ReportizFlow
Filtered by vendor
Subscriptions
Total
593 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2015-6254 | 2 Picketlink, Redhat | 2 Picketlink, Jboss Enterprise Application Platform | 2025-04-12 | 6.3 Medium |
| The (1) Service Provider (SP) and (2) Identity Provider (IdP) in PicketLink before 2.7.0 does not ensure that the Destination attribute in a Response element in a SAML assertion matches the location from which the message was received, which allows remote attackers to have unspecified impact via unknown vectors. NOTE: this identifier was SPLIT from CVE-2015-0277 per ADT2 due to different vulnerability types. | ||||
| CVE-2015-6853 | 1 Broadcom | 1 Single Sign-on | 2025-04-12 | N/A |
| The Domino web agent in CA Single Sign-On (aka SSO, formerly SiteMinder) R6, R12.0 before SP3 CR13, R12.0J before SP3 CR1.2, R12.5 before CR5, R12.51 before CR4, and R12.52 before SP1 CR3 allows remote attackers to cause a denial of service (daemon crash) or obtain sensitive information via a crafted request. | ||||
| CVE-2015-6854 | 1 Broadcom | 1 Single Sign-on | 2025-04-12 | N/A |
| The non-Domino web agents in CA Single Sign-On (aka SSO, formerly SiteMinder) R6, R12.0 before SP3 CR13, R12.0J before SP3 CR1.2, and R12.5 before CR5 allow remote attackers to cause a denial of service (daemon crash) or obtain sensitive information via a crafted request. | ||||
| CVE-2016-9450 | 1 Drupal | 1 Drupal | 2025-04-12 | N/A |
| The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context. | ||||
| CVE-2014-2718 | 2 Asus, T-mobile | 10 Rt-ac56r, Rt-ac66r, Rt-ac66u and 7 more | 2025-04-12 | N/A |
| ASUS RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U, and possibly other RT-series routers before firmware 3.0.0.4.376.x do not verify the integrity of firmware (1) update information or (2) downloaded updates, which allows man-in-the-middle (MITM) attackers to execute arbitrary code via a crafted image. | ||||
| CVE-2022-42267 | 2 Microsoft, Nvidia | 2 Windows, Virtual Gpu | 2025-04-10 | 7 High |
| NVIDIA GPU Display Driver for Windows contains a vulnerability where a regular user can cause an out-of-bounds read, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. | ||||
| CVE-2021-26396 | 1 Amd | 48 Epyc 7003, Epyc 7003 Firmware, Epyc 72f3 and 45 more | 2025-04-09 | 4.4 Medium |
| Insufficient validation of address mapping to IO in ASP (AMD Secure Processor) may result in a loss of memory integrity in the SNP guest. | ||||
| CVE-2021-26403 | 1 Amd | 82 Epyc 7001, Epyc 7001 Firmware, Epyc 7002 and 79 more | 2025-04-09 | 6.5 Medium |
| Insufficient checks in SEV may lead to a malicious hypervisor disclosing the launch secret potentially resulting in compromise of VM confidentiality. | ||||
| CVE-2022-46370 | 1 Maxum | 1 Rumpus | 2025-04-08 | 7.3 High |
| Rumpus - FTP server version 9.0.7.1 Improper Token Verification– vulnerability may allow bypassing identity verification. | ||||
| CVE-2024-1554 | 1 Mozilla | 1 Firefox | 2025-04-02 | 9.8 Critical |
| The `fetch()` API and navigation incorrectly shared the same cache, as the cache key did not include the optional headers `fetch()` may contain. Under the correct circumstances, an attacker may have been able to poison the local browser cache by priming it with a `fetch()` response controlled by the additional headers. Upon navigation to the same URL, the user would see the cached response instead of the expected response. This vulnerability affects Firefox < 123. | ||||
| CVE-2023-52546 | 1 Huawei | 2 Emui, Harmonyos | 2025-03-28 | 7.5 High |
| Vulnerability of package name verification being bypassed in the Calendar app. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2023-21441 | 1 Samsung | 1 Android | 2025-03-24 | 7.4 High |
| Insufficient Verification of Data Authenticity vulnerability in Routine prior to versions 2.6.30.6 in Android Q(10), 3.1.21.10 in Android R(11) and 3.5.2.23 in Android S(12) allows local attacker to access protected files via unused code. | ||||
| CVE-2023-20570 | 1 Amd | 94 Alveo U200, Alveo U200 Firmware, Alveo U250 and 91 more | 2025-03-22 | 3.3 Low |
| Insufficient verification of data authenticity in the configuration state machine may allow a local attacker to potentially load arbitrary bitstreams. | ||||
| CVE-2024-33687 | 1 Omron | 110 Nj-pa3001, Nj-pa3001 Firmware, Nj-pd3001 and 107 more | 2025-03-13 | 7.5 High |
| Insufficient verification of data authenticity issue exists in NJ Series CPU Unit all versions and NX Series CPU Unit all versions. If a user program in the affected product is altered, the product may not be able to detect the alteration. | ||||
| CVE-2023-23940 | 1 Openzeppelin | 1 Contracts | 2025-03-11 | 6.4 Medium |
| OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. `is_valid_eth_signature` is missing a call to `finalize_keccak` after calling `verify_eth_signature`. As a result, any contract using `is_valid_eth_signature` from the account library (such as the `EthAccount` preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. The issue has been patched in 0.6.1. | ||||
| CVE-2023-23941 | 1 Shopware | 1 Swagpaypal | 2025-03-11 | 7.5 High |
| SwagPayPal is a PayPal integration for shopware/platform. If JavaScript-based PayPal checkout methods are used (PayPal Plus, Smart Payment Buttons, SEPA, Pay Later, Venmo, Credit card), the amount and item list sent to PayPal may not be identical to the one in the created order. The problem has been fixed with version 5.4.4. As a workaround, disable the aforementioned payment methods or use the Security Plugin in version >= 1.0.21. | ||||
| CVE-2024-27773 | 1 Unitronics | 1 Unilogic | 2025-03-10 | 8.8 High |
| Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-348: Use of Less Trusted Source may allow RCE | ||||
| CVE-2023-25178 | 1 Honeywell | 2 C300, C300 Firmware | 2025-03-05 | 9.8 Critical |
| Controller may be loaded with malicious firmware which could enable remote code execution. See Honeywell Security Notification for recommendations on upgrading and versioning. | ||||
| CVE-2023-37920 | 4 Certifi, Fedoraproject, Netapp and 1 more | 14 Certifi, Fedora, Active Iq Unified Manager and 11 more | 2025-03-05 | 7.5 High |
| Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. | ||||
| CVE-2023-26481 | 1 Goauthentik | 1 Authentik | 2025-02-25 | 9.1 Critical |
| authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin (or sent via email by an admin) can be used to set the password for any arbitrary user. This attack is only possible if a recovery flow exists, which has both an Identification and an Email stage bound to it. If the flow has policies on the identification stage to skip it when the flow is restored (by checking `request.context['is_restored']`), the flow is not affected by this. With this flow in place, an administrator must create a recovery Link or send a recovery URL to the attacker, who can, due to the improper validation of the token create, set the password for any account. Regardless, for custom recovery flows it is recommended to add a policy that checks if the flow is restored, and skips the identification stage. This issue has been fixed in versions 2023.2.3, 2023.1.3 and 2022.12.2. | ||||