ReportizFlow
Filtered by vendor
Subscriptions
Total
442 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2013-2166 | 4 Debian, Fedoraproject, Openstack and 1 more | 4 Debian Linux, Fedora, Python-keystoneclient and 1 more | 2024-11-21 | 9.8 Critical |
| python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass | ||||
| CVE-2013-0334 | 4 Bundler, Fedoraproject, Opensuse and 1 more | 4 Bundler, Fedora, Opensuse and 1 more | 2024-11-21 | N/A |
| Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source. | ||||
| CVE-2024-47867 | 1 Gradio Project | 1 Gradio | 2024-11-15 | 7.5 High |
| Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file's checksum or signature. Any users utilizing the Gradio server's sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling. There is no direct workaround for this issue without upgrading. However, users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn't been tampered with. | ||||
| CVE-2024-47255 | 1 2n | 1 Access Commander | 2024-11-07 | 4.7 Medium |
| In 2N Access Commander versions 3.1.1.2 and prior, a local attacker can escalate their privileges in the system which could allow for arbitrary code execution with root permissions. | ||||
| CVE-2024-47254 | 1 2n | 1 Access Commander | 2024-11-07 | 6.3 Medium |
| In 2N Access Commander versions 3.1.1.2 and prior, an Insufficient Verification of Data Authenticity vulnerability could allow an attacker to escalate their privileges and gain root access to the system. | ||||
| CVE-2024-43108 | 1 Gotenna | 1 Gotenna | 2024-10-17 | 5.3 Medium |
| The goTenna Pro ATAK Plugin uses AES CTR type encryption for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to an attacker that can access the message. It is advised to continue to use encryption in the plugin and update to the current release for enhanced encryption protocols. | ||||
| CVE-2024-37968 | 1 Microsoft | 10 Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 Sp2 and 7 more | 2024-10-16 | 7.5 High |
| Windows DNS Spoofing Vulnerability | ||||
| CVE-2024-38198 | 1 Microsoft | 25 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 22 more | 2024-10-16 | 7.5 High |
| Windows Print Spooler Elevation of Privilege Vulnerability | ||||
| CVE-2024-7847 | 1 Rockwellautomation | 4 Rslogix 5, Rslogix 500, Rslogix Micro Developer and 1 more | 2024-10-15 | 7.7 High |
| VULNERABILITY DETAILS Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported to us by Sharon Brizinov of Claroty Research - Team82. A feature in the affected products enables users to prepare a project file with an embedded VBA script and can be configured to run once the project file has been opened without user intervention. This feature can be abused to trick a legitimate user into executing malicious code upon opening an infected RSP/RSS project file. If exploited, a threat actor may be able to perform a remote code execution. Connected devices may also be impacted by exploitation of this vulnerability. | ||||
| CVE-2024-47079 | 2024-10-10 | 6.4 Medium | ||
| Meshtastic is an open source, off-grid, decentralized, mesh network built to run on affordable, low-power devices. Meshtastic firmware is an open source firmware implementation for the broader project. The remote hardware module of the firmware does not have proper checks to ensure a remote hardware control message was received should be considered valid. This issue has been addressed in release version 2.5.1. All users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-23922 | 1 Sony | 2 Xav-ax5500, Xav-ax5500 Firmware | 2024-09-30 | 6.8 Medium |
| Sony XAV-AX5500 Insufficient Firmware Update Validation Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Sony XAV-AX5500 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of software updates. The issue results from the lack of proper validation of software update packages. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-22939 | ||||
| CVE-2022-4533 | 2 Felixmoira, Limit Login Attempts Project | 2 Limit Login Attempts Plus, Limit Login Attempts Plus | 2024-09-25 | 5.3 Medium |
| The Limit Login Attempts Plus plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.1.0. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in. | ||||
| CVE-2024-45410 | 1 Traefik | 1 Traefik | 2024-09-25 | 9.8 Critical |
| Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise, if they can be modified. For HTTP/1.1, however, it was found that some of theses custom headers can indeed be removed and in certain cases manipulated. The attack relies on the HTTP/1.1 behavior, that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been addressed in release versions 2.11.9 and 3.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-42483 | 1 Espressif | 1 Esp-now | 2024-09-23 | 6.5 Medium |
| ESP-NOW Component provides a connectionless Wi-Fi communication protocol. An replay attacks vulnerability was discovered in the implementation of the ESP-NOW because the caches is not differentiated by message types, it is a single, shared resource for all kinds of messages, whether they are broadcast or unicast, and regardless of whether they are ciphertext or plaintext. This can result an attacker to clear the cache of its legitimate entries, there by creating an opportunity to re-inject previously captured packets. This vulnerability is fixed in 2.5.2. | ||||
| CVE-2023-28457 | 1 Technitium | 1 Dns Server | 2024-09-20 | 7.5 High |
| An issue was discovered in Technitium through 11.0.3. It enables attackers to conduct a DNS cache poisoning attack and inject fake responses within 1 second, which is impactful. | ||||
| CVE-2022-4539 | 1 Miniorange | 1 Web Application Firewall | 2024-09-19 | 5.3 Medium |
| The Web Application Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1.2. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in. | ||||
| CVE-2024-25584 | 2024-09-06 | 5.3 Medium | ||
| Dovecot accepts dot LF DOT LF symbol as end of DATA command. RFC requires that it should always be CR LF DOT CR LF. This causes Dovecot to convert single mail with LF DOT LF in middle, into two emails when relaying to SMTP. Dovecot will split mail with LF DOT LF into two mails. Upgrade to latest released version. No publicly available exploits are known. | ||||
| CVE-2024-7980 | 2 Google, Microsoft | 2 Chrome, Windows | 2024-08-26 | 7.3 High |
| Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84 allowed a local attacker to perform privilege escalation via a crafted symbolic link. (Chromium security severity: Medium) | ||||
| CVE-2024-7979 | 2 Google, Microsoft | 2 Chrome, Windows | 2024-08-26 | 7 High |
| Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84 allowed a local attacker to perform privilege escalation via a crafted symbolic link. (Chromium security severity: Medium) | ||||
| CVE-2023-28865 | 1 Dieboldnixdorf | 1 Vynamic Security Suite | 2024-08-19 | 6.6 Medium |
| Diebold Nixdorf Vynamic Security Suite (VSS) before 3.3.0 SR15, 4.0.0 SR05, 4.1.0 SR03, and 4.2.0 SR02 fails to validate the directory contents of certain directories (e.g., ensuring the expected hash sum) during the Pre-Boot Authorization (PBA) process. This can be exploited by a physical attacker who is able to manipulate the contents of the system's hard disk. | ||||