Skip to main content
CVE-2020-28188 CRITICAL POC THREAT Emergency

Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php in Event parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP Tos
NVD
CVSS 3.1
9.8
EPSS
96.6%
CVE-2020-26282 CRITICAL POC PATCH Act Now

BrowserUp Proxy allows you to manipulate HTTP requests and responses, capture HTTP content, and export performance data as a HAR file. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Java RCE Browserup Proxy
NVD GitHub
CVSS 3.1
10.0
EPSS
4.6%
CVE-2020-29474 CRITICAL POC Act Now

EGavilan Media EGM Address Book 1.0 contains a SQL injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE SQLi Egm Address Book
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
4.1%
CVE-2020-29472 CRITICAL POC Act Now

EGavilan Media Under Construction page with cPanel 1.0 contains a SQL injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE SQLi Under Construction Page With Cpanel
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
4.1%
CVE-2020-28187 CRITICAL POC THREAT Act Now

Multiple directory traversal vulnerabilities in TerraMaster TOS <= 4.2.06 allow remote authenticated attackers to read, edit or delete any file within the filesystem via the (1) filename parameter to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Tos
NVD
CVSS 3.1
9.8
EPSS
16.4%
CVE-2020-35693 HIGH POC This Week

On some Samsung phones and tablets running Android through 7.1.1, it is possible for an attacker-controlled Bluetooth Low Energy (BLE) device to pair silently with a vulnerable target device, without. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Samsung Information Disclosure Android
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2020-29189 HIGH POC This Week

Incorrect Access Control vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated attackers to bypass read-only restriction and obtain full access to any folder within the NAS. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Tos
NVD VulDB
CVSS 3.1
8.1
EPSS
1.2%
CVE-2020-11093 HIGH POC PATCH This Week

Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Jwt Attack Authentication Bypass Indy Node
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2020-28186 HIGH POC This Week

Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Tos
NVD
CVSS 3.1
7.3
EPSS
4.1%
CVE-2020-28169 HIGH POC PATCH This Week

The td-agent-builder plugin before 2020-12-18 for Fluentd allows attackers to gain privileges because the bin directory is writable by a user account, but a file in bin is executed as NT. Rated high severity (CVSS 7.0). Public exploit code available.

Information Disclosure Td Agent Builder Debian Linux
NVD GitHub Exploit-DB
CVSS 3.1
7.0
EPSS
1.2%
CVE-2020-35676 MEDIUM POC This Month

BigProf Online Invoicing System before 3.1 fails to correctly sanitize an XSS payload when a user registers using the self-registration functionality. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Online Invoicing System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-35669 MEDIUM POC This Month

An issue was discovered in the http package through 0.12.2 for Dart. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Http
NVD GitHub
CVSS 3.1
6.1
EPSS
2.2%
CVE-2020-28190 MEDIUM POC This Month

TerraMaster TOS <= 4.2.06 was found to check for updates (of both system and applications) via an insecure channel (HTTP). Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Tos
NVD
CVSS 3.1
5.9
EPSS
0.8%
CVE-2020-28184 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated users to inject arbitrary web script or HTML via the mod parameter to /module/index.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Tos
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2020-28185 MEDIUM POC THREAT This Month

User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Tos
NVD
CVSS 3.1
5.3
EPSS
18.1%
CVE-2020-29247 MEDIUM POC This Month

WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Admin Panel. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wondercms
NVD Exploit-DB VulDB
CVSS 3.1
4.8
EPSS
1.1%
CVE-2020-24658 HIGH This Week

Arm Compiler 5 through 5.06u6 has an error in a stack protection feature designed to help spot stack-based buffer overflows in local arrays. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service Arm Compiler
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2020-9200 HIGH This Week

There has a CSV injection vulnerability in iManager NetEco 6000 versions V600R021C00. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Imanager Neteco 6000
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2020-5681 HIGH This Week

Untrusted search path vulnerability in self-extracting files created by EpsonNet SetupManager versions 2.2.14 and earlier, and Offirio SynergyWare PrintDirector versions 1.6x/1.6y and earlier allows. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Epsonnet Setupmanager Offirio Synergyware Printdirector
NVD
CVSS 3.1
7.8
EPSS
0.9%
CVE-2020-9120 HIGH This Week

CloudEngine 1800V versions V100R019C10SPC500 has a resource management error vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cloudengine 1800V
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2020-35680 HIGH PATCH This Week

smtpd/lka_filter.c in OpenSMTPD before 6.8.0p1, in certain configurations, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted pattern of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Null Pointer Dereference Denial Of Service Opensmtpd Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
3.6%
CVE-2020-35679 HIGH PATCH This Week

smtpd/table.c in OpenSMTPD before 6.8.0p1 lacks a certain regfree, which might allow attackers to trigger a "very significant" memory leak via messages to an instance that performs many regex lookups. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Opensmtpd Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
2.8%
CVE-2020-27728 HIGH This Week

On BIG-IP ASM & Advanced WAF versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 14.1.0-14.1.3, under certain conditions, Analytics, Visibility, and Reporting daemon (AVRD) may generate a core file and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Big Ip Advanced Web Application Firewall Big Ip Application Security Manager
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2020-27723 HIGH This Week

In versions 14.1.0-14.1.3 and 13.1.0-13.1.3.4, a BIG-IP APM virtual server processing PingAccess requests may lead to a restart of the Traffic Management Microkernel (TMM) process. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Big Ip Access Policy Manager
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2020-27720 HIGH This Week

On BIG-IP LTM/CGNAT version 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, and 13.1.0-13.1.3.5, when processing NAT66 traffic with Port Block Allocation (PBA) mode and SP-DAG enabled, and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Big Ip Carrier Grade Nat Big Ip Local Traffic Manager
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2020-27717 HIGH This Week

On BIG-IP DNS 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, and 12.1.0-12.1.5.2, undisclosed series of DNS requests may cause TMM to restart and generate a core file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Big Ip Domain Name System
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2020-27716 HIGH This Week

On versions 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, when a BIG-IP APM virtual server processes traffic of an undisclosed nature, the Traffic Management. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Big Ip Access Policy Manager
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2020-27715 HIGH This Week

On BIG-IP 15.1.0-15.1.0.5 and 14.1.0-14.1.3, crafted TLS request to the BIG-IP management interface via port 443 can cause high (~100%) CPU utilization by the httpd daemon. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Big Ip Access Policy Manager Big Ip Advanced Firewall Manager Big Ip Analytics Big Ip Application Acceleration Manager +7
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2020-27714 HIGH This Week

On the BIG-IP AFM version 15.1.0-15.1.0.5, 14.1.0-14.1.3, and 13.1.0-13.1.3.5, when a Protocol Inspection Profile is attached to a FastL4 virtual server with the protocol field configured to either. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Big Ip Advanced Firewall Manager
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2020-27721 HIGH This Week

In versions 16.0.0-16.0.0.1, 15.1.0-15.1.1, 14.1.0-14.1.3, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, in a BIG-IP DNS / BIG-IP LTM GSLB deployment, under certain circumstances, the BIG-IP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Big Ip Domain Name System Big Ip Global Traffic Manager
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2020-27718 HIGH This Week

When a BIG-IP ASM or Advanced WAF system running version 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, or 11.6.1-11.6.5.2 processes requests with JSON payload, an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Big Ip Advanced Web Application Firewall Big Ip Application Security Manager
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2020-2504 HIGH This Week

If exploited, this absolute path traversal vulnerability could allow attackers to traverse files in File Station. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Qnap Path Traversal Qes
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2020-2499 HIGH This Week

A hard-coded password vulnerability has been reported to affect earlier versions of QES. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Qnap Authentication Bypass Qes
NVD
CVSS 3.1
7.2
EPSS
1.4%
CVE-2020-28912 HIGH This Week

With MariaDB running on Windows, when local clients connect to the server over named pipes, it's possible for an unprivileged user with an ability to run code on the server machine to intercept the. Rated high severity (CVSS 7.0). No vendor patch available.

Microsoft Information Disclosure MariaDB
NVD
CVSS 3.1
7.0
EPSS
0.4%
CVE-2020-9137 MEDIUM This Month

There is a privilege escalation vulnerability in some versions of CloudEngine 12800,CloudEngine 5800,CloudEngine 6800 and CloudEngine 7800. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Cloudengine 12800 Firmware Cloudengine 5800 Firmware Cloudengine 6800 Firmware Cloudengine 7800 Firmware
NVD
CVSS 3.1
6.7
EPSS
0.2%
CVE-2020-9201 MEDIUM This Month

There is an out-of-bounds read vulnerability in some versions of NIP6800, Secospace USG6600 and USG9500. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Nip6800 Firmware Secospace Usg6600 Firmware Usg9500 Firmware
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2020-27722 MEDIUM This Month

In BIG-IP APM versions 15.0.0-15.0.1.3, 14.1.0-14.1.3, and 13.1.0-13.1.3.4, under certain conditions, the VDI plugin does not observe plugin flow-control protocol causing excessive resource. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Big Ip Access Policy Manager
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2020-27724 MEDIUM This Month

In BIG-IP APM versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, on systems running more than one TMM instance,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Big Ip Access Policy Manager
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2020-9119 MEDIUM This Month

There is a privilege escalation vulnerability on some Huawei smart phones due to design defects. Rated medium severity (CVSS 6.2), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Huawei Mate 10 Firmware Mate 30 Firmware Mate 30 Pro Firmware +2
NVD
CVSS 3.1
6.2
EPSS
0.2%
CVE-2020-35659 MEDIUM PATCH This Month

The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Pi Hole
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2020-27729 MEDIUM This Month

In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, an undisclosed link on the BIG-IP APM virtual server allows a malicious user to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Big Ip Access Policy Manager
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2020-27726 MEDIUM This Month

In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, and 12.1.0-12.1.5.2, a reflected cross-site scripting (XSS) vulnerability exists in the resource information page for. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Big Ip Access Policy Manager
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2020-27719 MEDIUM This Month

On BIG-IP 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 14.1.0-14.1.3, a cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Big Ip Access Policy Manager Big Ip Advanced Firewall Manager Big Ip Advanced Web Application Firewall Big Ip Analytics +10
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2020-2503 MEDIUM This Month

If exploited, this stored cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Qnap Qes
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2020-27727 MEDIUM This Month

On BIG-IP version 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, and 13.1.0-13.1.3.4, when an authenticated administrative user installs RPMs using the iAppsLX REST installer, the BIG-IP system. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Big Ip Access Policy Manager Big Ip Advanced Firewall Manager Big Ip Analytics Big Ip Application Acceleration Manager +7
NVD
CVSS 3.1
4.9
EPSS
0.8%
CVE-2020-35677 MEDIUM This Month

BigProf Online Invoicing System before 4.0 fails to adequately sanitize fields for HTML characters upon an administrator using admin/pageEditGroup.php to create a new group, resulting in Stored XSS. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS CSRF PHP Online Invoicing System
NVD
CVSS 3.1
4.8
EPSS
0.3%
CVE-2020-5684 MEDIUM This Month

iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express does not verify a server certificate properly, which allows a man-in-the-middle attacker to. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Ism Server
NVD
CVSS 3.1
4.8
EPSS
0.3%
CVE-2020-9202 MEDIUM This Month

There is an information disclosure vulnerability in TE Mobile software versions V600R006C10,V600R006C10SPC100. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Te Mobile
NVD
CVSS 3.1
4.4
EPSS
0.2%
CVE-2020-27725 MEDIUM This Month

In version 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2 of BIG-IP DNS, GTM, and Link Controller, zxfrd leaks memory when listing DNS zones. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Big Ip Domain Name System Big Ip Global Traffic Manager Big Ip Link Controller
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2020-2505 LOW Monitor

If exploited, this vulnerability could allow attackers to gain sensitive information via generation of error messages. Rated low severity (CVSS 2.3), this vulnerability is low attack complexity. No vendor patch available.

Qnap Information Disclosure Qes
NVD
CVSS 3.1
2.3
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy