LiveActive security incident?Get immediate response
CVE archive

January 2020

Browse CVE records published in January 2020, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 1592 matching CVEs · Page 1 of 32.

Unknown · CVSS Not scored

CVE-2020-28707: The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) v...

The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) via stockdio_chart_historical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage() event is not validated. The stockdio_eventer function listens for any postMessage event. After a message event is sent to the application, this function sets the "e" variable as the event and checks that the types of the data and data.method are not undefined (empty) before proceeding to eval the data.method received from the postMessage. However, on a different website. JavaScript code can call window.open for the vulnerable WordPress instance and do a postMessage(msg,'*') for that object.

Published Jan 19, 2021 · Updated Jul 9, 2026

Unknown · CVSS Not scored

CVE-2020-20950: Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA in Microchip Libraries for Applications 2018-11-26...

Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA in Microchip Libraries for Applications 2018-11-26 All up to 2018-11-26. The vulnerability can allow one to use Bleichenbacher's oracle attack to decrypt an encrypted ciphertext by making successive queries to the server using the vulnerable library, resulting in remote information disclosure.

Published Jan 19, 2021 · Updated Jul 9, 2026

Unknown · CVSS Not scored

CVE-2020-20949: Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA in STM32 cryptographic firmware library software ex...

Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA in STM32 cryptographic firmware library software expansion for STM32Cube (UM1924). The vulnerability can allow one to use Bleichenbacher's oracle attack to decrypt an encrypted ciphertext by making successive queries to the server using the vulnerable library, resulting in remote information disclosure.

Published Jan 20, 2021 · Updated Jul 9, 2026

Medium · CVSS 6.3

CVE-2020-8554: Kubernetes man in the middle using LoadBalancer or ExternalIPs

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

Published Jan 21, 2021 · Updated Jun 1, 2026

Medium · CVSS 6.1

CVE-2020-36919: WPForms 1.7.8 - Cross-Site Scripting (XSS)

WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in victim's browser.

Published Jan 13, 2026 · Updated May 24, 2026

Medium · CVSS 6.4

CVE-2020-37014: Tryton 5.4 - Persistent Cross-Site Scripting

Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which execute in the frontend and backend user interfaces.

Published Jan 30, 2026 · Updated May 14, 2026

Medium · CVSS 6.4

CVE-2020-37003: Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting

Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. Attackers can exploit multiple address input fields like full name, company, and address to execute persistent script code that can hijack user sessions and manipulate application modules.

Published Jan 30, 2026 · Updated May 14, 2026

Medium · CVSS 6.4

CVE-2020-36998: forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting

Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in course code, name, description fields, and email parameter to execute arbitrary JavaScript without proper input sanitization.

Published Jan 30, 2026 · Updated May 14, 2026

Medium · CVSS 6.4

CVE-2020-36996: PHPFusion 9.03.50 - Persistent Cross-Site Scripting

PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. Attackers can inject malicious JavaScript through forum messages that will execute when the print page is generated, allowing script execution in victim browsers.

Published Jan 30, 2026 · Updated May 14, 2026

Medium · CVSS 5.4

CVE-2020-36988: PDW File Browser <= v1.3 - Cross-Site Scripting (XSS)

PDW File Browser version 1.3 contains stored and reflected cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through file rename and path parameters. Attackers can craft malicious URLs or rename files with XSS payloads to execute arbitrary JavaScript in victims' browsers when they access the file browser.

Published Jan 28, 2026 · Updated May 14, 2026

Medium · CVSS 6.4

CVE-2020-36960: Forma LMS 2.3 - 'First & Last Name' Stored Cross-Site Scripting

Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '<script>alert(document.cookie)</script>' to execute arbitrary JavaScript when the profile is viewed by other users.

Published Jan 26, 2026 · Updated May 14, 2026

High · CVSS 8.5

CVE-2020-36959: IDT PC Audio 1.0.6499.0 - 'STacSV' Unquoted Service Path

IDT PC Audio 1.0.6499.0 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the STacSV service to inject malicious code that would execute with LocalSystem account permissions during service startup.

Published Jan 26, 2026 · Updated May 14, 2026

High · CVSS 8.5

CVE-2020-36958: Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path

Kite 1.2020.1119.0 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Kite\KiteService.exe' to inject malicious executables and escalate privileges on the system.

Published Jan 26, 2026 · Updated May 14, 2026

Medium · CVSS 6.4

CVE-2020-36954: Xeroneit Library Management System 3.1 - "Add Book Category " Stored XSS

Xeroneit Library Management System 3.1 contains a stored cross-site scripting vulnerability in the Book Category feature that allows administrators to inject malicious scripts. Attackers can insert a payload in the Category Name field to execute arbitrary JavaScript code when the page is loaded.

Published Jan 26, 2026 · Updated May 14, 2026

High · CVSS 8.5

CVE-2020-36953: MiniTool ShadowMaker 3.2 - 'MTAgentService' Unquoted Service Path

MiniTool ShadowMaker 3.2 contains an unquoted service path vulnerability in the MTAgentService that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\MiniTool ShadowMaker\AgentService.exe' to inject malicious executables and escalate privileges.

Published Jan 26, 2026 · Updated May 14, 2026

Medium · CVSS 6.1

CVE-2020-36932: Seacms 11.1 - 'checkuser' Stored XSS

SeaCMS 11.1 contains a stored cross-site scripting vulnerability in the checkuser parameter of the admin settings page. Attackers can inject malicious JavaScript payloads that will execute in users' browsers when the page is loaded.

Published Jan 25, 2026 · Updated May 14, 2026

Critical · CVSS 9.8

CVE-2020-36911: Covenant 0.5 - Remote Code Execution (RCE)

Covenant 0.1.3 - 0.5 contains a remote code execution vulnerability that allows attackers to craft malicious JWT tokens with administrative privileges. Attackers can generate forged tokens with admin roles and upload custom DLL payloads to execute arbitrary commands on the target system.

Published Jan 13, 2026 · Updated May 14, 2026

High · CVSS 7.1

CVE-2020-37005: TimeClock Software 1.01 Authenticated Time-Based SQL Injection

TimeClock Software 1.01 contains an authenticated time-based SQL injection vulnerability that allows attackers to enumerate valid usernames by manipulating the 'notes' parameter. Attackers can inject conditional time delays in the add_entry.php endpoint to determine user existence by measuring response time differences.

Published Jan 29, 2026 · Updated Apr 7, 2026

High · CVSS 8.2

CVE-2020-37004: Ultimate Project Manager CRM PRO 2.0.5 - SQLi Credentials Leakage

Ultimate Project Manager CRM PRO 2.0.5 contains a blind SQL injection vulnerability that allows attackers to extract usernames and password hashes from the tbl_users database table. Attackers can exploit the /frontend/get_article_suggestion/ endpoint by crafting malicious search parameters to progressively guess and retrieve user credentials through boolean-based inference techniques.

Published Jan 29, 2026 · Updated Apr 7, 2026

Critical · CVSS 9.8

CVE-2020-37002: Ajenti 2.1.36 - Remote Code Execution

Ajenti 2.1.36 contains an authentication bypass vulnerability that allows remote attackers to execute arbitrary commands after successful login. Attackers can leverage the /api/terminal/create endpoint to send a netcat reverse shell payload targeting a specified IP and port.

Published Jan 29, 2026 · Updated Apr 7, 2026

High · CVSS 8.5

CVE-2020-36983: Quick 'n Easy FTP Service 3.2 - Unquoted Service Path

Quick 'n Easy FTP Service 3.2 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code during service startup. Attackers can exploit the misconfigured service binary path to inject malicious executables with elevated LocalSystem privileges during system boot or service restart.

Published Jan 27, 2026 · Updated Apr 7, 2026

High · CVSS 8.5

CVE-2020-36975: EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path

EPSON Status Monitor 3 version 8.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can leverage the unquoted path in 'C:\Program Files\Common Files\EPSON\EPW!3SSRP\E_S60RPB.EXE' to inject malicious executables and escalate privileges.

Published Jan 27, 2026 · Updated Apr 7, 2026

Critical · CVSS 9.8

CVE-2020-36967: Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)

Zortam Mp3 Media Studio 27.60 contains a buffer overflow vulnerability in the library creation file selection process that allows remote code execution. Attackers can craft a malicious text file with shellcode to trigger a structured exception handler (SEH) overwrite and execute arbitrary commands on the target system.

Published Jan 28, 2026 · Updated Apr 7, 2026

High · CVSS 8.7

CVE-2020-36963: Intelbras Router RF 301K 1.1.2 - Authentication Bypass

Intelbras Router RF 301K firmware version 1.1.2 contains an authentication bypass vulnerability that allows unauthenticated attackers to download router configuration files. Attackers can send a specific HTTP GET request to /cgi-bin/DownloadCfg/RouterCfm.cfg to retrieve sensitive router configuration without authentication.

Published Jan 28, 2026 · Updated Apr 7, 2026

Medium · CVSS 6.4

CVE-2020-36956: Openfire 4.6.0 - 'path' Stored XSS

Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. Attackers can craft a payload with script tags to execute arbitrary JavaScript in the context of administrative users viewing the nodejs configuration page.

Published Jan 26, 2026 · Updated Apr 7, 2026

High · CVSS 8.5

CVE-2020-36952: IObit Uninstaller 10 Pro - Unquoted Service Path

IObit Uninstaller 10 Pro contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path in the IObit Uninstaller Service to insert malicious code that would execute with SYSTEM-level permissions during service startup.

Published Jan 26, 2026 · Updated Apr 7, 2026

High · CVSS 8.7

CVE-2020-36950: Laravel Nova 3.7.0 - 'range' DoS

Laravel Nova 3.7.0 contains a denial of service vulnerability that allows authenticated users to crash the application by manipulating the 'range' parameter. Attackers can send simultaneous requests with an extremely high range value to overwhelm and crash the server.

Published Jan 27, 2026 · Updated Apr 7, 2026

High · CVSS 8.7

CVE-2020-36946: SyncBreeze 10.0.28 - 'login' Denial of Service

SyncBreeze 10.0.28 contains a denial of service vulnerability in the login endpoint that allows remote attackers to crash the service. Attackers can send an oversized payload in the login request to overwhelm the application and potentially disrupt service availability.

Published Jan 27, 2026 · Updated Apr 7, 2026

High · CVSS 8.7

CVE-2020-36939: Cassandra Web 0.5.0 - Remote File Read

Cassandra Web 0.5.0 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating path traversal parameters. Attackers can exploit the disabled Rack::Protection module to read sensitive system files like /etc/passwd and retrieve Apache Cassandra database credentials.

Published Jan 27, 2026 · Updated Apr 7, 2026

High · CVSS 7.5

CVE-2020-36926: SmarterTools SmarterTrack 7922 -Information Disclosure

SmarterTrack 7922 contains an information disclosure vulnerability in the Chat Management search form that reveals agent identification details. Attackers can access the vulnerable /Management/Chat/frmChatSearch.aspx endpoint to retrieve agents' first and last names along with their unique identifiers.

Published Jan 15, 2026 · Updated Apr 7, 2026

High · CVSS 8.5

CVE-2020-37059: Popcorn Time 6.2 - 'Update service' Unquoted Service Path

Popcorn Time 6.2.1.14 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can insert malicious executables in Program Files (x86) or system root directories to be executed with SYSTEM-level permissions during service startup.

Published Jan 30, 2026 · Updated Mar 5, 2026