Complete comprehensive archive of all 1,949 exploits added to Packet Storm in 2020.
a5d031acba3e32827788d3050c5abd0ff0f32325216b70daf93680ea26afb379
Zoom version 4.6.239.20200613 suffers from a Meeting Connector post-authentication remote root code execution vulnerability via the proxy server functionality. The latest Zoom client has this issue patched per Zoom.
a841b2931fe578788c8622d32483f5ecfa1a1ef799aac55dcc45a85daf624fc2
Openpilot has a default SSH key that can allow attackers remote access if not changed. This script port scans and attempts to log in to Openpilot SSH servers with the default key.
7dc874bafc8e1284b57778d532d5d0599963bfb86f1318f023153827514112f5
qdPM versions 9.1 and below suffer from an executeExport PHP object injection vulnerability.
b112518046e2d985fa9df4e1d428c12274ab5e4bf070ee7383978e0a73695f45
EgavilanMedia My To Do List version 1.0 suffers from a persistent cross site scripting vulnerability.
17fe110ea5fbb0b1a887fad9ab4dee2c3062b2356a74f94bbfd0a48deb6e5f8c
HPE Edgeline Infrastructure Manager suffers from multiple broken authorization flows that allow for administrative function access without authenticating and can allow for arbitrary password changes.
87121a708a5d58e0787d22fbc3bc5c2a8bf7f3c2c03fd87d6efdd1247efe1119
Cassandra Web is vulnerable to directory traversal due to the disabled Rack::Protection module. Apache Cassandra credentials are passed via the CLI so that the server can authenticate to it and provide the web access, so they can also be captured via the arbitrary file read. Version 0.5.0 is affected.
be82376a69ccf9d5d95a794429f042870509dba311154ba5e350b1dd69148aec
SEOPanel version 4.6.0 suffers from multiple cross site scripting vulnerabilities.
e273b4ab14648d8de38ebb0305fab1d8255d78d56a50c4f75e08025f1327a487
CHMSC Elearning System version 1.0 suffers from a remote SQL injection vulnerability.
c338dee624e0a3c1188d6eb7b4dbe8289b2c065fd59b716a7e067cbcb688516b
URVE Software build version 24.03.2020 suffers from an information disclosure vulnerability that leaks passwords.
6199f87d0e51f1396cb792820464ba5845e147f83c62285034cbbc37df02dd05
URVE Software build version 24.03.2020 suffers from a missing authorization vulnerability.
5b50fb6ac4e7f08d9e0044e8d698f81756c260f1010c2d75ae42018e91683f6b
Philips Hue hubs suffer from a denial of service vulnerability via simple SYN floods.
fc85db25adb7477517ef4a218498ebec0f8321832ade36ad5607d01441c1225f
URVE Software build version 24.03.2020 suffers from an authentication bypass that allows for remote code execution.
160a33a05aadafb26e1ae403a476e993a77dcee0164cdffda083878ccc7c5f82
The Apache Struts framework, when forced, performs double evaluation of attribute values assigned to certain tag attributes such as id. It is therefore possible to pass in a value to Struts that will be evaluated again when a tag's attributes are rendered. With a carefully crafted request, this can lead to remote code execution. This vulnerability is application dependent. A server side template must make an affected use of request data to render an HTML tag attribute.
3cfe28296a3b91c815100d9996280537326adc728304ac8036ea7dcb8ca37586
The session identifier used by Arteco Web Client DVR/NVR is of an insufficient length and can be brute forced, allowing a remote attacker to obtain a valid session, bypass authentication, and disclose the live camera stream.
8e36cd6e0e9d8313fa5d69ac8a251f028f0917623224801c73dabef67e8e781f
Adning Advertising plugin version 1.5.5 suffers from a remote shell upload vulnerability.
b8557316f332094f6672bb8c0004bcbd1f143157334bb43bddaa829f3b02d82b
WordPress WP-PostRatings plugin version 1.86 suffers from a cross site scripting vulnerability.
4793c8182487c97db6aa9340ab7faa718760a288daf10bad4294bc1b27209ea1
GitLab version 11.4.7 authenticated remote code execution exploit. Original discovery of this issue attributed to Mohin Paramasivam in December of 2020.
c9c6f0c8706abfa0c67bcf3a71b777f57f857eb79b6d8aa441fb831112e3fa13
CVE-2020-0986, which was exploited in the wild, was not fixed. The vulnerability still exists; only the exploitation method had to change. A low integrity process can send LPC messages to splwow64.exe (Medium integrity) and gain a write-what-where primitive in splwow64’s memory space. The attacker controls the destination, the contents that are copied, and the number of bytes copied through a memcpy call.
2deda0d9cacd17b84943f485aeea236f1b4dc0389dcdbb9cc34a1cf168d4a259
usrsctp suffers from a use-after-free write when handling a malicious COOKIE-ECHO.
f252bba03489bc8f9be449d6b5822e8198fada928b67bb244011cc520b0a698c
Sales and Inventory System for Grocery Store version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.
98c5ae9b0429981b3325616f4e0234af3bd69a9c60236617202b83e68eaf16b5
Online Learning Management System version 1.0 suffers from multiple cross site scripting vulnerabilities.
4bf56aad0d98f96c15bdec5d6080b28d2e6740f6f43c13f099402268a28602b0
Online Learning Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities.
b4f2626eb55cf30dce5e24cada5945ab5668c14d92899b1bd07b9cabfaf6ed24
Class Scheduling System version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.
adbb192a182c5be01024e5377112931a76283874d7ee2370350f93a0aa3d9cd1
Baby Care System version 1.0 suffers from a remote SQL injection vulnerability.
ac259d2e4f434636c58f29410add7476b9d96d6ec914f3704b0d95819170f896