Total
186 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-30228 | 1 Siemens | 1 Sicam Gridedge Essential | 2022-06-24 | 4.3 MEDIUM | 6.5 MEDIUM |
A vulnerability has been identified in SICAM GridEdge Essential ARM (All versions < V2.6.6), SICAM GridEdge Essential Intel (All versions < V2.6.6), SICAM GridEdge Essential with GDS ARM (All versions < V2.6.6), SICAM GridEdge Essential with GDS Intel (All versions < V2.6.6). The affected software does not apply cross-origin resource sharing (CORS) restrictions for critical operations. In case an attacker tricks a legitimate user into accessing a special resource a malicious request could be executed. | |||||
CVE-2019-5062 | 1 W1.fi | 1 Hostapd | 2022-06-17 | 3.3 LOW | 6.5 MEDIUM |
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of service. | |||||
CVE-2022-31024 | 1 Nextcloud | 1 Richdocuments | 2022-06-13 | 4.3 MEDIUM | 6.5 MEDIUM |
richdocuments is the repository for NextCloud Collabra, the app for Nextcloud Office collaboration. Prior to versions 6.0.0, 5.0.4, and 4.2.6, a user could be tricked into working against a remote Office by sending them a federated share. richdocuments versions 6.0.0, 5.0.4 and 4.2.6 contain a fix for this issue. There are currently no known workarounds available. | |||||
CVE-2022-25227 | 1 Cybelesoft | 1 Thinfinity Vnc | 2022-06-01 | 6.8 MEDIUM | 8.8 HIGH |
Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE. | |||||
CVE-2022-29818 | 1 Jetbrains | 1 Intellij Idea | 2022-05-05 | 3.6 LOW | 7.1 HIGH |
In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed | |||||
CVE-2020-11868 | 5 Debian, Netapp, Ntp and 2 more | 24 Debian Linux, All Flash Fabric-attached Storage 8300, All Flash Fabric-attached Storage 8300 Firmware and 21 more | 2022-04-26 | 5.0 MEDIUM | 7.5 HIGH |
ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp. | |||||
CVE-2022-0108 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2022-04-18 | 4.3 MEDIUM | 6.5 MEDIUM |
Inappropriate implementation in Navigation in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
CVE-2022-0111 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2022-04-18 | 4.3 MEDIUM | 6.5 MEDIUM |
Inappropriate implementation in Navigation in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to incorrectly set origin via a crafted HTML page. | |||||
CVE-2022-0113 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2022-04-18 | 4.3 MEDIUM | 6.5 MEDIUM |
Inappropriate implementation in Blink in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
CVE-2022-0120 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2022-04-18 | 4.3 MEDIUM | 6.5 MEDIUM |
Inappropriate implementation in Passwords in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially leak cross-origin data via a malicious website. | |||||
CVE-2019-5834 | 4 Debian, Fedoraproject, Google and 1 more | 5 Debian Linux, Fedora, Chrome and 2 more | 2022-04-18 | 4.3 MEDIUM | 6.5 MEDIUM |
Insufficient data validation in Blink in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||||
CVE-2021-32985 | 1 Aveva | 1 System Platform | 2022-04-13 | 6.5 MEDIUM | 7.2 HIGH |
AVEVA System Platform versions 2017 through 2020 R2 P01 does not properly verify that the source of data or communication is valid. | |||||
CVE-2020-24772 | 1 Clash Project | 1 Clash | 2022-03-29 | 6.8 MEDIUM | 8.8 HIGH |
In Dreamacro Clash for Windows v0.11.4, an attacker could embed a malicious iframe in a website with a crafted URL that would launch the Clash Windows client and force it to open a remote SMB share. Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking). | |||||
CVE-2022-22594 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2022-03-28 | 4.3 MEDIUM | 6.5 MEDIUM |
A cross-origin issue in the IndexDB API was addressed with improved input validation. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. A website may be able to track sensitive user information. | |||||
CVE-2021-4024 | 3 Fedoraproject, Podman Project, Redhat | 3 Fedora, Podman, Enterprise Linux | 2022-03-01 | 6.4 MEDIUM | 6.5 MEDIUM |
A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host's services by forwarding all ports to the VM. | |||||
CVE-2021-37966 | 3 Debian, Fedoraproject, Google | 4 Debian Linux, Fedora, Android and 1 more | 2022-02-18 | 4.3 MEDIUM | 4.3 MEDIUM |
Inappropriate implementation in Compositing in Google Chrome on Android prior to 94.0.4606.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
CVE-2022-23032 | 1 F5 | 2 Big-ip Access Policy Manager, Big-ip Access Policy Manager Client | 2022-02-01 | 5.0 MEDIUM | 5.3 MEDIUM |
In all versions before 7.2.1.4, when proxy settings are configured in the network access resource of a BIG-IP APM system, connecting BIG-IP Edge Client on Mac and Windows is vulnerable to a DNS rebinding attack. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
CVE-2021-39063 | 2 Ibm, Linux | 2 Spectrum Protect Plus, Linux Kernel | 2021-12-15 | 6.4 MEDIUM | 9.1 CRITICAL |
IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information due to a misconfiguration in access control headers. IBM X-Force ID: 214956. | |||||
CVE-2021-44935 | 1 Glfusion | 1 Glfusion | 2021-12-15 | 6.4 MEDIUM | 9.1 CRITICAL |
glFusion CMS v1.7.9 is affected by an arbitrary user impersonation vulnerability in /public_html/comment.php. The attacker can complete the attack remotely without interaction. | |||||
CVE-2021-43531 | 1 Mozilla | 1 Firefox | 2021-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked. If the Web Extension lacked the WebRequest permission for the hosts involved in the redirect, this would be a same-origin-violation leaking data the Web Extension should have access to. This was fixed to provide the pre-redirect URL. This is related to CVE-2021-43532 but in the context of Web Extensions. This vulnerability affects Firefox < 94. |