Total
1780 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-28872 | 1 Monitorr | 1 Monitorr | 2024-08-04 | 9.8 Critical |
| An authorization bypass vulnerability in Monitorr v1.7.6m in Monitorr/assets/config/_installation/_register.php allows an unauthorized person to create valid credentials. | ||||
| CVE-2020-28397 | 1 Siemens | 111 Cpu1510sp F-1, Cpu1510sp F-1 Firmware, Cpu 1211c and 108 more | 2024-08-04 | 5.3 Medium |
| A vulnerability has been identified in SIMATIC Drive Controller family (All versions < V2.9.2), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions < V21.9), SIMATIC S7 PLCSIM Advanced (All versions > V2 < V4), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (Version V4.4), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions > V2.5 < V2.9.2), SIMATIC S7-1500 Software Controller (All versions > V2.5 < V21.9), TIM 1531 IRC (incl. SIPLUS NET variants) (Version V2.1). Due to an incorrect authorization check in the affected component, an attacker could extract information about access protected PLC program variables over port 102/tcp from an affected device when reading multiple attributes at once. | ||||
| CVE-2020-28211 | 1 Schneider-electric | 1 Ecostruxure Control Expert | 2024-08-04 | 7.8 High |
| A CWE-863: Incorrect Authorization vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause bypass of authentication when overwriting memory using a debugger. | ||||
| CVE-2020-28053 | 1 Hashicorp | 1 Consul | 2024-08-04 | 6.5 Medium |
| HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6. | ||||
| CVE-2020-27901 | 1 Apple | 1 Macos | 2024-08-04 | 6.3 Medium |
| A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, macOS Big Sur 11.0.1. A sandboxed process may be able to circumvent sandbox restrictions. | ||||
| CVE-2020-27873 | 1 Netgear | 38 Ac2100, Ac2100 Firmware, Ac2400 and 35 more | 2024-08-04 | 6.5 Medium |
| This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R7450 1.2.0.62_1.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SOAP API endpoint, which listens on TCP port 80 by default. The issue results from the lack of proper access control. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-11559. | ||||
| CVE-2020-27609 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 5.3 Medium |
| BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant. | ||||
| CVE-2020-27362 | 1 Akkadianlabs | 1 Akkadian Provisioning Manager | 2024-08-04 | 8.8 High |
| An issue exists within the SSH console of Akkadian Provisioning Manager 4.50.02 which allows a low-level privileged user to escape the web configuration file editor and escalate privileges. | ||||
| CVE-2020-27156 | 1 Veritas | 1 Aptare | 2024-08-04 | 9.8 Critical |
| Veritas APTARE versions prior to 10.5 did not perform adequate authorization checks. This vulnerability could allow for remote code execution by an unauthenticated user. | ||||
| CVE-2020-26506 | 1 Marmind | 1 Marmind | 2024-08-04 | 4.3 Medium |
| An Authorization Bypass vulnerability in the Marmind web application with version 4.1.141.0 allows users with lower privileges to gain control to files uploaded by administrative users. The accessed files were not visible by the low privileged users in the web GUI. | ||||
| CVE-2020-26560 | 1 Bluetooth | 1 Mesh Profile | 2024-08-04 | 8.1 High |
| Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, reflecting the authentication evidence from a Provisioner, to complete authentication without possessing the AuthValue, and potentially acquire a NetKey and AppKey. | ||||
| CVE-2020-26555 | 4 Bluetooth, Fedoraproject, Intel and 1 more | 33 Bluetooth Core Specification, Fedora, Ac 3165 and 30 more | 2024-08-04 | 5.4 Medium |
| Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN. | ||||
| CVE-2020-26559 | 1 Bluetooth | 1 Mesh Profile | 2024-08-04 | 8.8 High |
| Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the AuthValue used given the Provisioner’s public key, and the confirmation number and nonce provided by the provisioning device. This could permit a device without the AuthValue to complete provisioning without brute-forcing the AuthValue. | ||||
| CVE-2020-26250 | 1 Jupyter | 1 Oauthenticator | 2024-08-04 | 6.3 Medium |
| OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthenticator from version 0.12.0 and before 0.12.2, the deprecated (in jupyterhub 1.2) configuration `Authenticator.whitelist`, which should be transparently mapped to `Authenticator.allowed_users` with a warning, is instead ignored by OAuthenticator classes, resulting in the same behavior as if this configuration has not been set. If this is the only mechanism of authorization restriction (i.e. no group or team restrictions in configuration) then all authenticated users will be allowed. Provider-based restrictions, including deprecated values such as `GitHubOAuthenticator.org_whitelist` are **not** affected. All users of OAuthenticator 0.12.0 and 0.12.1 with JupyterHub 1.2 (JupyterHub Helm chart 0.10.0-0.10.5) who use the `admin.whitelist.users` configuration in the jupyterhub helm chart or the `c.Authenticator.whitelist` configuration directly. Users of other deprecated configuration, e.g. `c.GitHubOAuthenticator.team_whitelist` are **not** affected. If you see a log line like this and expect a specific list of allowed usernames: "[I 2020-11-27 16:51:54.528 JupyterHub app:1717] Not using allowed_users. Any authenticated user will be allowed." you are likely affected. Updating oauthenticator to 0.12.2 is recommended. A workaround is to replace the deprecated `c.Authenticator.whitelist = ...` with `c.Authenticator.allowed_users = ...`. If any users have been authorized during this time who should not have been, they must be deleted via the API or admin interface, per the referenced documentation. | ||||
| CVE-2020-26223 | 1 Spreecommerce | 1 Spree | 2024-08-04 | 7.7 High |
| Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order token. This is patched in versions 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected. | ||||
| CVE-2020-26141 | 4 Alfa, Cisco, Redhat and 1 more | 191 Awus036h, Awus036h Firmware, Ip Conference Phone 8832 and 188 more | 2024-08-04 | 6.5 Medium |
| An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. | ||||
| CVE-2020-26121 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-08-04 | 7.5 High |
| An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an upload restriction and a create restriction. An attacker cannot leverage this to overwrite anything, but can leverage this to force a wiki to have a page with a disallowed title. | ||||
| CVE-2020-26028 | 1 Zammad | 1 Zammad | 2024-08-04 | 4.9 Medium |
| An issue was discovered in Zammad before 3.4.1. Admin Users without a ticket.* permission can access Tickets. | ||||
| CVE-2020-26029 | 1 Zammad | 1 Zammad | 2024-08-04 | 6.5 Medium |
| An issue was discovered in Zammad before 3.4.1. There are wrong authorization checks for impersonation requests via X-On-Behalf-Of. The authorization checks are performed for the actual user and not the one given in the X-On-Behalf-Of header. | ||||
| CVE-2020-25869 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-08-04 | 7.5 High |
| An information leak was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. Handling of actor ID does not necessarily use the correct database or correct wiki. | ||||