| CVE | Vendors | Products | Updated | CVSS v3.1 |
| If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7. |
| A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application, causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions; and Apache Wicket 6.x version 6.2.0 and later versions. |
| OX App Suite through 7.10.4 allows XSS via the subject of a task. |
| OX App Suite through 7.10.4 allows XSS via an appointment in which the location contains JavaScript code. |
| OX App Suite through 7.10.4 allows XSS via a contact whose name contains JavaScript code. |
| OX App Suite through 7.10.4 allows XSS via JavaScript in a Note referenced by a mail:// URL. |
| OX App Suite through 7.10.4 allows XSS via an inline image with a crafted filename. |
| OX App Suite through 7.10.4 allows XSS via an inline binary file. |
| OX App Suite through 7.10.4 allows XSS via use of the conversion API for a distributedFile. |
| OX App Suite through 7.10.4 allows XSS via a crafted Content-Disposition header in an uploaded HTML document to an ajax/share/<share-token>?delivery=view URI. |
| OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifests query string. |
| OX App Suite through 7.10.4 allows SSRF via a URL with an @ character in an appsuite/api/oauth/proxy PUT request. |
| An issue was discovered in Devolutions Server before 2020.3. There is a cross-site scripting (XSS) vulnerability in entries of type Document. |
| An issue was discovered in Devolutions Server before 2020.3. There is an exposure of sensitive information in diagnostic files. |
| An issue was discovered in Devolutions Server before 2020.3. There is Broken Authentication with Windows domain users. |
| An issue was discovered in Devolutions Remote Desktop Manager before 2020.2.12. There is a cross-site scripting (XSS) vulnerability in webviews. |
| An issue was discovered in Devolutions Server before 2020.3. There is broken access control on Password List entry elements. |
| An issue was discovered in HERMES 2.1 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. There is an out-of-bounds array access in RemoteDiagnosisApp. |
| An issue was discovered in HERMES 2.1 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. The SH2 MCU allows remote code execution. |
| An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. A type confusion issue affects MultiSvSetAttributes in the HiQnet Protocol, leading to remote code execution. |