ReportizFlow
Filtered by vendor
Subscriptions
Total
351 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-49193 | 1 Zendesk | 1 Zendesk | 2024-10-16 | 7.5 High |
| Zendesk before 2024-07-02 allows remote attackers to read ticket history via e-mail spoofing, because Cc fields are extracted from incoming e-mail messages and used to grant additional authorization for ticket viewing, the mechanism for detecting spoofed e-mail messages is insufficient, and the support e-mail addresses associated with individual tickets are predictable. | ||||
| CVE-2024-46957 | 1 Mellium | 1 Xmpp | 2024-09-26 | 9.8 Critical |
| Mellium mellium.im/xmpp 0.0.1 through 0.21.4 allows response spoofing if the implementation uses predictable IDs because the stanza type is not checked. This is fixed in 0.22.0. | ||||
| CVE-2024-45453 | 2024-09-26 | 3.7 Low | ||
| Authentication Bypass by Spoofing vulnerability in Peter Hardy-vanDoorn Maintenance Redirect allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Maintenance Redirect: from n/a through 2.0.1. | ||||
| CVE-2023-30464 | 1 Coredns.io | 1 Coredns | 2024-09-20 | 7.5 High |
| CoreDNS through 1.10.1 enables attackers to achieve DNS cache poisoning and inject fake responses via a birthday attack. | ||||
| CVE-2024-44104 | 1 Ivanti | 2 Automation, Workspace Control | 2024-09-18 | 8.8 High |
| An incorrectly implemented authentication scheme that is subjected to a spoofing attack in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges. | ||||
| CVE-2024-42364 | 1 Gethomepage | 1 Homepage | 2024-09-12 | 6.5 Medium |
| Homepage is a highly customizable homepage with Docker and service API integrations. The default setup of homepage 0.9.1 is vulnerable to DNS rebinding. Homepage is setup without certificate and authentication by default, leaving it to vulnerable to DNS rebinding. In this attack, an attacker will ask a user to visit his/her website. The attacker website will then change the DNS records of their domain from their IP address to the internal IP address of the homepage instance. To tell which IP addresses are valid, we can rebind a subdomain to each IP address we want to check, and see if there is a response. Once potential candidates have been found, the attacker can launch the attack by reading the response of the webserver after the IP address has changed. When the attacker domain is fetched, the response will be from the homepage instance, not the attacker website, because the IP address has been changed. Due to a lack of authentication, a user’s private information such as API keys (fixed after first report) and other private information can then be extracted by the attacker website. | ||||
| CVE-2024-7745 | 1 Progress | 1 Ws Ftp Server | 2024-09-04 | 6.5 Medium |
| In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only. | ||||
| CVE-2024-35539 | 1 Typecho | 1 Cms | 2024-08-21 | 6.5 Medium |
| Typecho v1.3.0 was discovered to contain a race condition vulnerability in the post commenting function. This vulnerability allows attackers to post several comments before the spam protection checks if the comments are posted too frequently. | ||||
| CVE-2024-35538 | 1 Typecho | 1 Typecho | 2024-08-20 | 5.3 Medium |
| Typecho v1.3.0 was discovered to contain a Client IP Spoofing vulnerability, which allows attackers to falsify their IP addresses by specifying an arbitrary IP as value of X-Forwarded-For or Client-Ip headers while performing HTTP requests. | ||||
| CVE-2024-41432 | 1 Likeshop | 1 Likeshop | 2024-08-08 | 5.3 Medium |
| An IP Spoofing vulnerability has been discovered in Likeshop up to 2.5.7.20210811. This issue allows an attacker to replace their real IP address with any arbitrary IP address, specifically by adding a forged 'X-Forwarded' or 'Client-IP' header to requests. Exploiting IP spoofing, attackers can bypass account lockout mechanisms during attempts to log into admin accounts, spoof IP addresses in requests sent to the server, and impersonate IP addresses that have logged into user accounts, etc. | ||||
| CVE-2022-0931 | 2024-02-09 | 0.0 Low | ||
| Red Hat Product Security does not consider this to be a vulnerability. Upstream has not acknowledged this issue as a security flaw. | ||||