Total
2481 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2014-8684 | 2 Codeigniter, Kohanaframework | 2 Codeigniter, Kohana | 2017-09-28 | 7.5 HIGH | 9.8 CRITICAL |
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes. | |||||
CVE-2014-8686 | 1 Codeigniter | 1 Codeigniter | 2017-09-28 | 5.0 MEDIUM | 9.8 CRITICAL |
CodeIgniter before 2.2.0 makes it easier for attackers to decode session cookies by leveraging fallback to a custom XOR-based encryption scheme when the Mcrypt extension for PHP is not available. | |||||
CVE-2015-2091 | 1 Apache | 1 Mod-gnutls | 2017-09-19 | 5.0 MEDIUM | N/A |
The authentication hook (mgs_hook_authz) in mod-gnutls 0.5.10 and earlier does not validate client certificates when "GnuTLSClientVerify require" is set, which allows remote attackers to spoof clients via a crafted certificate. | |||||
CVE-2013-1699 | 1 Mozilla | 1 Firefox | 2017-09-19 | 5.0 MEDIUM | N/A |
The Internationalized Domain Name (IDN) display algorithm in Mozilla Firefox before 22.0 does not properly handle the .com, .name, and .net top-level domains, which allows remote attackers to spoof the address bar via unspecified homograph characters. | |||||
CVE-2013-1576 | 1 Wireshark | 1 Wireshark | 2017-09-19 | 2.9 LOW | N/A |
The dissect_sdp_media_attribute function in epan/dissectors/packet-sdp.c in the SDP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly process crypto-suite parameters, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. | |||||
CVE-2012-2746 | 2 Fedoraproject, Redhat | 2 389 Directory Server, Directory Server | 2017-09-19 | 2.1 LOW | N/A |
389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), when the password of a LDAP user has been changed and audit logging is enabled, saves the new password to the log in plain text, which allows remote authenticated users to read the password. | |||||
CVE-2012-2678 | 2 Fedoraproject, Redhat | 2 389 Directory Server, Directory Server | 2017-09-19 | 1.2 LOW | N/A |
389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), after the password for a LDAP user has been changed and before the server has been reset, allows remote attackers to read the plaintext password via the unhashed#user#password attribute. | |||||
CVE-2010-3804 | 2 Apple, Microsoft | 7 Mac Os X, Mac Os X Server, Safari and 4 more | 2017-09-19 | 5.0 MEDIUM | N/A |
The JavaScript implementation in WebKit in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.3 on Mac OS X 10.4, uses a weak algorithm for generating values of random numbers, which makes it easier for remote attackers to track a user by predicting a value, a related issue to CVE-2008-5913 and CVE-2010-3171. | |||||
CVE-2010-3741 | 1 Rim | 1 Blackberry Desktop Software | 2017-09-19 | 4.7 MEDIUM | N/A |
The offline backup mechanism in Research In Motion (RIM) BlackBerry Desktop Software uses single-iteration PBKDF2, which makes it easier for local users to decrypt a .ipd file via a brute-force attack. | |||||
CVE-2010-3400 | 1 Mozilla | 2 Firefox, Seamonkey | 2017-09-19 | 5.8 MEDIUM | N/A |
The js_InitRandom function in the JavaScript implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, uses the current time for seeding of a random number generator, which makes it easier for remote attackers to guess the seed value via a brute-force attack, a different vulnerability than CVE-2008-5913. | |||||
CVE-2010-3399 | 1 Mozilla | 1 Firefox | 2017-09-19 | 5.8 MEDIUM | N/A |
The js_InitRandom function in the JavaScript implementation in Mozilla Firefox 3.5.10 through 3.5.11, 3.6.4 through 3.6.8, and 4.0 Beta1 uses a context pointer in conjunction with its successor pointer for seeding of a random number generator, which makes it easier for remote attackers to guess the seed value via a brute-force attack, a different vulnerability than CVE-2010-3171. | |||||
CVE-2010-3173 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2017-09-19 | 7.5 HIGH | N/A |
The SSL implementation in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 does not properly set the minimum key length for Diffie-Hellman Ephemeral (DHE) mode, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. | |||||
CVE-2010-3171 | 1 Mozilla | 1 Firefox | 2017-09-19 | 5.8 MEDIUM | N/A |
The Math.random function in the JavaScript implementation in Mozilla Firefox 3.5.10 through 3.5.11, 3.6.4 through 3.6.8, and 4.0 Beta1 uses a random number generator that is seeded only once per document object, which makes it easier for remote attackers to track a user, or trick a user into acting upon a spoofed pop-up message, by calculating the seed value, related to a "temporary footprint" and an "in-session phishing attack." NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-5913. | |||||
CVE-2010-3170 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2017-09-19 | 4.3 MEDIUM | N/A |
Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 recognize a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. | |||||
CVE-2010-1413 | 2 Apple, Microsoft | 7 Mac Os X, Mac Os X Server, Safari and 4 more | 2017-09-19 | 5.0 MEDIUM | N/A |
WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, sends NTLM credentials in cleartext in unspecified circumstances, which allows man-in-the-middle attackers to obtain sensitive information via unspecified vectors. | |||||
CVE-2010-0742 | 1 Openssl | 1 Openssl | 2017-09-19 | 7.5 HIGH | N/A |
The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors. | |||||
CVE-2009-4565 | 1 Sendmail | 1 Sendmail | 2017-09-19 | 7.5 HIGH | N/A |
sendmail before 8.14.4 does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | |||||
CVE-2009-4144 | 1 Gnome | 1 Networkmanager | 2017-09-19 | 6.8 MEDIUM | N/A |
NetworkManager (NM) 0.7.2 does not ensure that the configured Certification Authority (CA) certificate file for a (1) WPA Enterprise or (2) 802.1x network remains present upon a connection attempt, which might allow remote attackers to obtain sensitive information or cause a denial of service (connectivity disruption) by spoofing the identity of a wireless network. | |||||
CVE-2009-3490 | 1 Gnu | 1 Wget | 2017-09-19 | 6.8 MEDIUM | N/A |
GNU Wget before 1.12 does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate, which allows man-in-the-middle remote attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | |||||
CVE-2009-3044 | 1 Opera | 1 Opera Browser | 2017-09-19 | 5.0 MEDIUM | N/A |
Opera before 10.00 does not properly handle a (1) '\0' character or (2) invalid wildcard character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. |