Filtered by CWE-862
Total 5236 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-13445 1 Liferay 1 Liferay Portal 2024-11-21 8.8 High
In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity templates.
CVE-2020-13425 1 Thetrackr 2 Trackr, Trackr Firmware 2024-11-21 7.1 High
TrackR devices through 2020-05-06 allow attackers to trigger the Beep (aka alarm) feature, which will eventually cause a denial of service when battery capacity is exhausted.
CVE-2020-13422 1 Openiam 1 Openiam 2024-11-21 8.1 High
OpenIAM before 4.2.0.3 does not verify if a user has permissions to perform /webconsole/rest/api/* administrative actions.
CVE-2020-13319 1 Gitlab 1 Gitlab 2024-11-21 4.3 Medium
An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. Missing permission check for adding time spent on an issue.
CVE-2020-13296 1 Gitlab 1 Gitlab 2024-11-21 6.5 Medium
An issue has been discovered in GitLab affecting versions >=10.7 <13.0.14, >=13.1.0 <13.1.8, >=13.2.0 <13.2.6. Improper Access Control for Deploy Tokens.
CVE-2020-13276 1 Gitlab 1 Gitlab 2024-11-21 7.4 High
User is allowed to set an email as a notification email even without verifying the new email in all previous GitLab CE/EE versions through 13.0.1.
CVE-2020-13270 1 Gitlab 1 Gitlab 2024-11-21 7.5 High
Missing permission check on fork relation creation in GitLab CE/EE 11.3 and later through 13.0.1 allows guest users to create a fork relation on restricted public projects via API.
CVE-2020-13266 1 Gitlab 1 Gitlab 2024-11-21 4.3 Medium
Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions.
CVE-2020-13154 1 Zohocorp 1 Manageengine Servicedesk Plus 2024-11-21 6.5 Medium
Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet.
CVE-2020-13144 1 Edx 1 Open Edx Platform 2024-11-21 8.8 High
Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, edit the problem, and execute Python code. This leads to arbitrary code execution.
CVE-2020-12745 1 Google 1 Android 2024-11-21 7.5 High
An issue was discovered on Samsung mobile devices with Q(10.0) software. Attackers can bypass the locked-state protection mechanism and access clipboard content via USSD. The Samsung ID is SVE-2019-16556 (May 2020).
CVE-2020-12734 1 Depstech 2 Wifi Digital Microscope 3, Wifi Digital Microscope 3 Firmware 2024-11-21 8.1 High
DEPSTECH WiFi Digital Microscope 3 allows remote attackers to change the SSID and password, and demand a ransom payment from the rightful device owner, because there is no way to reset to Factory Default settings.
CVE-2020-12700 1 Dkd 1 Direct Mail 2024-11-21 4.3 Medium
The direct_mail extension through 5.2.3 for TYPO3 allows Information Disclosure via a newsletter subscriber data Special Query.
CVE-2020-12698 1 Dkd 1 Direct Mail 2024-11-21 4.3 Medium
The direct_mail extension through 5.2.3 for TYPO3 has Broken Access Control for newsletter subscriber tables.
CVE-2020-12138 1 Amd 1 Atillk64 2024-11-21 8.8 High
AMD ATI atillk64.sys 5.11.9.0 allows low-privileged users to interact directly with physical memory by calling one of several driver routines that map physical memory into the virtual address space of the calling process. This could enable low-privileged users to achieve NT AUTHORITY\SYSTEM privileges via a DeviceIoControl call associated with MmMapIoSpace, IoAllocateMdl, MmBuildMdlForNonPagedPool, or MmMapLockedPages.
CVE-2020-11967 1 Evenroute 2 Iqrouter, Iqrouter Firmware 2024-11-21 9.8 Critical
In IQrouter through 3.3.1, remote attackers can control the device (restart network, reboot, upgrade, reset) because of Incorrect Access Control. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time”
CVE-2020-11741 4 Debian, Fedoraproject, Opensuse and 1 more 4 Debian Linux, Fedora, Leap and 1 more 2024-11-21 8.8 High
An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (with active profiling) to obtain sensitive information about other guests, cause a denial of service, or possibly gain privileges. For guests for which "active" profiling was enabled by the administrator, the xenoprof code uses the standard Xen shared ring structure. Unfortunately, this code did not treat the guest as a potential adversary: it trusts the guest not to modify buffer size information or modify head / tail pointers in unexpected ways. This can crash the host (DoS). Privilege escalation cannot be ruled out.
CVE-2020-11740 4 Debian, Fedoraproject, Opensuse and 1 more 4 Debian Linux, Fedora, Leap and 1 more 2024-11-21 5.5 Medium
An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (without active profiling) to obtain sensitive information about other guests. Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not scrubbed.
CVE-2020-11680 1 Castel 2 Nextgen Dvr, Nextgen Dvr Firmware 2024-11-21 6.5 Medium
Castel NextGen DVR v1.0.0 is vulnerable to authorization bypass on all administrator functionality. The application fails to check that a request was submitted by an administrator. Consequently, a normal user can perform actions including, but not limited to, creating/modifying the file store, creating/modifying alerts, creating/modifying users, etc.
CVE-2020-11679 1 Castel 2 Nextgen Dvr, Nextgen Dvr Firmware 2024-11-21 8.8 High
Castel NextGen DVR v1.0.0 is vulnerable to privilege escalation through the Adminstrator/Users/Edit/:UserId functionality. Adminstrator/Users/Edit/:UserId fails to check that the request was submitted by an Administrator. This allows a normal user to escalate their privileges by adding additional roles to their account.