Total
394 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-25685 | 5 Arista, Debian, Fedoraproject and 2 more | 10 Eos, Debian Linux, Fedora and 7 more | 2024-11-21 | 3.7 Low |
| A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. | ||||
| CVE-2020-1982 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 4.8 Medium |
| Certain communication between PAN-OS and cloud-delivered services inadvertently use TLS 1.0, which is known to be a cryptographically weak protocol. These cloud services include Cortex Data Lake, the Customer Support Portal, and the Prisma Access infrastructure. Conditions required for exploitation of known TLS 1.0 weaknesses do not exist for the communication between PAN-OS and cloud-delivered services. We do not believe that any communication is impacted as a result of known attacks against TLS 1.0. This issue impacts: All versions of PAN-OS 8.0; PAN-OS 8.1 versions earlier than PAN-OS 8.1.14; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 9.1 versions earlier than PAN-OS 9.1.3. PAN-OS 7.1 is not impacted by this issue. | ||||
| CVE-2020-18220 | 1 Html-js | 1 Doracms | 2024-11-21 | 7.5 High |
| Weak Encoding for Password in DoraCMS v2.1.1 and earlier allows attackers to obtain sensitive information as it does not use a random salt or IV for its AES-CBC encryption, causes password encrypted for users to be susceptible to dictionary attacks. | ||||
| CVE-2020-17494 | 1 Untangle | 1 Untangle Firewall Ng | 2024-11-21 | 5.3 Medium |
| Untangle Firewall NG before 16.0 uses MD5 for passwords. | ||||
| CVE-2020-16235 | 1 Emerson | 1 Openenterprise Scada Server | 2024-11-21 | 3.8 Low |
| Inadequate encryption may allow the credentials used by Emerson OpenEnterprise, up through version 3.3.5, to access field devices and external systems to be obtained. | ||||
| CVE-2020-15387 | 1 Broadcom | 2 Brocade Sannav, Fabric Operating System | 2024-11-21 | 7.4 High |
| The host SSH servers of Brocade Fabric OS before Brocade Fabric OS v7.4.2h, v8.2.1c, v8.2.2, v9.0.0, and Brocade SANnav before v2.1.1 utilize keys of less than 2048 bits, which may be vulnerable to man-in-the-middle attacks and/or insecure SSH communications. | ||||
| CVE-2020-14517 | 1 Wibu | 1 Codemeter | 2024-11-21 | 9.8 Critical |
| Protocol encryption can be easily broken for CodeMeter (All versions prior to 6.90 are affected, including Version 6.90 or newer only if CodeMeter Runtime is running as server) and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API. | ||||
| CVE-2020-14481 | 1 Rockwellautomation | 1 Factorytalk View | 2024-11-21 | 7.8 High |
| The DeskLock tool provided with FactoryTalk View SE uses a weak encryption algorithm that may allow a local, authenticated attacker to decipher user credentials, including the Windows user or Windows DeskLock passwords. If the compromised user has an administrative account, an attacker could gain full access to the user’s operating system and certain components of FactoryTalk View SE. | ||||
| CVE-2020-13785 | 1 Dlink | 2 Dir-865l, Dir-865l Firmware | 2024-11-21 | 7.5 High |
| D-Link DIR-865L Ax 1.20B01 Beta devices have Inadequate Encryption Strength. | ||||
| CVE-2020-12872 | 1 Yaws | 1 Yaws | 2024-11-21 | 5.5 Medium |
| yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks, if running on an Erlang/OTP virtual machine with a version less than 21.0. | ||||
| CVE-2020-12714 | 1 Ciphermail | 2 Gateway, Webmail Messenger | 2024-11-21 | 5.9 Medium |
| An issue was discovered in CipherMail Community Gateway Virtual Appliances and Professional/Enterprise Gateway Virtual Appliances versions 1.0.1 through 4.7.1-0 and CipherMail Webmail Messenger Virtual Appliances 1.1.1 through 3.1.1-0. A Diffie-Hellman parameter of insufficient size could allow man-in-the-middle compromise of communications between CipherMail products and external SMTP clients. | ||||
| CVE-2020-10919 | 1 Automationdirect | 13 C-more Hmi Ea9 Firmware, Ea9-pgmsw, Ea9-rhmi and 10 more | 2024-11-21 | 5.9 Medium |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of C-MORE HMI EA9 Firmware version 6.52 touch screen panels. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. When transmitting passwords, the process encrypts them in a recoverable format. An attacker can leverage this vulnerability to disclose credentials, leading to further compromise. Was ZDI-CAN-10185. | ||||
| CVE-2020-10866 | 2 Avast, Microsoft | 2 Antivirus, Windows | 2024-11-21 | 7.5 High |
| An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to enumerate the network interfaces and access points from a Low Integrity process via RPC. | ||||
| CVE-2020-10636 | 1 Emerson | 1 Openenterprise Scada Server | 2024-11-21 | 6.5 Medium |
| Inadequate encryption may allow the passwords for Emerson OpenEnterprise versions through 3.3.4 user accounts to be obtained. | ||||
| CVE-2020-10601 | 1 Visam | 2 Vbase Editor, Vbase Web-remote | 2024-11-21 | 7.8 High |
| VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module allow weak hashing algorithm and insecure permissions which may allow a local attacker to bypass the password-protected mechanism through brute-force attacks, cracking techniques, or overwriting the password hash. | ||||
| CVE-2020-10554 | 1 Psyprax | 1 Psyprax | 2024-11-21 | 7.5 High |
| An issue was discovered in Psyprax beforee 3.2.2. Passwords used to encrypt the data are stored in the database in an obfuscated format, which can be easily reverted. For example, the password AAAAAAAA is stored in the database as MMMMMMMM. | ||||
| CVE-2020-10375 | 1 Newmediacompany | 1 Smarty | 2024-11-21 | 5.5 Medium |
| An issue was discovered in New Media Smarty before 9.10. Passwords are stored in the database in an obfuscated format that can be easily reversed. The file data.mdb contains these obfuscated passwords in the second column. NOTE: this is unrelated to the popular Smarty template engine product. | ||||
| CVE-2020-10275 | 3 Easyrobotics, Mobile-industrial-robots, Uvd-robots | 20 Er-flex, Er-flex Firmware, Er-lite and 17 more | 2024-11-21 | 9.8 Critical |
| The access tokens for the REST API are directly derived from the publicly available default credentials for the web interface. Given a USERNAME and a PASSWORD, the token string is generated directly with base64(USERNAME:sha256(PASSWORD)). An unauthorized attacker inside the network can use the default credentials to compute the token and interact with the REST API to exfiltrate, infiltrate or delete data. | ||||
| CVE-2020-10244 | 1 Jpaseto Project | 1 Jpaseto | 2024-11-21 | 7.5 High |
| JPaseto before 0.3.0 generates weak hashes when using v2.local tokens. | ||||
| CVE-2020-10125 | 1 Ncr | 2 Aptra Xfs, Selfserv Atm | 2024-11-21 | 7.6 High |
| NCR SelfServ ATMs running APTRA XFS 04.02.01 and 05.01.00 implement 512-bit RSA certificates to validate bunch note acceptor (BNA) software updates, which can be broken by an attacker with physical access in a sufficiently short period of time, thereby enabling the attacker to sign arbitrary files and CAB archives used to update BNA software, as well as bypass application whitelisting, resulting in the ability to execute arbitrary code. | ||||