Total
3177 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15109 | 1 Nebulab | 1 Solidus | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an bility to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipment costs associated with the new shipment. All stores with at least two shipping zones and different costs of shipment per zone are impacted. This problem comes from how checkout permitted attributes are structured. We have a single list of attributes that are permitted across the whole checkout, no matter the step that is being submitted. See the linked reference for more information. As a workaround, if it is not possible to upgrade to a supported patched version, please use this gist in the references section. | |||||
| CVE-2020-15102 | 1 Prestashop | 1 Dashboard Products | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In PrestaShop Dashboard Productions before version 2.1.0, there is improper authorization which enables an attacker to change the configuration. The problem is fixed in 2.1.0. | |||||
| CVE-2020-15080 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some files should not be in the release archive, and others should not be accessible. The problem is fixed in version 1.7.6.6 A possible workaround is to make sure `composer.json` and `docker-compose.yml` are not accessible on your server. | |||||
| CVE-2020-15001 | 1 Yubico | 2 Yubikey 5 Nfc, Yubikey 5 Nfc Firmware | 2024-11-21 | 2.9 LOW | 5.3 MEDIUM |
| An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when updating NFC specific components of the OTP configurations. This may allow an attacker to access configured OTPs and passwords stored in slots that were not configured by the user to be read over NFC, despite a user having set an access code. (Users who have not set an access code, or who have not configured the OTP slots, are not impacted by this issue.) | |||||
| CVE-2020-14987 | 1 Bloomreach | 1 Experience Manager | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| An issue was discovered in Bloomreach Experience Manager (brXM) 4.1.0 through 14.2.2. It allows remote attackers to execute arbitrary code because there is a mishandling of the capability for administrators to write and run Groovy scripts within the updater editor. An attacker must use an AST transforming annotation such as @Grab. | |||||
| CVE-2020-14971 | 1 Pi-hole | 1 Pi-hole | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Pi-hole through 5.0 allows code injection in piholedhcp (the Static DHCP Leases section) by modifying Teleporter backup files and then restoring them. This occurs in settings.php. To exploit this, an attacker would request a backup of limited files via teleporter.php. These are placed into a .tar.gz archive. The attacker then modifies the host parameter in dnsmasq.d files, and then compresses and uploads these files again. | |||||
| CVE-2020-14969 | 1 Misp | 1 Misp | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute. | |||||
| CVE-2020-14944 | 1 Globalradar | 1 Bsa Radar | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Global RADAR BSA Radar 1.6.7234.24750 and earlier lacks valid authorization controls in multiple functions. This can allow for manipulation and takeover of user accounts if successfully exploited. The following vulnerable functions are exposed: ChangePassword, SaveUserProfile, and GetUser. | |||||
| CVE-2020-14520 | 1 Inductiveautomation | 1 Ignition Gateway | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The affected product is vulnerable to an information leak, which may allow an attacker to obtain sensitive information on the Ignition 8 (all versions prior to 8.0.13). | |||||
| CVE-2020-14491 | 1 Openclinic Ga Project | 1 Openclinic Ga | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| OpenClinic GA versions 5.09.02 and 5.89.05b do not properly check permissions before executing SQL queries, which may allow a low-privilege user to access privileged information. | |||||
| CVE-2020-14306 | 1 Istio-operator Project | 1 Istio-operator | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An incorrect access control flaw was found in the operator, openshift-service-mesh/istio-rhel8-operator all versions through 1.1.3. This flaw allows an attacker with a basic level of access to the cluster to deploy a custom gateway/pod to any namespace, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | |||||
| CVE-2020-14213 | 1 Zammad | 1 Zammad | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| In Zammad before 3.3.1, a Customer has ticket access that should only be available to an Agent (e.g., read internal data, split, or merge). | |||||
| CVE-2020-14205 | 1 Divebook Project | 1 Divebook | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The DiveBook plugin 1.1.4 for WordPress is prone to improper access control in the Log Dive form because it fails to perform authorization checks. An attacker may leverage this issue to manipulate the integrity of dive logs. | |||||
| CVE-2020-14185 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Affected versions of Jira Server allow remote unauthenticated attackers to enumerate issue keys via a missing permissions check in the ActionsAndOperations resource. The affected versions are before 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before version 8.12.2. | |||||
| CVE-2020-14001 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum. | |||||
| CVE-2020-13938 | 4 Apache, Mcafee, Microsoft and 1 more | 4 Http Server, Epolicy Orchestrator, Windows and 1 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| Apache HTTP Server versions 2.4.0 to 2.4.46 Unprivileged local users can stop httpd on Windows | |||||
| CVE-2020-13794 | 1 Linuxfoundation | 1 Harbor | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Harbor 1.9.* 1.10.* and 2.0.* allows Exposure of Sensitive Information to an Unauthorized Actor. | |||||
| CVE-2020-13626 | 1 Oneplus | 1 App Locker | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| OnePlus App Locker through 2020-10-06 allows physically proximate attackers to use Google Assistant to bypass an authorization check in order to send an SMS message when the SMS application is locked. | |||||
| CVE-2020-13523 | 1 Softperfect | 1 Ram Disk | 2024-11-21 | 2.1 LOW | 3.3 LOW |
| An exploitable information disclosure vulnerability exists in SoftPerfect’s RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can cause the disclosure of sensitive information. An attacker can send a malicious IRP to trigger this vulnerability. | |||||
| CVE-2020-13519 | 1 Nzxt | 1 Cam | 2024-11-21 | 7.2 HIGH | 8.8 HIGH |
| A privilege escalation vulnerability exists in the WinRing0x64 Driver IRP 0x9c402088 functionality of NZXT CAM 4.8.0. A specially crafted I/O request packet (IRP) can cause increased privileges. An attacker can send a malicious IRP to trigger this vulnerability. | |||||