Total
29064 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-1765 | 3 Debian, Opensuse, Otrs | 4 Debian Linux, Backports Sle, Leap and 1 more | 2024-11-21 | 5.0 MEDIUM | 3.5 LOW |
| An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. | |||||
| CVE-2020-1761 | 1 Redhat | 1 Openshift | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A flaw was found in the OpenShift web console, where the access token is stored in the browser's local storage. An attacker can use this flaw to get the access token via physical access, or an XSS attack on the victim's browser. This flaw affects openshift/console versions before openshift/console-4. | |||||
| CVE-2020-1710 | 1 Redhat | 4 Jboss Data Grid, Jboss Enterprise Application Platform, Openshift Application Runtimes and 1 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400. | |||||
| CVE-2020-1695 | 2 Fedoraproject, Redhat | 2 Fedora, Resteasy | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed. | |||||
| CVE-2020-1690 | 1 Redhat | 2 Openstack-selinux, Openstack Platform | 2024-11-21 | 4.9 MEDIUM | 6.5 MEDIUM |
| An improper authorization flaw was discovered in openstack-selinux's applied policy where it does not prevent a non-root user in a container from privilege escalation. A non-root attacker in one or more Red Hat OpenStack (RHOSP) containers could send messages to the dbus. With access to the dbus, the attacker could start or stop services, possibly causing a denial of service. Versions before openstack-selinux 0.8.24 are affected. | |||||
| CVE-2020-1147 | 1 Microsoft | 14 .net Core, .net Framework, Sharepoint Enterprise Server and 11 more | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input, aka '.NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability'. | |||||
| CVE-2020-1118 | 1 Microsoft | 2 Windows 10, Windows Server 2019 | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| A denial of service vulnerability exists in the Windows implementation of Transport Layer Security (TLS) when it improperly handles certain key exchanges, aka 'Microsoft Windows Transport Layer Security Denial of Service Vulnerability'. | |||||
| CVE-2020-19896 | 1 1234n | 1 Minicms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| File inclusion vulnerability in Minicms v1.9 allows remote attackers to execute arbitary PHP code via post-edit.php. | |||||
| CVE-2020-19778 | 1 Shopxo | 1 Shopxo | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Incorrect Access Control in Shopxo v1.4.0 and v1.5.0 allows remote attackers to gain privileges in "/index.php" by manipulating the parameter "user_id" in the HTML request. | |||||
| CVE-2020-19641 | 1 Insma | 2 Wifi Mini Spy 1080p Hd Security Ip Camera, Wifi Mini Spy 1080p Hd Security Ip Camera Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in INSMA Wifi Mini Spy 1080P HD Security IP Camera 1.9.7 B. Authenticated attackers with the "Operator" Privilege can gain admin privileges via a crafted request to '/goform/formUserMng'. | |||||
| CVE-2020-19417 | 1 Emerson | 2 Wireless 1420 Gateway, Wireless 1420 Gateway Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Emerson Smart Wireless Gateway 1420 4.6.59 allows non-privileged users (such as the default account 'maint') to perform administrative tasks by sending specially crafted HTTP requests to the application. | |||||
| CVE-2020-18741 | 1 Thinksaas | 1 Thinksaas | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Improper Authorization in ThinkSAAS v2.7 allows remote attackers to modify the description of any user's photo via the "photoid%5B%5D" and "photodesc%5B%5D" parameters in the component "index.php?app=photo." | |||||
| CVE-2020-18170 | 1 Abloy | 1 Key Manager | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue in the SeChangeNotifyPrivilege component of Abloy Key Manager Version 7.14301.0.0 allows attackers to escalate privileges via a change in permissions. | |||||
| CVE-2020-17521 | 3 Apache, Netapp, Oracle | 21 Atlas, Groovy, Snapcenter and 18 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2. | |||||
| CVE-2020-17514 | 1 Apache | 1 Fineract | 2024-11-21 | 5.8 MEDIUM | 7.4 HIGH |
| Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful. | |||||
| CVE-2020-17440 | 2 Contiki-os, Uip Project | 2 Contiki, Uip | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. The code that parses incoming DNS packets does not validate that domain names present in the DNS responses have '\0' termination. This results in errors when calculating the offset of the pointer that jumps over domain name bytes in DNS response packets when a name lacks this termination, and eventually leads to dereferencing the pointer at an invalid/arbitrary address, within newdata() and parse_name() in resolv.c. | |||||
| CVE-2020-16969 | 1 Microsoft | 1 Exchange Server | 2024-11-21 | 4.3 MEDIUM | 7.1 HIGH |
| <p>An information disclosure vulnerability exists in how Microsoft Exchange validates tokens when handling certain messages. An attacker who successfully exploited the vulnerability could use this to gain further information from a user.</p> <p>To exploit the vulnerability, an attacker could include specially crafted OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems.</p> <p>The security update corrects the way that Exchange handles these token validations.</p> | |||||
| CVE-2020-16849 | 1 Canon | 56 Ir2202n, Ir2202n Firmware, Ir2204f and 53 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Canon MF237w 06.07 devices. An "Improper Handling of Length Parameter Inconsistency" issue in the IPv4/ICMPv4 component, when handling a packet sent by an unauthenticated network attacker, may expose Sensitive Information. | |||||
| CVE-2020-16244 | 1 Ge | 1 Asset Performance Management Classic | 2024-11-21 | 4.0 MEDIUM | 7.2 HIGH |
| GE Digital APM Classic, Versions 4.4 and prior. Salt is not used for hash calculation of passwords, making it possible to decrypt passwords. This design flaw, along with the IDOR vulnerability, puts the entire platform at high risk because an authenticated user can retrieve all user account data and then retrieve the actual passwords. | |||||
| CVE-2020-16230 | 1 Hms-networks | 4 Ewon Cosy, Ewon Cosy Firmware, Ewon Flexy and 1 more | 2024-11-21 | 2.1 LOW | 2.3 LOW |
| All version of Ewon Flexy and Cosy prior to 14.1 use wildcards such as (*) under which domains can request resources. An attacker with local access and high privileges could inject scripts into the Cross-origin Resource Sharing (CORS) configuration that could abuse this vulnerability, allowing the attacker to retrieve limited confidential information through sniffing. | |||||