Skip to main content
CVE-2020-35665 CRITICAL POC THREAT Emergency

An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP Terramaster Operating System
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
78.1%
CVE-2020-28073 CRITICAL POC Act Now

SourceCodester Library Management System 1.0 is affected by SQL Injection allowing an attacker to bypass the user authentication and impersonate any user on the system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Library Management System
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2020-28070 CRITICAL POC THREAT Act Now

SourceCodester Alumni Management System 1.0 is affected by SQL injection causing arbitrary remote code execution from GET input in view_event.php via the 'id' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE SQLi PHP Alumni Management System
NVD
CVSS 3.1
9.8
EPSS
22.9%
CVE-2020-13968 CRITICAL POC Act Now

CRK Business Platform <= 2019.1 allows can inject SQL statements against the DB on any path using the 'strSessao' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Business Platform
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2020-29552 CRITICAL POC Act Now

An issue was discovered in URVE Build 24.03.2020. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP Urve
NVD
CVSS 3.1
9.8
EPSS
4.8%
CVE-2020-29551 CRITICAL POC Act Now

An issue was discovered in URVE Build 24.03.2020. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP Urve
NVD
CVSS 3.1
9.1
EPSS
2.8%
CVE-2020-35666 HIGH POC This Week

Steedos Platform through 1.21.24 allows NoSQL injection because the /api/collection/findone implementation in server/packages/steedos_base.js mishandles req.body validation, as demonstrated by. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Steedos
NVD GitHub
CVSS 3.1
8.8
EPSS
1.1%
CVE-2020-35370 HIGH POC This Week

A RCE vulnerability exists in Raysync below 3.3.3.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Raysync
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
7.5%
CVE-2020-27397 HIGH POC This Week

Marital - Online Matrimonial Project In PHP version 1.0 suffers from an authenticated file upload vulnerability allowing remote attackers to gain remote code execution (RCE) on the Hosting web server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE PHP Online Matrimonial Project
NVD
CVSS 3.1
8.8
EPSS
2.6%
CVE-2020-35668 HIGH POC PATCH This Week

RedisGraph 2.x through 2.2.11 has a NULL Pointer Dereference that leads to a server crash because it mishandles an unquoted string, such as an alias that has not yet been introduced. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Null Pointer Dereference Denial Of Service Redisgraph
NVD GitHub
CVSS 3.1
7.5
EPSS
1.6%
CVE-2020-35598 HIGH POC THREAT This Week

ACS Advanced Comment System 1.0 is affected by Directory Traversal via an advanced_component_system/index.php?ACS_path=..%2f URI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Advanced Comment System
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
21.0%
CVE-2020-29550 HIGH POC This Week

An issue was discovered in URVE Build 24.03.2020. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Information Disclosure Urve
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2020-35586 HIGH POC This Week

In Solstice Pod before 3.3.0 (or Open4.3), the Administrator password can be enumerated using brute-force attacks via the /Config/service/initModel?password= Solstice Open Control API because there. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Solstice Pod Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2020-35585 HIGH POC This Week

In Solstice Pod before 3.3.0 (or Open4.3), the screen key can be enumerated using brute-force attacks via the /lookin/info Solstice Open Control API because there are only 1.7 million possibilities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Solstice Pod Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2020-11718 HIGH POC This Week

An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and below. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Bilanc
NVD
CVSS 3.1
7.4
EPSS
0.8%
CVE-2020-35136 HIGH POC PATCH This Week

Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE PHP Dolibarr Erp Crm
NVD GitHub
CVSS 3.1
7.2
EPSS
6.4%
CVE-2020-35657 HIGH POC This Week

Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of UploadTheme to upload a theme ZIP archive containing a .php file that is able to execute OS. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE PHP Jaws
NVD GitHub
CVSS 3.1
7.2
EPSS
2.4%
CVE-2020-35656 HIGH POC This Week

Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser and. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE PHP Jaws
NVD GitHub
CVSS 3.1
7.2
EPSS
2.4%
CVE-2020-35252 MEDIUM POC This Month

Cross Site Scripting (XSS) vulnerability via the 'Full Name' parameter in the User Registration section of User Registration & Login System with Admin Panel 1.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS User Registration And Login System With Admin Panel
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
1.0%
CVE-2020-13969 MEDIUM POC This Month

CRK Business Platform <= 2019.1 allows reflected XSS via erro.aspx on 'CRK', 'IDContratante', 'Erro', or 'Mod' parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Business Platform
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-35584 MEDIUM POC This Month

In Solstice Pod before 3.0.3, the web services allow users to connect to them over unencrypted channels via the Browser Look-in feature. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Solstice Pod Firmware
NVD GitHub
CVSS 3.1
5.9
EPSS
0.8%
CVE-2020-28074 CRITICAL Act Now

SourceCodester Online Health Care System 1.0 is affected by SQL Injection which allows a potential attacker to bypass the authentication system and become an admin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Online Health Care System
NVD
CVSS 3.1
9.8
EPSS
2.3%
CVE-2020-11720 CRITICAL Act Now

An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and possibly below. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Bilanc
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2020-25196 CRITICAL Act Now

The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower allows SSH/Telnet sessions, which may be vulnerable to brute force attacks to bypass authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Nport Iaw5000A I O Firmware
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2020-25190 CRITICAL Act Now

The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower stores and transmits the credentials of third-party services in cleartext. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Nport Iaw5000A I O Firmware
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2020-35658 MEDIUM POC This Month

SpamTitan before 7.09 allows attackers to tamper with backups, because backups are not encrypted. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Spamtitan
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2020-35269 HIGH This Week

Nagios Core application version 4.2.4 is vulnerable to Site-Wide Cross-Site Request Forgery (CSRF) in many functions, like adding - deleting for hosts or servers. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Nagios Core
NVD GitHub
CVSS 3.1
8.8
EPSS
2.3%
CVE-2020-28071 MEDIUM POC This Month

SourceCodester Alumni Management System 1.0 is affected by cross-site Scripting (XSS) in /admin/gallery.php. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Alumni Management System
NVD
CVSS 3.1
4.8
EPSS
0.6%
CVE-2020-25198 HIGH This Week

The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower has incorrectly implemented protections from session fixation, which may allow an attacker to gain access to a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Nport Iaw5000A I O Firmware
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2020-25194 HIGH This Week

The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower has improper privilege management, which may allow an attacker with user privileges to perform requests with. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Nport Iaw5000A I O Firmware
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2020-11719 HIGH This Week

An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and possibly below. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Bilanc
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2020-35587 HIGH This Week

In Solstice Pod before 3.0.3, the firmware can easily be decompiled/disassembled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Solstice Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2020-25153 HIGH This Week

The built-in web service for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower does not require users to have strong passwords. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Brute Force Nport Iaw5000A I O Firmware
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2020-9439 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Owl Tin Canny LearnDash Reporting before 3.4.4 allows authenticated remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP Tin Canny Reporting For Learndash
NVD GitHub
CVSS 3.1
6.1
EPSS
0.8%
CVE-2020-6159 MEDIUM This Month

URLs using “javascript:” have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but in certain circumstances this removal was not. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Google Opera
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2020-35650 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Groups for LearnDash before v3.7 allow authenticated remote attackers to inject arbitrary JavaScript or HTML via the ulgm_code_redeem. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP Uncanny Groups For Learndash
NVD GitHub
CVSS 3.1
6.1
EPSS
0.8%
CVE-2020-4642 MEDIUM This Month

IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow local attacker to cause a denial of service inside the "DB2 Management Service". Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service IBM Microsoft Db2
NVD
CVSS 3.1
5.5
EPSS
0.4%
CVE-2020-25192 MEDIUM This Month

The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower allows sensitive information to be displayed without proper authorization. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Nport Iaw5000A I O Firmware
NVD
CVSS 3.1
5.3
EPSS
0.9%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy