Search
Total
63 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-3511 | 1 Gitlab | 1 Gitlab | 2023-12-19 | N/A | 3.5 LOW |
| An issue has been discovered in GitLab EE affecting all versions starting from 8.17 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible for auditor users to fork and submit merge requests to private projects they're not a member of. | |||||
| CVE-2023-42577 | 1 Samsung | 2 Android, Samsung Voice Recorder | 2023-12-11 | N/A | 2.4 LOW |
| Improper Access Control in Samsung Voice Recorder prior to versions 21.4.15.01 in Android 12 and Android 13, 21.4.50.17 in Android 14 allows physical attackers to access Voice Recorder information on the lock screen. | |||||
| CVE-2023-42570 | 1 Samsung | 1 Android | 2023-12-11 | N/A | 3.3 LOW |
| Improper access control vulnerability in KnoxCustomManagerService prior to SMR Dec-2023 Release 1 allows attacker to access device SIM PIN. | |||||
| CVE-2023-6467 | 1 Thecosy | 1 Icecms | 2023-12-06 | N/A | 3.7 LOW |
| A vulnerability was found in Thecosy IceCMS 2.0.1. It has been rated as problematic. This issue affects some unknown processing of the file /Websquare/likeClickComment/ of the component Comment Like Handler. The manipulation leads to improper enforcement of a single, unique action. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-246617 was assigned to this vulnerability. | |||||
| CVE-2023-43089 | 1 Dell | 1 Rugged Control Center | 2023-12-06 | N/A | 3.3 LOW |
| Dell Rugged Control Center, version prior to 4.7, contains insufficient protection for the Policy folder. A local malicious standard user could potentially exploit this vulnerability to modify the content of the policy file, leading to unauthorized access to resources. | |||||
| CVE-2023-48303 | 1 Nextcloud | 1 Nextcloud Server | 2023-11-30 | N/A | 2.7 LOW |
| Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and Nextcloud Enterprise Server, admins can change authentication details of user configured external storage. Nextcloud Server and Nextcloud Enterprise Server versions 25.0.11, 26.0.6, and 27.1.0 contain a patch for this issue. No known workarounds are available. | |||||
| CVE-2023-42542 | 1 Samsung | 1 Push Service | 2023-11-14 | N/A | 3.3 LOW |
| Improper access control vulnerability in Samsung Push Service prior to 3.4.10 allows local attackers to get register ID to identify the device. | |||||
| CVE-2022-1783 | 1 Gitlab | 1 Gitlab | 2023-08-08 | 4.0 MEDIUM | 2.7 LOW |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for malicious group maintainers to add new members to a project within their group, through the REST API, even after their group owner enabled a setting to prevent members from being added to projects within that group. | |||||
| CVE-2022-2456 | 1 Gitlab | 1 Gitlab | 2023-08-08 | N/A | 2.7 LOW |
| An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for malicious group or project maintainers to change their corresponding group or project visibility by crafting a malicious POST request. | |||||
| CVE-2022-1111 | 1 Gitlab | 1 Gitlab | 2023-08-08 | 3.5 LOW | 2.7 LOW |
| A business logic error in Project Import in GitLab CE/EE versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.0 prior to 14.7.7 under certain conditions caused imported projects to show an incorrect user in the 'Access Granted' column in the project membership pages | |||||
| CVE-2022-26703 | 1 Apple | 2 Ipados, Iphone Os | 2023-08-08 | 2.1 LOW | 2.4 LOW |
| An authorization issue was addressed with improved state management. This issue is fixed in iOS 15.5 and iPadOS 15.5. A person with physical access to an iOS device may be able to access photos from the lock screen. | |||||
| CVE-2021-23188 | 1 Intel | 36 Dual Band Wireless-ac 3165, Dual Band Wireless-ac 3165 Firmware, Dual Band Wireless-ac 3168 and 33 more | 2023-08-08 | N/A | 3.3 LOW |
| Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow an authenticated user to potentially enable information disclosure via local access. | |||||
| CVE-2023-3674 | 2 Fedoraproject, Keylime | 2 Fedora, Keylime | 2023-07-28 | N/A | 2.8 LOW |
| A flaw was found in the keylime attestation verifier, which fails to flag a device's submitted TPM quote as faulty when the quote's signature does not validate for some reason. Instead, it will only emit an error in the log without flagging the device as untrusted. | |||||
| CVE-2021-25403 | 2 Google, Samsung | 2 Android, Account | 2022-07-30 | 2.1 LOW | 3.3 LOW |
| Intent redirection vulnerability in Samsung Account prior to version 10.8.0.4 in Android P(9.0) and below, and 12.2.0.9 in Android Q(10.0) and above allows attacker to access contacts and file provider using SettingWebView component. | |||||
| CVE-2021-25439 | 2 Google, Samsung | 2 Android, Members | 2022-07-25 | 2.1 LOW | 3.3 LOW |
| Improper access control vulnerability in Samsung Members prior to versions 2.4.85.11 in Android O(8.1) and below, and 3.9.10.11 in Android P(9.0) and above allows untrusted applications to cause arbitrary webpage loading in webview. | |||||
| CVE-2021-25501 | 1 Google | 1 Android | 2022-07-14 | 2.1 LOW | 3.3 LOW |
| An improper access control vulnerability in SCloudBnRReceiver in SecTelephonyProvider prior to SMR Nov-2021 Release 1 allows untrusted application to call some protected providers. | |||||
| CVE-2021-25336 | 1 Google | 1 Android | 2022-07-14 | 4.3 MEDIUM | 3.3 LOW |
| Improper access control in NotificationManagerService in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows untrusted applications to acquire notification access via sending a crafted malicious intent. | |||||
| CVE-2021-35465 | 1 Arm | 8 China Star-mc1, China Star-mc1 Firmware, Cortex-m33 and 5 more | 2022-07-12 | 3.6 LOW | 3.4 LOW |
| Certain Arm products before 2021-08-23 do not properly consider the effect of exceptions on a VLLDM instruction. A Non-secure handler may have read or write access to part of a Secure context. This affects Arm Cortex-M33 r0p0 through r1p0, Arm Cortex-M35P r0, Arm Cortex-M55 r0p0 through r1p0, and Arm China STAR-MC1 (in the STAR SE configuration). | |||||
| CVE-2021-25755 | 1 Jetbrains | 1 Code With Me | 2022-07-12 | 1.9 LOW | 2.5 LOW |
| In JetBrains Code With Me before 2020.3, an attacker on the local network, knowing a session ID, could get access to the encrypted traffic. | |||||
| CVE-2021-30816 | 1 Apple | 2 Ipados, Iphone Os | 2022-07-12 | 2.1 LOW | 2.4 LOW |
| The issue was addressed with improved permissions logic. This issue is fixed in iOS 15 and iPadOS 15. An attacker with physical access to a device may be able to see private contact information. | |||||
| CVE-2020-24586 | 5 Arista, Debian, Ieee and 2 more | 44 C-200, C-200 Firmware, C-230 and 41 more | 2022-07-12 | 2.9 LOW | 3.5 LOW |
| The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data. | |||||
| CVE-2020-35501 | 2 Linux, Redhat | 2 Linux Kernel, Enterprise Linux | 2022-07-08 | 3.6 LOW | 3.4 LOW |
| A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem | |||||
| CVE-2022-33879 | 1 Apache | 1 Tika | 2022-07-07 | 2.6 LOW | 3.3 LOW |
| The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1. | |||||
| CVE-2021-32002 | 1 Secomea | 2 Sitemanager, Sitemanager Firmware | 2022-07-02 | 2.1 LOW | 3.3 LOW |
| Improper Access Control vulnerability in web service of Secomea SiteManager allows local attacker without credentials to gather network information and configuration of the SiteManager. This issue affects: Secomea SiteManager All versions prior to 9.5 on Hardware. | |||||
| CVE-2020-10698 | 1 Redhat | 1 Ansible Tower | 2022-06-15 | 2.1 LOW | 3.3 LOW |
| A flaw was found in Ansible Tower when running jobs. This flaw allows an attacker to access the stdout of the executed jobs which are run from other organizations. Some sensible data can be disclosed. However, critical data should not be disclosed, as it should be protected by the no_log flag when debugging is enabled. This flaw affects Ansible Tower versions before 3.6.4, Ansible Tower versions before 3.5.6 and Ansible Tower versions before 3.4.6. | |||||
| CVE-2022-29812 | 1 Jetbrains | 1 Intellij Idea | 2022-05-05 | 2.1 LOW | 2.3 LOW |
| In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient | |||||
| CVE-2020-25779 | 1 Trendmicro | 1 Antivirus | 2022-05-03 | 2.1 LOW | 3.3 LOW |
| Trend Micro Antivirus for Mac 2020 (Consumer) has a vulnerability in which a Internationalized Domain Name homograph attack (Puny-code) could be used to add a malicious website to the approved websites list of Trend Micro Antivirus for Mac to bypass the web threat protection feature. | |||||
| CVE-2021-22308 | 1 Huawei | 2 Emui, Magic Ui | 2022-05-03 | 2.1 LOW | 3.3 LOW |
| There is a Business Logic Errors vulnerability in Huawei Smartphone. The malicious apps installed on the device can keep taking screenshots in the background. This issue does not cause system errors, but may cause personal information leakage. | |||||
| CVE-2021-25743 | 1 Kubernetes | 1 Kubernetes | 2022-02-28 | 2.1 LOW | 3.0 LOW |
| kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events. | |||||
| CVE-2022-23997 | 1 Samsung | 1 Wear Os | 2022-02-18 | 4.3 MEDIUM | 3.3 LOW |
| Unprotected component vulnerability in StTheaterModeDurationAlarmReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to disable theater mode without a proper permission. | |||||
| CVE-2020-25684 | 4 Arista, Debian, Fedoraproject and 1 more | 4 Eos, Debian Linux, Fedora and 1 more | 2022-02-14 | 4.3 MEDIUM | 3.7 LOW |
| A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query, substantially reducing the number of attempts an attacker on the network would have to perform to forge a reply and get it accepted by dnsmasq. This issue contrasts with RFC5452, which specifies a query's attributes that all must be used to match a reply. This flaw allows an attacker to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25685 or CVE-2020-25686, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. | |||||
| CVE-2021-44714 | 3 Adobe, Apple, Microsoft | 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more | 2022-01-21 | 4.3 MEDIUM | 3.3 LOW |
| Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by a Violation of Secure Design Principles that could lead to a Security feature bypass. Acrobat Reader DC displays a warning message when a user clicks on a PDF file, which could be used by an attacker to mislead the user. In affected versions, this warning message does not include custom protocols when used by the sender. User interaction is required to abuse this vulnerability as they would need to click 'allow' on the warning message of a malicious file. | |||||
| CVE-2021-22567 | 1 Dart | 1 Dart Software Development Kit | 2022-01-12 | 3.5 LOW | 3.5 LOW |
| Bidirectional Unicode text can be interpreted and compiled differently than how it appears in editors which can be exploited to get nefarious code passed a code review by appearing benign. An attacker could embed a source that is invisible to a code reviewer that modifies the behavior of a program in unexpected ways. | |||||
| CVE-2020-16230 | 1 Hms-networks | 4 Ewon Cosy, Ewon Cosy Firmware, Ewon Flexy and 1 more | 2021-11-22 | 2.1 LOW | 2.3 LOW |
| All version of Ewon Flexy and Cosy prior to 14.1 use wildcards such as (*) under which domains can request resources. An attacker with local access and high privileges could inject scripts into the Cross-origin Resource Sharing (CORS) configuration that could abuse this vulnerability, allowing the attacker to retrieve limited confidential information through sniffing. | |||||
| CVE-2019-5452 | 1 Nextcloud | 1 Nextcloud | 2021-11-03 | 2.1 LOW | 2.4 LOW |
| Bypass lock protection in the Nextcloud Android app prior to version 3.6.2 causes leaking of thumbnails when requesting the Android content provider although the lock protection was not solved. | |||||
| CVE-2020-8920 | 1 Google | 1 Gerrit | 2021-10-07 | 2.7 LOW | 3.5 LOW |
| An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts. | |||||
| CVE-2021-32680 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Server | 2021-09-20 | 2.1 LOW | 3.3 LOW |
| Nextcloud Server is a Nextcloud package that handles data storage. In versions priot to 19.0.13, 20.0.11, and 21.0.3, Nextcloud Server audit logging functionality wasn't properly logging events for the unsetting of a share expiration date. This event is supposed to be logged. This issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. | |||||
| CVE-2021-33595 | 1 F-secure | 1 Safe | 2021-08-19 | 3.5 LOW | 3.5 LOW |
| A address bar spoofing vulnerability was discovered in Safe Browser for iOS. Showing the legitimate URL in the address bar while loading the content from other domain. This makes the user believe that the content is served by a legit domain. A remote attacker can leverage this to perform address bar spoofing attack. | |||||
| CVE-2021-33594 | 1 F-secure | 1 Safe | 2021-08-19 | 3.5 LOW | 3.5 LOW |
| An address bar spoofing vulnerability was discovered in Safe Browser for Android. When user clicks on a specially crafted a malicious URL, it appears like a legitimate one on the address bar, while the content comes from other domain and presented in a window, covering the original content. A remote attacker can leverage this to perform address bar spoofing attack. | |||||
| CVE-2021-33604 | 1 Vaadin | 2 Flow-server, Vaadin | 2021-07-01 | 1.2 LOW | 2.5 LOW |
| URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser. | |||||
| CVE-2021-32655 | 1 Nextcloud | 1 Nextcloud Server | 2021-06-11 | 3.5 LOW | 3.5 LOW |
| Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected share, Nextcloud server would silently grant the share read privileges. The vulnerability is patched in versions 19.0.11, 20.0.10 and 21.0.2. No workarounds are known to exist. | |||||
| CVE-2021-25379 | 1 Samsung | 1 Gallery | 2021-04-23 | 2.1 LOW | 3.3 LOW |
| Intent redirection vulnerability in Gallery prior to version 5.4.16.1 allows attacker to execute privileged action. | |||||
| CVE-2016-1133 | 1 Dena | 1 H2o | 2021-04-19 | 4.3 MEDIUM | 3.7 LOW |
| CRLF injection vulnerability in the on_req function in lib/handler/redirect.c in H2O before 1.6.2 and 1.7.x before 1.7.0-beta3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URI. | |||||
| CVE-2021-22887 | 2 Pulsesecure, Supermicro | 24 Psa-5000, Psa-5000 Firmware, Psa-7000 and 21 more | 2021-03-22 | 2.1 LOW | 2.3 LOW |
| A vulnerability in the BIOS of Pulse Secure (PSA-Series Hardware) models PSA5000 and PSA7000 could allow an attacker to compromise BIOS firmware. This vulnerability can be exploited only as part of an attack chain. Before an attacker can compromise the BIOS, they must exploit the device. | |||||
| CVE-2021-21331 | 1 Datadoghq | 1 Datadog-api-client-java | 2021-03-10 | 4.3 MEDIUM | 3.3 LOW |
| The Java client for the Datadog API before version 1.0.0-beta.9 has a local information disclosure of sensitive information downloaded via the API using the API Client. The Datadog API is executed on a unix-like system with multiple users. The API is used to download a file containing sensitive information. This sensitive information is exposed locally to other users. This vulnerability exists in the API Client for version 1 and 2. The method `prepareDownloadFilecreates` creates a temporary file with the permissions bits of `-rw-r--r--` on unix-like systems. On unix-like systems, the system temporary directory is shared between users. As such, the contents of the file downloaded via the `downloadFileFromResponse` method will be visible to all other users on the local system. Analysis of the finding determined that the affected code was unused, meaning that the exploitation likelihood is low. The unused code has been removed, effectively mitigating this issue. This issue has been patched in version 1.0.0-beta.9. As a workaround one may specify `java.io.tmpdir` when starting the JVM with the flag `-Djava.io.tmpdir`, specifying a path to a directory with `drw-------` permissions owned by `dd-agent`. | |||||
| CVE-2020-4725 | 1 Ibm | 1 Cloud Application Performance Management | 2021-03-08 | 3.5 LOW | 3.5 LOW |
| IBM Monitoring (IBM Cloud APM 8.1.4 ) could allow an authenticated user to modify HTML content by sending a specially crafted HTTP request to the APM UI, which could mislead another user. IBM X-Force ID: 187974. | |||||
| CVE-2021-25348 | 1 Samsung | 1 Internet | 2021-03-05 | 2.1 LOW | 2.4 LOW |
| Improper permission grant check in Samsung Internet prior to version 13.0.1.60 allows access to files in internal storage without authorized STORAGE permission. | |||||
| CVE-2020-28923 | 1 Lightbend | 1 Play Framework | 2020-12-07 | 4.0 MEDIUM | 2.7 LOW |
| An issue was discovered in Play Framework 2.8.0 through 2.8.4. Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play version prior to 2.8.0 that used the Play Java API to serialize classes with protected or private fields to JSON. | |||||
| CVE-2019-3981 | 1 Mikrotik | 2 Routeros, Winbox | 2020-10-22 | 4.3 MEDIUM | 3.7 LOW |
| MikroTik Winbox 3.20 and below is vulnerable to man in the middle attacks. A man in the middle can downgrade the client's authentication protocol and recover the user's username and MD5 hashed password. | |||||
| CVE-2019-15620 | 1 Nextcloud | 1 Talk | 2020-10-09 | 4.0 MEDIUM | 2.7 LOW |
| Improper access control in Nextcloud Talk 6.0.3 leaks the existance and the name of private conversations when linked them to another shared item via the projects feature. | |||||