Total
461 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-14246 | 1 Hcltechsw | 1 Onetest Performance | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| HCL OneTest Performance V9.5, V10.0, V10.1 uses basic authentication which is relatively weak. An attacker could potentially decode the encoded credentials. | |||||
| CVE-2020-13777 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2024-11-21 | 5.8 MEDIUM | 7.4 HIGH |
| GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application. | |||||
| CVE-2020-13757 | 3 Canonical, Fedoraproject, Python-rsa Project | 3 Ubuntu Linux, Fedora, Python-rsa | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation). | |||||
| CVE-2020-13135 | 1 Dlink | 2 Dsp-w215, Dsp-w215 Firmware | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
| D-Link DSP-W215 1.26b03 devices allow information disclosure by intercepting messages on the local network, as demonstrated by a Squid Proxy. | |||||
| CVE-2020-12702 | 1 Coolkit | 1 Ewelink | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process. | |||||
| CVE-2020-11876 | 1 Zoom | 1 Meetings | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| airhost.exe in Zoom Client for Meetings 4.6.11 uses the SHA-256 hash of 0123425234234fsdfsdr3242 for initialization of an OpenSSL EVP AES-256 CBC context. NOTE: the vendor states that this initialization only occurs within unreachable code | |||||
| CVE-2020-11872 | 1 Bluetrace | 1 Opentrace | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The Cloud Functions subsystem in OpenTrace 1.0 might allow fabrication attacks by making billions of TempID requests before an AES-256-GCM key rotation occurs. | |||||
| CVE-2020-11500 | 1 Zoom | 1 Meetings | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Zoom Client for Meetings through 4.6.9 uses the ECB mode of AES for video and audio encryption. Within a meeting, all participants use a single 128-bit key. | |||||
| CVE-2020-11035 | 2 Fedoraproject, Glpi-project | 2 Fedora, Glpi | 2024-11-21 | 6.4 MEDIUM | 7.5 HIGH |
| In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6. | |||||
| CVE-2020-11031 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 5.0 MEDIUM | 7.8 HIGH |
| In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption library. The library chosen is sodium. | |||||
| CVE-2020-11005 | 1 Windowshello Project | 1 Windowshello | 2024-11-21 | 2.1 LOW | 5.1 MEDIUM |
| The WindowsHello open source library (NuGet HaemmerElectronics.SeppPenner.WindowsHello), before version 1.0.4, has a vulnerability where encrypted data could potentially be decrypted without needing authentication. If the library is used to encrypt text and write the output to a txt file, another executable could be able to decrypt the text using the static method NCryptDecrypt from this same library without the need to use Windows Hello Authentication again. This has been patched in version 1.0.4. | |||||
| CVE-2020-10932 | 3 Arm, Debian, Fedoraproject | 3 Mbed Tls, Debian Linux, Fedora | 2024-11-21 | 1.9 LOW | 4.7 MEDIUM |
| An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before 2.7.15. An attacker that can get precise enough side-channel measurements can recover the long-term ECDSA private key by (1) reconstructing the projective coordinate of the result of scalar multiplication by exploiting side channels in the conversion to affine coordinates; (2) using an attack described by Naccache, Smart, and Stern in 2003 to recover a few bits of the ephemeral scalar from those projective coordinates via several measurements; and (3) using a lattice attack to get from there to the long-term ECDSA private key used for the signatures. Typically an attacker would have sufficient access when attacking an SGX enclave and controlling the untrusted OS. | |||||
| CVE-2020-10927 | 1 Netgear | 2 R6700, R6700 Firmware | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the encryption of firmware update images. The issue results from the use of an inappropriate encryption algorithm. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-9649. | |||||
| CVE-2020-10601 | 1 Visam | 2 Vbase Editor, Vbase Web-remote | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module allow weak hashing algorithm and insecure permissions which may allow a local attacker to bypass the password-protected mechanism through brute-force attacks, cracking techniques, or overwriting the password hash. | |||||
| CVE-2020-10377 | 1 Mitel | 2 Mivoice Connect, Mivoice Connect Client | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| A weak encryption vulnerability in Mitel MiVoice Connect Client before 214.100.1214.0 could allow an unauthenticated attacker to gain access to user credentials. A successful exploit could allow an attacker to access the system with compromised user credentials. | |||||
| CVE-2019-9836 | 2 Amd, Opensuse | 16 Epyc 7251, Epyc 7261, Epyc 7281 and 13 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Secure Encrypted Virtualization (SEV) on Advanced Micro Devices (AMD) Platform Security Processor (PSP; aka AMD Secure Processor or AMD-SP) 0.17 build 11 and earlier has an insecure cryptographic implementation. | |||||
| CVE-2019-9506 | 8 Apple, Blackberry, Canonical and 5 more | 274 Iphone Os, Mac Os X, Tvos and 271 more | 2024-11-21 | 4.8 MEDIUM | 8.1 HIGH |
| The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka "KNOB") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing. | |||||
| CVE-2019-9483 | 1 Amazon | 2 Ring Video Doorbell, Ring Video Doorbell Firmware | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Amazon Ring Doorbell before 3.4.7 mishandles encryption, which allows attackers to obtain audio and video data, or insert spoofed video that does not correspond to the actual person at the door. | |||||
| CVE-2019-9399 | 1 Google | 1 Android | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Print Service is susceptible to man in the middle attacks due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-115635664 | |||||
| CVE-2019-9155 | 1 Openpgpjs | 1 Openpgpjs | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| A cryptographic issue in OpenPGP.js <=4.2.0 allows an attacker who is able provide forged messages and gain feedback about whether decryption of these messages succeeded to conduct an invalid curve attack in order to gain the victim's ECDH private key. | |||||