Total
3551 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-12145 | 1 Silver-peak | 1 Unity Orchestrator | 2024-11-21 | 7.5 HIGH | 6.6 MEDIUM |
| Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ uses HTTP headers to authenticate REST API calls from localhost. This makes it possible to log in to Orchestrator by introducing an HTTP HOST header set to 127.0.0.1 or localhost. Orchestrator instances that are hosted by customers –on-premise or in a public cloud provider –are affected by this vulnerability. | |||||
| CVE-2020-12126 | 1 Wavlink | 2 Wn530h4, Wn530h4 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple authentication bypass vulnerabilities in the /cgi-bin/ endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allow an attacker to leak router settings, change configuration variables, and cause denial of service via an unauthenticated endpoint. | |||||
| CVE-2020-11965 | 1 Evenroute | 2 Iqrouter, Iqrouter Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In IQrouter through 3.3.1, there is a root user without a password, which allows attackers to gain full remote access via SSH. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time” | |||||
| CVE-2020-11964 | 1 Evenroute | 2 Iqrouter, Iqrouter Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In IQrouter through 3.3.1, the Lua function diag_set_password in the web-panel allows remote attackers to change the root password arbitrarily. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time” | |||||
| CVE-2020-11796 | 1 Jetbrains | 1 Space | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In JetBrains Space through 2020-04-22, the password authentication implementation was insecure. | |||||
| CVE-2020-11551 | 1 Netgear | 6 Rbs50y, Rbs50y Firmware, Srr60 and 3 more | 2024-11-21 | 5.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on NETGEAR Orbi Tri-Band Business WiFi Add-on Satellite (SRS60) AC3000 V2.5.1.106, Outdoor Satellite (RBS50Y) V2.5.1.106, and Pro Tri-Band Business WiFi Router (SRR60) AC3000 V2.5.1.106. The administrative SOAP interface allows an unauthenticated remote write of arbitrary Wi-Fi configuration data such as authentication details (e.g., the Web-admin password), network settings, DNS settings, system administration interface configuration, etc. | |||||
| CVE-2020-11542 | 1 3xlogic | 3 Infinias Eidc32, Infinias Eidc32 Firmware, Infinias Eidc32 Web | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| 3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authentication Bypass via CMD.HTM?CMD= because authentication depends on the client side's interpretation of the <KEY>MYKEY</KEY> substring. | |||||
| CVE-2020-11301 | 1 Qualcomm | 534 Apq8009, Apq8009 Firmware, Apq8017 and 531 more | 2024-11-21 | 5.0 MEDIUM | 9.1 CRITICAL |
| Improper authentication of un-encrypted plaintext Wi-Fi frames in an encrypted network can lead to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | |||||
| CVE-2020-11264 | 1 Qualcomm | 252 Apq8053, Apq8053 Firmware, Apq8064au and 249 more | 2024-11-21 | 10.0 HIGH | 9.1 CRITICAL |
| Improper authentication of Non-EAPOL/WAPI plaintext frames during four-way handshake can lead to arbitrary network packet injection in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music | |||||
| CVE-2020-11020 | 1 Faye Project | 1 Faye | 2024-11-21 | 7.5 HIGH | 8.5 HIGH |
| Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5, has the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5. | |||||
| CVE-2020-10965 | 1 Teradici | 1 Pcoip Management Console | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Teradici PCoIP Management Console 20.01.0 and 19.11.1 is vulnerable to unauthenticated password resets via login/resetadminpassword of the default admin account. This vulnerability only exists when the default admin account is not disabled. It is fixed in 20.01.1 and 19.11.2. | |||||
| CVE-2020-10918 | 1 Automationdirect | 13 C-more Hmi Ea9 Firmware, Ea9-pgmsw, Ea9-rhmi and 10 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| This vulnerability allows remote attackers to bypass authentication on affected installations of C-MORE HMI EA9 Firmware version 6.52 touch screen panels. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authentication mechanism. The issue is due to insufficient authentication on post-authentication requests. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from unauthenticated users. Was ZDI-CAN-10182. | |||||
| CVE-2020-10916 | 1 Tp-link | 2 Tl-wa855re, Tl-wa855re Firmware | 2024-11-21 | 5.2 MEDIUM | 8.0 HIGH |
| This vulnerability allows network-adjacent attackers to escalate privileges on affected installations of TP-Link TL-WA855RE Firmware Ver: 855rev4-up-ver1-0-1-P1[20191213-rel60361] Wi-Fi extenders. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the first-time setup process. The issue results from the lack of proper validation on first-time setup requests. An attacker can leverage this vulnerability to reset the password for the Admin account and execute code in the context of the device. Was ZDI-CAN-10003. | |||||
| CVE-2020-10888 | 1 Tp-link | 2 Ac1750, Ac1750 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to bypass authentication on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of SSH port forwarding requests during initial setup. The issue results from the lack of proper authentication prior to establishing SSH port forwarding rules. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the WAN interface. Was ZDI-CAN-9664. | |||||
| CVE-2020-10847 | 2 Google, Samsung | 3 Android, Galaxy Note8, Galaxy S8 | 2024-11-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| An issue was discovered on Samsung mobile devices with P(9.0) (Galaxy S8 and Note8) software. Facial recognition can be spoofed. The Samsung ID is SVE-2019-16614 (February 2020). | |||||
| CVE-2020-10846 | 1 Google | 1 Android | 2024-11-21 | 1.9 LOW | 5.5 MEDIUM |
| An issue was discovered on Samsung mobile devices with P(9.x) and Q(10.x) software. Attackers can enable the OEM unlock feature on a KG-enrolled devices, leading to potentially unwanted binaries being downloaded. The Samsung ID is SVE-2019-16554 (February 2020). | |||||
| CVE-2020-10816 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet. | |||||
| CVE-2020-10709 | 1 Redhat | 1 Ansible Tower | 2024-11-21 | 3.6 LOW | 7.1 HIGH |
| A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower uses the token to provide authentication. This flaw allows an attacker to obtain a refresh token that does not expire. The original token granted to the user still has access to Ansible Tower, which allows any user that can gain access to the token to be fully authenticated to Ansible Tower. This flaw affects Ansible Tower versions before 3.6.4 and Ansible Tower versions before 3.5.6. | |||||
| CVE-2020-10669 | 1 Canon | 2 Oce Colorwave 500, Oce Colorwave 500 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to authentication bypass on the page /home.jsp. An unauthenticated attacker able to connect to the device's web interface can get a copy of the documents uploaded by any users. NOTE: this is fixed in the latest version. | |||||
| CVE-2020-10594 | 1 Styria | 1 Django-rest-framework-json Web Tokens | 2024-11-21 | 5.8 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in drf-jwt 1.15.x before 1.15.1. It allows attackers with access to a notionally invalidated token to obtain a new, working token via the refresh endpoint, because the blacklist protection mechanism is incompatible with the token-refresh feature. NOTE: drf-jwt is a fork of jpadilla/django-rest-framework-jwt, which is unmaintained. | |||||