Total: 3880 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2020-26214 | 1 Alerta Project | 1 Alerta | 2024-11-21 | 9.1 Critical | In Alerta before version 8.1.0, users may be able to bypass LDAP authentication if they provide an empty password when the Alerta server is configured to use LDAP as the authorization provider. Only deployments where LDAP servers are configured to allow the unauthenticated authentication mechanism for anonymous authorization are affected. A fix has been implemented in version 8.1.0 that returns an HTTP 401 Unauthorized response for any authentication attempt where the password field is empty. As a workaround, LDAP administrators can disallow unauthenticated bind requests by clients.
CVE-2020-26200 | 1 Kaspersky | 2 Endpoint Security, Rescue Disk | 2024-11-21 | 6.8 Medium | A component of the Kaspersky custom boot loader allowed loading of untrusted UEFI modules due to an insufficient check of their authenticity. This component is incorporated in Kaspersky Rescue Disk (KRD) and was trusted by the Authentication Agent of Full Disk Encryption in Kaspersky Endpoint Security (KES). This issue allowed bypassing the UEFI Secure Boot security feature. An attacker would need physical access to the computer to exploit it. Otherwise, local administrator privileges would be required to modify the boot loader component.
CVE-2020-26168 | 1 Hazelcast | 2 Hazelcast, Jet | 2024-11-21 | 9.8 Critical | The LDAP authentication method in LdapLoginModule in Hazelcast IMDG Enterprise 4.x before 4.0.3, and Jet Enterprise 4.x through 4.2, doesn't properly verify the password in some system-user-dn scenarios. As a result, users (clients/members) can be authenticated even if they provide invalid passwords.
CVE-2020-26160 | 2 Jwt-go Project, Redhat | 6 Jwt-go, Container Native Virtualization, Cryostat and 3 more | 2024-11-21 | 7.5 High | jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
CVE-2020-26139 | 6 Arista, Cisco, Debian and 3 more | 331 C-100, C-100 Firmware, C-110 and 328 more | 2024-11-21 | 5.3 Medium | An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in protected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients.
CVE-2020-26136 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 6.5 Medium | In SilverStripe through 4.6.0-rc1, GraphQL doesn't honour MFA (multi-factor authentication) when using basic authentication.
CVE-2020-26105 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 9.8 Critical | In cPanel before 88.0.3, insecure chkservd test credentials are used on a templated VM (SEC-554).
CVE-2020-26101 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 9.8 Critical | In cPanel before 88.0.3, insecure RNDC credentials are used for BIND on a templated VM (SEC-549).
CVE-2020-26030 | 1 Zammad | 1 Zammad | 2024-11-21 | 9.8 Critical | An issue was discovered in Zammad before 3.4.1. There is an authentication bypass in the SSO endpoint via a crafted header when SSO is not configured. An attacker can create a valid and authenticated session that can be used to perform any actions in the name of other users.
CVE-2020-25867 | 1 Soplanning | 1 Soplanning | 2024-11-21 | 5.3 Medium | SoPlanning before 1.47 doesn't correctly check the security key used to publicly share plannings. It allows a bypass to get access without authentication.
CVE-2020-25848 | 1 Hgiga | 10 Msr45 Isherlock-antispam, Msr45 Isherlock-audit, Msr45 Isherlock-base and 7 more | 2024-11-21 | 9.8 Critical | HGiga MailSherlock contains a weak authentication flaw that lets attackers gain privileges remotely via the default password generation mechanism.
CVE-2020-25719 | 5 Canonical, Debian, Fedoraproject and 2 more | 18 Ubuntu Linux, Debian Linux, Fedora and 15 more | 2024-11-21 | 7.2 High | A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-based authentication. The Samba AD DC could become confused about the user a ticket represents if it did not strictly require a Kerberos PAC and always use the SIDs found within. The result could include total domain compromise.
CVE-2020-25592 | 2 Debian, Saltstack | 2 Debian Linux, Salt | 2024-11-21 | 9.8 Critical | In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.
CVE-2020-25251 | 1 Hyland | 1 Onbase | 2024-11-21 | 9.1 Critical | An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client-side authentication is used for critical functions such as adding users or retrieving sensitive information.
CVE-2020-25165 | 1 Bd | 3 Alaris 8015 Pcu, Alaris 8015 Pcu Firmware, Alaris Systems Manager | 2024-11-21 | 7.5 High | BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier, and BD Alaris Systems Manager, Versions 4.33 and earlier. The affected products are vulnerable to a network session authentication vulnerability within the authentication process between specified versions of the BD Alaris PC Unit and the BD Alaris Systems Manager. If exploited, an attacker could perform a denial-of-service attack on the BD Alaris PC Unit by modifying the configuration headers of data in transit. A denial-of-service attack could lead to a drop in the wireless capability of the BD Alaris PC Unit, resulting in manual operation of the PC Unit.
CVE-2020-24987 | 1 Tendacn | 2 Ac18, Ac18 Firmware | 2024-11-21 | 9.8 Critical | Tenda AC18 Router devices through V15.03.05.05_EN and through V15.03.05.19(6318) CN are vulnerable to remote code execution due to incorrect authentication handling in the vulnerable logincheck() function in the /usr/lib/lua/ngx_authserver/ngx_wdas.lua file if the administrator UI interface is set to "radius".
CVE-2020-24848 | 1 Fruitywifi Project | 1 Fruitywifi | 2024-11-21 | 7.8 High | FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-24786 | 1 Zohocorp | 11 Manageengine Ad360, Manageengine Adaudit Plus, Manageengine Admanager Plus and 8 more | 2024-11-21 | 9.8 Critical | An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise.
CVE-2020-24675 | 1 Abb | 2 Symphony + Historian, Symphony + Operations | 2024-11-21 | 9.8 Critical | In S+ Operations and S+ History, it is possible that an unauthenticated user could inject values into the Operations History server (or standalone S+ History server) and ultimately write values to the controlled process.
CVE-2020-24641 | 1 Arubanetworks | 1 Airwave Glass | 2024-11-21 | 7.5 High | In Aruba AirWave Glass before 1.3.3, there is a Server-Side Request Forgery vulnerability through an unauthenticated endpoint that, if successfully exploited, can result in disclosure of sensitive information. This can be used to perform an authentication bypass and ultimately gain administrative access on the web administrative interface.