Total
602 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-18646 | 1 5none | 1 Nonecms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Information Disclosure in NoneCMS v1.3 allows remote attackers to obtain sensitive information via the component "/public/index.php". | |||||
| CVE-2020-16263 | 1 Winstonprivacy | 2 Winston, Winston Firmware | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Winston 1.5.4 devices have a CORS configuration that trusts arbitrary origins. This allows requests to be made and viewed by arbitrary origins. | |||||
| CVE-2020-16212 | 1 Philips | 1 Patient Information Center Ix | 2024-11-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. The application on the surveillance station operates in kiosk mode, which is vulnerable to local breakouts that could allow an attacker with physical access to escape the restricted environment with limited privileges. | |||||
| CVE-2020-15877 | 1 Librenms | 1 Librenms | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in LibreNMS before 1.65.1. It has insufficient access control for normal users because of "'guard' => 'admin'" instead of "'middleware' => ['can:admin']" in routes/web.php. | |||||
| CVE-2020-15264 | 1 Chocolatey | 1 Boxstarter | 2024-11-21 | 7.2 HIGH | 8.0 HIGH |
| The Boxstarter installer before version 2.13.0 configures C:\ProgramData\Boxstarter to be in the system-wide PATH environment variable. However, this directory is writable by normal, unprivileged users. To exploit the vulnerability, place a DLL in this directory that a privileged service is looking for. For example, WptsExtensions.dll When Windows starts, it'll execute the code in DllMain() with SYSTEM privileges. Any unprivileged user can execute code with SYSTEM privileges. The issue is fixed in version 3.13.0 | |||||
| CVE-2020-15215 | 1 Electronjs | 1 Electron | 2024-11-21 | 6.8 MEDIUM | 5.6 MEDIUM |
| Electron before versions 11.0.0-beta.6, 10.1.2, 9.3.1 or 8.5.2 is vulnerable to a context isolation bypass. Apps using both `contextIsolation` and `sandbox: true` are affected. Apps using both `contextIsolation` and `nodeIntegrationInSubFrames: true` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. | |||||
| CVE-2020-14130 | 1 Mi | 1 Xiaomi | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Some js interfaces in the Xiaomi community were exposed, causing sensitive functions to be maliciously called on Xiaomi community app Affected Version <3.0.210809 | |||||
| CVE-2020-14064 | 1 Icewarp | 1 Mail Server | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| IceWarp Email Server 12.3.0.1 has Incorrect Access Control for user accounts. | |||||
| CVE-2020-13946 | 2 Apache, Netapp | 2 Cassandra, Oncommand Insight | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely. | |||||
| CVE-2020-13670 | 1 Drupal | 1 Drupal | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. | |||||
| CVE-2020-13472 | 1 Gigadevice | 2 Gd32f103, Gd32f103 Firmware | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| The flash memory readout protection in Gigadevice GD32F103 devices allows physical attackers to extract firmware via the debug interface by utilizing the DMA module. | |||||
| CVE-2020-13470 | 1 Gigadevice | 4 Gd32f103, Gd32f103 Firmware, Gd32f130 and 1 more | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| Gigadevice GD32F103 and GD32F130 devices allow physical attackers to extract data via the probing of easily accessible bonding wires and de-obfuscation of the observed data. | |||||
| CVE-2020-13469 | 1 Gigadevice | 2 Gd32vf103, Gd32vf103 Firmware | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| The flash memory readout protection in Gigadevice GD32VF103 devices allows physical attackers to extract firmware via the debug interface by utilizing the CPU. | |||||
| CVE-2020-13343 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 7.5 HIGH |
| An issue has been discovered in GitLab affecting all versions starting from 11.2. Unauthorized Users Can View Custom Project Template | |||||
| CVE-2020-12687 | 1 Serpico Project | 1 Serpico | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Serpico before 1.3.3. The /admin/attacments_backup endpoint can be requested by non-admin authenticated users. This means that an attacker with a user account can retrieve all of the attachments of all users (including administrators) from the database. | |||||
| CVE-2020-12488 | 1 Vivo | 1 Jovi Smart Scene | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| The attacker can access the sensitive information stored within the jovi Smart Scene module by entering carefully constructed commands without requesting permission. | |||||
| CVE-2020-12142 | 1 Silver-peak | 44 Nx-1000, Nx-1000 Firmware, Nx-10k and 41 more | 2024-11-21 | 4.0 MEDIUM | 4.8 MEDIUM |
| 1. IPSec UDP key material can be retrieved from machine-to-machine interfaces and human-accessible interfaces by a user with admin credentials. Such a user, with the required system knowledge, could use this material to decrypt in-flight communication. 2. The vulnerability requires administrative access and shell access to the EdgeConnect appliance. An admin user can access IPSec seed and nonce parameters using the CLI, REST APIs, and the Linux shell. | |||||
| CVE-2020-12020 | 1 Baxter | 4 Em1200, Em1200 Firmware, Em2400 and 1 more | 2024-11-21 | 3.6 LOW | 6.1 MEDIUM |
| Baxter ExactaMix EM 2400 Versions 1.10, 1.11, and 1.13 and ExactaMix EM1200 Versions 1.1, 1.2, and 1.4 does not restrict non administrative users from gaining access to the operating system and editing the application startup script. Successful exploitation of this vulnerability may allow an attacker to alter the startup script as the limited-access user. | |||||
| CVE-2020-11934 | 1 Canonical | 1 Ubuntu Linux | 2024-11-21 | 1.9 LOW | 5.9 MEDIUM |
| It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to append a path to a directory controlled by the calling snap. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL and, for example, execute a script shipped with the snap without confinement. This issue did not affect Ubuntu Core systems. Fixed in snapd versions 2.45.1ubuntu0.2, 2.45.1+18.04.2 and 2.45.1+20.04.2. | |||||
| CVE-2020-11931 | 2 Canonical, Pulseaudio | 2 Ubuntu Linux, Pulseaudio | 2024-11-21 | 2.1 LOW | 3.3 LOW |
| An Ubuntu-specific modification to Pulseaudio to provide security mediation for Snap-packaged applications was found to have a bypass of intended access restriction for snaps which plugs any of pulseaudio, audio-playback or audio-record via unloading the pulseaudio snap policy module. This issue affects: pulseaudio 1:8.0 versions prior to 1:8.0-0ubuntu3.12; 1:11.1 versions prior to 1:11.1-1ubuntu7.7; 1:13.0 versions prior to 1:13.0-1ubuntu1.2; 1:13.99.1 versions prior to 1:13.99.1-1ubuntu3.2; | |||||