Total: 492 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-1318 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
A spoofing vulnerability exists when Transport Layer Security (TLS) accesses non-Extended Master Secret (EMS) sessions, aka 'Microsoft Windows Transport Layer Security Spoofing Vulnerability'.
|
|||||
| CVE-2019-1234 | 1 Microsoft | 1 Azure Stack | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A spoofing vulnerability exists when Azure Stack fails to validate certain requests, aka 'Azure Stack Spoofing Vulnerability'.
|
|||||
| CVE-2019-18991 | 1 Qualcomm | 6 Atheros Ar9132, Atheros Ar9132 Firmware, Atheros Ar9283 and 3 more | 2024-11-21 | 4.8 MEDIUM | 5.4 MEDIUM |
|
A partial authentication bypass vulnerability exists on Atheros AR9132 3.60(AMX.8), AR9283 1.85, and AR9285 1.0.0.12NA devices. The vulnerability allows sending an unencrypted data frame to a WPA2-protected WLAN router where the packet is routed through the network. If successful, a response is sent back as an encrypted frame, which would allow an attacker to discern information or potentially modify data.
|
|||||
| CVE-2019-18990 | 1 Realtek | 8 Rtl8192er, Rtl8192er Firmware, Rtl8196d and 5 more | 2024-11-21 | 4.8 MEDIUM | 5.4 MEDIUM |
|
A partial authentication bypass vulnerability exists on Realtek RTL8812AR 1.21WW, RTL8196D 1.0.0, RTL8192ER 2.10, and RTL8881AN 1.09 devices. The vulnerability allows sending an unencrypted data frame to a WPA2-protected WLAN router where the packet is routed through the network. If successful, a response is sent back as an encrypted frame, which would allow an attacker to discern information or potentially modify data.
|
|||||
| CVE-2019-18989 | 1 Mediatek | 2 Mt7620n, Mt7620n Firmware | 2024-11-21 | 4.8 MEDIUM | 5.4 MEDIUM |
|
A partial authentication bypass vulnerability exists on Mediatek MT7620N 1.06 devices. The vulnerability allows sending an unencrypted data frame to a WPA2-protected WLAN router where the packet is routed through the network. If successful, a response is sent back as an encrypted frame, which would allow an attacker to discern information or potentially modify data.
|
|||||
| CVE-2019-18659 | 1 Ready | 1 Wireless Emergency Alerts | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
The Wireless Emergency Alerts (WEA) protocol allows remote attackers to spoof a Presidential Alert because cryptographic authentication is not used, as demonstrated by MessageIdentifier 4370 in LTE System Information Block 12 (aka SIB12). NOTE: testing inside an RF-isolated shield box suggested that all LTE phones are affected by design (e.g., use of Android versus iOS does not matter); testing in an open RF environment is, of course, contraindicated.
|
|||||
| CVE-2019-18259 | 1 Omron | 2 Plc Cj Firmware, Plc Cs Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In Omron PLC CJ series, all versions and Omron PLC CS series, all versions, an attacker could spoof arbitrary messages or execute commands.
|
|||||
| CVE-2019-16871 | 1 Beckhoff | 1 Twincat | 2024-11-21 | 9.3 HIGH | 9.8 CRITICAL |
|
Beckhoff Embedded Windows PLCs through 3.1.4024.0, and Beckhoff Twincat on Windows Engineering stations, allow an attacker to achieve Remote Code Execution (as SYSTEM) via the Beckhoff ADS protocol.
|
|||||
| CVE-2019-16766 | 1 Labdigital | 1 Wagtail-2fa | 2024-11-21 | 4.0 MEDIUM | 8.7 HIGH |
|
When using wagtail-2fa before 1.3.0, if someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS. This problem has been patched in version 1.3.0.
|
|||||
| CVE-2019-16378 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 is prone to a signature-bypass vulnerability with multiple From: addresses, which might affect applications that consider a domain name to be relevant to the origin of an e-mail message.
|
|||||
| CVE-2019-15022 | 1 Zingbox | 1 Inspector | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A security vulnerability exists in Zingbox Inspector versions 1.294 and earlier, that allows for the Inspector to be susceptible to ARP spoofing.
|
|||||
| CVE-2019-13715 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
|
|||||
| CVE-2019-13709 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Insufficient policy enforcement in downloads in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass download restrictions via a crafted HTML page.
|
|||||
| CVE-2019-13708 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Inappropriate implementation in navigation in Google Chrome on iOS prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
|
|||||
| CVE-2019-13704 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Insufficient policy enforcement in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass content security policy via a crafted HTML page.
|
|||||
| CVE-2019-13703 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Insufficient policy enforcement in the Omnibox in Google Chrome on Android prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
|
|||||
| CVE-2019-13701 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Incorrect implementation in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
|
|||||
| CVE-2019-12131 | 1 Onap | 1 Open Network Automation Platform | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
An issue was detected in ONAP APPC through Dublin and SDC through Dublin. By setting a USER_ID parameter in an HTTP header, an attacker may impersonate an arbitrary existing user without any authentication. All APPC and SDC setups are affected.
|
|||||
| CVE-2019-11189 | 1 Opennetworking | 1 Onos | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Authentication Bypass by Spoofing in org.onosproject.acl (access control) and org.onosproject.mobility (host mobility) in ONOS v2.0 and earlier allows attackers to bypass network access control via data plane packet injection. To exploit the vulnerability, an attacker sends a gratuitous ARP reply that causes the host mobility application to remove existing access control flow denial rules in the network. The access control application does not re-install flow deny rules, so the attacker can bypa ...
|
|||||
| CVE-2019-10875 | 1 Mi | 2 Mi Browser, Mint Browser | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
A URL spoofing vulnerability was found in all international versions of Xiaomi Mi browser 10.5.6-g (aka the MIUI native browser) and Mint Browser 1.5.3 due to the way they handle the "q" query parameter. The portion of an https URL before the ?q= substring is not shown to the user.
|
|||||
| CVE-2019-0608 | 1 Microsoft | 10 Edge, Internet Explorer, Windows 10 and 7 more | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
A spoofing vulnerability exists when Microsoft Browsers do not properly parse HTTP content, aka 'Microsoft Browser Spoofing Vulnerability'. This CVE ID is unique from CVE-2019-1357.
|
|||||
| CVE-2019-0388 | 1 Sap | 1 Ui | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
SAP UI5 HTTP Handler (corrected in SAP_UI versions 7.5, 7.51, 7.52, 7.53, 7.54 and SAP UI_700 version 2.0) allows an attacker to manipulate content due to insufficient URL validation.
|
|||||
| CVE-2019-0283 | 1 Sap | 1 Netweaver Process Integration | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
|
SAP NetWeaver Process Integration (Adapter Engine), fixed in versions 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, is vulnerable to Digital Signature Spoofing. It is possible to spoof XML signatures and send arbitrary requests to the server via PI Axis adapter. These requests will be accepted by the PI Axis adapter even if the payload has been altered, especially when the signed element is the body of the XML document.
|
|||||
| CVE-2018-8425 | 1 Microsoft | 3 Edge, Windows 10, Windows Server 2016 | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge.
|
|||||
| CVE-2018-8388 | 1 Microsoft | 1 Edge | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8383.
|
|||||
| CVE-2018-8383 | 1 Microsoft | 1 Edge | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
A spoofing vulnerability exists when Microsoft Edge does not properly parse HTTP content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8388.
|
|||||
| CVE-2018-8278 | 1 Microsoft | 2 Edge, Windows 10 | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
|
A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge.
|
|||||
| CVE-2018-8153 | 1 Microsoft | 1 Exchange Server | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
|
A spoofing vulnerability exists in Microsoft Exchange Server when Outlook Web Access (OWA) fails to properly handle web requests, aka "Microsoft Exchange Spoofing Vulnerability." This affects Microsoft Exchange Server.
|
|||||
| CVE-2018-7842 | 1 Schneider-electric | 8 Modicon M340, Modicon M340 Firmware, Modicon M580 and 5 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A CWE-290: Authentication Bypass by Spoofing vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause an elevation of privilege by conducting a brute force attack on Modbus parameters sent to the controller.
|
|||||
| CVE-2018-7160 | 1 Nodejs | 1 Node.js | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The Node.js inspector, in 6.x and later, is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local netw ...
|
|||||
| CVE-2018-5354 | 1 Anixis | 1 Password Reset Client | 2024-11-21 | 5.8 MEDIUM | 8.8 HIGH |
|
The custom GINA/CP module in ANIXIS Password Reset Client before version 3.22 allows remote attackers to execute code and escalate privileges via spoofing. When the client is configured to use HTTP, it does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability c ...
|
|||||
| CVE-2018-5353 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Addition ...
|
|||||
| CVE-2018-3829 | 1 Elastic | 1 Elastic Cloud Enterprise | 2024-11-21 | 3.5 LOW | 5.3 MEDIUM |
|
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and IP address of the coordinator-host could add an allocator to an existing ECE install to gain access to other clusters' data.
|
|||||
| CVE-2018-1695 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 6.8 MEDIUM | 7.3 HIGH |
|
IBM WebSphere Application Server 7.0, 8.0, and 8.5.5 installations using Form Login could allow a remote attacker to conduct spoofing attacks. IBM X-Force ID: 145769.
|
|||||
| CVE-2018-16483 | 1 Express-cart Project | 1 Express-cart | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators.
|
|||||
| CVE-2018-15715 | 1 Zoom | 1 Zoom | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Zoom clients on Windows (before version 4.1.34814.1119), Mac OS (before version 4.1.34801.1116), and Linux (2.4.129780.0915 and below) are vulnerable to unauthorized message processing. A remote unauthenticated attacker can spoof UDP messages from a meeting attendee or Zoom server in order to invoke functionality in the target client. This allows the attacker to remove attendees from meetings, spoof messages from users, or hijack shared screens.
|
|||||
| CVE-2018-15588 | 1 Freron | 1 Mailmate | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
MailMate before 1.11.3 mishandles a suspicious HTML/MIME structure in a signed/encrypted email.
|
|||||
| CVE-2018-12331 | 1 Ecos | 1 System Management Appliance | 2024-11-21 | 5.8 MEDIUM | 7.4 HIGH |
|
Authentication Bypass by Spoofing vulnerability in ECOS System Management Appliance (aka SMA) 5.2.68 allows a man-in-the-middle attacker to compromise authentication keys and configurations via IP spoofing during "Easy Enrollment."
|
|||||
| CVE-2017-18190 | 3 Apple, Canonical, Debian | 3 Cups, Ubuntu Linux, Debian Linux | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).
|
|||||
| CVE-2017-12095 | 1 Meetcircle | 1 Circle With Disney Firmware | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
|
An exploitable vulnerability exists in the WiFi Access Point feature of Circle with Disney running firmware 2.0.1. A series of WiFi packets can force Circle to set up an Access Point with default credentials. An attacker needs to send a series of spoofed "de-auth" packets to trigger this vulnerability.
|
|||||