Total
9615 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-14335 | 1 Redhat | 1 Satellite | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
A flaw was found in Red Hat Satellite, which allows a privileged attacker to read OMAPI secrets through the ISC DHCP of Smart-Proxy. This flaw allows an attacker to gain control of DHCP records from the network. The highest threat from this vulnerability is to system availability.
|
|||||
| CVE-2020-14329 | 1 Redhat | 1 Ansible Tower | 2024-11-21 | 2.1 LOW | 3.3 LOW |
|
A data exposure flaw was found in Ansible Tower in versions before 3.7.2, where sensitive data can be exposed from the /api/v2/labels/ endpoint. This flaw allows users from other organizations in the system to retrieve any label from the organization and also disclose organization names. The highest threat from this vulnerability is to confidentiality.
|
|||||
| CVE-2020-14192 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Affected versions of Atlassian Fisheye and Crucible allow remote attackers to view a product's SEN via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics. The affected versions are before version 4.8.4.
|
|||||
| CVE-2020-14183 | 1 Atlassian | 1 Jira | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Affected versions of Jira Server & Data Center allow a remote attacker with limited (non-admin) privileges to view a Jira instance's Support Entitlement Number (SEN) via an Information Disclosure vulnerability in the HTTP Response headers. The affected versions are before version 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before 8.12.1.
|
|||||
| CVE-2020-14181 | 1 Atlassian | 3 Data Center, Jira, Jira Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0.
|
|||||
| CVE-2020-14112 | 1 Mi | 2 Ax6000, Ax6000 Firmware | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Information Leak Vulnerability exists in the Xiaomi Router AX6000. The vulnerability is caused by incorrect routing configuration. Attackers can exploit this vulnerability to download part of the files in Xiaomi Router AX6000.
|
|||||
| CVE-2020-13764 | 1 Rocketgenius | 1 Gravityforms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
common.php in the Gravity Forms plugin before 2.4.9 for WordPress can leak hashed passwords because user_pass is not considered a special case for a $current_user->get($property) call.
|
|||||
| CVE-2020-13702 | 1 The Rolling Proximity Identifier Project | 1 The Rolling Proximity Identifier | 2024-11-21 | 6.4 MEDIUM | 4.3 MEDIUM |
|
The Rolling Proximity Identifier used in the Apple/Google Exposure Notification API beta through 2020-05-29 enables attackers to circumvent Bluetooth Smart Privacy because there is a secondary temporary UID. An attacker with access to Beacon or IoT networks can seamlessly track individual device movement via a Bluetooth LE discovery mechanism.
|
|||||
| CVE-2020-13597 | 1 Projectcalico | 1 Calico | 2024-11-21 | 2.1 LOW | 6.0 MEDIUM |
|
Clusters using Calico (version 3.14.0 and below), Calico Enterprise (version 2.8.2 and below), may be vulnerable to information disclosure if IPv6 is enabled but unused. A compromised pod with sufficient privilege is able to reconfigure the node’s IPv6 interface due to the node accepting route advertisement by default, allowing the attacker to redirect full or partial network traffic from the node to the compromised pod.
|
|||||
| CVE-2020-13523 | 1 Softperfect | 1 Ram Disk | 2024-11-21 | 2.1 LOW | 3.3 LOW |
|
An exploitable information disclosure vulnerability exists in SoftPerfect’s RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can cause the disclosure of sensitive information. An attacker can send a malicious IRP to trigger this vulnerability.
|
|||||
| CVE-2020-13268 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A specially crafted request could be used to confirm the existence of files hosted on object storage services, without disclosing their contents. This vulnerability affects GitLab CE/EE 12.10 and later through 13.0.1
|
|||||
| CVE-2020-13264 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Kubernetes cluster token disclosure in GitLab CE/EE 10.3 and later through 13.0.1 allows other group maintainers to view Kubernetes cluster token
|
|||||
| CVE-2020-13261 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 5.3 MEDIUM |
|
Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later through 13.0.1 allows other administrators to view Amazon EKS credentials via HTML source code
|
|||||
| CVE-2020-13179 | 1 Teradici | 2 Graphics Agent, Pcoip Standard Agent | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
Broker Protocol messages in Teradici PCoIP Standard Agent for Windows and Graphics Agent for Windows prior to 20.04.1 are not cleaned up in server memory, which may allow an attacker to read confidential information from a memory dump via forcing a crashing during the single sign-on procedure.
|
|||||
| CVE-2020-13129 | 1 Heinekingmedia | 1 Stashcat | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
|
An issue was discovered in the stashcat app through 3.9.1 for macOS, Windows, Android, iOS, and possibly other platforms. The GET method is used with client_key and device_id data in the query string, which allows attackers to obtain sensitive information by reading web-server logs.
|
|||||
| CVE-2020-12987 | 2 Amd, Microsoft | 3 Radeon Pro Software, Radeon Software, Windows 10 | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
A heap information leak/kernel pool address disclosure vulnerability in the AMD Graphics Driver for Windows 10 may lead to KASLR bypass.
|
|||||
| CVE-2020-12966 | 1 Amd | 214 Epyc 7001, Epyc 7001 Firmware, Epyc 7002 and 211 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
AMD EPYC™ Processors contain an information disclosure vulnerability in the Secure Encrypted Virtualization with Encrypted State (SEV-ES) and Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP). A local authenticated attacker could potentially exploit this vulnerability leading to leaking guest data by the malicious hypervisor.
|
|||||
| CVE-2020-12802 | 3 Fedoraproject, Libreoffice, Opensuse | 3 Fedora, Libreoffice, Leap | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |
|
LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where remote graphic links loaded from docx documents were omitted from this protection prior to version 6.4.4. This issue affects: The Document Foundation LibreOffice versions prior to 6.4.4.
|
|||||
| CVE-2020-12777 | 1 Combodo | 1 Itop | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
|
|||||
| CVE-2020-12772 | 2 Igniterealtime, Microsoft | 2 Spark, Windows | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in Ignite Realtime Spark 2.8.3 (and the ROAR plugin for it) on Windows. A chat message can include an IMG element with a SRC attribute referencing an external host's IP address. Upon access to this external host, the (NT)LM hashes of the user are sent with the HTTP request. This allows an attacker to collect these hashes, crack them, and potentially compromise the computer. (ROAR can be configured for automatic access. Also, access can occur if the user clicks.)
|
|||||
| CVE-2020-12518 | 1 Phoenixcontact | 7 Axc F 1152, Axc F 2152, Axc F 2152 Starterkit and 4 more | 2024-11-21 | 5.0 MEDIUM | 5.5 MEDIUM |
|
On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS an attacker can use the knowledge gained by reading the insufficiently protected sensitive information to plan further attacks.
|
|||||
| CVE-2020-12496 | 1 Endress | 8 Orsg35, Orsg35 Firmware, Orsg45 and 5 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) and Memograph M (Neutral/Private Label) (RSG45, ORSG45) with Firmware version V2.0.0 and above is prone to exposure of sensitive information to an unauthorized actor. The firmware release has a dynamic token for each request submitted to the server, which makes repeating requests and analysis complex enough. Nevertheless, it's possible and during the analysis it was discovered that it also has an issue with the access-control matr ...
Show More |
|||||
| CVE-2020-12070 | 1 Advanced-woo-search | 1 Advanced Woo Search | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The Advanced Woo Search plugin version through 1.99 for Wordpress suffers from a sensitive information disclosure vulnerability in every ajax search request via the sql field to includes/class-aws-search.php.
|
|||||
| CVE-2020-12027 | 1 Rockwellautomation | 1 Factorytalk View | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
All versions of FactoryTalk View SE disclose the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts. Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs.
|
|||||
| CVE-2020-11922 | 1 Wizconnected | 2 A60 Colors, A60 Colors Firmware | 2024-11-21 | 3.3 LOW | 4.3 MEDIUM |
|
An issue was discovered in WiZ Colors A60 1.14.0. The device sends unnecessary information to the cloud controller server. Although this information is sent encrypted and has low risk in isolation, it decreases the privacy of the end user. The information sent includes the local IP address being used and the SSID of the Wi-Fi network the device is connected to. (Various resources such as wigle.net can be use for mapping of SSIDs to physical locations.)
|
|||||
| CVE-2020-11843 | 1 Netiq | 1 Access Manager | 2024-11-21 | N/A | 6.5 MEDIUM |
|
This allows the information exposure to unauthorized users. This issue affects NetIQ Access Manager using version 4.5 or before
|
|||||
| CVE-2020-11687 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
In JetBrains TeamCity before 2019.2.2, password values were shown in an unmasked format on several pages.
|
|||||
| CVE-2020-11447 | 1 Bell | 2 Home Hub 3000, Home Hub 3000 Firmware | 2024-11-21 | N/A | 4.3 MEDIUM |
|
An issue was discovered on Bell HomeHub 3000 SG48222070 devices. Remote authenticated users can retrieve the serial number via cgi/json-req - this is an information leak because the serial number is intended to prove an actor's physical access to the device.
|
|||||
| CVE-2020-11281 | 1 Qualcomm | 694 Aqt1000, Aqt1000 Firmware, Ar8031 and 691 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Allowing RTT frames to be linked with non randomized MAC address by comparing the sequence numbers can lead to information disclosure. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking
|
|||||
| CVE-2020-11221 | 1 Qualcomm | 802 Apq8009, Apq8009 Firmware, Apq8009w and 799 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
Usage of syscall by non-secure entity can allow extraction of secure QTEE diagnostic information in clear text form due to insufficient checks in the syscall handler and leads to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking
|
|||||
| CVE-2020-11199 | 1 Qualcomm | 802 Apq8009, Apq8009 Firmware, Apq8009w and 799 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
HLOS to access EL3 stack canary by just mapping imem region due to Improper access control and can lead to information exposure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking
|
|||||
| CVE-2020-11059 | 1 Aegir Project | 1 Aegir | 2024-11-21 | 5.0 MEDIUM | 9.6 CRITICAL |
|
In AEgir greater than or equal to 21.7.0 and less than 21.10.1, aegir publish and aegir build may leak secrets from environment variables in the browser bundle published to npm. This has been fixed in 21.10.1.
|
|||||
| CVE-2020-11033 | 2 Fedoraproject, Glpi-project | 2 Fedora, Glpi | 2024-11-21 | 6.0 MEDIUM | 6.6 MEDIUM |
|
In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non accessible to the current user. - All personal_tokens can display another users planning. Exploiting this vulnerability requires the api to be enabled, a technician account. It can be mitigated by adding a ...
Show More |
|||||
| CVE-2020-11024 | 1 Moonlight-stream | 1 Moonlight | 2024-11-21 | 4.9 MEDIUM | 6.1 MEDIUM |
|
In Moonlight iOS/tvOS before 4.0.1, the pairing process is vulnerable to a man-in-the-middle attack. The bug has been fixed in Moonlight v4.0.1 for iOS and tvOS.
|
|||||
| CVE-2020-11021 | 1 Http-client Project | 1 Http-client | 2024-11-21 | 5.0 MEDIUM | 6.3 MEDIUM |
|
Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to incorrect domain in certain redirect scenarios. The conditions in which this happens are if consumers of the http-client: 1. make an http request with an authorization header 2. that request leads to a redirect (302) and 3. the redirect url redirects to another domain or hostname Then the authorization header will get passed to the other domain. The problem is fixed in version 1.0.8.
|
|||||
| CVE-2020-11013 | 1 Helm | 1 Helm | 2024-11-21 | 4.0 MEDIUM | 8.5 HIGH |
|
Their is an information disclosure vulnerability in Helm from version 3.1.0 and before version 3.2.0. `lookup` is a Helm template function introduced in Helm v3. It is able to lookup resources in the cluster to check for the existence of specific resources and get details about them. This can be used as part of the process to render templates. The documented behavior of `helm template` states that it does not attach to a remote cluster. However, a the recently added `lookup` template function ci ...
Show More |
|||||
| CVE-2020-11009 | 1 Pagerduty | 1 Rundeck | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and logs and Job details that they are not authorized to see. Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk, or a very low risk. If access is tightly restricted and all users on the system have access to all projects, this is not really much of an issue. If access is wider and allows login for users that do not have acc ...
Show More |
|||||
| CVE-2020-10997 | 1 Percona | 1 Xtrabackup | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Percona XtraBackup before 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table.
|
|||||
| CVE-2020-10976 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
GitLab EE/CE 8.17 to 12.9 is vulnerable to information leakage when querying a merge request widget.
|
|||||
| CVE-2020-10945 | 1 Centreon | 2 Centreon, Widget-host-monitoring | 2024-11-21 | 3.3 LOW | 4.3 MEDIUM |
|
Centreon before 19.10.7 exposes Session IDs in server responses.
|
|||||