# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. |
251 | CVE-2020-11443 | 732 | | | 2020-05-04 | 2021-07-21 | 8.5 | None | Remote | Low | ??? | None | Complete | Complete |
The Zoom IT installer for Windows (ZoomInstallerFull.msi) prior to version 4.6.10 deletes files located in %APPDATA%\Zoom before installing an updated version of the client. Standard users are able to write to this directory, and can write links to other directories on the machine. As the installer runs with SYSTEM privileges and follows these links, a user can cause the installer to delete files that otherwise cannot be deleted by the user. |
252 | CVE-2020-11431 | 22 | | Dir. Trav. | 2020-05-07 | 2020-05-12 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None |
The documentation component in i-net Clear Reports 16.0 to 19.2, HelpDesk 8.0 to 8.3, and PDFC 4.3 to 6.2 allows a remote unauthenticated attacker to read arbitrary system files and directories on the target server via Directory Traversal. |
253 | CVE-2020-11108 | 434 | | Exec Code | 2020-05-11 | 2020-05-27 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete |
The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This can be abused for Remote Code Execution by writing to a PHP file in the web directory. (Also, it can be used in conjunction with the sudo rule for the www-data user to escalate privileges to root.) The code error is in gravity_DownloadBlocklistFromUrl in gravity.sh. |
254 | CVE-2020-11089 | 125 | | | 2020-05-29 | 2020-07-27 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial |
In FreeRDP before 2.1.0, there is an out-of-bound read in irp functions (parallel_process_irp_create, serial_process_irp_create, drive_process_irp_write, printer_process_irp_write, rdpei_recv_pdu, serial_process_irp_write). This has been fixed in 2.1.0. |
255 | CVE-2020-11088 | 125 | | | 2020-05-29 | 2020-07-27 | 5.5 | None | Remote | Low | ??? | Partial | None | Partial |
In FreeRDP less than or equal to 2.0.0, there is an out-of-bound read in ntlm_read_NegotiateMessage. This has been fixed in 2.1.0. |
256 | CVE-2020-11087 | 125 | | | 2020-05-29 | 2020-07-27 | 5.5 | None | Remote | Low | ??? | Partial | None | Partial |
In FreeRDP less than or equal to 2.0.0, there is an out-of-bound read in ntlm_read_AuthenticateMessage. This has been fixed in 2.1.0. |
257 | CVE-2020-11086 | 125 | | | 2020-05-29 | 2020-07-27 | 5.5 | None | Remote | Low | ??? | Partial | None | Partial |
In FreeRDP less than or equal to 2.0.0, there is an out-of-bound read in ntlm_read_ntlm_v2_client_challenge that reads up to 28 bytes out-of-bound to an internal structure. This has been fixed in 2.1.0. |
258 | CVE-2020-11085 | 125 | | | 2020-05-29 | 2020-07-27 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
In FreeRDP before 2.1.0, there is an out-of-bounds read in cliprdr_read_format_list. Clipboard format data read (by client or server) might read data out-of-bounds. This has been fixed in 2.1.0. |
259 | CVE-2020-11082 | 79 | | XSS | 2020-05-28 | 2021-11-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
In Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links. This has been fixed in 1.2.1. |
260 | CVE-2020-11079 | 77 | | Exec Code | 2020-05-28 | 2021-11-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of arbitrary commands. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This has been fixed in 0.2.1. |
261 | CVE-2020-11078 | 93 | | | 2020-05-20 | 2020-08-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
In httplib2 before version 0.18.0, an attacker controlling an unescaped part of the URI for `httplib2.Http.request()` could change request headers and body and send additional hidden requests to the same server. This vulnerability impacts software that uses httplib2 with a URI constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0. |
262 | CVE-2020-11077 | 444 | | | 2020-05-22 | 2020-10-07 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This is a similar but different vulnerability from CVE-2020-11076. The problem has been fixed in Puma 3.12.6 and Puma 4.3.5. |
263 | CVE-2020-11076 | 444 | | | 2020-05-22 | 2020-10-07 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4. |
264 | CVE-2020-11075 | | | Exec Code | 2020-05-27 | 2020-06-03 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial |
In Anchore Engine version 0.7.0, a specially crafted container image manifest, fetched from a registry, can be used to trigger a shell escape flaw in the anchore engine analyzer service during an image analysis process. The image analysis operation can only be executed by an authenticated user via a valid API request to anchore engine, or if an already added image that anchore is monitoring has its manifest altered to exploit the same flaw. A successful attack can be used to execute commands that run in the analyzer environment, with the same permissions as the user that anchore engine is run as - including access to the credentials that Engine uses to access its own database which have read-write ability, as well as access to the running engine analyzer service environment. By default Anchore Engine is released and deployed as a container where the user is non-root, but if users run Engine directly or explicitly set the user to 'root' then that level of access may be gained in the execution environment where Engine runs. This issue is fixed in version 0.7.1. |
265 | CVE-2020-11073 | 22 | | Dir. Trav. | 2020-05-13 | 2021-11-04 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial |
In Autoswitch Python Virtualenv before version 0.16.0, a user who enters a directory with a malicious `.venv` file could run arbitrary code without any user interaction. This is fixed in version 1.16.0. |
266 | CVE-2020-11072 | 697 | | | 2020-05-12 | 2020-05-19 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
In SLP Validate (npm package slp-validate) before version 1.2.1, users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user's minting baton. This has been fixed in slp-validate in version 1.2.1. Additionally, slpjs version 0.27.2 has a related fix under related CVE-2020-11071. |
267 | CVE-2020-11071 | 697 | | | 2020-05-12 | 2020-05-19 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
SLPJS (npm package slpjs) before version 0.27.2 has a vulnerability where users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user's minting baton. This is fixed in version 0.27.2. |
268 | CVE-2020-11069 | | | +Priv XSS CSRF | 2020-05-14 | 2021-11-04 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server. Scripts are then executed with the privileges of the victim's user session. In a worst-case scenario, new admin users can be created which can directly be used by an attacker. The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS) - but happens on the same target host - thus, it's actually a same-site request forgery. Malicious payload such as HTML containing JavaScript might be provided by either an authenticated backend user or by a non-authenticated user using a third party extension, e.g. file upload in a contact form with knowing the target location. To be successful, the attacked victim requires an active and valid backend or install tool user session at the time of the attack. This has been fixed in 9.5.17 and 10.4.2. The deployment of additional mitigation techniques is suggested as described below. - Sudo Mode Extension: This TYPO3 extension intercepts modifications to security relevant database tables, e.g. those storing user accounts or storages of the file abstraction layer. Modifications need to be confirmed again by the acting user providing their password again. This technique is known as sudo mode. This way, unintended actions happening in the background can be mitigated. - https://github.com/FriendsOfTYPO3/sudo-mode - https://extensions.typo3.org/extension/sudo_mode - Content Security Policy: Content Security Policies tell (modern) browsers how resources served by a particular site are handled. It is also possible to disallow script executions for specific locations. In a TYPO3 context, it is suggested to disallow direct script execution at least for locations /fileadmin/ and /uploads/. |
269 | CVE-2020-11067 | 502 | | Exec Code | 2020-05-14 | 2020-05-15 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial |
In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability. This has been fixed in 9.5.17 and 10.4.2. |
270 | CVE-2020-11066 | 915 | | | 2020-05-14 | 2020-05-15 | 6.4 | None | Remote | Low | Not required | None | Partial | Partial |
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering deletion of an arbitrary directory in the file system, if it is writable for the web server. It can also trigger message submission via email using the identity of the web site (mail relay). Another insecure deserialization vulnerability is required to actually exploit mentioned aspects. This has been fixed in 9.5.17 and 10.4.2. |
271 | CVE-2020-11063 | 203 | | | 2020-05-13 | 2020-05-15 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2. |
272 | CVE-2020-11060 | 352 | | Exec Code CSRF | 2020-05-12 | 2021-11-04 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete |
In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6. |
273 | CVE-2020-11059 | 200 | | +Info | 2020-05-27 | 2021-10-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
In AEgir greater than or equal to 21.7.0 and less than 21.10.1, aegir publish and aegir build may leak secrets from environment variables in the browser bundle published to npm. This has been fixed in 21.10.1. |
274 | CVE-2020-11057 | 94 | | | 2020-05-12 | 2021-11-04 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete |
In XWiki Platform 7.2 through 11.10.2, registered users without scripting/programming permissions are able to execute python/groovy scripts while editing personal dashboards. This has been fixed in 11.3.7, 11.10.3 and 12.0. |
275 | CVE-2020-11056 | 74 | | Exec Code | 2020-05-07 | 2021-10-26 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial |
In Sprout Forms before 3.9.0, there is a potential Server-Side Template Injection vulnerability when using custom fields in Notification Emails which could lead to the execution of Twig code. This has been fixed in 3.9.0. |
276 | CVE-2020-11054 | 684 | | | 2020-05-07 | 2020-09-21 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned. |
277 | CVE-2020-11053 | 601 | | Bypass | 2020-05-07 | 2020-05-13 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
In OAuth2 Proxy before 5.1.1, there is an open redirect vulnerability. Users can provide a redirect address for the proxy to send the authenticated user to at the end of the authentication flow. This is expected to be the original URL that the user was trying to access. This redirect URL is checked within the proxy and validated before redirecting the user to prevent malicious actors providing redirects to potentially harmful sites. However, by crafting a redirect URL with HTML encoded whitespace characters the validation could be bypassed and allow a redirect to any URL provided. This has been patched in 5.1.1. |
278 | CVE-2020-11052 | 307 | | | 2020-05-07 | 2020-05-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
In Sorcery before 0.15.0, there is a brute force vulnerability when using password authentication via Sorcery. The brute force protection submodule will prevent a brute force attack for the defined lockout period, but once expired, protection will not be re-enabled until a user or malicious actor logs in successfully. This does not affect users that do not use the built-in brute force protection submodule, nor users that use permanent account lockout. This has been patched in 0.15.0. |
279 | CVE-2020-11050 | 295 | | | 2020-05-07 | 2021-10-07 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
In Java-WebSocket less than or equal to 1.4.1, there is an Improper Validation of Certificate with Host Mismatch where WebSocketClient does not perform SSL hostname validation. This has been patched in 1.5.0. |
280 | CVE-2020-11047 | 125 | | | 2020-05-07 | 2020-06-09 | 4.9 | None | Remote | Medium | ??? | Partial | None | Partial |
In FreeRDP after 1.1 and before 2.0.0, there is an out-of-bounds read in autodetect_recv_bandwidth_measure_results. A malicious server can extract up to 8 bytes of client memory with a manipulated message by providing a short input and reading the measurement result data. This has been patched in 2.0.0. |
281 | CVE-2020-11045 | 125 | | | 2020-05-07 | 2020-08-30 | 4.9 | None | Remote | Medium | ??? | Partial | None | Partial |
In FreeRDP after 1.0 and before 2.0.0, there is an out-of-bound read in update_read_bitmap_data that allows client memory to be read to an image buffer. The result is displayed on screen as colour. |
282 | CVE-2020-11043 | 125 | | | 2020-05-29 | 2020-07-27 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
In FreeRDP less than or equal to 2.0.0, there is an out-of-bounds read in rfx_process_message_tileset. Invalid data fed to RFX decoder results in garbage on screen (as colors). This has been patched in 2.1.0. |
283 | CVE-2020-11042 | 125 | | | 2020-05-07 | 2020-08-30 | 4.9 | None | Remote | Medium | ??? | Partial | None | Partial |
In FreeRDP greater than 1.1 and before 2.0.0, there is an out-of-bounds read in update_read_icon_info. It allows reading an attacker-defined amount of client memory (32bit unsigned -> 4GB) to an intermediate buffer. This can be used to crash the client or store information for later retrieval. This has been patched in 2.0.0. |
284 | CVE-2020-11041 | 129 | | | 2020-05-29 | 2020-07-27 | 4.0 | None | Remote | Low | ??? | None | None | Partial |
In FreeRDP less than or equal to 2.0.0, an outside controlled array index is used unchecked for data used as configuration for sound backend (alsa, oss, pulse, ...). The most likely outcome is a crash of the client instance followed by no or distorted sound or a session disconnect. If a user cannot upgrade to the patched version, a workaround is to disable sound for the session. This has been patched in 2.1.0. |
285 | CVE-2020-11040 | 125 | | | 2020-05-29 | 2020-07-27 | 4.0 | None | Remote | Low | ??? | None | None | Partial |
In FreeRDP less than or equal to 2.0.0, there is an out-of-bound data read from memory in clear_decompress_subcode_rlex, visualized on screen as color. This has been patched in 2.1.0. |
286 | CVE-2020-11039 | 190 | | Overflow | 2020-05-29 | 2020-07-27 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial |
In FreeRDP less than or equal to 2.0.0, when using a manipulated server with USB redirection enabled (nearly) arbitrary memory can be read and written due to integer overflows in length checks. This has been patched in 2.1.0. |
287 | CVE-2020-11038 | 190 | | Overflow | 2020-05-29 | 2021-09-14 | 5.5 | None | Remote | Low | ??? | None | Partial | Partial |
In FreeRDP less than or equal to 2.0.0, an Integer Overflow to Buffer Overflow exists. When using /video redirection, a manipulated server can instruct the client to allocate a buffer with a smaller size than requested due to an integer overflow in size calculation. With later messages, the server can manipulate the client to write data out of bound to the previously allocated buffer. This has been patched in 2.1.0. |
288 | CVE-2020-11035 | 327 | | CSRF | 2020-05-05 | 2021-10-26 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None |
In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6. |
289 | CVE-2020-11034 | 601 | | Bypass | 2020-05-05 | 2020-05-15 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection, which is based on a regexp. This is fixed in version 9.4.6. |
290 | CVE-2020-11033 | 200 | | +Info | 2020-05-05 | 2021-09-14 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial |
In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to the full list of users when querying apirest.php/User. The response contains: - All api_tokens, which can be used for privilege escalation or to read/update/delete data normally not accessible to the current user. - All personal_tokens, which can display another user's planning. Exploiting this vulnerability requires the API to be enabled and a technician account. It can be mitigated by adding an application token. This is fixed in version 9.4.6. |
291 | CVE-2020-11032 | 89 | | Sql | 2020-05-05 | 2020-05-07 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial |
In GLPI before version 9.4.6, there is a SQL injection vulnerability for all helpdesk instances. Exploiting this vulnerability requires a technician account. This is fixed in version 9.4.6. |
292 | CVE-2020-11019 | 125 | | | 2020-05-29 | 2020-07-27 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
In FreeRDP less than or equal to 2.0.0, when running with logger set to "WLOG_TRACE", a possible crash of application could occur due to a read of an invalid array index. Data could be printed as string to local terminal. This has been fixed in 2.1.0. |
293 | CVE-2020-11018 | 125 | | | 2020-05-29 | 2020-07-27 | 4.0 | None | Remote | Low | ??? | None | None | Partial |
In FreeRDP less than or equal to 2.0.0, a possible resource exhaustion vulnerability can be performed. Malicious clients could trigger out of bound reads causing memory allocation with random size. This has been fixed in 2.1.0. |
294 | CVE-2020-11017 | 415 | | | 2020-05-29 | 2020-07-27 | 4.0 | None | Remote | Low | ??? | None | None | Partial |
In FreeRDP less than or equal to 2.0.0, by providing manipulated input a malicious client can create a double free condition and crash the server. This is fixed in version 2.1.0. |
295 | CVE-2020-10995 | 400 | | | 2020-05-19 | 2022-04-26 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. An issue in the DNS protocol has been found that allows malicious parties to use recursive DNS services to attack third party authoritative name servers. The attack uses a crafted reply by an authoritative name server to amplify the resulting traffic between the recursive and other authoritative name servers. Both types of service can suffer degraded performance as an effect. This is triggered by random subdomains in the NSDNAME in NS records. PowerDNS Recursor 4.1.16, 4.2.2 and 4.3.1 contain a mitigation to limit the impact of this DNS protocol issue. |
296 | CVE-2020-10974 | 306 | | | 2020-05-07 | 2022-04-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
An issue was discovered affecting a backup feature where a crafted POST request returns the current configuration of the device in cleartext, including the administrator password. No authentication is required. Affected devices: Wavlink WN575A3, Wavlink WN579G3, Wavlink WN531A6, Wavlink WN535G3, Wavlink WN530H4, Wavlink WN57X93, Wavlink WN572HG3, Wavlink WN575A4, Wavlink WN578A2, Wavlink WN579G3, Wavlink WN579X3, and Jetstream AC3000/ERAC3000 |
297 | CVE-2020-10973 | 306 | | | 2020-05-07 | 2022-04-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
An issue was discovered in Wavlink WN530HG4, Wavlink WN531G3, Wavlink WN533A8, and Wavlink WN551K1 affecting /cgi-bin/ExportAllSettings.sh where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available. |
298 | CVE-2020-10972 | 306 | | | 2020-05-07 | 2022-04-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
An issue was discovered where a page is exposed that has the current administrator password in cleartext in the source code of the page. No authentication is required in order to reach the page (a certain live_?.shtml page with the variable syspasswd). Affected Devices: Wavlink WN530HG4, Wavlink WN531G3, and Wavlink WN572HG3 |
299 | CVE-2020-10971 | 20 | | Exec Code | 2020-05-07 | 2020-12-04 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete |
An issue was discovered on Wavlink Jetstream devices where a crafted POST request can be sent to adm.cgi that will result in the execution of the supplied command if there is an active session at the same time. The POST request itself is not validated to ensure it came from the active session. Affected devices are: Wavlink WN530HG4, Wavlink WN575A3, Wavlink WN579G3, Wavlink WN531G3, Wavlink WN533A8, Wavlink WN531A6, Wavlink WN551K1, Wavlink WN535G3, Wavlink WN530H4, Wavlink WN57X93, WN572HG3, Wavlink WN578A2, Wavlink WN579G3, Wavlink WN579X3, and Jetstream AC3000/ERAC3000 |
300 | CVE-2020-10967 | 20 | | | 2020-05-18 | 2020-10-13 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart. |