Attacker Value
Very High

CVE-2020-7961

Disclosure Date: March 20, 2020 (last updated July 30, 2020)
Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
Attacker Value
Moderate

CVE-2020-35687

Disclosure Date: January 13, 2021 (last updated January 16, 2021)
PHPFusion version 9.03.90 is vulnerable to a CSRF attack that lets the attacker delete all shoutbox messages on behalf of the logged-in victim.
Attacker Value
Very High

CVE-2020-35234

Disclosure Date: December 14, 2020 (last updated December 16, 2020)
The easy-wp-smtp plugin before 1.4.4 for WordPress allows Administrator account takeover, as exploited in the wild in December 2020. If an attacker can list the wp-content/plugins/easy-wp-smtp/ directory, then they can discover a log file (such as #############_debug_log.txt) that contains all password-reset links. The attacker can request a reset of the Administrator password and then use a link found there.
Attacker Value
Moderate

CVE-2019-9053

Disclosure Date: March 26, 2019 (last updated June 05, 2020)
An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.
Attacker Value
Moderate

CVE-2019-20361

Disclosure Date: January 08, 2020 (last updated July 27, 2020)
There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to be passed to the database in the hash parameter (a blind SQL injection vulnerability).
Attacker Value
Very High

CVE-2021-3007

Disclosure Date: January 04, 2021 (last updated January 05, 2021)
** DISPUTED ** Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized.
Attacker Value
Very High

CVE-2020-28188

Disclosure Date: December 24, 2020 (last updated December 29, 2020)
A Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to inject OS commands via the Event parameter of /include/makecvs.php.
Attacker Value
Very High

CVE-2020-17132

Disclosure Date: December 10, 2020 (last updated January 15, 2021)
Also known as 'Microsoft Exchange Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-17117, CVE-2020-17141, CVE-2020-17142, and CVE-2020-17144.
Attacker Value
Very Low

CVE-2020-11530

Disclosure Date: May 08, 2020 (last updated September 02, 2020)
A blind SQL injection vulnerability is present in Chop Slider 3, a WordPress plugin. The vulnerability is introduced in the id GET parameter supplied to get_script/index.php, and allows an attacker to execute arbitrary SQL queries in the context of the WP database user.
Attacker Value
High

CVE-2020-28949

Disclosure Date: November 19, 2020 (last updated December 03, 2020)
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.