Total
380 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-11614 | 1 Mids\' Reborn Hero Designer Project | 1 Mids\' Reborn Hero Designer | 2021-07-21 | 6.8 MEDIUM | 8.1 HIGH |
| Mids' Reborn Hero Designer 2.6.0.7 downloads the update manifest, as well as update files, over cleartext HTTP. Additionally, the application does not perform file integrity validation for files after download. An attacker can perform a man-in-the-middle attack against this connection and replace executable files with malicious versions, which the operating system then executes under the context of the user running Hero Designer. | |||||
| CVE-2020-13272 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow | |||||
| CVE-2019-1000012 | 1 Hex | 1 Hex | 2021-07-21 | 6.8 MEDIUM | 8.8 HIGH |
| Hex package manager version 0.14.0 through 0.18.2 contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via victim fetches packages from malicious/compromised mirror. This vulnerability appears to have been fixed in 0.19. | |||||
| CVE-2021-21588 | 1 Dell | 1 Powerflex Presentation Server | 2021-07-14 | 4.3 MEDIUM | 4.3 MEDIUM |
| Dell EMC PowerFlex, v3.5.x contain a Cross-Site WebSocket Hijacking Vulnerability in the Presentation Server/WebUI. An unauthenticated attacker could potentially exploit this vulnerability by tricking the user into performing unwanted actions on the Presentation Server and perform which may lead to configuration changes. | |||||
| CVE-2021-23998 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2021-07-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. | |||||
| CVE-2021-29963 | 1 Mozilla | 1 Firefox | 2021-07-01 | 4.3 MEDIUM | 4.3 MEDIUM |
| Address bar search suggestions in private browsing mode were re-using session data from normal mode. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 89. | |||||
| CVE-2021-33887 | 1 Onepeloton | 2 Ttr01, Ttr01 Firmware | 2021-06-24 | 7.2 HIGH | 6.8 MEDIUM |
| Insufficient verification of data authenticity in Peloton TTR01 up to and including PTV55G allows an attacker with physical access to boot into a modified kernel/ramdisk without unlocking the bootloader. | |||||
| CVE-2021-33712 | 1 Mendix | 1 Saml | 2021-06-15 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in Mendix SAML Module (All versions < V2.1.2). The configuration of the SAML module does not properly check various restrictions and validations imposed by an identity provider. This could allow a remote authenticated attacker to escalate privileges. | |||||
| CVE-2021-32665 | 1 Wire | 1 Wire | 2021-06-11 | 5.0 MEDIUM | 6.5 MEDIUM |
| wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to "unverified. This occurs when: - Self user is added to a new conversation - Self user is added to an existing conversation - All the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify & verify a device in the conversation. | |||||
| CVE-2020-24395 | 1 Hom.ee | 2 Brain Cube, Brain Cube Core | 2021-06-03 | 7.2 HIGH | 6.8 MEDIUM |
| The USB firmware update script of homee Brain Cube v2 (2.28.2 and 2.28.4) devices allows an attacker with physical access to install compromised firmware. This occurs because of insufficient validation of the firmware image file and can lead to code execution on the device. | |||||
| CVE-2020-28900 | 1 Nagios | 2 Fusion, Nagios Xi | 2021-05-28 | 10.0 HIGH | 9.8 CRITICAL |
| Insufficient Verification of Data Authenticity in Nagios Fusion 4.1.8 and earlier and Nagios XI 5.7.5 and earlier allows for Escalation of Privileges or Code Execution as root via vectors related to an untrusted update package to upgrade_to_latest.sh. | |||||
| CVE-2021-22339 | 1 Huawei | 1 Manageone | 2021-05-26 | 3.5 LOW | 6.5 MEDIUM |
| There is a denial of service vulnerability in some versions of ManageOne. In specific scenarios, due to the insufficient verification of the parameter, an attacker may craft some specific parameter. Successful exploit may cause some services abnormal. | |||||
| CVE-2021-29239 | 1 Codesys | 1 Development System | 2021-05-07 | 4.6 MEDIUM | 7.8 HIGH |
| CODESYS Development System 3 before 3.5.17.0 displays or executes malicious documents or files embedded in libraries without first checking their validity. | |||||
| CVE-2021-31783 | 1 Piwigo | 1 Localfiles Editor | 2021-05-04 | 5.0 MEDIUM | 7.5 HIGH |
| show_default.php in the LocalFilesEditor extension before 11.4.0.1 for Piwigo allows Local File Inclusion because the file parameter is not validated with a proper regular-expression check. | |||||
| CVE-2015-6854 | 1 Broadcom | 1 Single Sign-on | 2021-04-09 | 6.4 MEDIUM | 9.1 CRITICAL |
| The non-Domino web agents in CA Single Sign-On (aka SSO, formerly SiteMinder) R6, R12.0 before SP3 CR13, R12.0J before SP3 CR1.2, and R12.5 before CR5 allow remote attackers to cause a denial of service (daemon crash) or obtain sensitive information via a crafted request. | |||||
| CVE-2015-6853 | 1 Broadcom | 1 Single Sign-on | 2021-04-09 | 6.4 MEDIUM | 9.1 CRITICAL |
| The Domino web agent in CA Single Sign-On (aka SSO, formerly SiteMinder) R6, R12.0 before SP3 CR13, R12.0J before SP3 CR1.2, R12.5 before CR5, R12.51 before CR4, and R12.52 before SP1 CR3 allows remote attackers to cause a denial of service (daemon crash) or obtain sensitive information via a crafted request. | |||||
| CVE-2021-21320 | 1 Matrix-react-sdk Project | 1 Matrix-react-sdk | 2021-03-08 | 4.3 MEDIUM | 4.3 MEDIUM |
| matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. In matrix-react-sdk before version 3.15.0, the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a `blob` origin that cannot access Matrix user data, so messages and secrets are not at risk. This has been fixed in version 3.15.0. | |||||
| CVE-2014-0364 | 1 Igniterealtime | 1 Smack | 2021-02-23 | 5.0 MEDIUM | N/A |
| The ParseRoster component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify the from attribute of a roster-query IQ stanza, which allows remote attackers to spoof IQ responses via a crafted attribute. | |||||
| CVE-2020-26547 | 1 Monal | 1 Monal | 2021-02-05 | 5.0 MEDIUM | 9.8 CRITICAL |
| Monal before 4.9 does not implement proper sender verification on MAM and Message Carbon (XEP-0280) results. This allows a remote attacker (able to send stanzas to a victim) to inject arbitrary messages into the local history, with full control over the sender and receiver displayed to the victim. | |||||
| CVE-2016-3016 | 1 Ibm | 6 Security Access Manager 9.0 Firmware, Security Access Manager For Mobile 8.0 Firmware, Security Access Manager For Mobile Appliance and 3 more | 2020-10-27 | 3.5 LOW | 4.4 MEDIUM |
| IBM Security Access Manager for Web processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code, which could allow an authenticated attacker to load malicious code. | |||||