Total
141 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-26961 | 2 Mozilla, Redhat | 6 Firefox, Firefox Esr, Thunderbird and 3 more | 2024-08-04 | 6.5 Medium |
| When DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from the responses as these do not make sense coming from a DoH resolver. However when an IPv4 address was mapped through IPv6, these addresses were erroneously let through, leading to a potential DNS Rebinding attack. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5. | ||||
| CVE-2020-25686 | 5 Arista, Debian, Fedoraproject and 2 more | 10 Eos, Debian Linux, Fedora and 7 more | 2024-08-04 | 3.7 Low |
| A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the "Birthday Attacks" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. | ||||
| CVE-2020-25684 | 5 Arista, Debian, Fedoraproject and 2 more | 10 Eos, Debian Linux, Fedora and 7 more | 2024-08-04 | 3.7 Low |
| A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. | ||||
| CVE-2020-25602 | 4 Debian, Fedoraproject, Opensuse and 1 more | 4 Debian Linux, Fedora, Leap and 1 more | 2024-08-04 | 6.0 Medium |
| An issue was discovered in Xen through 4.14.x. An x86 PV guest can trigger a host OS crash when handling guest access to MSR_MISC_ENABLE. When a guest accesses certain Model Specific Registers, Xen first reads the value from hardware to use as the basis for auditing the guest access. For the MISC_ENABLE MSR, which is an Intel specific MSR, this MSR read is performed without error handling for a #GP fault, which is the consequence of trying to read this MSR on non-Intel hardware. A buggy or malicious PV guest administrator can crash Xen, resulting in a host Denial of Service. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only Xen versions 4.11 and onwards are vulnerable. 4.10 and earlier are not vulnerable. Only x86 systems that do not implement the MISC_ENABLE MSR (0x1a0) are vulnerable. AMD and Hygon systems do not implement this MSR and are vulnerable. Intel systems do implement this MSR and are not vulnerable. Other manufacturers have not been checked. Only x86 PV guests can exploit the vulnerability. x86 HVM/PVH guests cannot exploit the vulnerability. | ||||
| CVE-2020-16013 | 2 Google, Redhat | 2 Chrome, Rhel Extras | 2024-08-04 | 8.8 High |
| Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | ||||
| CVE-2020-13817 | 5 Fujitsu, Netapp, Ntp and 2 more | 41 M10-1, M10-1 Firmware, M10-4 and 38 more | 2024-08-04 | 7.4 High |
| ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can query time from the victim's ntpd instance. | ||||
| CVE-2020-12391 | 1 Mozilla | 1 Firefox | 2024-08-04 | 7.5 High |
| Documents formed using data: URLs in an OBJECT element failed to inherit the CSP of the creating context. This allowed the execution of scripts that should have been blocked, albeit with a unique opaque origin. This vulnerability affects Firefox < 76. | ||||
| CVE-2020-12279 | 2 Debian, Libgit2 | 2 Debian Linux, Libgit2 | 2024-08-04 | 9.8 Critical |
| An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1353. | ||||
| CVE-2020-10743 | 2 Elastic, Redhat | 3 Kibana, Openshift, Openshift Container Platform | 2024-08-04 | 4.3 Medium |
| It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking. | ||||
| CVE-2020-8660 | 2 Envoyproxy, Redhat | 2 Envoy, Service Mesh | 2024-08-04 | 5.3 Medium |
| CNCF Envoy through 1.13.0 TLS inspector bypass. TLS inspector could have been bypassed (not recognized as a TLS client) by a client using only TLS 1.3. Because TLS extensions (SNI, ALPN) were not inspected, those connections might have been matched to a wrong filter chain, possibly bypassing some security restrictions in the process. | ||||
| CVE-2020-8352 | 1 Lenovo | 32 Qitian 4500, Qitian 4500 Firmware, Qitian B4550 and 29 more | 2024-08-04 | 2.4 Low |
| In some Lenovo Desktop models, the Configuration Change Detection BIOS setting failed to detect SATA configuration changes. | ||||
| CVE-2020-7251 | 1 Mcafee | 1 Endpoint Security | 2024-08-04 | 5 Medium |
| Improper access control vulnerability in Configuration Tool in McAfee Mcafee Endpoint Security (ENS) Prior to 10.6.1 February 2020 Update allows local users to disable security features via unauthorised use of the configuration tool from older versions of ENS. | ||||
| CVE-2020-6823 | 1 Mozilla | 1 Firefox | 2024-08-04 | 9.8 Critical |
| A malicious extension could have called <code>browser.identity.launchWebAuthFlow</code>, controlling the redirect_uri, and through the Promise returned, obtain the Auth code and gain access to the user's account at the service provider. This vulnerability affects Firefox < 75. | ||||
| CVE-2020-6561 | 5 Debian, Fedoraproject, Google and 2 more | 6 Debian Linux, Fedora, Chrome and 3 more | 2024-08-04 | 6.5 Medium |
| Inappropriate implementation in Content Security Policy in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | ||||
| CVE-2020-6538 | 4 Debian, Fedoraproject, Google and 1 more | 4 Debian Linux, Fedora, Chrome and 1 more | 2024-08-04 | 6.5 Medium |
| Inappropriate implementation in WebView in Google Chrome on Android prior to 84.0.4147.105 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | ||||
| CVE-2020-6503 | 2 Google, Redhat | 2 Chrome, Rhel Extras | 2024-08-04 | 6.5 Medium |
| Inappropriate implementation in accessibility in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | ||||
| CVE-2020-6506 | 2 Google, Redhat | 3 Android, Chrome, Rhel Extras | 2024-08-04 | 6.5 Medium |
| Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page. | ||||
| CVE-2020-6453 | 2 Google, Redhat | 2 Chrome, Rhel Extras | 2024-08-04 | 8.8 High |
| Inappropriate implementation in V8 in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | ||||
| CVE-2020-6504 | 2 Google, Redhat | 2 Chrome, Rhel Extras | 2024-08-04 | 4.3 Medium |
| Insufficient policy enforcement in notifications in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass notification restrictions via a crafted HTML page. | ||||
| CVE-2020-6420 | 4 Debian, Fedoraproject, Google and 1 more | 4 Debian Linux, Fedora, Chrome and 1 more | 2024-08-04 | 8.8 High |
| Insufficient policy enforcement in media in Google Chrome prior to 80.0.3987.132 allowed a remote attacker to bypass same origin policy via a crafted HTML page. | ||||