Total: 440 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-1677 | 1 Juniper | 1 Mist Cloud Ui | 2024-11-21 | 4.3 MEDIUM | 7.2 HIGH | When SAML authentication is enabled, Juniper Networks Mist Cloud UI might incorrectly handle child elements in SAML responses, allowing a remote attacker to modify a valid SAML response without invalidating its cryptographic signature to bypass SAML authentication security controls. This issue affects all Juniper Networks Mist Cloud UI versions prior to September 2, 2020.
CVE-2020-19769 | 1 Rtb1 Project | 1 Rtb1 | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | A lack of target address verification in the BurnMe() function of Rob The Bank 1.0 allows attackers to steal tokens from victim users via a crafted script.
CVE-2020-19768 | 1 Tokensale Project | 1 Tokensale | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | A lack of target address verification in the selfdestructs() function of ICOVO 1.0 allows attackers to steal tokens from victim users via a crafted script.
CVE-2020-16250 | 1 Hashicorp | 1 Vault | 2024-11-21 | 7.5 HIGH | 8.2 HIGH | HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
CVE-2020-16122 | 2 Canonical, Packagekit Project | 2 Ubuntu Linux, Packagekit | 2024-11-21 | 2.1 LOW | 8.2 HIGH | PackageKit's apt backend mistakenly treated all local debs as trusted. The apt security model is based on repository trust and not on the contents of individual files. On sites with configured PolicyKit rules this may allow users to install malicious packages.
CVE-2020-15899 | 1 Grin | 1 Grin | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Grin 3.0.0 before 4.0.0 has insufficient validation of data related to Mimblewimble.
CVE-2020-15699 | 1 Joomla | 1 Joomla! | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in Joomla! through 3.9.19. Missing validation checks on the usergroups table object can result in a broken site configuration.
CVE-2020-15262 | 1 Webpack-subresource-integrity Project | 1 Webpack-subresource-integrity | 2024-11-21 | 5.0 MEDIUM | 3.7 LOW | In webpack-subresource-integrity before version 1.5.1, all dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-level chunks are unaffected. This issue is patched in version 1.5.1.
CVE-2020-15222 | 1 Ory | 1 Fosite | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH | In ORY Fosite (the security-first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using "private_key_jwt" authentication the uniqueness of the `jti` value is not checked. When using client authentication method "private_key_jwt", the OpenID specification says the following about assertion `jti`: "A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties". Hydra does not seem to check the uniqueness of this `jti` value. This problem is fixed in version 0.31.0.
CVE-2020-15163 | 1 Linuxfoundation | 1 The Update Framework | 2024-11-21 | 4.9 MEDIUM | 8.7 HIGH | The Python TUF (The Update Framework) reference implementation before version 0.12 will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a person-in-the-middle attack), culminating in a version which has not been correctly signed, to control the trust chain for future updates. This is fixed in version 0.12 and newer.
CVE-2020-14453 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers to cause a denial of service, aka MMSA-2020-0005.
CVE-2020-14122 | 1 Mi | 1 Miui | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM | Some Xiaomi phones have information leakage vulnerabilities, and some of them may be able to forge a specific identity due to the lack of parameter verification, resulting in user information leakage.
CVE-2020-14116 | 1 Mi | 1 Mi Browser | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An intent redirection vulnerability exists in the Mi Browser product. This vulnerability is caused by the Mi Browser not verifying the validity of incoming data. Attackers can perform sensitive operations by exploiting this.
CVE-2020-14115 | 1 Mi | 2 Ax3600, Ax3600 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | A command injection vulnerability exists in the Xiaomi Router AX3600. The vulnerability is caused by a lack of inspection of incoming data. Attackers can exploit this vulnerability to execute code.
CVE-2020-14111 | 1 Mi | 2 Ax3600, Ax3600 Firmware | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | A command injection vulnerability exists in the Xiaomi Router AX3600. The vulnerability is caused by a lack of inspection of incoming data. Attackers can exploit this vulnerability to execute code.
CVE-2020-13272 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.5 MEDIUM | 7.5 HIGH | An OAuth flow missing verification checks in GitLab CE/EE 12.3 and later through 13.0.1 allows an unverified user to use the OAuth authorization code flow.
CVE-2020-13265 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM | A user email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows a user to bypass email verification.
CVE-2020-13178 | 1 Teradici | 2 Graphics Agent, Pcoip Standard Agent | 2024-11-21 | 4.6 MEDIUM | 6.7 MEDIUM | A function in the Teradici PCoIP Standard Agent for Windows and Graphics Agent for Windows prior to version 20.04.1 does not properly validate the signature of an external binary, which could allow an attacker to gain elevated privileges via execution in the context of the PCoIP Agent process.
CVE-2020-12406 | 2 Canonical, Mozilla | 4 Ubuntu Linux, Firefox, Firefox Esr and 1 more | 2024-11-21 | 9.3 HIGH | 8.8 HIGH | Mozilla developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash. We presume that with enough effort it could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.
CVE-2020-12119 | 1 Ledger | 1 Ledger Live | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH | Ledger Live before 2.7.0 does not handle Bitcoin's Replace-By-Fee (RBF). It increases the user's balance with the value of an unconfirmed transaction as soon as it is received (before the transaction is confirmed) and does not decrease the balance when it is canceled. As a result, users are exposed to basic double spending attacks, amplified double spending attacks, and DoS attacks without user consent.