Skip to main content
CVE-2020-35729 CRITICAL POC THREAT Emergency

KLog Server 2.4.1 allows OS command injection via shell metacharacters in the actions/authenticate.php user parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP Klog Server
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
88.0%
CVE-2020-35728 HIGH PATCH Act Now

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 41.1%.

Apache Oracle Deserialization Jackson Databind Debian Linux +38
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
41.1%
CVE-2020-8290 HIGH POC This Week

Backblaze for Windows and Backblaze for macOS before 7.0.0.439 suffer from improper privilege management in `bztransmit` helper due to lack of permission handling and validation before creation of. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Microsoft Apple Backblaze
NVD GitHub
CVSS 3.1
7.8
EPSS
0.6%
CVE-2020-8289 HIGH POC This Week

Backblaze for Windows before 7.0.1.433 and Backblaze for macOS before 7.0.1.434 suffer from improper certificate validation in `bztransmit` helper due to hardcoded whitelist of strings in URLs where. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Microsoft Apple Backblaze
NVD GitHub
CVSS 3.1
7.8
EPSS
4.7%
CVE-2020-35736 HIGH POC THREAT This Week

GateOne 1.1 allows arbitrary file download without authentication via /downloads/.. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Gateone
NVD GitHub
CVSS 3.1
7.5
EPSS
15.4%
CVE-2020-29250 MEDIUM POC This Month

CXUUCMS V3 allows XSS via the first and third input fields to /public/admin.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Cxuucms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-29249 MEDIUM POC This Month

CXUUCMS V3 allows class="layui-input" XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Cxuucms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-29204 MEDIUM POC PATCH This Month

XXL-JOB 2.2.0 allows Stored XSS (in Add User) to bypass the 20-character limit via xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Java Xxl Job
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2020-7845 CRITICAL Act Now

Spamsniper 5.0 ~ 5.2.7 contain a stack-based buffer overflow vulnerability caused by improper boundary checks when parsing MAIL FROM command. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Stack Overflow Spamsniper
NVD
CVSS 3.1
9.8
EPSS
2.7%
CVE-2020-29156 MEDIUM POC PATCH This Month

The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Woocommerce
NVD GitHub
CVSS 3.1
5.3
EPSS
4.0%
CVE-2020-35448 LOW POC Monitor

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Binutils Ontap Select Deploy Administration Utility
NVD
CVSS 3.1
3.3
EPSS
1.3%
CVE-2020-29299 HIGH This Week

Certain Zyxel products allow command injection by an admin via an input string to chg_exp_pwd during a password-change action. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zyxel Command Injection Vpn Orchestrator Zld Nsg Firmware +1
NVD
CVSS 3.1
7.2
EPSS
2.3%
CVE-2020-35678 MEDIUM PATCH This Month

Autobahn|Python before 20.12.3 allows redirect header injection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Python Open Redirect Autobahn
NVD GitHub
CVSS 3.1
6.1
EPSS
1.4%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy