Total
3293 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-7296 | 1 Mcafee | 1 Web Gateway | 2023-11-07 | 2.7 LOW | 5.7 MEDIUM |
| Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows authenticated user interface user to access protected configuration files via improper access control in the user interface. | |||||
| CVE-2020-7295 | 1 Mcafee | 1 Web Gateway | 2023-11-07 | 4.1 MEDIUM | 4.6 MEDIUM |
| Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows authenticated user interface user to delete or download protected log data via improper access controls in the user interface. | |||||
| CVE-2020-7297 | 1 Mcafee | 1 Web Gateway | 2023-11-07 | 2.7 LOW | 5.7 MEDIUM |
| Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows authenticated user interface user to access protected dashboard data via improper access control in the user interface. | |||||
| CVE-2020-7276 | 1 Mcafee | 1 Endpoint Security | 2023-11-07 | 4.6 MEDIUM | 6.7 MEDIUM |
| Authentication bypass vulnerability in MfeUpgradeTool in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 April 2020 Update allows administrator users to access policy settings via running this tool. | |||||
| CVE-2020-7294 | 1 Mcafee | 1 Web Gateway | 2023-11-07 | 4.1 MEDIUM | 4.6 MEDIUM |
| Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows authenticated user interface user to delete or download protected files via improper access controls in the REST interface. | |||||
| CVE-2020-7293 | 1 Mcafee | 1 Web Gateway | 2023-11-07 | 7.7 HIGH | 9.0 CRITICAL |
| Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows authenticated user interface user with low permissions to change the system's root password via improper access controls in the user interface. | |||||
| CVE-2020-3361 | 1 Cisco | 2 Webex Meetings, Webex Meetings Server | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to gain unauthorized access to a vulnerable Webex site. The vulnerability is due to improper handling of authentication tokens by a vulnerable Webex site. An attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site. If successful, the attacker could gain the privileges of another user within the affected Webex site. | |||||
| CVE-2020-36548 | 1 Ge | 2 Voluson S8, Voluson S8 Firmware | 2023-11-07 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability classified as problematic has been found in GE Voluson S8. Affected is the file /uscgi-bin/users.cgi of the Service Browser. The manipulation leads to improper authentication and elevated access possibilities. It is possible to launch the attack on the local host. | |||||
| CVE-2020-3565 | 1 Cisco | 1 Firepower Threat Defense | 2023-11-07 | 4.3 MEDIUM | 5.8 MEDIUM |
| A vulnerability in the TCP Intercept functionality of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured Access Control Policies (including Geolocation) and Service Polices on an affected system. The vulnerability exists because TCP Intercept is invoked when the embryonic connection limit is reached, which can cause the underlying detection engine to process the packet incorrectly. An attacker could exploit this vulnerability by sending a crafted stream of traffic that matches a policy on which TCP Intercept is configured. A successful exploit could allow the attacker to match on an incorrect policy, which could allow the traffic to be forwarded when it should be dropped. In addition, the traffic could incorrectly be dropped. | |||||
| CVE-2020-29668 | 3 Debian, Fedoraproject, Sympa | 3 Debian Linux, Fedora, Sympa | 2023-11-07 | 4.3 MEDIUM | 3.7 LOW |
| Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun. | |||||
| CVE-2020-24786 | 1 Zohocorp | 11 Manageengine Ad360, Manageengine Adaudit Plus, Manageengine Admanager Plus and 8 more | 2023-11-07 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise. | |||||
| CVE-2020-26558 | 5 Bluetooth, Debian, Fedoraproject and 2 more | 34 Bluetooth Core Specification, Debian Linux, Fedora and 31 more | 2023-11-07 | 4.3 MEDIUM | 4.2 MEDIUM |
| Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. | |||||
| CVE-2020-25592 | 2 Debian, Saltstack | 2 Debian Linux, Salt | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH. | |||||
| CVE-2020-1718 | 1 Redhat | 3 Jboss Fuse, Keycloak, Openshift Application Runtimes | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application. | |||||
| CVE-2020-17510 | 2 Apache, Debian | 2 Shiro, Debian Linux | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. | |||||
| CVE-2020-17523 | 1 Apache | 1 Shiro | 2023-11-07 | 9.0 HIGH | 9.8 CRITICAL |
| Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. | |||||
| CVE-2020-10709 | 1 Redhat | 1 Ansible Tower | 2023-11-07 | 3.6 LOW | 7.1 HIGH |
| A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower uses the token to provide authentication. This flaw allows an attacker to obtain a refresh token that does not expire. The original token granted to the user still has access to Ansible Tower, which allows any user that can gain access to the token to be fully authenticated to Ansible Tower. This flaw affects Ansible Tower versions before 3.6.4 and Ansible Tower versions before 3.5.6. | |||||
| CVE-2019-9497 | 2 Fedoraproject, W1.fi | 3 Fedora, Hostapd, Wpa Supplicant | 2023-11-07 | 6.8 MEDIUM | 8.1 HIGH |
| The implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit. This vulnerability may allow an attacker to complete EAP-PWD authentication without knowing the password. However, unless the crypto library does not implement additional checks for the EC point, the attacker will not be able to derive the session key or complete the key exchange. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected. | |||||
| CVE-2019-9499 | 6 Debian, Fedoraproject, Freebsd and 3 more | 9 Debian Linux, Fedora, Freebsd and 6 more | 2023-11-07 | 6.8 MEDIUM | 8.1 HIGH |
| The implementations of EAP-PWD in wpa_supplicant EAP Peer, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may complete authentication, session key and control of the data connection with a client. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected. | |||||
| CVE-2019-9498 | 6 Debian, Fedoraproject, Freebsd and 3 more | 9 Debian Linux, Fedora, Freebsd and 6 more | 2023-11-07 | 6.8 MEDIUM | 8.1 HIGH |
| The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may be able to use invalid scalar/element values to complete authentication, gaining session key and network access without needing or learning the password. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected. | |||||