The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity)
  • CVE-2020-29156 - The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.
    Published: December 27, 2020; 2:15:11 PM -0500

    V3.1: 5.3 MEDIUM
    V2.0: 5.0 MEDIUM

  • CVE-2020-35359 - Pure-FTPd 1.0.48 allows remote attackers to prevent legitimate server use by making enough connections to exceed the connection limit.
    Published: December 26, 2020; 12:15:11 AM -0500

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM

  • CVE-2020-35736 - GateOne 1.1 allows arbitrary file download without authentication via /downloads/.. directory traversal because os.path.join is misused.
    Published: December 27, 2020; 3:15:12 PM -0500

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM

  • CVE-2020-35242 - Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::updateUserTeamInfoInDbAndMemory.
    Published: December 26, 2020; 3:15:13 PM -0500

    V3.1: 9.8 CRITICAL
    V2.0: 7.5 HIGH

  • CVE-2020-35243 - Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::updateUserInfoInDb.
    Published: December 26, 2020; 3:15:13 PM -0500

    V3.1: 9.8 CRITICAL
    V2.0: 7.5 HIGH

  • CVE-2020-35244 - Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::addGroup.
    Published: December 26, 2020; 3:15:13 PM -0500

    V3.1: 9.8 CRITICAL
    V2.0: 7.5 HIGH

  • CVE-2020-35245 - Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::addUser.
    Published: December 26, 2020; 3:15:13 PM -0500

    V3.1: 9.8 CRITICAL
    V2.0: 7.5 HIGH

  • CVE-2020-28759 - ** DISPUTED ** The serializer module in OAID Tengine lite-v1.0 has a Buffer Overflow and crash. NOTE: another person has stated "I don't think there is a proof of overflow so far."
    Published: December 26, 2020; 3:15:12 PM -0500

    V3.1: 5.5 MEDIUM
    V2.0: 4.3 MEDIUM

  • CVE-2020-35575 - A password-disclosure issue in the web interface on certain TP-Link devices allows a remote attacker to get full administrative access to the web panel. This affects WA901ND devices before 3.16.9(201211) beta, and Archer C5, Archer C7, MR3420, MR6...
    Published: December 25, 2020; 9:15:12 PM -0500

    V3.1: 9.8 CRITICAL
    V2.0: 7.5 HIGH

  • CVE-2020-35729 - KLog Server 2.4.1 allows OS command injection via shell metacharacters in the actions/authenticate.php user parameter.
    Published: December 27, 2020; 12:15:11 AM -0500

    V3.1: 9.8 CRITICAL
    V2.0: 10.0 HIGH

  • CVE-2020-35680 - smtpd/lka_filter.c in OpenSMTPD before 6.8.0p1, in certain configurations, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted pattern of client activity, because the filter state machine ...
    Published: December 24, 2020; 11:15:15 AM -0500

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM

  • CVE-2020-35450 - Gobby 0.4.11 allows a NULL pointer dereference in the D-Bus handler for certain set_language calls.
    Published: December 26, 2020; 12:15:11 AM -0500

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM

  • CVE-2020-29204 - XXL-JOB 2.2.0 allows Stored XSS (in Add User) to bypass the 20-character limit via xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java.
    Published: December 27, 2020; 1:15:12 AM -0500

    V3.1: 6.1 MEDIUM
    V2.0: 4.3 MEDIUM

  • CVE-2020-35376 - Xpdf 4.02 allows stack consumption because of an incorrect subroutine reference in a Type 1C font charstring, related to the FoFiType1C::getOp() function.
    Published: December 25, 2020; 11:15:12 PM -0500

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM

  • CVE-2020-35437 - Subrion CMS 4.2.1 is affected by: Cross Site Scripting (XSS) through the avatar[path] parameter in a POST request to the /_core/profile/ URI.
    Published: December 25, 2020; 11:15:12 PM -0500

    V3.1: 6.1 MEDIUM
    V2.0: 4.3 MEDIUM

  • CVE-2020-35388 - rainrocka xinhu 2.1.9 allows remote attackers to obtain sensitive information via an index.php?a=gettotal request in which the ajaxbool value is manipulated to be true.
    Published: December 25, 2020; 10:15:14 PM -0500

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM

  • CVE-2020-35349 - Savsoft Quiz 5 is affected by: Cross Site Scripting (XSS) via field_title (aka a title on the custom fields page).
    Published: December 25, 2020; 11:15:12 PM -0500

    V3.1: 4.8 MEDIUM
    V2.0: 3.5 LOW

  • CVE-2020-29249 - CXUUCMS V3 allows class="layui-input" XSS.
    Published: December 27, 2020; 2:15:12 AM -0500

    V3.1: 6.1 MEDIUM
    V2.0: 4.3 MEDIUM

  • CVE-2020-29250 - CXUUCMS V3 allows XSS via the first and third input fields to /public/admin.php.
    Published: December 27, 2020; 2:15:12 AM -0500

    V3.1: 6.1 MEDIUM
    V2.0: 4.3 MEDIUM

  • CVE-2020-29158 - An issue was discovered in Zammad before 3.5.1. An Agent with Customer permissions in a Group can bypass intended access control on internal Articles via the Ticket detail view.
    Published: December 28, 2020; 3:15:11 AM -0500

    V3.1: 4.3 MEDIUM
    V2.0: 4.0 MEDIUM
