Total
1780 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2020-19765 | 1 Proofofdiligencetoken Project | 1 Proofofdiligencetoken | 2024-08-04 | 7.5 High |
An issue in the noReentrance() modifier of the Ethereum-based contract Accounting 1.0 allows attackers to carry out a reentrancy attack. | ||||
CVE-2020-19551 | 1 Wuzhicms | 1 Wuzhicms | 2024-08-04 | 8.8 High |
A blacklist bypass issue exists in WUZHI CMS up to and including 4.1.0 in common.func.php, which when uploaded can cause remote code execution. | ||||
CVE-2020-19301 | 1 Vaethink | 1 Vaethink | 2024-08-04 | 9.8 Critical |
A vulnerability in the vae_admin_rule database table of vaeThink v1.0.1 allows attackers to execute arbitrary code via a crafted payload in the condition parameter. | ||||
CVE-2020-19005 | 1 Zrlog | 1 Zrlog | 2024-08-04 | 5.7 Medium |
zrlog v2.1.0 has a vulnerability in the permission check. If an admin account is logged in, other unauthorized users can download the database backup file directly. | ||||
CVE-2020-18701 | 1 Talelin | 1 Lin-cms-flask | 2024-08-04 | 9.8 Critical |
Incorrect Access Control in Lin-CMS-Flask v0.1.1 allows remote attackers to obtain sensitive information and/or gain privileges due to the application not invalidating a user's authentication token upon logout, which allows for replaying packets. | ||||
CVE-2020-17520 | 1 Apache | 1 Pulsar Manager | 2024-08-04 | 6.5 Medium |
In the Pulsar manager 0.1.0 version, malicious users will be able to bypass pulsar-manager's admin, permission verification mechanism by constructing special URLs, thereby accessing any HTTP API. | ||||
CVE-2020-17448 | 1 Telegram | 1 Telegram Desktop | 2024-08-04 | 7.8 High |
Telegram Desktop through 2.1.13 allows a spoofed file type to bypass the Dangerous File Type Execution protection mechanism, as demonstrated by use of the chat window with a filename that lacks an extension. | ||||
CVE-2020-17354 | 1 Lilypond | 1 Lilypond | 2024-08-04 | 8.6 High |
LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used. | ||||
CVE-2020-16904 | 1 Microsoft | 1 Azure Functions | 2024-08-04 | 5.3 Medium |
An elevation of privilege vulnerability exists in the way Azure Functions validate access keys. An unauthenticated attacker who successfully exploited this vulnerability could invoke an HTTP Function without proper authorization. This security update addresses the vulnerability by correctly validating access keys used to access HTTP Functions. | ||||
CVE-2020-16630 | 1 Ti | 7 15.4-stack, Ble5-stack, Dynamic Multi-protocal Manager and 4 more | 2024-08-04 | 6.8 Medium |
TI’s BLE stack caches and reuses the LTK’s property for a bonded mobile. An LTK can be an unauthenticated-and-no-MITM-protection key created by Just Works or an authenticated-and-MITM-protection key created by Passkey Entry, Numeric Comparison or OOB. Assume that a victim mobile uses secure pairing to pair with a victim BLE device based on TI chips and generates an authenticated-and-MITM-protection LTK. If a fake mobile with the victim mobile’s MAC address uses Just Works and pairs with the victim device, the generated LTK still has the property of authenticated-and-MITM-protection. Therefore, the fake mobile can access attributes with the authenticated read/write permission. | ||||
CVE-2020-16241 | 1 Philips | 2 Suresigns Vs4, Suresigns Vs4 Firmware | 2024-08-04 | 2.1 Low |
Philips SureSigns VS4, A.07.107 and prior. The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. | ||||
CVE-2020-15590 | 1 Privateinternetaccess | 1 Private Internet Access Vpn Client | 2024-08-04 | 7.5 High |
A vulnerability in the Private Internet Access (PIA) VPN Client for Linux 1.5 through 2.3+ allows remote attackers to bypass an intended VPN kill switch mechanism and read sensitive information via intercepting network traffic. Since 1.5, PIA has supported a “split tunnel” OpenVPN bypass option. The PIA killswitch & associated iptables firewall is designed to protect you while using the Internet. When the kill switch is configured to block all inbound and outbound network traffic, privileged applications can continue sending & receiving network traffic if net.ipv4.ip_forward has been enabled in the system kernel parameters. For example, a Docker container running on a host with the VPN turned off, and the kill switch turned on, can continue using the internet, leaking the host IP (CWE 200). In PIA 2.4.0+, policy-based routing is enabled by default and is used to direct all forwarded packets to the VPN interface automatically. | ||||
CVE-2020-15513 | 1 Mittwald | 1 Typo3 Forum | 2024-08-04 | 5.3 Medium |
The typo3_forum extension before 1.2.1 for TYPO3 has Incorrect Access Control. | ||||
CVE-2020-15278 | 1 Cogboard | 1 Red Discord Bot | 2024-08-04 | 7.7 High |
Red Discord Bot before version 3.4.1 has an unauthorized privilege escalation exploit in the Mod module. This exploit allows Discord users with a high privilege level within the guild to bypass hierarchy checks when the application is in a specific condition that is beyond that user's control. By abusing this exploit, it is possible to perform destructive actions within the guild the user has high privileges in. This exploit has been fixed in version 3.4.1. As a workaround, unloading the Mod module with unload mod, or disabling the massban command with command disable global massban, can render this exploit not accessible. We still highly recommend updating to 3.4.1 to completely patch this issue. | ||||
CVE-2020-15251 | 1 Mirahezebots | 1 Channelmgnt | 2024-08-04 | 7.7 High |
In the Channelmgnt plug-in for Sopel (a Python IRC bot) before version 1.0.3, malicious users are able to op/voice and take over a channel. This is an ACL bypass vulnerability. This plugin is bundled with MirahezeBot-Plugins with versions from 9.0.0 and less than 9.0.2 affected. Version 9.0.2 includes 1.0.3 of channelmgnt, and thus is safe from this vulnerability. See referenced GHSA-23pc-4339-95vg. | ||||
CVE-2020-15246 | 1 Octobercms | 1 October | 2024-08-04 | 7.5 High |
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before version 1.0.469, an attacker can read local files on an October CMS server via a specially crafted request. Issue has been patched in Build 469 (v1.0.469) and v1.1.0. | ||||
CVE-2020-15248 | 1 Octobercms | 1 October | 2024-08-04 | 4 Medium |
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users with the default "Publisher" system role have access to create & manage users where they can choose which role the new user has. This means that a user with "Publisher" access has the ability to escalate their access to "Developer" access. Issue has been patched in Build 470 (v1.0.470) & v1.1.1. | ||||
CVE-2020-15163 | 1 Linuxfoundation | 1 The Update Framework | 2024-08-04 | 8.7 High |
The Python TUF (The Update Framework) reference implementation before version 0.12 will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a person-in-the-middle attack), culminating in a version which has not been correctly signed, to control the trust chain for future updates. This is fixed in version 0.12 and newer. | ||||
CVE-2020-15110 | 1 Jupyterhub | 1 Kubespawner | 2024-08-04 | 6.8 Medium |
In jupyterhub-kubespawner before 0.12, certain usernames will be able to craft particular server names which will grant them access to the default server of other users who have matching usernames. This has been fixed in 0.12. | ||||
CVE-2020-15126 | 1 Parseplatform | 1 Parse Server | 2024-08-04 | 6.5 Medium |
In parse-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object. |