Total: 265 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-21494 | | | 2024-02-20 | N/A | 5.4 MEDIUM | All versions of the package github.com/greenpau/caddy-security are vulnerable to Authentication Bypass by Spoofing via the X-Forwarded-For header due to improper input sanitization. An attacker can spoof an IP address used in the user identity module (/whoami API endpoint). This could lead to unauthorized access if the system trusts this spoofed IP address.
CVE-2023-7169 | 1 Snowsoftware | 1 Snow Inventory Agent | 2024-02-15 | N/A | 5.5 MEDIUM | Authentication Bypass by Spoofing vulnerability in Snow Software Snow Inventory Agent on Windows allows Signature Spoof. This issue affects Snow Inventory Agent: through 6.14.5. Customers are advised to upgrade to version 7.0.
CVE-2024-22519 | 1 Sorenfriis | 1 Opendroneid Osm | 2024-02-14 | N/A | 8.2 HIGH | An issue discovered in OpenDroneID OSM 3.5.1 allows attackers to impersonate other drones via transmission of crafted data packets.
CVE-2024-22520 | 1 Dronetag | 1 Drone Scanner | 2024-02-14 | N/A | 8.2 HIGH | An issue discovered in Dronetag Drone Scanner 1.5.2 allows attackers to impersonate other drones via transmission of crafted data packets.
CVE-2024-23832 | 1 Joinmastodon | 1 Mastodon | 2024-02-09 | N/A | 9.8 CRITICAL | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x versions prior to 4.1.13, and 4.2.x versions prior to 4.2.5.
CVE-2022-30319 | 1 Honeywell | 1 Saia Pg5 Controls Suite | 2024-02-09 | N/A | 8.1 HIGH | Saia Burgess Controls (SBC) PCD through 2022-05-06 allows Authentication bypass. According to FSCT-2022-0062, there is a Saia Burgess Controls (SBC) PCD S-Bus authentication bypass issue. The affected components are characterized as: S-Bus (5050/UDP) authentication. The potential impact is: Authentication bypass. The Saia Burgess Controls (SBC) PCD controllers utilize the S-Bus protocol (5050/UDP) for a variety of engineering purposes. It is possible to configure a password in order to restrict access to sensitive engineering functionality. Authentication functions on the basis of a MAC/IP whitelist with inactivity timeout, in which an authenticated client's MAC/IP is stored. UDP traffic can be spoofed to bypass the whitelist-based access control. Since UDP is stateless, an attacker capable of passively observing traffic can spoof arbitrary messages using the MAC/IP of an authenticated client. This allows the attacker access to sensitive engineering functionality such as uploading/downloading control logic and manipulating controller configuration.
CVE-2023-6044 | 1 Lenovo | 1 Vantage | 2024-02-05 | N/A | 6.8 MEDIUM | A privilege escalation vulnerability was reported in Lenovo Vantage that could allow a local attacker with physical access to impersonate Lenovo Vantage Service and execute arbitrary code with elevated privileges.
CVE-2023-49794 | | | 2024-02-05 | N/A | 7.8 HIGH | KernelSU is a kernel-based root solution for Android devices. In versions 0.7.1 and prior, the logic of get apk path in the KernelSU kernel module can be bypassed, which causes any malicious APK named `me.weishu.kernelsu` to get root permission. If a device with KernelSU installed tries to install any unchecked APK whose package name equals that of the official KernelSU Manager, it can take over root privileges on the device. As of time of publication, a patched version is not available.
CVE-2024-0454 | 1 Emc | 2 Elan Match-on-chip Fpr Solution, Elan Match-on-chip Fpr Solution Firmware | 2024-02-05 | N/A | 6.1 MEDIUM | The ELAN Match-on-Chip FPR solution has a design fault with a potential risk of valid SID leakage and enumeration via a spoofed sensor. This fault means that Windows Hello recognition can be bypassed by cloning the SID, breaking account identity. Versions lower than 3.0.12011.08009 (Legacy) / 3.3.12011.08103 (ESS) are affected on the DELL Inspiron platform.
CVE-2023-50463 | 1 Caddyserver | 1 Caddy | 2024-02-05 | N/A | 6.5 MEDIUM | The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).
CVE-2023-51350 | 1 Ujcms | 1 Ujcms | 2024-02-05 | N/A | 9.8 CRITICAL | A spoofing attack in ujcms v.8.0.2 allows a remote attacker to obtain sensitive information and execute arbitrary code via a crafted script to the X-Forwarded-For function in the header.
CVE-2023-6263 | 1 Networkoptix | 1 Nxcloud | 2024-02-05 | N/A | 8.1 HIGH | An issue was discovered by the IPVM team in Network Optix NxCloud before 23.1.0.40440. It was possible to add a fake VMS server to NxCloud by using the exact identification of a legitimate VMS server. As a result, it was possible to retrieve authorization headers from legitimate users when the legitimate client connects to the fake VMS server.
CVE-2023-34329 | 1 Ami | 1 Megarac Sp-x | 2024-02-05 | N/A | 8.0 HIGH | AMI MegaRAC SPx12 contains a vulnerability in the BMC where a User may cause an authentication bypass by spoofing the HTTP header. A successful exploit of this vulnerability may lead to loss of confidentiality, integrity, and availability.
CVE-2023-34167 | 1 Huawei | 1 Emui | 2024-02-04 | N/A | 5.3 MEDIUM | Vulnerability of spoofing trustlists of Huawei desktop. Successful exploitation of this vulnerability can cause third-party apps to hide app icons on the desktop to prevent them from being uninstalled.
CVE-2023-25743 | 1 Mozilla | 1 Firefox Focus | 2024-02-04 | N/A | 7.5 HIGH | A lack of in-app notification for entering fullscreen mode could have led to a malicious website spoofing browser chrome. *This bug only affects Firefox Focus. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 110 and Firefox ESR < 102.8.
CVE-2022-48513 | 1 Huawei | 2 Emui, Harmonyos | 2024-02-04 | N/A | 9.8 CRITICAL | Vulnerability of identity verification being bypassed in the Gallery module. Successful exploitation of this vulnerability may cause out-of-bounds access.
CVE-2023-3128 | 1 Grafana | 1 Grafana | 2024-02-04 | N/A | 9.8 CRITICAL | Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
CVE-2021-25827 | 1 Emby | 1 Emby | 2024-02-04 | N/A | 9.8 CRITICAL | Emby Server < 4.7.12.0 is vulnerable to a login bypass attack by setting the X-Forwarded-For header to a local IP address.
CVE-2023-34160 | 1 Huawei | 1 Emui | 2024-02-04 | N/A | 5.3 MEDIUM | Vulnerability of spoofing trustlists of Huawei desktop. Successful exploitation of this vulnerability can cause third-party apps to hide app icons on the desktop to prevent them from being uninstalled.
CVE-2023-0816 | 1 Strategy11 | 1 Formidable Form Builder | 2024-02-04 | N/A | 6.5 MEDIUM | The Formidable Forms WordPress plugin before 6.1 uses several potentially untrusted headers to determine the IP address of the client, leading to IP address spoofing and bypass of anti-spam protections.