Security Vulnerabilities - CVEs Published In 2020
Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters to the goform/setSysAdm page.
CVSS Score: 9.8 | EPSS Score: 0.918 | Published: 2020-12-26

Belkin LINKSYS RE6500 devices before 1.0.11.001 allow remote authenticated users to execute arbitrary commands via goform/systemCommand?command= in conjunction with the goform/pingstart program.
CVSS Score: 8.8 | EPSS Score: 0.038 | Published: 2020-12-26

Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote authenticated users to execute arbitrary commands via shell metacharacters in a filename to the upload_settings.cgi page.
CVSS Score: 8.8 | EPSS Score: 0.047 | Published: 2020-12-26

Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to cause a persistent denial of service (segmentation fault) via a long /goform/langSwitch langSelectionOnly parameter.
CVSS Score: 7.5 | EPSS Score: 0.014 | Published: 2020-12-26

Esri ArcGIS Server before 10.8 is vulnerable to SSRF in some configurations.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2020-12-26

An issue has been discovered in the arc-swap crate before 0.4.8 (and 1.x before 1.1.0) for Rust. Use of arc_swap::access::Map with the Constant test helper (or with a user-supplied implementation of the Access trait) could sometimes lead to dangling references being returned by the map.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2020-12-25

bloofoxCMS 0.5.2.1 allows admins to upload arbitrary .php files (with "Content-Type: application/octet-stream") to ../media/images/ via the admin/index.php?mode=tools&page=upload URI, aka directory traversal.
CVSS Score: 4.9 | EPSS Score: 0.008 | Published: 2020-12-25

Parallels Remote Application Server (RAS) 18 allows remote attackers to discover an intranet IP address because submission of the login form (even with blank credentials) provides this address to the attacker's client for use as a "host" value. In other words, after an attacker's web browser sent a request to the login form, it would automatically send a second request to a RASHTML5Gateway/socket.io URI with something like "host":"192.168.###.###" in the POST data.
CVSS Score: 5.3 | EPSS Score: 0.005 | Published: 2020-12-25

Daybyday 2.1.0 allows stored XSS via the Company Name parameter to the New Client screen.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2020-12-25

phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page.
CVSS Score: 7.2 | EPSS Score: 0.003 | Published: 2020-12-25
Shodan ® - All rights reserved