Total
1963 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-6380 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Insufficient policy enforcement in extensions in Google Chrome prior to 79.0.3945.130 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted Chrome Extension. | |||||
| CVE-2020-6362 | 1 Sap | 1 Banking Services | 2024-11-21 | 6.8 MEDIUM | 6.5 MEDIUM |
| SAP Banking Services version 500, use an incorrect authorization object in some of its reports. Although the affected reports are protected with otherauthorization objects, exploitation of the vulnerability could lead to privilege escalation and violation in segregation of duties, which in turn could lead to Service interruptions and system unavailability for the victim and users of the component. | |||||
| CVE-2020-6307 | 1 Sap | 1 Basis | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Automated Note Search Tool (update provided in SAP Basis 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54) does not perform sufficient authorization checks leading to the reading of sensitive information. | |||||
| CVE-2020-6214 | 1 Sap | 1 S\/4hana | 2024-11-21 | 6.5 MEDIUM | 4.7 MEDIUM |
| SAP S/4HANA (Financial Products Subledger), version 100, uses an incorrect authorization object in some reports. Although the affected reports are protected with other authorization objects, exploitation of the vulnerability would allow an authenticated attacker to view, change, or delete data, thereby preventing the proper segregation of duties in the system. | |||||
| CVE-2020-5418 | 1 Cloudfoundry | 2 Capi-release, Cf-deployment | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Cloud Foundry CAPI (Cloud Controller) versions prior to 1.98.0 allow authenticated users having only the "cloud_controller.read" scope, but no roles in any spaces, to list all droplets in all spaces (whereas they should see none). | |||||
| CVE-2020-5372 | 1 Dell | 10 Emc Powerstore 1000, Emc Powerstore 1000 Firmware, Emc Powerstore 3000 and 7 more | 2024-11-21 | 5.0 MEDIUM | 8.6 HIGH |
| Dell EMC PowerStore versions prior to 1.0.1.0.5.002 contain a vulnerability that exposes test interface ports to external network. A remote unauthenticated attacker could potentially cause Denial of Service via test interface ports which are not used during run time environment. | |||||
| CVE-2020-5343 | 1 Dell | 1 Os Recovery Image For Microsoft Windows 10 | 2024-11-21 | 7.2 HIGH | 7.3 HIGH |
| Dell Client platforms restored using a Dell OS recovery image downloaded before December 20, 2019, may contain an insecure inherited permissions vulnerability. A local authenticated malicious user with low privileges could exploit this vulnerability to gain unauthorized access on the root folder. | |||||
| CVE-2020-5333 | 1 Rsa | 1 Archer | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an authorization bypass vulnerability in the REST API. A remote authenticated malicious Archer user could potentially exploit this vulnerability to view unauthorized information. | |||||
| CVE-2020-5318 | 1 Dell | 1 Emc Isilon Onefs | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Dell EMC Isilon OneFS versions 8.1.2, 8.1.0.4, 8.1.0.3, and 8.0.0.7 contain a vulnerability in some configurations. An attacker may exploit this vulnerability to gain access to restricted files. The non-RAN HTTP and WebDAV file-serving components have a vulnerability wherein when either are enabled, and Basic Authentication is enabled for either or both components, files are accessible without authentication. | |||||
| CVE-2020-5293 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there are improper access controls on product page with combinations, attachments and specific prices. The problem is fixed in 1.7.6.5. | |||||
| CVE-2020-5288 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 6.4 MEDIUM | 4.1 MEDIUM |
| "In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there is improper access controls on product attributes page. The problem is fixed in 1.7.6.5. | |||||
| CVE-2020-5287 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 6.4 MEDIUM | 4.1 MEDIUM |
| In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is improper access control on customers search. The problem is fixed in 1.7.6.5. | |||||
| CVE-2020-5279 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 6.4 MEDIUM | 4.1 MEDIUM |
| In PrestaShop between versions 1.5.0.0 and 1.7.6.5, there are improper access control since the the version 1.5.0.0 for legacy controllers. - admin-dev/index.php/configure/shop/customer-preferences/ - admin-dev/index.php/improve/international/translations/ - admin-dev/index.php/improve/international/geolocation/ - admin-dev/index.php/improve/international/localization - admin-dev/index.php/configure/advanced/performance - admin-dev/index.php/sell/orders/delivery-slips/ - admin-dev/index.php?controller=AdminStatuses The problem is fixed in 1.7.6.5 | |||||
| CVE-2020-5275 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 5.5 MEDIUM | 7.6 HIGH |
| In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7. | |||||
| CVE-2020-5251 | 1 Parseplatform | 1 Parse-server | 2024-11-21 | 5.0 MEDIUM | 7.7 HIGH |
| In parser-server before version 4.1.0, you can fetch all the users objects, by using regex in the NoSQL query. Using the NoSQL, you can use a regex on sessionToken and find valid accounts this way. | |||||
| CVE-2020-5242 | 1 Openhab | 1 Openhab | 2024-11-21 | 9.3 HIGH | 7.7 HIGH |
| openHAB before 2.5.2 allow a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Starting with version 2.5.2 all commands need to be whitelisted in a local file which cannot be changed via REST calls. | |||||
| CVE-2020-5240 | 1 Labdigital | 1 Wagtail-2fa | 2024-11-21 | 5.5 MEDIUM | 7.6 HIGH |
| In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users 2FA devices by going to the correct path. The user does not require special permissions in order to do so. By deleting the other users device they can disable the target users 2FA devices and potentially compromise the account if they figure out their password. The problem has been patched in version 1.4.1. | |||||
| CVE-2020-4877 | 2 Ibm, Microsoft | 2 Cognos Controller, Windows | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 could be vulnerable to unauthorized modifications by using public fields in public classes. IBM X-Force ID: 190843. | |||||
| CVE-2020-4873 | 1 Ibm | 1 Planning Analytics | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Planning Analytics 2.0 could allow an attacker to obtain sensitive information due to an overly permissive CORS policy. IBM X-Force ID: 190836. | |||||
| CVE-2020-4794 | 1 Ibm | 3 Automation Workstream Services, Business Automation Workflow, Business Process Manager | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM Automation Workstream Services 19.0.3, 20.0.1, 20.0.2, IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.6 could allow an authenticated user to obtain sensitive information or cuase a denial of service due to iimproper authorization checking. IBM X-Force ID: 189445. | |||||