CWE:
 

Topic
Date
Author
Med.
Microsoft Windows Hello Face Authentication Bypass
20.12.2017
SySS


CVEMAP Search Results

CVE
Details
Description
2020-06-02
Medium
CVE-2020-10136

Vendor: DIGI
Software: Saros
 

 
Multiple products that implement the IP Encapsulation within IP standard (RFC 2003, STD 1) decapsulate and route IP-in-IP traffic without any validation, which could allow an unauthenticated remote attacker to route arbitrary traffic via an exposed network interface and lead to spoofing, access control bypass, and other unexpected network behaviors.

 
2020-05-13
Medium
CVE-2020-2002

Vendor: Paloaltonetworks
Software: Pan-os
 

 
An authentication bypass by spoofing vulnerability exists in the authentication daemon and User-ID components of Palo Alto Networks PAN-OS by failing to verify the integrity of the Kerberos key distribution center (KDC) before authenticating users. This affects all forms of authentication that use a Kerberos authentication profile. A man-in-the-middle type of attacker with the ability to intercept communication between PAN-OS and KDC can login to PAN-OS as an administrator. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; All version of PAN-OS 8.0.

 
2020-04-30
Medium
CVE-2020-11015

Vendor: Thinx-device-api project
Software: Thinx-device-api
 

 
A vulnerability has been disclosed in thinx-device-api IoT Device Management Server before version 2.5.0. Device MAC address can be spoofed. This means initial registration requests without UDID and spoofed MAC address may pass to create new UDID with same MAC address. Full impact needs to be reviewed further. Applies to all (mostly ESP8266/ESP32) users. This has been fixed in firmware version 2.5.0.

 
2020-04-27
Medium
CVE-2019-20790

Updating...
 

 
OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.

 
2020-04-08
Medium
CVE-2020-4290

Vendor: IBM
Software: Security inf...
 

 
IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow any authenticated user to spoof the configuration owner of any other user which disclose sensitive information or allow for unauthorized access. IBM X-Force ID: 176333.

 
2020-03-25
Low
CVE-2020-6810

Vendor: Mozilla
Software: Firefox
 

 
After a website had entered fullscreen mode, it could have used a previously opened popup to obscure the notification that indicates the browser is in fullscreen mode. Combined with spoofing the browser chrome, this could have led to confusing the user about the current origin of the page and credential theft or other attacks. This vulnerability affects Firefox < 74.

 
Low
CVE-2020-6808

Vendor: Mozilla
Software: Firefox
 

 
When a JavaScript URL (javascript:) is evaluated and the result is a string, this string is parsed to create an HTML document, which is then presented. Previously, this document's URL (as reported by the document.location property, for example) was the originating javascript: URL which could lead to spoofing attacks; it is now correctly the URL of the originating document. This vulnerability affects Firefox < 74.

 
2020-03-18
Medium
CVE-2019-12131

Vendor: ONAP
Software: Open network...
 

 
An issue was detected in ONAP APPC through Dublin and SDC through Dublin. By setting a USER_ID parameter in an HTTP header, an attacker may impersonate an arbitrary existing user without any authentication. All APPC and SDC setups are affected.

 
2020-03-05
Low
CVE-2019-14886

Vendor: Redhat
Software: Decision manager
 

 
A vulnerability was found in business-central, as shipped in rhdm-7.5.1 and rhpam-7.5.1, where encoded passwords are stored in errai_security_context. The encoding used for storing the passwords is Base64, not an encryption algorithm, and any recovery of these passwords could lead to user passwords being exposed.

 
2020-02-20
Medium
CVE-2019-11189

Vendor: Opennetworking
Software: ONOS
 

 
Authentication Bypass by Spoofing in org.onosproject.acl (access control) and org.onosproject.mobility (host mobility) in ONOS v2.0 and earlier allows attackers to bypass network access control via data plane packet injection. To exploit the vulnerability, an attacker sends a gratuitous ARP reply that causes the host mobility application to remove existing access control flow denial rules in the network. The access control application does not re-install flow deny rules, so the attacker can bypass the intended access control policy.

 

 


Copyright 2020, cxsecurity.com

 

Back to Top