CVE-2020-1692

Moodle before version 3.7.2 is vulnerable to information exposure of service tokens for users enrolled in the same course.
Source: NIST

CVE-2020-6850

Utilities.php in the miniorange-saml-20-single-sign-on plugin before 4.8.84 for WordPress allows XSS via a crafted SAML XML Response to wp-login.php. This is related to the SAMLResponse and RelayState variables, and the Destination parameter of the samlp:Response XML element.
Source: NIST

CVE-2020-9038

Joplin through 1.0.184 allows Arbitrary File Read via XSS.
Source: NIST

CVE-2013-3738

A File Inclusion vulnerability exists in Zabbix 2.0.6 due to inadequate sanitization of request strings in CGI scripts, which could let a remote malicious user execute arbitrary code.
Source: NIST

CVE-2020-9006

The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on WordPress instances. (This issue has been fixed in the 3.x branch of popup-builder.)
Source: NIST

CVE-2020-8795

In GitLab Enterprise Edition (EE) 12.5.0 through 12.7.5, sharing a group with a group could grant project access to unauthorized users.
Source: NIST

CVE-2020-8427

Kaseya Traverse before 9.5.20 allows OS command injection attacks against user accounts, associated with a Netflow Top Applications reporting API call. This is exploitable by an authenticated attacker who submits a modified JSON field within POST data.
Source: NIST

CVE-2020-8518

Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution.
Source: NIST

CVE-2019-12825

Unauthorized Access to the Container Registry of other groups was discovered in GitLab Enterprise 12.0.0-pre. In other words, authenticated remote attackers can read Docker registries of other groups. When a legitimate user changes the path of a group, Docker registries are not adapted, leaving them in the old namespace. They are not protected and are available to all other users with no previous access to the repo.
Source: NIST

CVE-2020-9005

meshsystem.dll in Valve Dota 2 through 2020-02-17 allows remote attackers to achieve code execution or denial of service by creating a gaming server with a crafted map, and inviting a victim to this server. A GetValue call is mishandled.
Source: NIST