Total
2304 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-13957 | 1 Apache | 1 Solr | 2024-11-21 | 9.8 Critical |
| Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions. | ||||
| CVE-2020-13834 | 1 Google | 1 Android | 2024-11-21 | 7.5 High |
| An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (with TEEGRIS) software. Secure Folder does not properly restrict use of Android Debug Bridge (adb) for arbitrary installations. The Samsung ID is SVE-2020-17369 (June 2020). | ||||
| CVE-2020-13696 | 5 Canonical, Debian, Fedoraproject and 2 more | 6 Ubuntu Linux, Debian Linux, Fedora and 3 more | 2024-11-21 | 4.4 Medium |
| An issue was discovered in LinuxTV xawtv before 3.107. The function dev_open() in v4l-conf.c does not perform sufficient checks to prevent an unprivileged caller of the program from opening unintended filesystem paths. This allows a local attacker with access to the v4l-conf setuid-root program to test for the existence of arbitrary files and to trigger an open on arbitrary files with mode O_RDWR. To achieve this, relative path components need to be added to the device path, as demonstrated by a v4l-conf -c /dev/../root/.bash_history command. | ||||
| CVE-2020-13676 | 1 Drupal | 1 Drupal | 2024-11-21 | 6.5 Medium |
| The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. | ||||
| CVE-2020-13335 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 Medium |
| Improper group membership validation when deleting a user account in GitLab >=7.12 allows a user to delete own account without deleting/transferring their group. | ||||
| CVE-2020-13334 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.9 Medium |
| In GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, improper authorization checks allow a non-member of a project/group to change the confidentiality attribute of issue via mutation GraphQL query | ||||
| CVE-2020-13322 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 7.2 High |
| A vulnerability was discovered in GitLab versions after 12.9. Due to improper verification of permissions, an unauthorized user can create and delete deploy tokens. | ||||
| CVE-2020-13313 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 Medium |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. An unauthorized project maintainer could edit the subgroup badges due to the lack of authorization control. | ||||
| CVE-2020-13300 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 8 High |
| GitLab CE/EE version 13.3 prior to 13.3.4 was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow. | ||||
| CVE-2020-13284 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.5 Medium |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API Authorization Using Outdated CI Job Token | ||||
| CVE-2020-13277 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.3 Medium |
| An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5 | ||||
| CVE-2020-13263 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 7.5 High |
| An authorization issue relating to project maintainer impersonation was identified in GitLab EE 9.5 and later through 13.0.1 that could allow unauthorized users to impersonate as a maintainer to perform limited actions. | ||||
| CVE-2020-12876 | 2 Microsoft, Veritas | 2 Windows, Aptare | 2024-11-21 | 7.5 High |
| Veritas APTARE versions prior to 10.4 allowed remote users to access several unintended files on the server. This vulnerability only impacts Windows server deployments. | ||||
| CVE-2020-12875 | 1 Veritas | 1 Aptare | 2024-11-21 | 6.3 Medium |
| Veritas APTARE versions prior to 10.4 did not perform adequate authorization checks. An authenticated user could gain unauthorized access to sensitive information or functionality by manipulating specific parameters within the application. | ||||
| CVE-2020-12780 | 1 Combodo | 1 Itop | 2024-11-21 | 7.5 High |
| A security misconfiguration exists in Combodo iTop, which can expose sensitive information. | ||||
| CVE-2020-12733 | 1 Depstech | 2 Wifi Digital Microscope 3, Wifi Digital Microscope 3 Firmware | 2024-11-21 | 7.5 High |
| Certain Shenzhen PENGLIXIN components on DEPSTECH WiFi Digital Microscope 3, as used by Shekar Endoscope, allow a TELNET connection with the molinkadmin password for the molink account. | ||||
| CVE-2020-12692 | 3 Canonical, Openstack, Redhat | 3 Ubuntu Linux, Keystone, Openstack | 2024-11-21 | 5.4 Medium |
| An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times. | ||||
| CVE-2020-12691 | 3 Canonical, Openstack, Redhat | 3 Ubuntu Linux, Keystone, Openstack | 2024-11-21 | 8.8 High |
| An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. | ||||
| CVE-2020-12690 | 2 Openstack, Redhat | 2 Keystone, Openstack | 2024-11-21 | 8.8 High |
| An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. | ||||
| CVE-2020-12689 | 3 Canonical, Openstack, Redhat | 3 Ubuntu Linux, Keystone, Openstack | 2024-11-21 | 8.8 High |
| An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. | ||||