Total
414 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2015-9065 | 1 Google | 1 Android | 2025-04-20 | N/A |
| In all Qualcomm products with Android releases from CAF using the Linux kernel, a UE can respond to a UEInformationRequest before Access Stratum security is established. | ||||
| CVE-2016-10148 | 1 Wordpress | 1 Wordpress | 2025-04-20 | N/A |
| The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896. | ||||
| CVE-2016-10336 | 1 Google | 1 Android | 2025-04-20 | N/A |
| In all Android releases from CAF using the Linux kernel, some regions of memory were not protected during boot. | ||||
| CVE-2016-10321 | 1 Web2py | 1 Web2py | 2025-04-20 | N/A |
| web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks. | ||||
| CVE-2016-10517 | 1 Redislabs | 1 Redis | 2025-04-20 | N/A |
| networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" because it lacks a check for POST and Host: strings, which are not valid in the Redis protocol (but commonly occur when an attack triggers an HTTP request to the Redis TCP port). | ||||
| CVE-2016-1520 | 1 Grandstream | 1 Wave | 2025-04-20 | N/A |
| The Grandstream Wave app 1.0.1.26 and earlier for Android does not use HTTPS when retrieving update information, which might allow man-in-the-middle attackers to execute arbitrary code via a crafted application. | ||||
| CVE-2016-3128 | 1 Blackberry | 1 Enterprise Service | 2025-04-20 | N/A |
| A spoofing vulnerability in the Core of BlackBerry Enterprise Server (BES) 12 through 12.5.2 allows remote attackers to enroll an illegitimate device to the BES, gain access to device parameters for the BES, or send false information to the BES by gaining access to specific information about a device that was legitimately enrolled on the BES. | ||||
| CVE-2016-3180 | 1 Tor Browser Launcher Project | 1 Tor Browser Launcher | 2025-04-20 | N/A |
| Tor Browser Launcher (aka torbrowser-launcher) before 0.2.4, during the initial run, allows man-in-the-middle attackers to bypass the PGP signature verification and execute arbitrary code via a Trojan horse tar file and a signature file with the valid tarball and signature. | ||||
| CVE-2016-3997 | 1 Netapp | 1 Clustered Data Ontap | 2025-04-20 | N/A |
| NetApp Clustered Data ONTAP allows man-in-the-middle attackers to obtain sensitive information, gain privileges, or cause a denial of service by leveraging failure to enable SMB signing enforcement in its default state. | ||||
| CVE-2016-4689 | 1 Apple | 1 Iphone Os | 2025-04-20 | N/A |
| An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Mail" component, which does not alert the user to an S/MIME email signature that used a revoked certificate. | ||||
| CVE-2010-1776 | 1 Apple | 1 Iphone Os | 2025-04-20 | N/A |
| Find My iPhone on iOS 2.0 through 3.1.3 for iPhone 3G and later and iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later, when Find My iPhone is disabled, allows remote authenticated users with an associated MobileMe account to wipe the device. | ||||
| CVE-2011-2683 | 1 Reseed Project | 1 Reseed | 2025-04-20 | N/A |
| reseed seeds random numbers from an insecure HTTP request to random.org during installation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a man-in-the-middle attack. | ||||
| CVE-2014-9634 | 2 Apache, Jenkins | 2 Tomcat, Jenkins | 2025-04-20 | N/A |
| Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session. | ||||
| CVE-2014-9635 | 2 Apache, Jenkins | 2 Tomcat, Jenkins | 2025-04-20 | N/A |
| Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies. | ||||
| CVE-2015-5246 | 1 Theforeman | 1 Foreman | 2025-04-20 | N/A |
| The LDAP Authentication functionality in Foreman might allow remote attackers with knowledge of old passwords to gain access via vectors involving the password lifetime period in Active Directory. | ||||
| CVE-2015-6473 | 1 Wago | 4 750-849, 750-849 Firmware, 758-870 and 1 more | 2025-04-20 | N/A |
| WAGO IO 750-849 01.01.27 and WAGO IO 750-881 01.02.05 do not contain privilege separation. | ||||
| CVE-2015-6592 | 1 Huawei | 2 Uap2105, Uap2105 Firmware | 2025-04-20 | N/A |
| Huawei UAP2105 before V300R012C00SPC160(BootRom) does not require authentication to the serial port or the VxWorks shell. | ||||
| CVE-2015-7225 | 1 Tinfoilsecurity | 1 Devise-two-factor | 2025-04-20 | N/A |
| Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password (aka OTP), which allows remote or physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing a man-in-the-middle attack between the provider and verifier, or shoulder surfing, and replaying the OTP in the current time-step. | ||||
| CVE-2015-7973 | 5 Canonical, Freebsd, Netapp and 2 more | 9 Ubuntu Linux, Freebsd, Clustered Data Ontap and 6 more | 2025-04-20 | 6.5 Medium |
| NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network. | ||||
| CVE-2016-5057 | 1 Osram | 1 Lightify Pro | 2025-04-20 | N/A |
| OSRAM SYLVANIA Osram Lightify Pro through 2016-07-26 does not use SSL pinning. | ||||