Export limit exceeded: 336257 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (336257 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-37152 | 1 Php-fusion | 2 Php-fusion, Phpfusion | 2026-03-05 | 6.1 Medium |
| PHP-Fusion 9.03.50 panels.php is vulnerable to cross-site scripting (XSS) via the 'panel_content' POST parameter. The application fails to properly sanitize user input before rendering it in the browser, allowing attackers to inject arbitrary JavaScript. This can be exploited by submitting crafted input to the 'panel_content' field in panels.php, resulting in execution of malicious scripts in the context of the affected site. | ||||
| CVE-2020-37150 | 1 Edimax | 2 Ew-7438rpn Mini, Ew-7438rpn Mini Firmware | 2026-03-05 | 7.5 High |
| Edimax EW-7438RPn-v3 Mini 1.27 allows unauthenticated attackers to access the /wizard_reboot.asp page in unsetup mode, which discloses the Wi-Fi SSID and security key. Attackers can retrieve the wireless password by sending a GET request to this endpoint, exposing sensitive information without authentication. | ||||
| CVE-2020-37149 | 1 Edimax | 2 Ew-7438rpn Mini, Ew-7438rpn Mini Firmware | 2026-03-05 | 8.1 High |
| Edimax EW-7438RPn-v3 Mini 1.27 is vulnerable to cross-site request forgery (CSRF) that can lead to command execution. An attacker can trick an authenticated user into submitting a crafted form to the /goform/mp endpoint, resulting in arbitrary command execution on the device with the user's privileges. | ||||
| CVE-2020-37147 | 1 Atutor | 1 Atutor | 2026-03-05 | 7.1 High |
| ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script to potentially extract or modify database information. | ||||
| CVE-2020-37145 | 1 Hrsale | 1 Hrsale | 2026-03-05 | 4.3 Medium |
| HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into creating new user accounts with elevated privileges. | ||||
| CVE-2020-37144 | 1 Exagate | 2 Sysguard 3001 Firmware, Sysguard 6001 | 2026-03-05 | 5.3 Medium |
| Exagate SYSGuard 6001 contains a cross-site request forgery vulnerability that allows attackers to create unauthorized admin accounts through a crafted HTML form. Attackers can trick users into submitting a malicious form to /kulyon.php that adds a new user with administrative privileges without the victim's consent. | ||||
| CVE-2020-37142 | 1 10-strike | 1 Network Inventory Explorer | 2026-03-05 | 8.4 High |
| 10-Strike Network Inventory Explorer 8.54 contains a structured exception handler buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting SEH records. Attackers can craft a malicious payload targeting the 'Computer' parameter during the 'Add' function to trigger remote code execution. | ||||
| CVE-2020-37140 | 2 Finalwire, Linuxfoundation | 2 Everest, Everest | 2026-03-05 | 5.5 Medium |
| Everest, later referred to as AIDA64, 5.50.2100 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating file open functionality. Attackers can generate a 450-byte buffer of repeated characters and paste it into the file open dialog to trigger an application crash. | ||||
| CVE-2020-37138 | 1 10-strike | 1 Network Inventory Explorer | 2026-03-05 | 9.8 Critical |
| 10-Strike Network Inventory Explorer 9.03 contains a buffer overflow vulnerability in the file import functionality that allows remote attackers to execute arbitrary code. Attackers can craft a malicious text file with carefully constructed payload to trigger a stack-based buffer overflow and bypass data execution prevention through a ROP chain. | ||||
| CVE-2020-37135 | 3 Amss++ Project, Amss\+\+ Project, Amssplus | 3 Amss++, Amss\+\+, Amss Plus | 2026-03-05 | 7.5 High |
| AMSS++ 4.7 contains an authentication bypass vulnerability that allows attackers to access administrative accounts using hardcoded credentials. Attackers can log in with the default admin username and password '1234' to gain unauthorized administrative access to the system. | ||||
| CVE-2020-37134 | 1 Ultravnc | 2 Ultravnc, Vnc Viewer | 2026-03-05 | 7.5 High |
| UltraVNC Viewer 1.2.4.0 contains a denial of service vulnerability that allows attackers to crash the application by manipulating VNC Server input. Attackers can generate a malformed 256-byte payload and paste it into the VNC Server connection dialog to trigger an application crash. | ||||
| CVE-2020-37131 | 1 Nsauditor | 1 Product Key Explorer | 2026-03-05 | 6.2 Medium |
| Nsauditor Product Key Explorer 4.2.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by inputting a specially crafted registration key. Attackers can generate a payload of 1000 bytes of repeated characters and paste it into the 'Key' input field to trigger the application crash. | ||||
| CVE-2020-37129 | 1 Microvirt | 2 Memu, Memu Play | 2026-03-05 | 9.8 Critical |
| Memu Play 7.1.3 contains an insecure folder permissions vulnerability that allows low-privileged users to modify the MemuService.exe executable. Attackers can replace the service executable with a malicious file during system restart to gain SYSTEM-level privileges by exploiting unrestricted file modification permissions. | ||||
| CVE-2020-37125 | 1 Edimax | 2 Ew-7438rpn Mini, Ew-7438rpn Mini Firmware | 2026-03-05 | 9.8 Critical |
| Edimax EW-7438RPn-v3 Mini 1.27 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands through the /goform/mp endpoint. Attackers can exploit the vulnerability by sending crafted POST requests with command injection payloads to download and execute malicious scripts on the device. | ||||
| CVE-2020-37117 | 1 Jizhicms | 1 Jizhicms | 2026-03-05 | 8.8 High |
| jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted POST requests with malicious filepath and download_url parameters to trigger unauthorized file downloads. | ||||
| CVE-2020-37112 | 2 Gunet, Openeclass | 2 Open Eclass Platform, Openeclass | 2026-03-05 | 7.1 High |
| GUnet OpenEclass 1.7.3 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through unvalidated parameters. Attackers can exploit the 'month' parameter in the agenda module and other endpoints to extract sensitive database information using error-based or time-based injection techniques. | ||||
| CVE-2020-37111 | 3 60cyclecms Project, Davidvg, Opensourcecms | 3 60cyclecms, 60cyclecms, 60cyclecms | 2026-03-05 | 6.1 Medium |
| 60CycleCMS 2.5.2 contains a cross-site scripting (XSS) vulnerability in news.php that allows attackers to inject malicious scripts through GET parameters. Attackers can craft malicious URLs with XSS payloads targeting the 'etsu' and 'ltsu' parameters to execute arbitrary scripts in victim's browsers. This issue does not involve SQL injection. | ||||
| CVE-2020-37110 | 3 60cyclecms Project, Davidvg, Opensourcecms | 3 60cyclecms, 60cyclecms, 60cyclecms | 2026-03-05 | 8.2 High |
| 60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. Attackers can exploit vulnerable query parameters like 'title' to inject malicious SQL code and potentially extract or modify database contents. This issue does not involve cross-site scripting. | ||||
| CVE-2020-37107 | 1 Coreftp | 1 Core Ftp Le | 2026-03-05 | 7.5 High |
| Core FTP LE 2.2 contains a denial of service vulnerability that allows attackers to crash the application by overwriting the account field with a large buffer. Attackers can create a text file with 20,000 repeated characters and paste it into the account field to cause the application to become unresponsive and require reinstallation. | ||||
| CVE-2020-37105 | 2 Redmine, Sigb | 2 Pmb, Pmb | 2026-03-05 | 7.1 High |
| PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download.php endpoint with manipulated logid values to interact with the database. | ||||