Total
315198 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-26173 | 1 Tangro | 1 Business Workflow | 2024-11-21 | 4.0 MEDIUM | 3.1 LOW |
| An incorrect access control implementation in Tangro Business Workflow before 1.18.1 allows an attacker to download documents (PDF) by providing a valid document ID and token. No further authentication is required. | |||||
| CVE-2020-26172 | 1 Tangro | 1 Business Workflow | 2024-11-21 | 6.4 MEDIUM | 4.2 MEDIUM |
| Every login in tangro Business Workflow before 1.18.1 generates the same JWT token, which allows an attacker to reuse the token when a session is active. The JWT token does not contain an expiration timestamp. | |||||
| CVE-2020-26171 | 1 Tangro | 1 Business Workflow | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| In tangro Business Workflow before 1.18.1, the documentId of attachment uploads to /api/document/attachments/upload can be manipulated. By doing this, users can add attachments to workitems that do not belong to them. | |||||
| CVE-2020-26168 | 1 Hazelcast | 2 Hazelcast, Jet | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The LDAP authentication method in LdapLoginModule in Hazelcast IMDG Enterprise 4.x before 4.0.3, and Jet Enterprise 4.x through 4.2, doesn't verify properly the password in some system-user-dn scenarios. As a result, users (clients/members) can be authenticated even if they provide invalid passwords. | |||||
| CVE-2020-26166 | 1 Qdpm | 1 Qdpm | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The file upload functionality in qdPM 9.1 doesn't check the file description, which allows remote authenticated attackers to inject web script or HTML via the attachments info parameter, aka XSS. This can occur during creation of a ticket, project, or task. | |||||
| CVE-2020-26165 | 1 Qdpm | 1 Qdpm | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| qdPM through 9.1 allows PHP Object Injection via timeReportActions::executeExport in core/apps/qdPM/modules/timeReport/actions/actions.class.php because unserialize is used. | |||||
| CVE-2020-26164 | 2 Kde, Opensuse | 3 Kdeconnect, Backports Sle, Leap | 2024-11-21 | 4.9 MEDIUM | 5.5 MEDIUM |
| In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker on the local network could send crafted packets that trigger use of large amounts of CPU, memory, or network connection slots, aka a Denial of Service attack. | |||||
| CVE-2020-26163 | 1 Bigbluebutton | 1 Greenlight | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Origin) attacks, which can result in Account Takeover if a victim follows a spoofed password-reset link. | |||||
| CVE-2020-26162 | 1 Xerox | 4 Workcentre Ec7836, Workcentre Ec7836 Firmware, Workcentre Ec7856 and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Xerox WorkCentre EC7836 before 073.050.059.25300 and EC7856 before 073.020.059.25300 devices allow XSS via Description pages. | |||||
| CVE-2020-26161 | 1 Octopus | 1 Octopus Deploy | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| In Octopus Deploy through 2020.4.2, an attacker could redirect users to an external site via a modified HTTP Host header. | |||||
| CVE-2020-26160 | 1 Jwt-go Project | 1 Jwt-go | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. | |||||
| CVE-2020-26158 | 1 Leanote | 1 Leanote | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL |
| Leanote Desktop through 2.6.2 allows XSS because a note's title is mishandled when the batch feature is triggered. This leads to remote code execution because of Node integration. | |||||
| CVE-2020-26157 | 1 Leanote | 1 Leanote | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL |
| Leanote Desktop through 2.6.2 allows XSS because a note's title is mishandled during syncing. This leads to remote code execution because of Node integration. | |||||
| CVE-2020-26155 | 2 Microsoft, Utimaco | 7 Windows, Block-safe Firmware, Cryptoserver Cp5 Firmware and 4 more | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH |
| Multiple files and folders in Utimaco SecurityServer 4.20.0.4 and 4.31.1.0. are installed with Read/Write permissions for authenticated users, which allows for binaries to be manipulated by non-administrator users. Additionally, entries are made to the PATH environment variable which, in conjunction with these weak permissions, could enable an attacker to perform a DLL hijacking attack. | |||||
| CVE-2020-26154 | 2 Fedoraproject, Libproxy Project | 2 Fedora, Libproxy | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when PAC is enabled, as demonstrated by a large PAC file that is delivered without a Content-length header. | |||||
| CVE-2020-26153 | 1 Eventespresso | 1 Event Espresso | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php in the Event Espresso Core plugin before 4.10.7.p for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. | |||||
| CVE-2020-26150 | 1 Logaritmo | 1 Aware Callmanager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| info.php in Logaritmo Aware CallManager 2012 allows remote attackers to obtain sensitive information via a direct request, which calls the phpinfo function. | |||||
| CVE-2020-26149 | 1 Linuxfoundation | 3 Nats.deno, Nats.js, Nats.ws | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| NATS nats.js before 2.0.0-209, nats.ws before 1.0.0-111, and nats.deno before 1.0.0-9 allow credential disclosure from a client to a server. | |||||
| CVE-2020-26148 | 1 Md4c Project | 1 Md4c | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| md_push_block_bytes in md4c.c in md4c 0.4.5 allows attackers to trigger use of uninitialized memory, and cause a denial of service (e.g., assertion failure) via a malformed Markdown document. | |||||
| CVE-2020-26147 | 4 Arista, Debian, Linux and 1 more | 14 C-65, C-65 Firmware, C-75 and 11 more | 2024-11-21 | 3.2 LOW | 5.4 MEDIUM |
| An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. | |||||