Total
477 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-9606 | 1 Infotecs | 2 Vipnet Client, Vipnet Coordinator | 2025-04-20 | N/A |
| Infotecs ViPNet Client and Coordinator before 4.3.2-42442 allow local users to gain privileges by placing a Trojan horse ViPNet update file in the update folder. The attack succeeds because of incorrect folder permissions in conjunction with a lack of integrity and authenticity checks. | ||||
| CVE-2017-3219 | 1 Acronis | 1 True Image | 2025-04-20 | N/A |
| Acronis True Image up to and including version 2017 Build 8053 performs software updates using HTTP. Downloaded updates are only verified using a server-provided MD5 hash. | ||||
| CVE-2017-14604 | 3 Debian, Gnome, Redhat | 3 Debian Linux, Nautilus, Enterprise Linux | 2025-04-20 | 6.5 Medium |
| GNOME Nautilus before 3.23.90 allows attackers to spoof a file type by using the .desktop file extension, as demonstrated by an attack in which a .desktop file's Name field ends in .pdf but this file's Exec field launches a malicious "sh -c" command. In other words, Nautilus provides no UI indication that a file actually has the potentially unsafe .desktop extension; instead, the UI only shows the .pdf extension. One (slightly) mitigating factor is that an attack requires the .desktop file to have execute permission. The solution is to ask the user to confirm that the file is supposed to be treated as a .desktop file, and then remember the user's answer in the metadata::trusted field. | ||||
| CVE-2017-3218 | 1 Samsung | 1 Magician | 2025-04-20 | N/A |
| Samsung Magician 5.0 fails to validate TLS certificates for HTTPS software update traffic. Prior to version 5.0, Samsung Magician uses HTTP for software updates. | ||||
| CVE-2017-11103 | 5 Apple, Debian, Freebsd and 2 more | 6 Iphone Os, Mac Os X, Debian Linux and 3 more | 2025-04-20 | 8.1 High |
| Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. NOTE: this CVE is only for Heimdal and other products that embed Heimdal code; it does not apply to other instances in which this part of the Kerberos 5 protocol specification is violated. | ||||
| CVE-2024-12369 | 1 Redhat | 2 Build Keycloak, Jboss Enterprise Application Platform | 2025-04-17 | 4.2 Medium |
| A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack. | ||||
| CVE-2022-41960 | 1 Bigbluebutton | 1 Bigbluebutton | 2025-04-17 | 4.3 Medium |
| BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds. | ||||
| CVE-2022-41961 | 1 Bigbluebutton | 1 Bigbluebutton | 2025-04-17 | 4.3 Medium |
| BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered users from the same extId. This issue has been fixed by improving permissions such that banning a user removes all users related to their extId, including registered users that have not joined the meeting. This issue is patched in versions 2.4-rc-6 and 2.5-alpha-1. There are no workarounds. | ||||
| CVE-2022-46422 | 1 Netgear | 2 Wnr2000, Wnr2000 Firmware | 2025-04-17 | 4.8 Medium |
| An issue in Netgear WNR2000 v1 1.2.3.7 and earlier allows authenticated attackers to cause a Denial of Service (DoS) via uploading a crafted firmware image during the firmware update process. | ||||
| CVE-2022-46139 | 1 Tp-link | 2 Tl-wr940n V4, Tl-wr940n V4 Firmware | 2025-04-17 | 6.5 Medium |
| TP-Link TL-WR940N V4 3.16.9 and earlier allows authenticated attackers to cause a Denial of Service (DoS) via uploading a crafted firmware image during the firmware update process. | ||||
| CVE-2022-38873 | 1 Dlink | 18 Dap-2310, Dap-2310 Firmware, Dap-2330 and 15 more | 2025-04-17 | 7.5 High |
| D-Link devices DAP-2310 v2.10rc036 and earlier, DAP-2330 v1.06rc020 and earlier, DAP-2360 v2.10rc050 and earlier, DAP-2553 v3.10rc031 and earlier, DAP-2660 v1.15rc093 and earlier, DAP-2690 v3.20rc106 and earlier, DAP-2695 v1.20rc119_beta31 and earlier, DAP-3320 v1.05rc027 beta and earlier, DAP-3662 v1.05rc047 and earlier allows attackers to cause a Denial of Service (DoS) via uploading a crafted firmware after modifying the firmware header. | ||||
| CVE-2023-22955 | 2 Audiocodes, Audiocodes Ltd | 7 405hd, 405hd Firmware, 445hd and 4 more | 2025-04-17 | 7.8 High |
| An issue was discovered on AudioCodes VoIP desk phones through 3.4.4.1000. The validation of firmware images only consists of simple checksum checks for different firmware components. Thus, by knowing how to calculate and where to store the required checksums for the flasher tool, an attacker is able to store malicious firmware. | ||||
| CVE-2022-26516 | 1 Redlion | 2 Da50n, Da50n Firmware | 2025-04-16 | 8.4 High |
| Authorized users may install a maliciously modified package file when updating the device via the web user interface. The user may inadvertently use a package file obtained from an unauthorized source or a file that was compromised between download and deployment. | ||||
| CVE-2022-3703 | 1 Etictelecom | 14 Ras-c-100-lw, Ras-e-100, Ras-e-220 and 11 more | 2025-04-16 | 7.6 High |
| All versions of ETIC Telecom Remote Access Server (RAS) 4.5.0 and prior’s web portal is vulnerable to accepting malicious firmware packages that could provide a backdoor to an attacker and provide privilege escalation to the device. | ||||
| CVE-2022-2789 | 1 Emerson | 1 Electric\'s Proficy | 2025-04-16 | 4.7 Medium |
| Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-345 Insufficient Verification of Data Authenticity, and can display logic that is different than the compiled logic. | ||||
| CVE-2022-2793 | 1 Emerson | 1 Electric\'s Proficy | 2025-04-16 | 5.9 Medium |
| Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulenrable to CWE-353 Missing Support for Integrity Check, and has no authentication or authorization of data packets after establishing a connection for the SRTP protocol. | ||||
| CVE-2025-27680 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-04-16 | 9.1 Critical |
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 1.0.750 Application 20.0.1442 allows Insecure Firmware Image with Insufficient Verification of Data Authenticity V-2024-004. | ||||
| CVE-2022-22757 | 1 Mozilla | 1 Firefox | 2025-04-16 | 6.5 Medium |
| Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it. <br>*This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.*. This vulnerability affects Firefox < 97. | ||||
| CVE-2022-36315 | 1 Mozilla | 1 Firefox | 2025-04-15 | 4.3 Medium |
| When loading a script with Subresource Integrity, attackers with an injection capability could trigger the reuse of previously cached entries with incorrect, different integrity metadata. This vulnerability affects Firefox < 103. | ||||
| CVE-2022-34471 | 1 Mozilla | 1 Firefox | 2025-04-15 | 6.5 Medium |
| When downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest. If the manifest had been tampered with on the server, an attacker could trick the browser into downgrading the addon to a prior version. This vulnerability affects Firefox < 102. | ||||