Total
380 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-46370 | 1 Maxum | 1 Rumpus | 2023-01-20 | N/A | 7.5 HIGH |
| Rumpus - FTP server version 9.0.7.1 Improper Token Verification– vulnerability may allow bypassing identity verification. | |||||
| CVE-2022-42267 | 2 Microsoft, Nvidia | 2 Windows, Virtual Gpu | 2023-01-10 | N/A | 7.8 HIGH |
| NVIDIA GPU Display Driver for Windows contains a vulnerability where a regular user can cause an out-of-bounds read, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. | |||||
| CVE-2020-9885 | 1 Apple | 5 Ipados, Iphone Os, Mac Os X and 2 more | 2023-01-09 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue existed in the handling of iMessage tapbacks. The issue was resolved with additional verification. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8. A user that is removed from an iMessage group could rejoin the group. | |||||
| CVE-2022-3347 | 1 Go-resolver Project | 1 Go-resolver | 2023-01-06 | N/A | 7.5 HIGH |
| DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. Root DNSSEC public keys are not validated, permitting an attacker to present a self-signed root key and delegation chain. | |||||
| CVE-2022-3346 | 1 Go-resolver Project | 1 Go-resolver | 2023-01-06 | N/A | 6.5 MEDIUM |
| DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain in a response for any other domain. | |||||
| CVE-2022-41961 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-12-20 | N/A | 4.3 MEDIUM |
| BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered users from the same extId. This issue has been fixed by improving permissions such that banning a user removes all users related to their extId, including registered users that have not joined the meeting. This issue is patched in versions 2.4-rc-6 and 2.5-alpha-1. There are no workarounds. | |||||
| CVE-2022-41960 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-12-20 | N/A | 4.3 MEDIUM |
| BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds. | |||||
| CVE-2021-36751 | 1 Encsecurity | 1 Datavault | 2022-12-13 | 6.4 MEDIUM | 4.2 MEDIUM |
| ENC DataVault 7.2.3 and before, and OEM versions, use an encryption algorithm that is vulnerable to data manipulation (without knowledge of the key). This is called ciphertext malleability. There is no data integrity mechanism to detect this manipulation. | |||||
| CVE-2022-39909 | 1 Samsung | 1 Gear Iconx Pc Manager | 2022-12-12 | N/A | 5.5 MEDIUM |
| Insufficient verification of data authenticity vulnerability in Samsung Gear IconX PC Manager prior to version 2.1.221019.51 allows local attackers to create arbitrary file using symbolic link. | |||||
| CVE-2022-41156 | 2 Etm-s, Microsoft | 2 Ondiskplayeragent, Windows | 2022-12-01 | N/A | 7.8 HIGH |
| Remote code execution vulnerability due to insufficient verification of URLs, etc. in OndiskPlayerAgent. A remote attacker could exploit the vulnerability to cause remote code execution by causing an arbitrary user to download and execute malicious code. | |||||
| CVE-2022-31877 | 1 Msi | 1 Center | 2022-11-30 | N/A | 8.8 HIGH |
| An issue in the component MSI.TerminalServer.exe of MSI Center v1.0.41.0 allows attackers to escalate privileges via a crafted TCP packet. | |||||
| CVE-2022-36111 | 1 Codenotary | 1 Immudb | 2022-11-27 | N/A | 5.3 MEDIUM |
| immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1. | |||||
| CVE-2022-39199 | 1 Codenotary | 1 Immudb | 2022-11-26 | N/A | 5.9 MEDIUM |
| immudb is a database with built-in cryptographic proof and verification. immudb client SDKs use server's UUID to distinguish between different server instance so that the client can connect to different immudb instances and keep the state for multiple servers. SDK does not validate this uuid and can accept any value reported by the server. A malicious server can change the reported UUID tricking the client to treat it as a different server thus accepting a state completely irrelevant to the one previously retrieved from the server. This issue has been patched in version 1.4.1. As a workaround, when initializing an immudb client object a custom state handler can be used to store the state. Providing custom implementation that ignores the server UUID can be used to ensure that even if the server changes the UUID, client will still consider it to be the same server. | |||||
| CVE-2022-0031 | 2 Linux, Paloaltonetworks | 2 Linux Kernel, Cortex Xsoar | 2022-11-10 | N/A | 6.7 MEDIUM |
| A local privilege escalation (PE) vulnerability in the Palo Alto Networks Cortex XSOAR engine software running on a Linux operating system allows a local attacker with shell access to the engine to execute programs with elevated privileges. | |||||
| CVE-2019-8921 | 3 Bluez, Debian, Linux | 3 Bluez, Debian Linux, Linux Kernel | 2022-11-07 | 3.3 LOW | 6.5 MEDIUM |
| An issue was discovered in bluetoothd in BlueZ through 5.48. The vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data. The root cause can be found in the function service_attr_req of sdpd-request.c. The server does not check whether the CSTATE data is the same in consecutive requests, and instead simply trusts that it is the same. | |||||
| CVE-2022-26122 | 1 Fortinet | 3 Antivirus Engine, Fortimail, Fortios | 2022-11-04 | N/A | 8.6 HIGH |
| An insufficient verification of data authenticity vulnerability [CWE-345] in FortiClient, FortiMail and FortiOS AV engines version 6.2.168 and below and version 6.4.274 and below may allow an attacker to bypass the AV engine via manipulating MIME attachment with junk and pad characters in base64. | |||||
| CVE-2021-38396 | 1 Bostonscientific | 2 Zoom Latitude Pogrammer\/recorder\/monitor 3120, Zoom Latitude Pogrammer\/recorder\/monitor 3120 Firmware | 2022-10-27 | 4.6 MEDIUM | 6.8 MEDIUM |
| The programmer installation utility does not perform a cryptographic authenticity or integrity checks of the software on the flash drive. An attacker could leverage this weakness to install unauthorized software using a specially crafted USB. | |||||
| CVE-2022-34845 | 1 Robustel | 2 R1510, R1510 Firmware | 2022-10-26 | N/A | 2.7 LOW |
| A firmware update vulnerability exists in the sysupgrade functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network packet can lead to arbitrary firmware update. An attacker can send a sequence of requests to trigger this vulnerability. | |||||
| CVE-2022-24889 | 1 Nextcloud | 1 Nextcloud Server | 2022-10-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 21.0.8, 22.2.4, and 23.0.1, it is possible to trick administrators into enabling "recommended" apps for the Nextcloud server that they do not need, thus expanding their attack surface unnecessarily. This issue is fixed in versions 21.0.8 , 22.2.4, and 23.0.1. | |||||
| CVE-2020-16122 | 2 Canonical, Packagekit Project | 2 Ubuntu Linux, Packagekit | 2022-10-21 | 2.1 LOW | 7.8 HIGH |
| PackageKit's apt backend mistakenly treated all local debs as trusted. The apt security model is based on repository trust and not on the contents of individual files. On sites with configured PolicyKit rules this may allow users to install malicious packages. | |||||