Total
4422 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-24441 | 1 Adobe | 1 Acrobat Reader | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
Adobe Acrobat Reader for Android version 20.6.2 (and earlier) does not properly restrict access to directories created by the application. This could result in disclosure of sensitive information stored in databases used by the application. Exploitation requires a victim to download and run a malicious application.
|
|||||
| CVE-2020-24433 | 3 Adobe, Apple, Microsoft | 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more | 2024-11-21 | 9.3 HIGH | 7.8 HIGH |
|
Adobe Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by a local privilege escalation vulnerability that could enable a user without administrator privileges to delete arbitrary files and potentially execute arbitrary code as SYSTEM. Exploitation of this issue requires an attacker to socially engineer a victim, or the attacker must already have some access to the environment.
|
|||||
| CVE-2020-1754 | 1 Moodle | 1 Moodle | 2024-11-21 | N/A | 4.3 MEDIUM |
|
In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.
|
|||||
| CVE-2020-1732 | 1 Redhat | 4 Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Continuous Delivery, Openshift Application Runtimes and 1 more | 2024-11-21 | 4.9 MEDIUM | 4.2 MEDIUM |
|
A flaw was found in Soteria before 1.0.1, in a way that multiple requests occurring concurrently causing security identity corruption across concurrent threads when using EE Security with WildFly Elytron which can lead to the possibility of being handled using the identity from another request.
|
|||||
| CVE-2020-1666 | 1 Juniper | 1 Junos Os Evolved | 2024-11-21 | 7.2 HIGH | 6.6 MEDIUM |
|
The system console configuration option 'log-out-on-disconnect' In Juniper Networks Junos OS Evolved fails to log out an active CLI session when the console cable is disconnected. This could allow a malicious attacker with physical access to the console the ability to resume a previous interactive session and possibly gain administrative privileges. This issue affects all Juniper Networks Junos OS Evolved versions after 18.4R1-EVO, prior to 20.2R1-EVO.
|
|||||
| CVE-2020-1604 | 1 Juniper | 7 Ex4300, Ex4600, Junos and 4 more | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
|
On EX4300, EX4600, QFX3500, and QFX5100 Series, a vulnerability in the IP firewall filter component may cause the firewall filter evaluation of certain packets to fail. This issue only affects firewall filter evaluation of certain packets destined to the device Routing Engine (RE). This issue does not affect the Layer 2 firewall filter evaluation nor does it affect the Layer 3 firewall filter evaluation destined to connected hosts. This issue may occur when evaluating both IPv4 or IPv6 packets. ...
Show More |
|||||
| CVE-2020-16261 | 1 Winstonprivacy | 2 Winston, Winston Firmware | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM |
|
Winston 1.5.4 devices allow a U-Boot interrupt, resulting in local root access.
|
|||||
| CVE-2020-15279 | 1 Bitdefender | 1 Endpoint Security Tools | 2024-11-21 | 2.1 LOW | 4.0 MEDIUM |
|
An Improper Access Control vulnerability in the logging component of Bitdefender Endpoint Security Tools for Windows versions prior to 6.6.23.320 allows a regular user to learn the scanning exclusion paths. This issue was discovered during external security research.
|
|||||
| CVE-2020-15181 | 1 Alfresco | 1 Reset Password | 2024-11-21 | 10.0 HIGH | 9.3 CRITICAL |
|
The Alfresco Reset Password add-on before version 1.2.0 relies on untrusted inputs in a security decision. Intruders can get admin's access to the system using the vulnerability in the project. Impacts all servers where this add-on is installed. The problem is fixed in version 1.2.0
|
|||||
| CVE-2020-15102 | 1 Prestashop | 1 Dashboard Products | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
In PrestaShop Dashboard Productions before version 2.1.0, there is improper authorization which enables an attacker to change the configuration. The problem is fixed in 2.1.0.
|
|||||
| CVE-2020-15079 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 5.5 MEDIUM | 6.4 MEDIUM |
|
In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, there is improper access control in Carrier page, Module Manager and Module Positions. The problem is fixed in version 1.7.6.6
|
|||||
| CVE-2020-14499 | 1 Advantech | 1 Iview | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Advantech iView, versions 5.6 and prior, has an improper access control vulnerability. Successful exploitation of this vulnerability may allow an attacker to obtain all user accounts credentials.
|
|||||
| CVE-2020-14388 | 1 Redhat | 1 3scale Api Management | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A flaw was found in the Red Hat 3scale API Management Platform, where member permissions for an API's admin portal were not properly enforced. This flaw allows an authenticated user to bypass normal account restrictions and access API services where they do not have permission.
|
|||||
| CVE-2020-14312 | 1 Fedoraproject | 1 Fedora | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
A flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS ...
Show More |
|||||
| CVE-2020-13677 | 1 Drupal | 1 Drupal | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
|
Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected.
|
|||||
| CVE-2020-13676 | 1 Drupal | 1 Drupal | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
|
|||||
| CVE-2020-13675 | 1 Drupal | 1 Drupal | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.
|
|||||
| CVE-2020-12493 | 1 Swarco | 1 Cpu Ls4000 Firmware | 2024-11-21 | 10.0 HIGH | 10.0 CRITICAL |
|
An open port used for debugging in SWARCOs CPU LS4000 Series with versions starting with G4... grants root access to the device without access control via network. A malicious user could use this vulnerability to get access to the device and disturb operations with connected devices.
|
|||||
| CVE-2020-12488 | 1 Vivo | 1 Jovi Smart Scene | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
The attacker can access the sensitive information stored within the jovi Smart Scene module by entering carefully constructed commands without requesting permission.
|
|||||
| CVE-2020-12030 | 1 Emerson | 6 Wireless 1410 Gateway, Wireless 1410 Gateway Firmware, Wireless 1420 Gateway and 3 more | 2024-11-21 | 6.8 MEDIUM | 10.0 CRITICAL |
|
There is a flaw in the code used to configure the internal gateway firewall when the gateway's VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway.
|
|||||
| CVE-2020-12024 | 1 Baxter | 4 Em1200, Em1200 Firmware, Em2400 and 1 more | 2024-11-21 | 3.6 LOW | 6.1 MEDIUM |
|
Baxter ExactaMix EM 2400 versions 1.10, 1.11, 1.13, 1.14 and ExactaMix EM1200 Versions 1.1, 1.2, 1.4 and 1.5 does not restrict access to the USB interface from an unauthorized user with physical access. Successful exploitation of this vulnerability may allow an attacker with physical access to the system the ability to load an unauthorized payload or unauthorized access to the hard drive by booting a live USB OS. This could impact confidentiality and integrity of the system and risk exposure of ...
Show More |
|||||
| CVE-2020-11931 | 2 Canonical, Pulseaudio | 2 Ubuntu Linux, Pulseaudio | 2024-11-21 | 2.1 LOW | 3.3 LOW |
|
An Ubuntu-specific modification to Pulseaudio to provide security mediation for Snap-packaged applications was found to have a bypass of intended access restriction for snaps which plugs any of pulseaudio, audio-playback or audio-record via unloading the pulseaudio snap policy module. This issue affects: pulseaudio 1:8.0 versions prior to 1:8.0-0ubuntu3.12; 1:11.1 versions prior to 1:11.1-1ubuntu7.7; 1:13.0 versions prior to 1:13.0-1ubuntu1.2; 1:13.99.1 versions prior to 1:13.99.1-1ubuntu3.2;
|
|||||
| CVE-2020-11028 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | 4.3 MEDIUM | 5.8 MEDIUM |
|
In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
|
|||||
| CVE-2020-10930 | 1 Netgear | 2 R6700, R6700 Firmware | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
|
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of URLs. The issue results from the lack of proper routing of URLs. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-9618.
|
|||||
| CVE-2020-10731 | 1 Redhat | 1 Openstack Platform | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
|
A flaw was found in the nova_libvirt container provided by the Red Hat OpenStack Platform 16, where it does not have SELinux enabled. This flaw causes sVirt, an important isolation mechanism, to be disabled for all running virtual machines.
|
|||||
| CVE-2020-10641 | 1 Inductiveautomation | 1 Ignition Gateway | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An unprotected logging route may allow an attacker to write endless log statements into the database without space limits or authentication. This results in consuming the entire available hard-disk space on the Ignition 8 Gateway (versions prior to 8.0.10), causing a denial-of-service condition.
|
|||||
| CVE-2020-10627 | 1 Insulet | 2 Omnipod Insulin Management System, Omnipod Insulin Management System Firmware | 2024-11-21 | 4.8 MEDIUM | 7.3 HIGH |
|
Insulet Omnipod Insulin Management System insulin pump product ID 19191 and 40160 is designed to communicate using a wireless RF with an Insulet manufactured Personal Diabetes Manager device. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with access to one of the affected insulin pump models may be able to modify and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin deliv ...
Show More |
|||||
| CVE-2020-10612 | 1 Opto22 | 1 Softpac Project | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
Opto 22 SoftPAC Project Version 9.6 and prior. SoftPACAgent communicates with SoftPACMonitor over network Port 22000. However, this port is open without any restrictions. This allows an attacker with network access to control the SoftPACAgent service including updating SoftPAC firmware, starting or stopping service, or writing to certain registry values.
|
|||||
| CVE-2020-10288 | 2 Abb, Windriver | 4 Irb140, Irc5, Robotware and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
IRC5 exposes an ftp server (port 21). Upon attempting to gain access you are challenged with a request of username and password, however you can input whatever you like. As long as the field isn't empty it will be accepted.
|
|||||
| CVE-2020-10278 | 4 Aliasrobotics, Enabled-robotics, Mobile-industrial-robotics and 1 more | 20 Mir100, Mir1000, Mir1000 Firmware and 17 more | 2024-11-21 | 5.0 MEDIUM | 4.6 MEDIUM |
|
The BIOS onboard MiR's Computer is not protected by password, therefore, it allows a Bad Operator to modify settings such as boot order. This can be leveraged by a Malicious operator to boot from a Live Image.
|
|||||
| CVE-2020-10145 | 1 Adobe | 1 Coldfusion | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
The Adobe ColdFusion installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\ColdFusion2021\. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.
|
|||||
| CVE-2020-10143 | 1 Macrium | 1 Reflect | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
Macrium Reflect includes an OpenSSL component that specifies an OPENSSLDIR variable as C:\openssl\. Macrium Reflect contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.
|
|||||
| CVE-2020-10139 | 1 Acronis | 1 True Image | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
Acronis True Image 2021 includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. Acronis True Image contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.
|
|||||
| CVE-2020-10138 | 1 Acronis | 2 Cyber Backup, Cyber Protect | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
Acronis Cyber Backup 12.5 and Cyber Protect 15 include an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. Acronis Cyber Backup and Cyber Protect contain a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.
|
|||||
| CVE-2019-9886 | 1 Eclass | 1 Eclass Ip | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Any URLs with download_attachment.php under templates or home folders can allow arbitrary files downloaded without login in BroadLearning eClass before version ip.2.5.10.2.1.
|
|||||
| CVE-2019-9884 | 1 Eclass | 1 Eclass Ip | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
eClass platform < ip.2.5.10.2.1 allows an attacker to use GETS method to request /admin page to bypass the password validation and access management page.
|
|||||
| CVE-2019-9531 | 1 Cobham | 2 Explorer 710, Explorer 710 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
The web application portal of the Cobham EXPLORER 710, firmware version 1.07, allows unauthenticated access to port 5454. This could allow an unauthenticated, remote attacker to connect to this port via Telnet and execute 86 Attention (AT) commands, including some that provide unauthenticated, shell-like access to the device.
|
|||||
| CVE-2019-9530 | 1 Cobham | 2 Explorer 710, Explorer 710 Firmware | 2024-11-21 | 4.9 MEDIUM | 5.5 MEDIUM |
|
The web root directory of the Cobham EXPLORER 710, firmware version 1.07, has no access restrictions on downloading and reading all files. This could allow an unauthenticated, local attacker connected to the device to access and download any file found in the web root directory.
|
|||||
| CVE-2019-9529 | 1 Cobham | 2 Explorer 710, Explorer 710 Firmware | 2024-11-21 | 4.9 MEDIUM | 5.5 MEDIUM |
|
The web application portal of the Cobham EXPLORER 710, firmware version 1.07, has no authentication by default. This could allow an unauthenticated, local attacker connected to the device to access the portal and to make any change to the device.
|
|||||
| CVE-2019-8456 | 1 Checkpoint | 1 Ipsec Vpn | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
Check Point IKEv2 IPsec VPN up to R80.30, in some less common conditions, may allow an attacker with knowledge of the internal configuration and setup to successfully connect to a site-to-site VPN server.
|
|||||