Total
1780 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-15120 | 1 Ihatemoney | 1 I Hate Money | 2024-08-04 | 4.9 Medium |
| In "I hate money" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated. This is fixed in version 4.1.5. | ||||
| CVE-2020-15084 | 1 Auth0 | 1 Express-jwt | 2024-08-04 | 7.7 High |
| In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0. | ||||
| CVE-2020-14321 | 1 Moodle | 1 Moodle | 2024-08-04 | 8.8 High |
| In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course. | ||||
| CVE-2020-14196 | 1 Powerdns | 1 Recursor | 2024-08-04 | 5.3 Medium |
| In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 and 4.1.16, the ACL restricting access to the internal web server is not properly enforced. | ||||
| CVE-2020-14110 | 1 Mi | 2 Ax3600, Ax3600 Firmware | 2024-08-04 | 7.8 High |
| AX3600 router sensitive information leaked.There is an unauthorized interface through luci to obtain sensitive information and log in to the web background. | ||||
| CVE-2020-14214 | 1 Zammad | 1 Zammad | 2024-08-04 | 6.5 Medium |
| Zammad before 3.3.1, when Domain Based Assignment is enabled, relies on a claimed e-mail address for authorization decisions. An attacker can register a new account that will have access to all tickets of an arbitrary Organization. | ||||
| CVE-2020-14121 | 1 Mi | 1 Mi App Store | 2024-08-04 | 5.5 Medium |
| A business logic vulnerability exists in Mi App Store. The vulnerability is caused by incomplete permission checks of the products being bypassed, and an attacker can exploit the vulnerability to perform a local silent installation. | ||||
| CVE-2020-14106 | 1 Mi | 1 Miui | 2024-08-04 | 5.5 Medium |
| The application in the mobile phone can unauthorized access to the list of running processes in the mobile phone, Xiaomi Mobile Phone MIUI < 2021.01.26. | ||||
| CVE-2020-13957 | 1 Apache | 1 Solr | 2024-08-04 | 9.8 Critical |
| Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions. | ||||
| CVE-2020-13834 | 1 Google | 1 Android | 2024-08-04 | 7.5 High |
| An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (with TEEGRIS) software. Secure Folder does not properly restrict use of Android Debug Bridge (adb) for arbitrary installations. The Samsung ID is SVE-2020-17369 (June 2020). | ||||
| CVE-2020-13696 | 5 Canonical, Debian, Fedoraproject and 2 more | 6 Ubuntu Linux, Debian Linux, Fedora and 3 more | 2024-08-04 | 4.4 Medium |
| An issue was discovered in LinuxTV xawtv before 3.107. The function dev_open() in v4l-conf.c does not perform sufficient checks to prevent an unprivileged caller of the program from opening unintended filesystem paths. This allows a local attacker with access to the v4l-conf setuid-root program to test for the existence of arbitrary files and to trigger an open on arbitrary files with mode O_RDWR. To achieve this, relative path components need to be added to the device path, as demonstrated by a v4l-conf -c /dev/../root/.bash_history command. | ||||
| CVE-2020-13676 | 1 Drupal | 1 Drupal | 2024-08-04 | 6.5 Medium |
| The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. | ||||
| CVE-2020-13334 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 5.9 Medium |
| In GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, improper authorization checks allow a non-member of a project/group to change the confidentiality attribute of issue via mutation GraphQL query | ||||
| CVE-2020-13335 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 4.3 Medium |
| Improper group membership validation when deleting a user account in GitLab >=7.12 allows a user to delete own account without deleting/transferring their group. | ||||
| CVE-2020-13322 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 7.2 High |
| A vulnerability was discovered in GitLab versions after 12.9. Due to improper verification of permissions, an unauthorized user can create and delete deploy tokens. | ||||
| CVE-2020-13313 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 4.3 Medium |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. An unauthorized project maintainer could edit the subgroup badges due to the lack of authorization control. | ||||
| CVE-2020-13300 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 8 High |
| GitLab CE/EE version 13.3 prior to 13.3.4 was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow. | ||||
| CVE-2020-13277 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 6.3 Medium |
| An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5 | ||||
| CVE-2020-13284 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 6.5 Medium |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API Authorization Using Outdated CI Job Token | ||||
| CVE-2020-13263 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 7.5 High |
| An authorization issue relating to project maintainer impersonation was identified in GitLab EE 9.5 and later through 13.0.1 that could allow unauthorized users to impersonate as a maintainer to perform limited actions. | ||||