Vulnerabilities (CVE)

Filtered by CWE-346 (Origin Validation Error)
Total: 247 CVEs
CVE | Vendors (count) | Products (count) | Updated | CVSS v2 | CVSS v3

CVE-2023-26114 | Vendors (1): Coder | Products (1): Code-server | Updated: 2024-02-04 | CVSS v2: N/A | CVSS v3: 9.3 CRITICAL
Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSocket handshakes. Exploiting this vulnerability can allow an adversary, in specific scenarios, to access data from and connect to the code-server instance.

CVE-2023-23601 | Vendors (1): Mozilla | Products (3): Firefox, Firefox ESR, Thunderbird | Updated: 2024-02-04 | CVSS v2: N/A | CVSS v3: 6.5 MEDIUM
Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab, which could lead to website spoofing attacks. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.

CVE-2022-45139 | Vendors (1): Wago | Products (14): 751-9301, 751-9301 Firmware, 752-8303/8000-002 and 11 more | Updated: 2024-02-04 | CVSS v2: N/A | CVSS v3: 5.3 MEDIUM
A CORS misconfiguration in the web-based management allows a malicious third-party webserver to misuse all basic information pages on the webserver. In combination with CVE-2022-45138 this could lead to disclosure of device information such as CPU diagnostics. As only a limited amount of information is readable, the impact is confined to a small subset of confidentiality.

CVE-2023-0957 | Vendors (1): Gitpod | Products (1): Gitpod | Updated: 2024-02-04 | CVSS v2: N/A | CVSS v3: 9.6 CRITICAL
An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Gitpod JSON-RPC server using a victim's credentials, because the Origin header is not restricted. This can lead to the extraction of data from workspaces, up to a full takeover of the workspace.

CVE-2022-41924 | Vendors (2): Microsoft, Tailscale | Products (2): Windows, Tailscale | Updated: 2024-02-04 | CVSS v2: N/A | CVSS v3: 9.6 CRITICAL
A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon `tailscaled`, which can then be used to remotely execute code. In the Tailscale Windows client, the local API was bound to a local TCP socket and communicated with the Windows client GUI in cleartext with no Host header verification. This allowed an attacker-controlled website visited by the node to rebind DNS to an attacker-controlled DNS server, and then make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server. An attacker-controlled coordination server can send malicious URL responses to the client, including pushing executables or installing an SMB share. These allow the attacker to remotely execute code on the node. All Windows clients prior to version v1.32.3 are affected. If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue.

CVE-2022-41961 | Vendors (1): Bigbluebutton | Products (1): Bigbluebutton | Updated: 2024-02-04 | CVSS v2: N/A | CVSS v3: 4.3 MEDIUM
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to ineffective user bans. The attacker could register multiple users and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered users from the same extId. This issue has been fixed by improving permissions such that banning a user removes all users related to their extId, including registered users that have not joined the meeting. This issue is patched in versions 2.4-rc-6 and 2.5-alpha-1. There are no workarounds.

CVE-2021-33959 | Vendors (1): Plex | Products (1): Media Server | Updated: 2024-02-04 | CVSS v2: N/A | CVSS v3: 7.5 HIGH
Plex Media Server 1.21 and earlier is vulnerable to a DDoS reflection attack via the Plex service.

CVE-2022-22757 | Vendors (1): Mozilla | Products (1): Firefox | Updated: 2024-02-04 | CVSS v2: N/A | CVSS v3: 6.5 MEDIUM
Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it. This bug only affected Firefox when WebDriver was enabled, which is not the default configuration. This vulnerability affects Firefox < 97.

CVE-2022-41749 | Vendors (2): Microsoft, Trendmicro | Products (2): Windows, Apex One | Updated: 2024-02-04 | CVSS v2: N/A | CVSS v3: 7.8 HIGH
An origin validation error vulnerability in Trend Micro Apex One agents could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2022-3457 | Vendors (1): Ikus-soft | Products (1): Rdiffweb | Updated: 2024-02-04 | CVSS v2: N/A | CVSS v3: 9.8 CRITICAL
Origin Validation Error in GitHub repository ikus060/rdiffweb prior to 2.5.0a5.

CVE-2022-41294 | Vendors (2): Ibm, Microsoft | Products (2): Robotic Process Automation, Windows | Updated: 2024-02-04 | CVSS v2: N/A | CVSS v3: 6.5 MEDIUM
IBM Robotic Process Automation 21.0.0, 21.0.1, 21.0.2, 21.0.3, and 21.0.4 has a cross-origin resource sharing (CORS) vulnerability in the bot API. IBM X-Force ID: 236807.

CVE-2022-23764 | Vendors (2): Microsoft, Teruten | Products (2): Windows, Webcube | Updated: 2024-02-04 | CVSS v2: N/A | CVSS v3: 9.8 CRITICAL
The vulnerability arises from insufficient verification of downloaded files during a WebCube update. Remote attackers can bypass this verification logic to install both digitally signed and unauthorized files as updates, enabling remote code execution.

CVE-2022-1497 | Vendors (1): Google | Products (1): Chrome | Updated: 2024-02-04 | CVSS v2: N/A | CVSS v3: 6.5 MEDIUM
Inappropriate implementation in Input in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to spoof the contents of cross-origin websites via a crafted HTML page.

CVE-2022-0108 | Vendors (2): Fedoraproject, Google | Products (2): Fedora, Chrome | Updated: 2024-02-04 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.5 MEDIUM
Inappropriate implementation in Navigation in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

CVE-2022-0111 | Vendors (2): Fedoraproject, Google | Products (2): Fedora, Chrome | Updated: 2024-02-04 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.5 MEDIUM
Inappropriate implementation in Navigation in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to incorrectly set the origin via a crafted HTML page.

CVE-2022-24762 | Vendors (1): Sysend.js Project | Products (1): Sysend.js | Updated: 2024-02-04 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.5 MEDIUM
sysend.js is a library that allows a user to send messages between pages that are open in the same browser. Users that use cross-origin communication may have their communications intercepted. Impact is limited by the communication occurring in the same browser. This issue has been patched in sysend.js version 1.10.0. The only currently known workaround is to avoid sending communications that a user does not want to have intercepted via sysend messages.

CVE-2022-29818 | Vendors (1): Jetbrains | Products (1): Intellij Idea | Updated: 2024-02-04 | CVSS v2: 3.6 LOW | CVSS v3: 7.1 HIGH
In JetBrains IntelliJ IDEA before 2022.1, origin checks in the internal web server were flawed.

CVE-2022-23763 | Vendors (2): Douzone, Microsoft | Products (2): Neors, Windows | Updated: 2024-02-04 | CVSS v2: 6.8 MEDIUM | CVSS v3: 8.8 HIGH
An origin validation error vulnerability in NeoRS's ActiveX module allows attackers to download and execute arbitrary files. Remote attackers can use this vulnerability by luring users to crafted web pages, causing damage such as malicious code infections.

CVE-2022-25227 | Vendors (1): Cybelesoft | Products (1): Thinfinity Vnc | Updated: 2024-02-04 | CVSS v2: 6.8 MEDIUM | CVSS v3: 8.8 HIGH
Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browsing a malicious site, to obtain an 'ID' that can be used to send WebSocket requests and achieve RCE.

CVE-2021-46701 | Vendors (1): Premid | Products (1): Premid | Updated: 2024-02-04 | CVSS v2: 6.4 MEDIUM | CVSS v3: 6.5 MEDIUM
PreMiD 2.2.0 allows unintended access via the WebSocket transport. An attacker can receive events from a socket and emit events to a socket, potentially interfering with a victim's "now playing" status on Discord.