Total
316986 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-12700 | 1 Dkd | 1 Direct Mail | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The direct_mail extension through 5.2.3 for TYPO3 allows Information Disclosure via a newsletter subscriber data Special Query. | |||||
| CVE-2020-12699 | 1 Dkd | 1 Direct Mail | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| The direct_mail extension through 5.2.3 for TYPO3 has an Open Redirect via jumpUrl. | |||||
| CVE-2020-12698 | 1 Dkd | 1 Direct Mail | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The direct_mail extension through 5.2.3 for TYPO3 has Broken Access Control for newsletter subscriber tables. | |||||
| CVE-2020-12697 | 1 Dkd | 1 Direct Mail | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The direct_mail extension through 5.2.3 for TYPO3 allows Denial of Service via log entries. | |||||
| CVE-2020-12696 | 1 Iframe Project | 1 Iframe | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The iframe plugin before 4.5 for WordPress does not sanitize a URL. | |||||
| CVE-2020-12695 | 21 Asus, Broadcom, Canon and 18 more | 217 Rt-n11, Adsl, Selphy Cp1200 and 214 more | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue. | |||||
| CVE-2020-12693 | 4 Debian, Fedoraproject, Opensuse and 1 more | 4 Debian Linux, Fedora, Leap and 1 more | 2024-11-21 | 5.1 MEDIUM | 8.1 HIGH |
| Slurm 19.05.x before 19.05.7 and 20.02.x before 20.02.3, in the rare case where Message Aggregation is enabled, allows Authentication Bypass via an Alternate Path or Channel. A race condition allows a user to launch a process as an arbitrary user. | |||||
| CVE-2020-12692 | 2 Canonical, Openstack | 2 Ubuntu Linux, Keystone | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times. | |||||
| CVE-2020-12691 | 2 Canonical, Openstack | 2 Ubuntu Linux, Keystone | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. | |||||
| CVE-2020-12690 | 1 Openstack | 1 Keystone | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. | |||||
| CVE-2020-12689 | 2 Canonical, Openstack | 2 Ubuntu Linux, Keystone | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. | |||||
| CVE-2020-12687 | 1 Serpico Project | 1 Serpico | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Serpico before 1.3.3. The /admin/attacments_backup endpoint can be requested by non-admin authenticated users. This means that an attacker with a user account can retrieve all of the attachments of all users (including administrators) from the database. | |||||
| CVE-2020-12685 | 1 Redhat | 1 Interchange | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS in the admin help system admin/help.html and admin/quicklinks.html in Interchange 4.7.0 through 5.11.x allows remote attackers to steal credentials or data via browser JavaScript. | |||||
| CVE-2020-12684 | 1 Inetsoftware | 1 I-net Clear Reports | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| XXE injection can occur in i-net Clear Reports 2019 19.0.287 (Designer), as used in i-net HelpDesk and other products, when XML input containing a reference to an external entity is processed by a weakly configured XML parser. | |||||
| CVE-2020-12683 | 1 Katyshop2 Project | 1 Katyshop2 | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Katyshop2 before 2.12 has multiple stored XSS issues. | |||||
| CVE-2020-12681 | 1 3xlogic | 2 Infinias Eidc32, Infinias Eidc32 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Missing TLS certificate validation on 3xLogic Infinias eIDC32 devices through 3.4.125 allows an attacker to intercept/control the channel by which door lock policies are applied. | |||||
| CVE-2020-12680 | 1 Avira | 1 Free Antivirus | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| ** DISPUTED ** Avira Free Antivirus through 15.0.2005.1866 allows local users to discover user credentials. The functions of the executable file Avira.PWM.NativeMessaging.exe are aimed at collecting credentials stored in Chrome, Firefox, Opera, and Edge. The executable does not verify the calling program and thus a request such as fetchChromePasswords or fetchCredentials will succeed. NOTE: some third parties have stated that this is "not a vulnerability." | |||||
| CVE-2020-12679 | 1 Mitel | 2 Mivoice Connect, Shoretel Conference Web | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the Mitel ShoreTel Conference Web Application 19.50.1000.0 before MiVoice Connect 18.7 SP2 allows remote attackers to inject arbitrary JavaScript and HTML via the PATH_INFO to home.php. | |||||
| CVE-2020-12677 | 1 Progress | 1 Moveit Automation | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Progress MOVEit Automation Web Admin. A Web Admin application endpoint failed to adequately sanitize malicious input, which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser, aka XSS. This affects 2018 - 2018.0 prior to 2018.0.3, 2018 SP1 - 2018.2 prior to 2018.2.3, 2018 SP2 - 2018.3 prior to 2018.3.7, 2019 - 2019.0 prior to 2019.0.3, 2019.1 - 2019.1 prior to 2019.1.2, and 2019.2 - 2019.2 prior to 2019.2.2. | |||||
| CVE-2020-12676 | 1 Fusionauth | 1 Samlv2 | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| FusionAuth fusionauth-samlv2 0.2.3 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack". | |||||