Total
412 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-15149 | 1 Networkgenomics | 1 Mitogen | 2024-05-17 | 6.8 MEDIUM | 9.8 CRITICAL |
| ** DISPUTED ** core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child. The Ansible extension is unaffected. NOTE: the vendor disputes this issue because it is exploitable only in conjunction with hypothetical other factors, i.e., an affected use case within a library caller, and a bug in the message receiver policy code that led to reliance on this extra protection mechanism. | |||||
| CVE-2016-10894 | 2 Debian, Xtrlock Project | 2 Debian Linux, Xtrlock | 2024-02-04 | 2.1 LOW | 4.6 MEDIUM |
| xtrlock through 2.10 does not block multitouch events. Consequently, an attacker at a locked screen can send input to (and thus control) various programs such as Chromium via events such as pan scrolling, "pinch and zoom" gestures, or even regular mouse clicks (by depressing the touchpad once and then clicking with a different finger). | |||||
| CVE-2017-11579 | 1 Blipcare | 2 Wi-fi Blood Pressure Monitor, Wi-fi Blood Pressure Monitor Firmware | 2024-02-04 | 4.8 MEDIUM | 7.1 HIGH |
| In the most recent firmware for Blipcare, the device provides an open Wireless network called "Blip" for communicating with the device. The user connects to this open Wireless network and uses the web management interface of the device to provide the user's Wi-Fi credentials so that the device can connect to it and have Internet access. This device acts as a Wireless Blood pressure monitor and is used to measure blood pressure levels of a person. This allows an attacker who is in vicinity of Wireless signal generated by the Blipcare device to easily sniff the credentials. Also, an attacker can connect to the open wireless network "Blip" exposed by the device and modify the HTTP response presented to the user by the device to execute other attacks such as convincing the user to download and execute a malicious binary that would infect a user's computer or mobile device with malware. | |||||
| CVE-2017-18462 | 1 Cpanel | 1 Cpanel | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| cPanel before 62.0.17 allows a CPHulk one-day ban bypass when IP based protection is enabled (SEC-224). | |||||
| CVE-2014-1428 | 1 Canonical | 1 Metal As A Service | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in generate_filestorage_key of Ubuntu MAAS allows an attacker to brute-force filenames. This issue affects Ubuntu MAAS versions prior to 1.9.2. | |||||
| CVE-2015-9318 | 1 Getawesomesupport | 1 Awesome Support | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| The awesome-support plugin before 3.1.7 for WordPress has a security issue in which shortcodes are allowed in replies. | |||||
| CVE-2016-1585 | 1 Canonical | 1 Apparmor | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| In all versions of AppArmor mount rules are accidentally widened when compiled. | |||||
| CVE-2019-11636 | 1 Z.cash | 1 Zcash | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| Zcash 2.x allows an inexpensive approach to "fill all transactions of all blocks" and "prevent any real transaction from occurring" via a "Sapling Wood-Chipper" attack. | |||||
| CVE-2017-2748 | 1 Hp | 1 Isaac Mizrahi Smartwatch | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| A potential security vulnerability caused by the use of insecure (http) transactions during login has been identified with early versions of the Isaac Mizrahi Smartwatch mobile app. HP has no access to customer data as a result of this issue. | |||||
| CVE-2017-18429 | 1 Cpanel | 1 Cpanel | 2024-02-04 | 2.1 LOW | 3.3 LOW |
| In cPanel before 66.0.2, Apache HTTP Server SSL domain logs can persist on disk after an account termination (SEC-291). | |||||
| CVE-2016-10772 | 1 Cpanel | 1 Cpanel | 2024-02-04 | 2.1 LOW | 3.3 LOW |
| cPanel before 60.0.25 does not enforce feature-list restrictions when calling the multilang adminbin (SEC-168). | |||||
| CVE-2019-10741 | 1 K-9 Mail Project | 1 K-9 Mail | 2024-02-04 | 4.3 MEDIUM | 4.3 MEDIUM |
| K-9 Mail v5.600 can include the original quoted HTML code of a specially crafted, benign looking, email within (digitally signed) reply messages. The quoted part can contain conditional statements that show completely different text if opened in a different email client. This can be abused by an attacker to obtain valid S/MIME or PGP signatures for arbitrary content to be displayed to a third party. NOTE: the vendor states "We don't plan to take any action because of this." | |||||
| CVE-2019-10059 | 1 Lexmark | 142 6500e, 6500e Firmware, C734 and 139 more | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| The legacy finger service (TCP port 79) is enabled by default on various older Lexmark devices. | |||||
| CVE-2017-18477 | 1 Cpanel | 1 Cpanel | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| In cPanel before 62.0.4, Exim transports could execute in the context of the nobody account (SEC-206). | |||||
| CVE-2011-3145 | 1 Mount.ecrpytfs Private Project | 1 Mount.ecrpytfs Private | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| When mount.ecrpytfs_private before version 87-0ubuntu1.2 calls setreuid() it doesn't also set the effective group id. So when it creates the new version, mtab.tmp, it's created with the group id of the user running mount.ecryptfs_private. | |||||
| CVE-2017-18476 | 1 Cpanel | 1 Cpanel | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| Leech Protect in cPanel before 62.0.4 does not protect certain directories (SEC-205). | |||||
| CVE-2017-18467 | 1 Cpanel | 1 Cpanel | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| cPanel before 62.0.17 allows access to restricted resources because of a URL filtering error (SEC-229). | |||||
| CVE-2017-13718 | 1 Starry | 2 S00111, S00111 Firmware | 2024-02-04 | 6.0 MEDIUM | 8.0 HIGH |
| The HTTP API supported by Starry Station (aka Starry Router) allows brute forcing the PIN setup by the user on the device, and this allows an attacker to change the Wi-Fi settings and PIN, as well as port forward and expose any internal device's port to the Internet. It was identified that the device uses custom Python code called "rodman" that allows the mobile appication to interact with the device. The APIs that are a part of this rodman Python file allow the mobile application to interact with the device using a secret, which is a uuid4 based session identifier generated by the device the first time it is set up. However, in some cases, these APIs can also use a security code. This security code is nothing but the PIN number set by the user to interact with the device when using the touch interface on the router. This allows an attacker on the Internet to interact with the router's HTTP interface when a user navigates to the attacker's website, and brute force the credentials. Also, since the device's server sets the Access-Control-Allow-Origin header to "*", an attacker can easily interact with the JSON payload returned by the device and steal sensitive information about the device. | |||||
| CVE-2017-18480 | 1 Cpanel | 1 Cpanel | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| cPanel before 62.0.4 does not enforce account ownership for has_mycnf_for_cpuser WHM API calls (SEC-210). | |||||
| CVE-2016-10932 | 2 Hyper, Microsoft | 2 Hyper, Windows | 2024-02-04 | 5.8 MEDIUM | 4.8 MEDIUM |
| An issue was discovered in the hyper crate before 0.9.4 for Rust on Windows. There is an HTTPS man-in-the-middle vulnerability because hostname verification was omitted. | |||||