Total
261 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-12406 | 2 Canonical, Mozilla | 4 Ubuntu Linux, Firefox, Firefox Esr and 1 more | 2023-01-27 | 9.3 HIGH | 8.8 HIGH |
Mozilla Developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. | |||||
CVE-2022-46370 | 1 Maxum | 1 Rumpus | 2023-01-20 | N/A | 7.5 HIGH |
Rumpus - FTP server version 9.0.7.1 Improper Token Verification– vulnerability may allow bypassing identity verification. | |||||
CVE-2021-26396 | 1 Amd | 48 Epyc 7003, Epyc 7003 Firmware, Epyc 72f3 and 45 more | 2023-01-18 | N/A | 4.4 MEDIUM |
Insufficient validation of address mapping to IO in ASP (AMD Secure Processor) may result in a loss of memory integrity in the SNP guest. | |||||
CVE-2020-9885 | 1 Apple | 5 Ipados, Iphone Os, Mac Os X and 2 more | 2023-01-09 | 4.3 MEDIUM | 5.5 MEDIUM |
An issue existed in the handling of iMessage tapbacks. The issue was resolved with additional verification. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8. A user that is removed from an iMessage group could rejoin the group. | |||||
CVE-2022-3347 | 1 Go-resolver Project | 1 Go-resolver | 2023-01-06 | N/A | 7.5 HIGH |
DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. Root DNSSEC public keys are not validated, permitting an attacker to present a self-signed root key and delegation chain. | |||||
CVE-2022-3346 | 1 Go-resolver Project | 1 Go-resolver | 2023-01-06 | N/A | 6.5 MEDIUM |
DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain in a response for any other domain. | |||||
CVE-2021-22947 | 7 Apple, Debian, Fedoraproject and 4 more | 33 Macos, Debian Linux, Fedora and 30 more | 2023-01-05 | 4.3 MEDIUM | 5.9 MEDIUM |
When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server. | |||||
CVE-2022-30260 | 1 Emerson | 48 Deltav Distributed Control System Sq Controller, Deltav Distributed Control System Sq Controller Firmware, Deltav Distributed Control System Sx Controller and 45 more | 2023-01-05 | N/A | 7.8 HIGH |
Emerson DeltaV Distributed Control System (DCS) has insufficient verification of firmware integrity (an inadequate checksum approach, and no signature). This affects versions before 14.3 of DeltaV M-series, DeltaV S-series, DeltaV P-series, DeltaV SIS, and DeltaV CIOC/EIOC/WIOC IO cards. | |||||
CVE-2022-23556 | 1 Codeigniter | 1 Codeigniter | 2022-12-29 | N/A | 7.5 HIGH |
CodeIgniter is a PHP full-stack web framework. This vulnerability may allow attackers to spoof their IP address when the server is behind a reverse proxy. This issue has been patched, please upgrade to version 4.2.11 or later, and configure `Config\App::$proxyIPs`. As a workaround, do not use `$request->getIPAddress()`. | |||||
CVE-2022-23491 | 1 Certifi Project | 1 Certifi | 2022-12-23 | N/A | 7.5 HIGH |
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion. | |||||
CVE-2022-41961 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-12-20 | N/A | 4.3 MEDIUM |
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered users from the same extId. This issue has been fixed by improving permissions such that banning a user removes all users related to their extId, including registered users that have not joined the meeting. This issue is patched in versions 2.4-rc-6 and 2.5-alpha-1. There are no workarounds. | |||||
CVE-2022-41960 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-12-20 | N/A | 4.3 MEDIUM |
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds. | |||||
CVE-2022-37928 | 1 Hpe | 18 Hf20, Hf20 Firmware, Hf20c and 15 more | 2022-12-14 | N/A | 6.5 MEDIUM |
Insufficient Verification of Data Authenticity vulnerability in Hewlett Packard Enterprise HPE Nimble Storage Hybrid Flash Arrays and Nimble Storage Secondary Flash Arrays. | |||||
CVE-2021-36751 | 1 Encsecurity | 1 Datavault | 2022-12-13 | 6.4 MEDIUM | 4.2 MEDIUM |
ENC DataVault 7.2.3 and before, and OEM versions, use an encryption algorithm that is vulnerable to data manipulation (without knowledge of the key). This is called ciphertext malleability. There is no data integrity mechanism to detect this manipulation. | |||||
CVE-2022-39909 | 1 Samsung | 1 Gear Iconx Pc Manager | 2022-12-12 | N/A | 5.5 MEDIUM |
Insufficient verification of data authenticity vulnerability in Samsung Gear IconX PC Manager prior to version 2.1.221019.51 allows local attackers to create arbitrary file using symbolic link. | |||||
CVE-2022-41156 | 2 Etm-s, Microsoft | 2 Ondiskplayeragent, Windows | 2022-12-01 | N/A | 7.8 HIGH |
Remote code execution vulnerability due to insufficient verification of URLs, etc. in OndiskPlayerAgent. A remote attacker could exploit the vulnerability to cause remote code execution by causing an arbitrary user to download and execute malicious code. | |||||
CVE-2022-31877 | 1 Msi | 1 Center | 2022-11-29 | N/A | 8.8 HIGH |
An issue in the component MSI.TerminalServer.exe of MSI Center v1.0.41.0 allows attackers to escalate privileges via a crafted TCP packet. | |||||
CVE-2022-36111 | 1 Codenotary | 1 Immudb | 2022-11-26 | N/A | 5.3 MEDIUM |
immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1. | |||||
CVE-2022-39199 | 1 Codenotary | 1 Immudb | 2022-11-25 | N/A | 5.9 MEDIUM |
immudb is a database with built-in cryptographic proof and verification. immudb client SDKs use server's UUID to distinguish between different server instance so that the client can connect to different immudb instances and keep the state for multiple servers. SDK does not validate this uuid and can accept any value reported by the server. A malicious server can change the reported UUID tricking the client to treat it as a different server thus accepting a state completely irrelevant to the one previously retrieved from the server. This issue has been patched in version 1.4.1. As a workaround, when initializing an immudb client object a custom state handler can be used to store the state. Providing custom implementation that ignores the server UUID can be used to ensure that even if the server changes the UUID, client will still consider it to be the same server. | |||||
CVE-2022-3703 | 1 Etictelecom | 1 Remote Access Server | 2022-11-16 | N/A | 10.0 CRITICAL |
All versions of ETIC Telecom Remote Access Server (RAS) 4.5.0 and prior’s web portal is vulnerable to accepting malicious firmware packages that could provide a backdoor to an attacker and provide privilege escalation to the device. |