ReportizFlow
Filtered by vendor
Subscriptions
Total
593 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-24807 | 1 Eprosima | 1 Fast Dds | 2025-02-21 | 7.1 High |
| eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0, per design, PermissionsCA is not full chain validated, nor is the expiration date validated. Access control plugin validates only the S/MIME signature which causes an expired PermissionsCA to be taken as valid. Even though this issue is responsible for allowing `governance/permissions` from an expired PermissionsCA and having the system crash when PermissionsCA is not self-signed and contains the full-chain, the impact is low. Versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0 contain a fix for the issue. | ||||
| CVE-2024-39689 | 2 Certifi, Netapp | 4 Certifi, Management Services For Element Software And Netapp Hci, Ontap Select Deploy Administration Utility and 1 more | 2025-02-15 | 7.5 High |
| Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues." | ||||
| CVE-2024-23601 | 1 Automationdirect | 12 P1-540, P1-540 Firmware, P1-550 and 9 more | 2025-02-13 | 9.8 Critical |
| A code injection vulnerability exists in the scan_lib.bin functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted scan_lib.bin can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. | ||||
| CVE-2023-5366 | 2 Openvswitch, Redhat | 7 Openvswitch, Enterprise Linux, Fast Datapath and 4 more | 2025-02-13 | 7.1 High |
| A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses. | ||||
| CVE-2023-2314 | 1 Google | 1 Chrome | 2025-02-13 | 6.5 Medium |
| Insufficient data validation in DevTools in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2022-48431 | 1 Jetbrains | 1 Intellij Idea | 2025-02-12 | 4.5 Medium |
| In JetBrains IntelliJ IDEA before 2023.1 in some cases, Gradle and Maven projects could be imported without the “Trust Project” confirmation. | ||||
| CVE-2023-6323 | 4 Owletcare, Roku, Throughtek and 1 more | 9 Cam, Cam 2, Cam 2 Firmware and 6 more | 2025-02-12 | 4.3 Medium |
| ThroughTek Kalay SDK does not verify the authenticity of received messages, allowing an attacker to impersonate an authoritative server. | ||||
| CVE-2023-26467 | 1 Pega | 1 Synchronization Engine | 2025-02-07 | 5.4 Medium |
| A man in the middle can redirect traffic to a malicious server in a compromised configuration. | ||||
| CVE-2023-27748 | 1 Blackvue | 4 Dr750-2ch Ir Lte, Dr750-2ch Ir Lte Firmware, Dr750-2ch Lte and 1 more | 2025-02-07 | 9.8 Critical |
| BlackVue DR750-2CH LTE v.1.012_2022.10.26 does not employ authenticity check for uploaded firmware. This can allow attackers to upload crafted firmware which contains backdoors and enables arbitrary code execution. | ||||
| CVE-2023-27977 | 1 Schneider-electric | 3 Custom Reports, Igss Dashboard, Igss Data Server | 2025-02-05 | 6.5 Medium |
| A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause access to delete files in the IGSS project report directory, this could lead to loss of data when an attacker sends specific crafted messages to the Data Server TCP port. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior). | ||||
| CVE-2023-27979 | 1 Schneider-electric | 3 Custom Reports, Igss Dashboard, Igss Data Server | 2025-02-05 | 6.5 Medium |
| A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could allow the renaming of files in the IGSS project report directory, this could lead to denial of service when an attacker sends specific crafted messages to the Data Server TCP port. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior). | ||||
| CVE-2023-27982 | 1 Schneider-electric | 3 Custom Reports, Igss Dashboard, Igss Data Server | 2025-02-05 | 8.8 High |
| A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause manipulation of dashboard files in the IGSS project report directory, when an attacker sends specific crafted messages to the Data Server TCP port, this could lead to remote code execution when a victim eventually opens a malicious dashboard file. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior). | ||||
| CVE-2022-44420 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-01-28 | 5.5 Medium |
| In modem, there is a possible missing verification of HashMME value in Security Mode Command. This could local denial of service with no additional execution privileges. | ||||
| CVE-2023-31502 | 1 Apsystems | 3 Alternergy Power Control Software, Ecu-c, Ecu-r | 2025-01-27 | 7.2 High |
| Altenergy Power Control Software C1.2.5 was discovered to contain a remote code execution (RCE) vulnerability via the component /models/management_model.php. | ||||
| CVE-2023-32993 | 1 Jenkins | 1 Saml Single Sign On | 2025-01-23 | 4.8 Medium |
| Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections. | ||||
| CVE-2024-27305 | 1 Aio-libs | 1 Aiosmtpd | 2025-01-22 | 5.3 Medium |
| aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggle/spoof e-mails with fake sender addresses, allowing advanced phishing attacks. This issue is also existed in other SMTP software like Postfix. With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-22315 | 1 Snapav | 2 Wattbox Wb-300-ip-3, Wattbox Wb-300-ip-3 Firmware | 2025-01-17 | 6.7 Medium |
| Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior use a proprietary local area network (LAN) protocol that does not verify updates to the device. An attacker could upload a malformed update file to the device and execute arbitrary code. | ||||
| CVE-2023-0350 | 1 Akuvox | 2 E11, E11 Firmware | 2025-01-17 | 6.5 Medium |
| Akuvox E11 does not ensure that a file extension is associated with the file provided. This could allow an attacker to upload a file to the device by changing the extension of a malicious file to an accepted file type. | ||||
| CVE-2023-28386 | 2 Control4, Snapone | 13 Ca-1, Ca-10, Ea-1 and 10 more | 2025-01-17 | 8.6 High |
| Snap One OvrC Pro devices versions 7.2 and prior do not validate firmware updates correctly. The device only calculates the MD5 hash of the firmware and does not check using a private-public key mechanism. The lack of complete PKI system firmware signature could allow attackers to upload arbitrary firmware updates, resulting in code execution. | ||||
| CVE-2023-2866 | 1 Advantech | 1 Webaccess | 2025-01-17 | 7.3 High |
| If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server. | ||||