Total
370 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-48271 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Authentication Bypass by Spoofing vulnerability in yonifre Maspik – Spam blacklist allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Maspik – Spam blacklist: from n/a through 0.10.3. | |||||
| CVE-2023-47769 | 2024-11-21 | N/A | 3.7 LOW | ||
| Authentication Bypass by Spoofing vulnerability in WP Maintenance allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Maintenance: from n/a through 6.1.3. | |||||
| CVE-2023-44463 | 1 Rami | 1 Pretix | 2024-11-21 | N/A | 5.3 MEDIUM |
| An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application. | |||||
| CVE-2023-44447 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| TP-Link TL-WR902AC loginFs Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR902AC routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from improper authentication. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-21529. | |||||
| CVE-2023-41329 | 1 Wiremock | 4 Python Wiremock, Studio, Wiremock and 1 more | 2024-11-21 | N/A | 3.9 LOW |
| WireMock is a tool for mocking HTTP services. The proxy mode of WireMock, can be protected by the network restrictions configuration, as documented in Preventing proxying to and recording from specific target addresses. These restrictions can be configured using the domain names, and in such a case the configuration is vulnerable to the DNS rebinding attacks. A similar patch was applied in WireMock 3.0.0-beta-15 for the WireMock Webhook Extensions. The root cause of the attack is a defect in the logic which allows for a race condition triggered by a DNS server whose address expires in between the initial validation and the outbound network request that might go to a domain that was supposed to be prohibited. Control over a DNS service is required to exploit this attack, so it has high execution complexity and limited impact. This issue has been addressed in version 2.35.1 of wiremock-jre8 and wiremock-jre8-standalone, version 3.0.3 of wiremock and wiremock-standalone, version 2.6.1 of the python version of wiremock, and versions 2.35.1-1 and 3.0.3-1 of the wiremock/wiremock Docker container. Users are advised to upgrade. Users unable to upgrade should either configure firewall rules to define the list of permitted destinations or to configure WireMock to use IP addresses instead of the domain names. | |||||
| CVE-2023-41134 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Authentication Bypass by Spoofing vulnerability in pluginkollektiv Antispam Bee allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Antispam Bee: from n/a through 2.11.3. | |||||
| CVE-2023-40702 | 2024-11-21 | N/A | N/A | ||
| PingOne MFA Integration Kit contains a vulnerability where the skipMFA action can be configured such that user authentication does not require the second factor authentication from the user's existing registered devices. A threat actor might be able to exploit this vulnerability to authenticate as a target user if they have existing knowledge of the target user’s first-factor credentials. | |||||
| CVE-2023-40356 | 2024-11-21 | N/A | N/A | ||
| PingOne MFA Integration Kit contains a vulnerability related to the Prompt Users to Set Up MFA configuration. Under certain conditions, this configuration could allow for a new MFA device to be paired with a target user account without requiring second-factor authentication from the target’s existing registered devices. A threat actor might be able to exploit this vulnerability to register their own MFA device with a target user’s account if they have existing knowledge of the target user’s first factor credential. | |||||
| CVE-2023-37865 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Authentication Bypass by Spoofing vulnerability in IP2Location Download IP2Location Country Blocker allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Download IP2Location Country Blocker: from n/a through 2.29.1. | |||||
| CVE-2023-30803 | 1 Sangfor | 1 Next-gen Application Firewall | 2024-11-21 | N/A | 9.8 CRITICAL |
| The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can bypass authentication and access administrative functionality by sending HTTP requests using a crafted Y-forwarded-for header. | |||||
| CVE-2023-2887 | 1 Cbot | 2 Cbot Core, Cbot Panel | 2024-11-21 | N/A | 9.8 CRITICAL |
| Authentication Bypass by Spoofing vulnerability in CBOT Chatbot allows Authentication Bypass.This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. | |||||
| CVE-2023-28803 | 1 Zscaler | 1 Client Connector | 2024-11-21 | N/A | 5.9 MEDIUM |
| An authentication bypass by spoofing of a device with a synthetic IP address is possible in Zscaler Client Connector on Windows, allowing a functionality bypass. This issue affects Client Connector: before 3.9. | |||||
| CVE-2023-27964 | 1 Apple | 1 Airpods Firmware | 2024-11-21 | N/A | 5.4 MEDIUM |
| An authentication issue was addressed with improved state management. This issue is fixed in AirPods Firmware Update 5E133. When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones. | |||||
| CVE-2023-25743 | 1 Mozilla | 1 Firefox Focus | 2024-11-21 | N/A | 7.5 HIGH |
| A lack of in app notification for entering fullscreen mode could have lead to a malicious website spoofing browser chrome.<br>*This bug only affects Firefox Focus. Other versions of Firefox are unaffected.*. This vulnerability affects Firefox < 110 and Firefox ESR < 102.8. | |||||
| CVE-2023-22814 | 1 Westerndigital | 11 My Cloud, My Cloud Dl2100, My Cloud Dl4100 and 8 more | 2024-11-21 | N/A | 10.0 CRITICAL |
| An authentication bypass issue via spoofing was discovered in the token-based authentication mechanism that could allow an attacker to carry out an impersonation attack. This issue affects My Cloud OS 5 devices: before 5.26.202. | |||||
| CVE-2023-22474 | 2024-11-21 | N/A | 8.7 HIGH | ||
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client IP address will be used by various features in Parse Server. This allows to circumvent the security mechanism of the Parse Server option `masterKeyIps` by setting an allowed IP address as the `x-forwarded-for` header value. This issue has been patched in version 5.4.1. The mechanism to determine the client IP address has been rewritten. The correct IP address determination now requires to set the Parse Server option `trustProxy`. | |||||
| CVE-2022-4098 | 1 Wut | 32 Com-server 20ma, Com-server 20ma Firmware, Com-server \+\+ and 29 more | 2024-11-21 | N/A | 8.0 HIGH |
| Multiple Wiesemann&Theis products of the ComServer Series are prone to an authentication bypass through IP spoofing. After a user logged in to the WBM of the Com-Server an unauthenticated attacker in the same subnet can obtain the session ID and through IP spoofing change arbitrary settings by crafting modified HTTP Get requests. This may result in a complete takeover of the device. | |||||
| CVE-2022-48513 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | N/A | 9.8 CRITICAL |
| Vulnerability of identity verification being bypassed in the Gallery module. Successful exploitation of this vulnerability may cause out-of-bounds access. | |||||
| CVE-2022-48469 | 1 Huawei | 2 B535-232a, B535-232a Firmware | 2024-11-21 | N/A | 6.5 MEDIUM |
| There is a traffic hijacking vulnerability in Huawei routers. Successful exploitation of this vulnerability can cause packets to be hijacked by attackers. | |||||
| CVE-2022-47648 | 1 Bosch | 2 B420, B420 Firmware | 2024-11-21 | N/A | 7.6 HIGH |
| An Improper Access Control vulnerability allows an attacker to access the control panel of the B420 without requiring any sort of authorization or authentication due to the IP based authorization. If an authorized user has accessed a publicly available B420 product using valid credentials, an insider attacker can gain access to the same panel without requiring any sort of authorization. The B420 module was already obsolete at the time this vulnerability was found (The End of Life announcement was made in 2013). | |||||