Search
Total
96 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-5851 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2023-12-22 | N/A | 4.3 MEDIUM |
| Inappropriate implementation in Downloads in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2023-5859 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2023-12-22 | N/A | 4.3 MEDIUM |
| Incorrect security UI in Picture In Picture in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to perform domain spoofing via a crafted local HTML page. (Chromium security severity: Low) | |||||
| CVE-2023-5853 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2023-12-22 | N/A | 4.3 MEDIUM |
| Incorrect security UI in Downloads in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2023-5858 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2023-12-22 | N/A | 4.3 MEDIUM |
| Inappropriate implementation in WebApp Provider in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Low) | |||||
| CVE-2023-28794 | 1 Zscaler | 1 Client Connector | 2023-11-14 | N/A | 6.5 MEDIUM |
| Origin Validation Error vulnerability in Zscaler Client Connector on Linux allows Privilege Abuse. This issue affects Zscaler Client Connector for Linux: before 1.3.1.6. | |||||
| CVE-2023-4045 | 2 Debian, Mozilla | 3 Debian Linux, Firefox, Firefox Esr | 2023-08-09 | N/A | 5.3 MEDIUM |
| Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. | |||||
| CVE-2022-22757 | 1 Mozilla | 1 Firefox | 2023-08-08 | N/A | 6.5 MEDIUM |
| Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it. <br>*This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.*. This vulnerability affects Firefox < 97. | |||||
| CVE-2023-2850 | 1 Nodebb | 1 Nodebb | 2023-08-07 | N/A | 4.7 MEDIUM |
| NodeBB is affected by a Cross-Site WebSocket Hijacking vulnerability due to missing validation of the request origin. Exploitation of this vulnerability allows certain user information to be extracted by attacker. | |||||
| CVE-2023-30949 | 1 Palantir | 1 Slate | 2023-08-04 | N/A | 5.3 MEDIUM |
| A missing origin validation in Slate sandbox could be exploited by a malicious user to modify the page's content, which could lead to phishing attacks. | |||||
| CVE-2022-1497 | 1 Google | 1 Chrome | 2022-07-28 | N/A | 6.5 MEDIUM |
| Inappropriate implementation in Input in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to spoof the contents of cross-origin websites via a crafted HTML page. | |||||
| CVE-2021-37967 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2022-07-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2021-46701 | 1 Premid | 1 Premid | 2022-07-12 | 6.4 MEDIUM | 6.5 MEDIUM |
| PreMiD 2.2.0 allows unintended access via the websocket transport. An attacker can receive events from a socket and emit events to a socket, potentially interfering with a victim's "now playing" status on Discord. | |||||
| CVE-2021-30630 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2022-07-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| Inappropriate implementation in Blink in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2022-1747 | 1 Dominionvoting | 2 Democracy Suite, Imagecast X | 2022-07-05 | 2.1 LOW | 4.6 MEDIUM |
| The authentication mechanism used by voters to activate a voting session on the tested version of Dominion Voting Systems ImageCast X is susceptible to forgery. An attacker could leverage this vulnerability to print an arbitrary number of ballots without authorization. | |||||
| CVE-2022-30228 | 1 Siemens | 1 Sicam Gridedge Essential | 2022-06-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability has been identified in SICAM GridEdge Essential ARM (All versions < V2.6.6), SICAM GridEdge Essential Intel (All versions < V2.6.6), SICAM GridEdge Essential with GDS ARM (All versions < V2.6.6), SICAM GridEdge Essential with GDS Intel (All versions < V2.6.6). The affected software does not apply cross-origin resource sharing (CORS) restrictions for critical operations. In case an attacker tricks a legitimate user into accessing a special resource a malicious request could be executed. | |||||
| CVE-2019-5062 | 1 W1.fi | 1 Hostapd | 2022-06-17 | 3.3 LOW | 6.5 MEDIUM |
| An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of service. | |||||
| CVE-2022-31024 | 1 Nextcloud | 1 Richdocuments | 2022-06-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| richdocuments is the repository for NextCloud Collabra, the app for Nextcloud Office collaboration. Prior to versions 6.0.0, 5.0.4, and 4.2.6, a user could be tricked into working against a remote Office by sending them a federated share. richdocuments versions 6.0.0, 5.0.4 and 4.2.6 contain a fix for this issue. There are currently no known workarounds available. | |||||
| CVE-2022-0120 | 1 Google | 1 Chrome | 2022-02-22 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in Passwords in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially leak cross-origin data via a malicious website. | |||||
| CVE-2022-0113 | 1 Google | 1 Chrome | 2022-02-22 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in Blink in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2021-38507 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2022-02-22 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. | |||||
| CVE-2021-37966 | 3 Debian, Fedoraproject, Google | 4 Debian Linux, Fedora, Android and 1 more | 2022-02-18 | 4.3 MEDIUM | 4.3 MEDIUM |
| Inappropriate implementation in Compositing in Google Chrome on Android prior to 94.0.4606.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2022-0111 | 1 Google | 1 Chrome | 2022-02-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in Navigation in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to incorrectly set origin via a crafted HTML page. | |||||
| CVE-2022-0108 | 1 Google | 1 Chrome | 2022-02-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in Navigation in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2021-4024 | 3 Fedoraproject, Podman Project, Redhat | 3 Fedora, Podman, Enterprise Linux | 2022-02-08 | 6.4 MEDIUM | 6.5 MEDIUM |
| A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host's services by forwarding all ports to the VM. | |||||
| CVE-2022-23032 | 1 F5 | 2 Big-ip Access Policy Manager, Big-ip Access Policy Manager Client | 2022-02-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| In all versions before 7.2.1.4, when proxy settings are configured in the network access resource of a BIG-IP APM system, connecting BIG-IP Edge Client on Mac and Windows is vulnerable to a DNS rebinding attack. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2021-43531 | 1 Mozilla | 1 Firefox | 2021-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
| When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked. If the Web Extension lacked the WebRequest permission for the hosts involved in the redirect, this would be a same-origin-violation leaking data the Web Extension should have access to. This was fixed to provide the pre-redirect URL. This is related to CVE-2021-43532 but in the context of Web Extensions. This vulnerability affects Firefox < 94. | |||||
| CVE-2021-21164 | 4 Apple, Debian, Fedoraproject and 1 more | 4 Iphone Os, Debian Linux, Fedora and 1 more | 2021-12-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient data validation in Chrome on iOS in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2021-21163 | 4 Apple, Debian, Fedoraproject and 1 more | 4 Iphone Os, Debian Linux, Fedora and 1 more | 2021-12-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient data validation in Reader Mode in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page and a malicious server. | |||||
| CVE-2021-21175 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2021-12-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in Site isolation in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2021-21184 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2021-12-03 | 4.3 MEDIUM | 4.3 MEDIUM |
| Inappropriate implementation in performance APIs in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2021-21183 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2021-12-03 | 4.3 MEDIUM | 4.3 MEDIUM |
| Inappropriate implementation in performance APIs in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2021-30596 | 2 Fedoraproject, Google | 3 Fedora, Android, Chrome | 2021-11-30 | 4.3 MEDIUM | 4.3 MEDIUM |
| Incorrect security UI in Navigation in Google Chrome on Android prior to 92.0.4515.131 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2021-38497 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2021-11-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2. | |||||
| CVE-2021-39175 | 1 Hedgedoc | 1 Hedgedoc | 2021-09-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| HedgeDoc is a platform to write and share markdown. In versions prior to 1.9.0, an unauthenticated attacker can inject arbitrary JavaScript into the speaker-notes of the slide-mode feature by embedding an iframe hosting the malicious code into the slides or by embedding the HedgeDoc instance into another page. The problem is patched in version 1.9.0. There are no known workarounds aside from upgrading. | |||||
| CVE-2021-23986 | 1 Mozilla | 1 Firefox | 2021-08-06 | 4.3 MEDIUM | 6.5 MEDIUM |
| A malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL. The response to this cross-origin request could have been read by the extension, allowing a same-origin policy bypass by the extension, which should not have cross-origin permissions. This cross-origin request was made without cookies, so the sensitive information disclosed by the violation was limited to local-network resources or resources that perform IP-based authentication. This vulnerability affects Firefox < 87. | |||||
| CVE-2021-21209 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2021-06-01 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in storage in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2021-21211 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2021-06-01 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in Navigation in Google Chrome on iOS prior to 90.0.4430.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2021-21229 | 3 Debian, Fedoraproject, Google | 4 Debian Linux, Fedora, Android and 1 more | 2021-06-01 | 4.3 MEDIUM | 6.5 MEDIUM |
| Incorrect security UI in downloads in Google Chrome on Android prior to 90.0.4430.93 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||||
| CVE-2021-28048 | 1 Devolutions | 1 Devolutions Server | 2021-04-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An overly permissive CORS policy in Devolutions Server before 2021.1 and Devolutions Server LTS before 2020.3.18 allows a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2020-15734 | 1 Bitdefender | 1 Safepay | 2021-04-21 | 2.1 LOW | 5.5 MEDIUM |
| An Origin Validation Error vulnerability in Bitdefender Safepay allows an attacker to manipulate the browser's file upload capability into accessing other files in the same directory or sub-directories. This issue affects: Bitdefender Safepay versions prior to 25.0.7.29. | |||||
| CVE-2017-5646 | 1 Apache | 1 Knox | 2021-04-06 | 4.9 MEDIUM | 6.8 MEDIUM |
| For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release. | |||||
| CVE-2021-21136 | 2 Google, Microsoft | 3 Android, Chrome, Edge Chromium | 2021-03-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in WebView in Google Chrome on Android prior to 88.0.4324.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2021-21135 | 2 Google, Microsoft | 2 Chrome, Edge Chromium | 2021-03-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in Performance API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2021-20199 | 1 Podman Project | 1 Podman | 2021-02-26 | 4.3 MEDIUM | 5.9 MEDIUM |
| Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by default and do not require authentication. This issue affects Podman 1.8.0 onwards. | |||||
| CVE-2020-28481 | 1 Socket | 1 Socket.io | 2021-01-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default. | |||||
| CVE-2020-26251 | 1 Openzaak | 1 Open Zaak | 2020-12-22 | 4.3 MEDIUM | 4.7 MEDIUM |
| Open Zaak is a modern, open-source data- and services-layer to enable zaakgericht werken, a Dutch approach to case management. In Open Zaak before version 1.3.3 the Cross-Origin-Resource-Sharing policy in Open Zaak is currently wide open - every client is allowed. This allows evil.com to run scripts that perform AJAX calls to known Open Zaak installations, and the browser will not block these. This was intended to only apply to development machines running on localhost/127.0.0.1. Open Zaak 1.3.3 disables CORS by default, while it can be opted-in through environment variables. The vulnerability does not actually seem exploitable because: a) The session cookie has a `Same-Site: Lax` policy which prevents it from being sent along in Cross-Origin requests. b) All pages that give access to (production) data are login-protected c) `Access-Control-Allow-Credentials` is set to `false` d) CSRF checks probably block the remote origin, since they're not explicitly added to the trusted allowlist. | |||||
| CVE-2020-15733 | 1 Bitdefender | 1 Antivirus Plus | 2020-12-16 | 4.3 MEDIUM | 6.5 MEDIUM |
| An Origin Validation Error vulnerability in the SafePay component of Bitdefender Antivirus Plus allows a web resource to misrepresent itself in the URL bar. This issue affects: Bitdefender Antivirus Plus versions prior to 25.0.7.29. | |||||
| CVE-2020-26234 | 1 Apereo | 1 Opencast | 2020-12-10 | 2.1 LOW | 4.8 MEDIUM |
| Opencast before versions 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. This problem is fixed in Opencast 7.9 and Opencast 8.8 Please be aware that fixing the problem means that Opencast will not simply accept any self-signed certificates any longer without properly importing them. If you need those, please make sure to import them into the Java key store. Better yet, get a valid certificate. | |||||
| CVE-2020-26253 | 1 Getkirby | 2 Kirby, Panel | 2020-12-08 | 4.3 MEDIUM | 5.9 MEDIUM |
| Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14 there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin account for the Panel yet, we block account registration there by default. This is a security feature, which we implemented years ago in Kirby 2. It helps to avoid that you forget registering your first admin account on a public server. In this case – without our security block – someone else might theoretically be able to find your site, find out it's running on Kirby, find the Panel and then register the account first. It's an unlikely situation, but it's still a certain risk. To be able to register the first Panel account on a public server, you have to enforce the installer via a config setting. This helps to push all users to the best practice of registering your first Panel account on your local machine and upload it together with the rest of the site. This installation block implementation in Kirby versions before 3.3.6 still assumed that .dev domains are local domains, which is no longer true. In the meantime, those domains became publicly available. This means that our installation block is no longer working as expected if you use a .dev domain for your Kirby site. Additionally the local installation check may also fail if your site is behind a reverse proxy. You are only affected if you use a .dev domain or your site is behind a reverse proxy and you have not yet registered your first Panel account on the public server and someone finds your site and tries to login at `yourdomain.dev/panel` before you register your first account. You are not affected if you have already created one or multiple Panel accounts (no matter if on a .dev domain or behind a reverse proxy). The problem has been patched in Kirby 3.3.6. Please upgrade to this or a later version to fix the vulnerability. | |||||
| CVE-2020-15682 | 1 Mozilla | 1 Firefox | 2020-10-30 | 4.3 MEDIUM | 6.5 MEDIUM |
| When a link to an external protocol was clicked, a prompt was presented that allowed the user to choose what application to open it in. An attacker could induce that prompt to be associated with an origin they didn't control, resulting in a spoofing attack. This was fixed by changing external protocol prompts to be tab-modal while also ensuring they could not be incorrectly associated with a different origin. This vulnerability affects Firefox < 82. | |||||