Total
791 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-9048 | 2 Johnsoncontrols, Tyco | 2 Victor Web Client, C-cure Web Client | 2024-11-21 | 7.1 High |
| A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow a remote unauthenticated attacker on the network to delete arbitrary files on the system or render the system unusable by conducting a Denial of Service attack. | ||||
| CVE-2020-8920 | 1 Google | 1 Gerrit | 2024-11-21 | 3.5 Low |
| An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts. | ||||
| CVE-2020-8919 | 1 Google | 1 Gerrit | 2024-11-21 | 3.5 Low |
| An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access. | ||||
| CVE-2020-8595 | 2 Istio, Redhat | 4 Istio, Enterprise Linux, Openshift Service Mesh and 1 more | 2024-11-21 | 7.3 High |
| Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match. | ||||
| CVE-2020-8172 | 3 Nodejs, Oracle, Redhat | 8 Node.js, Banking Extensibility Workbench, Blockchain Platform and 5 more | 2024-11-21 | 7.4 High |
| TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0. | ||||
| CVE-2020-8119 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 4.3 Medium |
| Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app. | ||||
| CVE-2020-7692 | 2 Google, Redhat | 3 Oauth Client Library For Java, Ocp Tools, Openshift | 2024-11-21 | 7.4 High |
| PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0. | ||||
| CVE-2020-7583 | 1 Siemens | 1 Automation License Manager | 2024-11-21 | 7.8 High |
| A vulnerability has been identified in Automation License Manager 5 (All versions), Automation License Manager 6 (All versions < V6.0.8). The application does not properly validate the users' privileges when executing some operations, which could allow a user with low permissions to arbitrary modify files that should be protected against writing. | ||||
| CVE-2020-7530 | 1 Schneider-electric | 1 Scadapack 7x Remote Connect | 2024-11-21 | 8.8 High |
| A CWE-285 Improper Authorization vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which allows improper access to executable code folders. | ||||
| CVE-2020-6311 | 1 Sap | 2 Bank Analyzer, S\/4hana For Financial Products Subledger | 2024-11-21 | 6.5 Medium |
| Banking services from SAP 9.0 (Bank Analyzer), version - 500, and SAP S/4HANA for financial products subledger, version � 100, does not correctly perform necessary authorization checks for an authenticated user due to Improper Authorization checks, that may cause a system administrator to create incorrect authorization proposals. This may result in privilege escalation and may expose restricted banking data. | ||||
| CVE-2020-5362 | 1 Dell | 708 Chengming 3967, Chengming 3967 Firmware, Chengming 3977 and 705 more | 2024-11-21 | 7.1 High |
| Dell Client Consumer and Commercial platforms include an improper authorization vulnerability in the Dell Manageability interface for which an unauthorized actor, with local system access with OS administrator privileges, could bypass the BIOS Administrator authentication to restore BIOS Setup configuration to default values. | ||||
| CVE-2020-5356 | 1 Dell | 3 Powerprotect Data Manager, Powerprotect X400, Powerprotect X400 Firmware | 2024-11-21 | 7.7 High |
| Dell PowerProtect Data Manager (PPDM) versions prior to 19.4 and Dell PowerProtect X400 versions prior to 3.2 contain an improper authorization vulnerability. A remote authenticated malicious user may download any file from the affected PowerProtect virtual machines. | ||||
| CVE-2020-5333 | 1 Rsa | 1 Archer | 2024-11-21 | 4.3 Medium |
| RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an authorization bypass vulnerability in the REST API. A remote authenticated malicious Archer user could potentially exploit this vulnerability to view unauthorized information. | ||||
| CVE-2020-5318 | 1 Dell | 1 Emc Isilon Onefs | 2024-11-21 | 7.5 High |
| Dell EMC Isilon OneFS versions 8.1.2, 8.1.0.4, 8.1.0.3, and 8.0.0.7 contain a vulnerability in some configurations. An attacker may exploit this vulnerability to gain access to restricted files. The non-RAN HTTP and WebDAV file-serving components have a vulnerability wherein when either are enabled, and Basic Authentication is enabled for either or both components, files are accessible without authentication. | ||||
| CVE-2020-5289 | 1 Elide | 1 Elide | 2024-11-21 | 6.8 Medium |
| In Elide before 4.5.14, it is possible for an adversary to "guess and check" the value of a model field they do not have access to assuming they can read at least one other field in the model. The adversary can construct filter expressions for an inaccessible field to filter a collection. The presence or absence of models in the returned collection can be used to reconstruct the value of the inaccessible field. Resolved in Elide 4.5.14 and greater. | ||||
| CVE-2020-5275 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 7.6 High |
| In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7. | ||||
| CVE-2020-5251 | 1 Parseplatform | 1 Parse-server | 2024-11-21 | 7.7 High |
| In parser-server before version 4.1.0, you can fetch all the users objects, by using regex in the NoSQL query. Using the NoSQL, you can use a regex on sessionToken and find valid accounts this way. | ||||
| CVE-2020-5250 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 7.6 High |
| In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus steal someone else's address. It is the same with CustomerForm, you are able to change the id_customer and change all information of all accounts. The problem is patched in version 1.7.6.4. | ||||
| CVE-2020-5240 | 1 Labdigital | 1 Wagtail-2fa | 2024-11-21 | 7.6 High |
| In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users 2FA devices by going to the correct path. The user does not require special permissions in order to do so. By deleting the other users device they can disable the target users 2FA devices and potentially compromise the account if they figure out their password. The problem has been patched in version 1.4.1. | ||||
| CVE-2020-5232 | 1 Ens.domains | 1 Ethereum Name Service | 2024-11-21 | 8.7 High |
| A user who owns an ENS domain can set a trapdoor, allowing them to transfer ownership to another user, and later regain ownership without the new owners consent or awareness. A new ENS deployment is being rolled out that fixes this vulnerability in the ENS registry. | ||||