CVE-2020-21665
- In fastadmin V1.0.0.20191212_beta, when a user with administrator rights has logged in, a malicious parameter can be passed for SQL injection in URL /admin/ajax/weigh.
Published:
November 17, 2020; 10:15:11 AM -0500
V3.1: 7.2 HIGH
V2.0: 6.5 MEDIUM
CVE-2020-27422
- In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to take over the account.
Published:
November 16, 2020; 11:15:14 AM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2020-13354
- A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 12.6. The container registry name check could cause an exponential number of backtracks for certain user-supplied values, resulting in high CPU usage. Affected versions...
Published:
November 16, 2020; 8:15:13 PM -0500
V3.1: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2020-27191
- LionWiki before 3.2.12 allows an unauthenticated user to read files as the web server user via a crafted string in the index.php f1 variable, aka Local File Inclusion. NOTE: This vulnerability only affects products that are no longer supported by th...
Published:
November 16, 2020; 11:15:14 AM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2020-25400
- Cross-domain policies in the Taskcafe Project Management tool before versions 0.1.0 and 0.1.1 allow remote attackers to access sensitive data such as the access token.
Published:
November 17, 2020; 1:15:12 PM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2020-28247
- The lettre library through 0.10.0-alpha for Rust allows arbitrary sendmail option injection via transport/sendmail/mod.rs.
Published:
November 12, 2020; 1:15:15 PM -0500
V3.1: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2020-26510
- Airleader Master <= 6.21 devices have default credentials that can be used to access the exposed Tomcat Manager for deployment of a new .war file, with resultant remote code execution.
Published:
November 16, 2020; 2:15:13 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 5.0 MEDIUM
CVE-2020-25159
- 499ES EtherNet/IP (ENIP) Adaptor Source Code is vulnerable to a stack-based buffer overflow, which may allow an attacker to send a specially crafted packet that may result in a denial-of-service condition or code execution.
Published:
November 24, 2020; 3:15:11 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2020-28693
- An unrestricted file upload issue in HorizontCMS 1.0.0-beta allows an authenticated remote attacker to upload PHP code through a zip file by uploading a theme, and to execute the PHP file via an HTTP GET request to /themes/<php_file_name>.
Published:
November 16, 2020; 4:15:13 PM -0500
CVE-2020-28692
- In Gila CMS 1.16.0, an attacker can upload a shell to the tmp directory and abuse .htaccess through the logs function to execute PHP files.
Published:
November 16, 2020; 1:15:12 PM -0500
V3.1: 7.2 HIGH
V2.0: 6.5 MEDIUM
CVE-2020-28647
- In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. If a victim within the MOVEit Transfer instance interacts with the stored payload, it could invoke and execute arbitrary code withi...
Published:
November 17, 2020; 9:15:11 AM -0500
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2020-27623
- JetBrains IdeaVim before version 0.58 might have caused an information leak in limited circumstances.
Published:
November 16, 2020; 11:15:15 AM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2020-25746
- QED ResourceXpress Qubi3 devices before 1.40.9 could allow a local attacker (with physical access to the device) to obtain sensitive information via the debug interface (keystrokes over a USB cable), aka wireless password visibility.
Published:
November 17, 2020; 9:15:11 AM -0500
V3.1: 4.6 MEDIUM
V2.0: 2.1 LOW
CVE-2020-4626
- IBM Cloud Pak for Security 1.3.0.1 (CP4S) could reveal sensitive information about the internal network to an authenticated user using a specially crafted HTTP request. IBM X-Force ID: 185362.
Published:
November 30, 2020; 11:15:13 AM -0500
V3.1: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2020-4627
- IBM Cloud Pak for Security 1.3.0.1 (CP4S) is potentially vulnerable to CSV injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of CSV file contents. IBM X-Force ID: 185367.
Published:
November 30, 2020; 11:15:13 AM -0500
V3.1: 9.0 CRITICAL
V2.0: 9.0 HIGH
CVE-2020-4696
- IBM Cloud Pak for Security 1.3.0.1 (CP4S) does not invalidate the session after logout, which could allow an authenticated user to obtain sensitive information from the previous session. IBM X-Force ID: 186789.
Published:
November 30, 2020; 11:15:13 AM -0500
V3.1: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2020-4625
- IBM Cloud Pak for Security 1.3.0.1 (CP4S) could allow a remote attacker to obtain sensitive information, caused by the failure to set the HttpOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the coo...
Published:
November 30, 2020; 11:15:12 AM -0500
V3.1: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2020-26509
- Airleader Master and Easy <= 6.21 devices have default credentials that can be used for a denial of service.
Published:
November 16, 2020; 2:15:13 PM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2020-4624
- IBM Cloud Pak for Security 1.3.0.1 (CP4S) uses weaker-than-expected cryptographic algorithms during negotiation, which could allow an attacker to decrypt sensitive information.
Published:
November 30, 2020; 11:15:12 AM -0500
V3.1: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2020-25640
- A flaw was discovered in WildFly before 21.0.0.Final where the resource adapter logs the plain-text JMS password at warning level on a connection error, inserting sensitive information into the log file.
Published:
November 24, 2020; 2:15:10 PM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM