{"vulnerability": "cve-2020-3559", "sightings": [{"uuid": "e871d03a-d547-4cda-90c6-e43b510b3e22", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-35598", "type": "seen", "source": "https://t.me/arpsyndicate/107", "content": "#ExploitObserverAlert\n\nCVE-2009-4623\n\nDESCRIPTION: Exploit Observer has 7 entries related to CVE-2009-4623. Multiple PHP remote file inclusion vulnerabilities in Advanced Comment System 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the ACS_path parameter to (1) index.php and (2) admin.php in advanced_comment_system/. NOTE: this might only be a vulnerability when the administrator has not followed installation instructions in install.php. NOTE: this might be the same as CVE-2020-35598.\n\nFIRST-EPSS: 0.011360000\nNVD-IS: 6.4\nNVD-ES: 10.0", "creation_timestamp": "2023-11-12T02:45:06.000000Z"}, {"uuid": "3239e2c4-d5c7-48bd-bddc-f05d1a75508f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-35593", "type": "seen", "source": "https://t.me/cibsecurity/69878", "content": "\u203c CVE-2020-35593 \u203c\n\nBMC PATROL Agent through 20.08.00 allows local privilege escalation via vectors involving pconfig +RESTART -host.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-09-05T22:16:40.000000Z"}, {"uuid": "f8e341e5-ceba-46c1-a0eb-bd568f769820", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-35597", "type": "seen", "source": "https://t.me/cibsecurity/44667", "content": "\u203c CVE-2020-35597 \u203c\n\nVictor CMS 1.0 is vulnerable to SQL injection via c_id parameter of admin_edit_comment.php, p_id parameter of admin_edit_post.php, u_id parameter of admin_edit_user.php, and edit parameter of admin_update_categories.php.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-06-16T22:20:42.000000Z"}, {"uuid": "3540c489-f4a9-4fdf-804a-6dc9a9a463b4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-35592", "type": "seen", "source": "https://t.me/cibsecurity/23832", "content": "\u203c CVE-2020-35592 \u203c\n\nPi-hole 5.0, 5.1, and 5.1.1 allows XSS via the Options header to the admin/ URI. A remote user is able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Reflected Cross-Site Scripting attack against other users and steal the session cookie.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-18T22:50:25.000000Z"}, {"uuid": "d6630ce6-80b2-4a3b-ab60-5517c76ccd8a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-35594", "type": "seen", "source": "https://t.me/cibsecurity/24541", "content": "\u203c CVE-2020-35594 \u203c\n\nZoho ManageEngine ADManager Plus before 7066 allows XSS.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-03-05T20:47:53.000000Z"}, {"uuid": "3f961c23-2ea2-464c-a284-1af46028d85d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-35591", "type": "seen", "source": "https://t.me/cibsecurity/23831", "content": "\u203c CVE-2020-35591 \u203c\n\nPi-hole 5.0, 5.1, and 5.1.1 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-18T22:50:24.000000Z"}, {"uuid": "59ba1c60-ead1-40c6-9109-6aae43c78054", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-35598", "type": "seen", "source": "https://t.me/pwnwiki_zhchannel/610", "content": "CVE-2020-35598 Advanced Comment System 1.0 \u76ee\u9304\u904d\u6b77\u6f0f\u6d1e\nhttps://www.pwnwiki.org/index.php?title=CVE-2020-35598_Advanced_Comment_System_1.0_%E7%9B%AE%E9%8C%84%E9%81%8D%E6%AD%B7%E6%BC%8F%E6%B4%9E", "creation_timestamp": "2021-06-06T14:10:13.000000Z"}, {"uuid": "1cffe107-2b3d-4849-8091-7e0a0b98fd64", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-35590", "type": "seen", "source": "https://t.me/cibsecurity/21106", "content": "\u203c CVE-2020-35590 \u203c\n\nLimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does not ever reach the maximum allowed retries.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-12-21T12:51:49.000000Z"}]}