CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 9 and 10)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1101 CVE-2020-22724 77 Exec Code 2021-10-14 2021-10-20
10.0
None Remote Low Not required Complete Complete Complete
A remote command execution vulnerability exists in add_server_service of PPTP_SERVER in Mercury Router MER1200 v1.0.1 and Mercury Router MER1200G v1.0.1.
1102 CVE-2020-22345 78 Exec Code 2021-08-18 2021-08-25
9.0
None Remote Low ??? Complete Complete Complete
/graphStatus/displayServiceStatus.php in Centreon 19.10.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the RRDdatabase_path parameter.
1103 CVE-2020-21999 78 Exec Code 2021-05-04 2021-05-11
9.0
None Remote Low ??? Complete Complete Complete
iWT Ltd FaceSentry Access Control System 6.4.8 suffers from an authenticated OS command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'strInIP' POST parameter in pingTest PHP script.
1104 CVE-2020-21992 78 Exec Code Bypass 2021-04-29 2021-05-12
9.0
None Remote Low ??? Complete Complete Complete
Inim Electronics SmartLiving SmartLAN/G/SI <=6.x suffers from an authenticated remote command injection vulnerability. The issue exists because the 'par' POST parameter is not sanitized when called with the 'testemail' module through the web.cgi binary. The vulnerable CGI binary (ELF 32-bit LSB executable, ARM) calls the 'sh' executable via the system() function to issue a command using the mailx service, and its vulnerable string format parameter allows OS command injection with root privileges. An attacker can remotely execute system commands as the root user using default credentials and bypass access controls in place.
1105 CVE-2020-21976 434 Exec Code 2021-08-11 2021-08-19
9.0
None Remote Low ??? Complete Complete Complete
An arbitrary file upload vulnerability in the <input type="file" name="user_image"> component of NewsOne CMS v1.1.0 allows attackers to upload a webshell and execute arbitrary commands.
1106 CVE-2020-21937 77 Exec Code 2021-07-21 2021-07-30
10.0
None Remote Low Not required Complete Complete Complete
A command injection vulnerability in HNAP1/SetWLanApcliSettings of Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n allows attackers to execute arbitrary system commands.
1107 CVE-2020-21884 352 CSRF 2021-04-09 2021-04-14
9.3
None Remote Medium Not required Complete Complete Complete
Unibox SMB 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain a cross-site request forgery (CSRF) vulnerability in /tools/network-trace, /list_users, /list_byod?usertype=raduser, /dhcp_leases, /go?rid=202 in which a specially crafted HTTP request may reconfigure the device.
1108 CVE-2020-21883 78 2021-04-09 2021-04-14
9.0
None Remote Low ??? Complete Complete Complete
Unibox U-50 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain an OS command injection vulnerability in /tools/ping, which can lead to complete device takeover.
1109 CVE-2020-21787 434 2021-06-24 2021-06-30
10.0
None Remote Low Not required Complete Complete Complete
CRMEB 3.1.0+ is vulnerable to File Upload Getshell via /crmeb/crmeb/services/UploadService.php.
1110 CVE-2020-21523 74 Exec Code 2020-09-30 2020-10-09
10.0
None Remote Low Not required Complete Complete Complete
A server-side Freemarker template injection vulnerability exists in the Edit Theme File function of halo CMS v1.1.3. The ftl file, which is the Freemarker template file, can be edited. This file can cause arbitrary code execution when it is rendered in the background. exp: <#assign test="freemarker.template.utility.Execute"?new()> ${test("touch /tmp/freemarkerPwned")}
1111 CVE-2020-21224 88 Exec Code 2021-02-22 2021-02-26
10.0
None Remote Low Not required Complete Complete Complete
A Remote Code Execution vulnerability has been found in Inspur ClusterEngine V4.0. A remote attacker can send a malicious login packet to the control server
1112 CVE-2020-20471 863 2021-06-21 2021-06-23
9.0
None Remote Low ??? Complete Complete Complete
White Shark System (WSS) 1.3.2 has an unauthorized access vulnerability in default_user_edit.php; remote attackers can exploit this vulnerability to escalate to admin privileges.
1113 CVE-2020-20269 Exec Code 2021-01-26 2021-01-30
10.0
None Remote Low Not required Complete Complete Complete
A specially crafted Markdown document could cause the execution of malicious JavaScript code in Caret Editor before 4.0.0-rc22.
1114 CVE-2020-19527 78 Exec Code 2020-12-10 2020-12-11
10.0
None Remote Low Not required Complete Complete Complete
iCMS 7.0.14 allows attackers to execute arbitrary OS commands via shell metacharacters in the DB_NAME parameter to install/install.php.
1115 CVE-2020-19417 269 2021-03-10 2021-03-18
9.0
None Remote Low ??? Complete Complete Complete
Emerson Smart Wireless Gateway 1420 4.6.59 allows non-privileged users (such as the default account 'maint') to perform administrative tasks by sending specially crafted HTTP requests to the application.
1116 CVE-2020-19142 78 Exec Code 2020-12-10 2020-12-11
10.0
None Remote Low Not required Complete Complete Complete
iCMS 7 allows attackers to execute arbitrary OS commands via shell metacharacters in the DB_PREFIX parameter to install/install.php.
1117 CVE-2020-19138 434 Exec Code 2021-09-08 2021-09-15
10.0
None Remote Low Not required Complete Complete Complete
Unrestricted Upload of File with Dangerous Type in DotCMS v5.2.3 and earlier allows remote attackers to execute arbitrary code via the component "/src/main/java/com/dotmarketing/filters/CMSFilter.java".
1118 CVE-2020-19001 77 Exec Code 2021-08-27 2021-09-01
10.0
None Remote Low Not required Complete Complete Complete
Command Injection in Simiki v1.6.2.1 and prior allows remote attackers to execute arbitrary system commands via line 64 of the component 'simiki/blob/master/simiki/config.py'.
1119 CVE-2020-18758 77 Exec Code 2021-08-13 2021-08-25
10.0
None Remote Low Not required Complete Complete Complete
An issue in Dut Computer Control Engineering Co.'s PLC MAC1100 allows attackers to execute arbitrary code.
1120 CVE-2020-17523 863 Bypass 2021-02-03 2021-07-21
9.0
None Remote Low Not required Partial Partial Complete
In Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
1121 CVE-2020-17505 78 Exec Code 2020-08-12 2020-09-22
9.0
None Remote Low ??? Complete Complete Complete
Artica Web Proxy 4.30.000000 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.
1122 CVE-2020-17452 434 2020-08-09 2020-08-10
9.0
None Remote Low ??? Complete Complete Complete
flatCore before 1.5.7 allows upload and execution of a .php file by an admin.
1123 CVE-2020-17407 121 Exec Code 2020-10-13 2020-10-26
10.0
None Remote Low Not required Complete Complete Complete
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microhard Bullet-LTE prior to v1.2.0-r1112. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of authentication headers. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-10596.
1124 CVE-2020-17406 78 Exec Code 2020-10-13 2020-10-26
9.0
None Remote Low ??? Complete Complete Complete
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microhard Bullet-LTE prior to v1.2.0-r1112. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of the ping parameter provided to tools.sh. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-10595.
1125 CVE-2020-17389 22 Exec Code Dir. Trav. Bypass 2020-08-25 2020-08-28
9.0
None Remote Low ??? Complete Complete Complete
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole 5.5.0.64. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the decryptFile method of the GWTTestServiceImpl class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-10502.
1126 CVE-2020-17388 749 Exec Code Bypass 2020-08-25 2020-08-28
9.0
None Remote Low ??? Complete Complete Complete
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole 5.5.0.64. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Tomcat configuration file. The issue results from the lack of proper restriction to the Tomcat admin console. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-10799.
1127 CVE-2020-17387 22 Exec Code Dir. Trav. Bypass 2020-08-25 2020-08-28
9.0
None Remote Low ??? Complete Complete Complete
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole 5.5.0.64. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the writeObjectToConfigFile method of the GWTTestServiceImpl class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-10565.
1128 CVE-2020-17384 78 Exec Code 2020-08-25 2020-08-27
9.0
None Remote Low ??? Complete Complete Complete
Cellopoint Cellos v4.1.10 Build 20190922 does not properly validate URL input. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary commands to manipulate the system.
1129 CVE-2020-17363 78 Exec Code 2020-12-31 2021-01-05
9.0
None Remote Low ??? Complete Complete Complete
USVN (aka User-friendly SVN) before 1.0.9 allows remote code execution via shell metacharacters in the number_start or number_end parameter to LastHundredRequest (aka lasthundredrequestAction) in the Timeline module. NOTE: this may overlap CVE-2020-25069.
1130 CVE-2020-17129 Exec Code 2020-12-10 2021-03-03
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2020-17122, CVE-2020-17123, CVE-2020-17125, CVE-2020-17127, CVE-2020-17128.
1131 CVE-2020-17128 Exec Code 2020-12-10 2021-03-04
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2020-17122, CVE-2020-17123, CVE-2020-17125, CVE-2020-17127, CVE-2020-17129.
1132 CVE-2020-17127 Exec Code 2020-12-10 2021-03-03
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2020-17122, CVE-2020-17123, CVE-2020-17125, CVE-2020-17128, CVE-2020-17129.
1133 CVE-2020-17125 Exec Code 2020-12-10 2021-03-03
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2020-17122, CVE-2020-17123, CVE-2020-17127, CVE-2020-17128, CVE-2020-17129.
1134 CVE-2020-17124 Exec Code 2020-12-10 2021-03-04
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft PowerPoint Remote Code Execution Vulnerability
1135 CVE-2020-17123 Exec Code 2020-12-10 2021-03-03
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2020-17122, CVE-2020-17125, CVE-2020-17127, CVE-2020-17128, CVE-2020-17129.
1136 CVE-2020-17122 Exec Code 2020-12-10 2021-03-03
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2020-17123, CVE-2020-17125, CVE-2020-17127, CVE-2020-17128, CVE-2020-17129.
1137 CVE-2020-17118 Exec Code 2020-12-10 2021-03-03
10.0
None Remote Low Not required Complete Complete Complete
Microsoft SharePoint Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2020-17121.
1138 CVE-2020-17117 Exec Code 2020-12-10 2021-03-04
9.0
None Remote Low ??? Complete Complete Complete
Microsoft Exchange Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2020-17132, CVE-2020-17141, CVE-2020-17142, CVE-2020-17144.
1139 CVE-2020-17110 Exec Code 2020-11-11 2020-11-19
9.3
None Remote Medium Not required Complete Complete Complete
HEVC Video Extensions Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2020-17106, CVE-2020-17107, CVE-2020-17108, CVE-2020-17109.
1140 CVE-2020-17109 Exec Code 2020-11-11 2020-11-19
9.3
None Remote Medium Not required Complete Complete Complete
HEVC Video Extensions Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2020-17106, CVE-2020-17107, CVE-2020-17108, CVE-2020-17110.
1141 CVE-2020-17108 Exec Code 2020-11-11 2020-11-19
9.3
None Remote Medium Not required Complete Complete Complete
HEVC Video Extensions Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2020-17106, CVE-2020-17107, CVE-2020-17109, CVE-2020-17110.
1142 CVE-2020-17107 Exec Code 2020-11-11 2020-11-19
9.3
None Remote Medium Not required Complete Complete Complete
HEVC Video Extensions Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2020-17106, CVE-2020-17108, CVE-2020-17109, CVE-2020-17110.
1143 CVE-2020-17106 Exec Code 2020-11-11 2020-11-19
9.3
None Remote Medium Not required Complete Complete Complete
HEVC Video Extensions Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2020-17107, CVE-2020-17108, CVE-2020-17109, CVE-2020-17110.
1144 CVE-2020-17105 Exec Code 2020-11-11 2020-11-24
10.0
None Remote Low Not required Complete Complete Complete
AV1 Video Extension Remote Code Execution Vulnerability
1145 CVE-2020-17104 20 Exec Code 2020-11-11 2021-07-21
9.3
None Remote Medium Not required Complete Complete Complete
Visual Studio Code JSHint Extension Remote Code Execution Vulnerability
1146 CVE-2020-17096 Exec Code 2020-12-10 2021-03-04
9.0
None Remote Low ??? Complete Complete Complete
Windows NTFS Remote Code Execution Vulnerability
1147 CVE-2020-17095 Exec Code 2020-12-10 2021-03-03
9.0
None Remote Low ??? Complete Complete Complete
Hyper-V Remote Code Execution Vulnerability
1148 CVE-2020-17084 120 Exec Code 2020-11-11 2020-11-17
9.0
None Remote Low ??? Complete Complete Complete
Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2020-17083.
1149 CVE-2020-17066 Exec Code 2020-11-11 2020-11-16
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2020-17019, CVE-2020-17064, CVE-2020-17065.
1150 CVE-2020-17065 Exec Code 2020-11-11 2020-11-16
9.3
None Remote Medium Not required Complete Complete Complete
Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2020-17019, CVE-2020-17064, CVE-2020-17066.