Total
9649 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-35167 | 2 Dell, Oracle | 6 Bsafe Crypto-c-micro-edition, Bsafe Micro-edition-suite, Database and 3 more | 2024-11-21 | 4.8 Medium |
| Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability. | ||||
| CVE-2020-35111 | 2 Mozilla, Redhat | 6 Firefox, Firefox Esr, Thunderbird and 3 more | 2024-11-21 | 4.3 Medium |
| When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6. | ||||
| CVE-2020-2732 | 1 Redhat | 2 Enterprise Linux, Rhel Extras Rt | 2024-11-21 | 5.8 Medium |
| A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest. | ||||
| CVE-2020-2307 | 2 Jenkins, Redhat | 2 Kubernetes, Openshift | 2024-11-21 | 4.3 Medium |
| Jenkins Kubernetes Plugin 1.27.3 and earlier allows low-privilege users to access possibly sensitive Jenkins controller environment variables. | ||||
| CVE-2020-2181 | 2 Jenkins, Redhat | 2 Credentials Binding, Openshift | 2024-11-21 | 6.5 Medium |
| Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps. | ||||
| CVE-2020-2104 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | 4.3 Medium |
| Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart. | ||||
| CVE-2020-2103 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | 5.4 Medium |
| Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page. | ||||
| CVE-2020-2022 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 7.5 High |
| An information exposure vulnerability exists in Palo Alto Networks Panorama software that discloses the token for the Panorama web interface administrator's session to a managed device when the Panorama administrator performs a context switch into that device. This vulnerability allows an attacker to gain privileged access to the Panorama web interface. An attacker requires some knowledge of managed firewalls to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.17; PAN-OS 9.0 versions earlier than PAN-OS 9.0.11; PAN-OS 9.1 versions earlier than PAN-OS 9.1.5. | ||||
| CVE-2020-29371 | 1 Linux | 1 Linux Kernel | 2024-11-21 | 3.3 Low |
| An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd. | ||||
| CVE-2020-29075 | 3 Adobe, Apple, Microsoft | 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more | 2024-11-21 | 7.1 High |
| Acrobat Reader DC versions 2020.013.20066 (and earlier), 2020.001.30010 (and earlier) and 2017.011.30180 (and earlier) are affected by an information exposure vulnerability, that could enable an attacker to get a DNS interaction and track if the user has opened or closed a PDF file when loaded from the filesystem without a prompt. User interaction is required to exploit this vulnerability. | ||||
| CVE-2020-29043 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 7.5 High |
| An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name. | ||||
| CVE-2020-29005 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 7.5 High |
| The API in the Push extension for MediaWiki through 1.35 used cleartext for ApiPush credentials, allowing for potential information disclosure. | ||||
| CVE-2020-28588 | 1 Linux | 1 Linux Kernel | 2024-11-21 | 5.5 Medium |
| An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so it’s likely that all versions in between are affected. An attacker can read /proc/pid/syscall to trigger this vulnerability, which leads to the kernel leaking memory contents. | ||||
| CVE-2020-28482 | 1 Fastify | 1 Fastify-csrf | 2024-11-21 | 5.9 Medium |
| This affects the package fastify-csrf before 3.0.0. 1. The generated cookie used insecure defaults, and did not have the httpOnly flag on: cookieOpts: { path: '/', sameSite: true } 2. The CSRF token was available in the GET query parameter | ||||
| CVE-2020-28368 | 3 Debian, Fedoraproject, Xen | 3 Debian Linux, Fedora, Xen | 2024-11-21 | 4.4 Medium |
| Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a "Platypus" attack. NOTE: there is only one logically independent fix: to change the access control for each such interface in Xen. | ||||
| CVE-2020-28333 | 1 Barco | 2 Wepresent Wipg-1600w, Wepresent Wipg-1600w Firmware | 2024-11-21 | 9.8 Critical |
| Barco wePresent WiPG-1600W devices allow Authentication Bypass. Affected Version(s): 2.5.1.8. The Barco wePresent WiPG-1600W web interface does not use session cookies for tracking authenticated sessions. Instead, the web interface uses a "SEID" token that is appended to the end of URLs in GET requests. Thus the "SEID" would be exposed in web proxy logs and browser history. An attacker that is able to capture the "SEID" and originate requests from the same IP address (via a NAT device or web proxy) would be able to access the user interface of the device without having to know the credentials. | ||||
| CVE-2020-28199 | 1 Bestit | 1 Amazon Pay | 2024-11-21 | 9.1 Critical |
| best it Amazon Pay Plugin before 9.4.2 for Shopware exposes Sensitive Information to an Unauthorized Actor. | ||||
| CVE-2020-27612 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 4.3 Medium |
| Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window. | ||||
| CVE-2020-27414 | 1 Mahadiscom | 1 Mahavitaran | 2024-11-21 | 5.9 Medium |
| Mahavitaran android application 7.50 and prior transmit sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header, MITM or browser history. | ||||
| CVE-2020-27403 | 1 Tcl | 14 32s330, 32s330 Firmware, 40s330 and 11 more | 2024-11-21 | 6.5 Medium |
| A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below by TCL Technology Group Corporation allows an attacker on the adjacent network to arbitrarily browse and download sensitive files over an insecure web server running on port 7989 that lists all files & directories. An unprivileged remote attacker on the adjacent network, can download most system files, leading to serious critical information disclosure. Also, some TV models and/or FW versions may expose the webserver with the entire filesystem accessible on another port. For example, nmap scan for all ports run directly from the TV model U43P6046 (Android 8.0) showed port 7983 not mentioned in the original CVE description, but containing the same directory listing of the entire filesystem. This webserver is bound (at least) to localhost interface and accessible freely to all unprivileged installed apps on the Android such as a regular web browser. Any app can therefore read any files of any other apps including Android system settings including sensitive data such as saved passwords, private keys etc. | ||||