Total
335 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-20113 | 1 Tecnick | 1 Tcexam | 2021-08-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| An exposure of sensitive information vulnerability exists in TCExam <= 14.8.1. If a password reset request was made for an email address that was not registered with a user then we would be presented with an ‘unknown email’ error. If an email is given that is registered with a user then this error will not appear. A malicious actor could abuse this to enumerate the email addresses of | |||||
| CVE-2019-1563 | 1 Openssl | 1 Openssl | 2021-07-31 | 4.3 MEDIUM | 3.7 LOW |
| In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). | |||||
| CVE-2021-24116 | 1 Wolfssl | 1 Wolfssl | 2021-07-22 | 4.0 MEDIUM | 4.9 MEDIUM |
| In wolfSSL through 4.6.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX. | |||||
| CVE-2020-24008 | 1 Umanni | 1 Human Resources | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Umanni RH 1.0 has a user enumeration vulnerability. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users. | |||||
| CVE-2020-27026 | 1 Google | 1 Android | 2021-07-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| During boot, the device unlock interface behaves differently depending on if a fingerprint registered to the device is present. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-79776455 | |||||
| CVE-2020-15392 | 1 Venki | 1 Supravizio Bpm | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A user enumeration vulnerability flaw was found in Venki Supravizio BPM 10.1.2. This issue occurs during password recovery, where a difference in error messages could allow an attacker to determine if a username is valid or not, enabling a brute-force attack with valid usernames. | |||||
| CVE-2020-5929 | 1 F5 | 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 11 more | 2021-07-21 | 2.6 LOW | 5.9 MEDIUM |
| In versions 13.0.0-13.0.0 HF2, 12.1.0-12.1.2 HF1, and 11.6.1-11.6.2, BIG-IP platforms with Cavium Nitrox SSL hardware acceleration cards, a Virtual Server configured with a Client SSL profile, and using Anonymous (ADH) or Ephemeral (DHE) Diffie-Hellman key exchange and Single DH use option not enabled in the options list may be vulnerable to crafted SSL/TLS Handshakes that may result with a PMS (Pre-Master Secret) that starts in a 0 byte and may lead to a recovery of plaintext messages as BIG-IP TLS/SSL ADH/DHE sends different error messages acting as an oracle. Similar error messages when PMS starts with 0 byte coupled with very precise timing measurement observation may also expose this vulnerability. | |||||
| CVE-2020-6473 | 4 Debian, Fedoraproject, Google and 1 more | 5 Debian Linux, Fedora, Chrome and 2 more | 2021-07-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in Blink in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||||
| CVE-2020-1459 | 1 Microsoft | 1 Windows 10 | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| An information disclosure vulnerability exists on ARM implementations that use speculative execution in control flow via a side-channel analysis, aka "straight-line speculation, aka 'Windows ARM Information Disclosure Vulnerability'. | |||||
| CVE-2020-7959 | 1 Labvantage | 1 Labvantage | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| LabVantage LIMS 8.3 does not properly maintain the confidentiality of database names. For example, the web application exposes the database name. An attacker might be able to enumerate database names by providing his own database name in a request, because the response will return an 'Unrecognized Database exception message if the database does not exist. | |||||
| CVE-2020-7962 | 1 Oneidentity | 1 Password Manager | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in One Identity Password Manager 5.8. An attacker could enumerate valid answers for a user. It is possible for an attacker to detect a valid answer based on the HTTP response content, and reuse this answer later for a password reset on a chosen password. The enumeration is possible because, within the HTTP response content, WRONG ID is only returned when the answer is incorrect. | |||||
| CVE-2020-8695 | 3 Debian, Fedoraproject, Intel | 600 Debian Linux, Fedora, Celeron 3855u and 597 more | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| Observable discrepancy in the RAPL interface for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access. | |||||
| CVE-2020-11735 | 1 Wolfssl | 1 Wolfssl | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The private-key operations in ecc.c in wolfSSL before 4.4.0 do not use a constant-time modular inverse when mapping to affine coordinates, aka a "projective coordinates leak." | |||||
| CVE-2020-11287 | 1 Qualcomm | 329 Aqt1000, Ar8031, Ar8035 and 326 more | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| Allowing RTT frames to be linked with non randomized MAC address by comparing the sequence numbers can lead to information disclosure. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | |||||
| CVE-2019-9472 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| In DCRYPTO_equals of compare.c, there is a possible timing attack due to improperly used crypto. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-130237611 | |||||
| CVE-2019-20399 | 1 Parity | 1 Libsecp256k1 | 2021-07-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack. | |||||
| CVE-2019-19805 | 1 Mfscripts | 1 Yetishare | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| _account_forgot_password.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 takes a different amount of time to return depending on whether an email address is configured for the account name provided. This can be used by an attacker to enumerate accounts by guessing email addresses. | |||||
| CVE-2019-18886 | 1 Sensiolabs | 1 Symfony | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security. | |||||
| CVE-2019-18850 | 1 Trustedsec | 1 Trevorc2 | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| TrevorC2 v1.1/v1.2 fails to prevent fingerprinting primarily via a discrepancy between response headers when responding to different HTTP methods, also via predictible responses when accessing and interacting with the "SITE_PATH_QUERY". | |||||
| CVE-2019-18673 | 1 Shiftcrypto | 1 Bitbox02 | 2021-07-21 | 1.9 LOW | 4.6 MEDIUM |
| On SHIFT BitBox02 devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN and BIP39 mnemonic. Note: BIP39 secrets are not displayed by default on this device. The side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data. | |||||