Total
392 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-29165 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 9.3 HIGH | 10.0 CRITICAL |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled. In a default Argo CD installation, anonymous access is disabled. The vulnerability can be exploited to impersonate as any user or role, including the built-in `admin` account regardless of whether it is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this. If anonymous access to the instance is enabled, an attacker can escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. This will allow the attacker to create, manipulate and delete any resource on the cluster. They may also exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. As a workaround, one may disable anonymous access, but upgrading to a patched version is preferable. | |||||
| CVE-2022-26910 | 1 Microsoft | 1 Skype For Business Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Skype for Business and Lync Spoofing Vulnerability | |||||
| CVE-2022-26505 | 2 Debian, Readymedia Project | 2 Debian Linux, Readymedia | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
| A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files. | |||||
| CVE-2022-25989 | 1 Anker | 2 Eufy Homebase 2, Eufy Homebase 2 Firmware | 2024-11-21 | 5.8 MEDIUM | 8.8 HIGH |
| An authentication bypass vulnerability exists in the libxm_av.so getpeermac() functionality of Anker Eufy Homebase 2 2.1.8.5h. A specially-crafted DHCP packet can lead to authentication bypass. An attacker can DHCP poison to trigger this vulnerability. | |||||
| CVE-2022-24858 | 1 Nextauth.js | 1 Next-auth | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`. | |||||
| CVE-2022-23949 | 1 Keylime | 1 Keylime | 2024-11-21 | N/A | 7.5 HIGH |
| In Keylime before 6.3.0, unsanitized UUIDs can be passed by a rogue agent and can lead to log spoofing on the verifier and registrar. | |||||
| CVE-2022-22476 | 1 Ibm | 2 Open Liberty, Websphere Application Server | 2024-11-21 | 6.0 MEDIUM | 8.8 HIGH |
| IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request. IBM X-Force ID: 225604. | |||||
| CVE-2022-21142 | 1 Appleple | 1 A-blog Cms | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| Authentication bypass vulnerability in a-blog cms Ver.2.8.x series versions prior to Ver.2.8.74, Ver.2.9.x series versions prior to Ver.2.9.39, Ver.2.10.x series versions prior to Ver.2.10.43, and Ver.2.11.x series versions prior to Ver.2.11.41 allows a remote unauthenticated attacker to bypass authentication under the specific condition. | |||||
| CVE-2022-1495 | 1 Google | 2 Android, Chrome | 2024-11-21 | N/A | 4.3 MEDIUM |
| Incorrect security UI in Downloads in Google Chrome on Android prior to 101.0.4951.41 allowed a remote attacker to spoof the APK downloads dialog via a crafted HTML page. | |||||
| CVE-2022-1307 | 1 Google | 2 Android, Chrome | 2024-11-21 | N/A | 4.3 MEDIUM |
| Inappropriate implementation in full screen in Google Chrome on Android prior to 100.0.4896.88 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2022-1306 | 1 Google | 1 Chrome | 2024-11-21 | N/A | 4.3 MEDIUM |
| Inappropriate implementation in compositing in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2022-1129 | 1 Google | 2 Android, Chrome | 2024-11-21 | N/A | 6.5 MEDIUM |
| Inappropriate implementation in Full Screen Mode in Google Chrome on Android prior to 100.0.4896.60 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2022-0030 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | N/A | 8.1 HIGH |
| An authentication bypass vulnerability in the Palo Alto Networks PAN-OS 8.1 web interface allows a network-based attacker with specific knowledge of the target firewall or Panorama appliance to impersonate an existing PAN-OS administrator and perform privileged actions. | |||||
| CVE-2021-45036 | 1 Velneo | 1 Vclient | 2024-11-21 | N/A | 8.7 HIGH |
| Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server. | |||||
| CVE-2021-43807 | 1 Apereo | 1 Opencast | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast versions prior to 9.10 allow HTTP method spoofing, allowing to change the assumed HTTP method via URL parameter. This allows attackers to turn HTTP GET requests into PUT requests or an HTTP form to send DELETE requests. This bypasses restrictions otherwise put on these types of requests and aids in cross-site request forgery (CSRF) attacks, which would otherwise not be possible. The vulnerability allows attackers to craft links or forms which may change the server state. This issue is fixed in Opencast 9.10 and 10.0. You can mitigate the problem by setting the `SameSite=Strict` attribute for your cookies. If this is a viable option for you depends on your integrations. We strongly recommend updating in any case. | |||||
| CVE-2021-43310 | 1 Keylime | 1 Keylime | 2024-11-21 | N/A | 9.8 CRITICAL |
| A vulnerability in Keylime before 6.3.0 allows an attacker to craft a request to the agent that resets the U and V keys as if the agent were being re-added to a verifier. This could lead to a remote code execution. | |||||
| CVE-2021-43220 | 1 Microsoft | 1 Edge Ios | 2024-11-21 | 5.0 MEDIUM | 3.1 LOW |
| Microsoft Edge for iOS Spoofing Vulnerability | |||||
| CVE-2021-42320 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Server | 2024-11-21 | 3.5 LOW | 8.0 HIGH |
| Microsoft SharePoint Server Spoofing Vulnerability | |||||
| CVE-2021-42308 | 1 Microsoft | 1 Edge Chromium | 2024-11-21 | 5.0 MEDIUM | 3.1 LOW |
| Microsoft Edge (Chromium-based) Spoofing Vulnerability | |||||
| CVE-2021-41753 | 1 Dlink | 4 Dir-x1560, Dir-x1560 Firmware, Dir-x6060 and 1 more | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| A denial-of-service attack in WPA2, and WPA3-SAE authentication methods in D-Link DIR-X1560, v1.04B04, and DIR-X6060, v1.11B04 allows a remote unauthenticated attacker to disconnect a wireless client via sending specific spoofed SAE authentication frames. | |||||