Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2016-4553

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-10 May, 2016 | 19:00
Updated At-06 Aug, 2024 | 00:32
Rejected At-
Credits

client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remote attackers to conduct cache-poisoning attacks via an HTTP request.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:10 May, 2016 | 19:00
Updated At:06 Aug, 2024 | 00:32
Rejected At:
▼CVE Numbering Authority (CNA)

client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remote attackers to conduct cache-poisoning attacks via an HTTP request.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://security.gentoo.org/glsa/201607-01
vendor-advisory
x_refsource_GENTOO
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
x_refsource_CONFIRM
http://bugs.squid-cache.org/show_bug.cgi?id=4501
x_refsource_CONFIRM
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html
vendor-advisory
x_refsource_SUSE
http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
x_refsource_CONFIRM
http://www.ubuntu.com/usn/USN-2995-1
vendor-advisory
x_refsource_UBUNTU
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch
x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2016:1140
vendor-advisory
x_refsource_REDHAT
http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html
vendor-advisory
x_refsource_SUSE
https://access.redhat.com/errata/RHSA-2016:1139
vendor-advisory
x_refsource_REDHAT
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html
vendor-advisory
x_refsource_SUSE
http://www.securitytracker.com/id/1035768
vdb-entry
x_refsource_SECTRACK
http://www.debian.org/security/2016/dsa-3625
vendor-advisory
x_refsource_DEBIAN
Hyperlink: https://security.gentoo.org/glsa/201607-01
Resource:
vendor-advisory
x_refsource_GENTOO
Hyperlink: http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
Resource:
x_refsource_CONFIRM
Hyperlink: http://bugs.squid-cache.org/show_bug.cgi?id=4501
Resource:
x_refsource_CONFIRM
Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html
Resource:
vendor-advisory
x_refsource_SUSE
Hyperlink: http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
Resource:
x_refsource_CONFIRM
Hyperlink: http://www.ubuntu.com/usn/USN-2995-1
Resource:
vendor-advisory
x_refsource_UBUNTU
Hyperlink: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch
Resource:
x_refsource_CONFIRM
Hyperlink: https://access.redhat.com/errata/RHSA-2016:1140
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html
Resource:
vendor-advisory
x_refsource_SUSE
Hyperlink: https://access.redhat.com/errata/RHSA-2016:1139
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html
Resource:
vendor-advisory
x_refsource_SUSE
Hyperlink: http://www.securitytracker.com/id/1035768
Resource:
vdb-entry
x_refsource_SECTRACK
Hyperlink: http://www.debian.org/security/2016/dsa-3625
Resource:
vendor-advisory
x_refsource_DEBIAN
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://security.gentoo.org/glsa/201607-01
vendor-advisory
x_refsource_GENTOO
x_transferred
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
x_refsource_CONFIRM
x_transferred
http://bugs.squid-cache.org/show_bug.cgi?id=4501
x_refsource_CONFIRM
x_transferred
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html
vendor-advisory
x_refsource_SUSE
x_transferred
http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
x_refsource_CONFIRM
x_transferred
http://www.ubuntu.com/usn/USN-2995-1
vendor-advisory
x_refsource_UBUNTU
x_transferred
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch
x_refsource_CONFIRM
x_transferred
https://access.redhat.com/errata/RHSA-2016:1140
vendor-advisory
x_refsource_REDHAT
x_transferred
http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html
vendor-advisory
x_refsource_SUSE
x_transferred
https://access.redhat.com/errata/RHSA-2016:1139
vendor-advisory
x_refsource_REDHAT
x_transferred
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html
vendor-advisory
x_refsource_SUSE
x_transferred
http://www.securitytracker.com/id/1035768
vdb-entry
x_refsource_SECTRACK
x_transferred
http://www.debian.org/security/2016/dsa-3625
vendor-advisory
x_refsource_DEBIAN
x_transferred
Hyperlink: https://security.gentoo.org/glsa/201607-01
Resource:
vendor-advisory
x_refsource_GENTOO
x_transferred
Hyperlink: http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://bugs.squid-cache.org/show_bug.cgi?id=4501
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html
Resource:
vendor-advisory
x_refsource_SUSE
x_transferred
Hyperlink: http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://www.ubuntu.com/usn/USN-2995-1
Resource:
vendor-advisory
x_refsource_UBUNTU
x_transferred
Hyperlink: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://access.redhat.com/errata/RHSA-2016:1140
Resource:
vendor-advisory
x_refsource_REDHAT
x_transferred
Hyperlink: http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html
Resource:
vendor-advisory
x_refsource_SUSE
x_transferred
Hyperlink: https://access.redhat.com/errata/RHSA-2016:1139
Resource:
vendor-advisory
x_refsource_REDHAT
x_transferred
Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html
Resource:
vendor-advisory
x_refsource_SUSE
x_transferred
Hyperlink: http://www.securitytracker.com/id/1035768
Resource:
vdb-entry
x_refsource_SECTRACK
x_transferred
Hyperlink: http://www.debian.org/security/2016/dsa-3625
Resource:
vendor-advisory
x_refsource_DEBIAN
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:10 May, 2016 | 19:59
Updated At:12 Apr, 2025 | 10:46

client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remote attackers to conduct cache-poisoning attacks via an HTTP request.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.08.6HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Primary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N
Type: Primary
Version: 3.0
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Type: Primary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N
CPE Matches

Canonical Ltd.
canonical
>>ubuntu_linux>>12.04
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
Canonical Ltd.
canonical
>>ubuntu_linux>>14.04
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
Canonical Ltd.
canonical
>>ubuntu_linux>>15.10
cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
Canonical Ltd.
canonical
>>ubuntu_linux>>16.04
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Squid Cache
squid-cache
>>squid>>Versions up to 3.5.17(inclusive)
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
Squid Cache
squid-cache
>>squid>>4.0.1
cpe:2.3:a:squid-cache:squid:4.0.1:*:*:*:*:*:*:*
Squid Cache
squid-cache
>>squid>>4.0.2
cpe:2.3:a:squid-cache:squid:4.0.2:*:*:*:*:*:*:*
Squid Cache
squid-cache
>>squid>>4.0.3
cpe:2.3:a:squid-cache:squid:4.0.3:*:*:*:*:*:*:*
Squid Cache
squid-cache
>>squid>>4.0.4
cpe:2.3:a:squid-cache:squid:4.0.4:*:*:*:*:*:*:*
Squid Cache
squid-cache
>>squid>>4.0.5
cpe:2.3:a:squid-cache:squid:4.0.5:*:*:*:*:*:*:*
Squid Cache
squid-cache
>>squid>>4.0.6
cpe:2.3:a:squid-cache:squid:4.0.6:*:*:*:*:*:*:*
Squid Cache
squid-cache
>>squid>>4.0.7
cpe:2.3:a:squid-cache:squid:4.0.7:*:*:*:*:*:*:*
Squid Cache
squid-cache
>>squid>>4.0.8
cpe:2.3:a:squid-cache:squid:4.0.8:*:*:*:*:*:*:*
Squid Cache
squid-cache
>>squid>>4.0.9
cpe:2.3:a:squid-cache:squid:4.0.9:*:*:*:*:*:*:*
Oracle Corporation
oracle
>>linux>>7
cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-345Primarynvd@nist.gov
CWE ID: CWE-345
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
http://bugs.squid-cache.org/show_bug.cgi?id=4501cve@mitre.org
Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.htmlcve@mitre.org
N/A
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.htmlcve@mitre.org
N/A
http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.htmlcve@mitre.org
N/A
http://www.debian.org/security/2016/dsa-3625cve@mitre.org
N/A
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.htmlcve@mitre.org
Third Party Advisory
http://www.securitytracker.com/id/1035768cve@mitre.org
Third Party Advisory
http://www.squid-cache.org/Advisories/SQUID-2016_7.txtcve@mitre.org
Vendor Advisory
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patchcve@mitre.org
N/A
http://www.ubuntu.com/usn/USN-2995-1cve@mitre.org
Third Party Advisory
https://access.redhat.com/errata/RHSA-2016:1139cve@mitre.org
N/A
https://access.redhat.com/errata/RHSA-2016:1140cve@mitre.org
N/A
https://security.gentoo.org/glsa/201607-01cve@mitre.org
N/A
http://bugs.squid-cache.org/show_bug.cgi?id=4501af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.htmlaf854a3a-2127-422b-91ae-364da2661108
N/A
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.htmlaf854a3a-2127-422b-91ae-364da2661108
N/A
http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.htmlaf854a3a-2127-422b-91ae-364da2661108
N/A
http://www.debian.org/security/2016/dsa-3625af854a3a-2127-422b-91ae-364da2661108
N/A
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.htmlaf854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
http://www.securitytracker.com/id/1035768af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
http://www.squid-cache.org/Advisories/SQUID-2016_7.txtaf854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patchaf854a3a-2127-422b-91ae-364da2661108
N/A
http://www.ubuntu.com/usn/USN-2995-1af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://access.redhat.com/errata/RHSA-2016:1139af854a3a-2127-422b-91ae-364da2661108
N/A
https://access.redhat.com/errata/RHSA-2016:1140af854a3a-2127-422b-91ae-364da2661108
N/A
https://security.gentoo.org/glsa/201607-01af854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: http://bugs.squid-cache.org/show_bug.cgi?id=4501
Source: cve@mitre.org
Resource:
Vendor Advisory
Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://www.debian.org/security/2016/dsa-3625
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
Source: cve@mitre.org
Resource:
Third Party Advisory
Hyperlink: http://www.securitytracker.com/id/1035768
Source: cve@mitre.org
Resource:
Third Party Advisory
Hyperlink: http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
Source: cve@mitre.org
Resource:
Vendor Advisory
Hyperlink: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://www.ubuntu.com/usn/USN-2995-1
Source: cve@mitre.org
Resource:
Third Party Advisory
Hyperlink: https://access.redhat.com/errata/RHSA-2016:1139
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://access.redhat.com/errata/RHSA-2016:1140
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://security.gentoo.org/glsa/201607-01
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://bugs.squid-cache.org/show_bug.cgi?id=4501
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory
Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://www.debian.org/security/2016/dsa-3625
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
Hyperlink: http://www.securitytracker.com/id/1035768
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
Hyperlink: http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory
Hyperlink: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://www.ubuntu.com/usn/USN-2995-1
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
Hyperlink: https://access.redhat.com/errata/RHSA-2016:1139
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://access.redhat.com/errata/RHSA-2016:1140
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://security.gentoo.org/glsa/201607-01
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

256Records found

CVE-2018-2934
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-5.3||MEDIUM
EPSS-0.41% / 60.49%
||
7 Day CHG~0.00%
Published-18 Jul, 2018 | 13:00
Updated-05 Aug, 2024 | 04:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle Application Object Library component of Oracle E-Business Suite (subcomponent: Attachments / File Upload). The supported version that is affected is 12.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Object Library. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Object Library accessible data. CVSS 3.0 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-e-business_suiteApplication Object Library
CWE ID-CWE-665
Improper Initialization
CVE-2018-3244
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-5.3||MEDIUM
EPSS-2.09% / 83.33%
||
7 Day CHG~0.00%
Published-17 Oct, 2018 | 01:00
Updated-02 Oct, 2024 | 19:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle Application Object Library component of Oracle E-Business Suite (subcomponent: Attachments / File Upload). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 and 12.2.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Object Library. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Object Library accessible data. CVSS 3.0 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-application_object_libraryApplication Object Library
CVE-2015-4909
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-5||MEDIUM
EPSS-0.31% / 53.74%
||
7 Day CHG~0.00%
Published-21 Oct, 2015 | 23:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.4.0, 12.1.2.0.0, and 12.1.3.0.0 allows remote attackers to affect integrity via vectors related to ADF Faces.

Action-Not Available
Vendor-n/aOracle Corporation
Product-fusion_middlewaren/a
CVE-2015-5252
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7.2||HIGH
EPSS-16.00% / 94.51%
||
7 Day CHG~0.00%
Published-29 Dec, 2015 | 22:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, when share names with certain substring relationships exist, allows remote attackers to bypass intended file-access restrictions via a symlink that points outside of a share.

Action-Not Available
Vendor-n/aSambaDebian GNU/LinuxCanonical Ltd.
Product-debian_linuxubuntu_linuxsamban/a
CVE-2015-4478
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-5||MEDIUM
EPSS-1.26% / 78.62%
||
7 Day CHG~0.00%
Published-16 Aug, 2015 | 01:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 do not impose certain ECMAScript 6 requirements on JavaScript object properties, which allows remote attackers to bypass the Same Origin Policy via the reviver parameter to the JSON.parse method.

Action-Not Available
Vendor-n/aMozilla CorporationopenSUSECanonical Ltd.
Product-firefoxopensuseubuntu_linuxn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-3148
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5||MEDIUM
EPSS-1.44% / 79.94%
||
7 Day CHG~0.00%
Published-24 Apr, 2015 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.

Action-Not Available
Vendor-n/aopenSUSEFedora ProjectApple Inc.Debian GNU/LinuxHP Inc.Canonical Ltd.CURL
Product-libcurlsystem_management_homepagefedoraopensuseubuntu_linuxcurldebian_linuxmac_os_xn/a
CWE ID-CWE-284
Improper Access Control
CVE-2015-3143
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5||MEDIUM
EPSS-1.77% / 81.87%
||
7 Day CHG~0.00%
Published-24 Apr, 2015 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.

Action-Not Available
Vendor-n/aApple Inc.Debian GNU/LinuxHP Inc.Canonical Ltd.CURL
Product-libcurlsystem_management_homepageubuntu_linuxcurldebian_linuxmac_os_xn/a
CVE-2015-2652
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-5||MEDIUM
EPSS-0.37% / 57.86%
||
7 Day CHG~0.00%
Published-16 Jul, 2015 | 10:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the Oracle Marketing component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via unknown vectors related to Web Management.

Action-Not Available
Vendor-n/aOracle Corporation
Product-e-business_suiten/a
CVE-2013-1485
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-5||MEDIUM
EPSS-0.59% / 68.15%
||
7 Day CHG~0.00%
Published-20 Feb, 2013 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 13 and earlier allows remote attackers to affect integrity via unknown vectors related to Libraries.

Action-Not Available
Vendor-n/aOracle Corporation
Product-jrejdkn/a
CVE-2015-1235
Matching Score-8
Assigner-Chrome
ShareView Details
Matching Score-8
Assigner-Chrome
CVSS Score-5||MEDIUM
EPSS-0.96% / 75.58%
||
7 Day CHG~0.00%
Published-19 Apr, 2015 | 10:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ContainerNode::parserRemoveChild function in core/dom/ContainerNode.cpp in the HTML parser in Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to bypass the Same Origin Policy via a crafted HTML document with an IFRAME element.

Action-Not Available
Vendor-n/aGoogle LLCDebian GNU/LinuxCanonical Ltd.
Product-debian_linuxubuntu_linuxchromen/a
CVE-2015-1229
Matching Score-8
Assigner-Chrome
ShareView Details
Matching Score-8
Assigner-Chrome
CVSS Score-5||MEDIUM
EPSS-0.32% / 54.17%
||
7 Day CHG~0.00%
Published-09 Mar, 2015 | 00:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

net/http/proxy_client_socket.cc in Google Chrome before 41.0.2272.76 does not properly handle a 407 (aka Proxy Authentication Required) HTTP status code accompanied by a Set-Cookie header, which allows remote proxy servers to conduct cookie-injection attacks via a crafted response.

Action-Not Available
Vendor-n/aRed Hat, Inc.Google LLCCanonical Ltd.
Product-enterprise_linux_serverenterprise_linux_workstation_supplementaryubuntu_linuxchromeenterprise_linux_server_supplementary_eusenterprise_linux_desktop_supplementaryn/a
CVE-2014-6515
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-5||MEDIUM
EPSS-3.12% / 86.32%
||
7 Day CHG~0.00%
Published-15 Oct, 2014 | 22:03
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment.

Action-Not Available
Vendor-n/aOracle Corporation
Product-jrejdkn/a
CVE-2015-0832
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-5||MEDIUM
EPSS-0.14% / 33.95%
||
7 Day CHG~0.00%
Published-25 Feb, 2015 | 11:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mozilla Firefox before 36.0 does not properly recognize the equivalence of domain names with and without a trailing . (dot) character, which allows man-in-the-middle attackers to bypass the HPKP and HSTS protection mechanisms by constructing a URL with this character and leveraging access to an X.509 certificate for a domain with this character.

Action-Not Available
Vendor-n/aMozilla CorporationopenSUSECanonical Ltd.
Product-firefoxopensuseubuntu_linuxn/a
CVE-2015-0440
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-5||MEDIUM
EPSS-0.31% / 53.74%
||
7 Day CHG~0.00%
Published-16 Apr, 2015 | 16:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the Oracle Knowledge component in Oracle Right Now Service Cloud 8.2.3.10.1 and 8.4.7.2 allows remote attackers to affect integrity via unknown vectors related to Information Manager Console.

Action-Not Available
Vendor-n/aOracle Corporation
Product-right_now_service_cloudn/a
CVE-2015-0449
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-5||MEDIUM
EPSS-0.35% / 56.62%
||
7 Day CHG~0.00%
Published-16 Apr, 2015 | 16:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect integrity via unknown vectors related to Console.

Action-Not Available
Vendor-n/aOracle Corporation
Product-fusion_middlewaren/a
CVE-2018-6914
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.07% / 83.24%
||
7 Day CHG~0.00%
Published-03 Apr, 2018 | 22:00
Updated-05 Aug, 2024 | 06:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 might allow attackers to create arbitrary directories or files via a .. (dot dot) in the prefix argument.

Action-Not Available
Vendor-n/aDebian GNU/LinuxCanonical Ltd.RubyRed Hat, Inc.
Product-ubuntu_linuxdebian_linuxrubyenterprise_linuxn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2014-8160
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5||MEDIUM
EPSS-2.45% / 84.59%
||
7 Day CHG~0.00%
Published-02 Mar, 2015 | 11:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disallowed port numbers.

Action-Not Available
Vendor-n/aopenSUSELinux Kernel Organization, IncSUSERed Hat, Inc.Debian GNU/LinuxCanonical Ltd.
Product-enterprise_linux_serverenterprise_linux_server_auslinux_kernelopensuseenterprise_linux_desktopubuntu_linuxlinux_enterprise_real_time_extensionenterprise_linux_server_eusenterprise_linux_server_tuslinux_enterprise_desktopenterprise_linux_workstationlinux_enterprise_workstation_extensiondebian_linuxlinux_enterprise_serverlinux_enterprise_software_development_kitn/a
CWE ID-CWE-20
Improper Input Validation
CVE-2014-6476
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-5||MEDIUM
EPSS-2.95% / 85.93%
||
7 Day CHG~0.00%
Published-15 Oct, 2014 | 15:15
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6527.

Action-Not Available
Vendor-n/aOracle Corporation
Product-jrejdkn/a
CVE-2018-5173
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.93% / 75.13%
||
7 Day CHG~0.00%
Published-11 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 05:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The filename appearing in the "Downloads" panel improperly renders some Unicode characters, allowing for the file name to be spoofed. This can be used to obscure the file extension of potentially executable files from user view in the panel. Note: the dialog to open the file will show the full, correct filename and whether it is executable or not. This vulnerability affects Firefox < 60.

Action-Not Available
Vendor-Mozilla CorporationCanonical Ltd.
Product-firefoxubuntu_linuxFirefox
CWE ID-CWE-20
Improper Input Validation
CVE-2021-30641
Matching Score-8
Assigner-Apache Software Foundation
ShareView Details
Matching Score-8
Assigner-Apache Software Foundation
CVSS Score-5.3||MEDIUM
EPSS-20.87% / 95.41%
||
7 Day CHG~0.00%
Published-10 Jun, 2021 | 07:10
Updated-03 Aug, 2024 | 22:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unexpected URL matching with 'MergeSlashes OFF'

Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'

Action-Not Available
Vendor-The Apache Software FoundationFedora ProjectDebian GNU/LinuxOracle Corporation
Product-http_serverdebian_linuxinstantis_enterprisetrackfedorazfs_storage_appliance_kitenterprise_manager_ops_centerApache HTTP Server
CVE-2010-0904
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-5||MEDIUM
EPSS-88.04% / 99.45%
||
7 Day CHG~0.00%
Published-13 Jul, 2010 | 22:07
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote attackers to affect integrity via unknown vectors.

Action-Not Available
Vendor-n/aOracle Corporation
Product-secure_backupn/a
CVE-2013-1519
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-5||MEDIUM
EPSS-0.40% / 59.66%
||
7 Day CHG~0.00%
Published-17 Apr, 2013 | 12:10
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the Application Express component in Oracle Database Server before 4.2.1 allows remote attackers to affect integrity via unknown vectors.

Action-Not Available
Vendor-n/aOracle Corporation
Product-database_servern/a
CVE-2020-5359
Matching Score-8
Assigner-Dell
ShareView Details
Matching Score-8
Assigner-Dell
CVSS Score-5.8||MEDIUM
EPSS-0.42% / 61.10%
||
7 Day CHG~0.00%
Published-16 Dec, 2020 | 15:50
Updated-16 Sep, 2024 | 22:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell BSAFE Micro Edition Suite, versions prior to 4.5, are vulnerable to an Unchecked Return Value Vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability to modify and corrupt the encrypted data.

Action-Not Available
Vendor-Oracle CorporationDell Inc.
Product-bsafe_micro-edition-suitedatabaseweblogic_server_proxy_plug-inDell BSAFE Micro Edition Suite
CWE ID-CWE-544
Missing Standardized Error Handling Mechanism
CWE ID-CWE-252
Unchecked Return Value
CVE-2020-3811
Matching Score-8
Assigner-Debian GNU/Linux
ShareView Details
Matching Score-8
Assigner-Debian GNU/Linux
CVSS Score-7.5||HIGH
EPSS-0.38% / 58.39%
||
7 Day CHG~0.00%
Published-26 May, 2020 | 13:04
Updated-17 Sep, 2024 | 00:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

qmail-verify as used in netqmail 1.06 is prone to a mail-address verification bypass vulnerability.

Action-Not Available
Vendor-netqmailCanonical Ltd.Debian GNU/Linux
Product-ubuntu_linuxnetqmaildebian_linuxnetqmail
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-665
Improper Initialization
CVE-2014-4218
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-5||MEDIUM
EPSS-1.56% / 80.77%
||
7 Day CHG~0.00%
Published-17 Jul, 2014 | 02:36
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Libraries.

Action-Not Available
Vendor-n/aOracle Corporation
Product-jrejdkn/a
CVE-2017-7829
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-5.3||MEDIUM
EPSS-1.57% / 80.78%
||
7 Day CHG~0.00%
Published-11 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It is possible to spoof the sender's email address and display an arbitrary sender address to the email recipient. The real sender's address is not displayed if preceded by a null character in the display string. This vulnerability affects Thunderbird < 52.5.2.

Action-Not Available
Vendor-Canonical Ltd.Red Hat, Inc.Mozilla CorporationDebian GNU/Linux
Product-enterprise_linux_serverubuntu_linuxthunderbirddebian_linuxenterprise_linux_workstationenterprise_linux_ausenterprise_linux_eusenterprise_linux_desktopThunderbird
CWE ID-CWE-20
Improper Input Validation
CVE-2021-22947
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-5.9||MEDIUM
EPSS-0.09% / 25.89%
||
7 Day CHG~0.00%
Published-29 Sep, 2021 | 00:00
Updated-03 Aug, 2024 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.

Action-Not Available
Vendor-n/aNetApp, Inc.Debian GNU/LinuxOracle CorporationSiemens AGSplunk LLC (Cisco Systems, Inc.)Apple Inc.CURLFedora Project
Product-peoplesoft_enterprise_peopletoolscommunications_cloud_native_core_consolecommunications_cloud_native_core_network_function_cloud_native_environmentcloud_backuph300s_firmwareh410smacoscurlh300ssolidfire_baseboard_management_controllerh300e_firmwaresinec_infrastructure_network_servicesclustered_data_ontaph500efedorah500s_firmwareh500e_firmwarecommunications_cloud_native_core_binding_support_functionh700eh300ecommunications_cloud_native_core_service_communication_proxycommunications_cloud_native_core_network_slice_selection_functioncommunications_cloud_native_core_security_edge_protection_proxyh500scommunications_cloud_native_core_network_repository_functionuniversal_forwarderdebian_linuxh410s_firmwareh700s_firmwareh700e_firmwaresolidfire_baseboard_management_controller_firmwareh700scommerce_guided_searchmysql_serverhttps://github.com/curl/curl
CWE ID-CWE-310
Not Available
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2020-16122
Matching Score-6
Assigner-Canonical Ltd.
ShareView Details
Matching Score-6
Assigner-Canonical Ltd.
CVSS Score-8.2||HIGH
EPSS-0.08% / 24.42%
||
7 Day CHG~0.00%
Published-07 Nov, 2020 | 04:10
Updated-16 Sep, 2024 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Packagekit's apt backend lets user install untrusted local packages

PackageKit's apt backend mistakenly treated all local debs as trusted. The apt security model is based on repository trust and not on the contents of individual files. On sites with configured PolicyKit rules this may allow users to install malicious packages.

Action-Not Available
Vendor-packagekit_projectPackageKitCanonical Ltd.
Product-packagekitubuntu_linuxpackagekit
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2020-12406
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-8.8||HIGH
EPSS-0.34% / 56.15%
||
7 Day CHG~0.00%
Published-09 Jul, 2020 | 14:45
Updated-04 Aug, 2024 | 11:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mozilla Developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

Action-Not Available
Vendor-Mozilla CorporationCanonical Ltd.
Product-firefoxubuntu_linuxthunderbirdfirefox_esrThunderbirdFirefox ESRFirefox
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2019-11235
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-6.66% / 90.84%
||
7 Day CHG~0.00%
Published-21 Apr, 2019 | 16:40
Updated-04 Aug, 2024 | 22:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection mechanism, aka a "Dragonblood" issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.

Action-Not Available
Vendor-n/aFreeRADIUSRed Hat, Inc.openSUSEFedora ProjectCanonical Ltd.
Product-enterprise_linux_serverubuntu_linuxfreeradiusenterprise_linux_server_ausenterprise_linux_workstationfedoraenterprise_linuxenterprise_linux_eusenterprise_linux_server_tusleapn/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2019-11480
Matching Score-6
Assigner-Canonical Ltd.
ShareView Details
Matching Score-6
Assigner-Canonical Ltd.
CVSS Score-8.4||HIGH
EPSS-0.43% / 61.45%
||
7 Day CHG~0.00%
Published-14 Apr, 2020 | 02:10
Updated-16 Sep, 2024 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ubuntu kernel snap build process could use unauthenticated sources

The pc-kernel snap build process hardcoded the --allow-insecure-repositories and --allow-unauthenticated apt options when creating the build chroot environment. This could allow an attacker who is able to perform a MITM attack between the build environment and the Ubuntu archive to install a malicious package within the build chroot. This issue affects pc-kernel versions prior to and including 2019-07-16

Action-Not Available
Vendor-Canonical Ltd.
Product-c-kernelpc-kernel
CWE ID-CWE-353
Missing Support for Integrity Check
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2015-0251
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4||MEDIUM
EPSS-0.77% / 72.59%
||
7 Day CHG~0.00%
Published-08 Apr, 2015 | 18:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 through 1.8.11 allows remote authenticated users to spoof the svn:author property via a crafted v1 HTTP protocol request sequences.

Action-Not Available
Vendor-n/aopenSUSEThe Apache Software FoundationRed Hat, Inc.Apple Inc.Oracle Corporation
Product-enterprise_linux_serversolarisenterprise_linux_hpc_nodeopensuseenterprise_linux_desktopenterprise_linux_server_eussubversionenterprise_linux_workstationxcoden/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2016-3983
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.18% / 39.86%
||
7 Day CHG~0.00%
Published-08 Apr, 2016 | 15:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

McAfee Advanced Threat Defense (ATD) before 3.4.8.178 might allow remote attackers to bypass malware detection by leveraging information about the parent process.

Action-Not Available
Vendor-n/aMcAfee, LLC
Product-advanced_threat_defensen/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2019-11737
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.13% / 33.70%
||
7 Day CHG~0.00%
Published-27 Sep, 2019 | 17:20
Updated-04 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly applied to content. This vulnerability affects Firefox < 69.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2018-10080
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.6||HIGH
EPSS-0.11% / 29.48%
||
7 Day CHG~0.00%
Published-13 Apr, 2018 | 04:00
Updated-16 Sep, 2024 | 23:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Secutech RiS-11, RiS-22, and RiS-33 devices with firmware V5.07.52_es_FRI01 allow DNS settings changes via a goform/AdvSetDns?GO=wan_dns.asp request in conjunction with a crafted admin cookie.

Action-Not Available
Vendor-secutech_projectn/a
Product-ris-11_firmwareris-22ris-33_firmwareris-11ris-33ris-22_firmwaren/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2021-46559
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.11% / 30.59%
||
7 Day CHG~0.00%
Published-26 Jan, 2022 | 01:11
Updated-04 Aug, 2024 | 05:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The firmware on Moxa TN-5900 devices through 3.1 has a weak algorithm that allows an attacker to defeat an inspection mechanism for integrity protection.

Action-Not Available
Vendor-n/aMoxa Inc.
Product-tn-5900_firmwaretn-5900n/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2020-26547
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.21% / 43.13%
||
7 Day CHG~0.00%
Published-01 Feb, 2021 | 01:02
Updated-04 Aug, 2024 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Monal before 4.9 does not implement proper sender verification on MAM and Message Carbon (XEP-0280) results. This allows a remote attacker (able to send stanzas to a victim) to inject arbitrary messages into the local history, with full control over the sender and receiver displayed to the victim.

Action-Not Available
Vendor-monaln/a
Product-monaln/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2014-0364
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-5||MEDIUM
EPSS-1.51% / 80.44%
||
7 Day CHG~0.00%
Published-30 Apr, 2014 | 10:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ParseRoster component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify the from attribute of a roster-query IQ stanza, which allows remote attackers to spoof IQ responses via a crafted attribute.

Action-Not Available
Vendor-igniterealtimen/a
Product-smackn/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2020-15699
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.01% / 0.50%
||
7 Day CHG~0.00%
Published-15 Jul, 2020 | 15:52
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Joomla! through 3.9.19. Missing validation checks on the usergroups table object can result in a broken site configuration.

Action-Not Available
Vendor-n/aJoomla!
Product-joomla\!n/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2020-15262
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-3.7||LOW
EPSS-0.16% / 37.34%
||
7 Day CHG~0.00%
Published-19 Oct, 2020 | 20:10
Updated-04 Aug, 2024 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Invalid integrity hashes in webpack-subresource-integrity

In webpack-subresource-integrity before version 1.5.1, all dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-level chunks are unaffected. This issue is patched in version 1.5.1.

Action-Not Available
Vendor-webpack-subresource-integrity_projectwaysact
Product-webpack-subresource-integritywebpack-subresource-integrity
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2020-14116
Matching Score-4
Assigner-Xiaomi Technology Co., Ltd.
ShareView Details
Matching Score-4
Assigner-Xiaomi Technology Co., Ltd.
CVSS Score-7.5||HIGH
EPSS-0.11% / 30.59%
||
7 Day CHG~0.00%
Published-21 Apr, 2022 | 17:22
Updated-04 Aug, 2024 | 12:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An intent redirection vulnerability in the Mi Browser product. This vulnerability is caused by the Mi Browser does not verify the validity of the incoming data. Attackers can perform sensitive operations by exploiting this.

Action-Not Available
Vendor-n/aXiaomi
Product-mi_browserMi Browser
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2020-10831
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.04% / 12.28%
||
7 Day CHG~0.00%
Published-24 Mar, 2020 | 17:05
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. Attackers can trigger an update to arbitrary touch-screen firmware. The Samsung ID is SVE-2019-16013 (March 2020).

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidn/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2021-4031
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-7.5||HIGH
EPSS-0.10% / 29.21%
||
7 Day CHG~0.00%
Published-18 Mar, 2022 | 17:59
Updated-16 Sep, 2024 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Syltek Insufficient Verification of Data Authenticity

Syltek application before its 10.22.00 version, does not correctly check that a product ID has a valid payment associated to it. This could allow an attacker to forge a request and bypass the payment system by marking items as payed without any verification.

Action-Not Available
Vendor-syltekSyltek
Product-syltekSyltek
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2017-11379
Matching Score-4
Assigner-Trend Micro, Inc.
ShareView Details
Matching Score-4
Assigner-Trend Micro, Inc.
CVSS Score-7.5||HIGH
EPSS-0.21% / 43.00%
||
7 Day CHG~0.00%
Published-01 Aug, 2017 | 15:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Configuration and database backup archives are not signed or validated in Trend Micro Deep Discovery Director 1.1.

Action-Not Available
Vendor-Trend Micro Incorporated
Product-deep_discovery_directorTrend Micro Deep Discovery Director
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2017-10862
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-5.3||MEDIUM
EPSS-0.23% / 45.72%
||
7 Day CHG~0.00%
Published-12 Oct, 2017 | 14:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

jwt-scala 1.2.2 and earlier fails to verify token signatures correctly which may lead to an attacker being able to pass specially crafted JWT data as a correctly signed token.

Action-Not Available
Vendor-reallyreallyl IO
Product-jwt-scalajwt-scala
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2017-12972
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.15% / 35.93%
||
7 Day CHG~0.00%
Published-20 Aug, 2017 | 16:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.

Action-Not Available
Vendor-connect2idn/a
Product-nimbus_jose\+jwtn/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2020-13265
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.00%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 21:42
Updated-04 Aug, 2024 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows user to bypass email verification

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2016-9450
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.23% / 45.47%
||
7 Day CHG~0.00%
Published-25 Nov, 2016 | 18:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2019-6475
Matching Score-4
Assigner-Internet Systems Consortium (ISC)
ShareView Details
Matching Score-4
Assigner-Internet Systems Consortium (ISC)
CVSS Score-5.9||MEDIUM
EPSS-0.66% / 70.26%
||
7 Day CHG~0.00%
Published-17 Oct, 2019 | 19:17
Updated-16 Sep, 2024 | 17:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
A flaw in mirror zone validity checking can allow zone data to be spoofed

Mirror zones are a BIND feature allowing recursive servers to pre-cache zone data provided by other servers. A mirror zone is similar to a zone of type secondary, except that its data is subject to DNSSEC validation before being used in answers, as if it had been looked up via traditional recursion, and when mirror zone data cannot be validated, BIND falls back to using traditional recursion instead of the mirror zone. However, an error in the validity checks for the incoming zone data can allow an on-path attacker to replace zone data that was validated with a configured trust anchor with forged data of the attacker's choosing. The mirror zone feature is most often used to serve a local copy of the root zone. If an attacker was able to insert themselves into the network path between a recursive server using a mirror zone and a root name server, this vulnerability could then be used to cause the recursive server to accept a copy of falsified root zone data. This affects BIND versions 9.14.0 up to 9.14.6, and 9.15.0 up to 9.15.4.

Action-Not Available
Vendor-Internet Systems Consortium, Inc.
Product-bindBIND 9
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CVE-2019-3979
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-7.5||HIGH
EPSS-0.18% / 39.32%
||
7 Day CHG~0.00%
Published-28 Oct, 2019 | 21:33
Updated-04 Aug, 2024 | 19:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and below are vulnerable to a DNS unrelated data attack. The router adds all A records to its DNS cache even when the records are unrelated to the domain that was queried. Therefore, a remote attacker controlled DNS server can poison the router's DNS cache via malicious responses with additional and untrue records.

Action-Not Available
Vendor-n/aMikroTik
Product-routerosMikroTik RouterOS
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • Next
Details not found