Total
415 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-18467 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| cPanel before 62.0.17 allows access to restricted resources because of a URL filtering error (SEC-229). | |||||
| CVE-2017-18462 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| cPanel before 62.0.17 allows a CPHulk one-day ban bypass when IP based protection is enabled (SEC-224). | |||||
| CVE-2017-18445 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| cPanel before 64.0.21 does not enforce demo restrictions for SSL API calls (SEC-249). | |||||
| CVE-2017-18429 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 2.1 LOW | 3.3 LOW |
| In cPanel before 66.0.2, Apache HTTP Server SSL domain logs can persist on disk after an account termination (SEC-291). | |||||
| CVE-2017-13718 | 1 Starry | 2 S00111, S00111 Firmware | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH |
| The HTTP API supported by Starry Station (aka Starry Router) allows brute forcing the PIN setup by the user on the device, and this allows an attacker to change the Wi-Fi settings and PIN, as well as port forward and expose any internal device's port to the Internet. It was identified that the device uses custom Python code called "rodman" that allows the mobile appication to interact with the device. The APIs that are a part of this rodman Python file allow the mobile application to interact with the device using a secret, which is a uuid4 based session identifier generated by the device the first time it is set up. However, in some cases, these APIs can also use a security code. This security code is nothing but the PIN number set by the user to interact with the device when using the touch interface on the router. This allows an attacker on the Internet to interact with the router's HTTP interface when a user navigates to the attacker's website, and brute force the credentials. Also, since the device's server sets the Access-Control-Allow-Origin header to "*", an attacker can easily interact with the JSON payload returned by the device and steal sensitive information about the device. | |||||
| CVE-2017-11579 | 1 Blipcare | 2 Wi-fi Blood Pressure Monitor, Wi-fi Blood Pressure Monitor Firmware | 2024-11-21 | 4.8 MEDIUM | 7.1 HIGH |
| In the most recent firmware for Blipcare, the device provides an open Wireless network called "Blip" for communicating with the device. The user connects to this open Wireless network and uses the web management interface of the device to provide the user's Wi-Fi credentials so that the device can connect to it and have Internet access. This device acts as a Wireless Blood pressure monitor and is used to measure blood pressure levels of a person. This allows an attacker who is in vicinity of Wireless signal generated by the Blipcare device to easily sniff the credentials. Also, an attacker can connect to the open wireless network "Blip" exposed by the device and modify the HTTP response presented to the user by the device to execute other attacks such as convincing the user to download and execute a malicious binary that would infect a user's computer or mobile device with malware. | |||||
| CVE-2016-9900 | 3 Debian, Mozilla, Redhat | 10 Debian Linux, Firefox, Firefox Esr and 7 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| External resources that should be blocked when loaded by SVG images can bypass security restrictions through the use of "data:" URLs. This could allow for cross-domain data leakage. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. | |||||
| CVE-2016-9895 | 3 Debian, Mozilla, Redhat | 10 Debian Linux, Firefox, Firefox Esr and 7 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Event handlers on "marquee" elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. | |||||
| CVE-2016-9568 | 1 Carbonblack | 1 Carbon Black | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| A security design issue can allow an unprivileged user to interact with the Carbon Black Sensor and perform unauthorized actions. | |||||
| CVE-2016-9072 | 2 Microsoft, Mozilla | 2 Windows, Firefox | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| When a new Firefox profile is created on 64-bit Windows installations, the sandbox for 64-bit NPAPI plugins is not enabled by default. Note: This issue only affects 64-bit Windows. 32-bit Windows and other operating systems are unaffected. This vulnerability affects Firefox < 50. | |||||
| CVE-2016-9071 | 1 Mozilla | 1 Firefox | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Content Security Policy combined with HTTP to HTTPS redirection can be used by malicious server to verify whether a known site is within a user's browser history. This vulnerability affects Firefox < 50. | |||||
| CVE-2016-8615 | 1 Haxx | 1 Curl | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar. | |||||
| CVE-2016-4642 | 1 Apple | 3 Apple Tv, Iphone Os, Mac Os | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, proxy authentication incorrectly reported HTTP proxies received credentials securely. This issue was addressed through improved warnings. | |||||
| CVE-2016-1585 | 1 Canonical | 1 Apparmor | 2024-11-21 | 7.5 HIGH | 3.9 LOW |
| In all versions of AppArmor mount rules are accidentally widened when compiled. | |||||
| CVE-2016-10933 | 1 Portaudio Project | 1 Portaudio | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in the portaudio crate through 0.7.0 for Rust. There is a man-in-the-middle issue because the source code is downloaded over cleartext HTTP. | |||||
| CVE-2016-10932 | 2 Hyper, Microsoft | 2 Hyper, Windows | 2024-11-21 | 5.8 MEDIUM | 4.8 MEDIUM |
| An issue was discovered in the hyper crate before 0.9.4 for Rust on Windows. There is an HTTPS man-in-the-middle vulnerability because hostname verification was omitted. | |||||
| CVE-2016-10894 | 2 Debian, Xtrlock Project | 2 Debian Linux, Xtrlock | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| xtrlock through 2.10 does not block multitouch events. Consequently, an attacker at a locked screen can send input to (and thus control) various programs such as Chromium via events such as pan scrolling, "pinch and zoom" gestures, or even regular mouse clicks (by depressing the touchpad once and then clicking with a different finger). | |||||
| CVE-2016-10772 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 2.1 LOW | 3.3 LOW |
| cPanel before 60.0.25 does not enforce feature-list restrictions when calling the multilang adminbin (SEC-168). | |||||
| CVE-2016-10746 | 2 Debian, Redhat | 2 Debian Linux, Libvirt | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| libvirt-domain.c in libvirt before 1.3.1 supports virDomainGetTime API calls by guest agents with an RO connection, even though an RW connection was supposed to be required, a different vulnerability than CVE-2019-3886. | |||||
| CVE-2016-10717 | 1 Malwarebytes | 1 Malwarebytes Anti-malware | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| A vulnerability in the encryption and permission implementation of Malwarebytes Anti-Malware consumer version 2.2.1 and prior (fixed in 3.0.4) allows an attacker to take control of the whitelisting feature (exclusions.dat under %SYSTEMDRIVE%\ProgramData) to permit execution of unauthorized applications including malware and malicious websites. Files blacklisted by Malwarebytes Malware Protect can be executed, and domains blacklisted by Malwarebytes Web Protect can be reached through HTTP. | |||||