Total
2555 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-26028 | 1 Zammad | 1 Zammad | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
An issue was discovered in Zammad before 3.4.1. Admin Users without a ticket.* permission can access Tickets.
|
|||||
| CVE-2020-25869 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An information leak was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. Handling of actor ID does not necessarily use the correct database or correct wiki.
|
|||||
| CVE-2020-25722 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Multiple flaws were found in the way samba AD DC implemented access and conformance checking of stored data. An attacker could use this flaw to cause total domain compromise.
|
|||||
| CVE-2020-25701 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
|
|||||
| CVE-2020-25699 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
|
|||||
| CVE-2020-25655 | 1 Redhat | 1 Advanced Cluster Management For Kubernetes | 2024-11-21 | 4.0 MEDIUM | 5.7 MEDIUM |
|
An issue was discovered in ManagedClusterView API, that could allow secrets to be disclosed to users without the correct permissions. Views created for an admin user would be made available for a short time to users with only view permission. In this short time window the user with view permission could read cluster secrets that should only be disclosed to admin users.
|
|||||
| CVE-2020-25564 | 1 Sapphireims | 1 Sapphireims | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
In SapphireIMS 5.0, it is possible to create local administrator on any client with credentials of a non-privileged user by directly accessing RemoteMgmtTaskSave (Automation Tasks) feature.
|
|||||
| CVE-2020-25284 | 3 Debian, Linux, Opensuse | 3 Debian Linux, Linux Kernel, Leap | 2024-11-21 | 1.9 LOW | 4.1 MEDIUM |
|
The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap rbd block devices, aka CID-f44d04e696fe.
|
|||||
| CVE-2020-25240 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0). Unpriviledged users can access services when guessing the url. An attacker could impact availability, integrity and gain information from logs and templates of the service.
|
|||||
| CVE-2020-25239 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0). The webserver could allow unauthorized actions via special urls for unpriviledged users. The settings of the UMC authorization server could be changed to add a rogue server by an attacker authenticating with unprivilege user rights.
|
|||||
| CVE-2020-25167 | 1 Osisoft | 1 Pi Vision | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
OSIsoft PI Vision 2020 versions prior to 3.5.0 could disclose information to a user with insufficient privileges for an AF attribute.
|
|||||
| CVE-2020-25055 | 1 Google | 1 Android | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. The persona service allows attackers (who control an unprivileged SecureFolder process) to bypass admin restrictions in KnoxContainer. The Samsung ID is SVE-2020-18133 (August 2020).
|
|||||
| CVE-2020-25025 | 1 Localization Manager Project | 1 Localization Manager | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
The l10nmgr (aka Localization Manager) extension before 7.4.0, 8.x before 8.7.0, and 9.x before 9.2.0 for TYPO3 allows Information Disclosure (translatable fields).
|
|||||
| CVE-2020-24941 | 1 Laravel | 1 Laravel | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
|
An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions.
|
|||||
| CVE-2020-24771 | 1 Nexusphp | 1 Nexusphp | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Incorrect access control in NexusPHP 1.5.beta5.20120707 allows unauthorized attackers to access published content.
|
|||||
| CVE-2020-24716 | 2 Freebsd, Openzfs | 2 Freebsd, Openzfs | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
OpenZFS before 2.0.0-rc1, when used on FreeBSD, allows execute permissions for all directories.
|
|||||
| CVE-2020-24674 | 1 Abb | 2 Symphony \+ Historian, Symphony \+ Operations | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
In S+ Operations and S+ Historian, not all client commands correctly check user permission as expected. Authenticated but Unauthorized remote users could execute a Denial-of-Service (DoS) attack, execute arbitrary code, or obtain more privilege than intended on the machines.
|
|||||
| CVE-2020-24401 | 1 Magento | 1 Magento | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
|
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account.
|
|||||
| CVE-2020-24264 | 1 Portainer | 1 Portainer | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover.
|
|||||
| CVE-2020-21990 | 1 Domoticz | 1 Mydomoathome | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Emmanuel MyDomoAtHome (MDAH) REST API REST API Domoticz ISS Gateway 0.2.40 is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this, via a specially crafted request to gain access to sensitive information.
|
|||||
| CVE-2020-21124 | 1 Ureport Project | 1 Ureport | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
UReport 2.2.9 allows attackers to execute arbitrary code due to a lack of access control to the designer page.
|
|||||
| CVE-2020-20471 | 1 White Shark Systems Project | 1 White Shark Systems | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
White Shark System (WSS) 1.3.2 has an unauthorized access vulnerability in default_user_edit.php, remote attackers can exploit this vulnerability to escalate to admin privileges.
|
|||||
| CVE-2020-20466 | 1 White Shark Systems Project | 1 White Shark Systems | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
White Shark System (WSS) 1.3.2 is vulnerable to unauthorized access via user_edit_password.php, remote attackers can modify the password of any user.
|
|||||
| CVE-2020-1998 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 6.5 MEDIUM | 5.4 MEDIUM |
|
An improper authorization vulnerability in PAN-OS that mistakenly uses the permissions of local linux users instead of the intended SAML permissions of the account when the username is shared for the purposes of SSO authentication. This can result in authentication bypass and unintended resource access for the user. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; PAN-OS 9.1 versions earlier than 9.1.1; ...
Show More |
|||||
| CVE-2020-1831 | 1 Huawei | 2 Mate 20, Mate 20 Firmware | 2024-11-21 | 1.9 LOW | 2.4 LOW |
|
HUAWEI Mate 20 smartphones with versions earlier than 10.0.0.195(SP31C00E74R3P8) have an improper authorization vulnerability. The digital balance function does not sufficiently restrict the using time of certain user, successful exploit could allow the user break the limit of digital balance function after a series of operations with a PC.
|
|||||
| CVE-2020-1796 | 1 Huawei | 4 Mate 20, Mate 20 Firmware, Mate 30 Pro and 1 more | 2024-11-21 | 4.6 MEDIUM | 6.6 MEDIUM |
|
There is an improper authorization vulnerability in several smartphones. The software incorrectly performs an authorization to certain user, successful exploit could allow a low privilege user to do certain operation which the user are supposed not to do.Affected product versions include:HUAWEI Mate 20 versions Versions earlier than 10.0.0.188(C00E74R3P8);HUAWEI Mate 30 Pro versions Versions earlier than 10.0.0.203(C00E202R7P2).
|
|||||
| CVE-2020-1729 | 1 Redhat | 1 Smallrye Config | 2024-11-21 | 2.1 LOW | 4.4 MEDIUM |
|
A flaw was found in SmallRye's API through version 1.6.1. The API can allow other code running within the application server to potentially obtain the ClassLoader, bypassing any permissions checks that should have been applied. The largest threat from this vulnerability is a threat to data confidentiality. This is fixed in SmallRye 1.6.2
|
|||||
| CVE-2020-1725 | 1 Redhat | 1 Keycloak | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
|
A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token.
|
|||||
| CVE-2020-19765 | 1 Proofofdiligencetoken Project | 1 Proofofdiligencetoken | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue in the noReentrance() modifier of the Ethereum-based contract Accounting 1.0 allows attackers to carry out a reentrancy attack.
|
|||||
| CVE-2020-19551 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Blacklist bypass issue exists in WUZHI CMS up to and including 4.1.0 in common.func.php, which when uploaded can cause remote code executiong.
|
|||||
| CVE-2020-19301 | 1 Vaethink | 1 Vaethink | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A vulnerability in the vae_admin_rule database table of vaeThink v1.0.1 allows attackers to execute arbitrary code via a crafted payload in the condition parameter.
|
|||||
| CVE-2020-19005 | 1 Zrlog | 1 Zrlog | 2024-11-21 | 3.5 LOW | 5.7 MEDIUM |
|
zrlog v2.1.0 has a vulnerability with the permission check. If admin account is logged in, other unauthorized users can download the database backup file directly.
|
|||||
| CVE-2020-18701 | 1 Talelin | 1 Lin-cms-flask | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Incorrect Access Control in Lin-CMS-Flask v0.1.1 allows remote attackers to obtain sensitive information and/or gain privileges due to the application not invalidating a user's authentication token upon logout, which allows for replaying packets.
|
|||||
| CVE-2020-17448 | 1 Telegram | 1 Telegram Desktop | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
|
Telegram Desktop through 2.1.13 allows a spoofed file type to bypass the Dangerous File Type Execution protection mechanism, as demonstrated by use of the chat window with a filename that lacks an extension.
|
|||||
| CVE-2020-17049 | 2 Microsoft, Samba | 4 Windows Server 2012, Windows Server 2016, Windows Server 2019 and 1 more | 2024-11-21 | 9.0 HIGH | 6.6 MEDIUM |
|
A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).
To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.
The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.
|
|||||
| CVE-2020-16630 | 1 Ti | 7 15.4-stack, Ble5-stack, Dynamic Multi-protocal Manager and 4 more | 2024-11-21 | 4.3 MEDIUM | 6.8 MEDIUM |
|
TI’s BLE stack caches and reuses the LTK’s property for a bonded mobile. A LTK can be an unauthenticated-and-no-MITM-protection key created by Just Works or an authenticated-and-MITM-protection key created by Passkey Entry, Numeric Comparison or OOB. Assume that a victim mobile uses secure pairing to pair with a victim BLE device based on TI chips and generate an authenticated-and-MITM-protection LTK. If a fake mobile with the victim mobile’s MAC address uses Just Works and pairs with the victim ...
Show More |
|||||
| CVE-2020-15664 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extension being installed. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR < 68.12, Firefox ESR < 78.2, and Firefox for Android < 80.
|
|||||
| CVE-2020-15590 | 1 Privateinternetaccess | 1 Private Internet Access Vpn Client | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A vulnerability in the Private Internet Access (PIA) VPN Client for Linux 1.5 through 2.3+ allows remote attackers to bypass an intended VPN kill switch mechanism and read sensitive information via intercepting network traffic. Since 1.5, PIA has supported a “split tunnel” OpenVPN bypass option. The PIA killswitch & associated iptables firewall is designed to protect you while using the Internet. When the kill switch is configured to block all inbound and outbound network traffic, privileged app ...
Show More |
|||||
| CVE-2020-15513 | 1 Mittwald | 1 Typo3 Forum | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
The typo3_forum extension before 1.2.1 for TYPO3 has Incorrect Access Control.
|
|||||
| CVE-2020-15278 | 1 Cogboard | 1 Red Discord Bot | 2024-11-21 | 6.0 MEDIUM | 7.7 HIGH |
|
Red Discord Bot before version 3.4.1 has an unauthorized privilege escalation exploit in the Mod module. This exploit allows Discord users with a high privilege level within the guild to bypass hierarchy checks when the application is in a specific condition that is beyond that user's control. By abusing this exploit, it is possible to perform destructive actions within the guild the user has high privileges in. This exploit has been fixed in version 3.4.1. As a workaround, unloading the Mod mod ...
Show More |
|||||