CVE List - 2020 / June
Showing 1201 - 1300 of 1807 CVEs for June 2020 (Page 13 of 19)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-20886 | 2020-06-19 | An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin. |
| CVE-2019-20888 | 2020-06-19 | An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It allows attackers to cause a denial of service (memory consumption) via an outgoing webhook or a... |
| CVE-2018-21248 | 2020-06-19 | An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials. |
| CVE-2019-20889 | 2020-06-19 | An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation. |
| CVE-2018-21259 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.10.1, 4.9.4, and 4.8.2. It allows attackers to cause a denial of service (application hang) via a malformed link in a channel. |
| CVE-2017-18870 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case. |
| CVE-2017-18875 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create arbitrary files. |
| CVE-2018-21249 | 2020-06-19 | An issue was discovered in Mattermost Server before 5.3.0. It mishandles timing. |
| CVE-2018-21251 | 2020-06-19 | An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Authorization could be bypassed if the channel name were not the same in the params and the body. |
| CVE-2018-21260 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. WebSocket events were accidentally sent during certain user-management operations, violating user privacy. |
| CVE-2018-21254 | 2020-06-19 | An issue was discovered in Mattermost Server before 5.1. An attacker can bypass intended access control (for direct-message channel creation) via the Message slash command. |
| CVE-2018-21255 | 2020-06-19 | An issue was discovered in Mattermost Server before 5.1. Non-members of a channel could use the Channel PATCH API to modify that channel. |
| CVE-2017-18876 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test for the existence of an arbitrary... |
| CVE-2017-18877 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page. |
| CVE-2018-21250 | 2020-06-19 | An issue was discovered in Mattermost Server before 5.2.2, 5.1.2, and 4.10.4. It allows remote attackers to cause a denial of service (memory consumption) via crafted image dimensions. |
| CVE-2017-18871 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a... |
| CVE-2018-21265 | 2020-06-19 | An issue was discovered in Mattermost Desktop App before 4.0.0. It mishandled the Same Origin Policy for setPermissionRequestHandler (e.g., video, audio, and notifications). |
| CVE-2018-21262 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.7.3. It allows attackers to cause a denial of service (application crash) via invalid LaTeX text. |
| CVE-2018-21261 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. An e-mail invite accidentally included the team invite_id, which leads to unintended excessive invitation privileges. |
| CVE-2018-21257 | 2020-06-19 | An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for setting a channel header) via the Channel header slash command API. |
| CVE-2020-8162 | 2020-06-19 | A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload... |
| CVE-2020-14927 | 2020-06-19 | Navigate CMS 2.9 allows XSS via the Alias or Real URL field of the "Web Sites > Create > Aliases > Add" screen. |
| CVE-2020-14926 | 2020-06-19 | CMS Made Simple 2.2.14 allows XSS via a Search Term to the admin/moduleinterface.php?mact=ModuleManager page. |
| CVE-2020-8164 | 2020-06-19 | A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters. |
| CVE-2020-8165 | 2020-06-19 | A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in... |
| CVE-2020-8167 | 2020-06-19 | A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains. |
| CVE-2020-13277 | 2020-06-19 | An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5 |
| CVE-2020-3972 | 2020-06-19 | VMware Tools for macOS (11.x.x and prior before 11.1.1) contains a denial-of-service vulnerability in the Host-Guest File System (HGFS) implementation. Successful exploitation of this issue may allow attackers with non-admin... |
| CVE-2018-21264 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. It did not enforce the expiration date of a SAML response. |
| CVE-2018-21256 | 2020-06-19 | An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for group-message channel creation) via the Group message slash command. |
| CVE-2018-21252 | 2020-06-19 | An issue was discovered in Mattermost Server before 5.2, 5.1.1, 5.0.3, and 4.10.3. Attackers could use multiple e-mail addresses to bypass a domain-based policy for signups. |
| CVE-2017-18872 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider. |
| CVE-2017-18873 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to cause a denial of service (channel invisibility) via a misformatted post. |
| CVE-2017-18874 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can achieve directory traversal. |
| CVE-2017-18878 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user's session. |
| CVE-2017-18879 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the author_link field of a Slack attachment. |
| CVE-2017-18881 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via a goto_location response to a slash command. |
| CVE-2017-18882 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS can occur via OpenGraph data. |
| CVE-2017-18883 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data. |
| CVE-2017-18884 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens. |
| CVE-2017-18891 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows Phishing because an error page can have a link. |
| CVE-2017-18892 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized. |
| CVE-2017-18890 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request. |
| CVE-2017-18889 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST... |
| CVE-2017-18901 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document. |
| CVE-2017-18885 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by accessing unintended API endpoints on a user's behalf. |
| CVE-2017-18897 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection. |
| CVE-2017-18896 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint. |
| CVE-2017-18894 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover. |
| CVE-2017-18893 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS. |
| CVE-2017-18888 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts. |
| CVE-2017-18887 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator's e-mail address to members. |
| CVE-2017-18899 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It mishandles IP-based rate limiting. |
| CVE-2017-18880 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the title_link field of a Slack attachment. |
| CVE-2017-18895 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint. |
| CVE-2017-18886 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands. |
| CVE-2017-18900 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report. |
| CVE-2017-18898 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang. |
| CVE-2017-18902 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints. |
| CVE-2017-18903 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled. |
| CVE-2017-18904 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file. |
| CVE-2017-18912 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file. |
| CVE-2017-18911 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server. |
| CVE-2017-18910 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. E-mail notifications can have spoofed links. |
| CVE-2017-18909 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory. |
| CVE-2020-14929 | 2020-06-19 | Alpine before 2.23 silently proceeds to use an insecure connection after a /tls is sent in certain circumstances involving PREAUTH, which is a less secure behavior than the alternative of... |
| CVE-2020-9495 | 2020-06-19 | Apache Archiva login service before 2.2.5 is vulnerable to LDAP injection. A attacker is able to retrieve user attribute data from the connected LDAP server by providing special values to... |
| CVE-2017-18915 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access. |
| CVE-2017-18914 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist. |
| CVE-2017-18908 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address. |
| CVE-2017-18913 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. XSS can occur via a link on an error page. |
| CVE-2017-18905 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled. |
| CVE-2017-18906 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account. |
| CVE-2017-18917 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens. |
| CVE-2017-18916 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction. |
| CVE-2017-18907 | 2020-06-19 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header. |
| CVE-2017-18918 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname. |
| CVE-2017-18919 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation. |
| CVE-2017-18920 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.6.2. The WebSocket feature does not follow the Same Origin Policy. |
| CVE-2017-18921 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page. |
| CVE-2016-11062 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.5.1. E-mail address verification can be bypassed. |
| CVE-2016-11063 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview. |
| CVE-2016-11064 | 2020-06-19 | An issue was discovered in Mattermost Desktop App before 3.4.0. Strings could be executed as code via injection. |
| CVE-2016-11065 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.3.0. An attacker could use the WebSocket feature to send pop-up messages to users or change a post's appearance. |
| CVE-2020-10750 | 2020-06-19 | Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to... |
| CVE-2016-11066 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information. |
| CVE-2016-11067 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang. |
| CVE-2016-11068 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection. |
| CVE-2016-11069 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change. |
| CVE-2016-11070 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values. |
| CVE-2016-11071 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place. |
| CVE-2016-11072 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were mishandled. |
| CVE-2016-11073 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting. |
| CVE-2016-11074 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be reused. |
| CVE-2016-11075 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API. |
| CVE-2016-11076 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL. |
| CVE-2016-11077 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP... |
| CVE-2016-11078 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI. |
| CVE-2016-11079 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL. |
| CVE-2016-11080 | 2020-06-19 | An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details. |