Export limit exceeded: 363345 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363345 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-23185 | 1 Php-fusion | 1 Php-fusion | 2024-11-21 | 5.4 Medium |
| A stored cross site scripting (XSS) vulnerability in /administration/setting_security.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. | ||||
| CVE-2020-23184 | 1 Php-fusion | 1 Php-fusion | 2024-11-21 | 5.4 Medium |
| A stored cross site scripting (XSS) vulnerability in /administration/settings_registration.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Registration" field. | ||||
| CVE-2020-23182 | 1 Php-fusion | 1 Php-fusion | 2024-11-21 | 5.4 Medium |
| The component /php-fusion/infusions/shoutbox_panel/shoutbox_archive.php in PHP-Fusion 9.03.60 allows attackers to redirect victim users to malicious websites via a crafted payload entered into the Shoutbox message panel. | ||||
| CVE-2020-23181 | 1 Php-fusion | 1 Php-fusion | 2024-11-21 | 5.4 Medium |
| A reflected cross site scripting (XSS) vulnerability in /administration/theme.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Manage Theme" field. | ||||
| CVE-2020-23179 | 1 Php-fusion | 1 Php-fusion | 2024-11-21 | 5.4 Medium |
| A stored cross site scripting (XSS) vulnerability in administration/settings_main.php of PHP-Fusion 9.03.50 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Site footer" field. | ||||
| CVE-2020-23178 | 1 Php-fusion | 1 Php-fusion | 2024-11-21 | 5.4 Medium |
| An issue exists in PHP-Fusion 9.03.50 where session cookies are not deleted once a user logs out, allowing for an attacker to perform a session replay attack and impersonate the victim user. | ||||
| CVE-2020-23172 | 1 Kuba Project | 1 Kuba | 2024-11-21 | 5.5 Medium |
| A vulnerability in all versions of Kuba allows attackers to overwrite arbitrary files in arbitrary directories with crafted Zip files due to improper validation of file paths in .zip archives. | ||||
| CVE-2020-23171 | 1 Nim-lang | 1 Nim-lang | 2024-11-21 | 5.5 Medium |
| A vulnerability in all versions of Nim-lang allows unauthenticated attackers to write files to arbitrary directories via a crafted zip file with dot-slash characters included in the name of the crafted file. | ||||
| CVE-2020-23162 | 1 Pyres | 2 Termod4, Termod4 Firmware | 2024-11-21 | 7.5 High |
| Sensitive information disclosure and weak encryption in Pyrescom Termod4 time management devices before 10.04k allows remote attackers to read a session-file and obtain plain-text user credentials. | ||||
| CVE-2020-23161 | 1 Pyres | 2 Termod4, Termod4 Firmware | 2024-11-21 | 6.5 Medium |
| Local file inclusion in Pyrescom Termod4 time management devices before 10.04k allows authenticated remote attackers to traverse directories and read sensitive files via the Maintenance > Logs menu and manipulating the file-path in the URL. | ||||
| CVE-2020-23160 | 1 Pyres | 2 Termod4, Termod4 Firmware | 2024-11-21 | 8.8 High |
| Remote code execution in Pyrescom Termod4 time management devices before 10.04k allows authenticated remote attackers to arbitrary commands as root on the devices. | ||||
| CVE-2020-23151 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 9.8 Critical |
| rConfig 3.9.5 allows command injection by sending a crafted GET request to lib/ajaxHandlers/ajaxArchiveFiles.php since the path parameter is passed directly to the exec function without being escaped. | ||||
| CVE-2020-23150 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 7.5 High |
| A SQL injection vulnerability in config.inc.php of rConfig 3.9.5 allows attackers to access sensitive database information via a crafted GET request to install/lib/ajaxHandlers/ajaxDbInstall.php. | ||||
| CVE-2020-23149 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 7.5 High |
| The dbName parameter in ajaxDbInstall.php of rConfig 3.9.5 is unsanitized, allowing attackers to perform a SQL injection and access sensitive database information. | ||||
| CVE-2020-23148 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 7.5 High |
| The userLogin parameter in ldap/login.php of rConfig 3.9.5 is unsanitized, allowing attackers to perform a LDAP injection and obtain sensitive information via a crafted POST request. | ||||
| CVE-2020-23140 | 1 Microweber | 1 Microweber | 2024-11-21 | 8.1 High |
| Microweber 1.1.18 is affected by insufficient session expiration. When changing passwords, both sessions for when a user changes email and old sessions in any other browser or device, the session does not expire and remains active. | ||||
| CVE-2020-23139 | 1 Microweber | 1 Microweber | 2024-11-21 | 5.5 Medium |
| Microweber 1.1.18 is affected by broken authentication and session management. Local session hijacking may occur, which could result in unauthorized access to system data or functionality, or a complete system compromise. | ||||
| CVE-2020-23138 | 1 Microweber | 1 Microweber | 2024-11-21 | 9.8 Critical |
| An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. An attacker can upload PHP code or any extension (eg- .exe) to the web server by providing image data and the image/jpeg content type with a .php extension. | ||||
| CVE-2020-23136 | 1 Microweber | 1 Microweber | 2024-11-21 | 5.5 Medium |
| Microweber v1.1.18 is affected by no session expiry after log-out. | ||||
| CVE-2020-23128 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | 4.9 Medium |
| Chamilo LMS 1.11.10 does not properly manage privileges which could allow a user with Sessions administrator privilege to create a new user then use the edit user function to change this new user to administrator privilege. | ||||