The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2020-35362 | DEXT5Upload 2.7.1262310 and earlier is affected by Directory Traversal in handler/dext5handler.jsp. This could allow remote files to be downloaded via a dext5CMD=downloadRequest action with traversal in the fileVirtualPath parameter (the attacker must provide the correct fileOrgName value). | MEDIUM | Dec 26, 2020 | n/a |
| CVE-2020-35359 | Pure-FTPd 1.0.48 allows remote attackers to prevent legitimate server use by making enough connections to exceed the connection limit. | MEDIUM | Dec 26, 2020 | n/a |
| CVE-2020-35358 | DomainMOD domainmod-v4.15.0 is affected by an insufficient session expiration vulnerability. On changing a password, both sessions using the changed password and old sessions in any other browser or device do not expire and remain active. Such flaws frequently give attackers unauthorized access to some system data or functionality. | HIGH | Mar 18, 2021 | n/a |
| CVE-2020-35357 | A buffer overflow can occur when calculating the quantile value using the Statistics Library of GSL (GNU Scientific Library), versions 2.5 and 2.6. Processing a maliciously crafted input data for gsl_stats_quantile_from_sorted_data of the library may lead to unexpected application termination or arbitrary code execution. | -- | Aug 22, 2023 | n/a |
| CVE-2020-35349 | Savsoft Quiz 5 is affected by: Cross Site Scripting (XSS) via field_title (aka a title on the custom fields page). | LOW | Dec 26, 2020 | n/a |
| CVE-2020-35347 | CXUUCMS V3 3.1 has a CSRF vulnerability that can add an administrator account via admin.php?c=adminuser&a=add. | MEDIUM | Dec 26, 2020 | n/a |
| CVE-2020-35346 | CXUUCMS V3 3.1 is affected by a reflected XSS vulnerability that allows remote attackers to inject arbitrary web script or HTML via the imgurl parameter of admin.php?c=content&a=add. | LOW | Dec 26, 2020 | n/a |
| CVE-2020-35342 | GNU Binutils before 2.34 has an uninitialized-heap vulnerability in function tic4x_print_cond (file opcodes/tic4x-dis.c) which could allow attackers to make an information leak. | LOW | Aug 22, 2023 | n/a |
| CVE-2020-35340 | A local file inclusion vulnerability in ExpertPDF 9.5.0 through 14.1.0 allows attackers to read the file contents from files that the running ExpertPDF process has access to read. | MEDIUM | Sep 15, 2021 | n/a |
| CVE-2020-35339 | In 74cms version 5.0.1, there is a remote code execution vulnerability in /Application/Admin/Controller/ConfigController.class.php and /ThinkPHP/Common/functions.php where attackers can obtain server permissions and control the server. | HIGH | Feb 17, 2021 | n/a |
| CVE-2020-35338 | The Web Administrative Interface in Mobile Viewpoint Wireless Multiplex Terminal (WMT) Playout Server 20.2.8 and earlier has a default account with a password of pokon. | HIGH | Dec 15, 2020 | n/a |
| CVE-2020-35337 | ThinkSAAS before 3.38 contains a SQL injection vulnerability through app/topic/action/admin/topic.php via the title parameter, which allows remote attackers to execute arbitrary SQL commands. | HIGH | Mar 24, 2021 | n/a |
| CVE-2020-35329 | Courier Management System 1.0 1.0 is affected by SQL Injection via \'MULTIPART street \'. | MEDIUM | Mar 4, 2021 | n/a |
| CVE-2020-35328 | Courier Management System 1.0 - \'First Name\' Stored XSS | LOW | Mar 4, 2021 | n/a |
| CVE-2020-35327 | SQL injection vulnerability was discovered in Courier Management System 1.0, which can be exploited via the ref_no (POST) parameter to admin_class.php | MEDIUM | Mar 4, 2021 | n/a |
| CVE-2020-35326 | SQL Injection vulnerability in file /inxedu/demo_inxedu_open/src/main/resources/mybatis/inxedu/website/WebsiteImagesMapper.xml in inxedu 2.0.6 via the id value. | -- | Jan 25, 2023 | n/a |
| CVE-2020-35314 | A remote code execution vulnerability in the installUpdateThemePluginAction function in index.php in WonderCMS 3.1.3, allows remote attackers to upload a custom plugin which can contain arbitrary code and obtain a webshell via the theme/plugin installer. | HIGH | Apr 23, 2021 | n/a |
| CVE-2020-35313 | A server-side request forgery (SSRF) vulnerability in the addCustomThemePluginRepository function in index.php in WonderCMS 3.1.3 allows remote attackers to execute arbitrary code via a crafted URL to the theme/plugin installer. | HIGH | Apr 23, 2021 | n/a |
| CVE-2020-35310 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none NOTE: This is disputed by the vendor; We have no records of contact with the original reporter, and have not been able to reproduce any issue. | LOW | Jan 30, 2021 | n/a |
| CVE-2020-35309 | Bakeshop Online Ordering System in PHP/MySQLi 1.0 is affected by cross-site scripting (XSS) which allows remote attackers to inject an arbitrary web script or HTML in admin dashboard - Categories. | LOW | Jan 26, 2021 | n/a |
| CVE-2020-35308 | CONQUEST DICOM SERVER before 1.5.0 has a code execution vulnerability which can be exploited by attackers to execute malicious code. | HIGH | Apr 5, 2021 | n/a |
| CVE-2020-35305 | Cross site scripting (XSS) in gollum 5.0 to 5.1.2 via the filename parameter to the \'New Page\' dialog. | -- | Jul 15, 2022 | n/a |
| CVE-2020-35296 | ThinkAdmin v6 has default administrator credentials, which allows attackers to gain unrestricted administratior dashboard access. | MEDIUM | Mar 3, 2021 | n/a |
| CVE-2020-35284 | Flamingo (aka FlamingoIM) through 2020-09-29 allows ../ directory traversal because the only ostensibly unpredictable part of a file-transfer request is an MD5 computation; however, this computation occurs on the client side, and the computation details can be easily determined because the product\'s source code is available. | MEDIUM | Dec 26, 2020 | n/a |
| CVE-2020-35276 | EgavilanMedia ECM Address Book 1.0 is affected by SQL injection. An attacker can bypass the Admin Login panel through SQLi and get Admin access and add or remove any user. | HIGH | Dec 23, 2020 | n/a |
| CVE-2020-35275 | Coastercms v5.8.18 is affected by cross-site Scripting (XSS). A user can steal a cookie and make the user redirect to any malicious website because it is trigged on the main home page of the product/application. | LOW | Dec 21, 2020 | n/a |
| CVE-2020-35274 | DotCMS Add Template with admin panel 20.11 is affected by cross-site Scripting (XSS) to gain remote privileges. An attacker could compromise the security of a website or web application through a stored XSS attack and stealing cookies using XSS. | LOW | Dec 21, 2020 | n/a |
| CVE-2020-35273 | EgavilanMedia User Registration & Login System with Admin Panel 1.0 is affected by Cross Site Request Forgery (CSRF) to remotely gain privileges in the User Profile panel. An attacker can update any user\'s account. | MEDIUM | Dec 22, 2020 | n/a |
| CVE-2020-35272 | Employee Performance Evaluation System in PHP/MySQLi with Source Code 1.0 is affected by cross-site scripting (XSS) in the Admin Portal in the Task and Description fields. | LOW | Jan 20, 2021 | n/a |
| CVE-2020-35271 | Employee Performance Evaluation System in PHP/MySQLi with Source Code 1.0 is affected by cross-site scripting (XSS) in the Employees, First Name and Last Name fields. | LOW | Jan 20, 2021 | n/a |
| CVE-2020-35270 | Student Result Management System In PHP With Source Code is affected by SQL injection. An attacker can able to access of Admin Panel and manage every account of Result. | MEDIUM | Jan 26, 2021 | n/a |
| CVE-2020-35269 | Nagios Core application version 4.2.4 is vulnerable to Site-Wide Cross-Site Request Forgery (CSRF) in many functions, like adding – deleting for hosts or servers. | MEDIUM | Dec 23, 2020 | n/a |
| CVE-2020-35263 | EgavilanMedia User Registration & Login System 1.0 is affected by SQL injection to the admin panel, which may allow arbitrary code execution. | HIGH | Jan 26, 2021 | n/a |
| CVE-2020-35262 | Cross Site Scripting (XSS) vulnerability in Digisol DG-HR3400 can be exploited via the NTP server name in Time and date module and Keyword in URL Filter. | MEDIUM | Jan 8, 2021 | n/a |
| CVE-2020-35261 | Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Restaurant Name field to /dashboard/profile.php. | LOW | Jul 15, 2022 | n/a |
| CVE-2020-35259 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 | n/a |
| CVE-2020-35257 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 | n/a |
| CVE-2020-35252 | Cross Site Scripting (XSS) vulnerability via the \'Full Name\' parameter in the User Registration section of User Registration & Login System with Admin Panel 1.0. | MEDIUM | Dec 23, 2020 | n/a |
| CVE-2020-35249 | Cross Site Scripting (XSS) vulnerability in ElkarBackup 1.3.3, allows attackers to execute arbitrary code via the name parameter to the add client feature. | MEDIUM | Nov 3, 2021 | n/a |
| CVE-2020-35245 | Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::addUser. | HIGH | Dec 26, 2020 | n/a |
| CVE-2020-35244 | Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::addGroup. | HIGH | Dec 26, 2020 | n/a |
| CVE-2020-35243 | Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::updateUserInfoInDb. | HIGH | Dec 26, 2020 | n/a |
| CVE-2020-35242 | Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::updateUserTeamInfoInDbAndMemory. | HIGH | Dec 26, 2020 | n/a |
| CVE-2020-35241 | FlatPress 1.0.3 is affected by cross-site scripting (XSS) in the Blog Content component. This vulnerability can allow an attacker to inject the XSS payload in Blog content via the admin panel. Each time any user will go to that blog page, the XSS triggers and the attacker can steal the cookie according to the crafted payload. | LOW | Dec 30, 2020 | n/a |
| CVE-2020-35240 | FluxBB 1.5.11 is affected by cross-site scripting (XSS in the Blog Content component. This vulnerability can allow an attacker to inject the XSS payload in Blog Content and each time any user will visit the blog, the XSS triggers and the attacker can able to steal the cookie according to the crafted payload. | LOW | Dec 30, 2020 | n/a |
| CVE-2020-35239 | A vulnerability exists in CakePHP versions 4.0.x through 4.1.3. The CsrfProtectionMiddleware component allows method override parameters to bypass CSRF checks by changing the HTTP request method to an arbitrary string that is not in the list of request methods that CakePHP checks. Additionally, the route middleware does not verify that this overriden method (which can be an arbitrary string) is actually an HTTP method. | MEDIUM | Jan 26, 2021 | n/a |
| CVE-2020-35236 | The GitLab Webhook Handler in amazee.io Lagoon before 1.12.3 has incorrect access control associated with project deletion. | MEDIUM | Dec 16, 2020 | n/a |
| CVE-2020-35235 | vendor/elfinder/php/connector.minimal.php in the secure-file-manager plugin through 2.5 for WordPress loads elFinder code without proper access control. Thus, any authenticated user can run the elFinder upload command to achieve remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | MEDIUM | Dec 15, 2020 | n/a |
| CVE-2020-35234 | The easy-wp-smtp plugin before 1.4.4 for WordPress allows Administrator account takeover, as exploited in the wild in December 2020. If an attacker can list the wp-content/plugins/easy-wp-smtp/ directory, then they can discover a log file (such as #############_debug_log.txt) that contains all password-reset links. The attacker can request a reset of the Administrator password and then use a link found there. | MEDIUM | Dec 15, 2020 | n/a |
| CVE-2020-35233 | The TFTP server fails to handle multiple connections on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices, and allows external attackers to force device reboots by sending concurrent connections, aka a denial of service attack. | MEDIUM | Mar 10, 2021 | n/a |
