Total: 2789 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2020-35938 | 1 Pickplugins | 2 Post Grid, Team Showcase | 2024-11-21 | 6.0 MEDIUM | 7.5 HIGH | PHP Object injection vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data supplied in a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to post_grid_import_xml_layouts. |
CVE-2020-35775 | 1 Citsmart | 1 Citsmart | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | CITSmart before 9.1.2.23 allows LDAP Injection. |
CVE-2020-35754 | 1 Opensolution | 2 Quick.cart, Quick.cms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | OpenSolution Quick.CMS < 6.7 and Quick.Cart < 6.7 allow an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Language tab. |
CVE-2020-35734 | 1 Batflat | 1 Batflat | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | ** UNSUPPORTED WHEN ASSIGNED ** Sruu.pl in Batflat 1.3.6 allows an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Users tab. To exploit this, one must login to the administration panel and edit an arbitrary user's data (username, displayed name, etc.). NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
CVE-2020-35669 | 1 Dart | 1 Http | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | An issue was discovered in the http package through 0.12.2 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request. |
CVE-2020-35609 | 1 Microsoft | 1 Azure Sphere | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM | A denial-of-service vulnerability exists in the asynchronous ioctl functionality of Microsoft Azure Sphere 20.05. A sequence of specially crafted ioctl calls can cause a denial of service. An attacker can write shellcode to trigger this vulnerability. |
CVE-2020-35608 | 1 Microsoft | 1 Azure Sphere | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | A code execution vulnerability exists in the normal world's signed code execution functionality of Microsoft Azure Sphere 20.07. A specially crafted AF_PACKET socket can cause a process to create an executable memory mapping with controllable content. An attacker can execute a shellcode that uses the PACKET_MMAP functionality to trigger this vulnerability. |
CVE-2020-35564 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an outdated and unused component allowing for malicious user input of active code. |
CVE-2020-35226 | 1 Netgear | 4 Gs116e, Gs116e Firmware, Jgs516pe and 1 more | 2024-11-21 | 4.8 MEDIUM | 7.1 HIGH | NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices allow unauthenticated users to modify the switch DHCP configuration by sending the corresponding write request command. |
CVE-2020-35213 | 1 Atomix | 1 Atomix | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH | An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node. |
CVE-2020-29655 | 1 Asus | 2 Rt-ac88u, Rt-ac88u Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An injection vulnerability exists in RT-AC88U Download Master before 3.1.0.108. Accessing Main_Login.asp?flag=1&productname=FOOBAR&url=/downloadmaster/task.asp will redirect to the login site, which will show the value of the parameter productname within the title. An attacker might be able to influence the appearance of the login page, aka text injection. |
CVE-2020-29135 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 3.5 LOW | 4.1 MEDIUM | cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567). |
CVE-2020-28848 | 1 Churchcrm | 1 Churchcrm | 2024-11-21 | N/A | 8.8 HIGH | CSV Injection vulnerability in ChurchCRM version 4.2.0 allows remote attackers to execute arbitrary code via a crafted CSV file. |
CVE-2020-28470 | 1 Scully | 1 Scully | 2024-11-21 | 4.3 MEDIUM | 7.3 HIGH | This affects the package @scullyio/scully before 1.0.9. The transfer state is serialised with the JSON.stringify() function and then written into the HTML page. |
CVE-2020-28246 | 1 Form | 1 Form.io | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | A Server-Side Template Injection (SSTI) was discovered in Form.io 2.0.0. This leads to Remote Code Execution during deletion of the default Email template URL. NOTE: the email templating service was removed after 2020. Additionally, the vendor disputes this issue indicating this is sandboxed and only executable by admins. |
CVE-2020-28031 | 1 Eramba | 1 Eramba | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | eramba through c2.8.1 allows HTTP Host header injection with (for example) resultant wkhtml2pdf PDF printing by authenticated users. |
CVE-2020-27687 | 1 Thingsboard | 1 Thingsboard | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. This allows an attacker to send malicious links in password-reset emails to victims, pointing to an attacker-controlled server. Lack of validation of the Host header allows this to happen. |
CVE-2020-27627 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM | JetBrains TeamCity before 2020.1.2 was vulnerable to URL injection. |
CVE-2020-27602 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | N/A | 9.8 CRITICAL | BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken. |
CVE-2020-27260 | 1 Innokasmedical | 2 Vital Signs Monitor Vc150, Vital Signs Monitor Vc150 Firmware | 2024-11-21 | 2.1 LOW | 5.3 MEDIUM | Innokas Yhtymä Oy Vital Signs Monitor VC150 prior to Version 1.7.15: HL7 v2.x injection vulnerabilities exist in the affected products that allow physically proximate attackers with a connected barcode reader to inject HL7 v2.x segments into specific HL7 v2.x messages via multiple expected parameters. |