ReportizFlow
Filtered by vendor
Subscriptions
Total
4190 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-35470 | 1 Envoyproxy | 1 Envoy | 2024-11-21 | 8.8 High |
| Envoy before 1.16.1 logs an incorrect downstream address because it considers only the directly connected peer, not the information in the proxy protocol header. This affects situations with tcp-proxy as the network filter (not HTTP filters). | ||||
| CVE-2020-2504 | 1 Qnap | 1 Qes | 2024-11-21 | 5.8 Medium |
| If exploited, this absolute path traversal vulnerability could allow attackers to traverse files in File Station. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later. | ||||
| CVE-2020-2500 | 1 Qnap | 1 Helpdesk | 2024-11-21 | 9.8 Critical |
| This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Attackers can access the sensitive data on QNAP Kayako server with API keys. We have replaced the API key to mitigate the vulnerability, and already fixed the issue in Helpdesk 3.0.1 and later versions. | ||||
| CVE-2020-2025 | 1 Katacontainers | 1 Runtime | 2024-11-21 | 8.8 High |
| Kata Containers before 1.11.0 on Cloud Hypervisor persists guest filesystem changes to the underlying image file on the host. A malicious guest can overwrite the image file to gain control of all subsequent guest VMs. Since Kata Containers uses the same VM image file with all VMMs, this issue may also affect QEMU and Firecracker based guests. | ||||
| CVE-2020-29020 | 1 Secomea | 2 Sitemanager, Sitemanager Firmware | 2024-11-21 | 9.1 Critical |
| Improper Access Control vulnerability in web service of Secomea SiteManager allows remote attacker to access the web UI from the internet using the configured credentials. This issue affects: Secomea SiteManager All versions prior to 9.4.620527004 on Hardware. | ||||
| CVE-2020-27873 | 1 Netgear | 38 Ac2100, Ac2100 Firmware, Ac2400 and 35 more | 2024-11-21 | 6.5 Medium |
| This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R7450 1.2.0.62_1.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SOAP API endpoint, which listens on TCP port 80 by default. The issue results from the lack of proper access control. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-11559. | ||||
| CVE-2020-27831 | 1 Redhat | 1 Quay | 2024-11-21 | 4.3 Medium |
| A flaw was found in Red Hat Quay, where it does not properly protect the authorization token when authorizing email addresses for repository email notifications. This flaw allows an attacker to add email addresses they do not own to repository notifications. | ||||
| CVE-2020-27195 | 1 Hashicorp | 1 Nomad | 2024-11-21 | 9.1 Critical |
| HashiCorp Nomad and Nomad Enterprise version 0.9.0 up to 0.12.5 client file sandbox feature can be subverted using either the template or artifact stanzas. Fixed in 0.12.6, 0.11.5, and 0.10.6 | ||||
| CVE-2020-26224 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 7.5 High |
| In PrestaShop before version 1.7.6.9 an attacker is able to list all the orders placed on the website without being logged by abusing the function that allows a shopping cart to be recreated from an order already placed. The problem is fixed in 1.7.6.9. | ||||
| CVE-2020-26160 | 2 Jwt-go Project, Redhat | 6 Jwt-go, Container Native Virtualization, Cryostat and 3 more | 2024-11-21 | 7.5 High |
| jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. | ||||
| CVE-2020-26080 | 1 Cisco | 1 Iot Field Network Director | 2024-11-21 | 4.1 Medium |
| A vulnerability in the user management functionality of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to manage user information for users in different domains on an affected system. The vulnerability is due to improper domain access control. An attacker could exploit this vulnerability by manipulating JSON payloads to target different domains on an affected system. A successful exploit could allow the attacker to manage user information for users in different domains on an affected system. | ||||
| CVE-2020-26077 | 1 Cisco | 1 Iot Field Network Director | 2024-11-21 | 4.3 Medium |
| A vulnerability in the access control functionality of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to view lists of users from different domains that are configured on an affected system. The vulnerability is due to improper access control. An attacker could exploit this vulnerability by sending an API request that alters the domain for a requested user list on an affected system. A successful exploit could allow the attacker to view lists of users from different domains on the affected system. | ||||
| CVE-2020-26072 | 1 Cisco | 1 Iot Field Network Director | 2024-11-21 | 8.7 High |
| A vulnerability in the SOAP API of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to access and modify information on devices that belong to a different domain. The vulnerability is due to insufficient authorization in the SOAP API. An attacker could exploit this vulnerability by sending SOAP API requests to affected devices for devices that are outside their authorized domain. A successful exploit could allow the attacker to access and modify information on devices that belong to a different domain. | ||||
| CVE-2020-25816 | 1 Hashicorp | 1 Vault | 2024-11-21 | 6.8 Medium |
| HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7 and 1.5.4. | ||||
| CVE-2020-25716 | 1 Redhat | 2 Cloudforms, Cloudforms Managementengine | 2024-11-21 | 8.1 High |
| A flaw was found in Cloudforms. A role-based privileges escalation flaw where export or import of administrator files is possible. An attacker with a specific group can perform actions restricted only to system administrator. This is the affect of an incomplete fix for CVE-2020-10783. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before cfme 5.11.10.1 are affected | ||||
| CVE-2020-25701 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2024-11-21 | 5.3 Medium |
| If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. | ||||
| CVE-2020-25698 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2024-11-21 | 7.5 High |
| Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This could lead to them unenrolling users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. | ||||
| CVE-2020-25662 | 1 Redhat | 1 Enterprise Linux | 2024-11-21 | 5.3 Medium |
| A Red Hat only CVE-2020-12352 regression issue was found in the way the Linux kernel's Bluetooth stack implementation handled the initialization of stack memory when handling certain AMP packets. This flaw allows a remote attacker in an adjacent range to leak small portions of stack memory on the system by sending specially crafted AMP packets. The highest threat from this vulnerability is to data confidentiality. | ||||
| CVE-2020-25654 | 3 Clusterlabs, Debian, Redhat | 4 Pacemaker, Debian Linux, Enterprise Linux and 1 more | 2024-11-21 | 7.2 High |
| An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration. | ||||
| CVE-2020-25634 | 1 Redhat | 2 3scale, 3scale Api Management | 2024-11-21 | 5.4 Medium |
| A flaw was found in Red Hat 3scale’s API docs URL, where it is accessible without credentials. This flaw allows an attacker to view sensitive information or modify service APIs. Versions before 3scale-2.10.0-ER1 are affected. | ||||