Skip to main content
CVE-2020-35245 CRITICAL POC Act Now

Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::addUser. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Flamingo
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2020-35244 CRITICAL POC Act Now

Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::addGroup. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Flamingo
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2020-35243 CRITICAL POC Act Now

Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::updateUserInfoInDb. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Flamingo
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2020-35242 CRITICAL POC Act Now

Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::updateUserTeamInfoInDbAndMemory. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Flamingo
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2020-29203 CRITICAL POC Act Now

struct2json before 2020-11-18 is affected by a Buffer Overflow because strcpy is used for S2J_STRUCT_GET_string_ELEMENT. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Struct2Json
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2020-35364 CRITICAL POC Act Now

Beijing Huorong Internet Security 5.0.55.2 allows a non-admin user to escalate privileges by injecting code into a process, and then waiting for a Huorong services restart or a system reboot. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Internet Security
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2020-35575 CRITICAL POC Act Now

A password-disclosure issue in the web interface on certain TP-Link devices allows a remote attacker to get full administrative access to the web panel. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure TP-Link Wa901Nd Firmware Archer C5 Firmware Archer C7 Firmware +24
NVD
CVSS 3.1
9.8
EPSS
7.6%
CVE-2020-35713 CRITICAL POC THREAT Act Now

Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters to the goform/setSysAdm page. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Linksys Re6500 Firmware
NVD
CVSS 3.1
9.8
EPSS
32.7%
CVE-2020-26766 HIGH POC This Week

A Cross Site Request Forgery (CSRF) vulnerability exists in the loginsystem page in PHPGurukul User Registration & Login and User Management System With Admin Panel 2.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF User Registration Login And User Management System With Admin Panel
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2020-25917 HIGH POC This Week

Stratodesk NoTouch Center before 4.4.68 is affected by: Incorrect Access Control. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Notouch Center
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2020-35715 HIGH POC This Week

Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote authenticated users to execute arbitrary commands via shell metacharacters in a filename to the upload_settings.cgi page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Linksys Re6500 Firmware
NVD
CVSS 3.1
8.8
EPSS
3.7%
CVE-2020-35714 HIGH POC This Week

Belkin LINKSYS RE6500 devices before 1.0.11.001 allow remote authenticated users to execute arbitrary commands via goform/systemCommand?command= in conjunction with the goform/pingstart program. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Linksys Re6500 Firmware
NVD
CVSS 3.1
8.8
EPSS
2.7%
CVE-2020-35362 HIGH POC This Week

DEXT5Upload 2.7.1262310 and earlier is affected by Directory Traversal in handler/dext5handler.jsp. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Dext5Upload
NVD GitHub
CVSS 3.1
7.5
EPSS
1.6%
CVE-2020-35284 HIGH POC This Week

Flamingo (aka FlamingoIM) through 2020-09-29 allows ../ directory traversal because the only ostensibly unpredictable part of a file-transfer request is an MD5 computation; however, this computation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Flamingoim
NVD GitHub
CVSS 3.1
7.5
EPSS
1.6%
CVE-2020-35450 HIGH POC This Week

Gobby 0.4.11 allows a NULL pointer dereference in the D-Bus handler for certain set_language calls. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Gobby
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2020-35359 HIGH POC This Week

Pure-FTPd 1.0.48 allows remote attackers to prevent legitimate server use by making enough connections to exceed the connection limit. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Pure Ftpd
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
4.7%
CVE-2020-35376 HIGH POC This Week

Xpdf 4.02 allows stack consumption because of an incorrect subroutine reference in a Type 1C font charstring, related to the FoFiType1C::getOp() function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption Xpdf Fedora
NVD
CVSS 3.1
7.5
EPSS
2.1%
CVE-2020-35388 HIGH POC This Week

rainrocka xinhu 2.1.9 allows remote attackers to obtain sensitive information via an index.php?a=gettotal request in which the ajaxbool value is manipulated to be true. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Xinhu
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2020-35716 HIGH POC This Week

Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to cause a persistent denial of service (segmentation fault) via a long /goform/langSwitch langSelectionOnly parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Linksys Re6500 Firmware
NVD
CVSS 3.1
7.5
EPSS
3.9%
CVE-2020-35347 MEDIUM POC This Month

CXUUCMS V3 3.1 has a CSRF vulnerability that can add an administrator account via admin.php?c=adminuser&a=add. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP Cxuucms
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2020-20412 MEDIUM POC This Month

lib/codebook.c in libvorbis before 1.3.6, as used in StepMania 5.0.12 and other products, has insufficient array bounds checking via a crafted OGG file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Stepmania Libvorbis
NVD GitHub
CVSS 3.1
6.5
EPSS
1.0%
CVE-2020-35437 MEDIUM POC This Month

Subrion CMS 4.2.1 is affected by: Cross Site Scripting (XSS) through the avatar[path] parameter in a POST request to the /_core/profile/ URI. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Subrion Cms
NVD GitHub Exploit-DB
CVSS 3.1
6.1
EPSS
3.0%
CVE-2020-27515 MEDIUM POC This Month

A Cross Site Scripting (XSS) vulnerability in Savsoft Quiz v5.0 allows remote attackers to inject arbitrary web script or HTML via the Skype ID field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Savsoft Quiz
NVD GitHub Exploit-DB
CVSS 3.1
6.1
EPSS
1.3%
CVE-2020-35712 CRITICAL Act Now

Esri ArcGIS Server before 10.8 is vulnerable to SSRF in some configurations. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Arcgis Server
NVD
CVSS 3.1
9.8
EPSS
1.6%
CVE-2020-28759 MEDIUM POC This Month

The serializer module in OAID Tengine lite-v1.0 has a Buffer Overflow and crash. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Tengine
NVD GitHub
CVSS 3.1
5.5
EPSS
0.7%
CVE-2020-35349 MEDIUM POC This Month

Savsoft Quiz 5 is affected by: Cross Site Scripting (XSS) via field_title (aka a title on the custom fields page). Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Savsoft Quiz
NVD Exploit-DB
CVSS 3.1
4.8
EPSS
0.6%
CVE-2020-35346 MEDIUM POC This Month

CXUUCMS V3 3.1 is affected by a reflected XSS vulnerability that allows remote attackers to inject arbitrary web script or HTML via the imgurl parameter of admin.php?c=content&a=add. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Cxuucms
NVD GitHub
CVSS 3.1
4.8
EPSS
0.7%
CVE-2020-29172 MEDIUM This Month

A cross-site scripting (XSS) vulnerability in the LiteSpeed Cache plugin before 3.6.1 for WordPress can be exploited via the Server IP setting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Litespeed Cache
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2020-29385 MEDIUM PATCH This Month

GNOME gdk-pixbuf (aka GdkPixbuf) before 2.42.2 allows a denial of service (infinite loop) in lzw.c in the function write_indexes. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.

Denial Of Service Gdk Pixbuf Ubuntu Linux Fedora
NVD
CVSS 3.1
5.5
EPSS
1.5%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy