Search Results (367189 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2020-37111 3 60cyclecms Project, Davidvg, Opensourcecms 3 60cyclecms, 60cyclecms, 60cyclecms 2026-03-05 6.1 Medium
60CycleCMS 2.5.2 contains a cross-site scripting (XSS) vulnerability in news.php that allows attackers to inject malicious scripts through GET parameters. Attackers can craft malicious URLs with XSS payloads targeting the 'etsu' and 'ltsu' parameters to execute arbitrary scripts in victim's browsers. This issue does not involve SQL injection.
CVE-2020-37110 3 60cyclecms Project, Davidvg, Opensourcecms 3 60cyclecms, 60cyclecms, 60cyclecms 2026-03-05 8.2 High
60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. Attackers can exploit vulnerable query parameters like 'title' to inject malicious SQL code and potentially extract or modify database contents. This issue does not involve cross-site scripting.
CVE-2020-37104 2 Astpp, Inextrix 2 Astpp, Astpp 2026-03-05 7.5 High
ASTPP 4.0.1 contains an information disclosure vulnerability that allows unauthenticated attackers to download database backup files by predicting backup filename patterns. Attackers can generate a list of 6-digit PIN combinations and fuzz the backup download URL to exfiltrate sensitive database information from the /database_backup/ directory.
CVE-2020-37103 1 Dnnsoftware 1 Dotnetnuke 2026-03-05 6.4 Medium
DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. Attackers can upload XML files with XHTML namespace scripts to execute arbitrary JavaScript in users' browsers, potentially bypassing CSRF protections and performing more damaging attacks.
CVE-2020-37097 1 Edimax 2 Ew-7438rpn Mini, Ew-7438rpn Mini Firmware 2026-03-05 7.5 High
Edimax EW-7438RPn 1.13 contains an information disclosure vulnerability that exposes WiFi network configuration details through the wlencrypt_wiz.asp file. Attackers can access the script to retrieve sensitive information including WiFi network name and plaintext password stored in device configuration variables.
CVE-2020-37096 1 Edimax 2 Ew-7438rpn Mini, Ew-7438rpn Mini Firmware 2026-03-05 5.3 Medium
Edimax EW-7438RPn 1.13 contains a cross-site request forgery vulnerability in the MAC filtering configuration interface. Attackers can craft malicious web pages to trick users into adding unauthorized MAC addresses to the device's filtering rules without their consent.
CVE-2020-37090 1 Arox 1 School Erp Pro 2026-03-05 9.8 Critical
School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server.
CVE-2020-37089 1 Arox 1 School Erp Pro 2026-03-05 8.2 High
School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerable parameter by injecting crafted SQL statements to potentially extract, modify, or delete database information.
CVE-2020-37088 1 Arox 1 School Erp Pro 2026-03-05 7.5 High
School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the 'document' parameter in download.php. Attackers can access sensitive configuration files by supplying directory traversal paths to retrieve system credentials and configuration information.
CVE-2020-37084 1 Arox 1 School Erp Pro 2026-03-05 7.2 High
School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. Attackers can exploit improper file validation in pre-editstudent.inc.php to execute arbitrary code on the server.
CVE-2020-37082 1 Weberp 1 Weberp 2026-03-05 9.8 Critical
webERP 4.15.1 contains an unauthenticated file access vulnerability that allows remote attackers to download database backup files without authentication. Attackers can directly access generated backup files in the companies/weberp/ directory by requesting the Backup_[timestamp].sql.gz file.
CVE-2020-37079 2 Wftpserver, Winftp Server 2 Wing Ftp Server, Winftp Server 2026-03-05 4.3 Medium
Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows attackers to delete admin users. Attackers can craft a malicious HTML page with a hidden form to submit a request that deletes the administrative user account without proper authorization.
CVE-2020-37054 1 Naviwebs 1 Navigate Cms 2026-03-05 4.3 Medium
Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation.
CVE-2020-37053 1 Naviwebs 1 Navigate Cms 2026-03-05 7.1 High
Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using time-based blind SQL injection techniques, potentially enabling password reset for administrative accounts.
CVE-2020-37044 2 Citeum, Opencti-platform 2 Opencti, Opencti 2026-03-05 5.4 Medium
OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim's browser. For example, a request to /graphql?'"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt> will trigger an alert. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10.
CVE-2020-37041 2 Citeum, Opencti-platform 2 Opencti, Opencti 2026-03-05 7.5 High
OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can read arbitrary files from the filesystem by sending crafted GET requests with path traversal sequences (e.g., '../') in the URL. For example, requesting /static/css//../../../../../../../../etc/passwd returns the contents of /etc/passwd. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10.
CVE-2020-37032 1 Wftpserver 1 Wing Ftp Server 2026-03-05 8.8 High
Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function.
CVE-2020-37007 1 Salihciftci 1 Liman 2026-03-05 5.3 Medium
Liman 0.7 contains a cross-site request forgery vulnerability that allows attackers to manipulate user account settings without proper request validation. Attackers can craft malicious HTML forms to change user passwords or modify account information by tricking logged-in users into submitting unauthorized requests.
CVE-2020-36993 1 Limesurvey 1 Limesurvey 2026-03-05 5.4 Medium
LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in administrative contexts.
CVE-2020-36972 1 Smartdatasoft 1 Smartblog 2026-03-05 8.2 High
SmartBlog 2.0.1 contains a blind SQL injection vulnerability in the 'id_post' parameter of the details controller that allows attackers to extract database information. Attackers can systematically test and retrieve database contents by injecting crafted SQL queries that compare character-by-character of database information.