The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2020-25394 | A stored cross site scripting (XSS) vulnerability in moziloCMS 2.0 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Content parameter. | LOW | Jul 10, 2021 |
| CVE-2020-25392 | A cross site scripting (XSS) vulnerability in CSZ CMS 1.2.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \'New Article\' field under the \'Article\' plugin. | LOW | Jul 10, 2021 |
| CVE-2020-25391 | A cross site scripting vulnerability in CSZ CMS 1.2.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the \'New Pages\' field under the \'Pages Content\' module. | LOW | Jul 10, 2021 |
| CVE-2020-25385 | Nagios Log Server 2.1.7 contains a cross-site scripting (XSS) vulnerability in /nagioslogserver/configure/create_snapshot through the snapshot_name parameter, which may impact users who open a maliciously crafted link or third-party web page. | MEDIUM | Jan 22, 2021 |
| CVE-2020-25380 | Wordpress Plugin Store / Mike Rooijackers Recall Products V0.8 is affected by: Cross Site Scripting (XSS) via the \'Recall Settings\' field in admin.php. An attacker can inject JavaScript code that will be stored and executed. | LOW | Sep 18, 2020 |
| CVE-2020-25379 | Wordpress Plugin Store / Mike Rooijackers Recall Products V0.8 fails to sanitize input from the \'Manufacturer[]\' parameter which allows an authenticated attacker to inject a malicious SQL query. | MEDIUM | Sep 18, 2020 |
| CVE-2020-25378 | Wordpress Plugin Store / AccessPress Themes WP Floating Menu V1.3.0 is affected by: Cross Site Scripting (XSS) via the id GET parameter. | MEDIUM | Sep 17, 2020 |
| CVE-2020-25375 | Wordpress Plugin Store / SoftradeWeb SNC WP SMART CRM V1.8.7 is affected by: Cross Site Scripting via the Business Name field, Tax Code field, First Name field, Address field, Town field, Phone field, Mobile field, Place of Birth field, Web Site field, VAT Number field, Last Name field, Fax field, Email field, and Skype field. | LOW | Sep 18, 2020 |
| CVE-2020-25374 | CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers to discover internal pathnames by reading an error popup message after two hours of idle time. | MEDIUM | Oct 29, 2020 |
| CVE-2020-25368 | A command injection vulnerability was discovered in the HNAP1 protocol in D-Link DIR-823G devices with firmware V1.0.2B05. An attacker is able to execute arbitrary web scripts via shell metacharacters in the PrivateLogin field to Login. | HIGH | Nov 4, 2021 |
| CVE-2020-25367 | A command injection vulnerability was discovered in the HNAP1 protocol in D-Link DIR-823G devices with firmware V1.0.2B05. An attacker is able to execute arbitrary web scripts via shell metacharacters in the Captcha field to Login. | HIGH | Nov 5, 2021 |
| CVE-2020-25366 | An issue in the component /cgi-bin/upload_firmware.cgi of D-Link DIR-823G REVA1 1.02B05 allows attackers to cause a denial of service (DoS) via unspecified vectors. | HIGH | Nov 6, 2021 |
| CVE-2020-25362 | The id paramater in Online Shopping Alphaware 1.0 has been discovered to be vulnerable to an Error-Based blind SQL injection in the /alphaware/details.php path. This allows an attacker to retrieve all databases. | MEDIUM | Jun 2, 2021 |
| CVE-2020-25359 | An arbitrary file deletion vulnerability in rConfig 3.9.5 has been fixed for 3.9.6. This vulnerability gave attackers the ability to send a crafted request to /lib/ajaxHandlers/ajaxDeleteAllLoggingFiles.php by specifying a path in the path parameter and an extension in the ext parameter and delete all the files with that extension in that path. | MEDIUM | Aug 20, 2021 |
| CVE-2020-25353 | A server-side request forgery (SSRF) vulnerability in rConfig 3.9.5 has been fixed for 3.9.6. This vulnerability allowed remote authenticated attackers to open a connection to the machine via the deviceIpAddr and connPort parameters. | MEDIUM | Aug 20, 2021 |
| CVE-2020-25352 | A stored cross-site scripting (XSS) vulnerability in the /devices.php function inrConfig 3.9.5 has been fixed for version 3.9.6. This vulnerability allowed remote attackers to perform arbitrary Javascript execution through entering a crafted payload into the \'Model\' field then saving. | LOW | Aug 20, 2021 |
| CVE-2020-25351 | An information disclosure vulnerability in rConfig 3.9.5 has been fixed for version 3.9.6. This vulnerability allowed remote authenticated attackers to read files on the system via a crafted request sent to to the /lib/crud/configcompare.crud.php script. | MEDIUM | Aug 20, 2021 |
| CVE-2020-25343 | Cross-site scripting (XSS) vulnerabilities in Symphony CMS 3.0.0 allow remote attackers to inject arbitrary web script or HTML to fields[\'body\'] param via events\\event.publish_article.php | LOW | Oct 7, 2020 |
| CVE-2020-25340 | An issue was discovered in NFStream 5.2.0. Because some allocated modules are not correctly freed, if the nfstream object is directly destroyed without being used after it is created, it will cause a memory leak that may result in a local denial of service (DoS). | LOW | Feb 19, 2021 |
| CVE-2020-25291 | GdiDrawHoriLineIAlt in Kingsoft WPS Office before 11.2.0.9403 allows remote heap corruption via a crafted PLTE chunk in PNG data within a Word document. This is related to QBrush::setMatrix in gui/painting/qbrush.cpp in Qt 4.x. | MEDIUM | Sep 13, 2020 |
| CVE-2020-25289 | The VPN service in AVAST SecureLine before 5.6.4982.470 allows local users to write to arbitrary files via an Object Manager symbolic link from the log directory (which has weak permissions). | LOW | Sep 13, 2020 |
| CVE-2020-25288 | An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input\'s pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitrary JavaScript. | LOW | Oct 1, 2020 |
| CVE-2020-25287 | Pligg 2.0.3 allows remote authenticated users to execute arbitrary commands because the template editor can edit any file, as demonstrated by an admin/admin_editor.php the_file=..%2Findex.php&open=Open request. | MEDIUM | Sep 13, 2020 |
| CVE-2020-25286 | In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public. | MEDIUM | Sep 13, 2020 |
| CVE-2020-25285 | A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified other impact, aka CID-17743798d812. | MEDIUM | Sep 13, 2020 |
| CVE-2020-25284 | The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap rbd block devices, aka CID-f44d04e696fe. | LOW | Sep 13, 2020 |
| CVE-2020-25283 | An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, 9.0, and 10 software. BT manager allows attackers to bypass intended access restrictions on a certain mode. The LG ID is LVE-SMP-200021 (September 2020). | HIGH | Sep 13, 2020 |
| CVE-2020-25282 | An issue was discovered on LG mobile devices with Android OS 10 software. The lguicc software (for the LG Universal Integrated Circuit Card) allows attackers to bypass intended access restrictions on property values. The LG ID is LVE-SMP-200020 (September 2020). | HIGH | Sep 13, 2020 |
| CVE-2020-25281 | An issue was discovered on LG mobile devices with Android OS 7.0, 7.1, 7.2, 8.0, and 8.1 software. Applications with sensitive security settings (such as the package verifier application) mishandle unknown-source installations. The LG ID is LVE-SMP-190002 (September 2020). | MEDIUM | Sep 13, 2020 |
| CVE-2020-25280 | An issue was discovered on Samsung mobile devices with Q(10.0) (Exynos and MediaTek chipsets) software. Unauthenticated attackers can execute LTE/5G commands by sending a debugging command over USB. The Samsung ID is SVE-2020-16979 (September 2020). | MEDIUM | Sep 13, 2020 |
| CVE-2020-25279 | An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (Exynos chipsets) software. The baseband component has a buffer overflow via an abnormal SETUP message, leading to execution of arbitrary code. The Samsung ID is SVE-2020-18098 (September 2020). | HIGH | Sep 13, 2020 |
| CVE-2020-25278 | An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. The Quram image codec library allows attackers to overwrite memory and execute arbitrary code via crafted JPEG data that is mishandled during decoding. The Samsung IDs are SVE-2020-18088, SVE-2020-18225, SVE-2020-18301 (September 2020). | HIGH | Sep 13, 2020 |
| CVE-2020-25276 | An issue was discovered in PrimeKey EJBCA 6.x and 7.x before 7.4.1. When using a client certificate to enroll over the EST protocol, no revocation check is performed on that certificate. This vulnerability can only affect a system that has EST configured, uses client certificates to authenticate enrollment, and has had such a certificate revoked. This certificate needs to belong to a role that is authorized to enroll new end entities. (To completely mitigate this problem prior to upgrade, remove any revoked client certificates from their respective roles.) | MEDIUM | Sep 11, 2020 |
| CVE-2020-25275 | Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts. | MEDIUM | Jan 10, 2021 |
| CVE-2020-25273 | In SourceCodester Online Bus Booking System 1.0, there is Authentication bypass on the Admin Login screen in admin.php via username or password SQL injection. | HIGH | Oct 8, 2020 |
| CVE-2020-25272 | In SourceCodester Online Bus Booking System 1.0, there is XSS through the name parameter in book_now.php. | MEDIUM | Oct 8, 2020 |
| CVE-2020-25271 | PHPGurukul hospital-management-system-in-php 4.0 allows XSS via admin/patient-search.php, doctor/search.php, book-appointment.php, doctor/appointment-history.php, or admin/appointment-history.php. | LOW | Oct 8, 2020 |
| CVE-2020-25270 | PHPGurukul hostel-management-system 2.1 allows XSS via Guardian Name, Guardian Relation, Guardian Contact no, Address, or City. | LOW | Oct 8, 2020 |
| CVE-2020-25269 | An issue was discovered in InspIRCd 2 before 2.0.29 and 3 before 3.6.0. The pgsql module contains a use after free vulnerability. When combined with the sqlauth or sqloper modules, this vulnerability can be used for remote crashing of an InspIRCd server by any user able to connect to a server. | MEDIUM | Sep 11, 2020 |
| CVE-2020-25268 | Remote Code Execution can occur via the external news feed in ILIAS 6.4 because of incorrect parameter sanitization for Magpie RSS data. | MEDIUM | Nov 10, 2020 |
| CVE-2020-25267 | An XSS issue exists in the question-pool file-upload preview feature in ILIAS 6.4. | LOW | Nov 10, 2020 |
| CVE-2020-25266 | AppImage appimaged before 1.0.3 does not properly check whether a downloaded file is a valid appimage. For example, it will accept a crafted mp3 file that contains an appimage, and install it. | MEDIUM | Dec 2, 2020 |
| CVE-2020-25265 | AppImage libappimage before 1.0.3 allows attackers to trigger an overwrite of a system-installed .desktop file by providing a .desktop file that contains Name= with path components. | MEDIUM | Dec 2, 2020 |
| CVE-2020-25263 | PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/addons/uninstall/anomaly.module.blocks URI: an arbitrary plugin will be deleted. | MEDIUM | Oct 8, 2020 |
| CVE-2020-25262 | PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/pages/delete/ URI: pages will be deleted. | MEDIUM | Oct 8, 2020 |
| CVE-2020-25260 | An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows remote attackers to execute arbitrary code because of unsafe JSON deserialization. | HIGH | Sep 11, 2020 |
| CVE-2020-25259 | An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses XML deserialization libraries in an unsafe manner. | HIGH | Sep 11, 2020 |
| CVE-2020-25258 | An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It uses ASP.NET BinaryFormatter.Deserialize in a manner that allows attackers to transmit and execute bytecode in SOAP messages. | HIGH | Sep 11, 2020 |
| CVE-2020-25257 | An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows XXE attacks for read/write access to arbitrary files. | HIGH | Sep 11, 2020 |
| CVE-2020-25256 | An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. PKI certificates have a private key that is the same across different customers\' installations. | MEDIUM | Sep 11, 2020 |
