CVE-2020-37248

creationtimestamp| type| source ---|---|--- 2026-06-08 17:22:18+00:00| seen| https://bsky.app/profile/infosec.skyfleet.blue/post/3mns72d7tvl2l...

ROOT-OS-UBUNTU-2204-CVE-2020-14304 CVE-2020-14304 in rootio-linux - Patched by Root

Root has patched CVE-2020-14304 in the rootio-linux package for Root:Ubuntu:22.04. Multiple fixed versions available...

WeiPHP 5.0 - SQL Injection

WeiPHP 5.0 contains a SQL injection vulnerability via the wpwhere function. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. id: CVE-2020-20300 info: name: WeiPHP 5.0 - SQL...

Jeesns 1.4.2 - Cross-Site Scripting

Jeesns 1.4.2 is vulnerable to reflected cross-site scripting that allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the system error message's text field. id: CVE-2020-19282 info: name: Jeesns 1.4.2 - Cross-Site Scripting author: pikpikcu severity: medium...

Artica Web Proxy 4.30 - OS Command Injection

Artica Web Proxy 4.30 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via servicecmdspeform. id: CVE-2020-17505 info: name: Artica Web Proxy 4.30 - OS Command Injection author: dwisiswant0...

Contentful <=2020-05-21 - Cross-Site Scripting

Contentful through 2020-05-21 for Python contains a reflected cross-site scripting vulnerability via the api parameter to the-example-app.py. id: CVE-2020-13258 info: name: Contentful alert...

Prometheus Blackbox Exporter - Server-Side Request Forgery (SSRF)

Prometheus Blackbox Exporter through 0.17.0 contains a server-side request forgery caused by unsanitized target parameter in /probe, letting attackers perform SSRF attacks, exploit requires sending crafted target parameter. id: CVE-2020-16248 info: name: Prometheus Blackbox Exporter - Server-Side...

IceWarp WebMail Server <=11.4.4.1 - Cross-Site Scripting

IceWarp Webmail Server through 11.4.4.1 contains a cross-site scripting vulnerability in the /webmail/ color parameter. id: CVE-2020-8512 info: name: IceWarp WebMail Server =11.4.4.2 or apply the vendor-provided patch to mitigate the vulnerability. reference: -...

TerraMaster TOS < 4.2.06 - User Enumeration

User Enumeration vulnerability in TerraMaster TOS = 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php. id: CVE-2020-28185 info: name: TerraMaster TOS 4.2.06 - User Enumeration author: pussycat0x severity:...

Rukovoditel <= 2.7.2 - Cross Site Scripting

A stored cross site scripting XSS vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. id: CVE-2020-35986 info: name: Rukovoditel = 2.7.2 - Cross Sit...

Jira Server Pre-Auth - Arbitrary File Retrieval (WEB-INF, META-INF)

The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. id: CVE-2020-29453 info: name: Jira Server Pre-Auth - Arbitrary File...

RosarioSIS 6.7.2 - Cross-Site Scripting

RosarioSIS version 6.7.2 and earlier contains a reflected cross-site scripting XSS vulnerability in the Preferences module. The 'tab' parameter in Modules.php is not properly sanitized, allowing an attacker to inject arbitrary JavaScript code via a crafted URL. id: CVE-2020-15718 info: name:...

Rank Math SEO <= 1.0.40.2 - Privilege Escalation via Unprotected REST API Endpoint

The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to update arbitrary WordPress metadata, including the ability to escalate or revoke administrative privileges for existing users via the unsecured rankmath/v1/updateMeta REST API endpoint. id: CVE-2020-115...

WordPress WP Fastest Cache <= 0.9.0.2 - Authenticated Arbitrary File Deletion

The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized arbitrary file deletion in versions up to, and including, 0.9.0.2 due to a lack of capability checking and insufficient path validation. This makes it possible for authenticated users with minimal permissions to delete...

Roundcube Webmail - Command Injection

Roundcube Webmail before 1.4.4 contains a command injection caused by shell metacharacters in configuration settings for imconvertpath or imidentifypath, letting attackers execute arbitrary code, exploit requires attacker to control configuration settings. id: CVE-2020-12641 info: name: Roundcube...

WordPress WP Courses Plugin Information Disclosure

WordPress WP Courses Plugin 2.0.29 contains a critical information disclosure which exposes private course videos and materials. id: CVE-2020-26876 info: name: WordPress WP Courses Plugin Information Disclosure author: dwisiswant0 severity: high description: WordPress WP Courses Plugin 2.0.29...

D-Link DSL 2888a - Authentication Bypass/Remote Command Execution

D-Link DSL-2888A devices with firmware prior to AU2.31V1.1.47ae55 are vulnerable to authentication bypass issues which can lead to remote command execution. An unauthenticated attacker could bypass authentication to access authenticated pages and functionality. id: CVE-2020-24579 info: name: D-Li...

Apache Airflow <=1.10.10 - Remote Code Execution

Apache Airflow versions 1.10.10 and below are vulnerable to remote code/command injection vulnerabilities in one of the example DAGs shipped with Airflow. This could allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler depending on the executor in us...

phpMyAdmin < 5.0.3 - SQL Injection

phpMyAdmin before 4.9.6 and 5.x before 5.0.3 contains a SQL injection caused by improper processing of SQL statements in the search feature, letting attackers inject malicious SQL, exploit requires crafted search input. id: CVE-2020-26935 info: name: phpMyAdmin 5.0.3 - SQL Injection author: 0xAko...

Oracle iPlanet Web Server 7.0.x - Authentication Bypass

Oracle iPlanet Web Server 7.0.x has incorrect access control for admingui/version URIs in the Administration console, as demonstrated by unauthenticated read access to encryption keys. NOTE a related support policy can be found in the www.oracle.com references attached to this CVE. id:...