ReportizFlow
Filtered by vendor
Subscriptions
Total
468 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-1279 | 1 Pivotal Software | 1 Rabbitmq | 2024-11-21 | N/A |
| Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on any server in the MQ cluster can use this cookie to gain full control over the entire cluster. | ||||
| CVE-2018-16483 | 1 Express-cart Project | 1 Express-cart | 2024-11-21 | N/A |
| A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators. | ||||
| CVE-2018-15715 | 1 Zoom | 1 Zoom | 2024-11-21 | N/A |
| Zoom clients on Windows (before version 4.1.34814.1119), Mac OS (before version 4.1.34801.1116), and Linux (2.4.129780.0915 and below) are vulnerable to unauthorized message processing. A remote unauthenticated attacker can spoof UDP messages from a meeting attendee or Zoom server in order to invoke functionality in the target client. This allows the attacker to remove attendees from meetings, spoof messages from users, or hijack shared screens. | ||||
| CVE-2018-15588 | 1 Freron | 1 Mailmate | 2024-11-21 | N/A |
| MailMate before 1.11.3 mishandles a suspicious HTML/MIME structure in a signed/encrypted email. | ||||
| CVE-2018-15587 | 3 Debian, Gnome, Redhat | 3 Debian Linux, Evolution, Enterprise Linux | 2024-11-21 | N/A |
| GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment. | ||||
| CVE-2018-12403 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2024-11-21 | N/A |
| If a site is loaded over a HTTPS connection but loads a favicon resource over HTTP, the mixed content warning is not displayed to users. This vulnerability affects Firefox < 63. | ||||
| CVE-2018-12399 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2024-11-21 | N/A |
| When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the new protocol. This may result in the user approving a protocol handler that they otherwise would not have. This vulnerability affects Firefox < 63. | ||||
| CVE-2018-12331 | 1 Ecos | 1 System Management Appliance | 2024-11-21 | N/A |
| Authentication Bypass by Spoofing vulnerability in ECOS System Management Appliance (aka SMA) 5.2.68 allows a man-in-the-middle attacker to compromise authentication keys and configurations via IP spoofing during "Easy Enrollment." | ||||
| CVE-2017-7762 | 2 Mozilla, Redhat | 5 Firefox, Enterprise Linux, Enterprise Linux Desktop and 2 more | 2024-11-21 | N/A |
| When entered directly, Reader Mode did not strip the username and password section of URLs displayed in the addressbar. This can be used for spoofing the domain of the current page. This vulnerability affects Firefox < 54. | ||||
| CVE-2017-18190 | 4 Apple, Canonical, Debian and 1 more | 4 Cups, Ubuntu Linux, Debian Linux and 1 more | 2024-11-21 | N/A |
| A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1). | ||||
| CVE-2017-12610 | 1 Apache | 1 Kafka | 2024-11-21 | N/A |
| In Apache Kafka 0.10.0.0 to 0.10.2.1 and 0.11.0.0 to 0.11.0.1, authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka. | ||||
| CVE-2017-12095 | 1 Meetcircle | 1 Circle With Disney Firmware | 2024-11-21 | N/A |
| An exploitable vulnerability exists in the WiFi Access Point feature of Circle with Disney running firmware 2.0.1. A series of WiFi packets can force Circle to setup an Access Point with default credentials. An attacker needs to send a series of spoofed "de-auth" packets to trigger this vulnerability. | ||||
| CVE-2013-5661 | 4 Isc, Nic, Nlnetlabs and 1 more | 4 Bind, Knot Resolver, Nsd and 1 more | 2024-11-21 | 5.9 Medium |
| Cache Poisoning issue exists in DNS Response Rate Limiting. | ||||
| CVE-2012-6639 | 3 Canonical, Debian, Suse | 3 Cloud-init, Debian Linux, Linux Enterprise Server | 2024-11-21 | 8.8 High |
| An privilege elevation vulnerability exists in Cloud-init before 0.7.0 when requests to an untrusted system are submitted for EC2 instance data. | ||||
| CVE-2024-8935 | 1 Schneider-electric | 3 Modicon M340 Bmxp341000, Modicon Mc80 Bmkc8020301, Modicon Momentum Unity M1e Processor | 2024-11-13 | 7.5 High |
| CWE-290: Authentication Bypass by Spoofing vulnerability exists that could cause a denial of service and loss of confidentiality and integrity of controllers when conducting a Man-In-The-Middle attack between the controller and the engineering workstation while a valid user is establishing a communication session. This vulnerability is inherent to Diffie Hellman algorithm which does not protect against Man-In-The-Middle attacks. | ||||
| CVE-2024-45397 | 1 Dena | 1 H2o | 2024-11-12 | 5.9 Medium |
| h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP FastOpen and QUIC to mitigate the issue. | ||||
| CVE-2024-39341 | 2024-11-04 | 5.9 Medium | ||
| Entrust Instant Financial Issuance (On Premise) Software (formerly known as Cardwizard) 6.10.0, 6.9.0, 6.9.1, 6.9.2, and 6.8.x and earlier leaves behind a configuration file (i.e. WebAPI.cfg.xml) after the installation process. This file can be accessed without authentication on HTTP port 80 by guessing the correct IIS webroot path. It includes system configuration parameter names and values with sensitive configuration values encrypted. | ||||
| CVE-2024-10462 | 2 Mozilla, Redhat | 9 Firefox, Firefox Esr, Thunderbird and 6 more | 2024-11-04 | 7.5 High |
| Truncation of a long URL could have allowed origin spoofing in a permission prompt. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. | ||||
| CVE-2024-10465 | 2 Mozilla, Redhat | 9 Firefox, Firefox Esr, Thunderbird and 6 more | 2024-11-04 | 7.5 High |
| A clipboard "paste" button could persist across tabs which allowed a spoofing attack. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. | ||||
| CVE-2024-8901 | 1 Amazon | 1 Aws Alb Route Directive Adapter For Istio | 2024-10-24 | 7.5 High |
| The AWS ALB Route Directive Adapter For Istio repo https://github.com/awslabs/aws-alb-route-directive-adapter-for-istio/tree/master provides an OIDC authentication mechanism that was integrated into the open source Kubeflow project. The adapter uses JWT for authentication, but lacks proper signer and issuer validation. In deployments of ALB that ignore security best practices, where ALB targets are directly exposed to internet traffic, an actor can provide a JWT signed by an untrusted entity in order to spoof OIDC-federated sessions and successfully bypass authentication. The repository/package has been deprecated, is end of life, and is no longer supported. As a security best practice, ensure that your ELB targets (e.g. EC2 Instances, Fargate Tasks etc.) do not have public IP addresses. Ensure any forked or derivative code validate that the signer attribute in the JWT match the ARN of the Application Load Balancer that the service is configured to use. | ||||