Total
489 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-4435 | 1 Yarnpkg | 1 Yarn | 2024-02-13 | N/A | 7.8 HIGH |
| An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways. | |||||
| CVE-2024-22410 | 2 Gluwa, Microsoft | 2 Creditcoin, Windows | 2024-01-26 | N/A | 7.8 HIGH |
| Creditcoin is a network that enables cross-blockchain credit transactions. The Windows binary of the Creditcoin node loads a suite of DLLs provided by Microsoft at startup. If a malicious user has access to overwrite the program files directory it is possible to replace these DLLs and execute arbitrary code. It is the view of the blockchain development team that the threat posed by a hypothetical binary planting attack is minimal and represents a low-security risk. The vulnerable DLL files are from the Windows networking subsystem, the Visual C++ runtime, and low-level cryptographic primitives. Collectively these dependencies are required for a large ecosystem of applications, ranging from enterprise-level security applications to game engines, and don’t represent a fundamental lack of security or oversight in the design and implementation of Creditcoin. The blockchain team takes the stance that running Creditcoin on Windows is officially unsupported and at best should be thought of as experimental. | |||||
| CVE-2024-22190 | 1 Gitpython Project | 1 Gitpython | 2024-01-18 | N/A | 7.8 HIGH |
| GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41. | |||||
| CVE-2023-48670 | 1 Dell | 1 Supportassist For Home Pcs | 2024-01-02 | N/A | 7.8 HIGH |
| Dell SupportAssist for Home PCs version 3.14.1 and prior versions contain a privilege escalation vulnerability in the installer. A local low privileged authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary executable on the operating system with elevated privileges. | |||||
| CVE-2023-4736 | 2 Apple, Vim | 2 Macos, Vim | 2023-12-22 | N/A | 7.8 HIGH |
| Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833. | |||||
| CVE-2023-39202 | 1 Zoom | 2 Rooms, Virtual Desktop Infrastructure | 2023-11-21 | N/A | 5.5 MEDIUM |
| Untrusted search path in Zoom Rooms Client for Windows and Zoom VDI Client may allow a privileged user to conduct a denial of service via local access. | |||||
| CVE-2021-31841 | 1 Mcafee | 1 Mcafee Agent | 2023-11-15 | 6.9 MEDIUM | 7.3 HIGH |
| A DLL sideloading vulnerability in McAfee Agent for Windows prior to 5.7.4 could allow a local user to perform a DLL sideloading attack with an unsigned DLL with a specific name and in a specific location. This would result in the user gaining elevated permissions and the ability to execute arbitrary code as the system user, through not checking the DLL signature. | |||||
| CVE-2022-26183 | 2 Microsoft, Pnpm | 2 Windows, Pnpm | 2023-11-09 | 6.5 MEDIUM | 8.8 HIGH |
| PNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS. | |||||
| CVE-2023-41105 | 2 Netapp, Python | 2 Active Iq Unified Manager, Python | 2023-11-07 | N/A | 7.5 HIGH |
| An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x. | |||||
| CVE-2023-23618 | 1 Git For Windows Project | 1 Git For Windows | 2023-11-07 | N/A | 7.8 HIGH |
| Git for Windows is the Windows port of the revision control system Git. Prior to Git for Windows version 2.39.2, when `gitk` is run on Windows, it potentially runs executables from the current directory inadvertently, which can be exploited with some social engineering to trick users into running untrusted code. A patch is available in version 2.39.2. As a workaround, avoid using `gitk` (or Git GUI's "Visualize History" functionality) in clones of untrusted repositories. | |||||
| CVE-2022-43456 | 1 Intel | 1 Rapid Storage Technology | 2023-11-07 | N/A | 7.8 HIGH |
| Uncontrolled search path in some Intel(R) RST software before versions 16.8.5.1014.5, 17.11.3.1010.2, 18.7.6.1011.2 and 19.5.2.1049.5 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2022-26488 | 3 Microsoft, Netapp, Python | 4 Windows, Active Iq Unified Manager, Ontap Select Deploy Administration Utility and 1 more | 2023-11-07 | 4.4 MEDIUM | 7.0 HIGH |
| In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2. | |||||
| CVE-2022-25366 | 1 Cryptomator | 1 Cryptomator | 2023-11-07 | 4.6 MEDIUM | 7.8 HIGH |
| Cryptomator through 1.6.5 allows DYLIB injection because, although it has the flag 0x1000 for Hardened Runtime, it has the com.apple.security.cs.disable-library-validation and com.apple.security.cs.allow-dyld-environment-variables entitlements. An attacker can exploit this by creating a malicious .dylib file that can be executed via the DYLD_INSERT_LIBRARIES environment variable. | |||||
| CVE-2022-0074 | 1 Litespeedtech | 1 Openlitespeed | 2023-11-07 | N/A | 8.8 HIGH |
| Untrusted Search Path vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server Container allows Privilege Escalation. This affects versions from 1.6.15 before 1.7.16.1. | |||||
| CVE-2021-26556 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2023-11-07 | 4.4 MEDIUM | 7.8 HIGH |
| When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access. | |||||
| CVE-2021-26557 | 1 Octopus | 1 Tentacle | 2023-11-07 | 4.4 MEDIUM | 7.8 HIGH |
| When Octopus Tentacle is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access. | |||||
| CVE-2021-21078 | 3 Adobe, Apple, Microsoft | 3 Creative Cloud Desktop Application, Macos, Windows | 2023-11-07 | 4.4 MEDIUM | 6.5 MEDIUM |
| Adobe Creative Cloud Desktop Application version 5.3 (and earlier) is affected by an Unquoted Service Path vulnerability in CCXProcess that could allow an attacker to achieve arbitrary code execution in the process of the current user. Exploitation of this issue requires user interaction | |||||
| CVE-2020-8793 | 3 Canonical, Fedoraproject, Opensmtpd | 3 Ubuntu Linux, Fedora, Opensmtpd | 2023-11-07 | 4.7 MEDIUM | 4.7 MEDIUM |
| OpenSMTPD before 6.6.4 allows local users to read arbitrary files (e.g., on some Linux distributions) because of a combination of an untrusted search path in makemap.c and race conditions in the offline functionality in smtpd.c. | |||||
| CVE-2020-7260 | 1 Mcafee | 1 Application And Change Control | 2023-11-07 | 4.4 MEDIUM | 7.8 HIGH |
| DLL Side Loading vulnerability in the installer for McAfee Application and Change Control (MACC) prior to 8.3 allows local users to execute arbitrary code via execution from a compromised folder. | |||||
| CVE-2020-7279 | 1 Mcafee | 1 Host Intrusion Prevention | 2023-11-07 | 4.4 MEDIUM | 7.8 HIGH |
| DLL Search Order Hijacking Vulnerability in the installer component of McAfee Host Intrusion Prevention System (Host IPS) for Windows prior to 8.0.0 Patch 15 Update allows attackers with local access to execute arbitrary code via execution from a compromised folder. | |||||