| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| In HP ThinPro Linux 6.2, 6.2.1, 7.0 and 7.1, an attacker may be able to leverage the application filter bypass vulnerability to gain privileged access to create a file on the local file system whose presence puts the device in Administrative Mode, which will allow the attacker to executed commands with elevated privileges. |
| An attacker may be able to bypass the OS application filter meant to restrict applications that can be executed by changing browser preferences to launch a separate process that in turn can execute arbitrary commands. |
| If a local user has been configured and logged in, an unauthenticated attacker with physical access may be able to extract sensitive information onto a local drive. |
| A potential security vulnerability has been identified in multiple HP products and versions which involves possible execution of arbitrary code during boot services that can result in elevation of privilege. The EFI_BOOT_SERVICES structure might be overwritten by an attacker to execute arbitrary SMM (System Management Mode) code. A list of affected products and versions are available in https://support.hp.com/rs-en/document/c06456250. |
| In NCH Express Invoice v7.12, persistent cross site scripting (XSS) exists via the Invoices/Items/Customers/Quotes input field. An authenticated unprivileged user can add/modify the Invoices/Items/Customers fields parameter to inject arbitrary JavaScript. |
| Ptarmigan before 0.2.3 lacks API token validation, e.g., an "if (token === apiToken) {return true;} return false;" code block. |
| A memory error in the function SSL_accept in nostromo nhttpd through 1.9.6 allows an attacker to trigger a denial of service via a crafted HTTP request. |
| PicoC 2.1 has a heap-based buffer overflow in StringStrcpy in cstdlib/string.c when called from ExpressionParseFunctionCall in expression.c. |
| Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. |
| hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication of disconnection in certain situations because source address validation is mishandled. This is a denial of service that should have been prevented by PMF (aka management frame protection). The attacker must send a crafted 802.11 frame from a location that is within the 802.11 communications range. |
| DTEN D5 before 1.3 and D7 before 1.3 devices transfer customer data files via unencrypted HTTP. |
| DTEN D5 and D7 before 1.3.4 devices allow unauthenticated root shell access through Android Debug Bridge (adb), leading to arbitrary code execution and system administration. Also, this provides a covert ability to capture screen data from the Zoom Client on Windows by executing commands on the Android OS. |
| On DTEN D5 and D7 before 1.3.4 devices, factory settings allows for firmware reflash and Android Debug Bridge (adb) enablement. |
| DTEN D5 and D7 before 1.3.2 devices allows remote attackers to read saved whiteboard image PDF documents via storage/emulated/0/Notes/PDF on TCP port 8080 without authentication. |
| Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen. |
| CODESYS V2.3 ENI server up to V3.2.2.24 has a Buffer Overflow. |
| In Escuela de Gestion Publica Plurinacional (EGPP) Sistema Integrado de Gestion Academica (GESAC) v1, the username parameter of the authentication form is vulnerable to SQL injection, allowing attackers to access the database. |
| The Twitter Kit framework through 3.4.2 for iOS does not properly validate the api.twitter.com SSL certificate. Although the certificate chain must contain one of a set of pinned certificates, there are certain implementation errors such as a lack of hostname verification. NOTE: this is an end-of-life product. |
| The bootloader of the homee Brain Cube V2 through 2.23.0 allows attackers with physical access to gain root access by manipulating the U-Boot environment via the CLI after connecting to the internal UART interface. |
| Some Motorola devices include the SIMalliance Toolbox Browser (aka S@T Browser) on the UICC, which might allow remote attackers to retrieve location and IMEI information, or retrieve other data or execute certain commands, via SIM Toolkit (STK) instructions in an SMS message, aka Simjacker. |
