Total
505 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-20950 | 5 Apple, Ietf, Linux and 2 more | 5 Macos, Public Key Cryptography Standards \#1, Linux Kernel and 2 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA in Microchip Libraries for Applications 2018-11-26 All up to 2018-11-26. The vulnerability can allow one to use Bleichenbacher's oracle attack to decrypt an encrypted ciphertext by making successive queries to the server using the vulnerable library, resulting in remote information disclosure. | |||||
| CVE-2020-20949 | 2 Ietf, St | 22 Public Key Cryptography Standards \#1, Stm32cubef0, Stm32cubef1 and 19 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA in STM32 cryptographic firmware library software expansion for STM32Cube (UM1924). The vulnerability can allow one to use Bleichenbacher's oracle attack to decrypt an encrypted ciphertext by making successive queries to the server using the vulnerable library, resulting in remote information disclosure. | |||||
| CVE-2020-1826 | 1 Huawei | 2 Honor Magic2, Honor Magic2 Firmware | 2024-11-21 | 2.1 LOW | 4.4 MEDIUM |
| Huawei Honor Magic2 mobile phones with versions earlier than 10.0.0.175(C00E59R2P11) have an information leak vulnerability. Due to a module using weak encryption tool, an attacker with the root permission may exploit the vulnerability to obtain some information. | |||||
| CVE-2020-1810 | 1 Huawei | 6 Cloudengine 12800, Cloudengine 12800 Firmware, S5700 and 3 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| There is a weak algorithm vulnerability in some Huawei products. The affected products use the RSA algorithm in the SSL key exchange algorithm which have been considered as a weak algorithm. Attackers may exploit this vulnerability to leak some information. | |||||
| CVE-2020-1596 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-11-21 | 2.9 LOW | 5.4 MEDIUM |
| <p>A information disclosure vulnerability exists when TLS components use weak hash algorithms. An attacker who successfully exploited this vulnerability could obtain information to further compromise a users's encrypted transmission channel.</p> <p>To exploit the vulnerability, an attacker would have to conduct a man-in-the-middle attack.</p> <p>The update addresses the vulnerability by correcting how TLS components use hash algorithms.</p> | |||||
| CVE-2020-15128 | 1 Octobercms | 1 October | 2024-11-21 | 3.5 LOW | 6.1 MEDIUM |
| In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them. Issue has been fixed in build 468 (v1.0.468). | |||||
| CVE-2020-15098 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains including potential privilege escalation, insecure deserialization & remote code execution. The overall severity of this vulnerability is high based on mentioned attack chains and the requirement of having a valid backend user session (authenticated). This has been patched in versions 9.5.20 and 10.4.6. | |||||
| CVE-2020-14517 | 1 Wibu | 1 Codemeter | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Protocol encryption can be easily broken for CodeMeter (All versions prior to 6.90 are affected, including Version 6.90 or newer only if CodeMeter Runtime is running as server) and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API. | |||||
| CVE-2020-14264 | 1 Hcltech | 1 Traveler Companion | 2024-11-21 | 2.1 LOW | 3.9 LOW |
| "HCL Traveler Companion is vulnerable to an iOS weak cryptographic process vulnerability via the included MobileIron AppConnect SDK" | |||||
| CVE-2020-14254 | 1 Hcltech | 1 Bigfix Platform | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| TLS-RSA cipher suites are not disabled in HCL BigFix Inventory up to v10.0.2. If TLS 2.0 and secure ciphers are not enabled then an attacker can passively record traffic and later decrypt it. | |||||
| CVE-2020-14246 | 1 Hcltechsw | 1 Onetest Performance | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| HCL OneTest Performance V9.5, V10.0, V10.1 uses basic authentication which is relatively weak. An attacker could potentially decode the encoded credentials. | |||||
| CVE-2020-13777 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2024-11-21 | 5.8 MEDIUM | 7.4 HIGH |
| GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application. | |||||
| CVE-2020-13757 | 3 Canonical, Fedoraproject, Python-rsa Project | 3 Ubuntu Linux, Fedora, Python-rsa | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation). | |||||
| CVE-2020-13135 | 1 Dlink | 2 Dsp-w215, Dsp-w215 Firmware | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
| D-Link DSP-W215 1.26b03 devices allow information disclosure by intercepting messages on the local network, as demonstrated by a Squid Proxy. | |||||
| CVE-2020-12702 | 1 Coolkit | 1 Ewelink | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process. | |||||
| CVE-2020-11876 | 1 Zoom | 1 Meetings | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| airhost.exe in Zoom Client for Meetings 4.6.11 uses the SHA-256 hash of 0123425234234fsdfsdr3242 for initialization of an OpenSSL EVP AES-256 CBC context. NOTE: the vendor states that this initialization only occurs within unreachable code | |||||
| CVE-2020-11872 | 1 Bluetrace | 1 Opentrace | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The Cloud Functions subsystem in OpenTrace 1.0 might allow fabrication attacks by making billions of TempID requests before an AES-256-GCM key rotation occurs. | |||||
| CVE-2020-11500 | 1 Zoom | 1 Meetings | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Zoom Client for Meetings through 4.6.9 uses the ECB mode of AES for video and audio encryption. Within a meeting, all participants use a single 128-bit key. | |||||
| CVE-2020-11035 | 2 Fedoraproject, Glpi-project | 2 Fedora, Glpi | 2024-11-21 | 6.4 MEDIUM | 7.5 HIGH |
| In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6. | |||||
| CVE-2020-11031 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 5.0 MEDIUM | 7.8 HIGH |
| In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption library. The library chosen is sodium. | |||||