Total
2470 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2010-2057 | 1 Apache | 1 Myfaces | 2010-11-18 | 5.0 MEDIUM | N/A |
| shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack. | |||||
| CVE-2010-3869 | 1 Redhat | 2 Certificate System, Dogtag Certificate System | 2010-11-17 | 4.0 MEDIUM | N/A |
| Red Hat Certificate System (RHCS) 7.3 and 8 and Dogtag Certificate System allow remote authenticated users to generate an arbitrary number of certificates by replaying a single SCEP one-time PIN. | |||||
| CVE-2010-4214 | 2 Google, Wellsfargo | 2 Android, Wells Fargo Mobile | 2010-11-08 | 4.3 MEDIUM | N/A |
| The Wells Fargo Mobile application 1.1 for Android stores a username and password, along with account balances, in cleartext, which might allow physically proximate attackers to obtain sensitive information by reading application data. | |||||
| CVE-2010-4213 | 2 Bankofamerica, Google | 2 Bank Of America, Android | 2010-11-08 | 4.3 MEDIUM | N/A |
| The Bank of America application 2.12 for Android stores a security question's answer in cleartext, which might allow physically proximate attackers to obtain sensitive information by reading application data. | |||||
| CVE-2009-5014 | 1 Turbogears | 1 Turbogears2 | 2010-11-08 | 7.5 HIGH | N/A |
| The default quickstart configuration of TurboGears2 (aka tg2) before 2.0.2 has a weak cookie salt, which makes it easier for remote attackers to bypass repoze.who authentication via a forged authorization cookie, a related issue to CVE-2010-3852. | |||||
| CVE-2010-4007 | 1 Oracle | 1 Mojarra | 2010-10-20 | 5.0 MEDIUM | N/A |
| Oracle Mojarra uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack, a related issue to CVE-2010-2057. | |||||
| CVE-2010-3075 | 1 Arg0 | 1 Encfs | 2010-09-19 | 5.0 MEDIUM | N/A |
| EncFS before 1.7.0 encrypts multiple blocks by means of the CFB cipher mode with the same initialization vector, which makes it easier for local users to obtain sensitive information via calculations involving recovery of XORed data, as demonstrated by an attack on encrypted data in which the last block contains only one byte. | |||||
| CVE-2010-2757 | 1 Mozilla | 1 Bugzilla | 2010-09-07 | 6.5 MEDIUM | N/A |
| The sudo feature in Bugzilla 2.22rc1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2 does not properly send impersonation notifications, which makes it easier for remote authenticated users to impersonate other users without discovery. | |||||
| CVE-2010-2978 | 1 Cisco | 1 Unified Wireless Network Solution Software | 2010-08-10 | 10.0 HIGH | N/A |
| Cisco Unified Wireless Network (UWN) Solution 7.x before 7.0.98.0 does not use an adequate message-digest algorithm for a self-signed certificate, which allows remote attackers to bypass intended access restrictions via vectors involving collisions, aka Bug ID CSCtd67660. | |||||
| CVE-2010-2967 | 1 Windriver | 1 Vxworks | 2010-08-05 | 7.8 HIGH | N/A |
| The loginDefaultEncrypt algorithm in loginLib in Wind River VxWorks before 6.9 does not properly support a large set of distinct possible passwords, which makes it easier for remote attackers to obtain access via a (1) telnet, (2) rlogin, or (3) FTP session. | |||||
| CVE-2010-0525 | 1 Apple | 2 Mac Os X, Mac Os X Server | 2010-06-20 | 5.0 MEDIUM | N/A |
| Mail in Apple Mac OS X before 10.6.3 does not properly enforce the key usage extension during processing of a keychain that specifies multiple certificates for an e-mail recipient, which might make it easier for remote attackers to obtain sensitive information via a brute-force attack on a weakly encrypted e-mail message. | |||||
| CVE-2010-1377 | 1 Apple | 2 Mac Os X, Mac Os X Server | 2010-06-17 | 9.3 HIGH | N/A |
| Open Directory in Apple Mac OS X 10.6 before 10.6.4 creates an unencrypted connection upon certain SSL failures, which allows man-in-the-middle attackers to spoof arbitrary network account servers, and possibly execute arbitrary code, via unspecified vectors. | |||||
| CVE-2010-2270 | 1 Accoria | 1 Rock Web Server | 2010-06-16 | 7.5 HIGH | N/A |
| Accoria Web Server (aka Rock Web Server) 1.4.7 uses a predictable httpmod-sessionid cookie, which makes it easier for remote attackers to hijack sessions via a modified cookie. | |||||
| CVE-2010-2011 | 1 Microsoft | 1 Dynamics Gp | 2010-05-23 | 4.0 MEDIUM | N/A |
| Microsoft Dynamics GP uses a substitution cipher to encrypt the system password field and unspecified other fields, which makes it easier for remote authenticated users to obtain sensitive information by decrypting a field's contents. | |||||
| CVE-2010-1192 | 1 Stafford.uklinux | 1 Libesmtp | 2010-05-21 | 6.8 MEDIUM | N/A |
| libESMTP, probably 1.0.4 and earlier, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | |||||
| CVE-2010-1194 | 1 Stafford.uklinux | 1 Libesmtp | 2010-05-21 | 6.8 MEDIUM | N/A |
| The match_component function in smtp-tls.c in libESMTP 1.0.3.r1, and possibly other versions including 1.0.4, treats two strings as equal if one is a substring of the other, which allows remote attackers to spoof trusted certificates via a crafted subjectAltName. | |||||
| CVE-2010-1568 | 1 Cisco | 1 Ironport Desktop Flag Plugin For Outlook | 2010-05-16 | 5.0 MEDIUM | N/A |
| The Send Secure functionality in the Cisco IronPort Desktop Flag Plug-in for Outlook before 6.5.0-006 does not properly handle simultaneously composed messages, which might allow remote attackers to obtain cleartext contents of e-mail messages that were intended to be encrypted, aka bug 65623. | |||||
| CVE-2009-3942 | 1 Martin Lambers | 1 Msmtp | 2010-01-27 | 6.4 MEDIUM | N/A |
| Martin Lambers msmtp before 1.4.19, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | |||||
| CVE-2010-0228 | 1 Verbatim | 1 Corporate Secure | 2010-01-07 | 4.6 MEDIUM | N/A |
| Verbatim Corporate Secure and Corporate Secure FIPS Edition USB flash drives use a fixed 256-bit key for obtaining access to the cleartext drive contents, which makes it easier for physically proximate attackers to read or modify data by determining and providing this key. | |||||
| CVE-2009-4295 | 1 Sun | 1 Ray Server Software | 2009-12-13 | 7.8 HIGH | N/A |
| Sun Ray Server Software 4.0 and 4.1 does not generate a unique DSA private key for the firmware on each Sun Ray 1, 1g, 100, and 150 DTU device, which makes it easier for remote attackers to obtain sensitive information by predicting a key and then using it to decrypt sniffed network traffic. | |||||