Total
1228 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-12478 | 1 Teampass | 1 Teampass | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| TeamPass 2.1.27.36 allows an unauthenticated attacker to retrieve files from the TeamPass web root. This may include backups or LDAP debug files. | |||||
| CVE-2020-12266 | 1 Wavlink | 30 Jetstream Ac3000, Jetstream Ac3000 Firmware, Jetstream Erac3000 and 27 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered where there are multiple externally accessible pages that do not require any sort of authentication, and store system information for internal usage. The devices automatically query these pages to update dashboards and other statistics, but the pages can be accessed externally without any authentication. All the pages follow the naming convention live_(string).shtml. Among the information disclosed is: interface status logs, IP address of the device, MAC address of the device, model and current firmware version, location, all running processes, all interfaces and their statuses, all current DHCP leases and the associated hostnames, all other wireless networks in range of the router, memory statistics, and components of the configuration of the device such as enabled features. Affected devices: Affected devices are: Wavlink WN530HG4, Wavlink WN575A3, Wavlink WN579G3,Wavlink WN531G3, Wavlink WN533A8, Wavlink WN531A6, Wavlink WN551K1, Wavlink WN535G3, Wavlink WN530H4, Wavlink WN57X93, WN572HG3, Wavlink WN578A2, Wavlink WN579G3, Wavlink WN579X3, and Jetstream AC3000/ERAC3000 | |||||
| CVE-2020-12127 | 1 Wavlink | 2 Wn530h4, Wn530h4 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An information disclosure vulnerability in the /cgi-bin/ExportAllSettings.sh endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allows an attacker to leak router settings, including cleartext login details, DNS settings, and other sensitive information without authentication. | |||||
| CVE-2020-12117 | 1 Moxa | 2 Nport 5100a, Nport 5100a Firmware | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Moxa Service in Moxa NPort 5150A firmware version 1.5 and earlier allows attackers to obtain sensitive configuration values via a crafted packet to UDP port 4800. NOTE: Moxa Service is an unauthenticated service that runs upon a first-time installation but can be disabled without ill effect. | |||||
| CVE-2020-12106 | 1 Stengg | 2 Vpncrypt M10, Vpncrypt M10 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Web portal of the WiFi module of VPNCrypt M10 2.6.5 allows unauthenticated users to send HTTP POST request to several critical Administrative functions such as, changing credentials of the Administrator account or connect the product to a rogue access point. | |||||
| CVE-2020-12028 | 1 Rockwellautomation | 1 Factorytalk View | 2024-11-21 | 5.5 MEDIUM | 7.3 HIGH |
| In all versions of FactoryTalk View SEA remote, an authenticated attacker may be able to utilize certain handlers to interact with the data on the remote endpoint since those handlers do not enforce appropriate permissions. Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs. | |||||
| CVE-2020-12017 | 1 Ge | 6 Rt430, Rt430 Firmware, Rt431 and 3 more | 2024-11-21 | 9.0 HIGH | 9.8 CRITICAL |
| GE Grid Solutions Reason RT Clocks, RT430, RT431, and RT434, all firmware versions prior to 08A05. The device’s vulnerability in the web application could allow multiple unauthenticated attacks that could cause serious impact. The vulnerability may allow an unauthenticated attacker to execute arbitrary commands and send a request to a specific URL that could cause the device to become unresponsive. The unauthenticated attacker may change the password of the 'configuration' user account, allowing the attacker to modify the configuration of the device via the web interface using the new password. This vulnerability may also allow an unauthenticated attacker to bypass the authentication required to configure the device and reboot the system. | |||||
| CVE-2020-12004 | 1 Inductiveautomation | 1 Ignition Gateway | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The affected product lacks proper authentication required to query the server on the Ignition 8 Gateway (versions prior to 8.0.10) and Ignition 7 Gateway (versions prior to 7.9.14), allowing an attacker to obtain sensitive information. | |||||
| CVE-2020-11969 | 1 Apache | 1 Tomee | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. This affects Apache TomEE 8.0.0-M1 - 8.0.1, Apache TomEE 7.1.0 - 7.1.2, Apache TomEE 7.0.0-M1 - 7.0.7, Apache TomEE 1.0.0 - 1.7.5. | |||||
| CVE-2020-11961 | 1 Mi | 2 Xiaomi R3600, Xiaomi R3600 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Xiaomi router R3600 ROM before 1.0.50 is affected by a sensitive information leakage caused by an insecure interface get_config_result without authentication | |||||
| CVE-2020-11946 | 1 Zohocorp | 1 Manageengine Opmanager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call. | |||||
| CVE-2020-11856 | 1 Microfocus | 1 Operation Bridge Reporter | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Arbitrary code execution vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow remote attackers to execute arbitrary code on affected installations of OBR. | |||||
| CVE-2020-11673 | 1 Total-soft | 1 Responsive Poll | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the Responsive Poll through 1.3.4 for Wordpress. It allows an unauthenticated user to manipulate polls, e.g., delete, clone, or view a hidden poll. This is due to the usage of the callback wp_ajax_nopriv function in Includes/Total-Soft-Poll-Ajax.php for sensitive operations. | |||||
| CVE-2020-11649 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Members of a group could still have access after the group is deleted. | |||||
| CVE-2020-11599 | 1 Cipplanner | 1 Cipace | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in CIPPlanner CIPAce 6.80 Build 2016031401. GetDistributedPOP3 allows attackers to obtain the username and password of the SMTP user. | |||||
| CVE-2020-11598 | 1 Cipplanner | 1 Cipace | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. Upload.ashx allows remote attackers to execute arbitrary code by uploading and executing an ASHX file. | |||||
| CVE-2020-11579 | 2 Chadhaajay, Php | 2 Phpkb, Php | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Chadha PHPKB 9.0 Enterprise Edition. installer/test-connection.php (part of the installation process) allows a remote unauthenticated attacker to disclose local files on hosts running PHP before 7.2.16, or on hosts where the MySQL ALLOW LOCAL DATA INFILE option is enabled. | |||||
| CVE-2020-11547 | 1 Paessler | 1 Prtg Network Monitor | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage, memory, Windows version, and internal statistics) via an HTTP request, as demonstrated by type=probes to login.htm or index.htm. | |||||
| CVE-2020-11539 | 1 Titan | 2 Sf Rush Smart Band, Sf Rush Smart Band Firmware | 2024-11-21 | 4.8 MEDIUM | 8.1 HIGH |
| An issue was discovered on Tata Sonata Smart SF Rush 1.12 devices. It has been identified that the smart band has no pairing (mode 0 Bluetooth LE security level) The data being transmitted over the air is not encrypted. Adding to this, the data being sent to the smart band doesn't have any authentication or signature verification. Thus, any attacker can control a parameter of the device. | |||||
| CVE-2020-11028 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | 4.3 MEDIUM | 5.8 MEDIUM |
| In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | |||||