Total
265 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-21310 | 1 Nextauth.js | 1 Next-auth | 2021-02-19 | 4.3 MEDIUM | 5.9 MEDIUM |
| NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. In next-auth before version 3.3.0 there is a token verification vulnerability. Implementations using the Prisma database adapter in conjunction with the Email provider are impacted. Implementations using the Email provider with the default database adapter are not impacted. Implementations using the Prisma database adapter but not using the Email provider are not impacted. The Prisma database adapter was checking the verification token, but was not verifying the email address associated with that token. This made it possible to use a valid token to sign in as another user when using the Prima adapter in conjunction with the Email provider. This issue is specific to the community supported Prisma adapter. This issue is fixed in version 3.3.0. | |||||
| CVE-2020-27276 | 1 Sooil | 6 Anydana-a, Anydana-a Firmware, Anydana-i and 3 more | 2021-01-23 | 2.9 LOW | 5.7 MEDIUM |
| SOOIL Developments Co Ltd DiabecareRS,AnyDana-i & AnyDana-A, the communication protocol of the insulin pump and its AnyDana-i & AnyDana-A mobile apps doesn't use adequate measures to authenticate the communicating entities before exchanging keys, which allows unauthenticated, physically proximate attackers to eavesdrop the authentication sequence via Bluetooth Low Energy. | |||||
| CVE-2020-26276 | 1 Fleetdm | 1 Fleet | 2020-12-18 | 6.8 MEDIUM | 9.8 CRITICAL |
| Fleet is an open source osquery manager. In Fleet before version 3.5.1, due to issues in Go's standard library XML parsing, a valid SAML response may be mutated by an attacker to modify the trusted document. This can result in allowing unverified logins from a SAML IdP. Users that configure Fleet with SSO login may be vulnerable to this issue. This issue is patched in 3.5.1. The fix was made using https://github.com/mattermost/xml-roundtrip-validator If upgrade to 3.5.1 is not possible, users should disable SSO authentication in Fleet. | |||||
| CVE-2020-28856 | 1 Openasset | 1 Digital Asset Management | 2020-12-15 | 5.0 MEDIUM | 7.5 HIGH |
| OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly determine the HTTP request's originating IP address, allowing attackers to spoof it using X-Forwarded-For in the header, by supplying localhost address such as 127.0.0.1, effectively bypassing all IP address based access controls. | |||||
| CVE-2020-26254 | 1 Omniauth-apple Project | 1 Omniauth-apple | 2020-12-10 | 5.0 MEDIUM | 7.7 HIGH |
| omniauth-apple is the OmniAuth strategy for "Sign In with Apple" (RubyGem omniauth-apple). In omniauth-apple before version 1.0.1 attackers can fake their email address during authentication. This vulnerability impacts applications using the omniauth-apple strategy of OmniAuth and using the info.email field of OmniAuth's Auth Hash Schema for any kind of identification. The value of this field may be set to any value of the attacker's choice including email addresses of other users. Applications not using info.email for identification but are instead using the uid field are not impacted in the same manner. Note, these applications may still be negatively affected if the value of info.email is being used for other purposes. Applications using affected versions of omniauth-apple are advised to upgrade to omniauth-apple version 1.0.1 or later. | |||||
| CVE-2020-4864 | 1 Ibm | 1 Resilient Security Orchestration Automation And Response | 2020-10-30 | 3.3 LOW | 4.3 MEDIUM |
| IBM Resilient SOAR V38.0 could allow an attacker on the internal net work to provide the server with a spoofed source IP address. IBM X-Force ID: 190567. | |||||
| CVE-2020-24375 | 1 Free | 3 Freebox Server, Freebox V5, Freebox V5 Firmware | 2020-10-27 | 4.3 MEDIUM | 6.5 MEDIUM |
| A DNS rebinding vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3. | |||||
| CVE-2018-5354 | 1 Anixis | 1 Password Reset Client | 2020-10-20 | 5.8 MEDIUM | 8.8 HIGH |
| The custom GINA/CP module in ANIXIS Password Reset Client before version 3.22 allows remote attackers to execute code and escalate privileges via spoofing. When the client is configured to use HTTP, it does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. | |||||
| CVE-2018-5353 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2020-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the web server has a misconfigured certificate then no spoofing attack is required | |||||
| CVE-2019-16766 | 1 Labdigital | 1 Wagtail-2fa | 2020-10-09 | 4.0 MEDIUM | 8.8 HIGH |
| When using wagtail-2fa before 1.3.0, if someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS. This problem has been patched in version 1.3.0. | |||||
| CVE-2019-1318 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2020-08-24 | 4.3 MEDIUM | 5.9 MEDIUM |
| A spoofing vulnerability exists when Transport Layer Security (TLS) accesses non- Extended Master Secret (EMS) sessions, aka 'Microsoft Windows Transport Layer Security Spoofing Vulnerability'. | |||||
| CVE-2018-1695 | 1 Ibm | 1 Websphere Application Server | 2020-08-24 | 6.8 MEDIUM | 5.6 MEDIUM |
| IBM WebSphere Application Server 7.0, 8.0, and 8.5.5 installations using Form Login could allow a remote attacker to conduct spoofing attacks. IBM X-Force ID: 145769. | |||||
| CVE-2018-8383 | 1 Microsoft | 1 Edge | 2020-08-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| A spoofing vulnerability exists when Microsoft Edge does not properly parse HTTP content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8388. | |||||
| CVE-2019-0283 | 1 Sap | 1 Netweaver Process Integration | 2020-08-24 | 5.5 MEDIUM | 7.1 HIGH |
| SAP NetWeaver Process Integration (Adapter Engine), fixed in versions 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; is vulnerable to Digital Signature Spoofing. It is possible to spoof XML signatures and send arbitrary requests to the server via PI Axis adapter. These requests will be accepted by the PI Axis adapter even if the payload has been altered, especially when the signed element is the body of the xml document. | |||||
| CVE-2018-8388 | 1 Microsoft | 1 Edge | 2020-08-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8383. | |||||
| CVE-2018-12331 | 1 Ecos | 1 System Management Appliance | 2020-08-24 | 5.8 MEDIUM | 7.4 HIGH |
| Authentication Bypass by Spoofing vulnerability in ECOS System Management Appliance (aka SMA) 5.2.68 allows a man-in-the-middle attacker to compromise authentication keys and configurations via IP spoofing during "Easy Enrollment." | |||||
| CVE-2018-8278 | 1 Microsoft | 2 Edge, Windows 10 | 2020-08-24 | 5.8 MEDIUM | 6.1 MEDIUM |
| A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge. | |||||
| CVE-2018-16483 | 1 Express-cart Project | 1 Express-cart | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators. | |||||
| CVE-2019-20203 | 1 Postieplugin | 1 Postie | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Authorized Addresses feature in the Postie plugin 1.9.40 for WordPress allows remote attackers to publish posts by spoofing the From information of an email message. | |||||
| CVE-2018-8425 | 1 Microsoft | 3 Edge, Windows 10, Windows Server 2016 | 2020-08-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge. | |||||