Total
3555 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-5532 | 1 Extrun | 1 Ilbo | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| ilbo App (ilbo App for Android prior to version 1.1.8 and ilbo App for iOS prior to version 1.2.01) allows an attacker on the same network segment to bypass authentication and to view the images which were recorded by the other ilbo user's device via unspecified vectors. | |||||
| CVE-2020-5425 | 1 Vmware | 1 Single Sign-on For Tanzu | 2024-11-21 | 4.6 MEDIUM | 7.9 HIGH |
| Single Sign-On for Vmware Tanzu all versions prior to 1.11.3 ,1.12.x versions prior to 1.12.4 and 1.13.x prior to 1.13.1 are vulnerable to user impersonation attack.If two users are logged in to the SSO operator dashboard at the same time, with the same username, from two different identity providers, one can acquire the token of the other and thus operate with their permissions. Note: Foundation may be vulnerable only if: 1) The system zone is set up to use a SAML identity provider 2) There are internal users that have the same username as users in the external SAML provider 3) Those duplicate-named users have the scope to access the SSO operator dashboard 4) The vulnerability doesn't appear with LDAP because of chained authentication. | |||||
| CVE-2020-5384 | 1 Rsa | 1 Multifactor Authentication Agent | 2024-11-21 | 7.2 HIGH | 8.4 HIGH |
| Authentication Bypass Vulnerability RSA MFA Agent 2.0 for Microsoft Windows contains an Authentication Bypass vulnerability. A local unauthenticated attacker could potentially exploit this vulnerability by using an alternate path to bypass authentication in order to gain full access to the system. | |||||
| CVE-2020-5268 | 1 Sustainsys | 1 Saml2 | 2024-11-21 | 4.9 MEDIUM | 6.5 MEDIUM |
| In Saml2 Authentication Services for ASP.NET versions before 1.0.2, and between 2.0.0 and 2.6.0, there is a vulnerability in how tokens are validated in some cases. Saml2 tokens are usually used as bearer tokens - a caller that presents a token is assumed to be the subject of the token. There is also support in the Saml2 protocol for issuing tokens that is tied to a subject through other means, e.g. holder-of-key where possession of a private key must be proved. The Sustainsys.Saml2 library incorrectly treats all incoming tokens as bearer tokens, even though they have another subject confirmation method specified. This could be used by an attacker that could get access to Saml2 tokens with another subject confirmation method than bearer. The attacker could then use such a token to create a log in session. This vulnerability is patched in versions 1.0.2 and 2.7.0. | |||||
| CVE-2020-5206 | 1 Apereo | 1 Opencast | 2024-11-21 | 6.4 MEDIUM | 8.7 HIGH |
| In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication. This problem is fixed in Opencast 7.6 and Opencast 8.1 | |||||
| CVE-2020-5148 | 1 Sonicwall | 1 Directory Services Connector | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
| SonicWall SSO-agent default configuration uses NetAPI to probe the associated IP's in the network, this client probing method allows a potential attacker to capture the password hash of the privileged user and potentially forces the SSO Agent to authenticate allowing an attacker to bypass firewall access controls. | |||||
| CVE-2020-4983 | 1 Ibm | 2 Spectrum Lsf, Spectrum Lsf Suite | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| IBM Spectrum LSF 10.1 and IBM Spectrum LSF Suite 10.2 could allow a user on the local network who has privileges to submit LSF jobs to execute arbitrary commands. IBM X-Force ID: 192586. | |||||
| CVE-2020-4879 | 2 Ibm, Microsoft | 2 Cognos Controller, Windows | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 could allow a remote attacker to bypass security restrictions, caused by improper validation of authentication cookies. IBM X-Force ID: 190847. | |||||
| CVE-2020-4821 | 1 Ibm | 2 Infosphere Change Data Capture, Infosphere Data Replication | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| IBM InfoSphere Data Replication 11.4 and IBM InfoSphere Change Data Capture for z/OS 10.2.1, under certain configurations, could allow a user to bypass authentication mechanisms using an empty password string. IBM X-Force ID: 189834 | |||||
| CVE-2020-4779 | 1 Ibm | 1 Curam Social Program Management | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| A HTTP Verb Tampering vulnerability may impact IBM Curam Social Program Management 7.0.9 and 7.0.10. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass security access controls. IBM X-Force ID: 189156. | |||||
| CVE-2020-4771 | 3 Ibm, Linux, Microsoft | 4 Aix, Spectrum Protect Operations Center, Linux Kernel and 1 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.10.and 7.1.0.000 through 7.1.11 could allow a remote attacker to obtain sensitive information, caused by improper authentication of a websocket endpoint. By using known tools to subscribe to the websocket event stream, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 188993. | |||||
| CVE-2020-4747 | 1 Ibm | 1 Connect\ | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| IBM Connect:Direct for UNIX 6.1.0, 6.0.0, 4.3.0, and 4.2.0 can allow a local or remote user to obtain an authenticated CLI session due to improper authentication methods. IBM X-Force ID: 188516. | |||||
| CVE-2020-4662 | 1 Ibm | 1 Event Streams | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Event Streams 10.0.0 could allow an authenticated user to perform tasks to a schema due to improper authentication validation. IBM X-Force ID: 186233. | |||||
| CVE-2020-4494 | 3 Ibm, Linux, Microsoft | 5 Aix, Spectrum Protect Client, Spectrum Protect For Space Management and 2 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Spectrum Protect Client 8.1.7.0 through 8.1.9.1 (Linux and Windows), 8.1.9.0 trough 8.1.9.1 (AIX) and IBM Spectrum Protect for Space Management 8.1.7.0 through 8.1.9.1 (Linux), 8.1.9.0 through 8.1.9.1 (AIX) web user interfaces could allow an attacker to bypass authentication due to improper session validation which can result in access to unauthorized resources. IBM X-Force ID: 182019. | |||||
| CVE-2020-4205 | 1 Ibm | 1 Datapower Gateway | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.8 could allow an authenticated user to bypass security restrictions, and continue to access the server even after authentication certificates have been revolked. IBM X-Force ID: 174961. | |||||
| CVE-2020-4167 | 1 Ibm | 1 Security Guardium Insights | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| IBM Security Guardium Insights 2.0.1 could allow an attacker to obtain sensitive information or perform unauthorized actions due to improper authenciation mechanisms. IBM X-Force ID: 174403. | |||||
| CVE-2020-4074 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 10.0 HIGH | 8.9 HIGH |
| In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, the authentication system is malformed and an attacker is able to forge requests and execute admin commands. The problem is fixed in 1.7.6.6. | |||||
| CVE-2020-3944 | 2 Microsoft, Vmware | 2 Windows, Vrealize Operations | 2024-11-21 | 5.0 MEDIUM | 8.6 HIGH |
| vRealize Operations for Horizon Adapter (6.7.x prior to 6.7.1 and 6.6.x prior to 6.6.1) has an improper trust store configuration leading to authentication bypass. An unauthenticated remote attacker who has network access to vRealize Operations, with the Horizon Adapter running, may be able to bypass Adapter authentication. | |||||
| CVE-2020-3923 | 1 Tonnet | 16 Tat-70432n, Tat-70432n Firmware, Tat-71416g1 and 13 more | 2024-11-21 | 10.0 HIGH | 8.1 HIGH |
| DVR firmware in TAT-76 and TAT-77 series of products, provided by TONNET, contain misconfigured authentication mechanism. Attackers can crack the default password and gain access to the system. | |||||
| CVE-2020-3565 | 1 Cisco | 1 Firepower Threat Defense | 2024-11-21 | 4.3 MEDIUM | 5.8 MEDIUM |
| A vulnerability in the TCP Intercept functionality of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured Access Control Policies (including Geolocation) and Service Polices on an affected system. The vulnerability exists because TCP Intercept is invoked when the embryonic connection limit is reached, which can cause the underlying detection engine to process the packet incorrectly. An attacker could exploit this vulnerability by sending a crafted stream of traffic that matches a policy on which TCP Intercept is configured. A successful exploit could allow the attacker to match on an incorrect policy, which could allow the traffic to be forwarded when it should be dropped. In addition, the traffic could incorrectly be dropped. | |||||