Total
2172 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-1998 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 5.4 Medium |
| An improper authorization vulnerability in PAN-OS that mistakenly uses the permissions of local linux users instead of the intended SAML permissions of the account when the username is shared for the purposes of SSO authentication. This can result in authentication bypass and unintended resource access for the user. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; PAN-OS 9.1 versions earlier than 9.1.1; All versions of PAN-OS 8.0. | ||||
| CVE-2020-1963 | 1 Apache | 1 Ignite | 2024-11-21 | 9.1 Critical |
| Apache Ignite uses H2 database to build SQL distributed execution engine. H2 provides SQL functions which could be used by attacker to access to a filesystem. | ||||
| CVE-2020-1831 | 1 Huawei | 2 Mate 20, Mate 20 Firmware | 2024-11-21 | 2.4 Low |
| HUAWEI Mate 20 smartphones with versions earlier than 10.0.0.195(SP31C00E74R3P8) have an improper authorization vulnerability. The digital balance function does not sufficiently restrict the using time of certain user, successful exploit could allow the user break the limit of digital balance function after a series of operations with a PC. | ||||
| CVE-2020-1796 | 1 Huawei | 4 Mate 20, Mate 20 Firmware, Mate 30 Pro and 1 more | 2024-11-21 | 6.6 Medium |
| There is an improper authorization vulnerability in several smartphones. The software incorrectly performs an authorization to certain user, successful exploit could allow a low privilege user to do certain operation which the user are supposed not to do.Affected product versions include:HUAWEI Mate 20 versions Versions earlier than 10.0.0.188(C00E74R3P8);HUAWEI Mate 30 Pro versions Versions earlier than 10.0.0.203(C00E202R7P2). | ||||
| CVE-2020-1729 | 1 Redhat | 3 Jboss Enterprise Application Platform, Openshift Application Runtimes, Smallrye Config | 2024-11-21 | 4.4 Medium |
| A flaw was found in SmallRye's API through version 1.6.1. The API can allow other code running within the application server to potentially obtain the ClassLoader, bypassing any permissions checks that should have been applied. The largest threat from this vulnerability is a threat to data confidentiality. This is fixed in SmallRye 1.6.2 | ||||
| CVE-2020-1725 | 1 Redhat | 1 Keycloak | 2024-11-21 | 5.4 Medium |
| A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token. | ||||
| CVE-2020-19765 | 1 Proofofdiligencetoken Project | 1 Proofofdiligencetoken | 2024-11-21 | 7.5 High |
| An issue in the noReentrance() modifier of the Ethereum-based contract Accounting 1.0 allows attackers to carry out a reentrancy attack. | ||||
| CVE-2020-19551 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-21 | 8.8 High |
| Blacklist bypass issue exists in WUZHI CMS up to and including 4.1.0 in common.func.php, which when uploaded can cause remote code executiong. | ||||
| CVE-2020-19301 | 1 Vaethink | 1 Vaethink | 2024-11-21 | 9.8 Critical |
| A vulnerability in the vae_admin_rule database table of vaeThink v1.0.1 allows attackers to execute arbitrary code via a crafted payload in the condition parameter. | ||||
| CVE-2020-19005 | 1 Zrlog | 1 Zrlog | 2024-11-21 | 5.7 Medium |
| zrlog v2.1.0 has a vulnerability with the permission check. If admin account is logged in, other unauthorized users can download the database backup file directly. | ||||
| CVE-2020-18701 | 1 Talelin | 1 Lin-cms-flask | 2024-11-21 | 9.8 Critical |
| Incorrect Access Control in Lin-CMS-Flask v0.1.1 allows remote attackers to obtain sensitive information and/or gain privileges due to the application not invalidating a user's authentication token upon logout, which allows for replaying packets. | ||||
| CVE-2020-17520 | 1 Apache | 1 Pulsar Manager | 2024-11-21 | 6.5 Medium |
| In the Pulsar manager 0.1.0 version, malicious users will be able to bypass pulsar-manager's admin, permission verification mechanism by constructing special URLs, thereby accessing any HTTP API. | ||||
| CVE-2020-17448 | 1 Telegram | 1 Telegram Desktop | 2024-11-21 | 7.8 High |
| Telegram Desktop through 2.1.13 allows a spoofed file type to bypass the Dangerous File Type Execution protection mechanism, as demonstrated by use of the chat window with a filename that lacks an extension. | ||||
| CVE-2020-17049 | 3 Microsoft, Redhat, Samba | 13 Windows Server 1903, Windows Server 1909, Windows Server 2004 and 10 more | 2024-11-21 | 6.6 Medium |
| A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it. The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD. | ||||
| CVE-2020-16904 | 1 Microsoft | 1 Azure Functions | 2024-11-21 | 5.3 Medium |
| <p>An elevation of privilege vulnerability exists in the way Azure Functions validate access keys.</p> <p>An unauthenticated attacker who successfully exploited this vulnerability could invoke an HTTP Function without proper authorization.</p> <p>This security update addresses the vulnerability by correctly validating access keys used to access HTTP Functions.</p> | ||||
| CVE-2020-16630 | 1 Ti | 7 15.4-stack, Ble5-stack, Dynamic Multi-protocal Manager and 4 more | 2024-11-21 | 6.8 Medium |
| TI’s BLE stack caches and reuses the LTK’s property for a bonded mobile. A LTK can be an unauthenticated-and-no-MITM-protection key created by Just Works or an authenticated-and-MITM-protection key created by Passkey Entry, Numeric Comparison or OOB. Assume that a victim mobile uses secure pairing to pair with a victim BLE device based on TI chips and generate an authenticated-and-MITM-protection LTK. If a fake mobile with the victim mobile’s MAC address uses Just Works and pairs with the victim device, the generated LTK still has the property of authenticated-and-MITM-protection. Therefore, the fake mobile can access attributes with the authenticated read/write permission. | ||||
| CVE-2020-16241 | 1 Philips | 2 Suresigns Vs4, Suresigns Vs4 Firmware | 2024-11-21 | 2.1 Low |
| Philips SureSigns VS4, A.07.107 and prior. The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. | ||||
| CVE-2020-15664 | 2 Mozilla, Redhat | 6 Firefox, Firefox Esr, Thunderbird and 3 more | 2024-11-21 | 6.5 Medium |
| By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extension being installed. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR < 68.12, Firefox ESR < 78.2, and Firefox for Android < 80. | ||||
| CVE-2020-15590 | 1 Privateinternetaccess | 1 Private Internet Access Vpn Client | 2024-11-21 | 7.5 High |
| A vulnerability in the Private Internet Access (PIA) VPN Client for Linux 1.5 through 2.3+ allows remote attackers to bypass an intended VPN kill switch mechanism and read sensitive information via intercepting network traffic. Since 1.5, PIA has supported a “split tunnel” OpenVPN bypass option. The PIA killswitch & associated iptables firewall is designed to protect you while using the Internet. When the kill switch is configured to block all inbound and outbound network traffic, privileged applications can continue sending & receiving network traffic if net.ipv4.ip_forward has been enabled in the system kernel parameters. For example, a Docker container running on a host with the VPN turned off, and the kill switch turned on, can continue using the internet, leaking the host IP (CWE 200). In PIA 2.4.0+, policy-based routing is enabled by default and is used to direct all forwarded packets to the VPN interface automatically. | ||||
| CVE-2020-15513 | 1 Mittwald | 1 Typo3 Forum | 2024-11-21 | 5.3 Medium |
| The typo3_forum extension before 1.2.1 for TYPO3 has Incorrect Access Control. | ||||