Total
433 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-19768 | 1 Tokensale Project | 1 Tokensale | 2024-08-04 | 7.5 High |
| A lack of target address verification in the selfdestructs() function of ICOVO 1.0 allows attackers to steal tokens from victim users via a crafted script. | ||||
| CVE-2020-19769 | 1 Rtb1 Project | 1 Rtb1 | 2024-08-04 | 7.5 High |
| A lack of target address verification in the BurnMe() function of Rob The Bank 1.0 allows attackers to steal tokens from victim users via a crafted script. | ||||
| CVE-2020-16250 | 2 Hashicorp, Redhat | 3 Vault, Openshift, Openshift Data Foundation | 2024-08-04 | 8.2 High |
| HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.. | ||||
| CVE-2020-15899 | 1 Grin | 1 Grin | 2024-08-04 | 7.5 High |
| Grin 3.0.0 before 4.0.0 has insufficient validation of data related to Mimblewimble. | ||||
| CVE-2020-15699 | 1 Joomla | 1 Joomla\! | 2024-08-04 | 5.3 Medium |
| An issue was discovered in Joomla! through 3.9.19. Missing validation checks on the usergroups table object can result in a broken site configuration. | ||||
| CVE-2020-15262 | 1 Webpack-subresource-integrity Project | 1 Webpack-subresource-integrity | 2024-08-04 | 3.7 Low |
| In webpack-subresource-integrity before version 1.5.1, all dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-level chunks are unaffected. This issue is patched in version 1.5.1. | ||||
| CVE-2020-15222 | 1 Ory | 1 Fosite | 2024-08-04 | 8.1 High |
| In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using "private_key_jwt" authentication the uniqueness of the `jti` value is not checked. When using client authentication method "private_key_jwt", OpenId specification says the following about assertion `jti`: "A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties". Hydra does not seem to check the uniqueness of this `jti` value. This problem is fixed in version 0.31.0. | ||||
| CVE-2020-15163 | 1 Linuxfoundation | 1 The Update Framework | 2024-08-04 | 8.7 High |
| Python TUF (The Update Framework) reference implementation before version 0.12 it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a person-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates. This is fixed in version 0.12 and newer. | ||||
| CVE-2020-14453 | 1 Mattermost | 1 Mattermost Server | 2024-08-04 | 7.5 High |
| An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers to cause a denial of service, aka MMSA-2020-0005. | ||||
| CVE-2020-14111 | 1 Mi | 2 Ax3600, Ax3600 Firmware | 2024-08-04 | 7.8 High |
| A command injection vulnerability exists in the Xiaomi Router AX3600. The vulnerability is caused by a lack of inspection for incoming data detection. Attackers can exploit this vulnerability to execute code. | ||||
| CVE-2020-14116 | 1 Mi | 1 Mi Browser | 2024-08-04 | 7.5 High |
| An intent redirection vulnerability in the Mi Browser product. This vulnerability is caused by the Mi Browser does not verify the validity of the incoming data. Attackers can perform sensitive operations by exploiting this. | ||||
| CVE-2020-14122 | 1 Mi | 1 Miui | 2024-08-04 | 5.5 Medium |
| Some Xiaomi phones have information leakage vulnerabilities, and some of them may be able to forge a specific identity due to the lack of parameter verification, resulting in user information leakage. | ||||
| CVE-2020-14115 | 1 Mi | 2 Ax3600, Ax3600 Firmware | 2024-08-04 | 9.8 Critical |
| A command injection vulnerability exists in the Xiaomi Router AX3600. The vulnerability is caused by a lack of inspection for incoming data detection. Attackers can exploit this vulnerability to execute code. | ||||
| CVE-2020-13777 | 5 Canonical, Debian, Fedoraproject and 2 more | 7 Ubuntu Linux, Debian Linux, Fedora and 4 more | 2024-08-04 | 7.4 High |
| GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application. | ||||
| CVE-2020-12063 | 1 Postfix | 1 Postfix | 2024-08-04 | 5.3 Medium |
| A certain Postfix 2.10.1-7 package could allow an attacker to send an email from an arbitrary-looking sender via a homoglyph attack, as demonstrated by the similarity of \xce\xbf to the 'o' character. This is potentially relevant when the /etc/postfix/sender_login feature is used, because a spoofed outbound message that uses a configured sender address is blocked with a "Sender address rejected: not logged in" error message, but a spoofed outbound message that uses a homoglyph of a configured sender address is not blocked. NOTE: some third parties argue that any missed blocking of spoofed outbound messages - except for exact matches to a sender address in the /etc/postfix/sender_login file - is outside the design goals of Postfix and thus cannot be considered a Postfix vulnerability | ||||
| CVE-2020-13265 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 4.3 Medium |
| User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows user to bypass email verification | ||||
| CVE-2020-13272 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 7.5 High |
| OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow | ||||
| CVE-2020-13178 | 1 Teradici | 2 Graphics Agent, Pcoip Standard Agent | 2024-08-04 | 6.7 Medium |
| A function in the Teradici PCoIP Standard Agent for Windows and Graphics Agent for Windows prior to version 20.04.1 does not properly validate the signature of an external binary, which could allow an attacker to gain elevated privileges via execution in the context of the PCoIP Agent process. | ||||
| CVE-2020-12406 | 3 Canonical, Mozilla, Redhat | 7 Ubuntu Linux, Firefox, Firefox Esr and 4 more | 2024-08-04 | 8.8 High |
| Mozilla Developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. | ||||
| CVE-2020-12119 | 1 Ledger | 1 Ledger Live | 2024-08-04 | 8.1 High |
| Ledger Live before 2.7.0 does not handle Bitcoin's Replace-By-Fee (RBF). It increases the user's balance with the value of an unconfirmed transaction as soon as it is received (before the transaction is confirmed) and does not decrease the balance when it is canceled. As a result, users are exposed to basic double spending attacks, amplified double spending attacks, and DoS attacks without user consent. | ||||