Total
477 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-46692 | 2 Apple, Redhat | 8 Icloud, Ipados, Iphone Os and 5 more | 2025-04-21 | 5.5 Medium |
| A logic issue was addressed with improved state management. This issue is fixed in Safari 16.2, tvOS 16.2, iCloud for Windows 14.1, iOS 15.7.2 and iPadOS 15.7.2, macOS Ventura 13.1, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may bypass Same Origin Policy. | ||||
| CVE-2021-4226 | 1 Rsjoomla | 1 Rsfirewall\! | 2025-04-21 | 9.8 Critical |
| RSFirewall tries to identify the original IP address by looking at different HTTP headers. A bypass is possible due to the way it is implemented. | ||||
| CVE-2017-11130 | 1 Stashcat | 1 Heinekingmedia | 2025-04-20 | N/A |
| An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop. The product's protocol only tries to ensure confidentiality. In the whole protocol, no integrity or authenticity checks are done. Therefore man-in-the-middle attackers can conduct replay attacks. | ||||
| CVE-2016-3016 | 1 Ibm | 6 Security Access Manager 9.0 Firmware, Security Access Manager For Mobile 8.0 Firmware, Security Access Manager For Mobile Appliance and 3 more | 2025-04-20 | N/A |
| IBM Security Access Manager for Web processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code, which could allow an authenticated attacker to load malicious code. | ||||
| CVE-2017-11103 | 5 Apple, Debian, Freebsd and 2 more | 6 Iphone Os, Mac Os X, Debian Linux and 3 more | 2025-04-20 | 8.1 High |
| Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. NOTE: this CVE is only for Heimdal and other products that embed Heimdal code; it does not apply to other instances in which this part of the Kerberos 5 protocol specification is violated. | ||||
| CVE-2017-11379 | 1 Trendmicro | 1 Deep Discovery Director | 2025-04-20 | N/A |
| Configuration and database backup archives are not signed or validated in Trend Micro Deep Discovery Director 1.1. | ||||
| CVE-2017-14604 | 3 Debian, Gnome, Redhat | 3 Debian Linux, Nautilus, Enterprise Linux | 2025-04-20 | 6.5 Medium |
| GNOME Nautilus before 3.23.90 allows attackers to spoof a file type by using the .desktop file extension, as demonstrated by an attack in which a .desktop file's Name field ends in .pdf but this file's Exec field launches a malicious "sh -c" command. In other words, Nautilus provides no UI indication that a file actually has the potentially unsafe .desktop extension; instead, the UI only shows the .pdf extension. One (slightly) mitigating factor is that an attack requires the .desktop file to have execute permission. The solution is to ask the user to confirm that the file is supposed to be treated as a .desktop file, and then remember the user's answer in the metadata::trusted field. | ||||
| CVE-2017-7674 | 2 Apache, Redhat | 3 Tomcat, Enterprise Linux, Jboss Enterprise Web Server | 2025-04-20 | N/A |
| The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. | ||||
| CVE-2017-7561 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2025-04-20 | N/A |
| Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is vulnerable to a server-side cache poisoning or CORS requests in the JAX-RS component resulting in a moderate impact. | ||||
| CVE-2017-9606 | 1 Infotecs | 2 Vipnet Client, Vipnet Coordinator | 2025-04-20 | N/A |
| Infotecs ViPNet Client and Coordinator before 4.3.2-42442 allow local users to gain privileges by placing a Trojan horse ViPNet update file in the update folder. The attack succeeds because of incorrect folder permissions in conjunction with a lack of integrity and authenticity checks. | ||||
| CVE-2017-3219 | 1 Acronis | 1 True Image | 2025-04-20 | N/A |
| Acronis True Image up to and including version 2017 Build 8053 performs software updates using HTTP. Downloaded updates are only verified using a server-provided MD5 hash. | ||||
| CVE-2017-3218 | 1 Samsung | 1 Magician | 2025-04-20 | N/A |
| Samsung Magician 5.0 fails to validate TLS certificates for HTTPS software update traffic. Prior to version 5.0, Samsung Magician uses HTTP for software updates. | ||||
| CVE-2017-11178 | 1 Finecms Project | 1 Finecms | 2025-04-20 | N/A |
| In FineCMS through 2017-07-11, application/core/controller/style.php allows remote attackers to write to arbitrary files via the contents and filename parameters in a route=style action. For example, this can be used to overwrite a .php file because the file extension is not checked. | ||||
| CVE-2017-13083 | 1 Rufus Project | 1 Rufus | 2025-04-20 | N/A |
| Akeo Consulting Rufus prior to version 2.17.1187 does not adequately validate the integrity of updates downloaded over HTTP, allowing an attacker to easily convince a user to execute arbitrary code | ||||
| CVE-2017-14091 | 1 Trendmicro | 1 Scanmail | 2025-04-20 | N/A |
| A vulnerability in Trend Micro ScanMail for Exchange 12.0 exists in which certain specific installations that utilize a uncommon feature - Other Update Sources - could be exploited to overwrite sensitive files in the ScanMail for Exchange directory. | ||||
| CVE-2017-12440 | 2 Openstack, Redhat | 2 Openstack, Openstack | 2025-04-20 | N/A |
| Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions by adding an alarm action with the scheme trust+http, and providing a trust id where Aodh is the trustee. | ||||
| CVE-2017-12740 | 1 Siemens | 1 Logo\! Soft Comfort | 2025-04-20 | N/A |
| Siemens LOGO! Soft Comfort (All versions before V8.2) lacks integrity verification of software packages downloaded via an unprotected communication channel. This could allow a remote attacker to manipulate the software package while performing a Man-in-the-Middle (MitM) attack. | ||||
| CVE-2017-12972 | 1 Connect2id | 1 Nimbus Jose\+jwt | 2025-04-20 | N/A |
| In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC. | ||||
| CVE-2017-0563 | 1 Linux | 1 Linux Kernel | 2025-04-20 | N/A |
| An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32089409. | ||||
| CVE-2017-10624 | 1 Juniper | 1 Junos Space | 2025-04-20 | N/A |
| Insufficient verification of node certificates in Juniper Networks Junos Space may allow a man-in-the-middle type of attacker to make unauthorized modifications to Space database or add nodes. Affected releases are Juniper Networks Junos Space all versions prior to 17.1R1. | ||||