Total
1401 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-9480 | 2 Apache, Oracle | 2 Spark, Business Intelligence | 2024-11-21 | 9.3 HIGH | 9.8 CRITICAL |
| In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc). | |||||
| CVE-2020-9473 | 1 Siedle | 2 Sg 150-0, Sg 150-0 Firmware | 2024-11-21 | 8.5 HIGH | 6.6 MEDIUM |
| The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 has a passwordless ftp ssh user. By using an exploit chain, an attacker with access to the network can get root access on the gateway. | |||||
| CVE-2020-9349 | 1 Cacagoo | 2 Tv-288zd-2mp, Tv-288zd-2mp Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 allows access to the RTSP service without a password. | |||||
| CVE-2020-9330 | 1 Xerox | 36 Workcentre 3655, Workcentre 3655 Firmware, Workcentre 3655i and 33 more | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
| Certain Xerox WorkCentre printers before 073.xxx.000.02300 do not require the user to reenter or validate LDAP bind credentials when changing the LDAP connector IP address. A malicious actor who gains access to affected devices (e.g., by using default credentials) can change the LDAP connection IP address to a system owned by the actor without knowledge of the LDAP bind credentials. After changing the LDAP connection IP address, subsequent authentication attempts will result in the printer sending plaintext LDAP (Active Directory) credentials to the actor. Although the credentials may belong to a non-privileged user, organizations frequently use privileged service accounts to bind to Active Directory. The attacker gains a foothold on the Active Directory domain at a minimum, and may use the credentials to take over control of the Active Directory domain. This affects 3655*, 3655i*, 58XX*, 58XXi*, 59XX*, 59XXi*, 6655**, 6655i**, 72XX*, 72XXi*, 78XX**, 78XXi**, 7970**, 7970i**, EC7836**, and EC7856** devices. | |||||
| CVE-2020-9325 | 1 Aquaforest | 1 Tiff Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Aquaforest TIFF Server 4.0 allows Unauthenticated Arbitrary File Download. | |||||
| CVE-2020-9315 | 1 Oracle | 1 Iplanet Web Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| ** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7.0.x has Incorrect Access Control for admingui/version URIs in the Administration console, as demonstrated by unauthenticated read access to encryption keys. NOTE: a related support policy can be found in the www.oracle.com references attached to this CVE. | |||||
| CVE-2020-9278 | 1 Dlink | 2 Dsl-2640b, Dsl-2640b Firmware | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. The device can be reset to its default configuration by accessing an unauthenticated URL. | |||||
| CVE-2020-9275 | 1 Dlink | 2 Dsl-2640b, Dsl-2640b Firmware | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. A cfm UDP service listening on port 65002 allows remote, unauthenticated exfiltration of administrative credentials. | |||||
| CVE-2020-9208 | 1 Huawei | 1 Imanager Neteco 6000 | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| There is an information leak vulnerability in iManager NetEco 6000 versions V600R021C00. A module is lack of authentication. Attackers without access to the module can exploit this vulnerability to obtain extra information, leading to information leak. | |||||
| CVE-2020-9143 | 1 Huawei | 2 Emui, Magic Ui | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| There is a missing authentication vulnerability in some Huawei smartphone.Successful exploitation of this vulnerability may lead to low-sensitive information exposure. | |||||
| CVE-2020-9062 | 1 Dieboldnixdorf | 2 Probase, Procash 2100xe | 2024-11-21 | 2.1 LOW | 5.3 MEDIUM |
| Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version 1.1.30 do not encrypt, authenticate, or verify the integrity of messages between the CCDM and the host computer, allowing an attacker with physical access to internal ATM components to commit deposit forgery by intercepting and modifying messages to the host computer, such as the amount and value of currency being deposited. | |||||
| CVE-2020-9004 | 1 Wowza | 1 Streaming Engine | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| A remote authenticated authorization-bypass vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any read-only user to issue requests to the administration panel in order to change functionality. For example, a read-only user may activate the Java JMX port in unauthenticated mode and execute OS commands under root privileges. This issue was resolved in Wowza Streaming Engine 4.8.5. | |||||
| CVE-2020-8636 | 1 Opservices | 1 Opmon | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in OpServices OpMon 9.3.2 that allows Remote Code Execution . | |||||
| CVE-2020-8598 | 1 Trendmicro | 3 Apex One, Officescan, Worry-free Business Security | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) server contains a vulnerable service DLL file that could allow a remote attacker to execute arbitrary code on affected installations with SYSTEM level privileges. Authentication is not required to exploit this vulnerability. | |||||
| CVE-2020-8509 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure. | |||||
| CVE-2020-8497 | 1 Artica | 1 Pandora Fms | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Artica Pandora FMS through 7.42, an unauthenticated attacker can read the chat history. The file is in JSON format and it contains user names, user IDs, private messages, and timestamps. | |||||
| CVE-2020-7964 | 1 Mirumee | 1 Saleor | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data (e.g., name, address, and previous orders of any other customer). | |||||
| CVE-2020-7954 | 1 Opservices | 1 Opmon | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| An issue was discovered in OpServices OpMon 9.3.2. Starting from the apache user account, it is possible to perform privilege escalation through the lack of correct configuration in the server's sudoers file, which by default allows the execution of programs (e.g. nmap) without the need for a password with sudo. | |||||
| CVE-2020-7953 | 1 Opservices | 1 Opmon | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in OpServices OpMon 9.3.2. Without authentication, it is possible to read server files (e.g., /etc/passwd) due to the use of the nmap -iL (aka input file) option. | |||||
| CVE-2020-7589 | 1 Siemens | 2 Logo\! 8 Bm, Logo\! 8 Bm Firmware | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions). The vulnerability could lead to an attacker reading and modifying the device configuration and obtain project files from affected devices. The security vulnerability could be exploited by an unauthenticated attacker with network access to port 135/tcp. No user interaction is required to exploit this security vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the device. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||