ReportizFlow
Filtered by vendor
Subscriptions
Total
470 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-1677 | 1 Juniper | 1 Mist Cloud Ui | 2024-11-21 | 7.2 High |
| When SAML authentication is enabled, Juniper Networks Mist Cloud UI might incorrectly handle child elements in SAML responses, allowing a remote attacker to modify a valid SAML response without invalidating its cryptographic signature to bypass SAML authentication security controls. This issue affects all Juniper Networks Mist Cloud UI versions prior to September 2 2020. | ||||
| CVE-2020-19769 | 1 Rtb1 Project | 1 Rtb1 | 2024-11-21 | 7.5 High |
| A lack of target address verification in the BurnMe() function of Rob The Bank 1.0 allows attackers to steal tokens from victim users via a crafted script. | ||||
| CVE-2020-19768 | 1 Tokensale Project | 1 Tokensale | 2024-11-21 | 7.5 High |
| A lack of target address verification in the selfdestructs() function of ICOVO 1.0 allows attackers to steal tokens from victim users via a crafted script. | ||||
| CVE-2020-17049 | 3 Microsoft, Redhat, Samba | 13 Windows Server 1903, Windows Server 1909, Windows Server 2004 and 10 more | 2024-11-21 | 6.6 Medium |
| A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it. The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD. | ||||
| CVE-2020-16250 | 2 Hashicorp, Redhat | 3 Vault, Openshift, Openshift Data Foundation | 2024-11-21 | 8.2 High |
| HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.. | ||||
| CVE-2020-16122 | 2 Canonical, Packagekit Project | 2 Ubuntu Linux, Packagekit | 2024-11-21 | 8.2 High |
| PackageKit's apt backend mistakenly treated all local debs as trusted. The apt security model is based on repository trust and not on the contents of individual files. On sites with configured PolicyKit rules this may allow users to install malicious packages. | ||||
| CVE-2020-15899 | 1 Grin | 1 Grin | 2024-11-21 | 7.5 High |
| Grin 3.0.0 before 4.0.0 has insufficient validation of data related to Mimblewimble. | ||||
| CVE-2020-15699 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 5.3 Medium |
| An issue was discovered in Joomla! through 3.9.19. Missing validation checks on the usergroups table object can result in a broken site configuration. | ||||
| CVE-2020-15262 | 1 Webpack-subresource-integrity Project | 1 Webpack-subresource-integrity | 2024-11-21 | 3.7 Low |
| In webpack-subresource-integrity before version 1.5.1, all dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-level chunks are unaffected. This issue is patched in version 1.5.1. | ||||
| CVE-2020-15222 | 1 Ory | 1 Fosite | 2024-11-21 | 8.1 High |
| In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using "private_key_jwt" authentication the uniqueness of the `jti` value is not checked. When using client authentication method "private_key_jwt", OpenId specification says the following about assertion `jti`: "A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties". Hydra does not seem to check the uniqueness of this `jti` value. This problem is fixed in version 0.31.0. | ||||
| CVE-2020-15163 | 1 Linuxfoundation | 1 The Update Framework | 2024-11-21 | 8.7 High |
| Python TUF (The Update Framework) reference implementation before version 0.12 it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a person-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates. This is fixed in version 0.12 and newer. | ||||
| CVE-2020-14453 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 7.5 High |
| An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers to cause a denial of service, aka MMSA-2020-0005. | ||||
| CVE-2020-14122 | 1 Mi | 1 Miui | 2024-11-21 | 5.5 Medium |
| Some Xiaomi phones have information leakage vulnerabilities, and some of them may be able to forge a specific identity due to the lack of parameter verification, resulting in user information leakage. | ||||
| CVE-2020-14116 | 1 Mi | 1 Mi Browser | 2024-11-21 | 7.5 High |
| An intent redirection vulnerability in the Mi Browser product. This vulnerability is caused by the Mi Browser does not verify the validity of the incoming data. Attackers can perform sensitive operations by exploiting this. | ||||
| CVE-2020-14115 | 1 Mi | 2 Ax3600, Ax3600 Firmware | 2024-11-21 | 9.8 Critical |
| A command injection vulnerability exists in the Xiaomi Router AX3600. The vulnerability is caused by a lack of inspection for incoming data detection. Attackers can exploit this vulnerability to execute code. | ||||
| CVE-2020-14111 | 1 Mi | 2 Ax3600, Ax3600 Firmware | 2024-11-21 | 7.8 High |
| A command injection vulnerability exists in the Xiaomi Router AX3600. The vulnerability is caused by a lack of inspection for incoming data detection. Attackers can exploit this vulnerability to execute code. | ||||
| CVE-2020-13777 | 5 Canonical, Debian, Fedoraproject and 2 more | 7 Ubuntu Linux, Debian Linux, Fedora and 4 more | 2024-11-21 | 7.4 High |
| GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application. | ||||
| CVE-2020-13272 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 7.5 High |
| OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow | ||||
| CVE-2020-13265 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 Medium |
| User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows user to bypass email verification | ||||
| CVE-2020-13178 | 1 Teradici | 2 Graphics Agent, Pcoip Standard Agent | 2024-11-21 | 6.7 Medium |
| A function in the Teradici PCoIP Standard Agent for Windows and Graphics Agent for Windows prior to version 20.04.1 does not properly validate the signature of an external binary, which could allow an attacker to gain elevated privileges via execution in the context of the PCoIP Agent process. | ||||