The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of standardized identifiers for publicly known vulnerabilities and security exposures. Each entry below is keyed by its CVE ID.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2020-36009 | OBottle 2.0 in \c\g.php contains an arbitrary file download vulnerability. | MEDIUM | Jun 4, 2021 |
CVE-2020-36011 | A cross-site scripting (XSS) issue in Add Patient Form in QDOCS Smart Hospital Management System 3.1 allows a remote attacker to inject arbitrary code via the Name, Guardian Name, Email, Address, Remarks, or Any Known Allergies field. | LOW | Jan 26, 2021 |
CVE-2020-36012 | Stored XSS vulnerability in BDTASK Multi-Store Inventory Management System 1.0 allows a local admin to inject arbitrary code via the Customer Name Field. | LOW | Jan 29, 2021 |
CVE-2020-36023 | An issue was discovered in freedesktop poppler version 20.12.1 that allows remote attackers to cause a denial of service (DoS) via a crafted .pdf file processed by the FoFiType1C::cvtGlyph function. | -- | Aug 14, 2023 |
CVE-2020-36024 | An issue was discovered in freedesktop poppler version 20.12.1 that allows remote attackers to cause a denial of service (DoS) via a crafted .pdf file processed by the FoFiType1C::convertToType1 function. | -- | Aug 14, 2023 |
CVE-2020-36033 | SQL injection vulnerability in SourceCodester Water Billing System 1.0 via the id parameter to edituser.php. | HIGH | Jul 22, 2021 |
CVE-2020-36034 | SQL Injection vulnerability in oretnom23 School Faculty Scheduling System version 1.0 allows a remote attacker to execute arbitrary code, escalate privileges, and gain sensitive information via a crafted payload to the id parameter in manage_user.php. | -- | Aug 11, 2023 |
CVE-2020-36037 | An issue was discovered in wuzhicms version 4.1.0 that allows remote attackers to execute arbitrary code via the setting parameter to the ueditor in index.php. | -- | Aug 15, 2023 |
CVE-2020-36048 | Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport. | MEDIUM | Jan 8, 2021 |
CVE-2020-36049 | socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used. | MEDIUM | Jan 8, 2021 |
CVE-2020-36051 | Directory traversal vulnerability in page_edit.php in MiniCMS V1.10 allows remote attackers to read arbitrary files via the state parameter. | MEDIUM | Jan 8, 2021 |
CVE-2020-36052 | Directory traversal vulnerability in post-edit.php in MiniCMS V1.10 allows remote attackers to include and execute arbitrary files via the state parameter. | HIGH | Jan 8, 2021 |
CVE-2020-36056 | Beetel 777VR1-DI Hardware Version REV.1.01 Firmware Version V01.00.09_55 was discovered to contain a cross-site scripting (XSS) vulnerability via the Ping diagnostic option. | LOW | Feb 4, 2022 |
CVE-2020-36062 | Dairy Farm Shop Management System v1.0 was discovered to contain hardcoded credentials in the source code which allows attackers access to the control panel if compromised. | HIGH | Feb 11, 2022 |
CVE-2020-36064 | Online Course Registration v1.0 was discovered to contain hardcoded credentials in the source code which allows attackers access to the control panel if compromised. | MEDIUM | Feb 4, 2022 |
CVE-2020-36065 | Cross Site Request Forgery (CSRF) vulnerability in FlyCms 1.0 allows attackers to add arbitrary administrator accounts via system/admin/admin_save. | -- | May 8, 2023 |
CVE-2020-36066 | GJSON | MEDIUM | Jan 7, 2021 |
CVE-2020-36067 | GJSON | MEDIUM | Jan 7, 2021 |
CVE-2020-36070 | Insecure Permission vulnerability found in Yoyager v.1.4 and before allows a remote attacker to execute arbitrary code via a crafted .php file to the media component. | -- | Apr 27, 2023 |
CVE-2020-36071 | SQL injection vulnerability found in Tailor Management System v.1 allows a remote authenticated attacker to execute arbitrary code via the customer parameter of the email.php page. | -- | Apr 6, 2023 |
CVE-2020-36072 | SQL injection vulnerability found in Tailor Management System v.1 allows a remote attacker to execute arbitrary code via the id parameter. | -- | Apr 6, 2023 |
CVE-2020-36073 | SQL injection vulnerability found in Tailor Management System v.1 allows a remote attacker to execute arbitrary code via the detail parameter of the document.php page. | -- | Apr 6, 2023 |
CVE-2020-36074 | SQL injection vulnerability found in Tailor Management System v.1 allows a remote attacker to execute arbitrary code via the title parameter. | -- | Apr 6, 2023 |
CVE-2020-36077 | SQL injection vulnerability found in Tailor Management System v.1 allows a remote attacker to execute arbitrary code via the customer parameter of the orderadd.php file. | -- | Apr 10, 2023 |
CVE-2020-36079 | Zenphoto through 1.5.7 is affected by authenticated arbitrary file upload, leading to remote code execution. The attacker must navigate to the uploader plugin, check the elFinder box, and then drag and drop files into the Files(elFinder) portion of the UI. This can, for example, place a .php file in the server's uploaded/ directory. NOTE: the vendor disputes this because exploitation can only be performed by an admin who has lots of other possibilities to harm a site. | MEDIUM | Feb 27, 2021 |
CVE-2020-36082 | File Upload vulnerability in bloofoxCMS version 0.5.2.1 allows remote attackers to execute arbitrary code and escalate privileges via a crafted webshell file submitted to the upload module. | -- | Aug 15, 2023 |
CVE-2020-36109 | ASUS RT-AX86U router firmware before version 9.0.0.4_386 has a buffer overflow in the blocking_request.cgi function of the httpd module that can lead to code execution when an attacker supplies malicious data. | HIGH | Feb 5, 2021 |
CVE-2020-36112 | CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php and in cart.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database on which the web application is running. | HIGH | Jan 7, 2021 |
CVE-2020-36115 | Stored Cross Site Scripting (XSS) vulnerability in EGavilan Media CRUD Operation with PHP, MySQL, Bootstrap, and Dompdf via First Name or Last Name parameter in the 'Add New Record Feature'. | LOW | Jan 28, 2021 |
CVE-2020-36120 | Buffer Overflow in the sixel_encoder_encode_bytes function of Libsixel v1.8.6 allows attackers to cause a Denial of Service (DoS). | MEDIUM | Apr 16, 2021 |
CVE-2020-36123 | saitoha libsixel v1.8.6 was discovered to contain a double free via the component sixel_chunk_destroy at /root/libsixel/src/chunk.c. | MEDIUM | Mar 12, 2022 |
CVE-2020-36124 | Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by XML External Entity (XXE) injection. An authenticated attacker can compromise the private keys of a JWT token and reuse them to manipulate the access tokens to access the platform as any desired user (clients and administrators). | MEDIUM | May 7, 2021 |
CVE-2020-36125 | Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by incorrect access control where password revalidation in sensitive operations can be bypassed remotely by an authenticated attacker through requesting the endpoint directly. | MEDIUM | May 7, 2021 |
CVE-2020-36126 | Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by incorrect access control that can lead to remote privilege escalation. PAXSTORE marketplace endpoints allow an authenticated user to read and write data not owned by them, including third-party users, application and payment terminals, where an attacker can impersonate any user which may lead to the unauthorized disclosure, modification, or destruction of information. | MEDIUM | May 7, 2021 |
CVE-2020-36127 | Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by an information disclosure vulnerability. Through the PUK signature functionality, an administrator will not have access to the current p12 certificate and password. When accessing this functionality, the administrator has the option to replace the current certificate and it is not possible to view the certificate password (p12) already deployed on the platform. The replacement p12 certificate returns to users in base64 with its password, which can be accessed by non-administrator users. | MEDIUM | May 7, 2021 |
CVE-2020-36128 | Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by a token spoofing vulnerability. Each payment terminal has a session token (called X-Terminal-Token) to access the marketplace. This allows the store to identify the terminal and make available the applications distributed by its reseller. By intercepting HTTPS traffic from the application store, it is possible to collect the request responsible for assigning the X-Terminal-Token to the terminal, which makes it possible to craft an X-Terminal-Token pretending to be another device. An attacker can use this behavior to authenticate its own payment terminal in the application store through token impersonation. | MEDIUM | May 7, 2021 |
CVE-2020-36129 | AOM v2.0.1 was discovered to contain a stack buffer overflow via the component src/aom_image.c. | MEDIUM | Dec 3, 2021 |
CVE-2020-36130 | AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component av1/av1_dx_iface.c. | MEDIUM | Dec 3, 2021 |
CVE-2020-36131 | AOM v2.0.1 was discovered to contain a stack buffer overflow via the component stats/rate_hist.c. | MEDIUM | Dec 3, 2021 |
CVE-2020-36133 | AOM v2.0.1 was discovered to contain a global buffer overflow via the component av1/encoder/partition_search.h. | MEDIUM | Dec 3, 2021 |
CVE-2020-36134 | AOM v2.0.1 was discovered to contain a segmentation violation via the component aom_dsp/x86/obmc_sad_avx2.c. | MEDIUM | Dec 3, 2021 |
CVE-2020-36135 | AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component rate_hist.c. | MEDIUM | Dec 3, 2021 |
CVE-2020-36136 | SQL Injection vulnerability in cskaza cszcms version 1.2.9, allows attackers to gain sensitive information via pm_sendmail parameter in csz_model.php. | -- | Aug 15, 2023 |
CVE-2020-36138 | An issue was discovered in decode_frame in libavcodec/tiff.c in FFmpeg version 4.3 that allows remote attackers to cause a denial of service (DoS). | -- | Aug 11, 2023 |
CVE-2020-36139 | BloofoxCMS 0.5.2.1 allows Reflected Cross-Site Scripting (XSS) by inserting an XSS payload within the 'fileurl' parameter. | LOW | Jun 4, 2021 |
CVE-2020-36140 | BloofoxCMS 0.5.2.1 allows Cross-Site Request Forgery (CSRF) via 'mode=settings&page=editor', as demonstrated by use of 'mode=settings&page=editor' to change any file content (Locally/Remotely). | MEDIUM | Jun 4, 2021 |
CVE-2020-36141 | BloofoxCMS 0.5.2.1 allows Unrestricted File Upload by bypassing MIME type validation: the check trusts a client-supplied 'image/jpeg' value in the 'Content-Type' header. | MEDIUM | Jun 4, 2021 |
CVE-2020-36142 | BloofoxCMS 0.5.2.1 allows Directory traversal by inserting '../' payloads within the 'fileurl' parameter. | MEDIUM | Jun 4, 2021 |
CVE-2020-36144 | Redash 8.0.0 is affected by LDAP Injection. There is an information leak through the crafting of special queries, escaping the provided template since the username included in the search filter lacks sanitization. | MEDIUM | Mar 19, 2021 |
CVE-2020-36148 | Incorrect handling of input data in verifyAttribute function in the libmysofa library 0.5 - 1.1 will lead to NULL pointer dereference and segmentation fault error in case of restrictive memory protection or near NULL pointer overwrite in case of no memory restrictions (e.g. in embedded environments). | MEDIUM | Feb 11, 2021 |
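Several rows above express their affected versions as ranges ("before 4.0.0", "through 1.5.7") rather than a single release, and the practical use of a listing like this is to match it against the versions actually deployed. The following is an added example, not code from the CVE project or from any vendor named above: it transcribes a handful of the affected ranges from the table rows (engine.io, socket.io-parser, Zenphoto, poppler, libsixel), compares them against a constructed package inventory, and returns the matching CVE IDs. The package names used as keys, the inventory contents and the three range kinds are assumptions made for the example; the version comparison is a simple numeric dotted-tuple compare and does not handle pre-release suffixes.

```python
import re
from dataclasses import dataclass

# CVE identifier shape: "CVE-" + 4-digit year + "-" + at least 4 digits (MITRE format).
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def is_cve_id(s):
    """True if s is a syntactically valid CVE identifier."""
    return bool(CVE_ID_RE.match(s))


def parse_version(v):
    """Turn a dotted version into a tuple of ints ("1.5.7" -> (1, 5, 7)).

    Parsing stops at the first non-numeric component, so "9.0.0.4_386" -> (9, 0, 0, 4).
    This is deliberately simple; it is enough for the versions quoted in the table above.
    """
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _padded(a, b):
    """Right-pad the shorter tuple with zeros so "4.0" and "4.0.0" compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


@dataclass(frozen=True)
class Affected:
    cve: str
    package: str   # assumed lowercase package key (an assumption of this example)
    kind: str      # "before": exclusive upper bound; "through": inclusive; "exact": one release
    version: str

    def matches(self, installed):
        a, b = _padded(parse_version(installed), parse_version(self.version))
        if self.kind == "before":
            return a < b
        if self.kind == "through":
            return a <= b
        return a == b


# Ranges transcribed from the table rows above; the CVE text is the source of each bound.
LISTING = [
    Affected("CVE-2020-36048", "engine.io", "before", "4.0.0"),
    Affected("CVE-2020-36049", "socket.io-parser", "before", "3.4.1"),
    Affected("CVE-2020-36079", "zenphoto", "through", "1.5.7"),
    Affected("CVE-2020-36023", "poppler", "exact", "20.12.1"),
    Affected("CVE-2020-36024", "poppler", "exact", "20.12.1"),
    Affected("CVE-2020-36120", "libsixel", "exact", "1.8.6"),
    Affected("CVE-2020-36123", "libsixel", "exact", "1.8.6"),
]

# Constructed sample inventory (package, installed version); not real deployment data.
INVENTORY = [
    ("engine.io", "3.5.0"),          # before 4.0.0 -> hit
    ("socket.io-parser", "3.4.1"),   # fixed version itself -> not "before 3.4.1"
    ("zenphoto", "1.5.7"),           # "through 1.5.7" is inclusive -> hit
    ("poppler", "21.01.0"),          # not the single affected release -> miss
    ("libsixel", "1.8.6"),           # two rows name this release -> two hits
]


def match_inventory(inventory, listing=LISTING):
    """Return {(package, version): [sorted CVE IDs]} for each inventory entry hit by the listing."""
    hits = {}
    for pkg, ver in inventory:
        ids = sorted(e.cve for e in listing
                     if is_cve_id(e.cve) and e.package == pkg.lower() and e.matches(ver))
        if ids:
            hits[(pkg, ver)] = ids
    return hits


if __name__ == "__main__":
    for (pkg, ver), ids in match_inventory(INVENTORY).items():
        print(f"{pkg} {ver}: {', '.join(ids)}")
```

The "before"/"through" distinction is the part worth getting right: the fixed release named by a "before" bound is itself clean, while a "through" bound includes the release it names, and a tool that treats both as the same inclusive range will either miss the Zenphoto row or falsely flag the patched socket.io-parser.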