How severe is CVE-2020-26251?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.7 out of 10.

What type of vulnerability is CVE-2020-26251?

This is classified as CWE-346, which is a common weakness in software security.

CVE-2020-26251

MEDIUM Year: 2020

CVSS v3 Score

4.7

Medium

CVSS v2 Score

4.3

Medium

Weakness Type

CWE-346

View all →

Vulnerability Description

Open Zaak is a modern, open-source data- and services-layer to enable zaakgericht werken, a Dutch approach to case management. In Open Zaak before version 1.3.3 the Cross-Origin-Resource-Sharing policy in Open Zaak is currently wide open - every client is allowed. This allows evil.com to run scripts that perform AJAX calls to known Open Zaak installations, and the browser will not block these. This was intended to only apply to development machines running on localhost/127.0.0.1. Open Zaak 1.3.3 disables CORS by default, while it can be opted-in through environment variables. The vulnerability does not actually seem exploitable because: a) The session cookie has a `Same-Site: Lax` policy which prevents it from being sent along in Cross-Origin requests. b) All pages that give access to (production) data are login-protected c) `Access-Control-Allow-Credentials` is set to `false` d) CSRF checks probably block the remote origin, since they're not explicitly added to the trusted allowlist.

CVE-2021-26737

MEDIUM

CVSS:4.7(Medium)

The Zscaler Client Connector for macOS prior to 3.6 did not sufficiently validate RPC clients. A local adversary without sufficient privileges may be able to shutdown the Zscaler tunnel by exploiting ...

CWE-3462021

CVE-2023-2639

MEDIUM

CVSS:4.7(Medium)

The underlying feedback mechanism of Rockwell Automation's FactoryTalk System Services that transfers the FactoryTalk Policy Manager rules to relevant devices on the network does not verify that the o...

CWE-3462023

CVE-2020-26234

MEDIUM

CVSS:4.8(Medium)

Opencast before versions 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests. Hostname verification is an important part when using...

CWE-3462020

CVE-2022-1747

MEDIUM

CVSS:4.6(Medium)

The authentication mechanism used by voters to activate a voting session on the tested version of Dominion Voting Systems ImageCast X is susceptible to forgery. An attacker could leverage this vulnera...

CWE-3462022

CVE-2023-2445

MEDIUM

CVSS:4.9(Medium)

Improper access control in Subscriptions Folder path filter in Devolutions Server 2023.1.1 and earlier allows attackers with administrator privileges to retrieve usage information on folders in user v...

CWE-3462023

CVE-2019-4640

MEDIUM

CVSS:4.4(Medium)

IBM Security Secret Server 10.7 processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code which could result in an attacker executing malic...

CWE-3462019

CVE-2020-26251

Vulnerability Description

Related Vulnerabilities

CVE-2021-26737

CVE-2023-2639

CVE-2020-26234

CVE-2022-1747

CVE-2023-2445

CVE-2019-4640