Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Total entries: 169920
| ID | Description | Priority | Modified date |
| --- | --- | --- | --- |
| CVE-2020-26807 | SAP ERP Client for E-Bilanz, version 1.0, installation sets incorrect default filesystem permissions in its installation folder, which allows anyone to modify the files in the folder. | LOW | Nov 10, 2020 |
| CVE-2020-26806 | admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code. | MEDIUM | Jul 31, 2021 |
| CVE-2020-26805 | In Sentrifugo 3.2, admin can edit employee's information via this endpoint --> /sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, the employeeNumId parameter is affected by an SQLi vulnerability. An attacker can inject SQL commands into the query and read data from or write data into the database. | MEDIUM | Nov 12, 2020 |
| CVE-2020-26804 | In Sentrifugo 3.2, users can share an announcement under the Organization -> Announcements tab. Also, on this page, users can upload attachments with the shared announcements. This Upload Attachment functionality suffers from an Unrestricted File Upload vulnerability, so an attacker can upload malicious files using this functionality and control the server. | MEDIUM | Nov 12, 2020 |
| CVE-2020-26803 | In Sentrifugo 3.2, users can upload an image under the Assets -> Add tab. This Upload Images functionality suffers from an Unrestricted File Upload vulnerability, so an attacker can upload malicious files using this functionality and control the server. | MEDIUM | Nov 12, 2020 |
| CVE-2020-26802 | forma.lms 2.3.0.2 is affected by Cross Site Request Forgery (CSRF) in formalms/appCore/index.php?r=lms/profile/show&ap=saveinfo via a GET request to change the admin email address in order to accomplish an account takeover. | MEDIUM | Oct 8, 2020 |
| CVE-2020-26801 | A stored cross-site scripting (XSS) vulnerability was discovered in /Forms/device_vars_1 on TrippLite SU2200RTXL2Ua with firmware version 12.04.0055. This vulnerability allows authenticated attackers to obtain other users' information via a crafted POST request. | LOW | Jun 25, 2021 |
| CVE-2020-26800 | A stack overflow vulnerability in Aleth Ethereum C++ client version <= 1.8.0 using a specially crafted config.json file may result in a denial of service. | MEDIUM | Jan 13, 2021 |
| CVE-2020-26797 | Mediainfo before version 20.08 has a heap buffer overflow vulnerability via MediaInfoLib::File_Gxf::ChooseParser_ChannelGrouping. | MEDIUM | Mar 19, 2021 |
| CVE-2020-26773 | Restaurant Reservation System 1.0 suffers from an authenticated SQL injection vulnerability, which allows a remote, authenticated attacker to execute arbitrary SQL commands via the date parameter in includes/reservation.inc.php. | MEDIUM | Jan 7, 2021 |
| CVE-2020-26772 | Command Injection in PPGo_Jobs v2.8.0 allows remote attackers to execute arbitrary code via the 'AjaxRun()' function. | HIGH | Sep 9, 2021 |
| CVE-2020-26768 | Formstone <=1.4.16 is vulnerable to a Reflected Cross-Site Scripting (XSS) vulnerability caused by improper validation of user supplied input in the upload-target.php and upload-chunked.php files. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site once the URL is clicked or visited. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials, force malware execution, user redirection and others. | MEDIUM | Jan 7, 2021 |
| CVE-2020-26766 | A Cross Site Request Forgery (CSRF) vulnerability exists in the loginsystem page in PHPGurukul User Registration & Login and User Management System With Admin Panel 2.1. | MEDIUM | Dec 26, 2020 |
| CVE-2020-26763 | The Rocket.Chat desktop application 2.17.11 opens external links without user interaction. | MEDIUM | Jul 8, 2021 |
| CVE-2020-26762 | A stack-based buffer overflow exists in Edimax IP-Camera IC-3116W (v3.06) and IC-3140W (v3.07), which allows an unauthenticated, unauthorized attacker to perform remote code execution due to a crafted GET request. The overflow occurs in the binary ipcam_cgi due to a missing type check in function doGetSysteminfo(). This has been fixed in version IC-3116W v3.08. | HIGH | Dec 4, 2020 |
| CVE-2020-26759 | clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, due to a buffer overflow. | HIGH | Jan 8, 2021 |
| CVE-2020-26733 | Cross Site Scripting (XSS) in the Configuration page in SKYWORTH GN542VF Hardware Version 2.0 and Software Version 2.0.0.16 allows an authenticated attacker to inject their own script into the page via the DDNS Configuration Section. | LOW | Jan 14, 2021 |
| CVE-2020-26732 | SKYWORTH GN542VF Hardware Version 2.0 and Software Version 2.0.0.16 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session. | MEDIUM | Jan 14, 2021 |
| CVE-2020-26728 | A vulnerability was discovered in Tenda AC9 v3.0 V15.03.06.42_multi and Tenda AC9 V1.0 V15.03.05.19(6318)_CN which allows for remote code execution via shell metacharacters in the guestuser field to the __fastcall function with a POST request. | HIGH | Feb 11, 2022 |
| CVE-2020-26713 | REDCap 10.3.4 contains an XSS vulnerability in the ToDoList function with the sort parameter. The information submitted by the user is immediately returned in the response and not escaped, leading to the reflected XSS vulnerability. Attackers can exploit the vulnerability to steal login session information or borrow user rights to perform unauthorized acts. | MEDIUM | Jan 14, 2021 |
| CVE-2020-26712 | REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via the sort parameter. The application concatenates a string of user-submitted information that is not well validated into the database query, resulting in an SQL injection vulnerability that an attacker can exploit to compromise all databases. | HIGH | Jan 15, 2021 |
| CVE-2020-26710 | easy-parse v0.1.1 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file. | -- | Jun 29, 2023 |
| CVE-2020-26709 | py-xml v1.0 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file. | -- | Jun 29, 2023 |
| CVE-2020-26708 | requests-xml v0.2.3 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file. | -- | Jun 29, 2023 |
| CVE-2020-26707 | An issue was discovered in the add function in Shenzhim AAPTJS 1.3.1 which allows attackers to execute arbitrary code via the filePath parameter. | HIGH | Oct 31, 2021 |
| CVE-2020-26705 | The parseXML function in Easy-XML 0.5.0 was discovered to have an XML External Entity (XXE) vulnerability which allows an attacker to expose sensitive data or perform a denial of service (DoS) via a crafted external entity entered into the XML content as input. | MEDIUM | Oct 31, 2021 |
| CVE-2020-26701 | Cross-site scripting (XSS) vulnerability in the Dashboards section in Kaa IoT Platform v1.2.0 allows remote attackers to inject malicious web scripts or HTML Injection payloads via the Description parameter. | LOW | Nov 17, 2020 |
| CVE-2020-26693 | A stored cross-site scripting (XSS) vulnerability was discovered in pfSense 2.4.5-p1 which allows an authenticated attacker to execute arbitrary web scripts via exploitation of the load_balancer_monitor.php function. | LOW | Jun 1, 2021 |
| CVE-2020-26683 | A memory leak issue discovered in /pdf/pdf-font-add.c in Artifex Software MuPDF 1.17.0 allows attackers to obtain sensitive information. | -- | Aug 22, 2023 |
| CVE-2020-26682 | In libass 0.14.0, the `ass_outline_construct`'s call to `outline_stroke` causes a signed integer overflow. | MEDIUM | Oct 16, 2020 |
| CVE-2020-26680 | In vFairs 3.3, any user logged in to a vFairs virtual conference or event can modify any other user's profile information to include a cross-site scripting payload. The user data stored by the database includes HTML tags that are intentionally rendered out onto the page, and this can be abused to perform XSS attacks. | LOW | May 26, 2021 |
| CVE-2020-26679 | vFairs 3.3 is affected by Insecure Permissions. Any user logged in to a vFairs virtual conference or event can modify any other user's profile information or profile picture. After obtaining any user's unique identification number and their own, an HTTP POST request can be made to update their profile description or supply a new profile image. This can lead to potential cross-site scripting attacks on any user, or the upload of malicious PHP webshells as profile pictures. The user IDs can be easily determined from other responses from the API for an event or chat room. | MEDIUM | May 26, 2021 |
| CVE-2020-26678 | vFairs 3.3 is affected by Remote Code Execution. Any user logged in to a vFairs virtual conference or event can abuse the functionality to upload a profile picture in order to place a malicious PHP file on the server and gain code execution. | MEDIUM | May 26, 2021 |
| CVE-2020-26677 | Any user logged in to a vFairs 3.3 virtual conference or event can perform SQL injection with a malicious query to the API. | MEDIUM | May 26, 2021 |
| CVE-2020-26672 | Testimonial Rotator WordPress Plugin 3.0.2 is affected by Cross Site Scripting (XSS) in /wp-admin/post.php. If a user intercepts a request and inserts a payload in the cite parameter, the payload will be stored in the database. | LOW | Oct 16, 2020 |
| CVE-2020-26670 | A vulnerability has been discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary commands through a crafted request sent to the server via the 'Create a New Setting' function. | MEDIUM | Jun 1, 2021 |
| CVE-2020-26669 | A stored cross-site scripting (XSS) vulnerability was discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary web scripts or HTML via the page content to site/index.php/admin/pages/update. | LOW | Jun 1, 2021 |
| CVE-2020-26668 | A SQL injection vulnerability was discovered in /core/feeds/custom.php in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to inject a malicious SQL query into the application via the 'Create New Feed' function. | MEDIUM | Jun 1, 2021 |
| CVE-2020-26664 | A vulnerability in EbmlTypeDispatcher::send in VideoLAN VLC media player 3.0.11 allows attackers to trigger a heap-based buffer overflow via a crafted .mkv file. | MEDIUM | Jan 8, 2021 |
| CVE-2020-26652 | An issue was discovered in the function nl80211_send_chandef in rtl8812au v5.6.4.2 which allows attackers to cause a denial of service. | -- | Aug 22, 2023 |
| CVE-2020-26650 | AtomXCMS 2.0 is affected by Arbitrary File Read via admin/dump.php. | MEDIUM | Oct 22, 2020 |
| CVE-2020-26649 | AtomXCMS 2.0 is affected by Incorrect Access Control via admin/dump.php. | MEDIUM | Oct 22, 2020 |
| CVE-2020-26642 | A cross-site scripting (XSS) vulnerability has been discovered in the login page of SeaCMS version 11 which allows an attacker to inject arbitrary web script or HTML. | MEDIUM | May 28, 2021 |
| CVE-2020-26641 | A Cross Site Request Forgery (CSRF) vulnerability was discovered in iCMS 7.0.16 which can allow an attacker to execute arbitrary web scripts. | MEDIUM | May 28, 2021 |
| CVE-2020-26630 | A Time-Based SQL Injection vulnerability was discovered in Hospital Management System V4.0 which can allow an attacker to dump database information via a special payload in the 'Doctor Specialization' field under the 'Go to Doctors' tab after logging in as an admin. | -- | Jan 10, 2024 |
| CVE-2020-26629 | A JQuery Unrestricted Arbitrary File Upload vulnerability was discovered in Hospital Management System V4.0 which allows an unauthenticated attacker to upload any file to the server. | -- | Jan 10, 2024 |
| CVE-2020-26628 | A Cross-Site Scripting (XSS) vulnerability was discovered in Hospital Management System V4.0 which allows an attacker to execute arbitrary web scripts or HTML code via a malicious payload appended to a username on the 'Edit Profile' page and triggered by another user visiting the profile. | -- | Jan 10, 2024 |
| CVE-2020-26627 | A Time-Based SQL Injection vulnerability was discovered in Hospital Management System V4.0 which can allow an attacker to dump database information via a crafted payload entered into the 'Admin Remark' parameter under the 'Contact Us Queries -> Unread Query' tab. | -- | Jan 10, 2024 |
| CVE-2020-26625 | A SQL injection vulnerability was discovered in Gila CMS 1.15.4 and earlier which allows a remote attacker to execute arbitrary web scripts via the 'user_id' parameter after the login portal. | -- | Jan 2, 2024 |
| CVE-2020-26624 | A SQL injection vulnerability was discovered in Gila CMS 1.15.4 and earlier which allows a remote attacker to execute arbitrary web scripts via the ID parameter after the login portal. | -- | Jan 2, 2024 |
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.