CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In 2020 (Execute Code)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
(Each row is followed by its description. "-" marks a column left empty on the page; "???" is kept exactly as the page shows it.)

1 | CVE-2020-35863 | 94 | - | Exec Code | 2020-12-31 | 2021-07-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    An issue was discovered in the hyper crate before 0.12.34 for Rust. HTTP request smuggling can occur. Remote code execution can occur in certain situations with an HTTP server on the loopback interface.

2 | CVE-2020-35858 | 400 | - | DoS Exec Code | 2020-12-31 | 2021-07-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    An issue was discovered in the prost crate before 0.6.1 for Rust. There is stack consumption via a crafted message, causing a denial of service (e.g., x86) or possibly remote code execution (e.g., ARM).

3 | CVE-2020-35851 | 78 | - | Exec Code | 2020-12-31 | 2021-01-07 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    HGiga MailSherlock does not validate specific parameters properly. Attackers can use the vulnerability to launch command injection attacks remotely and execute arbitrary system commands.

4 | CVE-2020-35715 | 78 | - | Exec Code | 2020-12-26 | 2020-12-28 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
    Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote authenticated users to execute arbitrary commands via shell metacharacters in a filename to the upload_settings.cgi page.

5 | CVE-2020-35714 | 77 | - | Exec Code | 2020-12-26 | 2021-07-21 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    Belkin LINKSYS RE6500 devices before 1.0.11.001 allow remote authenticated users to execute arbitrary commands via goform/systemCommand?command= in conjunction with the goform/pingstart program.

6 | CVE-2020-35713 | 78 | - | Exec Code | 2020-12-26 | 2020-12-28 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters to the goform/setSysAdm page.

7 | CVE-2020-35665 | 434 | - | Exec Code | 2020-12-23 | 2021-07-21 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.

8 | CVE-2020-35657 | 434 | - | Exec Code | 2020-12-23 | 2020-12-23 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of UploadTheme to upload a theme ZIP archive containing a .php file that is able to execute OS commands. NOTE: this is unrelated to the JAWS (aka Job Access With Speech) product.

9 | CVE-2020-35656 | 434 | - | Exec Code | 2020-12-23 | 2020-12-23 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser and admin.php?reqGadget=FileBrowser&reqAction=Files to upload a .php file. NOTE: this is unrelated to the JAWS (aka Job Access With Speech) product.

10 | CVE-2020-35627 | 434 | - | Exec Code | 2020-12-28 | 2020-12-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file upload vulnerability in the Custom GiftCard Template that can lead to remote execution of arbitrary code. The "Custom Gift Card Template" function lets a user upload a custom image; changing the uploaded image's extension to PHP results in the PHP code being executed on the server.

11 | CVE-2020-35608 | 74 | - | Exec Code | 2020-12-22 | 2020-12-23 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
    A code execution vulnerability exists in the normal world's signed code execution functionality of Microsoft Azure Sphere 20.07. A specially crafted AF_PACKET socket can cause a process to create an executable memory mapping with controllable content. An attacker can execute a shellcode that uses the PACKET_MMAP functionality to trigger this vulnerability.

12 | CVE-2020-35606 | 77 | - | Exec Code | 2020-12-21 | 2021-07-21 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
    Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C. NOTE: this issue exists because of an incomplete fix for CVE-2019-12840.

13 | CVE-2020-35605 | - | - | Exec Code | 2020-12-21 | 2020-12-27 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    The Graphics Protocol feature in graphics.c in kitty before 0.19.3 allows remote attackers to execute arbitrary code because a filename containing special characters can be included in an error message.

14 | CVE-2020-35489 | 434 | - | Exec Code | 2020-12-17 | 2020-12-22 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.

15 | CVE-2020-35476 | 77 | - | Exec Code | 2020-12-16 | 2021-07-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks, but this is insufficient.)

16 | CVE-2020-35378 | 89 | - | Exec Code Sql Bypass | 2020-12-14 | 2020-12-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    SQL Injection in the login page in Online Bus Ticket Reservation 1.0 allows attackers to execute arbitrary SQL commands and bypass authentication via the username and password fields.

17 | CVE-2020-35370 | 94 | - | Exec Code | 2020-12-23 | 2021-07-21 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete
    An RCE vulnerability exists in Raysync below 3.3.3.8. An unauthenticated, unauthorized attacker sending a specifically crafted request can overwrite a specific file on the server with malicious content, log in as "admin", and then modify a specific shell file to achieve remote code execution (RCE) on the hosting server.

18 | CVE-2020-35235 | - | - | Exec Code | 2020-12-14 | 2020-12-15 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    ** UNSUPPORTED WHEN ASSIGNED ** vendor/elfinder/php/connector.minimal.php in the secure-file-manager plugin through 2.5 for WordPress loads elFinder code without proper access control. Thus, any authenticated user can run the elFinder upload command to achieve remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

19 | CVE-2020-35136 | 77 | - | Exec Code | 2020-12-23 | 2021-07-21 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
    Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has access to the admin dashboard can manipulate the backup function by inserting a payload into the filename via the zipfilename_template parameter to admin/tools/dolibarr_export.php.

20 | CVE-2020-29659 | 120 | - | Exec Code Overflow | 2020-12-09 | 2020-12-17 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    A buffer overflow in the web server of Flexense DupScout Enterprise 10.0.18 allows a remote anonymous attacker to execute code as SYSTEM by overflowing the sid parameter via a GET /settings&sid= attack.

21 | CVE-2020-29607 | 434 | - | Exec Code +Priv Bypass | 2020-12-16 | 2021-05-28 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin privileged user to gain access to the host through the "manage files" functionality, which may result in remote code execution.

22 | CVE-2020-29552 | 78 | - | Exec Code | 2020-12-23 | 2020-12-29 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    An issue was discovered in URVE Build 24.03.2020. By using the _internal/pc/vpro.php?mac=0&ip=0&operation=0&usr=0&pass=0%3bpowershell+-c+" substring, it is possible to execute a PowerShell command and redirect its output to a file under the web root.

23 | CVE-2020-29474 | 89 | - | Exec Code Sql | 2020-12-24 | 2021-04-22 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    EGavilan Media EGM Address Book 1.0 contains a SQL injection vulnerability. An attacker can gain Admin Panel access using malicious SQL injection queries to perform remote arbitrary code execution.

24 | CVE-2020-29472 | 89 | - | Exec Code Sql | 2020-12-24 | 2021-04-22 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    EGavilan Media Under Construction page with cPanel 1.0 contains a SQL injection vulnerability. An attacker can gain Admin Panel access using malicious SQL injection queries to perform remote arbitrary code execution.

25 | CVE-2020-29471 | 79 | - | Exec Code XSS | 2020-12-29 | 2020-12-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Profile Image. An admin can upload a profile image containing malicious JavaScript code. Whenever anyone views the profile picture, the code executes and the XSS triggers.

26 | CVE-2020-29396 | - | - | Exec Code | 2020-12-22 | 2021-10-19 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation.

27 | CVE-2020-29394 | 787 | - | Exec Code Overflow | 2020-11-30 | 2021-03-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
    A buffer overflow in the dlt_filter_load function in dlt_common.c from dlt-daemon through 2.18.5 (GENIVI Diagnostic Log and Trace) allows arbitrary code execution because fscanf is misused (no limit on the number of characters to be read in the format argument).

28 | CVE-2020-29390 | 78 | - | Exec Code | 2020-11-30 | 2020-12-03 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    Zeroshell 3.9.3 contains a command injection vulnerability in the /cgi-bin/kerbynet StartSessionSubmit parameter that could allow an unauthenticated attacker to execute a system command by using shell metacharacters and the %0a character.

29 | CVE-2020-29385 | 835 | - | DoS Exec Code | 2020-12-26 | 2021-03-22 | 4.3 | None | Remote | Medium | Not required | None | None | Partial
    GNOME gdk-pixbuf (aka GdkPixbuf) before 2.42.2 allows a denial of service (infinite loop) in lzw.c in the function write_indexes. If c->self_code equals 10, self->code_table[10].extends will assign the value 11 to c. The next execution in the loop will assign self->code_table[11].extends to c, which will give the value of 10. This will make the loop run infinitely. This bug can, for example, be triggered by calling this function with a GIF image with LZW compression that is crafted in a special way.

30 | CVE-2020-29311 | 77 | - | Exec Code | 2020-12-10 | 2021-07-21 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    Ubilling v1.0.9 allows Remote Command Execution as the root user: a malicious command injected into the config file is later triggered by another part of the software.

31 | CVE-2020-29279 | - | - | Exec Code File Inclusion | 2020-12-02 | 2020-12-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution.

32 | CVE-2020-29227 | - | - | Exec Code File Inclusion | 2020-12-14 | 2020-12-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    An issue was discovered in Car Rental Management System 1.0. An unauthenticated user can perform a file inclusion attack against the /index.php file with a partial filename in the "page" parameter, to cause local file inclusion resulting in code execution.

33 | CVE-2020-28971 | 20 | - | Exec Code Bypass | 2020-12-01 | 2021-07-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    An issue was discovered on Western Digital My Cloud OS 5 devices before 5.06.115. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to execute privileged commands on the device via a cookie, because of insufficient validation of URI paths.

34 | CVE-2020-28970 | - | - | Exec Code Bypass | 2020-12-01 | 2021-07-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    An issue was discovered on Western Digital My Cloud OS 5 devices before 5.06.115. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to execute privileged commands on the device via a cookie. (In addition, an upload endpoint could then be used by an authenticated administrator to upload executable PHP scripts.)

35 | CVE-2020-28940 | - | - | Exec Code Bypass | 2020-12-01 | 2021-07-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    On Western Digital My Cloud OS 5 devices before 5.06.115, the NAS Admin dashboard has an authentication bypass vulnerability that could allow an unauthenticated user to execute privileged commands on the device.

36 | CVE-2020-28939 | 434 | - | Exec Code | 2020-12-03 | 2020-12-07 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    OpenClinic version 0.8.2 is affected by a medical/test_new.php insecure file upload vulnerability. This vulnerability allows authenticated users (with substantial privileges) to upload malicious files, such as PHP web shells, which can lead to arbitrary code execution on the application server.

37 | CVE-2020-28926 | 120 | - | Exec Code Overflow | 2020-11-30 | 2020-12-11 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    ReadyMedia (aka MiniDLNA) before version 1.3.0 allows remote code execution. Sending a malicious UPnP HTTP request to the miniDLNA service using HTTP chunked encoding can lead to a signedness bug resulting in a buffer overflow in calls to memcpy/memmove.

38 | CVE-2020-28922 | 269 | - | Exec Code | 2020-11-27 | 2021-07-21 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
    An issue was discovered in Devid Espenschied PC Analyser through 4.10. The PCADRVX64.SYS kernel driver exposes IOCTL functionality that allows low-privilege users to read and write arbitrary physical memory. This could lead to arbitrary Ring-0 code execution and escalation of privileges.

39 | CVE-2020-28921 | 269 | - | Exec Code | 2020-11-27 | 2021-07-21 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
    An issue was discovered in Devid Espenschied PC Analyser through 4.10. The PCADRVX64.SYS kernel driver exposes IOCTL functionality that allows low-privilege users to read and write to arbitrary Model Specific Registers (MSRs). This could lead to arbitrary Ring-0 code execution and escalation of privileges.

40 | CVE-2020-28656 | 354 | - | Exec Code | 2020-11-16 | 2020-12-02 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
    The update functionality of the Discover Media infotainment system in Volkswagen Polo 2019 vehicles allows physically proximate attackers to execute arbitrary code because some unsigned parts of a metainfo file are parsed, which can cause attacker-controlled files to be written to the infotainment system and executed as root.

41 | CVE-2020-28648 | 20 | - | Exec Code | 2020-11-16 | 2021-05-26 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
    Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute code remotely.

42 | CVE-2020-28647 | 79 | - | Exec Code XSS | 2020-11-17 | 2020-12-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
    In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. If a victim within the MOVEit Transfer instance interacts with the stored payload, it could invoke and execute arbitrary code within the context of the victim's browser (XSS).

43 | CVE-2020-28581 | 78 | - | Exec Code | 2020-11-18 | 2020-11-28 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
    A command injection vulnerability in ModifyVLANItem of Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an authenticated, remote attacker to send specially crafted HTTP messages and execute arbitrary OS commands with elevated privileges.

44 | CVE-2020-28580 | 78 | - | Exec Code | 2020-11-18 | 2020-11-28 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
    A command injection vulnerability in AddVLANItem of Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an authenticated, remote attacker to send specially crafted HTTP messages and execute arbitrary OS commands with elevated privileges.

45 | CVE-2020-28579 | 787 | - | Exec Code | 2020-11-18 | 2020-12-02 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an authenticated, remote attacker to send a specially crafted HTTP message and achieve remote code execution with elevated privileges.

46 | CVE-2020-28578 | 787 | - | Exec Code | 2020-11-18 | 2020-11-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an unauthenticated, remote attacker to send a specially crafted HTTP message and achieve remote code execution with elevated privileges.

47 | CVE-2020-28575 | 787 | - | Exec Code Overflow | 2020-12-01 | 2020-12-02 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial
    A heap-based buffer overflow privilege escalation vulnerability in Trend Micro ServerProtect for Linux 3.0 may allow an attacker to escalate privileges on affected installations. An attacker must first obtain the ability to execute high-privileged code on the target in order to exploit this vulnerability.

48 | CVE-2020-28415 | 79 | - | Exec Code XSS | 2020-11-12 | 2020-11-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    A reflected cross-site scripting (XSS) vulnerability exists in the TranzWare Payment Gateway 3.1.12.3.2. A remote unauthenticated attacker is able to execute arbitrary HTML code via a crafted URL (different vector than CVE-2020-28414).

49 | CVE-2020-28414 | 79 | - | Exec Code XSS | 2020-11-12 | 2020-11-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
    A reflected cross-site scripting (XSS) vulnerability exists in the TranzWare Payment Gateway 3.1.12.3.2. A remote unauthenticated attacker is able to execute arbitrary HTML code via a crafted URL (different vector than CVE-2020-28415).

50 | CVE-2020-28373 | 787 | - | Exec Code Overflow | 2020-11-09 | 2020-11-23 | 8.3 | None | Local Network | Low | Not required | Complete | Complete | Complete
    upnpd on certain NETGEAR devices allows remote (LAN) attackers to execute arbitrary code via a stack-based buffer overflow. This affects R6400v2 V1.0.4.102_10.0.75, R6400 V1.0.1.62_1.0.41, R7000P V1.3.2.126_10.1.66, XR300 V1.0.3.50_10.3.36, R8000 V1.0.4.62, R8300 V1.0.2.136, R8500 V1.0.2.136, R7300DST V1.0.0.74, R7850 V1.0.5.64, R7900 V1.0.4.30, RAX20 V1.0.2.64, RAX80 V1.0.3.102, and R6250 V1.0.4.44.
Total number of vulnerabilities: 3248 (this is page 1 of 65)