Search
Total
1247 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-26822 | 1 Sap | 1 Solution Manager | 2021-07-21 | 6.4 MEDIUM | 10.0 CRITICAL |
| SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the Outside Discovery Configuration Service, this has an impact to the integrity and availability of the service. | |||||
| CVE-2020-26821 | 1 Sap | 1 Solution Manager | 2021-07-21 | 6.4 MEDIUM | 10.0 CRITICAL |
| SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the SVG Converter Service, this has an impact to the integrity and availability of the service. | |||||
| CVE-2020-29138 | 1 Sagemcom | 2 F\@st 3486 Router, F\@st 3486 Router Firmware | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Incorrect Access Control in the configuration backup path in SAGEMCOM F@ST3486 NET DOCSIS 3.0, software NET_4.109.0, allows remote unauthenticated users to download the router configuration file via the /backupsettings.conf URI, when any valid session is running. | |||||
| CVE-2020-7131 | 1 Hp | 3 Blade Maintenance Entity, Integrated Maintenance Entity, Maintenance Entity | 2021-07-21 | 9.0 HIGH | 9.0 CRITICAL |
| This document describes a security vulnerability in Blade Maintenance Entity, Integrated Maintenance Entity and Maintenance Entity products. All J/H-series NonStop systems have a security vulnerability associated with an open UDP port 17185 on the Maintenance LAN which could result in information disclosure, denial-of-service attacks or local memory corruption against the affected system and a complete control of the system may also be possible. This vulnerability exists only if one gains access to the Maintenance LAN to which Blade Maintenance Entity, Integrated Maintenance Entity or Maintenance Entity product is connected. **Workaround:** Block the UDP port 17185(In the Maintenance LAN Network Switch/Firewall). Fix: Install following SPRs, which are already available: * T1805A01^AAI (Integrated Maintenance Entity) * T4805A01^AAZ (Blade Maintenance Entity). These SPRs are also usable with the following RVUs: * J06.19.00 ? J06.23.01. No fix planned for the following RVUs: J06.04.00 ? J06.18.01. No fix planned for H-Series NonStop systems. No fix planned for the product T2805 (Maintenance Entity). | |||||
| CVE-2020-26506 | 1 Marmind | 1 Marmind | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An Authorization Bypass vulnerability in the Marmind web application with version 4.1.141.0 allows users with lower privileges to gain control to files uploaded by administrative users. The accessed files were not visible by the low privileged users in the web GUI. | |||||
| CVE-2020-9982 | 1 Apple | 1 Music | 2021-07-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Apple Music 3.4.0 for Android. A malicious application may be able to leak a user's credentials. | |||||
| CVE-2020-26650 | 1 Atomx | 1 Atomxcms | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| AtomXCMS 2.0 is affected by Arbitrary File Read via admin/dump.php | |||||
| CVE-2020-7124 | 1 Arubanetworks | 1 Airwave Glass | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| A remote unauthorized access vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2. | |||||
| CVE-2020-26649 | 1 Atomx | 1 Atomxcms 2 | 2021-07-21 | 5.5 MEDIUM | 8.1 HIGH |
| AtomXCMS 2.0 is affected by Incorrect Access Control via admin/dump.php | |||||
| CVE-2020-26160 | 1 Jwt-go Project | 1 Jwt-go | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. | |||||
| CVE-2020-15958 | 1 1crm | 1 1crm | 2021-07-21 | 5.0 MEDIUM | 8.6 HIGH |
| An issue was discovered in 1CRM System through 8.6.7. An insecure direct object reference to internally stored files allows a remote attacker to access various sensitive information via an unauthenticated request with a predictable URL. | |||||
| CVE-2020-13316 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not validating a Deploy-Token and allowed a disabled repository be accessible via a git command line. | |||||
| CVE-2020-10239 | 1 Joomla | 1 Joomla\! | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Joomla! before 3.9.16. Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users. | |||||
| CVE-2020-0061 | 1 Google | 1 Android | 2021-07-21 | 4.9 MEDIUM | 5.5 MEDIUM |
| In Pixel Recorder, there is a possible permissions bypass allowing arbitrary apps to record audio. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-145504977 | |||||
| CVE-2020-25025 | 1 Localization Manager Project | 1 Localization Manager | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The l10nmgr (aka Localization Manager) extension before 7.4.0, 8.x before 8.7.0, and 9.x before 9.2.0 for TYPO3 allows Information Disclosure (translatable fields). | |||||
| CVE-2020-14457 | 1 Mattermost | 1 Mattermost Server | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012. | |||||
| CVE-2020-10779 | 1 Redhat | 1 Cloudforms | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Red Hat CloudForms 4.7 and 5 leads to insecure direct object references (IDOR) and functional level access control bypass due to missing privilege check. Therefore, if an attacker knows the right criteria, it is possible to access some sensitive data within the CloudForms. | |||||
| CVE-2020-11911 | 1 Treck | 1 Tcp\/ip | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Treck TCP/IP stack before 6.0.1.66 has Improper ICMPv4 Access Control. | |||||
| CVE-2020-9411 | 2 Ibm, Tibco | 2 I, Managed File Transfer Platform Server | 2021-07-21 | 9.3 HIGH | 9.8 CRITICAL |
| The file transfer component of TIBCO Software Inc.'s TIBCO Managed File Transfer Platform Server for IBM i contains a vulnerability that theoretically allows an attacker to perform unauthorized network file transfers to and from the file system accessible to the affected component. This vulnerability is exploitable when the configuration option 'Require Node Resp' is set to 'No'. In the event of a successful exploit, the attacker could theoretically read and write any file on the file system accessible to the affected component, thus fully affecting the confidentiality, integrity, and availability of the operating system hosting the deployment of the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Managed File Transfer Platform Server for IBM i: versions 7.1.0 and below, version 8.0.0. | |||||
| CVE-2020-11470 | 1 Zoom | 1 Meetings | 2021-07-21 | 2.1 LOW | 3.3 LOW |
| Zoom Client for Meetings through 4.6.8 on macOS has the disable-library-validation entitlement, which allows a local process (with the user's privileges) to obtain unprompted microphone and camera access by loading a crafted library and thereby inheriting Zoom Client's microphone and camera access. | |||||
| CVE-2019-20801 | 1 Readdle | 1 Documents | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in the Readdle Documents app before 6.9.7 for iOS. The application's file-transfer web server allows for cross-origin requests from any domain, and the WebSocket server lacks authorization control. Any web site can execute JavaScript code (that accesses a user's data) via cross-origin requests. | |||||
| CVE-2020-5566 | 1 Cybozu | 1 Garoon | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper authorization vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 allows remote authenticated attackers to alter the application's data via the applications 'E-mail' and 'Messages'. | |||||
| CVE-2020-7133 | 1 Hp | 1 Hpe Iot \+ Gcp | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| A unauthorized remote access vulnerability was discovered in HPE IOT + GCP version(s): 1.4.0, 1.4.1, 1.4.2, 1.2.4.2. | |||||
| CVE-2020-3861 | 1 Apple | 1 Itunes | 2021-07-21 | 3.6 LOW | 7.1 HIGH |
| The issue was addressed with improved permissions logic. This issue is fixed in iTunes for Windows 12.10.4. A user may gain access to protected parts of the file system. | |||||
| CVE-2019-4446 | 1 Ibm | 19 Control Desk, Maximo Asset Configuration Manager, Maximo Asset Health Insights and 16 more | 2021-07-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM Maximo Asset Management 7.6 could allow an authenticated user perform actions they are not authorized to by modifying request parameters. IBM X-Force ID: 163490. | |||||
| CVE-2020-11601 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. There is unauthorized access to applications in the Secure Folder via floating icons. The Samsung ID is SVE-2019-16195 (April 2020). | |||||
| CVE-2020-11856 | 1 Microfocus | 1 Operation Bridge Reporter | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| Arbitrary code execution vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow remote attackers to execute arbitrary code on affected installations of OBR. | |||||
| CVE-2020-8439 | 1 Monstra | 1 Monstra | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login parameter to an edit URI, as demonstrated by login=victim to the users/21/edit URI. | |||||
| CVE-2020-4151 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM QRadar SIEM 7.3.0 through 7.3.3 could allow an authenticated attacker to perform unauthorized actions due to improper input validation. IBM X-Force ID: 174201. | |||||
| CVE-2019-8855 | 1 Apple | 1 Mac Os X | 2021-07-21 | 4.3 MEDIUM | 6.3 MEDIUM |
| An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Catalina 10.15. A malicious application may be able to access restricted files. | |||||
| CVE-2019-8856 | 1 Apple | 4 Ipados, Iphone Os, Mac Os X and 1 more | 2021-07-21 | 4.3 MEDIUM | 3.3 LOW |
| An API issue existed in the handling of outgoing phone calls initiated with Siri. This issue was addressed with improved state handling. This issue is fixed in iOS 13.3 and iPadOS 13.3, watchOS 6.1.1, macOS Catalina 10.15.2, Security Update 2019-002 Mojave, and Security Update 2019-007 High Sierra. Calls made using Siri may be initiated using the wrong cellular plan on devices with two active plans. | |||||
| CVE-2019-8857 | 1 Apple | 2 Ipados, Iphone Os | 2021-07-21 | 2.1 LOW | 3.3 LOW |
| The issue was addressed with improved validation when an iCloud Link is created. This issue is fixed in iOS 13.3 and iPadOS 13.3. Live Photo audio and video data may be shared via iCloud links even if Live Photo is disabled in the Share Sheet carousel. | |||||
| CVE-2020-12785 | 1 Cpanel | 1 Cpanel | 2021-07-21 | 5.5 MEDIUM | 8.1 HIGH |
| cPanel before 86.0.14 allows attackers to obtain access to the current working directory via the account backup feature (SEC-540). | |||||
| CVE-2020-10073 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| GitLab EE 12.4.2 through 12.8.1 allows Denial of Service. It was internally discovered that a potential denial of service involving permissions checks could impact a project home page. | |||||
| CVE-2020-13850 | 1 Pandorafms | 1 Pandora Fms | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| Artica Pandora FMS 7.44 has inadequate access controls on a web folder. | |||||
| CVE-2020-26878 | 1 Commscope | 2 Ruckus Iot Module, Ruckus Vriot | 2021-07-21 | 9.0 HIGH | 8.8 HIGH |
| Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py. | |||||
| CVE-2020-4499 | 1 Ibm | 2 Security Access Manager, Security Verify Access | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| IBM Security Access Manager 9.0.7 and IBM Security Verify Access 10.0.0 could allow an unauthorized public Oauth client to bypass some or all of the authentication checks and gain access to applications. IBM X-Force ID: 182216. | |||||
| CVE-2020-3891 | 1 Apple | 3 Ipad Os, Iphone Os, Watchos | 2021-07-21 | 2.1 LOW | 2.4 LOW |
| A logic issue was addressed with improved state management. This issue is fixed in iOS 13.4 and iPadOS 13.4, watchOS 6.2. A person with physical access to a locked iOS device may be able to respond to messages even when replies are disabled. | |||||
| CVE-2020-14191 | 1 Atlassian | 2 Crucible, Fisheye | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| Affected versions of Atlassian Fisheye/Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the MessageBundleResource within Atlassian Gadgets. The affected versions are before version 4.8.4. | |||||
| CVE-2020-35219 | 1 Asus | 2 Dsl-n17u, Dsl-n17u Firmware | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| The ASUS DSL-N17U modem with firmware 1.1.0.2 allows attackers to access the admin interface by changing the admin password without authentication via a POST request to Advanced_System_Content.asp with the uiViewTools_username=admin&uiViewTools_Password= and uiViewTools_PasswordConfirm= substrings. | |||||
| CVE-2019-18666 | 1 D-link | 2 Dap-1360 Revision F, Dap-1360 Revision F Firmware | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on D-Link DAP-1360 revision F devices. Remote attackers can start a telnet service without authorization via an undocumented HTTP request. Although this is the primary vulnerability, the impact depends on the firmware version. Versions 609EU through 613EUbeta were tested. Versions through 6.12b01 have weak root credentials, allowing an attacker to gain remote root access. After 6.12b01, the root credentials were changed but the telnet service can still be started without authorization. | |||||
| CVE-2020-14214 | 1 Zammad | 1 Zammad | 2021-07-21 | 5.8 MEDIUM | 6.5 MEDIUM |
| Zammad before 3.3.1, when Domain Based Assignment is enabled, relies on a claimed e-mail address for authorization decisions. An attacker can register a new account that will have access to all tickets of an arbitrary Organization. | |||||
| CVE-2020-15943 | 1 Gantt-chart Project | 1 Gantt-chart | 2021-07-21 | 5.5 MEDIUM | 8.1 HIGH |
| An issue was discovered in the Gantt-Chart module before 5.5.4 for Jira. Due to a missing privilege check, it is possible to read and write to the module configuration of other users. This can also be used to deliver an XSS payload to other users' dashboards. To exploit this vulnerability, an attacker has to be authenticated. | |||||
| CVE-2020-25824 | 1 Telegram | 1 Telegram Desktop | 2021-07-21 | 2.1 LOW | 2.4 LOW |
| Telegram Desktop through 2.4.3 does not require passcode entry upon pushing the Export key within the Export Telegram Data wizard. The threat model is a victim who has voluntarily opened Export Wizard but is then distracted. An attacker then approaches the unattended desktop and pushes the Export key. This attacker may consequently gain access to all chat conversation and media files. | |||||
| CVE-2020-15408 | 1 Pulsesecure | 2 Pulse Connect Secure, Pulse Secure Desktop Client | 2021-07-21 | 5.8 MEDIUM | 4.6 MEDIUM |
| An issue was discovered in Pulse Secure Pulse Connect Secure before 9.1R8. An authenticated attacker can access the admin page console via the end-user web interface because of a rewrite. | |||||
| CVE-2021-21674 | 1 Jenkins | 1 Requests | 2021-07-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view the list of pending requests. | |||||
| CVE-2021-0547 | 1 Google | 1 Android | 2021-06-25 | 4.6 MEDIUM | 7.8 HIGH |
| In onReceive of NetInitiatedActivity.java, there is a possible way to supply an attacker-controlled value to a GPS HAL handler due to a missing permission check. This could lead to local escalation of privilege that may result in undefined behavior in some HAL implementations with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174151048 | |||||
| CVE-2021-0568 | 1 Google | 1 Android | 2021-06-24 | 4.6 MEDIUM | 7.8 HIGH |
| In onReceive of DevicePolicyManagerService.java, there is a possible enabling of disabled profiles due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-170121238 | |||||
| CVE-2021-0554 | 1 Google | 1 Android | 2021-06-23 | 2.1 LOW | 5.5 MEDIUM |
| In isBackupServiceActive of BackupManagerService.java, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-158482162 | |||||
| CVE-2021-0521 | 1 Google | 1 Android | 2021-06-23 | 2.1 LOW | 5.5 MEDIUM |
| In getAllPackages of PackageManagerService, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure of cross-user permissions with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-174661955 | |||||