Total: 275 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-45441 | 2 Microsoft, Trendmicro | 4 Windows, Apex One, Worry-free Business Security and 1 more | 2022-07-12 | 7.2 HIGH | 7.8 HIGH |
| An origin validation error vulnerability in Trend Micro Apex One (on-prem and SaaS) could allow a local attacker to drop and manipulate a specially crafted file to issue commands over a certain pipe and elevate to a higher level of privileges. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | |||||
| CVE-2021-46701 | 1 Premid | 1 Premid | 2022-07-12 | 6.4 MEDIUM | 6.5 MEDIUM |
| PreMiD 2.2.0 allows unintended access via the websocket transport. An attacker can receive events from a socket and emit events to a socket, potentially interfering with a victim's "now playing" status on Discord. | |||||
| CVE-2022-23763 | 2 Douzone, Microsoft | 2 Neors, Windows | 2022-07-11 | 6.8 MEDIUM | 8.8 HIGH |
| Origin validation error vulnerability in NeoRS's ActiveX module allows attackers to download and execute arbitrary files. Remote attackers can use this vulnerability to encourage users to access crafted web pages, causing damage such as malicious code infections. | |||||
| CVE-2019-5036 | 1 Google | 2 Nest Cam Iq Indoor, Nest Cam Iq Indoor Firmware | 2022-06-27 | 7.8 HIGH | 7.5 HIGH |
| An exploitable denial-of-service vulnerability exists in the Weave error reporting functionality of the Nest Cam IQ Indoor, version 4620002. Specially crafted Weave packets can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service. An attacker can send a specially crafted packet to trigger this vulnerability. | |||||
| CVE-2022-30228 | 1 Siemens | 1 Sicam Gridedge Essential | 2022-06-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability has been identified in SICAM GridEdge Essential ARM (All versions < V2.6.6), SICAM GridEdge Essential Intel (All versions < V2.6.6), SICAM GridEdge Essential with GDS ARM (All versions < V2.6.6), SICAM GridEdge Essential with GDS Intel (All versions < V2.6.6). The affected software does not apply cross-origin resource sharing (CORS) restrictions for critical operations. In case an attacker tricks a legitimate user into accessing a special resource a malicious request could be executed. | |||||
| CVE-2019-5062 | 1 W1.fi | 1 Hostapd | 2022-06-17 | 3.3 LOW | 6.5 MEDIUM |
| An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of service. | |||||
| CVE-2022-31024 | 1 Nextcloud | 1 Richdocuments | 2022-06-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| richdocuments is the repository for Nextcloud Collabora, the app for Nextcloud Office collaboration. Prior to versions 6.0.0, 5.0.4, and 4.2.6, a user could be tricked into working against a remote Office by sending them a federated share. richdocuments versions 6.0.0, 5.0.4 and 4.2.6 contain a fix for this issue. There are currently no known workarounds available. | |||||
| CVE-2022-25227 | 1 Cybelesoft | 1 Thinfinity Vnc | 2022-06-01 | 6.8 MEDIUM | 8.8 HIGH |
| Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browsing a malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE. | |||||
| CVE-2022-29818 | 1 Jetbrains | 1 Intellij Idea | 2022-05-05 | 3.6 LOW | 7.1 HIGH |
| In JetBrains IntelliJ IDEA before 2022.1, origin checks in the internal web server were flawed. | |||||
| CVE-2021-32985 | 1 Aveva | 1 System Platform | 2022-04-13 | 6.5 MEDIUM | 7.2 HIGH |
| AVEVA System Platform versions 2017 through 2020 R2 P01 do not properly verify that the source of data or communication is valid. | |||||
| CVE-2020-24772 | 1 Clash Project | 1 Clash | 2022-03-29 | 6.8 MEDIUM | 8.8 HIGH |
| In Dreamacro Clash for Windows v0.11.4, an attacker could embed a malicious iframe in a website with a crafted URL that would launch the Clash Windows client and force it to open a remote SMB share. Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking). | |||||
| CVE-2022-22594 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2022-03-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-origin issue in the IndexedDB API was addressed with improved input validation. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. A website may be able to track sensitive user information. | |||||
| CVE-2022-23032 | 1 F5 | 2 Big-ip Access Policy Manager, Big-ip Access Policy Manager Client | 2022-02-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| In all versions before 7.2.1.4, when proxy settings are configured in the network access resource of a BIG-IP APM system, connecting BIG-IP Edge Client on Mac and Windows is vulnerable to a DNS rebinding attack. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2021-39063 | 2 Ibm, Linux | 2 Spectrum Protect Plus, Linux Kernel | 2021-12-15 | 6.4 MEDIUM | 9.1 CRITICAL |
| IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information due to a misconfiguration in access control headers. IBM X-Force ID: 214956. | |||||
| CVE-2021-44935 | 1 Glfusion | 1 Glfusion | 2021-12-15 | 6.4 MEDIUM | 9.1 CRITICAL |
| glFusion CMS v1.7.9 is affected by an arbitrary user impersonation vulnerability in /public_html/comment.php. The attacker can complete the attack remotely without interaction. | |||||
| CVE-2021-43531 | 1 Mozilla | 1 Firefox | 2021-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
| When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked. If the Web Extension lacked the WebRequest permission for the hosts involved in the redirect, this would be a same-origin-violation leaking data the Web Extension should have access to. This was fixed to provide the pre-redirect URL. This is related to CVE-2021-43532 but in the context of Web Extensions. This vulnerability affects Firefox < 94. | |||||
| CVE-2019-8069 | 5 Adobe, Apple, Google and 2 more | 8 Flash Player, Flash Player Desktop Runtime, Macos and 5 more | 2021-11-22 | 10.0 HIGH | 9.8 CRITICAL |
| Adobe Flash Player 32.0.0.238 and earlier versions, 32.0.0.207 and earlier versions have a Same Origin Method Execution vulnerability. Successful exploitation could lead to Arbitrary Code Execution in the context of the current user. | |||||
| CVE-2021-38497 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2021-11-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2. | |||||
| CVE-2020-27969 | 1 Yandex | 1 Yandex Browser | 2021-09-22 | 7.5 HIGH | 7.3 HIGH |
| Yandex Browser for Android 20.8.4 allows remote attackers to perform SOP bypass and address bar spoofing. | |||||
| CVE-2021-39185 | 1 Typelevel | 1 Http4s | 2021-09-15 | 6.4 MEDIUM | 9.1 CRITICAL |
| Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null Origin Attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original `CORS` implementation and `CORSConfig` are deprecated. See the GitHub GHSA for more information, including code examples and workarounds. | |||||
