Total
396 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-6854 | 1 Broadcom | 1 Single Sign-on | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| The non-Domino web agents in CA Single Sign-On (aka SSO, formerly SiteMinder) R6, R12.0 before SP3 CR13, R12.0J before SP3 CR1.2, and R12.5 before CR5 allow remote attackers to cause a denial of service (daemon crash) or obtain sensitive information via a crafted request. | |||||
| CVE-2015-6853 | 1 Broadcom | 1 Single Sign-on | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| The Domino web agent in CA Single Sign-On (aka SSO, formerly SiteMinder) R6, R12.0 before SP3 CR13, R12.0J before SP3 CR1.2, R12.5 before CR5, R12.51 before CR4, and R12.52 before SP1 CR3 allows remote attackers to cause a denial of service (daemon crash) or obtain sensitive information via a crafted request. | |||||
| CVE-2015-5236 | 1 Icedtea-web Project | 1 Icedtea-web | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| It was discovered that the IcedTea-Web used codebase attribute of the <applet> tag on the HTML page that hosts Java applet in the Same Origin Policy (SOP) checks. As the specified codebase does not have to match the applet's actual origin, this allowed malicious site to bypass SOP via spoofed codebase value. | |||||
| CVE-2015-4674 | 1 Timedoctor | 1 Timedoctor | 2024-11-21 | 9.3 HIGH | N/A |
| The autoupdate implementation in TimeDoctor Pro 1.4.72.3 on Windows relies on unsigned installer files that are retrieved without use of SSL, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted file. | |||||
| CVE-2015-3956 | 1 Pifzer | 6 Plum A\+3 Infusion System, Plum A\+3 Infusion System Firmware, Plum A\+ Infusion System and 3 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior accept drug libraries, firmware updates, pump commands, and unauthorized configuration changes from unauthenticated devices on the host network. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System which is not vulnerable to this issue. | |||||
| CVE-2015-3908 | 1 Redhat | 1 Ansible | 2024-11-21 | 4.3 MEDIUM | N/A |
| Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | |||||
| CVE-2015-2908 | 1 Mobile Devices | 1 C4 Obd-ii Dongle Firmware | 2024-11-21 | 9.0 HIGH | N/A |
| Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server. | |||||
| CVE-2015-0259 | 1 Openstack | 1 Nova | 2024-11-21 | 5.1 MEDIUM | N/A |
| OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage. | |||||
| CVE-2015-0251 | 5 Apache, Apple, Opensuse and 2 more | 9 Subversion, Xcode, Opensuse and 6 more | 2024-11-21 | 4.0 MEDIUM | N/A |
| The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 through 1.8.11 allows remote authenticated users to spoof the svn:author property via a crafted v1 HTTP protocol request sequences. | |||||
| CVE-2014-8165 | 1 Powerpc-utils Project | 1 Powerpc-utils | 2024-11-21 | 10.0 HIGH | N/A |
| scripts/amsvis/powerpcAMS/amsnet.py in powerpc-utils-python uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object. | |||||
| CVE-2014-5406 | 1 Hospira | 3 Lifecare Pca3, Lifecare Pca5, Lifecare Pcainfusion Firmware | 2024-11-21 | 9.3 HIGH | N/A |
| The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459. | |||||
| CVE-2014-4936 | 1 Malwarebytes | 2 Malwarebytes Anti-exploit, Malwarebytes Anti-malware | 2024-11-21 | 9.3 HIGH | N/A |
| The upgrade functionality in Malwarebytes Anti-Malware (MBAM) consumer before 2.0.3 and Malwarebytes Anti-Exploit (MBAE) consumer 1.04.1.1012 and earlier allow man-in-the-middle attackers to execute arbitrary code by spoofing the update server and uploading an executable. | |||||
| CVE-2014-4883 | 1 Lwip Project | 1 Lwip | 2024-11-21 | 4.3 MEDIUM | N/A |
| resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, does not use random values for ID fields and source ports of DNS query packets, which makes it easier for man-in-the-middle attackers to conduct cache-poisoning attacks via spoofed reply packets. | |||||
| CVE-2014-2718 | 2 Asus, T-mobile | 10 Rt-ac56r, Rt-ac66r, Rt-ac66u and 7 more | 2024-11-21 | 7.1 HIGH | N/A |
| ASUS RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U, and possibly other RT-series routers before firmware 3.0.0.4.376.x do not verify the integrity of firmware (1) update information or (2) downloaded updates, which allows man-in-the-middle (MITM) attackers to execute arbitrary code via a crafted image. | |||||
| CVE-2014-0364 | 1 Igniterealtime | 1 Smack | 2024-11-21 | 5.0 MEDIUM | N/A |
| The ParseRoster component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify the from attribute of a roster-query IQ stanza, which allows remote attackers to spoof IQ responses via a crafted attribute. | |||||
| CVE-2013-7398 | 2 Async-http-client Project, Redhat | 2 Async-http-client, Jboss Fuse | 2024-11-21 | 4.3 MEDIUM | N/A |
| main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate. | |||||
| CVE-2013-7397 | 2 Async-http-client Project, Redhat | 2 Async-http-client, Jboss Fuse | 2024-11-21 | 4.3 MEDIUM | N/A |
| Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configuration that does not send client certificates. | |||||
| CVE-2013-2167 | 3 Debian, Openstack, Redhat | 3 Debian Linux, Python-keystoneclient, Openstack | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache signing bypass | |||||
| CVE-2024-47867 | 1 Gradio Project | 1 Gradio | 2024-11-15 | N/A | 7.5 HIGH |
| Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file's checksum or signature. Any users utilizing the Gradio server's sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling. There is no direct workaround for this issue without upgrading. However, users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn't been tampered with. | |||||
| CVE-2024-47255 | 1 2n | 1 Access Commander | 2024-11-07 | N/A | 7.8 HIGH |
| In 2N Access Commander versions 3.1.1.2 and prior, a local attacker can escalate their privileges in the system which could allow for arbitrary code execution with root permissions. | |||||