Total
452 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-7667 | 1 Apache | 1 Nifi | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin. | |||||
| CVE-2016-8358 | 1 Smiths-medical | 1 Cadd-solis Medication Safety Software | 2025-04-20 | 6.0 MEDIUM | 8.5 HIGH |
| An issue was discovered in Smiths-Medical CADD-Solis Medication Safety Software, Version 1.0; 2.0; 3.0; and 3.1. The affected software does not verify the identities at communication endpoints, which may allow a man-in-the-middle attacker to gain access to the communication channel between endpoints. | |||||
| CVE-2017-5589 | 1 Yaxim | 2 Bruno, Yaxim | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for yaxim and Bruno (0.8.6 - 0.8.8; Android). | |||||
| CVE-2017-5590 | 2 Chatsecure, Zom | 2 Chatsecure, Zom | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for ChatSecure (3.2.0 - 4.0.0; only iOS) and Zom (all versions up to 1.0.11; only iOS). | |||||
| CVE-2017-0902 | 4 Canonical, Debian, Redhat and 1 more | 9 Ubuntu Linux, Debian Linux, Enterprise Linux Desktop and 6 more | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
| RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. | |||||
| CVE-2017-5604 | 1 Mcabber | 1 Mcabber | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for mcabber 1.0.0 - 1.0.4. | |||||
| CVE-2017-5592 | 1 Profanity Project | 1 Profanity | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for profanity (0.4.7 - 0.5.0). | |||||
| CVE-2017-7561 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is vulnerable to a server-side cache poisoning or CORS requests in the JAX-RS component resulting in a moderate impact. | |||||
| CVE-2025-3651 | 2025-04-17 | N/A | N/A | ||
| Improper Verification of Source of a Communication Channel in Work Desktop for Mac versions 10.8.1.46 and earlier allows attackers to execute arbitrary commands via unauthorized access to the Agent service. This has been remediated in Work Desktop for Mac version 10.8.2.33. | |||||
| CVE-2022-1747 | 1 Dominionvoting | 2 Democracy Suite, Imagecast X | 2025-04-17 | 2.1 LOW | 4.6 MEDIUM |
| The authentication mechanism used by voters to activate a voting session on the tested version of Dominion Voting Systems ImageCast X is susceptible to forgery. An attacker could leverage this vulnerability to print an arbitrary number of ballots without authorization. | |||||
| CVE-2022-1520 | 1 Mozilla | 1 Thunderbird | 2025-04-16 | N/A | 4.3 MEDIUM |
| When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message A, the message A might be shown with the security status of message B. This vulnerability affects Thunderbird < 91.9. | |||||
| CVE-2022-22757 | 1 Mozilla | 1 Firefox | 2025-04-16 | N/A | 6.5 MEDIUM |
| Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it. <br>*This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.*. This vulnerability affects Firefox < 97. | |||||
| CVE-2022-38472 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-04-15 | N/A | 6.5 MEDIUM |
| An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104. | |||||
| CVE-2022-42927 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-04-15 | N/A | 8.1 HIGH |
| A same-origin policy violation could have allowed the theft of cross-origin URL entries, leaking the result of a redirect, via `performance.getEntries()`. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4. | |||||
| CVE-2022-29915 | 1 Mozilla | 1 Firefox | 2025-04-15 | N/A | 4.3 MEDIUM |
| The Performance API did not properly hide the fact whether a request cross-origin resource has observed redirects. This vulnerability affects Firefox < 100. | |||||
| CVE-2014-1502 | 5 Mozilla, Opensuse, Opensuse Project and 2 more | 8 Firefox, Seamonkey, Opensuse and 5 more | 2025-04-12 | 6.8 MEDIUM | N/A |
| The (1) WebGL.compressedTexImage2D and (2) WebGL.compressedTexSubImage2D functions in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote attackers to bypass the Same Origin Policy and render content in a different domain via unspecified vectors. | |||||
| CVE-2017-20146 | 1 Gorillatoolkit | 1 Handlers | 2025-04-11 | N/A | 9.8 CRITICAL |
| Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy. | |||||
| CVE-2011-3067 | 2 Apple, Google | 3 Iphone Os, Safari, Chrome | 2025-04-11 | 6.8 MEDIUM | N/A |
| Google Chrome before 18.0.1025.151 allows remote attackers to bypass the Same Origin Policy via vectors related to replacement of IFRAME elements. | |||||
| CVE-2011-2856 | 1 Google | 1 Chrome | 2025-04-11 | 7.5 HIGH | N/A |
| Google V8, as used in Google Chrome before 14.0.835.163, allows remote attackers to bypass the Same Origin Policy via unspecified vectors. | |||||
| CVE-2011-3956 | 1 Google | 1 Chrome | 2025-04-11 | 6.8 MEDIUM | N/A |
| The extension implementation in Google Chrome before 17.0.963.46 does not properly handle sandboxed origins, which might allow remote attackers to bypass the Same Origin Policy via a crafted extension. | |||||