Total
334 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-1234 | 1 Microsoft | 1 Azure Stack | 2024-08-04 | 7.5 High |
| A spoofing vulnerability exists when Azure Stack fails to validate certain requests, aka 'Azure Stack Spoofing Vulnerability'. | ||||
| CVE-2019-0608 | 1 Microsoft | 10 Edge, Internet Explorer, Windows 10 and 7 more | 2024-08-04 | 4.3 Medium |
| A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content, aka 'Microsoft Browser Spoofing Vulnerability'. This CVE ID is unique from CVE-2019-1357. | ||||
| CVE-2019-0388 | 1 Sap | 1 Ui | 2024-08-04 | 5.3 Medium |
| SAP UI5 HTTP Handler (corrected in SAP_UI versions 7.5, 7.51, 7.52, 7.53, 7.54 and SAP UI_700 version 2.0) allows an attacker to manipulate content due to insufficient URL validation. | ||||
| CVE-2019-0283 | 1 Sap | 1 Netweaver Process Integration | 2024-08-04 | N/A |
| SAP NetWeaver Process Integration (Adapter Engine), fixed in versions 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; is vulnerable to Digital Signature Spoofing. It is possible to spoof XML signatures and send arbitrary requests to the server via PI Axis adapter. These requests will be accepted by the PI Axis adapter even if the payload has been altered, especially when the signed element is the body of the xml document. | ||||
| CVE-2020-36516 | 3 Linux, Netapp, Redhat | 32 Linux Kernel, Bootstrap Os, Cloud Volumes Ontap Mediator and 29 more | 2024-08-04 | 5.9 Medium |
| An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session or terminate that session. | ||||
| CVE-2020-36128 | 1 Paxtechnology | 1 Paxstore | 2024-08-04 | 8.2 High |
| Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by a token spoofing vulnerability. Each payment terminal has a session token (called X-Terminal-Token) to access the marketplace. This allows the store to identify the terminal and make available the applications distributed by its reseller. By intercepting HTTPS traffic from the application store, it is possible to collect the request responsible for assigning the X-Terminal-Token to the terminal, which makes it possible to craft an X-Terminal-Token pretending to be another device. An attacker can use this behavior to authenticate its own payment terminal in the application store through token impersonation. | ||||
| CVE-2020-28856 | 1 Openasset | 1 Digital Asset Management | 2024-08-04 | 7.5 High |
| OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly determine the HTTP request's originating IP address, allowing attackers to spoof it using X-Forwarded-For in the header, by supplying localhost address such as 127.0.0.1, effectively bypassing all IP address based access controls. | ||||
| CVE-2020-27970 | 1 Yandex | 1 Yandex Browser | 2024-08-04 | 5.3 Medium |
| Yandex Browser before 20.10.0 allows remote attackers to spoof the address bar | ||||
| CVE-2020-27847 | 1 Linuxfoundation | 1 Dex | 2024-08-04 | 9.8 Critical |
| A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signature Validation. This flaw allows an attacker to bypass SAML authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects dex versions before 2.27.0. | ||||
| CVE-2020-27276 | 1 Sooil | 6 Anydana-a, Anydana-a Firmware, Anydana-i and 3 more | 2024-08-04 | 5.7 Medium |
| SOOIL Developments Co Ltd DiabecareRS,AnyDana-i & AnyDana-A, the communication protocol of the insulin pump and its AnyDana-i & AnyDana-A mobile apps doesn't use adequate measures to authenticate the communicating entities before exchanging keys, which allows unauthenticated, physically proximate attackers to eavesdrop the authentication sequence via Bluetooth Low Energy. | ||||
| CVE-2020-26276 | 1 Fleetdm | 1 Fleet | 2024-08-04 | 10 Critical |
| Fleet is an open source osquery manager. In Fleet before version 3.5.1, due to issues in Go's standard library XML parsing, a valid SAML response may be mutated by an attacker to modify the trusted document. This can result in allowing unverified logins from a SAML IdP. Users that configure Fleet with SSO login may be vulnerable to this issue. This issue is patched in 3.5.1. The fix was made using https://github.com/mattermost/xml-roundtrip-validator If upgrade to 3.5.1 is not possible, users should disable SSO authentication in Fleet. | ||||
| CVE-2020-26254 | 1 Omniauth-apple Project | 1 Omniauth-apple | 2024-08-04 | 7.7 High |
| omniauth-apple is the OmniAuth strategy for "Sign In with Apple" (RubyGem omniauth-apple). In omniauth-apple before version 1.0.1 attackers can fake their email address during authentication. This vulnerability impacts applications using the omniauth-apple strategy of OmniAuth and using the info.email field of OmniAuth's Auth Hash Schema for any kind of identification. The value of this field may be set to any value of the attacker's choice including email addresses of other users. Applications not using info.email for identification but are instead using the uid field are not impacted in the same manner. Note, these applications may still be negatively affected if the value of info.email is being used for other purposes. Applications using affected versions of omniauth-apple are advised to upgrade to omniauth-apple version 1.0.1 or later. | ||||
| CVE-2020-26144 | 4 Arista, Redhat, Samsung and 1 more | 37 C-100, C-100 Firmware, C-110 and 34 more | 2024-08-04 | 6.5 Medium |
| An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. | ||||
| CVE-2020-25686 | 5 Arista, Debian, Fedoraproject and 2 more | 10 Eos, Debian Linux, Fedora and 7 more | 2024-08-04 | 3.7 Low |
| A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the "Birthday Attacks" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. | ||||
| CVE-2020-24375 | 1 Free | 3 Freebox Server, Freebox V5, Freebox V5 Firmware | 2024-08-04 | 6.5 Medium |
| A DNS rebinding vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3. | ||||
| CVE-2020-22001 | 1 Homeautomation Project | 1 Homeautomation | 2024-08-04 | 9.8 Critical |
| HomeAutomation 3.3.2 suffers from an authentication bypass vulnerability when spoofing client IP address using the X-Forwarded-For header with the local (loopback) IP address value allowing remote control of the smart home solution. | ||||
| CVE-2020-19003 | 1 Liftoffsoftware | 1 Gate One | 2024-08-04 | 5.3 Medium |
| An issue in Gate One 1.2.0 allows attackers to bypass to the verification check done by the origins list and connect to Gate One instances used by hosts not on the origins list. | ||||
| CVE-2020-17510 | 3 Apache, Debian, Redhat | 3 Shiro, Debian Linux, Jboss Fuse | 2024-08-04 | 9.8 Critical |
| Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. | ||||
| CVE-2020-17516 | 1 Apache | 1 Cassandra | 2024-08-04 | 7.5 High |
| Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted connection despite not being in the same rack or dc, and bypass mutual TLS requirement. | ||||
| CVE-2020-16250 | 2 Hashicorp, Redhat | 3 Vault, Openshift, Openshift Data Foundation | 2024-08-04 | 8.2 High |
| HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.. | ||||