Total
29431 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15096 | 1 Electronjs | 1 Electron | 2024-11-21 | 4.0 MEDIUM | 6.8 MEDIUM |
| In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21. | |||||
| CVE-2020-15087 | 1 Prestosql | 1 Presto | 2024-11-21 | 6.5 MEDIUM | 7.4 HIGH |
| In Presto before version 337, authenticated users can bypass authorization checks by directly accessing internal APIs. This impacts Presto server installations with secure internal communication configured. This does not affect installations that have not configured secure internal communication, as these installations are inherently insecure. This only affects Presto server installations. This does NOT affect clients such as the CLI or JDBC driver. This vulnerability has been fixed in version 337. Additionally, this issue can be mitigated by blocking network access to internal APIs on the coordinator and workers. | |||||
| CVE-2020-15086 | 1 Typo3 | 1 Mediace | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In TYPO3 installations with the "mediace" extension from version 7.6.2 and before version 7.6.5, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. The allows to inject arbitrary data having a valid cryptographic message authentication code and can lead to remote code execution. To successfully exploit this vulnerability, an attacker must have access to at least one `Extbase` plugin or module action in a TYPO3 installation. This is fixed in version 7.6.5 of the "mediace" extension for TYPO3. | |||||
| CVE-2020-15082 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 7.5 HIGH | 7.1 HIGH |
| In PrestaShop from version 1.6.0.1 and before version 1.7.6.6, the dashboard allows rewriting all configuration variables. The problem is fixed in 1.7.6.6 | |||||
| CVE-2020-15000 | 1 Yubico | 2 Yubikey 5 Nfc, Yubikey 5 Nfc Firmware | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| A PIN management problem was discovered on Yubico YubiKey 5 devices 5.2.0 to 5.2.6. OpenPGP has three passwords: Admin PIN, Reset Code, and User PIN. The Reset Code is used to reset the User PIN, but it is disabled by default. A flaw in the implementation of OpenPGP sets the Reset Code to a known value upon initialization. If the retry counter for the Reset Code is set to non-zero without changing the Reset Code, this known value can be used to reset the User PIN. To set the retry counters, the Admin PIN is required. | |||||
| CVE-2020-14929 | 3 Alpine Project, Debian, Fedoraproject | 3 Alpine, Debian Linux, Fedora | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Alpine before 2.23 silently proceeds to use an insecure connection after a /tls is sent in certain circumstances involving PREAUTH, which is a less secure behavior than the alternative of closing the connection and letting the user decide what they would like to do. | |||||
| CVE-2020-14525 | 1 Philips | 1 Clinical Collaboration Platform | 2024-11-21 | 2.7 LOW | 3.5 LOW |
| Philips Clinical Collaboration Platform, Versions 12.2.1 and prior. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a webpage that is served to other users. | |||||
| CVE-2020-14509 | 1 Wibu | 1 Codemeter | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple memory corruption vulnerabilities exist in CodeMeter (All versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities. | |||||
| CVE-2020-14499 | 1 Advantech | 1 Iview | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Advantech iView, versions 5.6 and prior, has an improper access control vulnerability. Successful exploitation of this vulnerability may allow an attacker to obtain all user accounts credentials. | |||||
| CVE-2020-14487 | 1 Freemedsoftware | 1 Openclinic Ga | 2024-11-21 | 7.5 HIGH | 9.4 CRITICAL |
| OpenClinic GA 5.09.02 contains a hidden default user account that may be accessed if an administrator has not expressly turned off this account, which may allow an attacker to login and execute arbitrary commands. | |||||
| CVE-2020-14483 | 1 Tridium | 2 Niagara, Niagara Enterprise Security | 2024-11-21 | 3.3 LOW | 4.3 MEDIUM |
| A timeout during a TLS handshake can result in the connection failing to terminate. This can result in a Niagara thread hanging and requires a manual restart of Niagara (Versions 4.6.96.28, 4.7.109.20, 4.7.110.32, 4.8.0.110) and Niagara Enterprise Security (Versions 2.4.31, 2.4.45, 4.8.0.35) to correct. | |||||
| CVE-2020-14400 | 4 Canonical, Debian, Libvncserver Project and 1 more | 4 Ubuntu Linux, Debian Linux, Libvncserver and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c. NOTE: Third parties do not consider this to be a vulnerability as there is no known path of exploitation or cross of a trust boundary | |||||
| CVE-2020-14399 | 4 Canonical, Debian, Libvncserver Project and 1 more | 4 Ubuntu Linux, Debian Linux, Libvncserver and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c. NOTE: there is reportedly "no trust boundary crossed. | |||||
| CVE-2020-14388 | 1 Redhat | 1 3scale Api Management | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw was found in the Red Hat 3scale API Management Platform, where member permissions for an API's admin portal were not properly enforced. This flaw allows an authenticated user to bypass normal account restrictions and access API services where they do not have permission. | |||||
| CVE-2020-14383 | 2 Redhat, Samba | 2 Enterprise Linux, Samba | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| A flaw was found in samba's DNS server. An authenticated user could use this flaw to the RPC server to crash. This RPC server, which also serves protocols other than dnsserver, will be restarted after a short delay, but it is easy for an authenticated non administrative attacker to crash it again as soon as it returns. The Samba DNS server itself will continue to operate, but many RPC services will not. | |||||
| CVE-2020-14340 | 2 Oracle, Redhat | 14 Communications Cloud Native Core Console, Communications Cloud Native Core Network Repository Function, Communications Cloud Native Core Policy and 11 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| A vulnerability was discovered in XNIO where file descriptor leak caused by growing amounts of NIO Selector file handles between garbage collection cycles. It may allow the attacker to cause a denial of service. It affects XNIO versions 3.6.0.Beta1 through 3.8.1.Final. | |||||
| CVE-2020-14326 | 2 Netapp, Redhat | 3 Oncommand Insight, Integration Camel K, Resteasy | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service. | |||||
| CVE-2020-14312 | 1 Fedoraproject | 1 Fedora | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| A flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems. | |||||
| CVE-2020-14232 | 1 Hcltech | 1 Notes | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in the input parameter handling of HCL Notes v9 could potentially be exploited by an authenticated attacker resulting in a stack buffer overflow. This could allow the attacker to crash the program or inject code into the system which would execute with the privileges of the currently logged in user. | |||||
| CVE-2020-14225 | 2 Hcltech, Hcltechsw | 2 Hcl Inotes, Hcl Inotes | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| HCL iNotes is susceptible to a Tabnabbing vulnerability caused by improper sanitization of message content. A remote unauthenticated attacker could use this vulnerability to trick the end user into entering sensitive information such as credentials, e.g. as part of a phishing attack. | |||||