The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2020-23150 | A SQL injection vulnerability in config.inc.php of rConfig 3.9.5 allows attackers to access sensitive database information via a crafted GET request to install/lib/ajaxHandlers/ajaxDbInstall.php. | MEDIUM | Aug 12, 2021 | n/a |
CVE-2020-23149 | The dbName parameter in ajaxDbInstall.php of rConfig 3.9.5 is unsanitized, allowing attackers to perform a SQL injection and access sensitive database information. | MEDIUM | Aug 12, 2021 | n/a |
CVE-2020-23148 | The userLogin parameter in ldap/login.php of rConfig 3.9.5 is unsanitized, allowing attackers to perform a LDAP injection and obtain sensitive information via a crafted POST request. | MEDIUM | Aug 12, 2021 | n/a |
CVE-2020-23140 | Microweber 1.1.18 is affected by insufficient session expiration. When changing passwords, both sessions for when a user changes email and old sessions in any other browser or device, the session does not expire and remains active. | MEDIUM | Nov 9, 2020 | n/a |
CVE-2020-23139 | Microweber 1.1.18 is affected by broken authentication and session management. Local session hijacking may occur, which could result in unauthorized access to system data or functionality, or a complete system compromise. | LOW | Nov 9, 2020 | n/a |
CVE-2020-23138 | An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. An attacker can upload PHP code or any extension (e.g. .exe) to the web server by providing image data and the image/jpeg content type with a .php extension. | HIGH | Nov 9, 2020 | n/a |
CVE-2020-23136 | Microweber v1.1.18 is affected by no session expiry after log-out. | LOW | Nov 9, 2020 | n/a |
CVE-2020-23130 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 | n/a |
CVE-2020-23129 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 | n/a |
CVE-2020-23128 | Chamilo LMS 1.11.10 does not properly manage privileges which could allow a user with Sessions administrator privilege to create a new user then use the edit user function to change this new user to administrator privilege. | MEDIUM | May 6, 2021 | n/a |
CVE-2020-23127 | Chamilo LMS 1.11.10 is affected by Cross Site Request Forgery (CSRF) via the edit_user function by targeting an admin user. | MEDIUM | May 7, 2021 | n/a |
CVE-2020-23126 | Chamilo LMS version 1.11.10 contains an XSS vulnerability in the personal profile edition form, affecting the user him/herself and social network friends. | MEDIUM | Nov 4, 2021 | n/a |
CVE-2020-23109 | Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. | MEDIUM | Nov 5, 2021 | n/a |
CVE-2020-23083 | Unrestricted File Upload in JEECG v4.0 and earlier allows remote attackers to execute arbitrary code or gain privileges by uploading a crafted file to the component jeecgFormDemoController.do?commonUpload. | HIGH | May 4, 2021 | n/a |
CVE-2020-23079 | SSRF vulnerability in Halo <=1.3.2 exists in the SMTP configuration, which can detect the server intranet. | MEDIUM | Jul 12, 2021 | n/a |
CVE-2020-23069 | Path Traversal vulnerability exists in webTareas 2.0 via the extpath parameter in general_serv.php, which could let a malicious user read arbitrary files. | MEDIUM | Aug 18, 2021 | n/a |
CVE-2020-23066 | Cross Site Scripting vulnerability in TinyMCE v.4.9.6 and before and v.5.0.0 thru v.5.1.4 allows an attacker to execute arbitrary code via the editor function. | -- | Jun 26, 2023 | n/a |
CVE-2020-23065 | Cross Site Scripting vulnerability in eZ Systems AS eZPublish Platform v.5.4 and eZ Publish Legacy v.5.4 allows a remote authenticated attacker to execute arbitrary code via the video-js.swf. | -- | Jun 26, 2023 | n/a |
CVE-2020-23064 | Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the <options> element. | -- | Jun 27, 2023 | n/a |
CVE-2020-23061 | Dropouts Technologies LLP Super Backup v2.0.5 was discovered to contain an issue in the path parameter of the `list` and `download` module which allows attackers to perform a directory traversal via a change to the path variable to request the local list command. | MEDIUM | Oct 22, 2021 | n/a |
CVE-2020-23060 | Internet Download Manager 6.37.11.1 was discovered to contain a stack buffer overflow in the Export/Import function. This vulnerability allows attackers to escalate local process privileges via a crafted ef2 file. | MEDIUM | Oct 22, 2021 | n/a |
CVE-2020-23058 | An issue in the authentication mechanism in Nong Ge File Explorer v1.4 allows unauthenticated access to sensitive data. | LOW | Oct 22, 2021 | n/a |
CVE-2020-23055 | ANCOM WLAN Controller (Wireless Series & Hotspot) WLC-1000 & WLC-4006 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the /authen/start/ module via the userid and password parameters. | LOW | Oct 22, 2021 | n/a |
CVE-2020-23054 | A cross-site scripting (XSS) vulnerability in NSK User Agent String Switcher Service v0.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the user agent input field. | MEDIUM | Oct 22, 2021 | n/a |
CVE-2020-23052 | Catalyst IT Ltd Mahara CMS v19.10.2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component groupfiles.php via the Number (Nombre) and Description (Descripción) parameters. | LOW | Oct 22, 2021 | n/a |
CVE-2020-23051 | Phpgurukul User Registration & User Management System v2.0 was discovered to contain multiple stored cross-site scripting (XSS) vulnerabilities via the firstname and lastname parameters of the registration form & loginsystem input fields. | MEDIUM | Oct 22, 2021 | n/a |
CVE-2020-23050 | TAO Open Source Assessment Platform v3.3.0 RC02 was discovered to contain a HTML injection vulnerability in the userFirstName parameter of the user account input field. This vulnerability allows attackers to execute phishing attacks, external redirects, and arbitrary code. | MEDIUM | Oct 22, 2021 | n/a |
CVE-2020-23049 | Fork CMS Content Management System v5.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the `Displayname` field when using the `Add`, `Edit` or `Register` functions. This vulnerability allows attackers to execute arbitrary web scripts or HTML. | LOW | Oct 22, 2021 | n/a |
CVE-2020-23048 | SeedDMS Content Management System v6.0.7 contains a persistent cross-site scripting (XSS) vulnerability in the component AddEvent.php via the name and comment parameters. | MEDIUM | Oct 22, 2021 | n/a |
CVE-2020-23047 | Macrob7 Macs Framework Content Management System - 1.14f was discovered to contain a cross-site scripting (XSS) vulnerability in the search input field of the search module. | MEDIUM | Oct 22, 2021 | n/a |
CVE-2020-23046 | DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component tpl.php via the `filename`, `mid`, `userid`, and `templet` parameters. | MEDIUM | Oct 22, 2021 | n/a |
CVE-2020-23045 | Macrob7 Macs Framework Content Management System - 1.14f was discovered to contain a SQL injection vulnerability via the `roleId` parameter of the `editRole` and `deletUser` modules. | MEDIUM | Oct 22, 2021 | n/a |
CVE-2020-23044 | DedeCMS v7.5 SP2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component file_pic_view.php via the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters. | LOW | Oct 22, 2021 | n/a |
CVE-2020-23043 | Tran Tu Air Sender v1.0.2 was discovered to contain an arbitrary file upload vulnerability in the upload module. This vulnerability allows attackers to execute arbitrary code via a crafted file. | MEDIUM | Oct 22, 2021 | n/a |
CVE-2020-23042 | Dropouts Technologies LLP Super Backup v2.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability in the path parameter of the `list` and `download` module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted GET request. | MEDIUM | Oct 22, 2021 | n/a |
CVE-2020-23041 | Dropouts Technologies LLP Air Share v1.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the path parameter of the `list` and `download` exception-handling. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted GET request. | MEDIUM | Oct 22, 2021 | n/a |
CVE-2020-23040 | Sky File v2.1.0 contains a directory traversal vulnerability in the FTP server which allows attackers to access sensitive data and files via 'null' path commands. | MEDIUM | Oct 22, 2021 | n/a |
CVE-2020-23039 | Folder Lock v3.4.5 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Create Folder function under the 'create' module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload as a path or folder name. | LOW | Oct 22, 2021 | n/a |
CVE-2020-23038 | Swift File Transfer Mobile v1.1.2 and below was discovered to contain an information disclosure vulnerability in the path parameter. This vulnerability is exploited via an error caused by including non-existent path environment variables. | MEDIUM | Oct 22, 2021 | n/a |
CVE-2020-23037 | Portable Ltd Playable v9.18 contains a code injection vulnerability in the filename parameter, which allows attackers to execute arbitrary web scripts or HTML via a crafted POST request. | HIGH | Oct 22, 2021 | n/a |
CVE-2020-23036 | MEDIA NAVI Inc SMACom v1.2 was discovered to contain an insecure session validation vulnerability in the session handling of the `password` authentication parameter of the wifi photo transfer module. This vulnerability allows attackers with network access privileges or on public wifi networks to read the authentication credentials and follow-up requests containing the user password via a man in the middle attack. | MEDIUM | Oct 22, 2021 | n/a |
CVE-2020-23026 | A NULL pointer dereference in the main() function dhry_1.c of dhrystone 2.1 causes a denial of service (DoS). | MEDIUM | Jan 3, 2022 | n/a |
CVE-2020-23015 | An open redirect issue was discovered in OPNsense through 20.1.5. The redirect parameter url in login page was not filtered and can redirect user to any website. | MEDIUM | May 4, 2021 | n/a |
CVE-2020-23014 | APfell 1.4 is vulnerable to authenticated reflected cross-site scripting (XSS) in /apiui/command_ through the payloadtypes_callback function, which allows an attacker to steal remote admin/user session and/or adding new users to the administration panel. | LOW | Jan 29, 2021 | n/a |
CVE-2020-22987 | Cross-Site Scripting (XSS) vulnerability in MicroStrategy Web SDK 10.11 and earlier, allows remote unauthenticated attackers to execute arbitrary code via the fileToUpload parameter to the uploadFile task. | MEDIUM | May 13, 2022 | n/a |
CVE-2020-22986 | Cross-Site Scripting (XSS) vulnerability in MicroStrategy Web SDK 10.11 and earlier, allows remote unauthenticated attackers to execute arbitrary code via the searchString parameter to the wikiScrapper task. | MEDIUM | May 13, 2022 | n/a |
CVE-2020-22985 | Cross-Site Scripting (XSS) vulnerability in MicroStrategy Web SDK 10.11 and earlier, allows remote unauthenticated attackers to execute arbitrary code via the key parameter to the getESRIExtraConfig task. | MEDIUM | May 13, 2022 | n/a |
CVE-2020-22984 | Cross-Site Scripting (XSS) vulnerability in MicroStrategy Web SDK 10.11 and earlier, allows remote unauthenticated attackers to execute arbitrary code via key parameter to the getGoogleExtraConfig task. | MEDIUM | May 13, 2022 | n/a |
CVE-2020-22983 | A Server-Side Request Forgery (SSRF) vulnerability exists in MicroStrategy Web SDK 11.1 and earlier, allows remote unauthenticated attackers to conduct a server-side request forgery (SSRF) attack via the srcURL parameter to the shortURL task. | MEDIUM | May 13, 2022 | n/a |
CVE-2020-22937 | A remote code execution (RCE) in e/install/index.php of EmpireCMS 7.5 allows attackers to execute arbitrary PHP code via writing malicious code to the install file. | HIGH | Aug 17, 2021 | n/a |