Total
392 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-25827 | 1 Emby | 1 Emby | 2024-11-21 | N/A | 9.8 CRITICAL |
| Emby Server < 4.7.12.0 is vulnerable to a login bypass attack by setting the X-Forwarded-For header to a local IP-address. | |||||
| CVE-2021-23984 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. | |||||
| CVE-2021-22890 | 8 Broadcom, Debian, Fedoraproject and 5 more | 11 Fabric Operating System, Debian Linux, Fedora and 8 more | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
| curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check. | |||||
| CVE-2021-22779 | 1 Schneider-electric | 61 Ecostruxure Control Expert, Ecostruxure Process Expert, Modicon M340 Bmxp341000 and 58 more | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Authentication Bypass by Spoofing vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Control Expert V15.0 SP1, EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), SCADAPack RemoteConnect for x70 (all versions), Modicon M580 CPU (all versions - part numbers BMEP* and BMEH*), Modicon M340 CPU (all versions - part numbers BMXP34*), that could cause unauthorized access in read and write mode to the controller by spoofing the Modbus communication between the engineering software and the controller. | |||||
| CVE-2021-21492 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| SAP NetWeaver Application Server Java(HTTP Service), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate logon group in URLs, resulting in a content spoofing vulnerability when directory listing is enabled. | |||||
| CVE-2021-21310 | 1 Nextauth.js | 1 Next-auth | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. In next-auth before version 3.3.0 there is a token verification vulnerability. Implementations using the Prisma database adapter in conjunction with the Email provider are impacted. Implementations using the Email provider with the default database adapter are not impacted. Implementations using the Prisma database adapter but not using the Email provider are not impacted. The Prisma database adapter was checking the verification token, but was not verifying the email address associated with that token. This made it possible to use a valid token to sign in as another user when using the Prima adapter in conjunction with the Email provider. This issue is specific to the community supported Prisma adapter. This issue is fixed in version 3.3.0. | |||||
| CVE-2021-21216 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in Autofill in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to spoof security UI via a crafted HTML page. | |||||
| CVE-2021-21215 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in Autofill in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to spoof security UI via a crafted HTML page. | |||||
| CVE-2021-21134 | 3 Apple, Google, Microsoft | 3 Iphone Os, Chrome, Edge Chromium | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Incorrect security UI in Page Info in Google Chrome on iOS prior to 88.0.4324.96 allowed a remote attacker to spoof security UI via a crafted HTML page. | |||||
| CVE-2021-20278 | 1 Kiali | 1 Kiali | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
| An authentication bypass vulnerability was found in Kiali in versions before 1.31.0 when the authentication strategy `OpenID` is used. When RBAC is enabled, Kiali assumes that some of the token validation is handled by the underlying cluster. When OpenID `implicit flow` is used with RBAC turned off, this token validation doesn't occur, and this allows a malicious user to bypass the authentication. | |||||
| CVE-2021-1677 | 1 Microsoft | 1 Azure Kubernetes Service | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| Azure Active Directory Pod Identity Spoofing Vulnerability | |||||
| CVE-2021-0232 | 2 Fedoraproject, Juniper | 2 Fedora, Paragon Active Assurance Control Center | 2024-11-21 | 5.8 MEDIUM | 7.4 HIGH |
| An authentication bypass vulnerability in the Juniper Networks Paragon Active Assurance Control Center may allow an attacker with specific information about the deployment to mimic an already registered Test Agent and access its configuration including associated inventory details. If the issue occurs, the affected Test Agent will not be able to connect to the Control Center. This issue affects Juniper Networks Paragon Active Assurance Control Center All versions prior to 2.35.6; 2.36 versions prior to 2.36.2. | |||||
| CVE-2020-7388 | 1 Sage | 3 Adxadmin, X3, X3 Hr \& Payroll | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
| Sage X3 Unauthenticated Remote Command Execution (RCE) as SYSTEM in AdxDSrv.exe component. By editing the client side authentication request, an attacker can bypass credential validation. While exploiting this does require knowledge of the installation path, that information can be learned by exploiting CVE-2020-7387. This issue was fixed in AdxAdmin 93.2.53, which ships with updates for on-premises versions of Sage X3 including Version 9 (components shipped with Syracuse 9.22.7.2 and later), Sage X3 HR & Payroll Version 9 (those components that ship with Syracuse 9.24.1.3), Version 11 (components shipped with Syracuse 11.25.2.6 and later), and Version 12 (components shipped with Syracuse 12.10.2.8 and later) of Sage X3. Other on-premises versions of Sage X3 are unsupported by the vendor. | |||||
| CVE-2020-7327 | 1 Mcafee | 1 Mvision Endpoint Detection And Response | 2024-11-21 | 4.6 MEDIUM | 6.0 MEDIUM |
| Improperly implemented security check in McAfee MVISION Endpoint Detection and Response Client (MVEDR) prior to 3.2.0 may allow local administrators to execute malicious code via stopping a core Windows service leaving McAfee core trust component in an inconsistent state resulting in MVEDR failing open rather than closed | |||||
| CVE-2020-7326 | 1 Mcafee | 1 Active Response | 2024-11-21 | 4.6 MEDIUM | 6.0 MEDIUM |
| Improperly implemented security check in McAfee Active Response (MAR) prior to 2.4.4 may allow local administrators to execute malicious code via stopping a core Windows service leaving McAfee core trust component in an inconsistent state resulting in MAR failing open rather than closed | |||||
| CVE-2020-6810 | 1 Mozilla | 1 Firefox | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| After a website had entered fullscreen mode, it could have used a previously opened popup to obscure the notification that indicates the browser is in fullscreen mode. Combined with spoofing the browser chrome, this could have led to confusing the user about the current origin of the page and credential theft or other attacks. This vulnerability affects Firefox < 74. | |||||
| CVE-2020-6808 | 1 Mozilla | 1 Firefox | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| When a JavaScript URL (javascript:) is evaluated and the result is a string, this string is parsed to create an HTML document, which is then presented. Previously, this document's URL (as reported by the document.location property, for example) was the originating javascript: URL which could lead to spoofing attacks; it is now correctly the URL of the originating document. This vulnerability affects Firefox < 74. | |||||
| CVE-2020-5415 | 1 Pivotal Software | 1 Concourse | 2024-11-21 | 6.4 MEDIUM | 10.0 CRITICAL |
| Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team. | |||||
| CVE-2020-4864 | 1 Ibm | 1 Resilient Security Orchestration Automation And Response | 2024-11-21 | 3.3 LOW | 4.3 MEDIUM |
| IBM Resilient SOAR V38.0 could allow an attacker on the internal net work to provide the server with a spoofed source IP address. IBM X-Force ID: 190567. | |||||
| CVE-2020-4421 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could allow an authenticated user using openidconnect to spoof another users identify. IBM X-Force ID: 180084. | |||||