Total
433 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-4031 | 1 Syltek | 1 Syltek | 2024-09-16 | 7.5 High |
| Syltek application before its 10.22.00 version, does not correctly check that a product ID has a valid payment associated to it. This could allow an attacker to forge a request and bypass the payment system by marking items as payed without any verification. | ||||
| CVE-2019-1866 | 1 Cisco | 1 Webex Business Suite 39 | 2024-09-16 | 3.1 Low |
| Cisco Webex Business Suite before 39.1.0 contains a vulnerability that could allow an unauthenticated, remote attacker to affect the integrity of the application. The vulnerability is due to improper validation of host header values. An attacker with a privileged network position, either a man-in-the-middle or by intercepting wireless network traffic, could exploit this vulnerability to manipulate header values sent by a client to the affected application. The attacker could cause the application to use input from the header to redirect a user from the Cisco Webex Meetings Online site to an arbitrary site of the attacker's choosing. | ||||
| CVE-2017-11379 | 1 Trendmicro | 1 Deep Discovery Director | 2024-09-16 | N/A |
| Configuration and database backup archives are not signed or validated in Trend Micro Deep Discovery Director 1.1. | ||||
| CVE-2022-34763 | 1 Schneider-electric | 4 Opc Ua Module For M580, Opc Ua Module For M580 Firmware, X80 Advanced Rtu Module and 1 more | 2024-09-16 | 5.9 Medium |
| A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists that could cause loading of unauthorized firmware images due to improper verification of the firmware signature. Affected Products: X80 advanced RTU Communication Module (BMENOR2200H) (V2.01 and later), OPC UA Modicon Communication Module (BMENUA0100) (V1.10 and prior) | ||||
| CVE-2022-31801 | 2 Phoenixcontact, Phoenixcontact-software | 3 Multiprog, Proconos, Proconos Eclr | 2024-09-16 | 9.8 Critical |
| An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCLR in order to gain full control over the device. | ||||
| CVE-2022-28757 | 1 Zoom | 1 Meetings | 2024-09-16 | 8.8 High |
| The Zoom Client for Meetings for macOS (Standard and for IT Admin) starting with version 5.7.3 and before 5.11.6 contains a vulnerability in the auto update process. A local low-privileged user could exploit this vulnerability to escalate their privileges to root. | ||||
| CVE-2018-15801 | 1 Vmware | 1 Spring Framework | 2024-09-16 | 7.4 High |
| Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWTs. In that case, a malicious user could fashion signed JWTs with the malicious issuer URL that may be granted for the honest issuer. | ||||
| CVE-2015-9232 | 1 Good | 1 Good For Enterprise | 2024-09-16 | N/A |
| The Good for Enterprise application 3.0.0.415 for Android does not use signature protection for its Authentication Delegation API intent. Also, the Good Dynamic application activation process does not attempt to detect malicious activation attempts involving modified names beginning with a com.good.gdgma substring. Consequently, an attacker could obtain access to intranet data. This issue is only relevant in cases where the user has already downloaded a malicious Android application. | ||||
| CVE-2023-43666 | 1 Apache | 1 Inlong | 2024-09-16 | 6.5 Medium |
| Insufficient Verification of Data Authenticity vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0, General user can view all user data like Admin account. Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8623 | ||||
| CVE-2020-10137 | 1 Silabs | 2 700 Series Firmware, Uzb-7 | 2024-09-16 | 6.5 Medium |
| Z-Wave devices based on Silicon Labs 700 series chipsets using S2 do not adequately authenticate or encrypt FIND_NODE_IN_RANGE frames, allowing a remote, unauthenticated attacker to inject a FIND_NODE_IN_RANGE frame with an invalid random payload, denying service by blocking the processing of upcoming events. | ||||
| CVE-2019-6475 | 1 Isc | 1 Bind | 2024-09-16 | 5.9 Medium |
| Mirror zones are a BIND feature allowing recursive servers to pre-cache zone data provided by other servers. A mirror zone is similar to a zone of type secondary, except that its data is subject to DNSSEC validation before being used in answers, as if it had been looked up via traditional recursion, and when mirror zone data cannot be validated, BIND falls back to using traditional recursion instead of the mirror zone. However, an error in the validity checks for the incoming zone data can allow an on-path attacker to replace zone data that was validated with a configured trust anchor with forged data of the attacker's choosing. The mirror zone feature is most often used to serve a local copy of the root zone. If an attacker was able to insert themselves into the network path between a recursive server using a mirror zone and a root name server, this vulnerability could then be used to cause the recursive server to accept a copy of falsified root zone data. This affects BIND versions 9.14.0 up to 9.14.6, and 9.15.0 up to 9.15.4. | ||||
| CVE-2023-6236 | 1 Redhat | 2 Jboss Enterprise Application Platform, Jbosseapxp | 2024-09-16 | 7.3 High |
| A flaw was found in Red Hat Enterprise Application Platform 8. When an OIDC app that serves multiple tenants attempts to access the second tenant, it should prompt the user to log in again since the second tenant is secured with a different OIDC configuration. The underlying issue is in OidcSessionTokenStore when determining if a cached token should be used or not. This logic needs to be updated to take into account the new "provider-url" option in addition to the "realm" option. EAP-7 does not provide the vulnerable provider-url configuration option in its OIDC implementation and is not affected by this flaw. | ||||
| CVE-2017-1773 | 1 Ibm | 1 Datapower Gateway | 2024-09-16 | N/A |
| IBM DataPower Gateways 7.1, 7,2, 7.5, and 7.6 could allow an attacker using man-in-the-middle techniques to spoof DNS responses to perform DNS cache poisoning and redirect Internet traffic. IBM X-Force ID: 136817. | ||||
| CVE-2021-34572 | 1 Enbra | 1 Ewm | 2024-09-16 | 6.5 Medium |
| Enbra EWM 1.7.29 does not check for or detect replay attacks sent by wireless M-Bus Security mode 5 devices. Instead timestamps of the sensor are replaced by the time of the readout even if the data is a replay of earlier data. | ||||
| CVE-2016-3983 | 1 Mcafee | 1 Advanced Threat Defense | 2024-09-16 | N/A |
| McAfee Advanced Threat Defense (ATD) before 3.4.8.178 might allow remote attackers to bypass malware detection by leveraging information about the parent process. | ||||
| CVE-2018-10626 | 1 Medtronic | 4 Mycarelink 24950 Patient Monitor, Mycarelink 24950 Patient Monitor Firmware, Mycarelink 24952 Patient Monitor and 1 more | 2024-09-16 | N/A |
| A vulnerability was discovered in all versions of Medtronic MyCareLink 24950 and 24952 Patient Monitor. The affected product's update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data to the Medtronic CareLink network. | ||||
| CVE-2022-26516 | 1 Redlion | 2 Da50n, Da50n Firmware | 2024-09-16 | 8.4 High |
| Authorized users may install a maliciously modified package file when updating the device via the web user interface. The user may inadvertently use a package file obtained from an unauthorized source or a file that was compromised between download and deployment. | ||||
| CVE-2022-31800 | 1 Phoenixcontact | 34 Axc 1050, Axc 1050 Firmware, Axc 1050 Xc and 31 more | 2024-09-16 | 9.8 Critical |
| An unauthenticated, remote attacker could upload malicious logic to devices based on ProConOS/ProConOS eCLR in order to gain full control over the device. | ||||
| CVE-2020-3220 | 1 Cisco | 1 Ios Xe | 2024-09-16 | 6.8 Medium |
| A vulnerability in the hardware crypto driver of Cisco IOS XE Software for Cisco 4300 Series Integrated Services Routers and Cisco Catalyst 9800-L Wireless Controllers could allow an unauthenticated, remote attacker to disconnect legitimate IPsec VPN sessions to an affected device. The vulnerability is due to insufficient verification of authenticity of received Encapsulating Security Payload (ESP) packets. An attacker could exploit this vulnerability by tampering with ESP cleartext values as a man-in-the-middle. | ||||
| CVE-2020-16122 | 2 Canonical, Packagekit Project | 2 Ubuntu Linux, Packagekit | 2024-09-16 | 8.2 High |
| PackageKit's apt backend mistakenly treated all local debs as trusted. The apt security model is based on repository trust and not on the contents of individual files. On sites with configured PolicyKit rules this may allow users to install malicious packages. | ||||