Total
3604 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15027 | 1 Connectwise | 1 Automate | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| ConnectWise Automate through 2020.x has insufficient validation on certain authentication paths, allowing authentication bypass via a series of attempts. This was patched in 2020.7 and in a hotfix for 2019.12. | |||||
| CVE-2020-14485 | 1 Openclinic Ga Project | 1 Openclinic Ga | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| OpenClinic GA versions 5.09.02 and 5.89.05b may allow an attacker to bypass client-side access controls or use a crafted request to initiate a session with limited functionality, which may allow execution of admin functions such as SQL queries. | |||||
| CVE-2020-14455 | 1 Mattermost | 1 Mattermost Desktop | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Mattermost Desktop App before 4.4.0. Prompting for HTTP Basic Authentication is mishandled, allowing phishing, aka MMSA-2020-0007. | |||||
| CVE-2020-14380 | 1 Redhat | 1 Satellite | 2024-11-21 | 6.0 MEDIUM | 7.5 HIGH |
| An account takeover flaw was found in Red Hat Satellite 6.7.2 onward. A potential attacker with proper authentication to the relevant external authentication source (SSO or Open ID) can claim the privileges of already existing local users of Satellite. | |||||
| CVE-2020-14299 | 1 Redhat | 3 Jboss Enterprise Application Platform, Openshift Application Runtimes, Single Sign-on | 2024-11-21 | 6.3 MEDIUM | 6.5 MEDIUM |
| A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability. | |||||
| CVE-2020-14158 | 1 Abus | 2 Secvest Hybrid Fumo50110, Secvest Hybrid Fumo50110 Firmware | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| The ABUS Secvest FUMO50110 hybrid module does not have any security mechanism that ensures confidentiality or integrity of RF packets that are exchanged with an alarm panel. This makes it easier to conduct wAppLoxx authentication-bypass attacks. | |||||
| CVE-2020-14070 | 1 Mk-auth | 1 Mk-auth | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in MK-AUTH 19.01. There is authentication bypass in the web login functionality because guessable credentials to admin/executar_login.php result in admin access. | |||||
| CVE-2020-13859 | 1 Mofinetwork | 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. A format error in /etc/shadow, coupled with a logic bug in the LuCI - OpenWrt Configuration Interface framework, allows the undocumented system account mofidev to login to the cgi-bin/luci/quick/wizard management interface without a password by abusing a forgotten-password feature. | |||||
| CVE-2020-13365 | 1 Zyxel | 8 Nas326, Nas326 Firmware, Nas520 and 5 more | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Certain Zyxel products have a locally accessible binary that allows a non-root user to generate a password for an undocumented user account that can be used for a TELNET session as root. This affects NAS520 V5.21(AASZ.4)C0, V5.21(AASZ.0)C0, V5.11(AASZ.3)C0, and V5.11(AASZ.0)C0; NAS542 V5.11(ABAG.0)C0, V5.20(ABAG.1)C0, and V5.21(ABAG.3)C0; NSA325 v2_V4.81(AALS.0)C0 and V4.81(AAAJ.1)C0; NSA310 4.22(AFK.0)C0 and 4.22(AFK.1)C0; NAS326 V5.21(AAZF.8)C0, V5.11(AAZF.4)C0, V5.11(AAZF.2)C0, and V5.11(AAZF.3)C0; NSA310S V4.75(AALH.2)C0; NSA320S V4.75(AANV.2)C0 and V4.75(AANV.1)C0; NSA221 V4.41(AFM.1)C0; and NAS540 V5.21(AATB.5)C0 and V5.21(AATB.3)C0. | |||||
| CVE-2020-13303 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 7.1 HIGH |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Due to improper verification of permissions, an unauthorized user can access a private repository within a public project. | |||||
| CVE-2020-13292 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.5 MEDIUM | 9.6 CRITICAL |
| In GitLab before 13.0.12, 13.1.6 and 13.2.3, it is possible to bypass E-mail verification which is required for OAuth Flow. | |||||
| CVE-2020-13290 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.5 MEDIUM | 7.5 HIGH |
| In GitLab before 13.0.12, 13.1.6, and 13.2.3, improper access control was used on the Applications page | |||||
| CVE-2020-13185 | 1 Teradici | 1 Cloud Access Connector | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Certain web application pages in the authenticated section of the Teradici Cloud Access Connector prior to v18 were accessible without the need to specify authentication tokens, which allowed an attacker in the ability to execute sensitive functions without credentials. | |||||
| CVE-2020-12874 | 1 Veritas | 1 Aptare | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Veritas APTARE versions prior to 10.4 included code that bypassed the normal login process when specific authentication credentials were provided to the server. | |||||
| CVE-2020-12848 | 1 Pydio | 1 Cells | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
| In Pydio Cells 2.0.4, once an authenticated user shares a file selecting the create a public link option, a hidden shared user account is created in the backend with a random username. An anonymous user that obtains a valid public link can get the associated hidden account username and password and proceed to login to the web application. Once logged into the web application with the hidden user account, some actions that were not available with the public share link can now be performed. | |||||
| CVE-2020-12638 | 1 Espressif | 3 Esp-idf, Esp8266 Nonos Sdk, Esp8266 Rtos Sdk | 2024-11-21 | 4.3 MEDIUM | 6.8 MEDIUM |
| An encryption-bypass issue was discovered on Espressif ESP-IDF devices through 4.2, ESP8266_NONOS_SDK devices through 3.0.3, and ESP8266_RTOS_SDK devices through 3.3. Broadcasting forged beacon frames forces a device to change its authentication mode to OPEN, effectively disabling its 802.11 encryption. | |||||
| CVE-2020-12145 | 1 Silver-peak | 1 Unity Orchestrator | 2024-11-21 | 7.5 HIGH | 6.6 MEDIUM |
| Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ uses HTTP headers to authenticate REST API calls from localhost. This makes it possible to log in to Orchestrator by introducing an HTTP HOST header set to 127.0.0.1 or localhost. Orchestrator instances that are hosted by customers –on-premise or in a public cloud provider –are affected by this vulnerability. | |||||
| CVE-2020-12126 | 1 Wavlink | 2 Wn530h4, Wn530h4 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple authentication bypass vulnerabilities in the /cgi-bin/ endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allow an attacker to leak router settings, change configuration variables, and cause denial of service via an unauthenticated endpoint. | |||||
| CVE-2020-11965 | 1 Evenroute | 2 Iqrouter, Iqrouter Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In IQrouter through 3.3.1, there is a root user without a password, which allows attackers to gain full remote access via SSH. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time” | |||||
| CVE-2020-11964 | 1 Evenroute | 2 Iqrouter, Iqrouter Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In IQrouter through 3.3.1, the Lua function diag_set_password in the web-panel allows remote attackers to change the root password arbitrarily. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time” | |||||