Total
2818 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2020-25017 | 2 Envoyproxy, Redhat | 2 Envoy, Service Mesh | 2024-08-04 | 8.3 High |
Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy’s setCopy() header map API does not replace all existing occurences of a non-inline header. | ||||
CVE-2020-16844 | 2 Istio, Redhat | 2 Istio, Service Mesh | 2024-08-04 | 6.8 Medium |
In Istio 1.5.0 though 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy. | ||||
CVE-2020-16261 | 1 Winstonprivacy | 2 Winston, Winston Firmware | 2024-08-04 | 6.8 Medium |
Winston 1.5.4 devices allow a U-Boot interrupt, resulting in local root access. | ||||
CVE-2020-16241 | 1 Philips | 2 Suresigns Vs4, Suresigns Vs4 Firmware | 2024-08-04 | 2.1 Low |
Philips SureSigns VS4, A.07.107 and prior. The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. | ||||
CVE-2020-15780 | 4 Canonical, Linux, Opensuse and 1 more | 6 Ubuntu Linux, Linux Kernel, Leap and 3 more | 2024-08-04 | 6.7 Medium |
An issue was discovered in drivers/acpi/acpi_configfs.c in the Linux kernel before 5.7.7. Injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30. | ||||
CVE-2020-15181 | 1 Alfresco | 1 Reset Password | 2024-08-04 | 9.3 Critical |
The Alfresco Reset Password add-on before version 1.2.0 relies on untrusted inputs in a security decision. Intruders can get admin's access to the system using the vulnerability in the project. Impacts all servers where this add-on is installed. The problem is fixed in version 1.2.0 | ||||
CVE-2020-15102 | 1 Prestashop | 1 Dashboard Products | 2024-08-04 | 6.5 Medium |
In PrestaShop Dashboard Productions before version 2.1.0, there is improper authorization which enables an attacker to change the configuration. The problem is fixed in 2.1.0. | ||||
CVE-2020-15079 | 1 Prestashop | 1 Prestashop | 2024-08-04 | 6.4 Medium |
In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, there is improper access control in Carrier page, Module Manager and Module Positions. The problem is fixed in version 1.7.6.6 | ||||
CVE-2020-14499 | 1 Advantech | 1 Iview | 2024-08-04 | 7.5 High |
Advantech iView, versions 5.6 and prior, has an improper access control vulnerability. Successful exploitation of this vulnerability may allow an attacker to obtain all user accounts credentials. | ||||
CVE-2020-14388 | 1 Redhat | 1 3scale Api Management | 2024-08-04 | 6.3 Medium |
A flaw was found in the Red Hat 3scale API Management Platform, where member permissions for an API's admin portal were not properly enforced. This flaw allows an authenticated user to bypass normal account restrictions and access API services where they do not have permission. | ||||
CVE-2020-14312 | 1 Fedoraproject | 1 Fedora | 2024-08-04 | 5.9 Medium |
A flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems. | ||||
CVE-2020-14316 | 2 Kubevirt, Redhat | 3 Kubevirt, Container Native Virtualization, Openshift Virtualization | 2024-08-04 | 9.9 Critical |
A flaw was found in kubevirt 0.29 and earlier. Virtual Machine Instances (VMIs) can be used to gain access to the host's filesystem. Successful exploitation allows an attacker to assume the privileges of the VM process on the host system. In worst-case scenarios an attacker can read and modify any file on the system where the VMI is running. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | ||||
CVE-2024-25811 | 2024-08-04 | 6.5 Medium | ||
An access control issue in Dreamer CMS v4.0.1 allows attackers to download backup files and leak sensitive information. | ||||
CVE-2020-13941 | 1 Apache | 1 Solr | 2024-08-04 | 8.8 High |
Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows commands backup, restore and deleteBackup. Each of these take a location parameter, which was not validated, i.e you could read/write to any location the solr user can access. | ||||
CVE-2020-13677 | 1 Drupal | 1 Drupal | 2024-08-04 | 7.5 High |
Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected. | ||||
CVE-2020-13753 | 6 Canonical, Debian, Fedoraproject and 3 more | 6 Ubuntu Linux, Debian Linux, Fedora and 3 more | 2024-08-04 | 10.0 Critical |
The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3, failed to properly block access to CLONE_NEWUSER and the TIOCSTI ioctl. CLONE_NEWUSER could potentially be used to confuse xdg-desktop-portal, which allows access outside the sandbox. TIOCSTI can be used to directly execute commands outside the sandbox by writing to the controlling terminal's input buffer, similar to CVE-2017-5226. | ||||
CVE-2020-13675 | 1 Drupal | 1 Drupal | 2024-08-04 | 9.8 Critical |
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site. | ||||
CVE-2020-13676 | 1 Drupal | 1 Drupal | 2024-08-04 | 6.5 Medium |
The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. | ||||
CVE-2020-13379 | 5 Fedoraproject, Grafana, Netapp and 2 more | 11 Fedora, Grafana, E-series Performance Analyzer and 8 more | 2024-08-04 | 8.2 High |
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault. | ||||
CVE-2020-12389 | 2 Microsoft, Mozilla | 3 Windows, Firefox, Firefox Esr | 2024-08-04 | 10.0 Critical |
The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape. *Note: this issue only affects Firefox on Windows operating systems.*. This vulnerability affects Firefox ESR < 68.8 and Firefox < 76. |