Total
513 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-39745 | 1 Google | 1 Android | 2022-04-05 | 2.1 LOW | 5.5 MEDIUM |
| In DevicePolicyManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-206127671 | |||||
| CVE-2021-39744 | 1 Google | 1 Android | 2022-04-05 | 2.1 LOW | 5.5 MEDIUM |
| In DevicePolicyManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-192369136 | |||||
| CVE-2021-39021 | 1 Ibm | 1 Guardium Data Encryption | 2022-03-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Guardium Data Encryption (GDE) 5.0.0.2 behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which could facilitate username enumeration. IBM X-Force ID: 213856. | |||||
| CVE-2021-44421 | 1 Occlum Project | 1 Occlum | 2022-03-15 | 2.1 LOW | 5.5 MEDIUM |
| The pointer-validation logic in util/mem_util.rs in Occlum before 0.26.0 for Intel SGX acts as a confused deputy that allows a local attacker to access unauthorized information via side-channel analysis. | |||||
| CVE-2020-36517 | 1 Home-assistant | 1 Home-assistant | 2022-03-14 | 5.0 MEDIUM | 7.5 HIGH |
| An information leak in Nabu Casa Home Assistant Operating System and Home Assistant Supervised 2022.03 allows a DNS operator to gain knowledge about internal network resources via the hardcoded DNS resolver configuration. | |||||
| CVE-2022-23643 | 1 Sourcegraph | 1 Sourcegraph | 2022-02-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerabilitity in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects only the Code Monitoring feature, whereas CVE-2021-43823 also affected saved searches. A successful attack would require an authenticated bad actor to create many Code Monitors to receive confirmation that a specific string exists. This could allow an attacker to guess formatted tokens in source code, such as API keys. This issue was patched in versions 3.35.2 and 3.36.3 of Sourcegraph. Those who are unable to upgrade may disable the Code Monitor feature in their installation. | |||||
| CVE-2021-45901 | 1 Servicenow | 1 Servicenow | 2022-02-22 | 5.0 MEDIUM | 5.3 MEDIUM |
| The password-reset form in ServiceNow Orlando provides different responses to invalid authentication attempts depending on whether the username exists. | |||||
| CVE-2020-9389 | 1 Squaredup | 1 Squaredup | 2022-02-22 | 4.3 MEDIUM | 3.7 LOW |
| A username enumeration issue was discovered in SquaredUp before version 4.6.0. The login functionality was implemented in a way that would enable a malicious user to guess valid username due to a different response time from invalid usernames. | |||||
| CVE-2019-16516 | 1 Connectwise | 1 Control | 2022-02-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a user enumeration vulnerability, allowing an unauthenticated attacker to determine with certainty if an account exists for a given username. | |||||
| CVE-2021-0524 | 1 Google | 1 Android | 2022-02-18 | 2.1 LOW | 5.5 MEDIUM |
| In isServiceDistractionOptimized of CarPackageManagerService.java, there is a possible disclosure of installed packages due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-180418334 | |||||
| CVE-2022-21659 | 1 Flask-appbuilder Project | 1 Flask-appbuilder | 2022-02-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue. | |||||
| CVE-2019-25056 | 1 Bromite | 1 Bromite | 2022-02-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Bromite through 78.0.3904.130, there are adblock rules in the release APK; therefore, probing which resources are blocked and which aren't can identify the application version and defeat the User-Agent protection mechanism. | |||||
| CVE-2022-22120 | 1 Xgenecloud | 1 Nocodb | 2022-01-19 | 5.0 MEDIUM | 5.3 MEDIUM |
| In NocoDB, versions 0.9 to 0.83.8 are vulnerable to Observable Discrepancy in the password-reset feature. When requesting a password reset for a given email address, the application displays an error message when the email isn't registered within the system. This allows attackers to enumerate the registered users' email addresses. | |||||
| CVE-2021-20147 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2022-01-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This allows an unauthenticated remote attacker to determine whether a Windows domain user exists. | |||||
| CVE-2020-12399 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2022-01-04 | 1.2 LOW | 4.4 MEDIUM |
| NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. | |||||
| CVE-2019-13456 | 4 Freeradius, Linux, Opensuse and 1 more | 4 Freeradius, Linux Kernel, Leap and 1 more | 2022-01-01 | 2.9 LOW | 6.5 MEDIUM |
| In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to recover the password of any user. This information leakage is similar to the "Dragonblood" attack and CVE-2019-9494. | |||||
| CVE-2020-11713 | 1 Wolfssl | 1 Wolfssl | 2022-01-01 | 5.0 MEDIUM | 7.5 HIGH |
| wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks. | |||||
| CVE-2020-35398 | 1 Utimf | 1 Uti Mutual Fund Invest Online | 2021-12-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in UTI Mutual fund Android application 5.4.18 and prior, allows attackers to brute force enumeration of usernames determined by the error message returned after invalid credentials are attempted. | |||||
| CVE-2021-44554 | 1 Cybelesoft | 1 Thinfinity Virtualui | 2021-12-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| Thinfinity VirtualUI before 3.0 allows a malicious actor to enumerate users registered in the OS (Windows) through the /changePassword URI. By accessing the vector, an attacker can determine if a username exists thanks to the message returned; it can be presented in different languages according to the configuration of VirtualUI. Common users are administrator, admin, guest and krgtbt. | |||||
| CVE-2021-44875 | 1 Dalmark | 1 Systeam Enterprise Resource Planning | 2021-12-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to User enumeration. The Systeam application is an ERP system that uses a mixed architecture based on SaaS tenant and user management, and on-premise database and web application counterparts. This issue occurs during the password recovery procedure for a given user, where a difference in messages could allow an attacker to determine if the given user is valid or not, enabling a brute force attack with valid users. | |||||