Vulnerabilities (CVE)

Total 315269 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-26045 1 Thedaylightstudio 1 Fuel Cms 2024-11-21 7.5 HIGH 9.8 CRITICAL
FUEL CMS 1.4.11 allows SQL Injection via parameter 'name' in /fuel/permissions/create/. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CVE-2020-26043 1 Hoosk 1 Hoosk 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Hoosk CMS v1.8.0. There is a XSS vulnerability in install/index.php
CVE-2020-26042 1 Hoosk 1 Hoosk 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Hoosk CMS v1.8.0. There is a SQL injection vulnerability in install/index.php
CVE-2020-26041 1 Hoosk 1 Hoosk 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Hoosk CmS v1.8.0. There is an Remote Code Execution vulnerability in install/index.php
CVE-2020-26037 1 Evenbalance 1 Punkbuster 2024-11-21 N/A 9.8 CRITICAL
Directory Traversal vulnerability in Server functionalty in Even Balance Punkbuster version 1.902 before 1.905 allows remote attackers to execute arbitrary code.
CVE-2020-26035 1 Zammad 1 Zammad 2024-11-21 3.5 LOW 5.4 MEDIUM
An issue was discovered in Zammad before 3.4.1. There is Stored XSS via a Tags element in a TIcket.
CVE-2020-26034 1 Zammad 1 Zammad 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
An account-enumeration issue was discovered in Zammad before 3.4.1. The Create User functionality is implemented in a way that would enable an anonymous user to guess valid user email addresses. The application responds differently depending on whether the input supplied was recognized as associated with a valid user.
CVE-2020-26033 1 Zammad 1 Zammad 2024-11-21 5.8 MEDIUM 5.4 MEDIUM
An issue was discovered in Zammad before 3.4.1. The Tag and Link REST API endpoints (for add and delete) lack a CSRF token check.
CVE-2020-26032 1 Zammad 1 Zammad 2024-11-21 5.0 MEDIUM 7.5 HIGH
An SSRF issue was discovered in Zammad before 3.4.1. The SMS configuration interface for Massenversand is implemented in a way that renders the result of a test request to the User. An attacker can use this to request any URL via a GET request from the network interface of the server. This may lead to disclosure of information from intranet systems.
CVE-2020-26031 1 Zammad 1 Zammad 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in Zammad before 3.4.1. The global-search feature leaks Knowledge Base drafts to Knowledge Base readers (who are authenticated but have insufficient permissions).
CVE-2020-26030 1 Zammad 1 Zammad 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Zammad before 3.4.1. There is an authentication bypass in the SSO endpoint via a crafted header, when SSO is not configured. An attacker can create a valid and authenticated session that can be used to perform any actions in the name of other users.
CVE-2020-26029 1 Zammad 1 Zammad 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
An issue was discovered in Zammad before 3.4.1. There are wrong authorization checks for impersonation requests via X-On-Behalf-Of. The authorization checks are performed for the actual user and not the one given in the X-On-Behalf-Of header.
CVE-2020-26028 1 Zammad 1 Zammad 2024-11-21 4.0 MEDIUM 4.9 MEDIUM
An issue was discovered in Zammad before 3.4.1. Admin Users without a ticket.* permission can access Tickets.
CVE-2020-26008 1 Shopxo 1 Shopxo 2024-11-21 6.8 MEDIUM 7.8 HIGH
The PluginsUpload function in application/service/PluginsAdminService.php of ShopXO v1.9.0 contains an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVE-2020-26007 1 Shopxo 1 Shopxo 2024-11-21 6.8 MEDIUM 7.8 HIGH
An arbitrary file upload vulnerability in the upload payment plugin of ShopXO v1.9.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVE-2020-26006 1 Online Examination System Project 1 Online Examination System 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Project Worlds Online Examination System 1.0 is affected by Cross Site Scripting (XSS) via account.php.
CVE-2020-25990 1 Websitebaker 1 Websitebaker 2024-11-21 7.5 HIGH 9.8 CRITICAL
WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' in /websitebaker/admin/preferences/save.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CVE-2020-25989 1 Pritunl 1 Pritunl-client-electron 2024-11-21 7.2 HIGH 7.8 HIGH
Privilege escalation via arbitrary file write in pritunl electron client 1.0.1116.6 through v1.2.2550.20. Successful exploitation of the issue may allow an attacker to execute code on the effected system with root privileges.
CVE-2020-25988 1 Genexis 2 Platinum 4410, Platinum 4410 Firmware 2024-11-21 3.3 LOW 6.5 MEDIUM
UPNP Service listening on port 5555 in Genexis Platinum 4410 Router V2.1 (P4410-V2–1.34H) has an action 'X_GetAccess' which leaks the credentials of 'admin', provided that the attacker is network adjacent.
CVE-2020-25987 1 Monocms 1 Monocms 2024-11-21 5.0 MEDIUM 7.5 HIGH
MonoCMS Blog 1.0 stores hard-coded admin hashes in the log.xml file in the source files for MonoCMS Blog. Hash type is bcrypt and hashcat mode 3200 can be used to crack the hash.