| Risk | Topic | Date | Author |
|---|---|---|---|
| Med. | Magento WooCommerce CardGate Payment Gateway 2.0.30 Payment Process Bypass | 25.02.2020 | GeekHack |
| Low | Parity Browser < 1.6.10 Bypass Same Origin Policy | 12.01.2018 | tintinweb |
| Med. | Solarwinds LEM Insecure Update Process | 26.09.2017 | Hank Leininger |

CVEMAP Search Results

| Date | Risk | CVE | Vendor | Software | Description |
|---|---|---|---|---|---|
| 2020-09-18 | Low | CVE-2020-15773 | Gradle | Enterprise | An issue was discovered in Gradle Enterprise before 2020.2.4. Because of unrestricted cross-origin requests to read-only data in the Export API, an attacker can access data as a user (for the duration of the browser session) after that user has previously explicitly authenticated with the API. |
| 2020-09-16 | Medium | CVE-2020-14519 | WIBU | Codemeter | This vulnerability allows an attacker to use the internal WebSockets API for CodeMeter via a specifically crafted JavaScript payload, which may allow alteration or creation of license files when combined with CVE-2020-14515. All versions prior to 7.00 are affected, including Version 7.0 or newer with the affected WebSockets API still enabled. This is especially relevant for systems or devices where a web browser is used to access a web server. |
| 2020-08-10 | Low | CVE-2020-15652 | Mozilla | Firefox | By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to content that can be parsed as script. This vulnerability affects Firefox < 79, Firefox ESR < 68.11, Firefox ESR < 78.1, Thunderbird < 68.11, and Thunderbird < 78.1. |
| 2020-08-07 | Low | CVE-2020-16168 | | | Origin Validation Error in Robotemi Global Ltd Temi Firmware up to 20190419.165201, Launcher OS prior to 11969-13146, Robox OS prior to 117.21-119.24, and their Android phone app prior to 1.3.3-1.3.7931 allows remote attackers to access the custom API server and MQTT broker used by the temi and send it custom data/requests. |
| 2020-07-14 | Medium | CVE-2020-15104 | Envoyproxy | Envoy | In Envoy before versions 1.12.6, 1.13.4, 1.14.4, and 1.15.0, when validating TLS certificates, Envoy would incorrectly allow a wildcard DNS Subject Alternative Name to apply to multiple subdomains. For example, with a SAN of *.example.com, Envoy would incorrectly allow nested.subdomain.example.com, when it should only allow subdomain.example.com. This defect applies both to validating a client TLS certificate in mTLS and to validating a server TLS certificate for upstream connections. This vulnerability is only applicable to situations where an untrusted entity can obtain a signed wildcard TLS certificate for a domain of which you only intend to trust a subdomain. For example, if you intend to trust api.mysubdomain.example.com, and an untrusted actor can obtain a signed TLS certificate for *.example.com or *.com. Configurations are vulnerable if they use verify_subject_alt_name in any Envoy version, or if they use match_subject_alt_names in version 1.14 or later. This issue has been fixed in Envoy versions 1.12.6, 1.13.4, 1.14.4, and 1.15.0. |
| 2020-06-19 | Medium | CVE-2020-14456 | Mattermost | Mattermost d... | An issue was discovered in Mattermost Desktop App before 4.4.0. The Same Origin Policy is mishandled during access-control decisions for web APIs, aka MMSA-2020-0006. |
| 2020-05-22 | Low | CVE-2020-12397 | Mozilla | Thunderbird | By encoding Unicode whitespace characters within the From email header, an attacker can spoof the sender email address that Thunderbird displays. This vulnerability affects Thunderbird < 68.8.0. |
| 2020-03-24 | Medium | CVE-2020-8984 | ZEND | Zendto | lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta allowed IP address spoofing via the X-Forwarded-For header. |
| 2020-01-23 | Medium | CVE-2019-16517 | Connectwise | Control | An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a CORS misconfiguration, which reflected the Origin provided by incoming requests. This allowed JavaScript running on any domain to interact with the server APIs and perform administrative actions, without the victim's knowledge. |
| 2020-01-08 | Medium | CVE-2019-11762 | Mozilla | Firefox | If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. |

Copyright 2020, cxsecurity.com