|
211271
|
7.5 |
HIGH
Network
|
wpo365
|
wordpress_\+_azure_ad_\/_microsoft_office_365
|
The wpo365-login plugin before v11.7 for WordPress allows use of a symmetric algorithm to decrypt a JWT token. This leads to authentication bypass.
|
CWE-287
Improper Authentication
|
CVE-2020-26511
|
2024-11-21 14:19 |
2020-10-2 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
211272
|
9.8 |
CRITICAL
Network
|
websitebaker
|
websitebaker
|
WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' in /websitebaker/admin/preferences/save.php. Exploiting this issue could allow an attacker to compromise the application, access …
|
CWE-89
SQL Injection
|
CVE-2020-25990
|
2024-11-21 14:19 |
2020-10-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
211273
|
8.8 |
HIGH
Network
|
bigbluebutton
|
greenlight
|
BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Origin) attacks, which can result in Account Takeover if a victim follows a spoofed password-reset link.
|
NVD-CWE-Other
|
CVE-2020-26163
|
2024-11-21 14:19 |
2020-10-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
211274
|
7.5 |
HIGH
Network
|
jwt-go_project
|
jwt-go
|
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fai…
|
CWE-287
CWE-755
Improper Authentication
Improper Handling of Exceptional Conditions
|
CVE-2020-26160
|
2024-11-21 14:19 |
2020-10-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
211275
|
9.6 |
CRITICAL
Network
|
leanote
|
leanote
|
Leanote Desktop through 2.6.2 allows XSS because a note's title is mishandled when the batch feature is triggered. This leads to remote code execution because of Node integration.
|
CWE-79
Cross-site Scripting
|
CVE-2020-26158
|
2024-11-21 14:19 |
2020-10-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
211276
|
9.6 |
CRITICAL
Network
|
leanote
|
leanote
|
Leanote Desktop through 2.6.2 allows XSS because a note's title is mishandled during syncing. This leads to remote code execution because of Node integration.
|
CWE-79
Cross-site Scripting
|
CVE-2020-26157
|
2024-11-21 14:19 |
2020-10-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
211277
|
9.8 |
CRITICAL
Network
|
libproxy_project
fedoraproject
debian
opensuse
|
libproxy
fedora
debian_linux
leap
|
url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when PAC is enabled, as demonstrated by a large PAC file that is delivered without a Content-length header.
|
CWE-120
Classic Buffer Overflow
|
CVE-2020-26154
|
2024-11-21 14:19 |
2020-10-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
211278
|
7.5 |
HIGH
Network
|
logaritmo
|
aware_callmanager
|
info.php in Logaritmo Aware CallManager 2012 allows remote attackers to obtain sensitive information via a direct request, which calls the phpinfo function.
|
CWE-425
Direct Request ('Forced Browsing')
|
CVE-2020-26150
|
2024-11-21 14:19 |
2020-10-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
211279
|
7.5 |
HIGH
Network
|
linuxfoundation
|
nats.deno
nats.js
nats.ws
|
NATS nats.js before 2.0.0-209, nats.ws before 1.0.0-111, and nats.deno before 1.0.0-9 allow credential disclosure from a client to a server.
|
CWE-522
Insufficiently Protected Credentials
|
CVE-2020-26149
|
2024-11-21 14:19 |
2020-10-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
211280
|
7.5 |
HIGH
Network
|
md4c_project
|
md4c
|
md_push_block_bytes in md4c.c in md4c 0.4.5 allows attackers to trigger use of uninitialized memory, and cause a denial of service (e.g., assertion failure) via a malformed Markdown document.
|
CWE-908
Use of Uninitialized Resource
|
CVE-2020-26148
|
2024-11-21 14:19 |
2020-10-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
