 7.4.9 allows Command Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Platform Manager
NVD
CVSS 3.1
9.8
EPSS
3.1%
CVE-2020-8461 HIGH POC This Week

A CSRF protection bypass vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to get a victim's browser to send a specifically encoded request without. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Trend Micro CSRF Interscan Web Security Virtual Appliance
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2020-35491 HIGH POC PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Deserialization Jackson Databind Service Level Manager Debian Linux +23
NVD GitHub
CVSS 3.1
8.1
EPSS
9.5%
CVE-2020-35490 HIGH POC PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Deserialization Jackson Databind Service Level Manager Debian Linux +22
NVD GitHub
CVSS 3.1
8.1
EPSS
7.7%
CVE-2020-8464 HIGH POC This Week

A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to send requests that appear to come from the localhost which could expose the product's admin. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Trend Micro SSRF Interscan Web Security Virtual Appliance
NVD
CVSS 3.1
7.5
EPSS
6.3%
CVE-2020-8463 HIGH POC This Week

A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to bypass a global authorization check for anonymous users by manipulating request paths. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Trend Micro Path Traversal Interscan Web Security Virtual Appliance
NVD
CVSS 3.1
7.5
EPSS
5.9%
CVE-2020-27199 HIGH POC This Week

The Magic Home Pro application 1.5.1 for Android allows Authentication Bypass. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Authentication Bypass Magic Home Pro
NVD
CVSS 3.1
7.5
EPSS
2.9%
CVE-2020-20142 MEDIUM POC This Month

Cross Site Scripting (XSS) vulnerability in the "To Remote CSV" component under "Open" Menu in Flexmonster Pivot Table & Charts 2.7.17. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Pivot Table Charts
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
1.6%
CVE-2020-20141 MEDIUM POC This Month

Cross Site Scripting (XSS) vulnerability in the To OLAP (XMLA) component Under the Connect menu in Flexmonster Pivot Table & Charts 2.7.17. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Pivot Table Charts
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
1.6%
CVE-2020-20140 MEDIUM POC This Month

Cross Site Scripting (XSS) vulnerability in Remote Report component under the Open menu in Flexmonster Pivot Table & Charts 2.7.17. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Pivot Table Charts
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
1.6%
CVE-2020-20139 MEDIUM POC This Month

Cross Site Scripting (XSS) vulnerability in the Remote JSON component Under the Connect menu in Flexmonster Pivot Table & Charts 2.7.17. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Pivot Table Charts
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
1.6%
CVE-2020-20138 MEDIUM POC This Month

Cross Site Scripting (XSS) vulnerability in the Showtime2 Slideshow module in CMS Made Simple (CMSMS) 2.2.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Cms Made Simple
NVD
CVSS 3.1
6.1
EPSS
3.3%
CVE-2020-35489 CRITICAL Act Now

The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload WordPress RCE Contact Form 7
NVD WPScan
CVSS 3.1
10.0
EPSS
89.6%
CVE-2020-12522 CRITICAL Act Now

The reported vulnerability allows an attacker who has network access to the device to execute code with specially crafted packets in WAGO Series PFC 100 (750-81xx/xxx-xxx), Series PFC 200. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Pfc 100 Firmware Pfc 200 Firmware Touch Panel 600 Standard Firmware Touch Panel 600 Advanced Firmware +1
NVD
CVSS 3.1
9.8
EPSS
2.9%
CVE-2020-12519 CRITICAL Act Now

On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS an attacker can use this vulnerability i.e. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Plcnext Firmware
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2020-35545 CRITICAL Act Now

Time-based SQL injection exists in Spotweb 1.4.9 via the query string. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Spotweb
NVD GitHub
CVSS 3.1
9.8
EPSS
3.8%
CVE-2020-26276 CRITICAL PATCH Act Now

Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Mattermost Authentication Bypass Fleet
NVD GitHub
CVSS 3.1
9.8
EPSS
2.2%
CVE-2020-25011 CRITICAL Act Now

A sensitive information disclosure vulnerability in Kyland KPS2204 6 Port Managed Din-Rail Programmable Serial Device Servers Software Version:R0002.P05 allows remote attackers to get username and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Kps2204 6 Port Managed Din Rail Programmable Serial Device Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2020-25010 CRITICAL Act Now

An arbitrary code execution vulnerability in Kyland KPS2204 6 Port Managed Din-Rail Programmable Serial Device Servers Software Version:R0002.P05 allows remote attackers to upload a malicious script. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload RCE Kps2204 6 Port Managed Din Rail Programmable Serial Device Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
2.4%
CVE-2020-35197 CRITICAL Act Now

The official memcached docker images before 1.5.11-alpine (Alpine specific) contain a blank password for a root user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Docker Authentication Bypass Memcached Docker Image
NVD GitHub
CVSS 3.1
9.8
EPSS
2.1%
CVE-2020-35196 CRITICAL Act Now

The official rabbitmq docker images before 3.7.13-beta.1-management-alpine (Alpine specific) contain a blank password for a root user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Docker Authentication Bypass Rabbitmq Docker Image
NVD GitHub
CVSS 3.1
9.8
EPSS
2.1%
CVE-2020-35195 CRITICAL Act Now

The official haproxy docker images before 1.8.18-alpine (Alpine specific) contain a blank password for a root user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Docker Authentication Bypass Haproxy Docker Image
NVD GitHub
CVSS 3.1
9.8
EPSS
2.2%
CVE-2020-35192 CRITICAL Act Now

The official vault docker images before 0.11.6 contain a blank password for a root user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Docker Authentication Bypass Vault
NVD GitHub
CVSS 3.1
9.8
EPSS
2.9%
CVE-2020-35191 CRITICAL Act Now

The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Docker Authentication Bypass Drupal Docker Images
NVD GitHub
CVSS 3.1
9.8
EPSS
4.6%
CVE-2020-35190 CRITICAL Act Now

The official plone Docker images before version of 4.3.18-alpine (Alpine specific) contain a blank password for a root user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Docker Authentication Bypass Plone
NVD GitHub
CVSS 3.1
9.8
EPSS
2.2%
CVE-2020-35186 CRITICAL Act Now

The official adminer docker images before 4.7.0-fastcgi contain a blank password for a root user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Docker Authentication Bypass Adminer
NVD GitHub
CVSS 3.1
9.8
EPSS
2.9%
CVE-2020-35184 CRITICAL Act Now

The official composer docker images before 1.8.3 contain a blank password for a root user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Docker Authentication Bypass Composer Docker Image
NVD GitHub
CVSS 3.1
9.8
EPSS
3.0%
CVE-2020-35189 CRITICAL Act Now

The official kong docker images before 1.0.2-alpine (Alpine specific) contain a blank password for a root user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Docker Authentication Bypass Kong Alpine Docker Image
NVD GitHub
CVSS 3.1
9.8
EPSS
2.2%
CVE-2020-35187 CRITICAL Act Now

The official telegraf docker images before 1.9.4-alpine (Alpine specific) contain a blank password for a root user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Docker Authentication Bypass Telegraf
NVD GitHub
CVSS 3.1
9.8
EPSS
2.2%
CVE-2020-35185 CRITICAL Act Now

The official ghost docker images before 2.16.1-alpine (Alpine specific) contain a blank password for a root user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Docker Authentication Bypass Ghost Alpine Docker Image
NVD GitHub
CVSS 3.1
9.8
EPSS
2.8%
CVE-2020-12523 CRITICAL Act Now

On Phoenix Contact mGuard Devices versions before 8.8.3 LAN ports get functional after reboot even if they are disabled in the device configuration. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Tc Mguard Rs4000 4G Vzw Vpn Firmware Tc Mguard Rs4000 4G Att Vpn Firmware Fl Mguard Rs4004 Tx Dtx Firmware Fl Mguard Rs4004 Tx Dtx Vpn Firmware +5
NVD
CVSS 3.1
9.1
EPSS
0.9%
CVE-2020-12517 CRITICAL Act Now

On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS an authenticated low privileged user could embed malicious Javascript code to gain admin rights when the admin user visits the. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Privilege Escalation Plcnext Firmware
NVD
CVSS 3.1
9.0
EPSS
1.1%
CVE-2020-8462 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to tamper with the web interface of the product. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Trend Micro Interscan Web Security Virtual Appliance
NVD
CVSS 3.1
4.8
EPSS
1.1%
CVE-2020-25096 HIGH This Week

LogRhythm Platform Manager (PM) 7.4.9 has Incorrect Access Control. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Platform Manager
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2020-25095 HIGH This Week

LogRhythm Platform Manager (PM) 7.4.9 allows CSRF. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Platform Manager
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2020-29652 HIGH PATCH This Week

A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Denial Of Service SSH
NVD
CVSS 3.1
7.5
EPSS
3.2%
CVE-2020-15294 HIGH This Week

Compiler Optimization Removal or Modification of Security-critical Code vulnerability in IntPeParseUnwindData() results in multiple dereferences to the same pointer. Rated high severity (CVSS 7.0). No vendor patch available.

RCE Hypervisor Introspection
NVD
CVSS 3.1
7.0
EPSS
0.3%
CVE-2020-12521 MEDIUM This Month

On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS a specially crafted LLDP packet may lead to a high system load in the PROFINET stack. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Plcnext Firmware
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2020-35123 MEDIUM This Month

In Zimbra Collaboration Suite Network Edition versions < 9.0.0 P10 and 8.8.15 P17, there exists an XXE vulnerability in the saml consumer store extension, which is vulnerable to XXE attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Collaboration
NVD
CVSS 3.1
6.5
EPSS
1.5%
CVE-2020-29436 MEDIUM This Month

Sonatype Nexus Repository Manager 3.x before 3.29.0 allows a user with admin privileges to configure the system to gain access to content outside of NXRM via an XXE vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Nexus Repository Manager
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2020-12518 MEDIUM This Month

On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS an attacker can use the knowledge gained by reading the insufficiently protected sensitive information to plan further attacks. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Plcnext Firmware
NVD
CVSS 3.1
5.5
EPSS
0.7%
CVE-2020-15293 MEDIUM This Month

Memory corruption in IntLixCrashDumpDmesg, IntLixTaskFetchCmdLine, IntLixFileReadDentry and IntLixFileGetPath due to insufficient guest-data input validation may lead to denial of service conditions. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service Hypervisor Introspection
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2020-15292 MEDIUM PATCH This Month

Lack of validation on data read from guest memory in IntPeGetDirectory, IntPeParseUnwindData, IntLogExceptionRecord, IntKsymExpandSymbol and IntLixTaskDumpTree may lead to out-of-bounds read or it. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Buffer Overflow Hypervisor Introspection
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2020-4845 MEDIUM PATCH This Month

IBM Security Key Lifecycle Manager 3.0.1 and 4.0 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS IBM Security Key Lifecycle Manager
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2020-35453 MEDIUM This Month

HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD GitHub
CVSS 3.1
5.3
EPSS
0.8%
CVE-2020-35177 MEDIUM PATCH This Month

HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD GitHub
CVSS 3.1
5.3
EPSS
1.3%
CVE-2020-27010 MEDIUM This Month

A cross-site scripting (XSS) vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to tamper with the web interface of the product in a manner separate. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Trend Micro Interscan Web Security Virtual Appliance
NVD
CVSS 3.1
4.8
EPSS
0.7%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy