Total
3717 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-26160 | 1 Jwt-go Project | 1 Jwt-go | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. | |||||
| CVE-2020-26139 | 5 Arista, Cisco, Debian and 2 more | 330 C-100, C-100 Firmware, C-110 and 327 more | 2024-11-21 | 2.9 LOW | 5.3 MEDIUM |
| An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. | |||||
| CVE-2020-26136 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In SilverStripe through 4.6.0-rc1, GraphQL doesn't honour MFA (multi-factor authentication) when using basic authentication. | |||||
| CVE-2020-26105 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| In cPanel before 88.0.3, insecure chkservd test credentials are used on a templated VM (SEC-554). | |||||
| CVE-2020-26101 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| In cPanel before 88.0.3, insecure RNDC credentials are used for BIND on a templated VM (SEC-549). | |||||
| CVE-2020-26030 | 1 Zammad | 1 Zammad | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Zammad before 3.4.1. There is an authentication bypass in the SSO endpoint via a crafted header, when SSO is not configured. An attacker can create a valid and authenticated session that can be used to perform any actions in the name of other users. | |||||
| CVE-2020-25867 | 1 Soplanning | 1 Soplanning | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |
| SoPlanning before 1.47 doesn't correctly check the security key used to publicly share plannings. It allows a bypass to get access without authentication. | |||||
| CVE-2020-25848 | 1 Hgiga | 10 Msr45 Isherlock-antispam, Msr45 Isherlock-audit, Msr45 Isherlock-base and 7 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| HGiga MailSherlock contains weak authentication flaw that attackers grant privilege remotely with default password generation mechanism. | |||||
| CVE-2020-25719 | 5 Canonical, Debian, Fedoraproject and 2 more | 17 Ubuntu Linux, Debian Linux, Fedora and 14 more | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-based authentication. The Samba AD DC, could become confused about the user a ticket represents if it did not strictly require a Kerberos PAC and always use the SIDs found within. The result could include total domain compromise. | |||||
| CVE-2020-25592 | 2 Debian, Saltstack | 2 Debian Linux, Salt | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH. | |||||
| CVE-2020-25251 | 1 Hyland | 1 Onbase | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client-side authentication is used for critical functions such as adding users or retrieving sensitive information. | |||||
| CVE-2020-25183 | 1 Medtronic | 2 Mycarelink Smart Model 25000, Mycarelink Smart Model 25000 Firmware | 2024-11-21 | 5.8 MEDIUM | 8.8 HIGH |
| Medtronic MyCareLink Smart 25000 all versions contain an authentication protocol vuln where the method used to auth between MCL Smart Patient Reader and MyCareLink Smart mobile app is vulnerable to bypass. This vuln allows attacker to use other mobile device or malicious app on smartphone to auth to the patient’s Smart Reader, fools the device into thinking its communicating with the actual smart phone application when executed in range of Bluetooth. | |||||
| CVE-2020-25165 | 1 Bd | 3 Alaris 8015 Pcu, Alaris 8015 Pcu Firmware, Alaris Systems Manager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier and BD Alaris Systems Manager, Versions 4.33 and earlier The affected products are vulnerable to a network session authentication vulnerability within the authentication process between specified versions of the BD Alaris PC Unit and the BD Alaris Systems Manager. If exploited, an attacker could perform a denial-of-service attack on the BD Alaris PC Unit by modifying the configuration headers of data in transit. A denial-of-service attack could lead to a drop in the wireless capability of the BD Alaris PC Unit, resulting in manual operation of the PC Unit. | |||||
| CVE-2020-24987 | 1 Tendacn | 2 Ac18, Ac18 Firmware | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| Tenda AC18 Router through V15.03.05.05_EN and through V15.03.05.19(6318) CN devices could cause a remote code execution due to incorrect authentication handling of vulnerable logincheck() function in /usr/lib/lua/ngx_authserver/ngx_wdas.lua file if the administrator UI Interface is set to "radius". | |||||
| CVE-2020-24848 | 1 Fruitywifi Project | 1 Fruitywifi | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system. | |||||
| CVE-2020-24786 | 1 Zohocorp | 11 Manageengine Ad360, Manageengine Adaudit Plus, Manageengine Admanager Plus and 8 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise. | |||||
| CVE-2020-24675 | 1 Abb | 2 Symphony \+ Historian, Symphony \+ Operations | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In S+ Operations and S+ History, it is possible that an unauthenticated user could inject values to the Operations History server (or standalone S+ History server) and ultimately write values to the controlled process. | |||||
| CVE-2020-24641 | 1 Arubanetworks | 1 Airwave Glass | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Aruba AirWave Glass before 1.3.3, there is a Server-Side Request Forgery vulnerability through an unauthenticated endpoint that if successfully exploited can result in disclosure of sensitive information. This can be used to perform an authentication bypass and ultimately gain administrative access on the web administrative interface. | |||||
| CVE-2020-24629 | 1 Hp | 1 Intelligent Management Center | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| A remote urlaccesscontroller authentication bypass vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07). | |||||
| CVE-2020-24612 | 1 Fedoraproject | 1 Selinux-policy | 2024-11-21 | 1.9 LOW | 6.7 MEDIUM |
| An issue was discovered in the selinux-policy (aka Reference Policy) package 3.14 through 2020-08-24 because the .config/Yubico directory is mishandled. Consequently, when SELinux is in enforced mode, pam-u2f is not allowed to read the user's U2F configuration file. If configured with the nouserok option (the default when configured by the authselect tool), and that file cannot be read, the second factor is disabled. An attacker with only the knowledge of the password can then log in, bypassing 2FA. | |||||