Total
1628 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-0571 | 1 Google | 1 Android | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| In ActivityTaskManagerService.startActivity() and AppTaskImpl.startActivity() of ActivityTaskManagerService.java and AppTaskImpl.java, there is possible access to restricted activities due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-137395936 | |||||
| CVE-2021-0472 | 1 Google | 1 Android | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| In shouldLockKeyguard of LockTaskController.java, there is a possible way to exit App Pinning without a PIN due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-9 Android-10Android ID: A-176801033 | |||||
| CVE-2021-0382 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| In checkSlicePermission of SliceManagerService.java, there is a possible resource exposure due to an incorrect permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-140727941 | |||||
| CVE-2021-0376 | 1 Google | 1 Android | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| In checkUriPermission and related functions of MediaProvider.java, there is a possible way to access external files due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-115619667 | |||||
| CVE-2021-0319 | 1 Google | 1 Android | 2024-11-21 | 4.4 MEDIUM | 7.3 HIGH |
| In checkCallerIsSystemOr of CompanionDeviceManagerService.java, there is a possible way to get a nearby Bluetooth device's MAC address without appropriate permissions due to a permissions bypass. This could lead to local escalation of privilege that grants access to nearby MAC addresses, with User execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-8.0, Android-8.1, Android-9, Android-10, Android-11; Android ID: A-167244818. | |||||
| CVE-2021-0317 | 1 Google | 1 Android | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH |
| In createOrUpdate of Permission.java and related code, there is possible permission escalation due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-10, Android-11, Android-8.0, Android-8.1, Android-9; Android ID: A-168319670. | |||||
| CVE-2020-9712 | 3 Adobe, Apple, Microsoft | 4 Acrobat Dc, Acrobat Reader Dc, Macos and 1 more | 2024-11-21 | 7.1 HIGH | 5.5 MEDIUM |
| Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have a security bypass vulnerability. Successful exploitation could lead to security feature bypass. | |||||
| CVE-2020-9492 | 2 Apache, Oracle | 3 Hadoop, Solr, Financial Services Crime And Compliance Management Studio | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. | |||||
| CVE-2020-9381 | 1 Totaljs | 1 Total.js Cms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954. | |||||
| CVE-2020-8919 | 1 Google | 1 Gerrit | 2024-11-21 | 2.7 LOW | 3.5 LOW |
| An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access. | |||||
| CVE-2020-8806 | 1 Electriccoin | 1 Zcashd | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Electric Coin Company Zcashd before 2.1.1-1 allows attackers to trigger consensus failure and double spending. A valid chain could be incorrectly rejected because timestamp requirements on block headers were not properly enforced. | |||||
| CVE-2020-8278 | 1 Nextcloud | 1 Social | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Improper access control in Nextcloud Social app version 0.3.1 allowed to read posts of any user. | |||||
| CVE-2020-8212 | 1 Citrix | 1 Xenmobile Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Improper access control in Citrix XenMobile Server 10.12 before RP3, Citrix XenMobile Server 10.11 before RP6, Citrix XenMobile Server 10.10 RP6 and Citrix XenMobile Server before 10.9 RP5 allows access to privileged functionality. | |||||
| CVE-2020-8151 | 2 Fedoraproject, Rubyonrails | 2 Fedora, Active Resource | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information. | |||||
| CVE-2020-8142 | 1 Revive-adserver | 1 Revive Adserver | 2024-11-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| A security restriction bypass vulnerability has been discovered in Revive Adserver version < 5.0.5 by HackerOne user hoangn144. Revive Adserver, like many other applications, requires the logged in user to type the current password in order to change the e-mail address or the password. It was however possible for anyone with access to a Revive Adserver admin user interface to bypass such check and change e-email address or password of the currently logged in user by altering the form payload.The attack requires physical access to the user interface of a logged in user. If the POST payload was altered by turning the “pwold” parameter into an array, Revive Adserver would fetch and authorise the operation even if no password was provided. | |||||
| CVE-2020-8119 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app. | |||||
| CVE-2020-8086 | 2 Debian, Prosody | 3 Debian Linux, Mod Auth Ldap, Mod Auth Ldap2 | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed to the is_admin() function. This grants remote entities admin-only functionality if their username matches the username of a local admin. | |||||
| CVE-2020-7955 | 1 Hashicorp | 1 Consul | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3. | |||||
| CVE-2020-7921 | 1 Mongodb | 1 Mongodb | 2024-11-21 | 3.5 LOW | 4.6 MEDIUM |
| Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3and MongoDB Server v3.6 versions prior to 3.6.18. | |||||
| CVE-2020-7692 | 1 Google | 1 Oauth Client Library For Java | 2024-11-21 | 6.4 MEDIUM | 7.4 HIGH |
| PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0. | |||||