Total
3371 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-29668 | 3 Debian, Fedoraproject, Sympa | 3 Debian Linux, Fedora, Sympa | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
| Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun. | |||||
| CVE-2020-29563 | 1 Westerndigital | 6 My Cloud Ex2 Ultra, My Cloud Ex4100, My Cloud Mirror Gen 2 and 3 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Western Digital My Cloud OS 5 devices before 5.07.118. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to gain access to the device. | |||||
| CVE-2020-29392 | 1 Lock Password Manager Safe App Project | 1 Lock Password Manager Safe App | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| The Estil Hill Lock Password Manager Safe app 2.3 for iOS has a *#06#* backdoor password. An attacker with physical access can unlock the password manager without knowing the master password set by the user. | |||||
| CVE-2020-29378 | 1 Vsolcn | 10 V1600d, V1600d-mini, V1600d-mini Firmware and 7 more | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. It is possible to elevate the privilege of a CLI user (to full administrative access) by using the password !j@l#y$z%x6x7q8c9z) for the enable command. | |||||
| CVE-2020-29127 | 1 Fujitsu | 2 Eternus Storage Dx200 S4, Eternus Storage Dx200 S4 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on Fujitsu Eternus Storage DX200 S4 devices through 2020-11-25. After logging into the portal as a root user (using any web browser), the portal can be accessed with root privileges when the URI cgi-bin/csp?cspid={XXXXXXXXXX}&csppage=cgi_PgOverview&csplang=en is visited from a different web browser. | |||||
| CVE-2020-28973 | 1 Abus | 2 Secvest Wireless Alarm System Fuaa50000, Secvest Wireless Alarm System Fuaa50000 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The ABUS Secvest wireless alarm system FUAA50000 (v3.01.17) fails to properly authenticate some requests to its built-in HTTPS interface. Someone can use this vulnerability to obtain sensitive information from the system, such as usernames and passwords. This information can then be used to reconfigure or disable the alarm system. | |||||
| CVE-2020-28971 | 1 Westerndigital | 6 My Cloud Ex2 Ultra, My Cloud Ex4100, My Cloud Mirror Gen 2 and 3 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Western Digital My Cloud OS 5 devices before 5.06.115. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to execute privileged commands on the device via a cookie, because of insufficient validation of URI paths. | |||||
| CVE-2020-28970 | 1 Westerndigital | 6 My Cloud Ex2 Ultra, My Cloud Ex4100, My Cloud Mirror Gen 2 and 3 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Western Digital My Cloud OS 5 devices before 5.06.115. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to execute privileged commands on the device via a cookie. (In addition, an upload endpoint could then be used by an authenticated administrator to upload executable PHP scripts.) | |||||
| CVE-2020-28940 | 1 Westerndigital | 6 My Cloud Ex2 Ultra, My Cloud Ex4100, My Cloud Mirror Gen 2 and 3 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| On Western Digital My Cloud OS 5 devices before 5.06.115, the NAS Admin dashboard has an authentication bypass vulnerability that could allow an unauthenticated user to execute privileged commands on the device. | |||||
| CVE-2020-28896 | 3 Debian, Mutt, Neomutt | 3 Debian Linux, Mutt, Neomutt | 2024-11-21 | 2.6 LOW | 5.3 MEDIUM |
| Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle. | |||||
| CVE-2020-28874 | 1 Projectsend | 1 Projectsend | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. Errors are not properly considered (an invalid token parameter). | |||||
| CVE-2020-28638 | 1 Dyne | 1 Tomb | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| ask_password in Tomb 2.0 through 2.7 returns a warning when pinentry-curses is used and $DISPLAY is non-empty, causing affected users' files to be encrypted with "tomb {W] Detected DISPLAY, but only pinentry-curses is found." as the encryption key. | |||||
| CVE-2020-28333 | 1 Barco | 2 Wepresent Wipg-1600w, Wepresent Wipg-1600w Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Barco wePresent WiPG-1600W devices allow Authentication Bypass. Affected Version(s): 2.5.1.8. The Barco wePresent WiPG-1600W web interface does not use session cookies for tracking authenticated sessions. Instead, the web interface uses a "SEID" token that is appended to the end of URLs in GET requests. Thus the "SEID" would be exposed in web proxy logs and browser history. An attacker that is able to capture the "SEID" and originate requests from the same IP address (via a NAT device or web proxy) would be able to access the user interface of the device without having to know the credentials. | |||||
| CVE-2020-28050 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from multiple agents to communicate with the server. | |||||
| CVE-2020-28002 | 1 Sonarsource | 1 Sonarqube | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| In SonarQube 8.4.2.36762, an external attacker can achieve authentication bypass through SonarScanner. With an empty value for the -D sonar.login option, anonymous authentication is forced. This allows creating and overwriting public and private projects via the /api/ce/submit endpoint. | |||||
| CVE-2020-27838 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality. | |||||
| CVE-2020-27780 | 1 Linux-pam | 1 Linux-pam | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| A flaw was found in Linux-Pam in versions prior to 1.5.1 in the way it handle empty passwords for non-existing users. When the user doesn't exist PAM try to authenticate with root and in the case of an empty password it successfully authenticate. | |||||
| CVE-2020-27558 | 1 Basetech | 2 Ge-131 Bt-1837836, Ge-131 Bt-1837836 Firmware | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Use of an undocumented user in BASETech GE-131 BT-1837836 firmware 20180921 allows remote attackers to view the video stream. | |||||
| CVE-2020-27488 | 1 Loxone | 2 Miniserver Gen 1, Miniserver Gen 1 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Loxone Miniserver devices with firmware before 11.1 (aka 11.1.9.3) are unable to use an authentication method that is based on the "signature of the update package." Therefore, these devices (or attackers who are spoofing these devices) can continue to use an unauthenticated cloud service for an indeterminate time period (possibly forever). Once an individual device's firmware is updated, and authentication occurs once, the cloud service recategorizes the device so that authentication is subsequently always required, and spoofing cannot occur. | |||||
| CVE-2020-27408 | 1 Os4ed | 1 Opensis | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| OpenSIS Community Edition through 7.6 is affected by incorrect access controls for the file ResetUserInfo.php that allow an unauthenticated attacker to change the password of arbitrary users. | |||||