In Unisys Stealth 3.4.x, 4.x and 5.x before 5.0.026, if certificate-based authorization is used without HTTPS, an endpoint could be authorized without proving possession of the private key that belongs to its certificate.
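The flaw described above is a missing proof of possession: a certificate is public data, and on a plain-HTTP link anyone who can observe the traffic can copy it, so an authorizer that accepts the certificate alone authorizes whoever replays it. The Go program below is an added illustration written for this page; it is not Unisys code and does not describe how Stealth's protocol actually works. It contrasts a certificate-only check with a challenge-response that demands a signature under the certificate's key, which is the proof that TLS client authentication supplies in its handshake. The Endpoint and Authorizer types, NewChallenge, and the self-signed certificates are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Endpoint (constructed for this example) holds a certificate, which is public and
// visible on the wire when HTTPS is not used, and a private key that never leaves it.
type Endpoint struct {
	CertDER []byte
	Priv    *ecdsa.PrivateKey
}

// NewEndpoint generates a P-256 key pair and a self-signed certificate for it.
func NewEndpoint(name string) (*Endpoint, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return &Endpoint{CertDER: der, Priv: priv}, nil
}

// Respond is the endpoint's half of a challenge-response: sign the server's nonce.
func (e *Endpoint) Respond(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, e.Priv, digest[:])
}

// Authorizer is the server side: the set of enrolled certificates, by fingerprint.
type Authorizer struct{ enrolled map[[32]byte]bool }

func (a *Authorizer) Enroll(certDER []byte) {
	if a.enrolled == nil {
		a.enrolled = map[[32]byte]bool{}
	}
	a.enrolled[sha256.Sum256(certDER)] = true
}

// WeakAuthorize is the flawed pattern: presenting an enrolled certificate is enough.
// Nothing proves the presenter holds the matching private key, so a certificate
// copied off an unencrypted link authorizes whoever replays it.
func (a *Authorizer) WeakAuthorize(certDER []byte) bool {
	return a.enrolled[sha256.Sum256(certDER)]
}

// NewChallenge draws a fresh 32-byte nonce. One per attempt, so a captured
// signature cannot be replayed against a later challenge.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// StrongAuthorize also demands a signature over the nonce with the key in the
// certificate, which only the private-key holder can produce.
func (a *Authorizer) StrongAuthorize(certDER, nonce, sig []byte) bool {
	if !a.enrolled[sha256.Sum256(certDER)] {
		return false
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	legit, _ := NewEndpoint("endpoint-a")
	auth := &Authorizer{}
	auth.Enroll(legit.CertDER)
	impostor, _ := NewEndpoint("impostor") // has a copy of legit's certificate, not its key
	nonce, _ := NewChallenge()
	forged, _ := impostor.Respond(nonce)
	good, _ := legit.Respond(nonce)
	fmt.Println("weak, replayed certificate:  ", auth.WeakAuthorize(legit.CertDER))
	fmt.Println("strong, replayed certificate:", auth.StrongAuthorize(legit.CertDER, nonce, forged))
	fmt.Println("strong, real endpoint:       ", auth.StrongAuthorize(legit.CertDER, nonce, good))
}
```

The nonce must be fresh for every attempt and checked against the attempt it was issued for; a fixed or predictable challenge would let a captured signature be replayed just like the bare certificate. In practice you would not hand-roll this exchange: terminating the connection with TLS and requiring a client certificate performs the same proof inside the handshake, which is why running the certificate-based scheme only over HTTPS closes the gap.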
CWE-863
CVE-2020-11844
Incorrect Authorization vulnerability in the Micro Focus Container Deployment Foundation component affects the following products:
– Hybrid Cloud Management, versions 2018.05 to 2019.11.
– ArcSight Investigate, versions 2.4.0, 3.0.0 and 3.1.0.
– ArcSight Transformation Hub, versions 3.0.0, 3.1.0 and 3.2.0.
– ArcSight Interset, version 6.0.0.
– ArcSight ESM (when ArcSight Fusion 1.0 is installed), version 7.2.1.
– Service Management Automation (SMA), versions 2018.05 to 2020.02.
– Operation Bridge Suite (Containerized), versions 2018.05 to 2020.02.
– Network Operation Management, versions 2017.11 to 2019.11.
– Data Center Automation Containerized, versions 2018.05 to 2019.11.
– Identity Intelligence, versions 1.1.0 and 1.1.1.
The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-11753
An issue was discovered in Sonatype Nexus Repository Manager in versions 3.21.1 and 3.22.0. It is possible for a user with appropriate privileges to create, modify, and execute scripting tasks without use of the UI or API. NOTE: in 3.22.0, scripting is disabled by default (making this not exploitable).
CVE-2020-11707
An issue was discovered in ProVide (formerly zFTPServer) through 13.1. It does not enforce permission checks on Windows symbolic links or junctions. As a result, a low-privileged (non-admin) user can create a junction in a directory they fully control that points outside their sandbox, and so break out of it.
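A sandbox check that only inspects the path string cannot see a link planted inside the sandbox, which is the gap the entry above describes. The Go program below is an added example, not ProVide code: it builds a throwaway directory layout, contrasts a lexical prefix check with one that resolves links before comparing, and uses a symbolic link in place of a Windows junction so it also runs on POSIX (filepath.EvalSymlinks follows junctions on Windows, so the check itself is the same). The layout, file names and helper names are all assumptions made for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscape = errors.New("path resolves outside the sandbox")

// LexicalCheck is the insufficient check: it normalises the requested path and
// verifies it stays under root without consulting the filesystem. A junction or
// symlink sitting inside root is invisible to it.
func LexicalCheck(root, requested string) bool {
	p := filepath.Join(root, filepath.Clean("/"+requested))
	return p == root || strings.HasPrefix(p, root+string(filepath.Separator))
}

// ResolveInSandbox follows every link component of root/requested and only
// accepts the result if the real location is still under the real root. The
// root itself is resolved too, since it may live behind a link (e.g. /tmp on macOS).
func ResolveInSandbox(root, requested string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(realRoot, filepath.Clean("/"+requested))
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	if resolved != realRoot && !strings.HasPrefix(resolved, realRoot+string(filepath.Separator)) {
		return "", ErrEscape
	}
	return resolved, nil
}

// BuildSandbox lays out a constructed scenario in a temp dir (an assumption of
// this demo, not ProVide's layout):
//   <base>/secret/flag.txt        outside the sandbox
//   <base>/sandbox/mine.txt       a file the user legitimately owns
//   <base>/sandbox/jump -> <base>/secret   the link the user plants in a dir they control
func BuildSandbox() (root, outside string, err error) {
	base, err := os.MkdirTemp("", "sandbox-demo-")
	if err != nil {
		return "", "", err
	}
	root, outside = filepath.Join(base, "sandbox"), filepath.Join(base, "secret")
	for _, d := range []string{root, outside} {
		if err := os.MkdirAll(d, 0o700); err != nil {
			return "", "", err
		}
	}
	if err := os.WriteFile(filepath.Join(outside, "flag.txt"), []byte("outside\n"), 0o600); err != nil {
		return "", "", err
	}
	if err := os.WriteFile(filepath.Join(root, "mine.txt"), []byte("inside\n"), 0o600); err != nil {
		return "", "", err
	}
	if err := os.Symlink(outside, filepath.Join(root, "jump")); err != nil {
		return "", "", err
	}
	return root, outside, nil
}

func main() {
	root, _, err := BuildSandbox()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	defer os.RemoveAll(filepath.Dir(root))
	for _, req := range []string{"mine.txt", "jump/flag.txt"} {
		resolved, err := ResolveInSandbox(root, req)
		fmt.Printf("%-16s lexical=%-5v resolved=%q err=%v\n", req, LexicalCheck(root, req), resolved, err)
	}
}
```

ResolveInSandbox requires the target to exist, because EvalSymlinks fails otherwise; for an upload or create operation, resolve the parent directory the same way and then refuse to follow links in the final component. Note also that the check is only as good as its timing: a link swapped in between the check and the open is a separate race, which is why servers that can do so open the file relative to a directory handle with link-following disabled rather than by path.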
CVE-2020-11628
An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. The system configuration is intended to let administrators restrict which remote protocols (CMP, ACME, REST, etc.) are available, but a client can bypass these restrictions by modifying the request URI. (EJBCA's internal access control restrictions are still in place, and each respective protocol must be configured to allow for enrollment.)
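The bypass class above is a restriction evaluated on the request URI as the client sent it, while the dispatcher routes on a normalised form of it; any difference between the two (dot-segments, repeated slashes, encoding) is a way around the restriction. The Go code below is an added, generic illustration, not EJBCA's code, and it does not claim to reproduce the exact URI manipulation that affected EJBCA. It assumes a /ejbca/<protocol>/... layout and invents the Decide and Gate helpers to show a raw-path check being fooled and a canonical-path check holding.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"strings"
)

// Assumed deployment layout for this illustration: /ejbca/<protocol>/...
const base = "/ejbca/"

// protocolSegment returns the first path segment after base, or "" if none.
func protocolSegment(p string) string {
	if !strings.HasPrefix(p, base) {
		return ""
	}
	rest := strings.TrimPrefix(p, base)
	if i := strings.IndexByte(rest, '/'); i >= 0 {
		rest = rest[:i]
	}
	return rest
}

// Canonical normalises the path the way a dispatcher does before routing:
// dot-segments collapse and repeated slashes fold. A restriction must be
// evaluated on this form, not on the bytes the client chose to send.
func Canonical(rawPath string) string {
	return path.Clean("/" + rawPath)
}

// Decide models a gate in front of a dispatcher that always routes on the
// canonical path. It reports whether the gate lets the request through and which
// protocol the dispatcher would actually hand it to. With normaliseFirst=false the
// gate inspects the raw path, and the two answers can disagree: that gap is the bypass.
func Decide(enabled map[string]bool, rawPath string, normaliseFirst bool) (allowed bool, routedTo string) {
	routedTo = protocolSegment(Canonical(rawPath))
	seen := protocolSegment(rawPath)
	if normaliseFirst {
		seen = routedTo
	}
	return enabled[seen], routedTo
}

// Gate is the corrected middleware: it rewrites the path to its canonical form,
// checks the restriction against that form, and forwards only that form downstream.
type Gate struct {
	Enabled map[string]bool
	Next    http.Handler
}

func (g Gate) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	r.URL.Path = Canonical(r.URL.Path)
	r.URL.RawPath = "" // drop client-supplied encoding so Path is the only authority
	if !g.Enabled[protocolSegment(r.URL.Path)] {
		http.Error(w, "protocol disabled by configuration", http.StatusForbidden)
		return
	}
	g.Next.ServeHTTP(w, r)
}

func main() {
	enabled := map[string]bool{"cmp": true, "acme": false} // constructed: ACME switched off
	for _, raw := range []string{"/ejbca/acme/directory", "/ejbca/cmp/../acme/directory"} {
		a1, to := Decide(enabled, raw, false)
		a2, _ := Decide(enabled, raw, true)
		fmt.Printf("%-30s routes to %-5s raw-gate allows=%-5v canonical-gate allows=%v\n", raw, to, a1, a2)
	}
}
```

The parenthetical in the entry is the important caveat for anyone building such a gate: a front gate is defence in depth, not the authority. The durable enforcement point is inside each protocol's own handler, where the request has already been normalised by the container and the "is this protocol enabled" decision cannot be detached from the code path that serves it. How a given percent-encoding or dot-segment reaches a given servlet also depends on the container, so a gate written for one server's normalisation rules may not transfer to another.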
CVE-2020-11209
Improper authorization in the DSP process could allow unauthorized users to downgrade the library versions in SD820, SD821, QCS603, QCS605, SDA855, SA6155P, SA6145P, SA6155, SD855, SD675, SD660, SD429 and SD439.