LiveActive security incident?Get immediate response
CVE archive

2020 CVE Archive

Browse CVE records published in 2020 CVE Archive, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 19384 matching CVEs · Page 1 of 388.

High · CVSS 8.6

CVE-2020-37094: EspoCRM 5.7.0 < 5.9.0 - Two-Factor Authentication Bypass via Auth Token Reuse Between Accounts with Identical Passwords

EspoCRM 5.7.0 prior to 5.9.0 contains an authentication token reuse vulnerability that allows authenticated attackers to bypass two-factor authentication by exploiting token-to-password-hash mapping in application/Espo/Core/Utils/Authentication/Espo.php. Attackers can obtain an authentication token for a controlled account and replay it against any victim account sharing the same password, since tokens are bound to password hashes rather than unique per-user values, bypassing the victim's 2FA protections.

Published Feb 3, 2026 · Updated Jul 10, 2026

Unknown · CVSS Not scored

CVE-2020-29231: EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (...

EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Profile Page. This vulnerability can result in the attacker injecting the XSS payload in Admin Full Name and each time admin visits the Profile page from the admin panel, the XSS triggers.

Published Dec 30, 2020 · Updated Jul 9, 2026

Unknown · CVSS Not scored

CVE-2020-29230: EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (...

EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Panel - Manage User tab using the Full Name of the user. This vulnerability can result in the attacker injecting the XSS payload in the User Registration section and each time admin visits the manage user section from the admin panel, the XSS triggers and the attacker can steal the cookie according to the crafted payload.

Published Dec 30, 2020 · Updated Jul 9, 2026

Unknown · CVSS Not scored

CVE-2020-28856: OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly determine the HTTP request's or...

OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly determine the HTTP request's originating IP address, allowing attackers to spoof it using X-Forwarded-For in the header, by supplying localhost address such as 127.0.0.1, effectively bypassing all IP address based access controls.

Published Dec 14, 2020 · Updated Jul 9, 2026

Unknown · CVSS Not scored

CVE-2020-28707: The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) v...

The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) via stockdio_chart_historical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage() event is not validated. The stockdio_eventer function listens for any postMessage event. After a message event is sent to the application, this function sets the "e" variable as the event and checks that the types of the data and data.method are not undefined (empty) before proceeding to eval the data.method received from the postMessage. However, on a different website. JavaScript code can call window.open for the vulnerable WordPress instance and do a postMessage(msg,'*') for that object.

Published Jan 19, 2021 · Updated Jul 9, 2026

Unknown · CVSS Not scored

CVE-2020-27509: Persistent XSS in Galaxkey Secure Mail Client in Galaxkey up to 5.6.11.5 allows an attacker to perform an a...

Persistent XSS in Galaxkey Secure Mail Client in Galaxkey up to 5.6.11.5 allows an attacker to perform an account takeover by intercepting the HTTP Post request when sending an email and injecting a specially crafted XSS payload in the 'subject' field. The payload executes when the recipient logs into their mailbox.

Published Jun 26, 2022 · Updated Jul 9, 2026

Unknown · CVSS Not scored

CVE-2020-26680: In vFairs 3.3, any user logged in to a vFairs virtual conference or event can modify any other users profil...

In vFairs 3.3, any user logged in to a vFairs virtual conference or event can modify any other users profile information to include a cross-site scripting payload. The user data stored by the database includes HTML tags that are intentionally rendered out onto the page, and this can be abused to perform XSS attacks.

Published May 26, 2021 · Updated Jul 9, 2026

Unknown · CVSS Not scored

CVE-2020-26679: vFairs 3.3 is affected by Insecure Permissions.

vFairs 3.3 is affected by Insecure Permissions. Any user logged in to a vFairs virtual conference or event can modify any other users profile information or profile picture. After receiving any user's unique identification number and their own, an HTTP POST request can be made update their profile description or supply a new profile image. This can lead to potential cross-site scripting attacks on any user, or upload malicious PHP webshells as "profile pictures." The user IDs can be easily determined by other responses from the API for an event or chat room.

Published May 26, 2021 · Updated Jul 9, 2026

Unknown · CVSS Not scored

CVE-2020-26678: vFairs 3.3 is affected by Remote Code Execution.

vFairs 3.3 is affected by Remote Code Execution. Any user logged in to a vFairs virtual conference or event can abuse the functionality to upload a profile picture in order to place a malicious PHP file on the server and gain code execution.

Published May 26, 2021 · Updated Jul 9, 2026