The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2020-29362 | An issue was discovered in p11-kit 0.21.1 through 0.23.21. A heap-based buffer over-read has been discovered in the RPC protocol used by the p11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation. | MEDIUM | Dec 16, 2020 |
CVE-2020-29361 | An issue was discovered in p11-kit 0.21.1 through 0.23.21. Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc. | MEDIUM | Dec 18, 2020 |
CVE-2020-29324 | The D-Link Router DIR-895L MFC v1.21b05 is vulnerable to credentials disclosure in telnet service through decompilation of firmware, that allows an unauthenticated attacker to gain access to the firmware and to extract sensitive data. | MEDIUM | Jun 4, 2021 |
CVE-2020-29323 | The D-Link router DIR-885L-MFC 1.15b02, v1.21b05 is vulnerable to credentials disclosure in telnet service through decompilation of firmware, that allows an unauthenticated attacker to gain access to the firmware and to extract sensitive data. | MEDIUM | Jun 4, 2021 |
CVE-2020-29322 | The D-Link router DIR-880L 1.07 is vulnerable to credentials disclosure in telnet service through decompilation of firmware, that allows an unauthenticated attacker to gain access to the firmware and to extract sensitive data. | MEDIUM | Jun 4, 2021 |
CVE-2020-29321 | The D-Link router DIR-868L 3.01 is vulnerable to credentials disclosure in telnet service through decompilation of firmware, that allows an unauthenticated attacker to gain access to the firmware and to extract sensitive data. | MEDIUM | Jun 4, 2021 |
CVE-2020-29315 | ThinkAdmin version v1 v6 has a stored XSS vulnerability which allows remote attackers to inject an arbitrary web script or HTML. | MEDIUM | Dec 2, 2020 |
CVE-2020-29312 | An issue found in Zend Framework v.3.1.3 and before allows a remote attacker to execute arbitrary code via the unserialize function. | -- | Apr 4, 2023 |
CVE-2020-29311 | Ubilling v1.0.9 allows Remote Command Execution as Root user by executing a malicious command that is injected inside the config file and being triggered by another part of the software. | HIGH | Dec 11, 2020 |
CVE-2020-29304 | A cross-site scripting (XSS) vulnerability exists in the SabaiApps WordPress Directories Pro plugin version 1.3.45 and previous, allows attackers who have convinced a site administrator to import a specially crafted CSV file to inject arbitrary web script or HTML as the victim is proceeding through the file import workflow. | MEDIUM | Dec 15, 2020 |
CVE-2020-29303 | A cross-site scripting (XSS) vulnerability in the SabaiApp Directories Pro plugin 1.3.45 for WordPress allows remote attackers to inject arbitrary web script or HTML via a POST to /wp-admin/admin.php?page=drts/directories&q=%2F with _drts_form_build_id parameter containing the XSS payload and _t_ parameter set to an invalid or non-existent CSRF token. | MEDIUM | Dec 15, 2020 |
CVE-2020-29299 | Certain Zyxel products allow command injection by an admin via an input string to chg_exp_pwd during a password-change action. This affects VPN On-premise before ZLD V4.39 week38, VPN Orchestrator before SD-OS V10.03 week32, USG before ZLD V4.39 week38, USG FLEX before ZLD V4.55 week38, ATP before ZLD V4.55 week38, and NSG before 1.33 patch 4. | HIGH | Dec 27, 2020 |
CVE-2020-29297 | Multiple SQL Injection vulnerabilities in tourist5 Online-food-ordering-system 1.0. | -- | Jan 26, 2023 |
CVE-2020-29292 | iBall WRD12EN 1.0.0 devices allow cross-site request forgery (CSRF) attacks as demonstrated by enabling DNS settings or modifying the range for IP addresses. | MEDIUM | Dec 30, 2021 |
CVE-2020-29288 | An SQL injection vulnerability was discovered in Gym Management System. In the manage_user.php file, the GET parameter 'id' is vulnerable. | HIGH | Dec 3, 2020 |
CVE-2020-29287 | An SQL injection vulnerability was discovered in Car Rental Management System v1.0, which can be exploited via the id parameter in view_car.php or the car_id parameter in booking.php. | HIGH | Dec 3, 2020 |
CVE-2020-29285 | SQL injection vulnerability was discovered in Point of Sales in PHP/PDO 1.0, which can be exploited via the id parameter to edit_category.php. | HIGH | Dec 4, 2020 |
CVE-2020-29284 | The file view-chair-list.php in Multi Restaurant Table Reservation System 1.0 does not perform input validation on the table_id parameter which allows unauthenticated SQL Injection. An attacker can send malicious input in the GET request to /dashboard/view-chair-list.php?table_id= to trigger the vulnerability. | HIGH | Dec 4, 2020 |
CVE-2020-29283 | An SQL injection vulnerability was discovered in Online Doctor Appointment Booking System PHP and Mysql via the q parameter to getuser.php. | HIGH | Dec 4, 2020 |
CVE-2020-29282 | SQL injection vulnerability in BloodX 1.0 allows attackers to bypass authentication. | HIGH | Dec 4, 2020 |
CVE-2020-29280 | The Victor CMS v1.0 application is vulnerable to SQL injection via the 'search' parameter on the search.php page. | HIGH | Dec 3, 2020 |
CVE-2020-29279 | PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution. | HIGH | Dec 4, 2020 |
CVE-2020-29260 | libvncclient v0.9.13 was discovered to contain a memory leak via the function rfbClientCleanup(). | -- | Sep 3, 2022 |
CVE-2020-29259 | Cross-site scripting (XSS) vulnerability in Online Examination System 1.0 via the subject or feedback parameter to feedback.php. | MEDIUM | Dec 11, 2020 |
CVE-2020-29258 | Cross-site scripting (XSS) vulnerability in Online Examination System 1.0 via the w parameter to index.php. | MEDIUM | Dec 10, 2020 |
CVE-2020-29257 | Cross-site scripting (XSS) vulnerability in Online Examination System 1.0 via the q parameter to feedback.php. | MEDIUM | Dec 10, 2020 |
CVE-2020-29254 | TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include allowing attackers to submit their own code through an authenticated user resulting in local file inclusion. If an authenticated user who is able to edit TikiWiki templates visits a malicious website, template code can be edited. | MEDIUM | Dec 11, 2020 |
CVE-2020-29250 | CXUUCMS V3 allows XSS via the first and third input fields to /public/admin.php. | MEDIUM | Dec 27, 2020 |
CVE-2020-29249 | CXUUCMS V3 allows class=layui-input XSS. | MEDIUM | Dec 27, 2020 |
CVE-2020-29247 | WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Admin Panel. An attacker can inject the XSS payload in Page keywords and each time any user visits the website, the XSS triggers, and the attacker is able to steal the cookie according to the crafted payload. | MEDIUM | Dec 24, 2020 |
CVE-2020-29245 | dhowden tag before 2020-11-19 allows panic: runtime error: slice bounds out of range via readAtomData. | MEDIUM | Dec 29, 2020 |
CVE-2020-29244 | dhowden tag before 2020-11-19 allows panic: runtime error: slice bounds out of range via readTextWithDescrFrame. | MEDIUM | Dec 29, 2020 |
CVE-2020-29243 | dhowden tag before 2020-11-19 allows panic: runtime error: index out of range via readAPICFrame. | MEDIUM | Dec 29, 2020 |
CVE-2020-29242 | dhowden tag before 2020-11-19 allows panic: runtime error: index out of range via readPICFrame. | MEDIUM | Dec 29, 2020 |
CVE-2020-29241 | Online News Portal using PHP/MySQLi 1.0 is affected by cross-site scripting (XSS) which allows remote attackers to inject an arbitrary web script or HTML via the Title parameter. | LOW | Jan 26, 2021 |
CVE-2020-29240 | Lepton-CMS 4.7.0 is affected by cross-site scripting (XSS). An attacker can inject the XSS payload in the URL field of the admin page and each time an admin visits the Menu-Pages-Pages Overview section, the XSS will be triggered. | LOW | Dec 2, 2020 |
CVE-2020-29239 | Online Birth Certificate System Project V 1.0 is affected by cross-site scripting (XSS). This vulnerability can result in an attacker injecting the XSS payload in the User Registration section. When an admin visits the View Detail of Application section from the admin panel, the attacker is able to steal the cookie according to the crafted payload. | MEDIUM | Dec 4, 2020 |
CVE-2020-29238 | An integer buffer overflow in the Nginx webserver of ExpressVPN Router version 1 allows remote attackers to obtain sensitive information when the server running as reverse proxy via specially crafted request. | MEDIUM | Mar 10, 2021 |
CVE-2020-29233 | WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Page description component. This vulnerability can allow an attacker to inject the XSS payload in the Page description and each time any user visits the website, the XSS triggers and the attacker can steal the cookie according to the crafted payload. | LOW | Dec 30, 2020 |
CVE-2020-29231 | EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Profile Page. This vulnerability can result in the attacker injecting the XSS payload in Admin Full Name and each time admin visits the Profile page from the admin panel, the XSS triggers. | LOW | Dec 30, 2020 |
CVE-2020-29230 | EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Panel - Manage User tab using the Full Name of the user. This vulnerability can result in the attacker injecting the XSS payload in the User Registration section and each time admin visits the manage user section from the admin panel, the XSS triggers and the attacker can steal the cookie according to the crafted payload. | MEDIUM | Dec 30, 2020 |
CVE-2020-29228 | EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by SQL injection in the User Login Page. | MEDIUM | Dec 30, 2020 |
CVE-2020-29227 | An issue was discovered in Car Rental Management System 1.0. An unauthenticated user can perform a file inclusion attack against the /index.php file with a partial filename in the page parameter, to cause local file inclusion resulting in code execution. | HIGH | Dec 15, 2020 |
CVE-2020-29215 | A Cross Site Scripting in SourceCodester Employee Management System 1.0 allows the user to execute alert messages via /Employee Management System/addemp.php on admin account. | LOW | Jun 15, 2021 |
CVE-2020-29214 | SQL injection vulnerability in SourceCodester Alumni Management System 1.0 allows the user to inject SQL payload to bypass the authentication via admin/login.php. | HIGH | Jun 15, 2021 |
CVE-2020-29205 | XSS in signup form in Project Worlds Online Examination System 1.0 allows remote attacker to inject arbitrary code via the name field. | MEDIUM | May 17, 2021 |
CVE-2020-29204 | XXL-JOB 2.2.0 allows Stored XSS (in Add User) to bypass the 20-character limit via xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java. | MEDIUM | Dec 27, 2020 |
CVE-2020-29203 | struct2json before 2020-11-18 is affected by a Buffer Overflow because strcpy is used for S2J_STRUCT_GET_string_ELEMENT. | HIGH | Dec 26, 2020 |
CVE-2020-29194 | Panasonic Security System WV-S2231L 4.25 allows a denial of service of the admin control panel (which will require a physical reset to restore administrative control) via Randomnum=99AC8CEC6E845B28&mode=1 in a POST request to the cgi-bin/set_factory URI. | MEDIUM | Dec 30, 2020 |
CVE-2020-29193 | Panasonic Security System WV-S2231L 4.25 has an insecure hard-coded password of lkjhgfdsa (which is just the asdf keyboard row in reverse order). | LOW | Dec 30, 2020 |