CWE:
 

Tytuł
Data
Autor
High
WordPress iThemes Security Insecure Backup / Logfile Generation
22.04.2016
Nicolas CHATELAIN


Common Weakness Enumeration (CWE)

CVE
Szczegóły
Opis
2021-11-16
Medium
CVE-2021-26322

Updating...
 

 

 
2021-10-29
Medium
CVE-2021-22038

Vendor: Vmware
Software: Installbuilder
 

 
On Windows, the uninstaller binary copies itself to a fixed temporary location, which is then executed (the originally called uninstaller exits, so it does not block the installation directory). This temporary location is not randomized and does not restrict access to Administrators only so a potential attacker could plant a binary to replace the copied binary right before it gets called, thus gaining Administrator privileges (if the original uninstaller was executed as Administrator). The vulnerability only affects Windows installers.

 
2021-08-19
Medium
CVE-2020-35685

Vendor: Hcc-embedded
Software: Nichestack
 

 
An issue was discovered in HCC Nichestack 3.0. The code that generates Initial Sequence Numbers (ISNs) for TCP connections derives the ISN from an insufficiently random source. As a result, an attacker may be able to determine the ISN of current and future TCP connections and either hijack existing ones or spoof future ones. (Proper ISN generation should aim to follow at least the specifications outlined in RFC 6528.)

 
2021-08-10
Medium
CVE-2021-3689

Vendor: Yiiframework
Software: YII
 

 
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator

 
2021-08-04
Medium
CVE-2021-26098

Vendor: Fortinet
Software: Fortisandbox
 

 
An instance of small space of random values in the RPC API of FortiSandbox before 4.0.0 may allow an attacker in possession of a few information pieces about the state of the device to possibly predict valid session IDs.

 
2021-06-29
Low
CVE-2021-29480

Vendor: Ratpack project
Software: Ratpack
 

 
Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone with the ability to write cookies. The default configuration is unsuitable for production use as an application restart renders all sessions invalid and is not multi-host compatible, but its use is not actively prevented. As of Ratpack 1.9.0, the default value is a securely randomly generated value, generated at application startup time. As a workaround, supply an alternative signing key, as per the documentation's recommendation.

 
2021-04-22
Medium
CVE-2021-27393

Vendor: Siemens
Software: Nucleus net
 

 
A vulnerability has been identified in Nucleus NET (All versions), Nucleus RTOS (versions including affected DNS modules), Nucleus ReadyStart (All versions < V2013.08), Nucleus Source Code (versions including affected DNS modules), VSTAR (versions including affected DNS modules). The DNS client does not properly randomize UDP port numbers of DNS requests. That could allow an attacker to poison the DNS cache or spoof DNS resolving.

 
Medium
CVE-2021-25677

Vendor: Siemens
Software: Nucleus net
 

 
A vulnerability has been identified in Nucleus 4 (All versions < V4.1.0), Nucleus NET (All versions), Nucleus RTOS (versions including affected DNS modules), Nucleus ReadyStart (All versions < V2017.02.3), Nucleus Source Code (versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), SIMOTICS CONNECT 400 (All versions >= V0.5.0.0), VSTAR (versions including affected DNS modules). The DNS client does not properly randomize DNS transaction IDs. That could allow an attacker to poison the DNS cache or spoof DNS resolving.

 
2021-03-10
Low
CVE-2021-0375

Vendor: Google
Software: Android
 

 
In onPackageModified of VoiceInteractionManagerService.java, there is a possible change of default applications due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-167261484

 
2021-03-03
Medium
CVE-2021-21352

Vendor: Anuko
Software: Time tracker
 

 
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In TimeTracker before version 1.19.24.5415 tokens used in password reset feature in Time Tracker are based on system time and, therefore, are predictable. This opens a window for brute force attacks to guess user tokens and, once successful, change user passwords, including that of a system administrator. This vulnerability is pathced in version 1.19.24.5415 (started to use more secure tokens) with an additional improvement in 1.19.24.5416 (limited an available window for brute force token guessing).

 

 


Copyright 2022, cxsecurity.com

 

Back to Top