Total
489 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-28228 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2025-01-14 | 5.5 Medium |
| Windows Spoofing Vulnerability | ||||
| CVE-2023-28226 | 1 Microsoft | 8 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 5 more | 2025-01-14 | 5.3 Medium |
| Windows Enroll Engine Security Feature Bypass Vulnerability | ||||
| CVE-2023-33185 | 1 Django-ses Project | 1 Django-ses | 2025-01-14 | 4.6 Medium |
| Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests are signed by AWS and are verified by django_ses, however the verification of this signature was found to be flawed as it allowed users to specify arbitrary public certificates. This issue was patched in version 3.5.0. | ||||
| CVE-2024-13172 | 2025-01-14 | 7.8 High | ||
| Improper signature verification in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required. | ||||
| CVE-2023-34205 | 1 Moov | 1 Signedxml | 2025-01-10 | 9.1 Critical |
| In Moov signedxml through 1.0.0, parsing the raw XML (as received) can result in different output than parsing the canonicalized XML. Thus, signature validation can be bypassed via a Signature Wrapping attack (aka XSW). | ||||
| CVE-2024-26228 | 1 Microsoft | 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more | 2025-01-08 | 7.8 High |
| Windows Cryptographic Services Security Feature Bypass Vulnerability | ||||
| CVE-2024-26194 | 1 Microsoft | 11 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 8 more | 2025-01-08 | 7.4 High |
| Secure Boot Security Feature Bypass Vulnerability | ||||
| CVE-2013-3900 | 1 Microsoft | 16 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 13 more | 2025-01-06 | 5.5 Medium |
| Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update the Security Updates table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11. While the format is different from the original CVE published in 2013, except for clarifications about how to configure the EnableCertPaddingCheck registry value, the information herein remains unchanged from the original text published on December 10, 2013, Microsoft does not plan to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. This behavior remains available as an opt-in feature via reg key setting, and is available on supported editions of Windows released since December 10, 2013. This includes all currently supported versions of Windows 10 and Windows 11. The supporting code for this reg key was incorporated at the time of release for Windows 10 and Windows 11, so no security update is required; however, the reg key must be set. See the Security Updates table for the list of affected software. Vulnerability Description A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of this vulnerability requires that a user or application run or install a specially crafted, signed PE file. An attacker could modify an... See more at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900 | ||||
| CVE-2024-21491 | 1 Svix | 1 Svix-webhooks | 2025-01-03 | 5.9 Medium |
| Versions of the package svix before 1.17.0 are vulnerable to Authentication Bypass due to an issue in the verify function where signatures of different lengths are incorrectly compared. An attacker can bypass signature verification by providing a shorter signature that matches the beginning of the actual signature. **Note:** The attacker would need to know a victim uses the Rust library for verification,no easy way to automatically check that; and uses webhooks by a service that uses Svix, and then figure out a way to craft a malicious payload that will actually include all of the correct identifiers needed to trick the receivers to cause actual issues. | ||||
| CVE-2023-28602 | 1 Zoom | 1 Zoom | 2025-01-02 | 2.8 Low |
| Zoom for Windows clients prior to 5.13.5 contain an improper verification of cryptographic signature vulnerability. A malicious user may potentially downgrade Zoom Client components to previous versions. | ||||
| CVE-2023-34120 | 2 Microsoft, Zoom | 2 Windows, Virtual Desktop Infrastructure | 2025-01-02 | 8.7 High |
| Improper privilege management in Zoom for Windows, Zoom Rooms for Windows, and Zoom VDI for Windows clients before 5.14.0 may allow an authenticated user to potentially enable an escalation of privilege via local access. Users may potentially utilize higher level system privileges maintained by the Zoom client to spawn processes with escalated privileges. | ||||
| CVE-2023-41764 | 1 Microsoft | 3 365 Apps, Office, Office Long Term Servicing Channel | 2025-01-01 | 5.5 Medium |
| Microsoft Office Spoofing Vulnerability | ||||
| CVE-2023-35373 | 1 Microsoft | 1 Mono | 2025-01-01 | 5.3 Medium |
| Mono Authenticode Validation Spoofing Vulnerability | ||||
| CVE-2024-38069 | 1 Microsoft | 12 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 9 more | 2024-12-31 | 7 High |
| Windows Enroll Engine Security Feature Bypass Vulnerability | ||||
| CVE-2024-21383 | 1 Microsoft | 1 Edge Chromium | 2024-12-31 | 3.3 Low |
| Microsoft Edge (Chromium-based) Spoofing Vulnerability | ||||
| CVE-2024-41145 | 2024-12-28 | 7.1 High | ||
| A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. A specially crafted library can leverage Teams's access privileges, leading to a permission bypass. A malicious application could inject a library and start the program to trigger this vulnerability and then make use of the vulnerable application's permissions. | ||||
| CVE-2024-48949 | 2 Indutny, Redhat | 7 Elliptic, Acm, Multicluster Engine and 4 more | 2024-12-27 | 9.1 Critical |
| The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation. | ||||
| CVE-2024-22461 | 2024-12-23 | 8.8 High | ||
| Dell RecoverPoint for Virtual Machines 6.0.x contains an OS Command injection vulnerability. A low privileged remote attacker could potentially exploit this vulnerability by running any command as root, leading to gaining of root-level access and compromise of complete system. | ||||
| CVE-2024-54150 | 2024-12-20 | 9.1 Critical | ||
| cjwt is a C JSON Web Token (JWT) Implementation. Algorithm confusion occurs when a system improperly verifies the type of signature used, allowing attackers to exploit the lack of distinction between signing methods. If the system doesn't differentiate between an HMAC signed token and an RS/EC/PS signed token during verification, it becomes vulnerable to this kind of attack. For instance, an attacker could craft a token with the alg field set to "HS256" while the server expects an asymmetric algorithm like "RS256". The server might mistakenly use the wrong verification method, such as using a public key as the HMAC secret, leading to unauthorised access. For RSA, the key can be computed from a few signatures. For Elliptic Curve (EC), two potential keys can be recovered from one signature. This can be used to bypass the signature mechanism if an application relies on asymmetrically signed tokens. This issue has been addressed in version 2.3.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-41165 | 2024-12-20 | 7.1 High | ||
| A library injection vulnerability exists in Microsoft Word 16.83 for macOS. A specially crafted library can leverage Word's access privileges, leading to a permission bypass. A malicious application could inject a library and start the program to trigger this vulnerability and then make use of the vulnerable application's permissions. | ||||