CWE:

Title
Date
Author
Med.
Microsoft Windows Hello Face Authentication Bypass
20.12.2017
SySS


Common Weakness Enumeration (CWE)

CVE
Details
Description
2022-07-27
Waiting for details
CVE-2022-2310

An authentication bypass vulnerability in Skyhigh SWG in main releases 10.x prior to 10.2.12, 9.x prior to 9.2.23, 8.x prior to 8.2.28, and controlled release 11.x prior to 11.2.1 allows a remote attacker to bypass authentication into the administration User Interface. This is possible because SWG incorrectly whitelists authentication bypass methods and uses a weak crypto password. This can lead to the attacker logging into the SWG admin interface, without valid credentials, as the super user with complete control over the SWG.

2022-07-08
Medium
CVE-2022-22476
Vendor: IBM
Software: Open liberty

IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request. IBM X-Force ID: 225604.

2022-06-24
Waiting for details
CVE-2022-1745

The authentication mechanism used by technicians on the tested version of Dominion Voting Systems ImageCast X is susceptible to forgery. An attacker with physical access may use this to gain administrative privileges on a device and install malicious code or perform arbitrary administrative actions.

2022-06-20
Medium
CVE-2022-32983
Vendor: NIC
Software: Knot resolver

Knot Resolver through 5.5.1 may allow DNS cache poisoning when there is an attempt to limit forwarding actions by filters.

2022-03-06
Low
CVE-2022-26505
Vendor: Readymedia project
Software: Readymedia

A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files.

2022-02-11
Medium
CVE-2022-24112
Vendor: Apache
Software: Apisix

An attacker can abuse the batch-requests plugin to send requests that bypass the IP restriction of the Admin API. A default configuration of Apache APISIX (with the default API key) is vulnerable to remote code execution. When the admin key has been changed, or the Admin API port has been changed to a port different from the data panel, the impact is lower, but there is still a risk of bypassing the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP, but due to a bug in the code this check can be bypassed.

2022-01-13
Medium
CVE-2022-23131
Vendor: Zabbix
Software: Zabbix

In instances where SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. A malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to the Zabbix Frontend. To perform the attack, SAML authentication must be enabled and the actor has to know the username of a Zabbix user (or use the guest account, which is disabled by default).

2021-12-15
Low
CVE-2021-42320
Vendor: Microsoft
Software: Sharepoint e...

Microsoft SharePoint Server Spoofing Vulnerability. This CVE ID is unique from CVE-2021-43242.

Medium
CVE-2021-43890

Windows AppX Installer Spoofing Vulnerability

2021-12-14
Low
CVE-2021-43807
Vendor: Apereo
Software: Opencast

Opencast is an open source lecture capture and video management system for education. Opencast versions prior to 9.10 allow HTTP method spoofing, allowing the assumed HTTP method to be changed via a URL parameter. This allows attackers to turn HTTP GET requests into PUT requests, or an HTTP form into DELETE requests. This bypasses restrictions otherwise placed on these types of requests and aids cross-site request forgery (CSRF) attacks that would otherwise not be possible. The vulnerability allows attackers to craft links or forms which may change the server state. This issue is fixed in Opencast 9.10 and 10.0. You can mitigate the problem by setting the `SameSite=Strict` attribute on your cookies. Whether this is a viable option for you depends on your integrations. We strongly recommend updating in any case.

Copyright 2022, cxsecurity.com