Search Results (332177 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2020-23831 1 Stock Management System Project 1 Stock Management System 2024-11-21 6.4 Medium
A Reflected Cross-Site Scripting (XSS) vulnerability in the index.php login-portal webpage of SourceCodester Stock Management System v1.0 allows remote attackers to harvest login credentials and session cookies when an unauthenticated victim clicks on a malicious URL and enters credentials.
CVE-2020-23830 1 Stock Management System Project 1 Stock Management System 2024-11-21 7.1 High
A Cross-Site Request Forgery (CSRF) vulnerability in changeUsername.php in SourceCodester Stock Management System v1.0 allows remote attackers to deny future logins by changing an authenticated victim's username when they visit a third-party site.
CVE-2020-23829 1 Librehealth 1 Librehealth Ehr 2024-11-21 8.8 High
interface/new/new_comprehensive_save.php in LibreHealth EHR 2.0.0 suffers from an authenticated file upload vulnerability, allowing remote attackers to achieve remote code execution (RCE) on the hosting webserver by uploading a maliciously crafted image.
CVE-2020-23828 1 Online Course Registration Project 1 Online Course Registration 2024-11-21 9.8 Critical
A File Upload vulnerability in SourceCodester Online Course Registration v1.0 allows remote attackers to achieve Remote Code Execution (RCE) on the hosting webserver by uploading a crafted PHP web-shell that bypasses the image upload filters. An attack uses /Online%20Course%20Registration/my-profile.php with the POST parameter photo.
CVE-2020-23826 1 Assaabloy 2 Yale Wipc-303w, Yale Wipc-303w Firmware 2024-11-21 8.8 High
The Yale WIPC-303W 2.21 through 2.31 camera is vulnerable to remote command execution (RCE) through command injection via the HTTP API. NOTE: This may be a duplicate of CVE-2020-10176
CVE-2020-23824 1 Argosoft 1 Mail Server 2024-11-21 8.8 High
ArGo Soft Mail Server 1.8.8.9 is affected by Cross Site Request Forgery (CSRF) for perform remote arbitrary code execution. The component is the Administration dashboard. When using admin/user credentials, if the admin/user admin opens a website with the malicious page that will run the CSRF.
CVE-2020-23814 1 Xuxueli 1 Xxl-job 2024-11-21 6.1 Medium
Multiple cross-site scripting (XSS) vulnerabilities in xxl-job v2.2.0 allow remote attackers to inject arbitrary web script or HTML via (1) AppName and (2)AddressList parameter in JobGroupController.java file.
CVE-2020-23811 1 Xuxueli 1 Xxl-job 2024-11-21 7.5 High
xxl-job 2.2.0 allows Information Disclosure of username, model, and password via job/admin/controller/UserController.java.
CVE-2020-23804 2 Debian, Freedesktop 2 Debian Linux, Poppler 2024-11-21 7.5 High
Uncontrolled Recursion in pdfinfo, and pdftops in poppler 0.89.0 allows remote attackers to cause a denial of service via crafted input.
CVE-2020-23793 1 Spice-space 1 Spice-server 2024-11-21 8.6 High
An issue was discovered in spice-server spice-server-0.14.0-6.el7_6.1.x86_64 of Redhat's VDI product. There is a security vulnerablility that can restart KVMvirtual machine without any authorization. It is not yet known if there will be other other effects.
CVE-2020-23790 1 Uxper 1 Golo 2024-11-21 9.8 Critical
An Arbitrary File Upload vulnerability was discovered in the Golo Laravel theme v 1.1.5.
CVE-2020-23776 1 Winmail Project 1 Winmail 2024-11-21 7.5 High
A SSRF vulnerability exists in Winmail 6.5 in app.php in the key parameter when HTTPS is on. An attacker can use this vulnerability to cause the server to send a request to a specific URL. An attacker can modify the request header 'HOST' value to cause the server to send the request.
CVE-2020-23774 1 Winmail Project 1 Winmail 2024-11-21 6.1 Medium
A reflected XSS vulnerability exists in tohtml/convert.php of Winmail 6.5, which can cause JavaScript code to be executed.
CVE-2020-23768 1 Phpyun 1 Phpyun 2024-11-21 7.5 High
An information disclosure vulnerability was discovered in alipay_function.php in the log file of Alibaba payment interface on PHPPYUN prior to version 5.0.1. If exploited, this vulnerability will allow attackers to obtain users' personally identifiable information including e-mail address and telephone numbers.
CVE-2020-23766 1 Htmly 1 Htmly 2024-11-21 6.5 Medium
An arbitrary file deletion vulnerability was discovered on htmly v2.7.5 which allows remote attackers to use any absolute path to delete any file in the server should they gain Administrator privileges.
CVE-2020-23765 1 Bludit 1 Bludit 2024-11-21 7.2 High
A file upload vulnerability was discovered in the file path /bl-plugins/backup/plugin.php on Bludit version 3.12.0. If an attacker is able to gain Administrator rights they will be able to use unsafe plugins to upload a backup file and control the server.
CVE-2020-23763 1 Online Book Store Project 1 Online Book Store 2024-11-21 9.8 Critical
SQL injection in admin.php in Online Book Store 1.0 allows remote attackers to execute arbitrary SQL commands and bypass authentication.
CVE-2020-23762 1 Larsens Calendar Project 1 Larsens Calendar 2024-11-21 5.4 Medium
Cross Site Scripting (XSS) vulnerability in the Larsens Calender plugin Version <= 1.2 for WordPress allows remote attackers to execute arbitrary web script via the "titel" column on the "Eintrage hinzufugen" tab.
CVE-2020-23761 1 Intelliants 1 Subrion 2024-11-21 6.1 Medium
Cross Site Scripting (XSS) vulnerability in subrion CMS Version <= 4.2.1 allows remote attackers to execute arbitrary web script via the "payment gateway" column on transactions tab.
CVE-2020-23754 1 Php-fusion 1 Phpfusion 2024-11-21 9.6 Critical
Cross Site Scripting (XSS) vulnerability in infusions/member_poll_panel/poll_admin.php in PHP-Fusion 9.03.50, allows attackers to execute arbitrary code, via the polls feature.