CWE:
 

Risk | Topic | Date | Author
Low | HP Wireless Mouse Spoofing Issue | 17.05.2017 | SySS GmbH
Med. | Microsoft Wireless Desktop 2000 Insufficient Verification / Mouse Spoofing | 30.07.2016 | SySS
Med. | Samsung SW Update Tool 2.2.5.16 Man-In-The-Middle | 11.03.2016 | CORE


CVEMAP Search Results

CVE (identifier, date, risk) | Details (vendor, software) | Description
CVE-2019-10181 (2019-07-31, risk: Medium)
Details: Vendor: IcedTea-Web project; Software: IcedTea-Web
Description: It was found that in IcedTea-Web up to and including 1.7.2 and 1.8.2, executable code could be injected into a JAR file without causing signature verification to fail. An attacker could use this flaw to inject code into a trusted JAR. The code would be executed inside the sandbox.

 
CVE-2019-13483 (2019-07-25, risk: Medium)
Details: Vendor: Auth0; Software: Passport-sha...
Description: Auth0 Passport-SharePoint before 0.4.0 does not validate the JWT signature of an Access Token before processing it. This allows attackers to forge tokens and bypass authentication and authorization mechanisms.

 
CVE-2019-12804 (2019-07-10, risk: Low)
Description: In Hunesion i-oneNet versions 3.0.7 through 3.0.53 and 4.0.4 through 4.0.16, the upgrade process performs no integrity check on update files, so an attacker can craft a malicious file and have it accepted as an update.

 
CVE-2019-1932 (2019-07-05, risk: Medium)
Details: Vendor: Cisco; Software: Advanced mal...
Description: A vulnerability in Cisco Advanced Malware Protection (AMP) for Endpoints for Windows could allow an authenticated, local attacker with administrator privileges to execute arbitrary code. The vulnerability is due to insufficient validation of dynamically loaded modules. An attacker could exploit this vulnerability by placing a file in a specific location in the Windows filesystem. A successful exploit could allow the attacker to execute the code with the privileges of the AMP service.

 
CVE-2019-12504 (2019-06-07, risk: High)
Details: Vendor: Inateck; Software: Wp2002 firmware
Description: Because its data communication is unencrypted and unauthenticated, the Inateck WP2002 wireless presenter is prone to keystroke injection attacks. An attacker can send arbitrary keystrokes to a victim's computer, e.g., to install malware while the target system is unattended, and in this way remotely take control of any computer that is operated with an affected receiver of this device.

 
CVE-2019-1880 (2019-06-05, risk: Low)
Description: A vulnerability in the BIOS upgrade utility of Cisco Unified Computing System (UCS) C-Series Rack Servers could allow an authenticated, local attacker to install compromised BIOS firmware on an affected device. The vulnerability is due to insufficient validation of the firmware image file. An attacker could exploit this vulnerability by executing the BIOS upgrade utility with a specific set of options. A successful exploit could allow the attacker to bypass the firmware signature-verification process and install compromised BIOS firmware on an affected device.
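CVE-2019-12804 above (no integrity check on update files) and CVE-2019-1880 (a firmware signature check that can be bypassed) are two ends of the same problem: the updater has to authenticate the update against a key it already trusts, not merely confirm that the file is internally consistent. The following is an added example, not code from cxsecurity.com or from any vendor listed on this page. The package layout (a version byte, the SHA-256 of the payload and its length as a manifest, an Ed25519 signature over that manifest, then the payload) and the function names BuildPackage, HashOnlyCheck, VerifyPackage and TamperRehash are assumptions made for the illustration. It contrasts a hash-only check, which an attacker defeats by simply recomputing the hash, with verification against a pinned vendor public key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Package layout assumed for this example (not any vendor's real format):
//   manifest = 1-byte format version || 32-byte SHA-256 of payload || 4-byte big-endian payload length
//   package  = manifest || 64-byte Ed25519 signature over manifest || payload
const (
	manifestLen = 1 + sha256.Size + 4
	payloadOff  = manifestLen + ed25519.SignatureSize
)

var (
	ErrTruncated = errors.New("update: package truncated")
	ErrSignature = errors.New("update: manifest signature invalid")
	ErrDigest    = errors.New("update: payload does not match signed manifest")
)

func be32(n int) []byte {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], uint32(n))
	return b[:]
}

// BuildPackage is the vendor side: hash the payload, sign the manifest with the release key.
func BuildPackage(priv ed25519.PrivateKey, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	manifest := append([]byte{0x01}, sum[:]...)
	manifest = append(manifest, be32(len(payload))...)
	sig := ed25519.Sign(priv, manifest)
	return append(append(manifest, sig...), payload...)
}

// HashOnlyCheck models an updater that compares the payload digest against the
// manifest but never authenticates the manifest: an attacker who rewrites both
// the payload and the digest walks straight through it.
func HashOnlyCheck(pkg []byte) bool {
	if len(pkg) < payloadOff {
		return false
	}
	manifest, payload := pkg[:manifestLen], pkg[payloadOff:]
	sum := sha256.Sum256(payload)
	return bytes.Equal(manifest[1:1+sha256.Size], sum[:]) &&
		binary.BigEndian.Uint32(manifest[1+sha256.Size:]) == uint32(len(payload))
}

// VerifyPackage is the hardened updater: verify the manifest signature against
// a pinned vendor key before trusting any field in it, then check that the
// payload matches the signed digest and length. Returns the payload on success.
func VerifyPackage(pub ed25519.PublicKey, pkg []byte) ([]byte, error) {
	if len(pkg) < payloadOff {
		return nil, ErrTruncated
	}
	manifest, sig, payload := pkg[:manifestLen], pkg[manifestLen:payloadOff], pkg[payloadOff:]
	if !ed25519.Verify(pub, manifest, sig) {
		return nil, ErrSignature
	}
	if manifest[0] != 0x01 {
		return nil, errors.New("update: unsupported manifest version")
	}
	sum := sha256.Sum256(payload)
	if binary.BigEndian.Uint32(manifest[1+sha256.Size:]) != uint32(len(payload)) ||
		!bytes.Equal(manifest[1:1+sha256.Size], sum[:]) {
		return nil, ErrDigest
	}
	return payload, nil
}

// TamperRehash is the attacker without the release key: swap in a new payload
// and recompute digest and length, leaving the stale signature in place.
func TamperRehash(pkg, evil []byte) []byte {
	sum := sha256.Sum256(evil)
	out := append([]byte{pkg[0]}, sum[:]...)
	out = append(out, be32(len(evil))...)
	out = append(out, pkg[manifestLen:payloadOff]...)
	return append(out, evil...)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := BuildPackage(priv, []byte("firmware v1.2 (constructed sample payload)"))
	forged := TamperRehash(genuine, []byte("backdoored firmware (constructed sample payload)"))

	fmt.Println("hash-only, genuine:", HashOnlyCheck(genuine)) // true
	fmt.Println("hash-only, forged: ", HashOnlyCheck(forged))  // true: integrity is not authenticity
	_, err = VerifyPackage(pub, genuine)
	fmt.Println("signed, genuine:   ", err) // <nil>
	_, err = VerifyPackage(pub, forged)
	fmt.Println("signed, forged:    ", err) // update: manifest signature invalid
}
```

The order inside VerifyPackage is the point: the signature is checked before any field of the manifest (version, length, digest) is used, so nothing an attacker can write into the header is parsed or acted on until it has been authenticated. A real updater would additionally pin the public key in read-only storage and reject downgrades by comparing a signed version number.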

 
CVE-2019-11235 (2019-04-22, risk: Medium)
Details: Vendor: Freeradius; Software: Freeradius
Description: FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection mechanism, aka a "Dragonblood" issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.
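The FreeRADIUS entry quotes the check an EAP-pwd implementation has to perform on the peer's Commit message before using it. As an added example (not FreeRADIUS code and not from cxsecurity.com), here is that check over P-256 in Go: the peer's scalar must lie strictly between 1 and the group order q, and the peer's element must be a point on the curve and not the point at infinity. The Commit layout used here (element as x||y followed by the scalar), the lower bound of 2 for the scalar, and the names EncodeCommit, ValidateCommit and ProcessCommit are assumptions made for the illustration; consult RFC 5931 for the real framing.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

var (
	ErrLength      = errors.New("eap-pwd: commit payload has the wrong length")
	ErrScalarRange = errors.New("eap-pwd: peer scalar outside 1 < s < q")
	ErrIdentity    = errors.New("eap-pwd: peer element is the point at infinity")
	ErrNotOnCurve  = errors.New("eap-pwd: peer element is not on the curve")
)

// sizes returns the coordinate and scalar lengths for the curve, in bytes.
func sizes(curve elliptic.Curve) (pl, ql int) {
	p := curve.Params()
	return (p.P.BitLen() + 7) / 8, (p.N.BitLen() + 7) / 8
}

// EncodeCommit lays out a Commit as element (x || y) followed by scalar. This
// layout is assumed for the example; see RFC 5931 for the real framing.
func EncodeCommit(curve elliptic.Curve, x, y, scalar *big.Int) []byte {
	pl, ql := sizes(curve)
	out := make([]byte, 2*pl+ql)
	x.FillBytes(out[:pl])
	y.FillBytes(out[pl : 2*pl])
	scalar.FillBytes(out[2*pl:])
	return out
}

// ValidateCommit is the check the advisory quotes: the scalar must satisfy
// 1 < s < q, and the element must be a real point on the curve and not the
// identity. On a prime-order curve such as P-256 (cofactor 1) every other
// point on the curve has order q, so no further subgroup check is needed.
// Skipping these checks lets an attacker send invalid or low-order elements
// and learn about the password (the Dragonblood attacks).
func ValidateCommit(curve elliptic.Curve, x, y, scalar *big.Int) error {
	q := curve.Params().N
	if scalar.Cmp(big.NewInt(1)) <= 0 || scalar.Cmp(q) >= 0 {
		return ErrScalarRange
	}
	if x.Sign() == 0 && y.Sign() == 0 { // affine encoding of the point at infinity
		return ErrIdentity
	}
	if !curve.IsOnCurve(x, y) { // y^2 == x^3 - 3x + b (mod p)
		return ErrNotOnCurve
	}
	return nil
}

// ProcessCommit parses a received Commit payload and returns the peer's
// element and scalar only if they pass ValidateCommit.
func ProcessCommit(curve elliptic.Curve, payload []byte) (x, y, scalar *big.Int, err error) {
	pl, ql := sizes(curve)
	if len(payload) != 2*pl+ql {
		return nil, nil, nil, ErrLength
	}
	x = new(big.Int).SetBytes(payload[:pl])
	y = new(big.Int).SetBytes(payload[pl : 2*pl])
	scalar = new(big.Int).SetBytes(payload[2*pl:])
	if err = ValidateCommit(curve, x, y, scalar); err != nil {
		return nil, nil, nil, err
	}
	return x, y, scalar, nil
}

func main() {
	curve := elliptic.P256()
	gx, gy, q := curve.Params().Gx, curve.Params().Gy, curve.Params().N
	offY := new(big.Int).Add(gy, big.NewInt(1)) // same x, wrong y: not on the curve
	cases := []struct {
		name    string
		payload []byte // constructed test vectors, not captured traffic
	}{
		{"generator, s=2", EncodeCommit(curve, gx, gy, big.NewInt(2))},
		{"generator, s=q-1", EncodeCommit(curve, gx, gy, new(big.Int).Sub(q, big.NewInt(1)))},
		{"generator, s=0", EncodeCommit(curve, gx, gy, big.NewInt(0))},
		{"generator, s=q", EncodeCommit(curve, gx, gy, q)},
		{"off-curve element", EncodeCommit(curve, gx, offY, big.NewInt(2))},
		{"identity element", EncodeCommit(curve, big.NewInt(0), big.NewInt(0), big.NewInt(2))},
		{"truncated payload", []byte{1, 2, 3}},
	}
	for _, c := range cases {
		_, _, _, err := ProcessCommit(curve, c.payload)
		fmt.Printf("%-20s -> %v\n", c.name, err)
	}
}
```

Only the first two cases come back with a nil error. The off-curve case is the one that matters most in practice: a point that is not on the curve is accepted by naive scalar multiplication code and leaks information about the secret it is multiplied with, which is why the check must happen before the element is used in any arithmetic.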

 
CVE-2015-3956 (2019-03-25, risk: High)
Details: Vendor: Pfizer; Software: Plum a+3 inf...
Description: Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System version 3.13 and prior accept drug libraries, firmware updates, pump commands, and unauthorized configuration changes from unauthenticated devices on the host network. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System, which is not vulnerable to this issue.

 
CVE-2019-1667 (2019-02-21, risk: Low)
Details: Vendor: Cisco; Software: Hyperflex hx...
Description: A vulnerability in the Graphite interface of Cisco HyperFlex software could allow an authenticated, local attacker to write arbitrary data to the Graphite interface. The vulnerability is due to insufficient authorization controls. An attacker could exploit this vulnerability by connecting to the Graphite service and sending arbitrary data. A successful exploit could allow the attacker to write arbitrary data to Graphite, which could result in invalid statistics being presented in the interface. Versions prior to 3.5(2a) are affected.

 
CVE-2018-15801 (2018-12-19, risk: Medium)
Description: Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. To be affected, the same private key must be used to sign JWTs for both an honest issuer and a malicious user. In that case, the malicious user could fashion signed JWTs carrying the malicious issuer URL that may be accepted as if they had been issued by the honest issuer.
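The two JWT entries on this page fail at different steps of the same routine. CVE-2019-13483 (Passport-SharePoint) acts on claims without ever checking the signature; CVE-2018-15801 (Spring Security) checks the signature but accepts an issuer it should not, so anyone holding the same signing key can mint a token for an arbitrary issuer. As an added example (not code from either project or from cxsecurity.com), here is a minimal HS256 verifier in Go that does both steps in the right order: refuse any alg other than the one expected, compare the MAC in constant time, and only then compare the iss claim for exact equality with the configured issuer. HS256 is used for brevity; the issuer point applies equally to asymmetric algorithms. The key, issuer URLs, token contents and the names Sign, DecodeUnverified, SignatureValid and Verify are constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of JWT claims this example looks at.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
}

var (
	ErrSignature = errors.New("jwt: malformed token or invalid signature")
	ErrIssuer    = errors.New("jwt: issuer not trusted")
	enc          = base64.RawURLEncoding
)

// Sign mints an HS256 token; used for the honest issuer and for an attacker
// who holds the same key (the CVE-2018-15801 precondition).
func Sign(key []byte, c Claims) string {
	body, _ := json.Marshal(c)
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + enc.EncodeToString(mac.Sum(nil))
}

// DecodeUnverified is the flawed pattern: claims are read straight out of the
// payload segment and acted on without any signature check.
func DecodeUnverified(tok string) (c Claims, err error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, ErrSignature
	}
	raw, err := enc.DecodeString(parts[1])
	if err != nil {
		return c, ErrSignature
	}
	return c, json.Unmarshal(raw, &c)
}

// SignatureValid requires the header to say HS256 (so "none" and algorithm
// confusion are refused) and compares the MAC over header.payload in constant
// time. It says nothing about who issued the token.
func SignatureValid(key []byte, tok string) bool {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return false
	}
	hdrRaw, err1 := enc.DecodeString(parts[0])
	sig, err2 := enc.DecodeString(parts[2])
	var hdr map[string]string
	if err1 != nil || err2 != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr["alg"] != "HS256" {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	return hmac.Equal(mac.Sum(nil), sig)
}

// Verify is the hardened path: signature first, then an exact issuer match,
// and only then are the claims handed back to the caller.
func Verify(key []byte, trustedIssuer, tok string) (Claims, error) {
	if !SignatureValid(key, tok) {
		return Claims{}, ErrSignature
	}
	c, err := DecodeUnverified(tok) // safe now: the payload is covered by the MAC just checked
	if err != nil {
		return Claims{}, ErrSignature
	}
	if c.Iss != trustedIssuer { // exact match: a valid signature does not vouch for an arbitrary iss
		return Claims{}, ErrIssuer
	}
	return c, nil
}

func main() {
	key, honest := []byte("shared-hs256-key (constructed)"), "https://issuer.example"
	good := Sign(key, Claims{Iss: honest, Sub: "alice"})
	p := strings.Split(good, ".") // attacker without the key: new payload, stale signature
	body, _ := json.Marshal(Claims{Iss: honest, Sub: "admin"})
	forged := p[0] + "." + enc.EncodeToString(body) + "." + p[2]
	rogue := Sign(key, Claims{Iss: "https://attacker.example", Sub: "admin"}) // attacker with the shared key
	c, _ := DecodeUnverified(forged)
	_, errForged := Verify(key, honest, forged)
	_, errRogue := Verify(key, honest, rogue)
	fmt.Println("unverified sub:", c.Sub, "| forged:", errForged, "| rogue sig valid:", SignatureValid(key, rogue), "| rogue:", errRogue)
}
```

Running it shows the forged token yielding sub=admin from DecodeUnverified while Verify rejects it, and the rogue token carrying a valid signature yet still being rejected on the issuer comparison. The issuer check is a plain string equality: prefix, suffix or substring matching against a URL is what turns a shared key into a cross-issuer bypass.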

 

 


Copyright 2019, cxsecurity.com