Severity | Topic | Date | Author
High | QuantaStor Software Defined Storage < 4.3.1 Multiple Vulnerabilities | 18.08.2017 | Nahuel D. Sanchez, VVV...
Low | ProjectDox 8.1 XSS / User Enumeration / Ciphertext Reuse | 05.09.2014 | CAaNES


CVEMAP Search Results

Date | Severity | CVE | Vendor / Software
Description
2020-06-26 | Medium | CVE-2020-9588 | Magento / Magento
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.

2020-05-13 | Low | CVE-2020-11063 | Typo3 / Typo3
In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2.

2020-03-11 | Medium | CVE-2019-5135
An exploitable timing discrepancy vulnerability exists in the authentication functionality of the Web-Based Management (WBM) web application on WAGO PFC100/200 controllers. The WBM application makes use of the PHP crypt() function, which can be exploited to disclose hashed user credentials. This affects WAGO PFC200 Firmware version 03.00.39(12) and version 03.01.07(13), and WAGO PFC100 Firmware version 03.00.39(12).

2020-03-05 | Low | CVE-2020-10102 | Zammad / Zammad
An issue was discovered in Zammad 3.0 through 3.2. The Forgot Password functionality is implemented in a way that would enable an anonymous user to guess valid user emails. In the current implementation, the application responds differently depending on whether the input supplied was recognized as associated with a valid user. This behavior could be used as part of a two-stage automated attack. During the first stage, an attacker would iterate through a list of account names to determine which correspond to valid accounts. During the second stage, the attacker would use a list of common passwords to attempt to brute force credentials for accounts that were recognized by the system in the first stage.

2020-02-04 | Medium | CVE-2013-1422 | Webcalendar project / Webcalendar
WebCalendar before 1.2.7 shows the reason for a failed login (e.g., "no such user").

2020-01-29 | Low | CVE-2020-2102 | Jenkins / Jenkins
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant-time comparison function when validating an HMAC.

2020-01-29 | Low | CVE-2020-2101 | Jenkins / Jenkins
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret.

2020-01-27 | Medium | CVE-2014-4156 | Proxmox / Virtual envi...
Proxmox VE prior to 3.2: 'AccessControl.pm' User Enumeration Vulnerability.

2020-01-24 | Low | CVE-2014-9720 | Tornadoweb / Tornado
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.

2019-12-20 | Low | CVE-2015-8313 | GNU / Gnutls
GnuTLS incorrectly validates the first byte of padding in CBC modes.

Copyright 2020, cxsecurity.com