Total
635 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-6774 | 1 Bosch | 2 Recording Station, Recording Station Firmware | 2020-05-29 | 7.2 HIGH | 8.8 HIGH |
| Improper Access Control in the Kiosk Mode functionality of Bosch Recording Station allows a local unauthenticated attacker to escape from the Kiosk Mode and access the underlying operating system. | |||||
| CVE-2020-11931 | 2 Canonical, Pulseaudio | 2 Ubuntu Linux, Pulseaudio | 2020-05-19 | 2.1 LOW | 3.3 LOW |
| An Ubuntu-specific modification to Pulseaudio to provide security mediation for Snap-packaged applications was found to have a bypass of intended access restriction for snaps which plugs any of pulseaudio, audio-playback or audio-record via unloading the pulseaudio snap policy module. This issue affects: pulseaudio 1:8.0 versions prior to 1:8.0-0ubuntu3.12; 1:11.1 versions prior to 1:11.1-1ubuntu7.7; 1:13.0 versions prior to 1:13.0-1ubuntu1.2; 1:13.99.1 versions prior to 1:13.99.1-1ubuntu3.2; | |||||
| CVE-2020-12687 | 1 Serpico Project | 1 Serpico | 2020-05-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Serpico before 1.3.3. The /admin/attacments_backup endpoint can be requested by non-admin authenticated users. This means that an attacker with a user account can retrieve all of the attachments of all users (including administrators) from the database. | |||||
| CVE-2020-5887 | 1 F5 | 13 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 10 more | 2020-05-04 | 6.4 MEDIUM | 9.1 CRITICAL |
| On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, BIG-IP Virtual Edition (VE) may expose a mechanism for remote attackers to access local daemons and bypass port lockdown settings. | |||||
| CVE-2012-1846 | 1 Google | 1 Chrome | 2020-04-16 | 10.0 HIGH | N/A |
| Google Chrome 17.0.963.66 and earlier allows remote attackers to bypass the sandbox protection mechanism by leveraging access to a sandboxed process, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2012. NOTE: the primary affected product may be clarified later; it was not identified by the researcher, who reportedly stated "it really doesn't matter if it's third-party code." | |||||
| CVE-2020-10867 | 2 Avast, Microsoft | 2 Antivirus, Windows | 2020-04-02 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to bypass intended access restrictions on tasks from an untrusted process, when Self Defense is enabled. | |||||
| CVE-2013-2183 | 1 Monkey-project | 1 Monkey | 2020-03-26 | 3.6 LOW | 7.1 HIGH |
| Monkey HTTP Daemon has local security bypass | |||||
| CVE-2020-10238 | 1 Joomla | 1 Joomla\! | 2020-03-19 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Joomla! before 3.9.16. Various actions in com_templates lack the required ACL checks, leading to various potential attack vectors. | |||||
| CVE-2020-1981 | 1 Paloaltonetworks | 1 Pan-os | 2020-03-13 | 7.2 HIGH | 7.8 HIGH |
| A predictable temporary filename vulnerability in PAN-OS allows local privilege escalation. This issue allows a local attacker who bypassed the restricted shell to execute commands as a low privileged user and gain root access on the PAN-OS hardware or virtual appliance. This issue affects only PAN-OS 8.1 versions earlier than PAN-OS 8.1.13. This issue does not affect PAN-OS 7.1, PAN-OS 9.0, or later PAN-OS versions. | |||||
| CVE-2019-10805 | 1 Sideralis | 1 Valib.js | 2020-03-05 | 5.0 MEDIUM | 7.5 HIGH |
| valib through 2.0.0 allows Internal Property Tampering. A maliciously crafted JavaScript object can bypass several inspection functions provided by valib. Valib uses a built-in function (hasOwnProperty) from the unsafe user-input to examine an object. It is possible for a crafted payload to overwrite this function to manipulate the inspection results to bypass security checks. | |||||
| CVE-2020-8121 | 1 Nextcloud | 1 Nextcloud Server | 2020-02-11 | 5.5 MEDIUM | 8.1 HIGH |
| A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. | |||||
| CVE-2019-3682 | 1 Suse | 1 Caas Platform | 2020-02-06 | 4.6 MEDIUM | 7.8 HIGH |
| The docker-kubic package in SUSE CaaS Platform 3.0 before 17.09.1_ce-7.6.1 provided access to an insecure API locally on the Kubernetes master node. | |||||
| CVE-2020-7912 | 1 Jetbrains | 1 Youtrack | 2020-02-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains YouTrack before 2019.2.59309, SMTP/Jabber settings could be accessed using backups. | |||||
| CVE-2019-4633 | 1 Ibm | 1 Security Secret Server | 2020-01-30 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM Security Secret Server 10.7 could allow an attacker to obtain sensitive information due to an overly permissive CORS policy. IBM X-Force ID: 170007. | |||||
| CVE-2019-10781 | 1 Schema-inspector Project | 1 Schema-inspector | 2020-01-29 | 7.5 HIGH | 9.8 CRITICAL |
| In schema-inspector before 1.6.9, a maliciously crafted JavaScript object can bypass the `sanitize()` and the `validate()` function used within schema-inspector. | |||||
| CVE-2019-13927 | 1 Siemens | 32 Pxa30-w0, Pxa30-w0 Firmware, Pxa30-w1 and 29 more | 2019-12-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability has been identified in Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D with Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 (All firmware versions < V6.00.320), Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U with Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 (All firmware versions < V6.00.320), Desigo PX automation controllers PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D with activated web server (All firmware versions < V6.00.320). The device contains a vulnerability that could allow an attacker to cause a denial of service condition on the device's web server by sending a specially crafted HTTP message to the web server port (tcp/80). The security vulnerability could be exploited by an attacker with network access to an affected device. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise the availability of the device's web service. While the device itself stays operational, the web server responds with HTTP status code 404 (Not found) to any further request. A reboot is required to recover the web interface. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2019-8779 | 1 Apple | 2 Ipados, Iphone Os | 2019-12-26 | 7.5 HIGH | 10.0 CRITICAL |
| A logic issue applied the incorrect restrictions. This issue was addressed by updating the logic to apply the correct restrictions. This issue is fixed in iOS 13.1.1 and iPadOS 13.1.1. Third party app extensions may not receive the correct sandbox restrictions. | |||||
| CVE-2014-2387 | 3 Debian, Opensuse, Pen Project | 3 Debian Linux, Opensuse, Pen | 2019-12-19 | 4.6 MEDIUM | 4.4 MEDIUM |
| Pen 0.18.0 has Insecure Temporary File Creation vulnerabilities | |||||
| CVE-2019-15689 | 1 Kaspersky | 4 Kaspersky Internet Security, Secure Connection, Security Cloud and 1 more | 2019-12-18 | 4.6 MEDIUM | 6.7 MEDIUM |
| Kaspersky Secure Connection, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Security Cloud prior to version 2020 patch E have bug that allows a local user to execute arbitrary code via execution compromised file placed by an attacker with administrator rights. No privilege escalation. Possible whitelisting bypass some of the security products | |||||
| CVE-2013-0163 | 1 Redhat | 1 Openshift | 2019-12-14 | 2.1 LOW | 5.5 MEDIUM |
| OpenShift haproxy cartridge: predictable /tmp in set-proxy connection hook which could facilitate DoS | |||||