Total
261 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-27979 | 2023-03-21 | N/A | N/A | ||
A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could allow the renaming of files in the IGSS project report directory, this could lead to denial of service when an attacker sends specific crafted messages to the Data Server TCP port. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior). | |||||
CVE-2023-27977 | 2023-03-21 | N/A | N/A | ||
A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause access to delete files in the IGSS project report directory, this could lead to loss of data when an attacker sends specific crafted messages to the Data Server TCP port. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior). | |||||
CVE-2023-27982 | 2023-03-21 | N/A | N/A | ||
A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause manipulation of dashboard files in the IGSS project report directory, when an attacker sends specific crafted messages to the Data Server TCP port, this could lead to remote code execution when a victim eventually opens a malicious dashboard file. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior). | |||||
CVE-2023-0350 | 1 Akuvox | 2 E11, E11 Firmware | 2023-03-16 | N/A | 6.5 MEDIUM |
Akuvox E11 does not ensure that a file extension is associated with the file provided. This could allow an attacker to upload a file to the device by changing the extension of a malicious file to an accepted file type. | |||||
CVE-2017-20180 | 1 Zerocoin | 1 Libzerocoin | 2023-03-10 | N/A | 7.5 HIGH |
A vulnerability classified as critical has been found in Zerocoin libzerocoin. Affected is the function CoinSpend::CoinSpend of the file CoinSpend.cpp of the component Proof Handler. The manipulation leads to insufficient verification of data authenticity. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The name of the patch is ce103a09ec079d0a0ed95475992348bed6e860de. It is recommended to apply a patch to fix this issue. VDB-222318 is the identifier assigned to this vulnerability. | |||||
CVE-2023-26481 | 1 Goauthentik | 1 Authentik | 2023-03-09 | N/A | 6.5 MEDIUM |
authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin (or sent via email by an admin) can be used to set the password for any arbitrary user. This attack is only possible if a recovery flow exists, which has both an Identification and an Email stage bound to it. If the flow has policies on the identification stage to skip it when the flow is restored (by checking `request.context['is_restored']`), the flow is not affected by this. With this flow in place, an administrator must create a recovery Link or send a recovery URL to the attacker, who can, due to the improper validation of the token create, set the password for any account. Regardless, for custom recovery flows it is recommended to add a policy that checks if the flow is restored, and skips the identification stage. This issue has been fixed in versions 2023.2.3, 2023.1.3 and 2022.12.2. | |||||
CVE-2019-6695 | 1 Fortinet | 1 Fortimanager | 2023-03-01 | 10.0 HIGH | 9.8 CRITICAL |
Lack of root file system integrity checking in Fortinet FortiManager VM application images of 6.2.0, 6.0.6 and below may allow an attacker to implant third-party programs by recreating the image through specific methods. | |||||
CVE-2015-2908 | 1 Mobile Devices | 1 C4 Obd-ii Dongle Firmware | 2023-03-01 | 9.0 HIGH | N/A |
Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server. | |||||
CVE-2022-26579 | 1 Paxtechnology | 2 A930, Paydroid | 2023-02-28 | N/A | 6.0 MEDIUM |
PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow a root privileged attacker to install unsigned packages. The attacker must have shell access to the device and gain root privileges in order to exploit this vulnerability. | |||||
CVE-2019-12804 | 1 Hunesion | 1 I-onenet | 2023-02-28 | 4.3 MEDIUM | 5.5 MEDIUM |
In Hunesion i-oneNet version 3.0.7 ~ 3.0.53 and 4.0.4 ~ 4.0.16, due to the lack of update file integrity checking in the upgrade process, an attacker can craft malicious file and use it as an update. | |||||
CVE-2023-21441 | 1 Samsung | 1 Android | 2023-02-21 | N/A | 5.5 MEDIUM |
Insufficient Verification of Data Authenticity vulnerability in Routine prior to versions 2.6.30.6 in Android Q(10), 3.1.21.10 in Android R(11) and 3.5.2.23 in Android S(12) allows local attacker to access protected files via unused code. | |||||
CVE-2013-2167 | 3 Debian, Openstack, Redhat | 3 Debian Linux, Python-keystoneclient, Openstack | 2023-02-12 | 7.5 HIGH | 9.8 CRITICAL |
python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache signing bypass | |||||
CVE-2015-0259 | 1 Openstack | 1 Nova | 2023-02-12 | 5.1 MEDIUM | N/A |
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage. | |||||
CVE-2014-8165 | 1 Powerpc-utils Project | 1 Powerpc-utils | 2023-02-12 | 10.0 HIGH | N/A |
scripts/amsvis/powerpcAMS/amsnet.py in powerpc-utils-python uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object. | |||||
CVE-2019-10181 | 3 Debian, Icedtea-web Project, Opensuse | 3 Debian Linux, Icedtea-web, Leap | 2023-02-12 | 6.8 MEDIUM | 8.1 HIGH |
It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox. | |||||
CVE-2017-2667 | 1 Theforeman | 1 Hammer Cli | 2023-02-12 | 6.8 MEDIUM | 8.1 HIGH |
Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not explicitly set the verify_ssl flag for apipie-bindings that disable it by default. As a result the server certificates are not checked and connections are prone to man-in-the-middle attacks. | |||||
CVE-2021-20271 | 4 Fedoraproject, Redhat, Rpm and 1 more | 4 Fedora, Enterprise Linux, Rpm and 1 more | 2023-02-12 | 5.1 MEDIUM | 7.0 HIGH |
A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability. | |||||
CVE-2020-6090 | 1 Wago | 2 Pfc200, Pfc200 Firmware | 2023-02-07 | 9.0 HIGH | 7.2 HIGH |
An exploitable code execution vulnerability exists in the Web-Based Management (WBM) functionality of WAGO PFC 200 03.03.10(15). A specially crafted series of HTTP requests can cause code execution resulting in remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
CVE-2023-22315 | 1 Snapav | 2 Wattbox Wb-300-ip-3, Wattbox Wb-300-ip-3 Firmware | 2023-02-06 | N/A | 7.8 HIGH |
Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior use a proprietary local area network (LAN) protocol that does not verify updates to the device. An attacker could upload a malformed update file to the device and execute arbitrary code. | |||||
CVE-2021-40491 | 2 Debian, Gnu | 2 Debian Linux, Inetutils | 2023-02-03 | 4.3 MEDIUM | 6.5 MEDIUM |
The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address. This is similar to CVE-2020-8284 for curl. |