Total
29064 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-24404 | 1 Magento | 1 Magento | 2024-11-21 | 5.5 MEDIUM | 2.7 LOW |
| Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization. | |||||
| CVE-2020-24403 | 1 Magento | 1 Magento | 2024-11-21 | 4.0 MEDIUM | 2.7 LOW |
| Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the REST API. | |||||
| CVE-2020-24386 | 3 Debian, Dovecot, Fedoraproject | 3 Debian Linux, Dovecot, Fedora | 2024-11-21 | 4.9 MEDIUM | 6.8 MEDIUM |
| An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure). | |||||
| CVE-2020-24214 | 3 Jtechdigital, Provideoinstruments, Szuray | 105 H.264 Iptv Encoder 1080p\@60hz, H.264 Iptv Encoder 1080p\@60hz Firmware, Vecaster-4k-hevc and 102 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. Attackers can send a crafted unauthenticated RTSP request to cause a buffer overflow and application crash. The device will not be able to perform its main purpose of video encoding and streaming for up to a minute, until it automatically reboots. Attackers can send malicious requests once a minute, effectively disabling the device. | |||||
| CVE-2020-23996 | 1 Ilias | 1 Ilias | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A local file inclusion vulnerability in ILIAS before 5.3.19, 5.4.10 and 6.0 allows remote authenticated attackers to execute arbitrary code via the import of personal data. | |||||
| CVE-2020-23352 | 1 Zblogcn | 1 Z-blogphp | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Z-BlogPHP 1.6.0 Valyria is affected by incorrect access control. PHP loose comparison and a magic hash can be used to bypass authentication. zb_user/plugin/passwordvisit/include.php:passwordvisit_input_password() uses loose comparison to authenticate, which can be bypassed via magic hash values. | |||||
| CVE-2020-23349 | 1 Weibo | 1 Android Software Development Kit | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An intent redirection issue was doscovered in Sina Weibo Android SDK 4.2.7 (com.sina.weibo.sdk.share.WbShareTransActivity), any unexported Activities could be started by the com.sina.weibo.sdk.share.WbShareTransActivity. | |||||
| CVE-2020-21844 | 1 Gnu | 1 Libredwg | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| GNU LibreDWG 0.10 is affected by: memcpy-param-overlap. The impact is: execute arbitrary code (remote). The component is: read_2004_section_header ../../src/decode.c:2580. | |||||
| CVE-2020-21686 | 1 Nasm | 1 Netwide Assembler | 2024-11-21 | N/A | 5.5 MEDIUM |
| A stack-use-after-scope issue discovered in expand_mmac_params function in preproc.c in nasm before 2.15.04 allows remote attackers to cause a denial of service via crafted asm file. | |||||
| CVE-2020-20741 | 1 Beckhoff | 1 Cx9020 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Incorrect Access Control in Beckhoff Automation GmbH & Co. KG CX9020 with firmware version CX9020_CB3011_WEC7_HPS_v602_TC31_B4016.6 allows remote attackers to bypass authentication via the "CE Remote Display Tool" as it does not close the incoming connection on the Windows CE side if the credentials are incorrect. | |||||
| CVE-2020-20467 | 1 White Shark Systems Project | 1 White Shark Systems | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| White Shark System (WSS) 1.3.2 is vulnerable to sensitive information disclosure via default_task_add.php, remote attackers can exploit the vulnerability to create a task. | |||||
| CVE-2020-20096 | 1 Whatsapp | 1 Whatsapp | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Whatsapp iOS 2.19.80 and prior and Android 2.19.222 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages. | |||||
| CVE-2020-20095 | 1 Apple | 1 Imessage | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| iMessage (Messages app) iOS 12.4 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages. | |||||
| CVE-2020-20094 | 1 Facebook | 1 Instagram | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Instagram iOS 106.0 and prior and Android 107.0.0.11 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages | |||||
| CVE-2020-20093 | 1 Facebook | 1 Messenger | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Facebook Messenger app for iOS 227.0 and prior and Android 228.1.0.10.116 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages. | |||||
| CVE-2020-1994 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 4.9 MEDIUM | 4.1 MEDIUM |
| A predictable temporary file vulnerability in PAN-OS allows a local authenticated user with shell access to corrupt arbitrary system files affecting the integrity of the system. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.7. | |||||
| CVE-2020-1938 | 7 Apache, Blackberry, Debian and 4 more | 21 Geode, Tomcat, Good Control and 18 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. | |||||
| CVE-2020-1795 | 1 Huawei | 4 Mate 20, Mate 20 Firmware, Mate 30 Pro and 1 more | 2024-11-21 | 2.1 LOW | 2.4 LOW |
| There is a logic error vulnerability in several smartphones. The software does not properly restrict certain operation when the Digital Balance function is on. Successful exploit could allow the attacker to bypass the Digital Balance limit after a series of operations.Affected product versions include:HUAWEI Mate 20 versions Versions earlier than 10.0.0.188(C00E74R3P8);HUAWEI Mate 30 Pro versions Versions earlier than 10.0.0.203(C00E202R7P2). | |||||
| CVE-2020-1774 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2024-11-21 | 4.0 MEDIUM | 4.5 MEDIUM |
| When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it's possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions. | |||||
| CVE-2020-1767 | 2 Debian, Otrs | 2 Debian Linux, Otrs | 2024-11-21 | 3.5 LOW | 3.5 LOW |
| Agent A is able to save a draft (i.e. for customer reply). Then Agent B can open the draft, change the text completely and send it in the name of Agent A. For the customer it will not be visible that the message was sent by another agent. This issue affects: ((OTRS)) Community Edition 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. | |||||