Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-346
Total 186 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-21164 4 Apple, Debian, Fedoraproject and 1 more 4 Iphone Os, Debian Linux, Fedora and 1 more 2021-12-03 4.3 MEDIUM 6.5 MEDIUM
Insufficient data validation in Chrome on iOS in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2021-21163 4 Apple, Debian, Fedoraproject and 1 more 4 Iphone Os, Debian Linux, Fedora and 1 more 2021-12-03 4.3 MEDIUM 6.5 MEDIUM
Insufficient data validation in Reader Mode in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page and a malicious server.
CVE-2021-21175 3 Debian, Fedoraproject, Google 3 Debian Linux, Fedora, Chrome 2021-12-03 4.3 MEDIUM 6.5 MEDIUM
Inappropriate implementation in Site isolation in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2021-21184 3 Debian, Fedoraproject, Google 3 Debian Linux, Fedora, Chrome 2021-12-03 4.3 MEDIUM 4.3 MEDIUM
Inappropriate implementation in performance APIs in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2021-21183 3 Debian, Fedoraproject, Google 3 Debian Linux, Fedora, Chrome 2021-12-03 4.3 MEDIUM 4.3 MEDIUM
Inappropriate implementation in performance APIs in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2021-30596 2 Fedoraproject, Google 3 Fedora, Android, Chrome 2021-11-30 4.3 MEDIUM 4.3 MEDIUM
Incorrect security UI in Navigation in Google Chrome on Android prior to 92.0.4515.131 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
CVE-2019-8069 5 Adobe, Apple, Google and 2 more 8 Flash Player, Flash Player Desktop Runtime, Macos and 5 more 2021-11-22 10.0 HIGH 9.8 CRITICAL
Adobe Flash Player 32.0.0.238 and earlier versions, 32.0.0.207 and earlier versions have a Same Origin Method Execution vulnerability. Successful exploitation could lead to Arbitrary Code Execution in the context of the current user.
CVE-2021-38497 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2021-11-04 4.3 MEDIUM 6.5 MEDIUM
Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2.
CVE-2020-27969 1 Yandex 1 Yandex Browser 2021-09-22 7.5 HIGH 7.3 HIGH
Yandex Browser for Android 20.8.4 allows remote attackers to perform SOP bypass and addresss bar spoofing
CVE-2021-39185 1 Typelevel 1 Http4s 2021-09-14 6.4 MEDIUM 9.1 CRITICAL
Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null Origin Attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original `CORS` implementation and `CORSConfig` are deprecated. See the GitHub GHSA for more information, including code examples and workarounds.
CVE-2021-39270 1 Pingidentity 1 Rsa Securid Integration Kit 2021-08-26 5.0 MEDIUM 7.5 HIGH
In Ping Identity RSA SecurID Integration Kit before 3.2, user impersonation can occur.
CVE-2021-23986 1 Mozilla 1 Firefox 2021-08-06 4.3 MEDIUM 6.5 MEDIUM
A malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL. The response to this cross-origin request could have been read by the extension, allowing a same-origin policy bypass by the extension, which should not have cross-origin permissions. This cross-origin request was made without cookies, so the sensitive information disclosed by the violation was limited to local-network resources or resources that perform IP-based authentication. This vulnerability affects Firefox < 87.
CVE-2020-0647 1 Microsoft 1 Office Online Server 2021-07-21 5.8 MEDIUM 5.4 MEDIUM
A spoofing vulnerability exists when Office Online does not validate origin in cross-origin communications correctly, aka 'Microsoft Office Online Spoofing Vulnerability'.
CVE-2020-0695 1 Microsoft 1 Office Online Server 2021-07-21 5.8 MEDIUM 5.4 MEDIUM
A spoofing vulnerability exists when Office Online Server does not validate origin in cross-origin communications correctly, aka 'Microsoft Office Online Server Spoofing Vulnerability'.
CVE-2019-5773 4 Debian, Fedoraproject, Google and 1 more 6 Debian Linux, Fedora, Chrome and 3 more 2021-07-21 4.3 MEDIUM 6.5 MEDIUM
Insufficient origin validation in IndexedDB in Google Chrome prior to 72.0.3626.81 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page.
CVE-2019-5227 1 Huawei 8 Hisuite, Hisuite Firmware, Mate 20 and 5 more 2021-07-21 4.3 MEDIUM 5.5 MEDIUM
P30, P30 Pro, Mate 20 smartphones with software of versions earlier than ELLE-AL00B 9.1.0.193(C00E190R2P1), versions earlier than VOGUE-AL00A 9.1.0.193(C00E190R2P1), versions earlier than Hima-AL00B 9.1.0.135(C00E133R2P1) and HiSuite with versions earlier than HiSuite 9.1.0.305 have a version downgrade vulnerability. The device and HiSuite software do not validate the upgrade package sufficiently, so that the system of smartphone can be downgraded to an older version.
CVE-2019-5226 1 Huawei 8 Hisuite, Hisuite Firmware, Mate 20 and 5 more 2021-07-21 4.3 MEDIUM 5.5 MEDIUM
P30, P30 Pro, Mate 20 smartphones with software of versions earlier than ELLE-AL00B 9.1.0.193(C00E190R2P1), versions earlier than VOGUE-AL00A 9.1.0.193(C00E190R2P1), versions earlier than Hima-AL00B 9.1.0.135(C00E133R2P1) and HiSuite with versions earlier than HiSuite 9.1.0.305 have a version downgrade vulnerability. The device and HiSuite software do not validate the upgrade package sufficiently, so that the system of smartphone can be downgraded to an older version.
CVE-2019-4640 2 Ibm, Microsoft 2 Security Secret Server, Windows 2021-07-21 7.5 HIGH 9.8 CRITICAL
IBM Security Secret Server 10.7 processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code which could result in an attacker executing malicious code. IBM X-Force ID: 170046.
CVE-2019-3980 1 Solarwinds 1 Dameware Mini Remote Control 2021-07-21 10.0 HIGH 9.8 CRITICAL
The Solarwinds Dameware Mini Remote Client agent v12.1.0.89 supports smart card authentication which can allow a user to upload an executable to be executed on the DWRCS.exe host. An unauthenticated, remote attacker can request smart card login and upload and execute an arbitrary executable run under the Local System account.
CVE-2019-20329 1 Openlambda Project 1 Openlambda 2021-07-21 5.8 MEDIUM 8.1 HIGH
OpenLambda 2019-09-10 allows DNS rebinding attacks against the OL server for the REST API on TCP port 5000.