Total
1368 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-13276 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| User is allowed to set an email as a notification email even without verifying the new email in all previous GitLab CE/EE versions through 13.0.1 | |||||
| CVE-2020-0276 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| In Telephony, there is a possible permission bypass due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-156253586 | |||||
| CVE-2020-13154 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet. | |||||
| CVE-2020-12745 | 1 Google | 1 Android | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Samsung mobile devices with Q(10.0) software. Attackers can bypass the locked-state protection mechanism and access clipboard content via USSD. The Samsung ID is SVE-2019-16556 (May 2020). | |||||
| CVE-2020-12700 | 1 Dkd | 1 Direct Mail | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The direct_mail extension through 5.2.3 for TYPO3 allows Information Disclosure via a newsletter subscriber data Special Query. | |||||
| CVE-2020-12698 | 1 Dkd | 1 Direct Mail | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The direct_mail extension through 5.2.3 for TYPO3 has Broken Access Control for newsletter subscriber tables. | |||||
| CVE-2020-12138 | 1 Amd | 1 Atillk64 | 2021-07-21 | 9.0 HIGH | 8.8 HIGH |
| AMD ATI atillk64.sys 5.11.9.0 allows low-privileged users to interact directly with physical memory by calling one of several driver routines that map physical memory into the virtual address space of the calling process. This could enable low-privileged users to achieve NT AUTHORITY\SYSTEM privileges via a DeviceIoControl call associated with MmMapIoSpace, IoAllocateMdl, MmBuildMdlForNonPagedPool, or MmMapLockedPages. | |||||
| CVE-2020-11680 | 1 Castel | 2 Nextgen Dvr, Nextgen Dvr Firmware | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Castel NextGen DVR v1.0.0 is vulnerable to authorization bypass on all administrator functionality. The application fails to check that a request was submitted by an administrator. Consequently, a normal user can perform actions including, but not limited to, creating/modifying the file store, creating/modifying alerts, creating/modifying users, etc. | |||||
| CVE-2020-11679 | 1 Castel | 2 Nextgen Dvr, Nextgen Dvr Firmware | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| Castel NextGen DVR v1.0.0 is vulnerable to privilege escalation through the Adminstrator/Users/Edit/:UserId functionality. Adminstrator/Users/Edit/:UserId fails to check that the request was submitted by an Administrator. This allows a normal user to escalate their privileges by adding additional roles to their account. | |||||
| CVE-2020-11671 | 1 Teampass | 1 Teampass | 2021-07-21 | 5.8 MEDIUM | 8.1 HIGH |
| Lack of authorization controls in REST API functions in TeamPass through 2.1.27.36 allows any TeamPass user with a valid API token to become a TeamPass administrator and read/modify all passwords via authenticated api/index.php REST API calls. NOTE: the API is not available by default. | |||||
| CVE-2020-11514 | 1 Rankmath | 1 Rankmath | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to update arbitrary WordPress metadata, including the ability to escalate or revoke administrative privileges for existing users via the unsecured rankmath/v1/updateMeta REST API endpoint. | |||||
| CVE-2020-11465 | 1 Deskpro | 1 Deskpro | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Deskpro before 2019.8.0. The /api/apps/* endpoints failed to properly validate a user's privilege, allowing an attacker to control/install helpdesk applications and leak current applications' configurations, including applications used as user sources (used for authentication). This enables an attacker to forge valid authentication models that resembles any user on the system. | |||||
| CVE-2020-11463 | 1 Deskpro | 1 Deskpro | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Deskpro before 2019.8.0. The /api/email_accounts endpoint failed to properly validate a user's privilege, allowing an attacker to retrieve cleartext credentials of all helpdesk email accounts, including incoming and outgoing email credentials. This enables an attacker to get full access to all emails sent or received by the system including password reset emails, making it possible to reset any user's password. | |||||
| CVE-2020-10858 | 1 Zulip | 1 Zulip Desktop | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Zulip Desktop before 5.0.0 allows attackers to perform recording via the webcam and microphone due to a missing permission request handler. | |||||
| CVE-2020-0284 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| In Telephony, there is a possible permission bypass due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-156253784 | |||||
| CVE-2020-0285 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| In Telephony, there is a possible permission bypass due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-156253479 | |||||
| CVE-2020-10257 | 1 Themerex | 63 Addons, Aldo-gutenberg Wordpress Blog Theme, Amuli and 60 more | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter. | |||||
| CVE-2020-10194 | 1 Zimbra | 1 Zm-mailbox | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| cs/service/account/AutoCompleteGal.java in Zimbra zm-mailbox before 8.8.15.p8 allows authenticated users to request any GAL account. This differs from the intended behavior in which the domain of the authenticated user must match the domain of the galsync account in the request. | |||||
| CVE-2020-10187 | 1 Doorkeeper Project | 1 Doorkeeper | 2021-07-21 | 4.3 MEDIUM | 7.5 HIGH |
| Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized applications controller is enabled. | |||||
| CVE-2020-10116 | 1 Cpanel | 1 Cpanel | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| cPanel before 84.0.20 allows attackers to bypass intended restrictions on features and demo accounts via WebDisk UAPI calls (SEC-541). | |||||