| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 801 | CVE-2020-5734 | 120 | | DoS Overflow | 2020-04-07 | 2020-04-07 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | Classic buffer overflow in SolarWinds Dameware allows a remote, unauthenticated attacker to cause a denial of service by sending a large 'SigPubkeyLen' during ECDH key exchange. |
| 802 | CVE-2020-5733 | 601 | | | 2020-04-17 | 2020-04-23 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | In OpenMRS 2.9 and prior, the export functionality of the Data Exchange Module does not properly redirect to a login page when an unauthenticated user attempts to access it. This allows the export of potentially sensitive information. |
| 803 | CVE-2020-5732 | 601 | | | 2020-04-17 | 2020-04-23 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | In OpenMRS 2.9 and prior, the import functionality of the Data Exchange Module does not properly redirect to a login page when an unauthenticated user attempts to access it. This allows unauthenticated users to use a feature typically restricted to administrators. |
| 804 | CVE-2020-5731 | 79 | | XSS | 2020-04-17 | 2020-04-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In OpenMRS 2.9 and prior, the app parameter for the ActiveVisit's page is vulnerable to cross-site scripting. |
| 805 | CVE-2020-5730 | 79 | | XSS | 2020-04-17 | 2020-04-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In OpenMRS 2.9 and prior, the sessionLocation parameter for the login page is vulnerable to cross-site scripting. |
| 806 | CVE-2020-5729 | 79 | | XSS | 2020-04-17 | 2020-04-23 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In OpenMRS 2.9 and prior, the UI Framework Error Page reflects arbitrary, user-supplied input back to the browser, which can result in XSS. Any page that is able to trigger a UI Framework Error is susceptible to this issue. |
| 807 | CVE-2020-5728 | 20 | | XSS | 2020-04-17 | 2021-07-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | OpenMRS 2.9 and prior copies "Referrer" header values into an HTML element named "redirectUrl" within many webpages (such as login.htm). There is insufficient validation for this parameter, which allows for the possibility of cross-site scripting. |
| 808 | CVE-2020-5721 | 522 | | | 2020-04-15 | 2020-04-28 | 2.1 | None | Local | Low | Not required | Partial | None | None | MikroTik WinBox 3.22 and below stores the user's cleartext password in the settings.cfg.viw configuration file when the Keep Password field is set and no Master Password is set. Keep Password is set by default and, by default, Master Password is not set. An attacker with access to the configuration file can extract a username and password to gain access to the router. |
| 809 | CVE-2020-5571 | 200 | | +Info | 2020-04-23 | 2020-04-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | SHARP AQUOS series (AQUOS SH-M02 build number 01.00.05 and earlier, AQUOS SH-RM02 build number 01.00.04 and earlier, AQUOS mini SH-M03 build number 01.00.04 and earlier, AQUOS Keitai SH-N01 build number 01.00.01 and earlier, AQUOS L2 (UQ mobile/J:COM) build number 01.00.05 and earlier, AQUOS sense lite SH-M05 build number 03.00.04 and earlier, AQUOS sense (UQ mobile) build number 03.00.03 and earlier, AQUOS compact SH-M06 build number 02.00.02 and earlier, AQUOS sense plus SH-M07 build number 02.00.02 and earlier, AQUOS sense2 SH-M08 build number 02.00.05 and earlier, and AQUOS sense2 (UQ mobile) build number 02.00.06 and earlier) allow an attacker to obtain the sensitive information of the device via malicious applications installed on the device. |
| 810 | CVE-2020-5570 | 79 | | XSS | 2020-04-28 | 2020-05-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting vulnerability in Sales Force Assistant version 11.2.48 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 811 | CVE-2020-5569 | 428 | | | 2020-04-20 | 2020-05-05 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | An unquoted search path vulnerability exists in HDD Password tool (for Windows) version 1.20.6620 and earlier, which is stored in CANVIO PREMIUM 3TB (HD-MB30TY, HD-MA30TY, HD-MB30TS, HD-MA30TS), CANVIO PREMIUM 2TB (HD-MB20TY, HD-MA20TY, HD-MB20TS, HD-MA20TS), CANVIO PREMIUM 1TB (HD-MB10TY, HD-MA10TY, HD-MB10TS, HD-MA10TS), CANVIO SLIM 1TB (HD-SB10TK, HD-SB10TS), and CANVIO SLIM 500GB (HD-SB50GK, HD-SA50GK, HD-SB50GS, HD-SA50GS), and which was downloaded before 2020 May 10. Since it registers Windows services with unquoted file paths, when a registered path contains spaces and a malicious executable is placed on a certain path, it may be executed with the privilege of the Windows service. |
| 812 | CVE-2020-5568 | 79 | | XSS | 2020-04-28 | 2020-04-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting vulnerability in Cybozu Garoon 4.6.0 to 5.0.0 allows remote attackers to inject arbitrary web script or HTML via the applications 'Messages' and 'Bulletin Board'. |
| 813 | CVE-2020-5567 | 287 | | | 2020-04-28 | 2020-04-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Improper authentication vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 allows remote attackers to obtain data in Application Menu. |
| 814 | CVE-2020-5566 | 862 | | | 2020-04-28 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | None | Partial | None | Improper authorization vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 allows remote authenticated attackers to alter the application's data via the applications 'E-mail' and 'Messages'. |
| 815 | CVE-2020-5565 | 20 | | | 2020-04-28 | 2020-04-30 | 4.0 | None | Remote | Low | ??? | None | Partial | None | Improper input validation vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 allows a remote authenticated attacker to alter the application's data via the applications 'Workflow' and 'MultiReport'. |
| 816 | CVE-2020-5564 | 79 | | XSS | 2020-04-28 | 2020-04-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 allows remote attackers to inject arbitrary web script or HTML via the application 'E-mail'. |
| 817 | CVE-2020-5563 | 287 | | | 2020-04-28 | 2020-04-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Improper authentication vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 allows remote attackers to obtain data in the affected product via the API. |
| 818 | CVE-2020-5562 | 918 | | | 2020-04-28 | 2020-05-01 | 4.0 | None | Remote | Low | ??? | None | Partial | None | Server-side request forgery (SSRF) vulnerability in Cybozu Garoon 4.6.0 to 4.6.3 allows a remote attacker with an administrative privilege to issue arbitrary HTTP requests to other web servers via the V-CUBE Meeting function. |
| 819 | CVE-2020-5550 | 384 | | | 2020-04-08 | 2020-04-09 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Session fixation vulnerability in EasyBlocks IPv6 Ver. 2.0.1 and earlier, and Enterprise Ver. 2.0.1 and earlier, allows remote attackers to impersonate a registered user and log in to the management console, which may result in information alteration/disclosure via unspecified vectors. |
| 820 | CVE-2020-5549 | 352 | | CSRF | 2020-04-08 | 2020-04-08 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in EasyBlocks IPv6 Ver. 2.0.1 and earlier and Enterprise Ver. 2.0.1 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
| 821 | CVE-2020-5548 | | | DoS | 2020-04-01 | 2020-04-02 | 7.8 | None | Remote | Low | Not required | None | None | Complete | Yamaha LTE VoIP Router (NVR700W firmware Rev.15.00.15 and earlier), Yamaha Gigabit VoIP Router (NVR510 firmware Rev.15.01.14 and earlier), Yamaha Gigabit VPN Router (RTX810 firmware Rev.11.01.33 and earlier, RTX830 firmware Rev.15.02.09 and earlier, RTX1200 firmware Rev.10.01.76 and earlier, RTX1210 firmware Rev.14.01.33 and earlier, RTX3500 firmware Rev.14.00.26 and earlier, and RTX5000 firmware Rev.14.00.26 and earlier), Yamaha Broadband VoIP Router (NVR500 firmware Rev.11.00.38 and earlier), and Yamaha Firewall (FWX120 firmware Rev.11.03.27 and earlier) allow remote attackers to cause a denial of service via unspecified vectors. |
| 822 | CVE-2020-5406 | 522 | | | 2020-04-10 | 2020-04-13 | 4.0 | None | Remote | Low | ??? | Partial | None | None | VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.18, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, includes a version of PCF Autoscaling that writes database connection properties to its log, including database username and password. A malicious user with access to those logs may gain unauthorized access to the database being used by Autoscaling. |
| 823 | CVE-2020-5392 | 79 | | XSS | 2020-04-01 | 2020-04-01 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A stored cross-site scripting (XSS) vulnerability exists in the Auth0 plugin before 4.0.0 for WordPress via the settings page. |
| 824 | CVE-2020-5391 | 352 | | CSRF | 2020-04-01 | 2020-04-01 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerabilities exist in the Auth0 plugin before 4.0.0 for WordPress via the domain field. |
| 825 | CVE-2020-5350 | 78 | | Exec Code | 2020-04-15 | 2020-04-23 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | Dell EMC Integrated Data Protection Appliance versions 2.0, 2.1, 2.2, 2.3, 2.4 contain a command injection vulnerability in the ACM component. A remote authenticated malicious user with root privileges could inject parameters in the ACM component APIs that could lead to manipulation of passwords and execution of malicious commands on the ACM component. |
| 826 | CVE-2020-5348 | 416 | | Exec Code | 2020-04-04 | 2020-04-06 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | Dell Latitude 7202 Rugged Tablet BIOS versions prior to A28 contain a UAF vulnerability in EFI_BOOT_SERVICES in system management mode. A local unauthenticated attacker may exploit this vulnerability by overwriting the EFI_BOOT_SERVICES structure to execute arbitrary code in system management mode. |
| 827 | CVE-2020-5347 | 400 | | DoS | 2020-04-04 | 2020-04-06 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Dell EMC Isilon OneFS versions 8.2.2 and earlier contain a denial of service vulnerability. SmartConnect had an error condition that may be triggered to loop, using CPU and potentially preventing other SmartConnect DNS responses. |
| 828 | CVE-2020-5346 | 79 | | Exec Code XSS | 2020-04-15 | 2020-08-31 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | RSA Authentication Manager versions prior to 8.4 P11 contain a stored cross-site scripting vulnerability in the Security Console. A malicious RSA Authentication Manager Security Console administrator with advanced privileges could exploit this vulnerability to store arbitrary HTML or JavaScript code through the Security Console web interface. When other Security Console administrators open the affected page, the injected scripts could potentially be executed in their browser. |
| 829 | CVE-2020-5330 | 200 | | +Info | 2020-04-10 | 2020-04-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Dell EMC Networking X-Series firmware versions 3.0.1.2 and older, Dell EMC Networking PC5500 firmware versions 4.1.0.22 and older, and Dell EMC PowerEdge VRTX Switch Modules firmware versions 2.0.0.77 and older contain an information disclosure vulnerability. A remote unauthenticated attacker could exploit this vulnerability to retrieve sensitive data by sending a specially crafted request to the affected endpoints. |
| 830 | CVE-2020-5303 | 787 | | DoS | 2020-04-10 | 2020-06-30 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | Tendermint before versions 0.33.3, 0.32.10, and 0.31.12 has a denial-of-service vulnerability. Tendermint does not limit the number of P2P connection requests. For each p2p connection, it allocates XXX bytes. Even though this memory is garbage collected once the connection is terminated (due to duplicate IP or reaching a maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions. Additionally, Tendermint does not reclaim the activeID of a peer after it is removed in the Mempool reactor. This does not happen all the time; it only happens when a connection fails (for any reason) before the Peer is created and added to all reactors. RemovePeer is therefore called before AddPeer, which leads to always growing memory (the activeIDs map). The activeIDs map has a maximum size of 65535, and the node will panic if this map reaches the maximum. An attacker can create a lot of connection attempts (exploiting the above denial of service), which ultimately will lead to the node panicking. These issues are patched in Tendermint 0.33.3 and 0.32.10. |
| 831 | CVE-2020-5302 | 269 | | | 2020-04-07 | 2020-04-09 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | MH-WikiBot (an IRC bot for interacting with the Miraheze API) had a bug that allowed any unprivileged user to access the steward commands on the IRC interface by impersonating the nickname used by a privileged user, as no check was made to see if they were logged in. The issue has been fixed in commit 23d9d5b0a59667a5d6816fdabb960b537a5f9ed1. |
| 832 | CVE-2020-5301 | 178 | | | 2020-04-21 | 2021-09-14 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. The module controller in `SimpleSAML\Module` that processes requests for pages hosted by modules has code to identify paths ending with `.php` and process those as PHP code. If no other suitable way of handling the given path exists, it presents the file to the browser. The check to identify paths ending with `.php` does not account for uppercase letters. If someone requests a path ending with e.g. `.PHP` and the server is serving the code from a case-insensitive file system, such as on Windows, the processing of the PHP code does not occur, and the source code is instead presented to the browser. An attacker may use this issue to gain access to the source code in third-party modules that is meant to be private, or even sensitive. However, the attack surface is considered small, as the attack will only work when SimpleSAMLphp serves such content from a file system that is not case-sensitive, such as on Windows. This issue is fixed in version 1.18.6. |
| 833 | CVE-2020-5300 | 294 | | | 2020-04-06 | 2020-04-07 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | In Hydra (an OAuth2 Server and OpenID Certified™ OpenID Connect Provider written in Go), before version 1.4.0+oryOS.17, when using client authentication method 'private_key_jwt' [1], the OpenID specification says the following about the assertion `jti`: "A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties". Hydra does not check the uniqueness of this `jti` value. Exploiting this vulnerability is somewhat difficult because: (a) TLS protects against MITM, which makes it difficult to intercept valid tokens for replay attacks; (b) the expiry time of the JWT gives only a short window of opportunity where it could be replayed. This has been patched in version v1.4.0+oryOS.17. |
| 834 | CVE-2020-5294 | 79 | | XSS | 2020-04-16 | 2020-04-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | PrestaShop module ps_facetedsearch versions before 2.1.0 have a reflected XSS with social networks fields. The problem is fixed in 2.1.0. |
| 835 | CVE-2020-5293 | 863 | | | 2020-04-20 | 2020-04-27 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there are improper access controls on the product page with combinations, attachments and specific prices. The problem is fixed in 1.7.6.5. |
| 836 | CVE-2020-5290 | 384 | | XSS | 2020-04-01 | 2020-04-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In RedpwnCTF before version 2.3, there is a session fixation vulnerability exploitable through the `#token=$ssid` hash when making a request to the `/verify` endpoint. An attacker team could potentially steal flags by, for example, exploiting a stored XSS payload in a CTF challenge so that victim teams who solve the challenge are unknowingly (and against their will) signed into the attacker team's account. Then, the attacker can gain points / value off the backs of the victims. This is patched in version 2.3. |
| 837 | CVE-2020-5288 | 863 | | | 2020-04-20 | 2020-04-27 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there are improper access controls on the product attributes page. The problem is fixed in 1.7.6.5. |
| 838 | CVE-2020-5287 | 863 | | | 2020-04-20 | 2020-04-27 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is improper access control on customers search. The problem is fixed in 1.7.6.5. |
| 839 | CVE-2020-5286 | 79 | | XSS | 2020-04-20 | 2020-04-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In PrestaShop between versions 1.7.4.0 and 1.7.6.5, there is a reflected XSS when uploading a wrong file. The problem is fixed in 1.7.6.5. |
| 840 | CVE-2020-5285 | 79 | | XSS | 2020-04-20 | 2020-04-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is a reflected XSS with the `back` parameter. The problem is fixed in 1.7.6.5. |
| 841 | CVE-2020-5283 | 79 | | XSS | 2020-04-03 | 2020-05-15 | 2.1 | None | Remote | High | ??? | None | Partial | None | ViewVC before versions 1.1.28 and 1.2.1 has an XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28. |
| 842 | CVE-2020-5279 | 863 | | | 2020-04-20 | 2020-04-29 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | In PrestaShop between versions 1.5.0.0 and 1.7.6.5, there is improper access control since version 1.5.0.0 for the legacy controllers admin-dev/index.php/configure/shop/customer-preferences/, admin-dev/index.php/improve/international/translations/, admin-dev/index.php/improve/international/geolocation/, admin-dev/index.php/improve/international/localization, admin-dev/index.php/configure/advanced/performance, admin-dev/index.php/sell/orders/delivery-slips/, and admin-dev/index.php?controller=AdminStatuses. The problem is fixed in 1.7.6.5. |
| 843 | CVE-2020-5278 | 79 | | XSS | 2020-04-20 | 2020-04-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In PrestaShop between versions 1.5.4.0 and 1.7.6.5, there is a reflected XSS on the Exception page. The problem is fixed in 1.7.6.5. |
| 844 | CVE-2020-5276 | 79 | | XSS | 2020-04-20 | 2020-04-23 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In PrestaShop between versions 1.7.1.0 and 1.7.6.5, there is a reflected XSS on the AdminCarts page with the `cartBox` parameter. The problem is fixed in 1.7.6.5. |
| 845 | CVE-2020-5273 | 79 | | XSS | 2020-04-16 | 2020-04-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | In PrestaShop module ps_linklist versions before 3.1.0, there is a stored XSS when using custom URLs. The problem is fixed in version 3.1.0. |
| 846 | CVE-2020-5272 | 79 | | XSS | 2020-04-20 | 2020-04-23 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is a reflected XSS on the Search page with the `alias` and `search` parameters. The problem is patched in 1.7.6.5. |
| 847 | CVE-2020-5271 | 79 | | XSS | 2020-04-20 | 2020-04-23 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In PrestaShop between versions 1.6.0.0 and 1.7.6.5, there is a reflected XSS with the `date_from` and `date_to` parameters in the dashboard page. This problem is fixed in 1.7.6.5. |
| 848 | CVE-2020-5270 | 601 | | XSS | 2020-04-20 | 2020-04-23 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is an open redirection when using the `back` parameter. The impacts can be many, and vary from the theft of information and credentials to the redirection to malicious websites containing attacker-controlled content, which in some cases even causes XSS attacks. So even though an open redirection might sound harmless at first, the impacts of it can be severe should it be exploitable. The problem is fixed in 1.7.6.5. |
| 849 | CVE-2020-5269 | 79 | | XSS | 2020-04-20 | 2020-04-23 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on the AdminFeatures page by using the `id_feature` parameter. The problem is fixed in 1.7.6.5. |
| 850 | CVE-2020-5268 | 287 | | | 2020-04-21 | 2020-05-06 | 4.9 | None | Remote | Medium | ??? | Partial | Partial | None | In Saml2 Authentication Services for ASP.NET versions before 1.0.2, and between 2.0.0 and 2.6.0, there is a vulnerability in how tokens are validated in some cases. Saml2 tokens are usually used as bearer tokens: a caller that presents a token is assumed to be the subject of the token. There is also support in the Saml2 protocol for issuing tokens that are tied to a subject through other means, e.g. holder-of-key, where possession of a private key must be proved. The Sustainsys.Saml2 library incorrectly treats all incoming tokens as bearer tokens, even though they have another subject confirmation method specified. This could be used by an attacker that could get access to Saml2 tokens with another subject confirmation method than bearer. The attacker could then use such a token to create a log-in session. This vulnerability is patched in versions 1.0.2 and 2.7.0. |