CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15235 – Sensitive data exposure in RACTF
https://notcve.org/view.php?id=CVE-2020-15235
In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would normally be hidden to everyone except admins. All versions after commit f3dc89b9f6ab1544a289b3efc06699b13d63e0bd(3/10/20) are patched. En RACTF versiones anteriores al commit f3dc89b, los usuarios no autenticados pueden ser capaces de obtener el valor de las claves de configuración confidenciales que normalmente estarían ocultas para todos excepto para los administradores. Todas las versiones posteriores a la confirmación f3dc89b9f6ab1544a289b3efc06699b13d63e0bd (10/3/20) están parcheadas • https://github.com/ractf/core/commit/f3dc89b9f6ab1544a289b3efc06699b13d63e0bd https://github.com/ractf/core/security/advisories/GHSA-ph67-c355-52vm • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 97%CPEs: 13EXPL: 3CVE-2020-15505 – Ivanti MobileIron Multiple Products Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-15505
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors. Se presenta una vulnerabilidad de ejecución de código remoto en las versiones 10.3.0.3 y anteriores del MobileIron Core y Connector, versiones 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 y 10.6.0.0; y las versiones 9 del Sentry. 7.2 y anteriores, y versiones 9.8.0; y Monitor and Reporting Database (RDB) versión 2.0.0.1 y anteriores que permite a los atacantes remotos ejecutar código arbitrario a través de vectores no especificados Ivanti MobileIron's Core & Connector, Sentry, and Monitor and Reporting Database (RDB) products contain an unspecified vulnerability that allows for remote code execution. • http://packetstormsecurity.com/files/161097/MobileIron-MDM-Hessian-Based-Java-Deserialization-Remote-Code-Execution.html https://cwe.mitre.org/data/definitions/41.html https://perchsecurity.com/perch-news/cve-spotlight-mobileiron-rce-cve-2020-15505 https://www.mobileiron.com/en/blog/mobileiron-security-updates-available https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2020-15505 https://raw.githubusercontent.com/rapi • CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2020-15506
https://notcve.org/view.php?id=CVE-2020-15506
An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to bypass authentication mechanisms via unspecified vectors. Una vulnerabilidad de omisión de autentificación en MobileIron Core y Connector versiones 10.3.0.3 y anteriores, versiones 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 y versión 10.6.0.0 permite a atacantes remotos omitir los mecanismos de autenticación por medio de vectores no especificados • https://www.mobileiron.com/en/blog/mobileiron-security-updates-available •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2020-15507
https://notcve.org/view.php?id=CVE-2020-15507
An arbitrary file reading vulnerability in MobileIron Core versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to read files on the system via unspecified vectors. Se presenta una vulnerabilidad arbitraria de lectura de archivos en MobileIron Core y Connector versiones 10.3.0.3 y anteriores, versiones 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 y versión 10.6.0.0 que permite a atacantes remotos leer archivos sobre el sistema por medio de vectores no especificados • https://www.mobileiron.com/en/blog/mobileiron-security-updates-available •