Total
1780 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-12875 | 1 Veritas | 1 Aptare | 2024-08-04 | 6.3 Medium |
| Veritas APTARE versions prior to 10.4 did not perform adequate authorization checks. An authenticated user could gain unauthorized access to sensitive information or functionality by manipulating specific parameters within the application. | ||||
| CVE-2020-12876 | 2 Microsoft, Veritas | 2 Windows, Aptare | 2024-08-04 | 7.5 High |
| Veritas APTARE versions prior to 10.4 allowed remote users to access several unintended files on the server. This vulnerability only impacts Windows server deployments. | ||||
| CVE-2020-12692 | 3 Canonical, Openstack, Redhat | 3 Ubuntu Linux, Keystone, Openstack | 2024-08-04 | 5.4 Medium |
| An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times. | ||||
| CVE-2020-12733 | 1 Depstech | 2 Wifi Digital Microscope 3, Wifi Digital Microscope 3 Firmware | 2024-08-04 | 7.5 High |
| Certain Shenzhen PENGLIXIN components on DEPSTECH WiFi Digital Microscope 3, as used by Shekar Endoscope, allow a TELNET connection with the molinkadmin password for the molink account. | ||||
| CVE-2020-12689 | 3 Canonical, Openstack, Redhat | 3 Ubuntu Linux, Keystone, Openstack | 2024-08-04 | 8.8 High |
| An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. | ||||
| CVE-2020-12691 | 3 Canonical, Openstack, Redhat | 3 Ubuntu Linux, Keystone, Openstack | 2024-08-04 | 8.8 High |
| An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. | ||||
| CVE-2020-12690 | 2 Openstack, Redhat | 2 Keystone, Openstack | 2024-08-04 | 8.8 High |
| An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. | ||||
| CVE-2020-12668 | 1 Hubspot | 1 Jinjava | 2024-08-04 | 6.5 Medium |
| Jinjava before 2.5.4 allow access to arbitrary classes by calling Java methods on objects passed into a Jinjava context. This could allow for abuse of the application class loader, including Arbitrary File Disclosure. | ||||
| CVE-2020-12477 | 1 Teampass | 1 Teampass | 2024-08-04 | 7.5 High |
| The REST API functions in TeamPass 2.1.27.36 allow any user with a valid API token to bypass IP address whitelist restrictions via an X-Forwarded-For client HTTP header to the getIp function. | ||||
| CVE-2020-12391 | 1 Mozilla | 1 Firefox | 2024-08-04 | 7.5 High |
| Documents formed using data: URLs in an OBJECT element failed to inherit the CSP of the creating context. This allowed the execution of scripts that should have been blocked, albeit with a unique opaque origin. This vulnerability affects Firefox < 76. | ||||
| CVE-2020-12053 | 1 Unisys | 1 Stealth | 2024-08-04 | 9.8 Critical |
| In Unisys Stealth 3.4.x, 4.x and 5.x before 5.0.026, if certificate-based authorization is used without HTTPS, an endpoint could be authorized without a private key. | ||||
| CVE-2020-11753 | 1 Sonatype | 1 Nexus Repository Manager 3 | 2024-08-04 | 8.8 High |
| An issue was discovered in Sonatype Nexus Repository Manager in versions 3.21.1 and 3.22.0. It is possible for a user with appropriate privileges to create, modify, and execute scripting tasks without use of the UI or API. NOTE: in 3.22.0, scripting is disabled by default (making this not exploitable). | ||||
| CVE-2020-11844 | 1 Microfocus | 1 Service Management Automation | 2024-08-04 | 10 Critical |
| Incorrect Authorization vulnerability in Micro Focus Container Deployment Foundation component affects products: - Hybrid Cloud Management. Versions 2018.05 to 2019.11. - ArcSight Investigate. versions 2.4.0, 3.0.0 and 3.1.0. - ArcSight Transformation Hub. versions 3.0.0, 3.1.0, 3.2.0. - ArcSight Interset. version 6.0.0. - ArcSight ESM (when ArcSight Fusion 1.0 is installed). version 7.2.1. - Service Management Automation (SMA). versions 2018.05 to 2020.02 - Operation Bridge Suite (Containerized). Versions 2018.05 to 2020.02. - Network Operation Management. versions 2017.11 to 2019.11. - Data Center Automation Containerized. versions 2018.05 to 2019.11 - Identity Intelligence. versions 1.1.0 and 1.1.1. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation. | ||||
| CVE-2020-11707 | 1 Provideserver | 1 Provide Ftp Server | 2024-08-04 | 8.8 High |
| An issue was discovered in ProVide (formerly zFTPServer) through 13.1. It doesn't enforce permission over Windows Symlinks or Junctions. As a result, a low-privileged user (non-admin) can craft a Junction Link in a directory he has full control of, breaking out of the sandbox. | ||||
| CVE-2020-11628 | 1 Primekey | 1 Ejbca | 2024-08-04 | 5.3 Medium |
| An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. It is intended to support restriction of available remote protocols (CMP, ACME, REST, etc.) through the system configuration. These restrictions can be bypassed by modifying the URI string from a client. (EJBCA's internal access control restrictions are still in place, and each respective protocol must be configured to allow for enrollment.) | ||||
| CVE-2020-11209 | 1 Qualcomm | 26 Qcs603, Qcs603 Firmware, Qcs605 and 23 more | 2024-08-04 | 5.5 Medium |
| Improper authorization in DSP process could allow unauthorized users to downgrade the library versions in SD820, SD821, SD820, QCS603, QCS605, SDA855, SA6155P, SA6145P, SA6155, SA6155P, SD855, SD 675, SD660, SD429, SD439 | ||||
| CVE-2020-10786 | 1 Vestacp | 1 Vesta Control Panel | 2024-08-04 | 8.8 High |
| A remote command execution in Vesta Control Panel through 0.9.8-26 allows any authenticated user to execute arbitrary commands on the system via cron jobs. | ||||
| CVE-2020-10778 | 1 Redhat | 2 Cloudforms, Cloudforms Managementengine | 2024-08-04 | 6.0 Medium |
| In Red Hat CloudForms 4.7 and 5, the read only widgets can be edited by inspecting the forms and dropping the disabled attribute from the fields since there is no server-side validation. This business logic flaw violate the expected behavior. | ||||
| CVE-2020-10676 | 1 Suse | 1 Rancher | 2024-08-04 | 8.8 High |
| In Rancher 2.x before 2.6.13 and 2.7.x before 2.7.4, an incorrectly applied authorization check allows users who have certain access to a namespace to move that namespace to a different project. | ||||
| CVE-2020-10534 | 1 Mediawiki | 1 Mediawiki | 2024-08-04 | 9.8 Critical |
| In the GlobalBlocking extension before 2020-03-10 for MediaWiki through 1.34.0, an issue related to IP range evaluation resulted in blocked users re-gaining escalated privileges. This is related to the case in which an IP address is contained in two ranges, one of which is locally disabled. | ||||