| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. |
| 101 | CVE-2020-8990 | 384 | | | 2020-02-20 | 2020-02-24 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None |
Western Digital My Cloud Home before 3.6.0 and ibi before 3.6.0 allow Session Fixation. |
| 102 | CVE-2020-8989 | 203 | | | 2020-02-13 | 2020-02-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
In the Voatz application 2020-01-01 for Android, the amount of data transmitted during a single voter's vote depends on the different lengths of the metadata across the available voting choices, which makes it easier for remote attackers to discover this voter's choice by sniffing the network. For example, a small amount of sniffed data may indicate that a vote was cast for the candidate with the least metadata. An active man-in-the-middle attacker can leverage this behavior to disrupt voters' abilities to vote for a candidate opposed by the attacker. |
| 103 | CVE-2020-8988 | 522 | | | 2020-02-13 | 2021-07-21 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
The Voatz application 2020-01-01 for Android allows only 100 million different PINs, which makes it easier for attackers (after using root access to make a copy of the local database) to discover login credentials and voting history via an offline brute-force approach. |
| 104 | CVE-2020-8981 | 79 | | Exec Code XSS | 2020-02-13 | 2020-02-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
A cross-site scripting (XSS) vulnerability was discovered in the Source Integration plugin before 1.6.2 and 2.x before 2.3.1 for MantisBT. The repo_delete.php Delete Repository page allows execution of arbitrary code via a repo name (if CSP settings permit it). This is related to CVE-2018-16362. |
| 105 | CVE-2020-8964 | 798 | | Bypass | 2020-02-13 | 2020-02-25 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete |
TimeTools SC7105 1.0.007, SC9205 1.0.007, SC9705 1.0.007, SR7110 1.0.007, SR9210 1.0.007, SR9750 1.0.007, SR9850 1.0.007, T100 1.0.003, T300 1.0.003, and T550 1.0.003 devices allow remote attackers to bypass authentication by placing t3axs=TiMEtOOlsj7G3xMm52wB in a t3.cgi request, aka a "hardcoded cookie." |
| 106 | CVE-2020-8963 | 78 | | Exec Code | 2020-02-13 | 2020-02-25 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete |
TimeTools SC7105 1.0.007, SC9205 1.0.007, SC9705 1.0.007, SR7110 1.0.007, SR9210 1.0.007, SR9750 1.0.007, SR9850 1.0.007, T100 1.0.003, T300 1.0.003, and T550 1.0.003 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the t3.cgi srmodel or srtime parameter. |
| 107 | CVE-2020-8962 | 787 | | Overflow | 2020-02-13 | 2020-02-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
A stack-based buffer overflow was found on the D-Link DIR-842 REVC with firmware v3.13B09 HOTFIX due to the use of strcpy for LOGINPASSWORD when handling a POST request to the /MTFWU endpoint. |
| 108 | CVE-2020-8960 | 79 | | XSS | 2020-02-20 | 2022-01-01 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Western Digital mycloud.com before Web Version 2.2.0-134 allows XSS. |
| 109 | CVE-2020-8959 | 427 | | | 2020-02-19 | 2020-02-27 | 4.4 | None | Local | Medium | Not required | Partial | Partial | Partial |
Western Digital WesternDigitalSSDDashboardSetup.exe before 3.0.2.0 allows DLL Hijacking. |
| 110 | CVE-2020-8955 | 120 | | DoS Overflow | 2020-02-12 | 2022-04-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
irc_mode_channel_update in plugins/irc/irc-mode.c in WeeChat through 2.7 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a malformed IRC message 324 (channel mode). |
| 111 | CVE-2020-8953 | 287 | | Bypass | 2020-02-13 | 2020-02-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
OpenVPN Access Server 2.8.x before 2.8.1 allows LDAP authentication bypass (except when a user is enrolled in two-factor authentication). |
| 112 | CVE-2020-8952 | 79 | | XSS | 2020-02-26 | 2022-01-01 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Fiserv Accurate Reconciliation 2.19.0, fixed in 3.0.0 or higher, allows XSS via the logout.jsp timeOut parameter. |
| 113 | CVE-2020-8951 | 79 | | XSS | 2020-02-26 | 2021-12-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
Fiserv Accurate Reconciliation 2.19.0, fixed in 3.0.0 or higher, allows XSS via the Source or Destination field of the Configuration Manager (Configuration Parameter Translation) page. |
| 114 | CVE-2020-8950 | 59 | | | 2020-02-12 | 2020-02-19 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete |
The AUEPLauncher service in Radeon AMD User Experience Program Launcher through 1.0.0.1 on Windows allows elevation of privilege by placing a crafted file in %PROGRAMDATA%\AMD\PPC\upload and then creating a symbolic link in %PROGRAMDATA%\AMD\PPC\temp that points to an arbitrary folder with an arbitrary file name. |
| 115 | CVE-2020-8949 | 78 | | Exec Code | 2020-02-12 | 2020-02-25 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete |
Gocloud S2A_WL 4.2.7.16471, S2A 4.2.7.17278, S2A 4.3.0.15815, S2A 4.3.0.17193, S3A K2P MTK 4.2.7.16528, S3A 4.3.0.16572, and ISP3000 4.3.0.17190 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in a ping operation, as demonstrated by the cgi-bin/webui/admin/tools/app_ping/diag_ping/; substring. |
| 116 | CVE-2020-8947 | 78 | | Exec Code | 2020-02-12 | 2020-02-14 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete |
functions_netflow.php in Artica Pandora FMS 7.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the index.php?operation/netflow/nf_live_view ip_dst, dst_port, or src_port parameter, a different vulnerability than CVE-2019-20224. |
| 117 | CVE-2020-8946 | 78 | | Exec Code | 2020-02-12 | 2020-02-21 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete |
Netis WF2471 v1.2.30142 devices allow an authenticated attacker to execute arbitrary OS commands via shell metacharacters in the /cgi-bin-igd/sys_log_clean.cgi log_3g_type parameter. |
| 118 | CVE-2020-8945 | 416 | | Exec Code | 2020-02-12 | 2020-07-24 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial |
The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification. |
| 119 | CVE-2020-8894 | | | | 2020-02-12 | 2020-02-14 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None |
An issue was discovered in MISP before 2.4.121. ACLs for discussion threads were mishandled in app/Controller/ThreadsController.php and app/Model/Thread.php. |
| 120 | CVE-2020-8893 | | | | 2020-02-12 | 2020-02-14 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galaxies/view.ctp. |
| 121 | CVE-2020-8892 | | | | 2020-02-12 | 2020-02-14 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series of invalid requests. |
| 122 | CVE-2020-8891 | | | | 2020-02-12 | 2020-02-14 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
An issue was discovered in MISP before 2.4.121. It did not canonicalize usernames when trying to block a brute-force series of invalid requests. |
| 123 | CVE-2020-8890 | 367 | | | 2020-02-12 | 2020-02-14 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
An issue was discovered in MISP before 2.4.121. It mishandled time skew (between the machine hosting the web server and the machine hosting the database) when trying to block a brute-force series of invalid requests. |
| 124 | CVE-2020-8862 | 287 | | Exec Code Bypass | 2020-02-22 | 2020-02-28 | 8.3 | None | Local Network | Low | Not required | Complete | Complete | Complete |
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the lack of proper password checking. An attacker can leverage this vulnerability to execute arbitrary code in the context of root. Was ZDI-CAN-10082. |
| 125 | CVE-2020-8861 | 287 | | Exec Code Bypass | 2020-02-22 | 2020-02-28 | 8.3 | None | Local Network | Low | Not required | Complete | Complete | Complete |
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue results from the lack of proper handling of cookies. An attacker can leverage this vulnerability to execute arbitrary code on the router. Was ZDI-CAN-9554. |
| 126 | CVE-2020-8860 | 787 | | Exec Code | 2020-02-22 | 2020-03-05 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. The specific flaw exists within the Call Control Setup messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the baseband processor. Was ZDI-CAN-9658. |
| 127 | CVE-2020-8858 | 78 | | Exec Code | 2020-02-14 | 2020-02-19 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Moxa MGate 5105-MB-EIP firmware version 4.1. Authentication is required to exploit this vulnerability. The specific flaw exists within the DestIP parameter within MainPing.asp. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9552. |
| 128 | CVE-2020-8857 | 416 | | Exec Code | 2020-02-14 | 2020-02-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of form Annotation objects within AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9862. |
| 129 | CVE-2020-8856 | 416 | | Exec Code | 2020-02-14 | 2020-02-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.6.0.25608. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of watermarks. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9640. |
| 130 | CVE-2020-8855 | 416 | | Exec Code | 2020-02-14 | 2020-02-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.7.0.2947. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the fxhtml2pdf.exe module. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9560. |
| 131 | CVE-2020-8854 | 787 | | Exec Code | 2020-02-14 | 2020-02-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.7.0.29478. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of JPEG files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9606. |
| 132 | CVE-2020-8853 | 787 | | Exec Code | 2020-02-14 | 2020-02-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.7.0.29478. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of HTML files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9591. |
| 133 | CVE-2020-8852 | 125 | | Exec Code | 2020-02-14 | 2020-02-18 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPEG2000 files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-9416. |
| 134 | CVE-2020-8851 | 787 | | Exec Code | 2020-02-14 | 2020-02-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPG2000 images. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9406. |
| 135 | CVE-2020-8850 | 787 | | Exec Code | 2020-02-14 | 2020-02-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPEG2000 files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9415. |
| 136 | CVE-2020-8849 | 787 | | Exec Code | 2020-02-14 | 2020-02-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPEG2000 files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9413. |
| 137 | CVE-2020-8848 | 787 | | Exec Code | 2020-02-14 | 2020-02-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPG2000 images. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9407. |
| 138 | CVE-2020-8847 | 787 | | Exec Code | 2020-02-14 | 2020-02-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.7.0.29455. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of JPEG2000 files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9414. |
| 139 | CVE-2020-8846 | 416 | | Exec Code | 2020-02-14 | 2020-02-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.6.0.25114. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of text field objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9400. |
| 140 | CVE-2020-8845 | 416 | | Exec Code | 2020-02-14 | 2020-02-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.6.0.25114. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of watermarks in AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9358. |
| 141 | CVE-2020-8844 | 190 | | Exec Code Overflow | 2020-02-14 | 2020-02-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.6.0.25114. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JPEG files within CovertToPDF. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9102. |
| 142 | CVE-2020-8843 | 20 | | Bypass | 2020-02-14 | 2020-02-19 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
An issue was discovered in Istio 1.3 through 1.3.6. Under certain circumstances, it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts the x-istio-attributes header at ingress that can be used to affect policy decisions when Mixer policy selectively applies to a source equal to ingress. To exploit this vulnerability, someone has to encode a source.uid in this header. This feature is disabled by default in Istio 1.3 and 1.4. |
| 143 | CVE-2020-8841 | 89 | | Sql | 2020-02-10 | 2020-02-12 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial |
An issue was discovered in TestLink 1.9.19. The relation_type parameter of the lib/requirements/reqSearch.php endpoint is vulnerable to authenticated SQL Injection. |
| 144 | CVE-2020-8840 | 502 | | | 2020-02-10 | 2021-02-22 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. |
| 145 | CVE-2020-8839 | 79 | | XSS | 2020-02-12 | 2020-02-18 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Stored XSS was discovered on CHIYU BF-430 232/485 TCP/IP Converter devices before 1.16.00, as demonstrated by the /if.cgi TF_submask field. |
| 146 | CVE-2020-8825 | 79 | | XSS | 2020-02-10 | 2021-12-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows stored XSS. |
| 147 | CVE-2020-8824 | 79 | | XSS | 2020-02-19 | 2020-02-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
Hitron CODA-4582U 7.1.1.30 devices allow XSS via a Managed Device name on the Wireless > Access Control > Add Managed Device screen. |
| 148 | CVE-2020-8823 | 79 | | XSS | 2020-02-10 | 2021-01-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
htmlfile in lib/transport/htmlfile.js in SockJS before 0.3.0 is vulnerable to Reflected XSS via the /htmlfile c (aka callback) parameter. |
| 149 | CVE-2020-8822 | 79 | | XSS | 2020-02-10 | 2020-02-11 | 3.5 | None | Remote | Medium | ??? | None | Partial | None |
Digi TransPort WR21 5.2.2.3, WR44 5.1.6.4, and WR44v2 5.1.6.9 devices allow stored XSS in the web application. |
| 150 | CVE-2020-8819 | 346 | | Bypass | 2020-02-25 | 2020-03-04 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None |
An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments. |