Total
29064 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15181 | 1 Alfresco | 1 Reset Password | 2024-11-21 | 10.0 HIGH | 9.3 CRITICAL |
| The Alfresco Reset Password add-on before version 1.2.0 relies on untrusted inputs in a security decision. Intruders can get admin's access to the system using the vulnerability in the project. Impacts all servers where this add-on is installed. The problem is fixed in version 1.2.0 | |||||
| CVE-2020-15174 | 1 Electronjs | 1 Electron | 2024-11-21 | 5.8 MEDIUM | 7.5 HIGH |
| In Electron before versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 the `will-navigate` event that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites. The issue is patched in versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 As a workaround sandbox all your iframes using the sandbox attribute. This will prevent them creating top-frame navigations and is good practice anyway. | |||||
| CVE-2020-15170 | 1 Ctrip | 1 Apollo | 2024-11-21 | 6.8 MEDIUM | 7.0 HIGH |
| apollo-adminservice before version 1.7.1 does not implement access controls. If users expose apollo-adminservice to internet(which is not recommended), there are potential security issues since apollo-adminservice is designed to work in intranet and it doesn't have access control built-in. Malicious hackers may access apollo-adminservice apis directly to access/edit the application's configurations. To fix the potential issue without upgrading, simply follow the advice that do not expose apollo-adminservice to internet. | |||||
| CVE-2020-15106 | 2 Etcd, Fedoraproject | 2 Etcd, Fedora | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL. | |||||
| CVE-2020-15096 | 1 Electronjs | 1 Electron | 2024-11-21 | 4.0 MEDIUM | 6.8 MEDIUM |
| In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21. | |||||
| CVE-2020-15087 | 1 Prestosql | 1 Presto | 2024-11-21 | 6.5 MEDIUM | 7.4 HIGH |
| In Presto before version 337, authenticated users can bypass authorization checks by directly accessing internal APIs. This impacts Presto server installations with secure internal communication configured. This does not affect installations that have not configured secure internal communication, as these installations are inherently insecure. This only affects Presto server installations. This does NOT affect clients such as the CLI or JDBC driver. This vulnerability has been fixed in version 337. Additionally, this issue can be mitigated by blocking network access to internal APIs on the coordinator and workers. | |||||
| CVE-2020-15086 | 1 Typo3 | 1 Mediace | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In TYPO3 installations with the "mediace" extension from version 7.6.2 and before version 7.6.5, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. The allows to inject arbitrary data having a valid cryptographic message authentication code and can lead to remote code execution. To successfully exploit this vulnerability, an attacker must have access to at least one `Extbase` plugin or module action in a TYPO3 installation. This is fixed in version 7.6.5 of the "mediace" extension for TYPO3. | |||||
| CVE-2020-15082 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 7.5 HIGH | 7.1 HIGH |
| In PrestaShop from version 1.6.0.1 and before version 1.7.6.6, the dashboard allows rewriting all configuration variables. The problem is fixed in 1.7.6.6 | |||||
| CVE-2020-15000 | 1 Yubico | 2 Yubikey 5 Nfc, Yubikey 5 Nfc Firmware | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| A PIN management problem was discovered on Yubico YubiKey 5 devices 5.2.0 to 5.2.6. OpenPGP has three passwords: Admin PIN, Reset Code, and User PIN. The Reset Code is used to reset the User PIN, but it is disabled by default. A flaw in the implementation of OpenPGP sets the Reset Code to a known value upon initialization. If the retry counter for the Reset Code is set to non-zero without changing the Reset Code, this known value can be used to reset the User PIN. To set the retry counters, the Admin PIN is required. | |||||
| CVE-2020-14929 | 3 Alpine Project, Debian, Fedoraproject | 3 Alpine, Debian Linux, Fedora | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Alpine before 2.23 silently proceeds to use an insecure connection after a /tls is sent in certain circumstances involving PREAUTH, which is a less secure behavior than the alternative of closing the connection and letting the user decide what they would like to do. | |||||
| CVE-2020-14883 | 1 Oracle | 1 Weblogic Server | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2020-14882 | 1 Oracle | 1 Weblogic Server | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2020-14525 | 1 Philips | 1 Clinical Collaboration Platform | 2024-11-21 | 2.7 LOW | 3.5 LOW |
| Philips Clinical Collaboration Platform, Versions 12.2.1 and prior. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a webpage that is served to other users. | |||||
| CVE-2020-14509 | 1 Wibu | 1 Codemeter | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple memory corruption vulnerabilities exist in CodeMeter (All versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities. | |||||
| CVE-2020-14499 | 1 Advantech | 1 Iview | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Advantech iView, versions 5.6 and prior, has an improper access control vulnerability. Successful exploitation of this vulnerability may allow an attacker to obtain all user accounts credentials. | |||||
| CVE-2020-14487 | 1 Freemedsoftware | 1 Openclinic Ga | 2024-11-21 | 7.5 HIGH | 9.4 CRITICAL |
| OpenClinic GA 5.09.02 contains a hidden default user account that may be accessed if an administrator has not expressly turned off this account, which may allow an attacker to login and execute arbitrary commands. | |||||
| CVE-2020-14483 | 1 Tridium | 2 Niagara, Niagara Enterprise Security | 2024-11-21 | 3.3 LOW | 4.3 MEDIUM |
| A timeout during a TLS handshake can result in the connection failing to terminate. This can result in a Niagara thread hanging and requires a manual restart of Niagara (Versions 4.6.96.28, 4.7.109.20, 4.7.110.32, 4.8.0.110) and Niagara Enterprise Security (Versions 2.4.31, 2.4.45, 4.8.0.35) to correct. | |||||
| CVE-2020-14400 | 4 Canonical, Debian, Libvncserver Project and 1 more | 4 Ubuntu Linux, Debian Linux, Libvncserver and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c. NOTE: Third parties do not consider this to be a vulnerability as there is no known path of exploitation or cross of a trust boundary | |||||
| CVE-2020-14399 | 4 Canonical, Debian, Libvncserver Project and 1 more | 4 Ubuntu Linux, Debian Linux, Libvncserver and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c. NOTE: there is reportedly "no trust boundary crossed. | |||||
| CVE-2020-14388 | 1 Redhat | 1 3scale Api Management | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw was found in the Red Hat 3scale API Management Platform, where member permissions for an API's admin portal were not properly enforced. This flaw allows an authenticated user to bypass normal account restrictions and access API services where they do not have permission. | |||||