Search
Total
96 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-8754 | 1 Apple | 1 Mac Os X | 2020-10-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins. This issue is fixed in macOS Catalina 10.15.1, Security Update 2019-001, and Security Update 2019-006. A malicious HTML document may be able to render iframes with sensitive user information. | |||||
| CVE-2019-8282 | 1 Gemalto | 1 Sentinel Ldk | 2020-10-22 | 2.6 LOW | 5.3 MEDIUM |
| Gemalto Admin Control Center, all versions prior to 7.92, uses cleartext HTTP to communicate with www3.safenet-inc.com to obtain language packs. This allows attacker to do man-in-the-middle (MITM) attack and replace original language pack by malicious one. | |||||
| CVE-2020-15773 | 1 Gradle | 1 Enterprise | 2020-09-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Gradle Enterprise before 2020.2.4. Because of unrestricted cross-origin requests to read-only data in the Export API, an attacker can access data as a user (for the duration of the browser session) after previously explicitly authenticating with the API. | |||||
| CVE-2020-16168 | 1 Robotemi | 2 Temi, Temi Firmware | 2020-09-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| Origin Validation Error in temi Robox OS prior to 120, temi Android app up to 1.3.7931 allows remote attackers to access the REST API and MQTT broker used by the temi and send it custom data/requests via unspecified vectors. | |||||
| CVE-2018-8235 | 1 Microsoft | 3 Edge, Windows 10, Windows Server 2016 | 2020-08-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins, aka "Microsoft Edge Security Feature Bypass Vulnerability." This affects Microsoft Edge. | |||||
| CVE-2019-1442 | 1 Microsoft | 1 Sharepoint Server | 2020-08-24 | 4.3 MEDIUM | 5.5 MEDIUM |
| A security feature bypass vulnerability exists when Microsoft Office does not validate URLs.An attacker could send a victim a specially crafted file, which could trick the victim into entering credentials, aka 'Microsoft Office Security Feature Bypass Vulnerability'. | |||||
| CVE-2019-1445 | 1 Microsoft | 1 Office Online Server | 2020-08-24 | 5.8 MEDIUM | 5.4 MEDIUM |
| A spoofing vulnerability exists when Office Online does not validate origin in cross-origin communications handlers correctly, aka 'Microsoft Office Online Spoofing Vulnerability'. This CVE ID is unique from CVE-2019-1447. | |||||
| CVE-2019-1447 | 1 Microsoft | 1 Office Online Server | 2020-08-24 | 5.8 MEDIUM | 5.4 MEDIUM |
| A spoofing vulnerability exists when Office Online does not validate origin in cross-origin communications handlers correctly, aka 'Microsoft Office Online Spoofing Vulnerability'. This CVE ID is unique from CVE-2019-1445. | |||||
| CVE-2019-16275 | 3 Canonical, Debian, W1.fi | 4 Ubuntu Linux, Debian Linux, Hostapd and 1 more | 2020-08-24 | 3.3 LOW | 6.5 MEDIUM |
| hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication of disconnection in certain situations because source address validation is mishandled. This is a denial of service that should have been prevented by PMF (aka management frame protection). The attacker must send a crafted 802.11 frame from a location that is within the 802.11 communications range. | |||||
| CVE-2019-13740 | 1 Google | 1 Chrome | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| Incorrect security UI in sharing in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||||
| CVE-2019-13664 | 1 Google | 1 Chrome | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in Blink in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||||
| CVE-2019-1413 | 1 Microsoft | 4 Edge, Windows 10, Windows Server 2016 and 1 more | 2020-08-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| A security feature bypass vulnerability exists when Microsoft Edge improperly handles extension requests and fails to request host permission for all_urls, aka 'Microsoft Edge Security Feature Bypass Vulnerability'. | |||||
| CVE-2018-8112 | 1 Microsoft | 1 Edge | 2020-08-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins, aka "Microsoft Edge Security Feature Bypass Vulnerability." This affects Microsoft Edge. | |||||
| CVE-2020-15652 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-08-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to content that can be parsed as script. This vulnerability affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird < 78.1. | |||||
| CVE-2020-15104 | 1 Envoyproxy | 1 Envoy | 2020-07-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| In Envoy before versions 1.12.6, 1.13.4, 1.14.4, and 1.15.0 when validating TLS certificates, Envoy would incorrectly allow a wildcard DNS Subject Alternative Name apply to multiple subdomains. For example, with a SAN of *.example.com, Envoy would incorrectly allow nested.subdomain.example.com, when it should only allow subdomain.example.com. This defect applies to both validating a client TLS certificate in mTLS, and validating a server TLS certificate for upstream connections. This vulnerability is only applicable to situations where an untrusted entity can obtain a signed wildcard TLS certificate for a domain of which you only intend to trust a subdomain of. For example, if you intend to trust api.mysubdomain.example.com, and an untrusted actor can obtain a signed TLS certificate for *.example.com or *.com. Configurations are vulnerable if they use verify_subject_alt_name in any Envoy version, or if they use match_subject_alt_names in version 1.14 or later. This issue has been fixed in Envoy versions 1.12.6, 1.13.4, 1.14.4, 1.15.0. | |||||
| CVE-2020-12397 | 1 Mozilla | 1 Thunderbird | 2020-06-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| By encoding Unicode whitespace characters within the From email header, an attacker can spoof the sender email address that Thunderbird displays. This vulnerability affects Thunderbird < 68.8.0. | |||||
| CVE-2019-11762 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2020-03-14 | 5.8 MEDIUM | 6.1 MEDIUM |
| If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. | |||||
| CVE-2017-5592 | 1 Profanity Project | 1 Profanity | 2020-01-23 | 4.3 MEDIUM | 5.9 MEDIUM |
| An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for profanity (0.4.7 - 0.5.0). | |||||
| CVE-2017-5606 | 1 Xabber | 1 Xabber | 2020-01-22 | 4.3 MEDIUM | 5.9 MEDIUM |
| An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Xabber (only if manually enabled: 1.0.30, 1.0.30 VIP, beta 1.0.3 - 1.0.74; Android). | |||||
| CVE-2017-5591 | 3 Poezio, Sleekxmpp Project, Slixmpp Project | 3 Poezio, Sleekxmpp, Slixmpp | 2020-01-22 | 4.3 MEDIUM | 5.9 MEDIUM |
| An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for SleekXMPP up to 1.3.1 and Slixmpp all versions up to 1.2.3, as bundled in poezio (0.8 - 0.10) and other products. | |||||
| CVE-2019-19545 | 1 Norton | 1 Password Manager | 2019-12-13 | 6.5 MEDIUM | 6.3 MEDIUM |
| Norton Password Manager, prior to 6.6.2.5, may be susceptible to a cross origin resource sharing (CORS) vulnerability, which is a type of issue that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. | |||||
| CVE-2019-18381 | 1 Norton | 1 Password Manager | 2019-12-13 | 6.5 MEDIUM | 6.3 MEDIUM |
| Norton Password Manager, prior to 6.6.2.5, may be susceptible to a cross origin resource sharing (CORS) vulnerability, which is a type of issue that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. | |||||
| CVE-2017-18016 | 1 Parity | 1 Browser | 2019-10-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| Parity Browser 1.6.10 and earlier allows remote attackers to bypass the Same Origin Policy and obtain sensitive information by requesting other websites via the Parity web proxy engine (reusing the current website's token, which is not bound to an origin). | |||||
| CVE-2018-16072 | 1 Google | 1 Chrome | 2019-10-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| A missing origin check related to HLS manifests in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass same origin policy via a crafted HTML page. | |||||
| CVE-2018-12402 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2019-10-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| The internal WebBrowserPersist code does not use correct origin context for a resource being saved. This manifests when sub-resources are loaded as part of "Save Page As..." functionality. For example, a malicious page could recover a visitor's Windows username and NTLM hash by including resources otherwise unreachable to the malicious page, if they can convince the visitor to save the complete web page. Similarly, SameSite cookies are sent on cross-origin requests when the "Save Page As..." menu item is selected to save a page, which can result in saving the wrong version of resources based on those cookies. This vulnerability affects Firefox < 63. | |||||
| CVE-2017-8530 | 1 Microsoft | 3 Edge, Windows 10, Windows Server 2016 | 2019-10-03 | 5.8 MEDIUM | 5.4 MEDIUM |
| Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an attacker to trick a user into loading a page with malicious content when Microsoft Edge does not properly enforce same-origin policies, aka "Microsoft Edge Security Feature Bypass Vulnerability". This CVE ID is unique from CVE-2017-8523 and CVE-2017-8555. | |||||
| CVE-2017-8523 | 1 Microsoft | 3 Edge, Windows 10, Windows Server 2016 | 2019-10-03 | 4.3 MEDIUM | 4.3 MEDIUM |
| Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an attacker to trick a user into loading a page with malicious content when Microsoft Edge fails to correctly apply Same Origin Policy for HTML elements present in other browser windows, aka "Microsoft Edge Security Feature Bypass Vulnerability". This CVE ID is unique from CVE-2017-8530 and CVE-2017-8555. | |||||
| CVE-2017-8650 | 1 Microsoft | 2 Edge, Windows 10 | 2019-10-03 | 5.8 MEDIUM | 5.4 MEDIUM |
| Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to exploit a security feature bypass due to Microsoft Edge not properly enforcing same-origin policies, aka "Microsoft Edge Security Feature Bypass Vulnerability". | |||||
| CVE-2019-9817 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2019-07-26 | 5.0 MEDIUM | 5.3 MEDIUM |
| Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7. | |||||
| CVE-2019-9797 | 1 Mozilla | 1 Firefox | 2019-06-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| Cross-origin images can be read in violation of the same-origin policy by exporting an image after using createImageBitmap to read the image and then rendering the resulting bitmap image within a canvas element. This vulnerability affects Firefox < 66. | |||||
| CVE-2019-9808 | 1 Mozilla | 1 Firefox | 2019-04-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| If WebRTC permission is requested from documents with data: or blob: URLs, the permission notifications do not properly display the originating domain. The notification states "Unknown origin" as the requestee, leading to user confusion about which site is asking for this permission. This vulnerability affects Firefox < 66. | |||||
| CVE-2018-18494 | 4 Canonical, Debian, Mozilla and 1 more | 11 Ubuntu Linux, Debian Linux, Firefox and 8 more | 2019-03-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| A same-origin policy violation allowing the theft of cross-origin URL entries when using the Javascript location property to cause a redirection to another site using performance.getEntries(). This is a same-origin policy violation and could allow for data theft. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64. | |||||
| CVE-2018-18499 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2019-03-01 | 4.3 MEDIUM | 6.5 MEDIUM |
| A same-origin policy violation allowing the theft of cross-origin URL entries when using a meta http-equiv="refresh" on a page to cause a redirection to another site using performance.getEntries(). This is a same-origin policy violation and could allow for data theft. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1. | |||||
| CVE-2018-20744 | 1 Go Cors Project | 1 Go Cors | 2019-02-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems. | |||||
| CVE-2018-20745 | 1 Yiiframework | 1 Yii | 2019-02-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems. | |||||
| CVE-2017-7808 | 1 Mozilla | 1 Firefox | 2018-08-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| A content security policy (CSP) "frame-ancestors" directive containing origins with paths allows for comparisons against those paths instead of the origin. This results in a cross-origin information leak of this path information. This vulnerability affects Firefox < 55. | |||||
| CVE-2018-5109 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2018-06-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| An audio capture session can started under an incorrect origin from the site making the capture request. Users are still prompted to allow the request but the prompt can display the wrong origin, leading to user confusion about which site is making the request to capture an audio stream. This vulnerability affects Firefox < 58. | |||||
| CVE-2017-1000455 | 1 Gnu | 1 Guixsd | 2018-01-30 | 2.1 LOW | 5.5 MEDIUM |
| GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d used POSIX hard links incorrectly, leading the creation of setuid executables in "the store", violating a fundamental security assumption of GNU Guix. | |||||
| CVE-2017-5602 | 1 Jappix Project | 1 Jappix | 2017-03-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for jappix 1.0.0 to 1.1.6. | |||||
| CVE-2017-5593 | 1 Psi-plus | 1 Psi\+ | 2017-03-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Psi+ (0.16.563.580 - 0.16.571.627). | |||||
| CVE-2017-5590 | 2 Chatsecure, Zom | 2 Chatsecure, Zom | 2017-03-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for ChatSecure (3.2.0 - 4.0.0; only iOS) and Zom (all versions up to 1.0.11; only iOS). | |||||
| CVE-2017-5858 | 1 Conversejs | 1 Converse.js | 2017-03-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Converse.js (0.8.0 - 1.0.6, 2.0.0 - 2.0.4). | |||||
| CVE-2017-5589 | 1 Yaxim | 2 Bruno, Yaxim | 2017-03-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for yaxim and Bruno (0.8.6 - 0.8.8; Android). | |||||
| CVE-2017-5605 | 1 Movim | 1 Movim | 2017-03-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Movim 0.8 - 0.10. | |||||
| CVE-2017-5604 | 1 Mcabber | 1 Mcabber | 2017-03-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for mcabber 1.0.0 - 1.0.4. | |||||
| CVE-2017-5603 | 1 Jitsi | 1 Jitsi | 2017-03-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Jitsi 2.5.5061 - 2.9.5544. | |||||