Search
Total
831 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-21216 | 1 Intel | 132 Atom C5310, Atom C5310 Firmware, Atom C5315 and 129 more | 2023-08-08 | N/A | 6.8 MEDIUM |
| Insufficient granularity of access control in out-of-band management in some Intel(R) Atom and Intel Xeon Scalable Processors may allow a privileged user to potentially enable escalation of privilege via adjacent network access. | |||||
| CVE-2020-28388 | 4 Arm, Mips, Powerpc Project and 1 more | 8 Arm, Mips, Powerpc and 5 more | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability has been identified in APOGEE PXC Compact (BACnet) (All versions < V3.5.5), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.20), APOGEE PXC Modular (BACnet) (All versions < V3.5.5), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.20), Nucleus NET (All versions < V5.2), Nucleus ReadyStart V3 (All versions < V2012.12), Nucleus Source Code (All versions), PLUSCONTROL 1st Gen (All versions), TALON TC Compact (BACnet) (All versions < V3.5.5), TALON TC Modular (BACnet) (All versions < V3.5.5). Initial Sequence Numbers (ISNs) for TCP connections are derived from an insufficiently random source. As a result, the ISN of current and future TCP connections could be predictable. An attacker could hijack existing sessions or spoof future ones. | |||||
| CVE-2023-2022 | 1 Gitlab | 1 Gitlab | 2023-08-05 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2, which leads to developers being able to create pipeline schedules on protected branches even if they don't have access to merge | |||||
| CVE-2023-32732 | 2 Fedoraproject, Grpc | 2 Fedora, Grpc | 2023-08-02 | N/A | 5.3 MEDIUM |
| gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309 https://www.google.com/url | |||||
| CVE-2023-23568 | 1 Gallagher | 1 Command Centre | 2023-08-01 | N/A | 5.4 MEDIUM |
| Improper privilege validation in Command Centre Server allows authenticated unprivileged operators to modify and view Personal Data Fields. This issue affects Command Centre: vEL 8.90 prior to vEL8.90.1318 (MR1), vEL8.80 prior to vEL8.80.1192 (MR2), vEL8.70 prior to vEL8.70.2185 (MR4), vEL8.60 prior to vEL8.60.2347 (MR6), vEL8.50 prior to vEL8.50.2831 (MR8), all versions vEL8.40 and prior | |||||
| CVE-2023-22428 | 1 Gallagher | 1 Command Centre | 2023-08-01 | N/A | 6.5 MEDIUM |
| Improper privilege validation in Command Centre Server allows authenticated operators to modify Division lineage. This issue affects Command Centre: vEL8.80 prior to vEL8.80.1192 (MR2), vEL8.70 prior to vEL8.70.2185 (MR4), vEL8.60 prior to vEL8.60.2347 (MR6), vEL8.50 prior to vEL8.50.2831(MR8), vEL8.40 and prior. | |||||
| CVE-2023-25074 | 1 Gallagher | 1 Command Centre | 2023-08-01 | N/A | 5.4 MEDIUM |
| Improper privilege validation in Command Centre Server allows authenticated unprivileged operators to modify and view Competencies. This issue affects Command Centre: vEL8.90 prior to vEL8.90.1318 (MR1), vEL8.80 prior to vEL8.80.1192 (MR2), vEL8.70 prior to vEL8.70.2185 (MR4), vEL8.60 prior to vEL8.60.2347 (MR6), vEL8.50 prior to vEL8.50.2831 (MR8), all versions vEL8.40 and prior. | |||||
| CVE-2023-38195 | 1 Datalust | 1 Seq | 2023-08-01 | N/A | 4.9 MEDIUM |
| Datalust Seq before 2023.2.9489 allows insertion of sensitive information into an externally accessible file or directory. This is exploitable only when external (SQL Server or PostgreSQL) metadata storage is used. Exploitation can only occur from a high-privileged user account. | |||||
| CVE-2023-23487 | 4 Ibm, Linux, Microsoft and 1 more | 5 Aix, Db2, Linux Kernel and 2 more | 2023-07-31 | N/A | 4.3 MEDIUM |
| IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 is vulnerable to insufficient audit logging. IBM X-Force ID: 245918. | |||||
| CVE-2023-38335 | 1 Omnis | 1 Studio | 2023-07-31 | N/A | 5.3 MEDIUM |
| Omnis Studio 10.22.00 has incorrect access control. It advertises a feature for making Omnis libraries "always private" - this is supposed to be an irreversible operation. However, due to implementation issues, "always private" Omnis libraries can be opened by the Omnis Studio browser by bypassing specific checks. This violates the expected behavior of an "irreversible operation". | |||||
| CVE-2023-38334 | 1 Omnis | 1 Studio | 2023-07-31 | N/A | 6.5 MEDIUM |
| Omnis Studio 10.22.00 has incorrect access control. It advertises an irreversible feature for locking classes within Omnis libraries: it should be no longer possible to delete, view, change, copy, rename, duplicate, or print a locked class. Due to implementation issues, locked classes in Omnis libraries can be unlocked, and thus further analyzed and modified by Omnis Studio. This allows for further analyzing and also deleting, viewing, changing, copying, renaming, duplicating, or printing previously locked Omnis classes. This violates the expected behavior of an "irreversible operation." | |||||
| CVE-2023-3786 | 1 Aures | 2 Komet, Komet Firmware | 2023-07-31 | N/A | 6.8 MEDIUM |
| A vulnerability classified as problematic has been found in Aures Komet up to 20230509. This affects an unknown part of the component Kiosk Mode. The manipulation leads to improper access controls. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The identifier VDB-235053 was assigned to this vulnerability. | |||||
| CVE-2020-29509 | 2 Golang, Netapp | 2 Go, Trident | 2023-07-27 | 6.8 MEDIUM | 5.6 MEDIUM |
| The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. | |||||
| CVE-2020-29511 | 2 Golang, Netapp | 2 Go, Trident | 2023-07-27 | 6.8 MEDIUM | 5.6 MEDIUM |
| The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. | |||||
| CVE-2021-24788 | 1 Batch Cat Project | 1 Batch Cat | 2022-07-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Batch Cat WordPress plugin through 0.3 defines 3 custom AJAX actions, which both require authentication but are available for all roles. As a result, any authenticated user (including simple subscribers) can add/set/delete arbitrary categories to posts. | |||||
| CVE-2022-27337 | 1 Freedesktop | 1 Poppler | 2022-07-30 | 4.3 MEDIUM | 6.5 MEDIUM |
| A logic error in the Hints::Hints function of Poppler v22.03.0 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file. | |||||
| CVE-2022-22213 | 1 Juniper | 2 Junos, Junos Os Evolved | 2022-07-29 | N/A | 5.9 MEDIUM |
| A vulnerability in Handling of Undefined Values in the routing protocol daemon (RPD) process of Juniper Networks Junos OS and Junos OS Evolved may allow an unauthenticated network-based attacker to crash the RPD process by sending a specific BGP update while the system is under heavy load, leading to a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. Malicious exploitation of this issue requires a very specific combination of load, timing, and configuration of the vulnerable system which is beyond the direct control of the attacker. Internal reproduction has only been possible through artificially created load and specially instrumented source code. Systems are only vulnerable to this issue if BGP multipath is enabled. Routers not configured for BGP multipath are not vulnerable to this issue. This issue affects: Juniper Networks Junos OS: 21.1 versions prior to 21.1R3-S1; 21.2 versions prior to 21.2R2-S2, 21.2R3; 21.3 versions prior to 21.3R2, 21.3R3; 21.4 versions prior to 21.4R1-S1, 21.4R2. Juniper Networks Junos OS Evolved: 21.1 versions prior to 21.1R3-S1-EVO; 21.2 version 21.2R1-EVO and later versions; 21.3 versions prior to 21.3R3-EVO; 21.4 versions prior to 21.4R1-S1-EVO, 21.4R2-EVO. This issue does not affect: Juniper Networks Junos OS versions prior to 21.1. Juniper Networks Junos OS Evolved versions prior to 21.1-EVO. | |||||
| CVE-2021-3801 | 1 Prismjs | 1 Prism | 2022-07-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| prism is vulnerable to Inefficient Regular Expression Complexity | |||||
| CVE-2021-21792 | 1 Iobit | 1 Advanced Systemcare Ultimate | 2022-07-29 | 2.1 LOW | 5.5 MEDIUM |
| An information disclosure vulnerability exists in the the way IOBit Advanced SystemCare Ultimate 14.2.0.220 driver handles Privileged I/O read requests. A specially crafted I/O request packet (IRP) can lead to privileged reads in the context of a driver which can result in sensitive information disclosure from the kernel. The IN instruction can read four bytes from the given I/O device, potentially leaking sensitive device data to unprivileged users. | |||||
| CVE-2021-21791 | 1 Iobit | 1 Advanced Systemcare Ultimate | 2022-07-29 | 2.1 LOW | 5.5 MEDIUM |
| An information disclosure vulnerability exists in the the way IOBit Advanced SystemCare Ultimate 14.2.0.220 driver handles Privileged I/O read requests. A specially crafted I/O request packet (IRP) can lead to privileged reads in the context of a driver which can result in sensitive information disclosure from the kernel. The IN instruction can read two bytes from the given I/O device, potentially leaking sensitive device data to unprivileged users. | |||||
| CVE-2021-21790 | 1 Iobit | 1 Advanced Systemcare Ultimate | 2022-07-29 | 2.1 LOW | 5.5 MEDIUM |
| An information disclosure vulnerability exists in the the way IOBit Advanced SystemCare Ultimate 14.2.0.220 driver handles Privileged I/O read requests. A specially crafted I/O request packet (IRP) can lead to privileged reads in the context of a driver which can result in sensitive information disclosure from the kernel. The IN instruction can read two bytes from the given I/O device, potentially leaking sensitive device data to unprivileged users. | |||||
| CVE-2021-21785 | 1 Iobit | 1 Advanced Systemcare Ultimate | 2022-07-29 | 2.1 LOW | 5.5 MEDIUM |
| An information disclosure vulnerability exists in the IOCTL 0x9c40a148 handling of IOBit Advanced SystemCare Ultimate 14.2.0.220. A specially crafted I/O request packet (IRP) can lead to a disclosure of sensitive information. An attacker can send a malicious IRP to trigger this vulnerability. | |||||
| CVE-2021-24845 | 1 Improved Include Page Project | 1 Improved Include Page | 2022-07-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Improved Include Page WordPress plugin through 1.2 allows passing shortcode attributes with post_type & post_status which can be used to retrieve arbitrary content. This way, users with a role as low as Contributor can gain access to content they are not supposed to. | |||||
| CVE-2021-24405 | 1 Izsoft | 1 Easy Cookies Policy | 2022-07-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Easy Cookies Policy WordPress plugin through 1.6.2 is lacking any capability and CSRF check when saving its settings, allowing any authenticated users (such as subscriber) to change them. If users can't register, this can be done through CSRF. Furthermore, the cookie banner setting is not sanitised or validated before being output in all pages of the frontend and the backend settings one, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24661 | 1 Wpxpo | 1 Postx - Gutenberg Blocks For Post Grid | 2022-07-28 | 3.5 LOW | 4.3 MEDIUM |
| The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10, with Saved Templates Addon enabled, allows users with Contributor roles or higher to read password-protected or private post contents the user is otherwise unable to read, given the post ID. | |||||
| CVE-2022-31150 | 1 Nodejs | 1 Undici | 2022-07-26 | N/A | 6.5 MEDIUM |
| undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue. | |||||
| CVE-2020-28500 | 2 Lodash, Oracle | 16 Lodash, Banking Corporate Lending Process Management, Banking Credit Facilities Process Management and 13 more | 2022-07-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. | |||||
| CVE-2020-17521 | 3 Apache, Netapp, Oracle | 20 Atlas, Groovy, Snapcenter and 17 more | 2022-07-25 | 2.1 LOW | 5.5 MEDIUM |
| Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2. | |||||
| CVE-2021-36373 | 2 Apache, Oracle | 32 Ant, Agile Plm, Banking Trade Finance and 29 more | 2022-07-25 | 4.3 MEDIUM | 5.5 MEDIUM |
| When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected. | |||||
| CVE-2020-25659 | 2 Oracle, Python-cryptography Project | 2 Communications Cloud Native Core Network Function Cloud Native Environment, Python-cryptography | 2022-07-25 | 4.3 MEDIUM | 5.9 MEDIUM |
| python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. | |||||
| CVE-2021-36374 | 2 Apache, Oracle | 33 Ant, Agile Plm, Banking Trade Finance and 30 more | 2022-07-25 | 4.3 MEDIUM | 5.5 MEDIUM |
| When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected. | |||||
| CVE-2021-29799 | 1 Ibm | 1 Engineering Requirements Quality Assistant On-premises | 2022-07-25 | N/A | 6.5 MEDIUM |
| IBM Engineering Requirements Quality Assistant On-Premises (All versions) could allow an authenticated user to obtain sensitive information due to improper client side validation. IBM X-Force ID: 203738. | |||||
| CVE-2020-10930 | 1 Netgear | 2 R6700, R6700 Firmware | 2022-07-25 | 3.3 LOW | 6.5 MEDIUM |
| This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of URLs. The issue results from the lack of proper routing of URLs. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-9618. | |||||
| CVE-2020-1765 | 3 Debian, Opensuse, Otrs | 4 Debian Linux, Backports Sle, Leap and 1 more | 2022-07-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions. | |||||
| CVE-2020-1690 | 1 Redhat | 2 Openstack-selinux, Openstack Platform | 2022-07-25 | 4.9 MEDIUM | 6.5 MEDIUM |
| An improper authorization flaw was discovered in openstack-selinux's applied policy where it does not prevent a non-root user in a container from privilege escalation. A non-root attacker in one or more Red Hat OpenStack (RHOSP) containers could send messages to the dbus. With access to the dbus, the attacker could start or stop services, possibly causing a denial of service. Versions before openstack-selinux 0.8.24 are affected. | |||||
| CVE-2020-14388 | 1 Redhat | 1 3scale Api Management | 2022-07-25 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw was found in the Red Hat 3scale API Management Platform, where member permissions for an API's admin portal were not properly enforced. This flaw allows an authenticated user to bypass normal account restrictions and access API services where they do not have permission. | |||||
| CVE-2020-14340 | 2 Oracle, Redhat | 14 Communications Cloud Native Core Console, Communications Cloud Native Core Network Repository Function, Communications Cloud Native Core Policy and 11 more | 2022-07-25 | 4.3 MEDIUM | 5.9 MEDIUM |
| A vulnerability was discovered in XNIO where file descriptor leak caused by growing amounts of NIO Selector file handles between garbage collection cycles. It may allow the attacker to cause a denial of service. It affects XNIO versions 3.6.0.Beta1 through 3.8.1.Final. | |||||
| CVE-2020-14312 | 1 Fedoraproject | 1 Fedora | 2022-07-25 | 4.3 MEDIUM | 5.9 MEDIUM |
| A flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems. | |||||
| CVE-2021-3049 | 1 Paloaltonetworks | 1 Cortex Xsoar | 2022-07-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| An improper authorization vulnerability in the Palo Alto Networks Cortex XSOAR server enables an authenticated network-based attacker with investigation read permissions to download files from incident investigations of which they are aware but are not a part of. This issue impacts: All Cortex XSOAR 5.5.0 builds; Cortex XSOAR 6.1.0 builds earlier than 12099345. This issue does not impact Cortex XSOAR 6.2.0 versions. | |||||
| CVE-2021-25433 | 1 Linux | 1 Tizen | 2022-07-25 | 4.9 MEDIUM | 5.5 MEDIUM |
| Improper authorization vulnerability in Tizen factory reset policy prior to Firmware update JUL-2021 Release allows untrusted applications to perform factory reset using dbus signal. | |||||
| CVE-2021-25507 | 1 Samsung | 1 Samsung Flow | 2022-07-25 | 2.7 LOW | 5.7 MEDIUM |
| Improper authorization vulnerability in Samsung Flow mobile application prior to 4.8.03.5 allows Samsung Flow PC application connected with user device to access part of notification data in Secure Folder without authorization. | |||||
| CVE-2021-43792 | 1 Discourse | 1 Discourse | 2022-07-25 | 3.5 LOW | 4.3 MEDIUM |
| Discourse is an open source discussion platform. In affected versions a vulnerability affects users of tag groups who use the "Tags are visible only to the following groups" feature. A tag group may only allow a certain group (e.g. staff) to view certain tags. Users who were tracking or watching the tags via /preferences/tags, then have their staff status revoked will still see notifications related to the tag, but will not see the tag on each topic. This issue has been patched in stable version 2.7.11. Users are advised to upgrade as soon as possible. | |||||
| CVE-2022-30973 | 1 Apache | 1 Tika | 2022-07-22 | 2.6 LOW | 5.5 MEDIUM |
| We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3. | |||||
| CVE-2022-22023 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2022-07-16 | 6.9 MEDIUM | 6.6 MEDIUM |
| Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability. | |||||
| CVE-2021-25431 | 2 Google, Samsung | 2 Android, Cameralyzer | 2022-07-14 | 2.1 LOW | 5.5 MEDIUM |
| Improper access control vulnerability in Cameralyzer prior to versions 3.2.1041 in 3.2.x, 3.3.1040 in 3.3.x, and 3.4.4210 in 3.4.x allows untrusted applications to access some functions of Cameralyzer. | |||||
| CVE-2021-28164 | 3 Eclipse, Netapp, Oracle | 17 Jetty, Cloud Manager, E-series Performance Analyzer and 14 more | 2022-07-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. | |||||
| CVE-2021-25405 | 1 Samsung | 1 Notes | 2022-07-14 | 2.1 LOW | 5.5 MEDIUM |
| An improper access control vulnerability in ScreenOffActivity in Samsung Notes prior to version 4.2.04.27 allows untrusted applications to access local files. | |||||
| CVE-2021-25369 | 1 Google | 1 Android | 2022-07-14 | 2.1 LOW | 5.5 MEDIUM |
| An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace. | |||||
| CVE-2021-22128 | 1 Fortinet | 1 Fortiproxy | 2022-07-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| An improper access control vulnerability in FortiProxy SSL VPN portal 2.0.0, 1.2.9 and below versions may allow an authenticated, remote attacker to access internal service such as the ZebOS Shell on the FortiProxy appliance through the Quick Connection functionality. | |||||
| CVE-2021-38502 | 2 Debian, Mozilla | 2 Debian Linux, Thunderbird | 2022-07-12 | 4.3 MEDIUM | 5.9 MEDIUM |
| Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2. | |||||