Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-5800

Summary
Assigner-tenable
Assigner Org ID-5ac1ecc2-367a-4d16-a0b2-35d495ddd0be
Published At-07 Dec, 2020 | 12:40
Updated At-04 Aug, 2024 | 08:39
Rejected At-
Credits

The Eat Spray Love mobile app for both iOS and Android contains logic that allows users to bypass authentication and retrieve or modify information that they would not normally have access to.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:tenable
Assigner Org ID:5ac1ecc2-367a-4d16-a0b2-35d495ddd0be
Published At:07 Dec, 2020 | 12:40
Updated At:04 Aug, 2024 | 08:39
Rejected At:
▼CVE Numbering Authority (CNA)

The Eat Spray Love mobile app for both iOS and Android contains logic that allows users to bypass authentication and retrieve or modify information that they would not normally have access to.

Affected Products
Vendor
n/a
Product
Eat Spray Love
Versions
Affected
  • Eat Spray Love for iOS 2.0.20, Eat Spray Love for Android 2.0.20
Problem Types
TypeCWE IDDescription
textN/AInsufficient Access Controls
Type: text
CWE ID: N/A
Description: Insufficient Access Controls
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.tenable.com/security/research/tra-2020-65
x_refsource_MISC
Hyperlink: https://www.tenable.com/security/research/tra-2020-65
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.tenable.com/security/research/tra-2020-65
x_refsource_MISC
x_transferred
Hyperlink: https://www.tenable.com/security/research/tra-2020-65
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:vulnreport@tenable.com
Published At:07 Dec, 2020 | 13:15
Updated At:21 Jul, 2021 | 11:39

The Eat Spray Love mobile app for both iOS and Android contains logic that allows users to bypass authentication and retrieve or modify information that they would not normally have access to.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches
eat_spray_love_project
eat_spray_love_project
>>eat_spray_love>>2.0.20
cpe:2.3:a:eat_spray_love_project:eat_spray_love:2.0.20:*:*:*:*:android:*:*
eat_spray_love_project
eat_spray_love_project
>>eat_spray_love>>2.0.20
cpe:2.3:a:eat_spray_love_project:eat_spray_love:2.0.20:*:*:*:*:iphone_os:*:*
Weaknesses
CWE IDTypeSource
CWE-669Primarynvd@nist.gov
CWE ID: CWE-669
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.tenable.com/security/research/tra-2020-65vulnreport@tenable.com
Exploit
Third Party Advisory
Hyperlink: https://www.tenable.com/security/research/tra-2020-65
Source: vulnreport@tenable.com
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

6Records found
CVE-2020-5799
Matching Score-8
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-8
Assigner-Tenable Network Security, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 62.54%
||
7 Day CHG~0.00%
Published-07 Dec, 2020 | 12:40
Updated-04 Aug, 2024 | 08:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Eat Spray Love mobile app for both iOS and Android contains a backdoor account that, when modified, allowed privileged access to restricted functionality and to other users' data.

Action-Not Available
Vendor-eat_spray_love_projectn/a
Product-eat_spray_loveEat Spray Love
CVE-2025-67895
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-0.35% / 57.10%
||
7 Day CHG~0.00%
Published-17 Dec, 2025 | 11:47
Updated-22 Dec, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Airflow Providers Edge3: Edge3 Worker RPC RCE on Airflow 2

Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if you installed and configured it on Airflow 2. The Edge3 provider support in Airflow 2 has been always development-only and not officially released, however if you installed and configured Edge3 provider in Airflow 2, it implicitly enabled non-public (normally) API which was used to test Edge Provider in Airflow 2 during the development. This API allowed Dag author to perform Remote Code Execution in the webserver context, which Dag Author was not supposed to be able to do. If you installed and configured Edge3 provider for Airflow 2, you should uninstall it and migrate to Airflow 3. The new Edge3 provider versions (>=2.0.0) has minimum version of Airflow set to 3 and the RCE-prone Airflow 2 code is removed, so it should no longer be possible to use the Edge3 provider 2.0.0+ on Airflow 2. If you used Edge Provider in Airflow 3, you are not affected.

Action-Not Available
Vendor-The Apache Software Foundation
Product-apache-airflow-providers-edge3Apache Airflow Providers Edge3
CWE ID-CWE-669
Incorrect Resource Transfer Between Spheres
CVE-2022-4446
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.8||CRITICAL
EPSS-0.72% / 72.35%
||
7 Day CHG~0.00%
Published-13 Dec, 2022 | 00:00
Updated-14 Apr, 2025 | 18:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHP Remote File Inclusion in tsolucio/corebos

PHP Remote File Inclusion in GitHub repository tsolucio/corebos prior to 8.0.

Action-Not Available
Vendor-corebostsolucio
Product-corebostsolucio/corebos
CWE ID-CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE ID-CWE-669
Incorrect Resource Transfer Between Spheres
CVE-2020-24683
Matching Score-4
Assigner-Asea Brown Boveri Ltd. (ABB)
ShareView Details
Matching Score-4
Assigner-Asea Brown Boveri Ltd. (ABB)
CVSS Score-9.8||CRITICAL
EPSS-0.45% / 63.57%
||
7 Day CHG~0.00%
Published-22 Dec, 2020 | 21:19
Updated-17 Sep, 2024 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authentication Bypass in Symphony Plus

The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not as secure as having the server validate a client application before allowing a connection. Therefore, if the network communication or endpoints for these applications are not protected, unauthorized actors can bypass authentication and make unauthorized connections to the server application.

Action-Not Available
Vendor-ABB
Product-symphony_\+_historiansymphony_\+_operationsABB Ability™ Symphony® Plus Operations
CWE ID-CWE-602
Client-Side Enforcement of Server-Side Security
CWE ID-CWE-305
Authentication Bypass by Primary Weakness
CWE ID-CWE-669
Incorrect Resource Transfer Between Spheres
CVE-2020-15892
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.92% / 75.79%
||
7 Day CHG~0.00%
Published-22 Jul, 2020 | 18:56
Updated-04 Aug, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in apply.cgi on D-Link DAP-1520 devices before 1.10b04Beta02. Whenever a user performs a login action from the web interface, the request values are being forwarded to the ssi binary. On the login page, the web interface restricts the password input field to a fixed length of 15 characters. The problem is that validation is being done on the client side, hence it can be bypassed. When an attacker manages to intercept the login request (POST based) and tampers with the vulnerable parameter (log_pass), to a larger length, the request will be forwarded to the webserver. This results in a stack-based buffer overflow. A few other POST variables, (transferred as part of the login request) are also vulnerable: html_response_page and log_user.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dap-1520dap-1520_firmwaren/a
CWE ID-CWE-787
Out-of-bounds Write
CWE ID-CWE-669
Incorrect Resource Transfer Between Spheres
CVE-2019-13025
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-10.81% / 93.25%
||
7 Day CHG~0.00%
Published-02 Oct, 2019 | 14:54
Updated-04 Aug, 2024 | 23:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Compal CH7465LG CH7465LG-NCIP-6.12.18.24-5p8-NOSH devices have Incorrect Access Control because of Improper Input Validation. The attacker can send a maliciously modified POST (HTTP) request containing shell commands, which will be executed on the device, to an backend API endpoint of the cable modem.

Action-Not Available
Vendor-compaln/a
Product-ch7465lgch7465lg_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-669
Incorrect Resource Transfer Between Spheres
Details not found