The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2020-24916 | CGI implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to OS command injection. | HIGH | Sep 9, 2020 |
| CVE-2020-24914 | A PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable strProfileData and allows an unauthenticated attacker to execute code via a crafted POST request. | HIGH | Mar 4, 2021 |
| CVE-2020-24913 | A SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request. | HIGH | Mar 5, 2021 |
| CVE-2020-24912 | A reflected cross-site scripting (XSS) vulnerability in qcubed (all versions including 3.1.1) in profile.php via the stQuery-parameter allows unauthenticated attackers to steal sessions of authenticated users. | MEDIUM | Mar 4, 2021 |
| CVE-2020-24908 | Checkmk before 1.6.0p17 allows local users to obtain SYSTEM privileges via a Trojan horse shell script in the %PROGRAMDATA%\\checkmk\\agent\\local directory. | HIGH | Feb 19, 2021 |
| CVE-2020-24904 | An issue was discovered in attach parameter in GNOME Gmail version 2.5.4, allows remote attackers to gain sensitive information via crafted mailto link. | -- | Aug 11, 2023 |
| CVE-2020-24903 | Cute Editor for ASP.NET 6.4 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim\'s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim\'s cookie-based authentication credentials. | MEDIUM | Jan 7, 2021 |
| CVE-2020-24902 | Quixplorer <=2.4.1 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim\'s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim\'s cookie-based authentication credentials. | MEDIUM | Jan 7, 2021 |
| CVE-2020-24901 | The default installation of Krpano Panorama Viewer version <=1.20.8 is vulnerable to Reflected XSS due to insecure remote js load in file viewer/krpano.html, parameter plugin[test].url. | MEDIUM | Jan 7, 2021 |
| CVE-2020-24900 | The default installation of Krpano Panorama Viewer version <=1.20.8 is prone to Reflected XSS due to insecure XML load in file /viewer/krpano.html, parameter xml. | MEDIUM | Jan 7, 2021 |
| CVE-2020-24899 | Nagios XI 5.7.2 is affected by a remote code execution (RCE) vulnerability. An authenticated user can inject additional commands into normal webapp query. | MEDIUM | Feb 16, 2021 |
| CVE-2020-24898 | The Table Filter and Charts for Confluence Server app before 5.3.26 (for Atlassian Confluence) allows SSRF via the Table from CSV macro (URL parameter). | MEDIUM | Aug 29, 2020 |
| CVE-2020-24897 | The Table Filter and Charts for Confluence Server app before 5.3.25 (for Atlassian Confluence) allow remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) through the provided Markdown markup to the Table from CSV macro. | LOW | Aug 29, 2020 |
| CVE-2020-24891 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 |
| CVE-2020-24890 | libraw 20.0 has a null pointer dereference vulnerability in parse_tiff_ifd in src/metadata/tiff.cpp, which may result in context-dependent arbitrary code execution. Note: this vulnerability occurs only if you compile the software in a certain way | LOW | Sep 16, 2020 |
| CVE-2020-24889 | A buffer overflow vulnerability in LibRaw version < 20.0 LibRaw::GetNormalizedModel in src/metadata/normalize_model.cpp may lead to context-dependent arbitrary code execution. | MEDIUM | Sep 16, 2020 |
| CVE-2020-24881 | SSRF exists in osTicket before 1.14.3, where an attacker can add malicious file to server or perform port scanning. | HIGH | Nov 3, 2020 |
| CVE-2020-24877 | A SQL injection vulnerability in zzzphp v1.8.0 through /form/index.php?module=getjson may lead to a possible access restriction bypass. | HIGH | Mar 16, 2021 |
| CVE-2020-24876 | Use of a hard-coded cryptographic key in Pancake versions < 4.13.29 allows an attacker to forge session cookies, which may lead to remote privilege escalation. | MEDIUM | Sep 3, 2020 |
| CVE-2020-24872 | Cross Site Scripting (XSS) vulnerability in backend/pages/modify.php in Lepton-CMS version 4.7.0, allows remote attackers to execute arbitrary code. | -- | Aug 11, 2023 |
| CVE-2020-24870 | Libraw before 0.20.1 has a stack buffer overflow via LibRaw::identify_process_dng_fields in identify.cpp. | MEDIUM | Jun 2, 2021 |
| CVE-2020-24863 | A memory corruption vulnerability was found in the kernel function kern_getfsstat in MidnightBSD before 1.2.7 and 1.3 through 2020-08-19, and FreeBSD through 11.4, that allows an attacker to trigger an invalid free and crash the system via a crafted size value in conjunction with an invalid mode. | MEDIUM | Sep 3, 2020 |
| CVE-2020-24862 | The catID parameter in Pharmacy Medical Store and Sale Point v1.0 has been found to be vulnerable to a Time-Based blind SQL injection via the /medical/inventories.php path which allows attackers to retrieve all databases. | MEDIUM | Jun 2, 2021 |
| CVE-2020-24861 | GetSimple CMS 3.3.16 allows in parameter \'permalink\' on the Settings page persistent Cross Site Scripting which is executed when you create and open a new page | LOW | Oct 8, 2020 |
| CVE-2020-24860 | CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can get cookies from every authenticated user who visits the website. | LOW | Oct 8, 2020 |
| CVE-2020-24857 | Cross Site Scripting vulnerabilty found in IXPManager v.5.6.0 allows attackers to excute arbitrary code via the looking glass component. | -- | Mar 24, 2023 |
| CVE-2020-24855 | Directory Traversal vulnerability in easywebpack-cli before 4.5.2 allows attackers to obtain sensitive information via crafted GET request. | -- | Dec 15, 2022 |
| CVE-2020-24849 | A remote code execution vulnerability is identified in FruityWifi through 2.4. Due to improperly escaped shell metacharacters obtained from the POST request at the page_config_adv.php page, it is possible to perform remote code execution by an authenticated attacker. This is similar to CVE-2018-17317. | MEDIUM | Nov 5, 2020 |
| CVE-2020-24848 | FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system. | HIGH | Oct 23, 2020 |
| CVE-2020-24847 | A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticated attacker can change the newSSID and hostapd_wpa_passphrase. | MEDIUM | Oct 23, 2020 |
| CVE-2020-24842 | PNPSCADA 2.200816204020 allows cross-site scripting (XSS), which can execute arbitrary JavaScript in the victim\'s browser. | MEDIUM | Feb 13, 2021 |
| CVE-2020-24841 | PNPSCADA 2.200816204020 allows SQL injection via parameter \'interf\' in /browse.jsp. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. | HIGH | Feb 19, 2021 |
| CVE-2020-24838 | An integer overflow has been found in the the latest version of Issuer. The total issuedCount can be zero if the parameter is overly large. An attacker can obtain the private key of the owner issued with a certain \'amount\', and the issuedCount can be zero if there is an overflow. | MEDIUM | Feb 17, 2021 |
| CVE-2020-24837 | An integer underflow has been found in the latest version of ZCFees. The variables \'currPeriodIdx\' and \'lastPeriodExecIdx\' are both unsigned integers, and the result of the minus operation may be a negative integer which leads to an underflow. The attackers can modify the current timestamp of the transaction somehow and block the execution of the process function. | MEDIUM | Feb 17, 2021 |
| CVE-2020-24829 | An issue was discovered in GPAC v0.8.0, as demonstrated by MP4Box. It contains a heap-based buffer overflow in gf_m2ts_section_complete in media_tools/mpegts.c that can cause a denial of service (DOS) via a crafted MP4 file. | MEDIUM | Aug 5, 2021 |
| CVE-2020-24827 | A vulnerability in the dwarf::cursor::skip_form function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | MEDIUM | Aug 4, 2021 |
| CVE-2020-24826 | A vulnerability in the elf::section::as_strtab function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | MEDIUM | Aug 4, 2021 |
| CVE-2020-24825 | A vulnerability in the line_table::line_table function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | MEDIUM | Aug 4, 2021 |
| CVE-2020-24824 | A global buffer overflow issue in the dwarf::line_table::line_table function of Libelfin v0.3 allows attackers to cause a denial of service (DOS). | MEDIUM | Aug 4, 2021 |
| CVE-2020-24823 | A vulnerability in the dwarf::to_string function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | MEDIUM | Aug 4, 2021 |
| CVE-2020-24822 | A vulnerability in the dwarf::cursor::uleb function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | MEDIUM | Aug 4, 2021 |
| CVE-2020-24821 | A vulnerability in the dwarf::cursor::skip_form function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | MEDIUM | Aug 4, 2021 |
| CVE-2020-24815 | A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded in a dossier/dashboard document. NOTE: 10.4., no fix will be released as version will reach end-of-life on 31/12/2020. | MEDIUM | Nov 24, 2020 |
| CVE-2020-24807 | The socket.io-file package through 2.0.31 for Node.js relies on client-side validation of file types, which allows remote attackers to execute arbitrary code by uploading an executable file via a modified JSON name field. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | MEDIUM | Oct 6, 2020 |
| CVE-2020-24804 | Plaintext Password vulnerability in AddAdmin.py in cms-dev/cms v1.4.rc1, allows attackers to gain sensitive information via audit logs. | -- | Aug 11, 2023 |
| CVE-2020-24794 | Cross Site Scripting (XSS) vulnerability in Kentico before 12.0.75. | MEDIUM | Sep 9, 2020 |
| CVE-2020-24791 | FUEL CMS 1.4.8 allows SQL injection via the \'fuel_replace_id\' parameter in pages/replace/1. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. | HIGH | Mar 12, 2021 |
| CVE-2020-24786 | An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise. | HIGH | Aug 31, 2020 |
| CVE-2020-24772 | In Dreamacro Clash for Windows v0.11.4, an attacker could embed a malicious iframe in a website with a crafted URL that would launch the Clash Windows client and force it to open a remote SMB share. Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking). | MEDIUM | Mar 23, 2022 |
| CVE-2020-24771 | Incorrect access control in NexusPHP 1.5.beta5.20120707 allows unauthorized attackers to access published content. | MEDIUM | Apr 5, 2022 |
