Total
626 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-6056 | 2025-07-08 | N/A | N/A | ||
| Timing difference in password reset in Ergon Informatik AG's Airlock IAM 7.7.9, 8.0.8, 8.1.7, 8.2.4 and 8.3.1 allows unauthenticated attackers to enumerate usernames. | |||||
| CVE-2025-6386 | 2025-07-08 | N/A | 7.5 HIGH | ||
| The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the `lollms_authentication.py` file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The affected version is the latest, and the issue is resolved in version 20.1. The vulnerability arises from the use of Python's default string equality operator for password comparison, which compares characters sequentially and exits on the first mismatch, leading to variable response times based on the number of matching initial characters. | |||||
| CVE-2025-40732 | 1 Code-projects | 1 Daily Expense Manager | 2025-07-07 | N/A | 7.5 HIGH |
| user enumeration vulnerability in Daily Expense Manager v1.0. To exploit this vulnerability a POST request must be sent using the name parameter in /check.php | |||||
| CVE-2024-51477 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-07-07 | N/A | 4.3 MEDIUM |
| IBM InfoSphere Information Server 11.7 could allow an authenticated to obtain sensitive username information due to an observable response discrepancy. | |||||
| CVE-2024-11297 | 1 Miniorange | 1 Page Restriction | 2025-07-03 | N/A | 5.3 MEDIUM |
| The Page Restriction WordPress (WP) – Protect WP Pages/Post plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.6 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator. | |||||
| CVE-2025-46570 | 1 Vllm | 1 Vllm | 2025-06-24 | N/A | 2.6 LOW |
| vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.9.0, when a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT (Time to First Token). These timing differences caused by matching chunks are significant enough to be recognized and exploited. This issue has been patched in version 0.9.0. | |||||
| CVE-2024-56738 | 1 Gnu | 1 Grub2 | 2025-06-24 | N/A | 5.3 MEDIUM |
| GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for grub_crypto_memcmp and thus allows side-channel attacks. | |||||
| CVE-2024-21206 | 1 Oracle | 1 Enterprise Command Center Framework | 2025-06-23 | N/A | 4.3 MEDIUM |
| Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Diagnostics). Supported versions that are affected are ECC:11-13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Enterprise Command Center Framework accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). | |||||
| CVE-2024-23170 | 1 Arm | 1 Mbed Tls | 2025-06-20 | N/A | 5.5 MEDIUM |
| An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operations. This side channel could be sufficient for a local attacker to recover the plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario. | |||||
| CVE-2024-21210 | 1 Oracle | 2 Jdk, Jre | 2025-06-18 | N/A | 3.7 LOW |
| Vulnerability in Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4 and 23. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). | |||||
| CVE-2024-21208 | 1 Oracle | 4 Graalvm, Graalvm For Jdk, Jdk and 1 more | 2025-06-18 | N/A | 3.7 LOW |
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). | |||||
| CVE-2025-32789 | 1 Espocrm | 1 Espocrm | 2025-06-18 | N/A | 3.1 LOW |
| EspoCRM is an Open Source Customer Relationship Management software. Prior to version 9.0.7, users can be sorted by their password hash. This flaw allows an attacker to make assumptions about the hash values of other users stored in the password column of the user table, based on the results of the sorted list of users. Although unlikely, if an attacker knows the hash value of their password, they can change the password and repeat the sorting until the other user's password hash is fully revealed. This issue is patched in version 9.0.7. | |||||
| CVE-2024-2464 | 1 Cdex | 1 Cdex | 2025-06-17 | N/A | 6.3 MEDIUM |
| This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.This issue affects CDeX application versions through 5.7.1. | |||||
| CVE-2024-25191 | 1 Zihanggao | 1 Php-jwt | 2025-06-12 | N/A | 9.8 CRITICAL |
| php-jwt 1.0.0 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel. | |||||
| CVE-2023-5388 | 2 Debian, Mozilla | 3 Debian Linux, Firefox, Thunderbird | 2025-06-09 | N/A | 6.5 MEDIUM |
| NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. | |||||
| CVE-2024-47156 | 1 Honor | 1 Magicos | 2025-06-05 | N/A | 3.3 LOW |
| Some Honor products are affected by information leak vulnerability, successful exploitation could cause the information leak. | |||||
| CVE-2024-47153 | 1 Honor | 1 Magicos | 2025-06-05 | N/A | 6.2 MEDIUM |
| Some Honor products are affected by information leak vulnerability, successful exploitation could cause the information leak. | |||||
| CVE-2024-47154 | 1 Honor | 1 Magicos | 2025-06-05 | N/A | 5.5 MEDIUM |
| Some Honor products are affected by information leak vulnerability, successful exploitation could cause the information leak. | |||||
| CVE-2024-47155 | 1 Honor | 1 Magicos | 2025-06-05 | N/A | 5.5 MEDIUM |
| Some Honor products are affected by information leak vulnerability, successful exploitation could cause the information leak. | |||||
| CVE-2024-8992 | 1 Honor | 1 Magicos | 2025-06-05 | N/A | 4.0 MEDIUM |
| Some Honor products are affected by information leak vulnerability, successful exploitation could cause the information leak. | |||||