|
|
Security Vulnerabilities Published
In October 2020
| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
101 |
CVE-2020-26935 |
89 |
|
Sql |
2020-10-10 |
2021-03-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL in to a query. |
|
102 |
CVE-2020-26934 |
79 |
|
XSS |
2020-10-10 |
2021-01-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted link. |
|
103 |
CVE-2020-26932 |
732 |
|
|
2020-10-10 |
2020-12-24 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
debian/sympa.postinst for the Debian Sympa package before 6.2.40~dfsg-7 uses mode 4755 for sympa_newaliases-wrapper, whereas the intended permissions are mode 4750 (for access by the sympa group) |
|
104 |
CVE-2020-26931 |
200 |
|
+Info |
2020-10-09 |
2021-07-21 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects WC7500 before 6.5.5.24, WC7600 before 6.5.5.24, WC7600v2 before 6.5.5.24, and WC9500 before 6.5.5.24. |
|
105 |
CVE-2020-26930 |
1188 |
|
|
2020-10-09 |
2020-10-16 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
|
NETGEAR EX7700 devices before 1.0.0.210 are affected by incorrect configuration of security settings. |
|
106 |
CVE-2020-26929 |
77 |
|
|
2020-10-09 |
2020-10-16 |
5.2 |
None |
Local Network |
Low |
??? |
Partial |
Partial |
Partial |
|
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R6220 before 1.1.0.100 and R6230 before 1.1.0.100. |
|
107 |
CVE-2020-26928 |
287 |
|
Bypass |
2020-10-09 |
2021-07-21 |
5.8 |
None |
Local Network |
Low |
Not required |
Partial |
Partial |
Partial |
|
Certain NETGEAR devices are affected by authentication bypass. This affects CBR40 before 2.5.0.10, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.10.11, RBR850 before 3.2.10.11, and RBS850 before 3.2.10.11. |
|
108 |
CVE-2020-26927 |
287 |
|
Bypass |
2020-10-09 |
2021-07-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Certain NETGEAR devices are affected by authentication bypass. This affects D6200 before 1.1.00.40, D7000 before 1.0.1.78, R6020 before 1.0.0.42, R6080 before 1.0.0.42, R6050 before 1.0.1.26, JR6150 before 1.0.1.26, R6120 before 1.0.0.66, R6220 before 1.1.0.100, R6260 before 1.1.0.66, R6700v2 before 1.2.0.62, R6800 before 1.2.0.62, R6900v2 before 1.2.0.62, AC2100 before 1.2.0.62, AC2400 before 1.2.0.62, AC2600 before 1.2.0.62, R7450 before 1.2.0.62, and WNR2020 before 1.1.0.62. |
|
109 |
CVE-2020-26926 |
287 |
|
Bypass |
2020-10-09 |
2021-07-21 |
5.8 |
None |
Local Network |
Low |
Not required |
Partial |
Partial |
Partial |
|
Certain NETGEAR devices are affected by authentication bypass. This affects CBR40 before 2.5.0.10, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.10.11, RBR850 before 3.2.10.11, and RBS850 before 3.2.10.11. |
|
110 |
CVE-2020-26925 |
|
|
DoS |
2020-10-09 |
2020-10-16 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
NETGEAR GS808E devices before 1.7.1.0 are affected by denial of service. |
|
111 |
CVE-2020-26924 |
200 |
|
+Info |
2020-10-09 |
2021-07-21 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects WAC720 before 3.9.1.13 and WAC730 before 3.9.1.13. |
|
112 |
CVE-2020-26923 |
79 |
|
XSS |
2020-10-09 |
2020-10-15 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Certain NETGEAR devices are affected by stored XSS. This affects WC7500 before 6.5.5.24, WC7600 before 6.5.5.24, WC7600v2 before 6.5.5.24, and WC9500 before 6.5.5.24. |
|
113 |
CVE-2020-26922 |
77 |
|
|
2020-10-09 |
2020-10-15 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects WC7500 before 6.5.5.24, WC7600 before 6.5.5.24, WC7600v2 before 6.5.5.24, and WC9500 before 6.5.5.24. |
|
114 |
CVE-2020-26921 |
|
|
Bypass |
2020-10-09 |
2021-07-21 |
5.8 |
None |
Local Network |
Low |
Not required |
Partial |
Partial |
Partial |
|
Certain NETGEAR devices are affected by authentication bypass. This affects GS110EMX before 1.0.1.7, GS810EMX before 1.7.1.3, XS512EM before 1.0.1.3, and XS724EM before 1.0.1.3. |
|
115 |
CVE-2020-26920 |
77 |
|
|
2020-10-09 |
2020-10-16 |
5.8 |
None |
Local Network |
Low |
Not required |
Partial |
Partial |
Partial |
|
Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects SRK60 before 2.5.3.110, SRR60 before 2.5.3.110, and SRS60 before 2.5.3.110. |
|
116 |
CVE-2020-26919 |
|
|
|
2020-10-09 |
2020-10-19 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
NETGEAR JGS516PE devices before 2.6.0.43 are affected by lack of access control at the function level. |
|
117 |
CVE-2020-26918 |
79 |
|
XSS |
2020-10-09 |
2020-10-19 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Certain NETGEAR devices are affected by stored XSS. This affects EX7000 before 1.0.1.78, R6250 before 1.0.4.34, R6400 before 1.0.1.46, R6400v2 before 1.0.2.66, R6700v3 before 1.0.2.66, R7100LG before 1.0.0.50, R7300DST before 1.0.0.70, R7900 before 1.0.3.8, R8300 before 1.0.2.128, and R8500 before 1.0.2.128. |
|
118 |
CVE-2020-26917 |
79 |
|
XSS |
2020-10-09 |
2020-10-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Certain NETGEAR devices are affected by stored XSS. This affects EX7000 before 1.0.1.78, R6250 before 1.0.4.34, R6400 before 1.0.1.46, R6400v2 before 1.0.2.66, R7100LG before 1.0.0.50, R7300DST before 1.0.0.70, R7900 before 1.0.3.8, R8300 before 1.0.2.128, and R8500 before 1.0.2.128. |
|
119 |
CVE-2020-26916 |
|
|
|
2020-10-09 |
2020-10-16 |
5.8 |
None |
Local Network |
Low |
Not required |
Partial |
Partial |
Partial |
|
Certain NETGEAR devices are affected by incorrect configuration of security settings. This affects D6200 before 1.1.00.38, D7000 before 1.0.1.78, JR6150 before 1.0.1.24, R6020 before 1.0.0.42, R6050 before 1.0.1.24, R6080 before 1.0.0.42, R6120 before 1.0.0.66, R6220 before 1.1.0.100, R6260 before 1.1.0.64, R6700v2 before 1.2.0.62, R6800 before 1.2.0.62, R6900v2 before 1.2.0.62, R7450 before 1.2.0.50, and WNR2020 before 1.1.0.62. |
|
120 |
CVE-2020-26915 |
79 |
|
XSS |
2020-10-09 |
2020-10-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, XR500 before 2.3.2.56, and XR700 before 1.0.1.10. |
|
121 |
CVE-2020-26914 |
77 |
|
|
2020-10-09 |
2020-10-16 |
5.2 |
None |
Local Network |
Low |
??? |
Partial |
Partial |
Partial |
|
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D6200 before 1.1.00.38, D7000 before 1.0.1.78, JR6150 before 1.0.1.24, R6020 before 1.0.0.42, R6050 before 1.0.1.24, R6080 before 1.0.0.42, R6120 before 1.0.0.66, R6220 before 1.1.0.100, R6260 before 1.1.0.64, R6700v2 before 1.2.0.62, R6800 before 1.2.0.62, R6900v2 before 1.2.0.62, R7450 before 1.2.0.62, and WNR2020 before 1.1.0.62. |
|
122 |
CVE-2020-26913 |
787 |
|
Overflow |
2020-10-09 |
2020-10-16 |
5.2 |
None |
Local Network |
Low |
??? |
Partial |
Partial |
Partial |
|
Certain NETGEAR devices are affected by a stack-based buffer overflow by an authenticated user. This affects D6100 before 1.0.0.63, R7800 before 1.0.2.60, R8900 before 1.0.4.26, R9000 before 1.0.4.26, RBK20 before 2.3.0.28, RBR20 before 2.3.0.28, RBS20 before 2.3.0.28, RBK50 before 2.3.0.32, RBR50 before 2.3.0.32, RBS50 before 2.3.0.32, RBK40 before 2.3.0.28, RBR40 before 2.3.0.28, RBS40 before 2.3.0.28, SRK60 before 2.2.2.20, SRR60 before 2.2.2.20, SRS60 before 2.2.2.20, WN3000RPv2 before 1.0.0.78, WNDR4300v2 before 1.0.0.58, WNDR4500v3 before 1.0.0.58, WNR2000v5 before 1.0.0.70, XR450 before 2.3.2.40, and XR500 before 2.3.2.40. |
|
123 |
CVE-2020-26912 |
352 |
|
CSRF |
2020-10-09 |
2020-10-16 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Certain NETGEAR devices are affected by CSRF. This affects D6200 before 1.1.00.38, D7000 before 1.0.1.78, JR6150 before 1.0.1.24, R6020 before 1.0.0.42, R6050 before 1.0.1.24, R6080 before 1.0.0.42, R6120 before 1.0.0.66, R6220 before 1.1.0.100, R6260 before 1.1.0.64, R6700v2 before 1.2.0.62, R6800 before 1.2.0.62, R6900v2 before 1.2.0.62, R7450 before 1.2.0.62, and WNR2020 before 1.1.0.62. |
|
124 |
CVE-2020-26911 |
|
|
|
2020-10-09 |
2020-10-16 |
5.8 |
None |
Local Network |
Low |
Not required |
Partial |
Partial |
Partial |
|
Certain NETGEAR devices are affected by lack of access control at the function level. This affects D6200 before 1.1.00.38, D7000 before 1.0.1.78, JR6150 before 1.0.1.24, R6020 before 1.0.0.42, R6050 before 1.0.1.24, R6080 before 1.0.0.42, R6120 before 1.0.0.66, R6220 before 1.1.0.100, R6260 before 1.1.0.64, R6700v2 before 1.2.0.62, R6800 before 1.2.0.62, R6900v2 before 1.2.0.62, R7450 before 1.2.0.62, and WNR2020 before 1.1.0.62. |
|
125 |
CVE-2020-26910 |
77 |
|
|
2020-10-09 |
2020-10-16 |
5.2 |
None |
Local Network |
Low |
??? |
Partial |
Partial |
Partial |
|
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects CBR40 before 2.5.0.10, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.15.25, RBR850 before 3.2.15.25, and RBS850 before 3.2.15.25. |
|
126 |
CVE-2020-26909 |
77 |
|
|
2020-10-09 |
2020-10-16 |
8.3 |
None |
Local Network |
Low |
Not required |
Complete |
Complete |
Complete |
|
Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects D7800 before 1.0.1.58 and R7500v2 before 1.0.3.48. |
|
127 |
CVE-2020-26908 |
|
|
Bypass |
2020-10-09 |
2020-10-16 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Certain NETGEAR devices are affected by authentication bypass. This affects D6200 before 1.1.00.36, D7000 before 1.0.1.74, PR2000 before 1.0.0.30, R6020 before 1.0.0.42, R6050 before 1.0.1.22, JR6150 before 1.0.1.22, R6080 before 1.0.0.42, R6120 before 1.0.0.66, R6220 before 1.1.0.100, R6230 before 1.1.0.100, R6260 before 1.1.0.64, R6700v2 before 1.2.0.62, R6800 before 1.2.0.62, R69002 before 1.2.0.62, and WNR2020 before 1.1.0.62. |
|
128 |
CVE-2020-26907 |
77 |
|
|
2020-10-09 |
2020-10-16 |
7.7 |
None |
Local Network |
Low |
??? |
Complete |
Complete |
Complete |
|
Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects RBK852 before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 3.2.16.6. |
|
129 |
CVE-2020-26906 |
522 |
|
|
2020-10-09 |
2021-07-21 |
8.3 |
None |
Local Network |
Low |
Not required |
Complete |
Complete |
Complete |
|
Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects CBR40 before 2.5.0.10, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.10.11, RBR850 before 3.2.10.11, and RBS850 before 3.2.10.11. |
|
130 |
CVE-2020-26905 |
522 |
|
|
2020-10-09 |
2021-07-21 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects CBR40 before 2.5.0.10, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.10.11, RBR850 before 3.2.10.11, and RBS850 before 3.2.10.11. |
|
131 |
CVE-2020-26904 |
522 |
|
|
2020-10-09 |
2021-07-21 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects CBR40 before 2.5.0.10, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.10.11, RBR850 before 3.2.10.11, and RBS850 before 3.2.10.11. |
|
132 |
CVE-2020-26903 |
522 |
|
|
2020-10-09 |
2021-07-21 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects CBR40 before 2.5.0.10, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.10.11, RBR850 before 3.2.10.11, and RBS850 before 3.2.10.11. |
|
133 |
CVE-2020-26902 |
77 |
|
|
2020-10-09 |
2020-10-16 |
8.3 |
None |
Local Network |
Low |
Not required |
Complete |
Complete |
Complete |
|
Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.15.25, RBR850 before 3.2.15.25, and RBS850 before 3.2.15.25. |
|
134 |
CVE-2020-26901 |
200 |
|
+Info |
2020-10-09 |
2021-07-21 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.15.25, RBR850 before 3.2.15.25, and RBS850 before 3.2.15.25. |
|
135 |
CVE-2020-26900 |
522 |
|
|
2020-10-09 |
2021-07-21 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects CBR40 before 2.5.0.10, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.15.25, RBR850 before 3.2.15.25, and RBS850 before 3.2.15.25. |
|
136 |
CVE-2020-26899 |
200 |
|
+Info |
2020-10-09 |
2021-07-21 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects CBR40 before 2.5.0.10, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.10.11, RBR850 before 3.2.10.11, and RBS850 before 3.2.10.11. |
|
137 |
CVE-2020-26898 |
|
|
|
2020-10-09 |
2020-10-19 |
8.3 |
None |
Local Network |
Low |
Not required |
Complete |
Complete |
Complete |
|
NETGEAR RAX40 devices before 1.0.3.80 are affected by incorrect configuration of security settings. |
|
138 |
CVE-2020-26897 |
522 |
|
|
2020-10-09 |
2021-07-21 |
8.3 |
None |
Local Network |
Low |
Not required |
Complete |
Complete |
Complete |
|
Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects CBR40 before 2.5.0.10, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.10.11, RBR850 before 3.2.10.11, and RBS850 before 3.2.10.11. |
|
139 |
CVE-2020-26896 |
354 |
|
|
2020-10-21 |
2020-11-05 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Prior to 0.11.0-beta, LND (Lightning Network Daemon) had a vulnerability in its invoice database. While claiming on-chain a received HTLC output, it didn't verify that the corresponding outgoing off-chain HTLC was already settled before releasing the preimage. In the case of a hash-and-amount collision with an invoice, the preimage for an expected payment was instead released. A malicious peer could have deliberately intercepted an HTLC intended for the victim node, probed the preimage through a colluding relayed HTLC, and stolen the intercepted HTLC. The impact is a loss of funds in certain situations, and a weakening of the victim's receiver privacy. |
|
140 |
CVE-2020-26895 |
354 |
|
|
2020-10-21 |
2020-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Prior to 0.10.0-beta, LND (Lightning Network Daemon) would have accepted a counterparty high-S signature and broadcast tx-relay invalid local commitment/HTLC transactions. This can be exploited by any peer with an open channel regardless of the victim situation (e.g., routing node, payment-receiver, or payment-sender). The impact is a loss of funds in certain situations. |
|
141 |
CVE-2020-26894 |
269 |
|
+Priv |
2020-10-08 |
2021-07-21 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
LiveCode v9.6.1 on Windows allows local, low-privileged users to gain privileges by creating a malicious "cmd.exe" in the folder of the vulnerable LiveCode application. If the application is using LiveCode's "shell()" function, it will attempt to search for "cmd.exe" in the folder of the current application and run the malicious "cmd.exe". |
|
142 |
CVE-2020-26893 |
345 |
|
|
2020-10-16 |
2020-10-21 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in ClamXAV 3 before 3.1.1. A malicious actor could use a properly signed copy of ClamXAV 2 (running with an injected malicious dylib) to communicate with ClamXAV 3's helper tool and perform privileged operations. This occurs because of inadequate client verification in the helper tool. |
|
143 |
CVE-2020-26891 |
79 |
|
XSS |
2020-10-19 |
2020-10-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS due to unsafe interpolation of the session GET parameter. This allows a remote attacker to execute an XSS attack on the domain Synapse is hosted on, by supplying the victim user with a malicious URL to the /_matrix/client/r0/auth/*/fallback/web or /_matrix/client/unstable/auth/*/fallback/web Synapse endpoints. |
|
144 |
CVE-2020-26887 |
|
|
Bypass |
2020-10-23 |
2020-11-03 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
FRITZ!OS before 7.21 on FRITZ!Box devices allows a bypass of a DNS Rebinding protection mechanism. |
|
145 |
CVE-2020-26880 |
269 |
|
|
2020-10-07 |
2020-11-09 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Sympa through 6.2.57b.2 allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it through the setuid sympa_newaliases-wrapper executable. |
|
146 |
CVE-2020-26879 |
798 |
|
|
2020-10-26 |
2020-11-02 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Ruckus vRioT through 1.5.1.0.21 has an API backdoor that is hardcoded into validate_token.py. An unauthenticated attacker can interact with the service API by using a backdoor value as the Authorization header. |
|
147 |
CVE-2020-26878 |
862 |
|
Exec Code |
2020-10-26 |
2021-07-21 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py. |
|
148 |
CVE-2020-26876 |
863 |
|
Bypass |
2020-10-07 |
2021-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step (for course videos and materials) by using the /wp-json REST API, as exploited in the wild in September 2020. This occurs because show_in_rest is enabled for custom post types (e.g., /wp-json/wp/v2/course and /wp-json/wp/v2/lesson exist). |
|
149 |
CVE-2020-26870 |
79 |
|
XSS |
2020-10-07 |
2022-04-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements. |
|
150 |
CVE-2020-26869 |
|
|
|
2020-10-12 |
2021-10-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ARC Informatique PcVue prior to version 12.0.17 is vulnerable to information exposure, allowing unauthorized users to access session data of legitimate users. This issue also affects third-party systems based on the Web Services Toolkit. |
|
|
