Total
380 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-45139 | 1 Wago | 14 751-9301, 751-9301 Firmware, 752-8303\/8000-002 and 11 more | 2025-03-10 | 5.3 Medium |
| A CORS Misconfiguration in the web-based management allows a malicious third party webserver to misuse all basic information pages on the webserver. In combination with CVE-2022-45138 this could lead to disclosure of device information like CPU diagnostics. As there is just a limited amount of information readable the impact only affects a small subset of confidentiality. | ||||
| CVE-2023-0957 | 1 Gitpod | 1 Gitpod | 2025-03-05 | 8.2 High |
| An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Gitpod JSONRPC server using a victim’s credentials, because the Origin header is not restricted. This can lead to the extraction of data from workspaces, to a full takeover of the workspace. | ||||
| CVE-2025-23117 | 2025-03-05 | 6.8 Medium | ||
| An Insufficient Firmware Update Validation vulnerability could allow an authenticated malicious actor with access to UniFi Protect Cameras adjacent network to make unsupported changes to the camera system. | ||||
| CVE-2025-1969 | 2025-03-04 | 4.3 Medium | ||
| Improper request input validation in Temporary Elevated Access Management (TEAM) for AWS IAM Identity Center allows a user to modify a valid request and spoof an approval in TEAM. Upgrade TEAM to the latest release v.1.2.2. Follow instructions in updating TEAM documentation for updating process | ||||
| CVE-2021-26735 | 1 Zscaler | 1 Client Connector | 2025-02-27 | 6.7 Medium |
| The Zscaler Client Connector Installer and Unsintallers for Windows prior to 3.6 had an unquoted search path vulnerability. A local adversary may be able to execute code with SYSTEM privileges. | ||||
| CVE-2023-28795 | 1 Zscaler | 1 Client Connector | 2025-02-27 | 7.8 High |
| Origin Validation Error vulnerability in Zscaler Client Connector on Linux allows Inclusion of Code in Existing Process. This issue affects Zscaler Client Connector for Linux: before 1.3.1.6. | ||||
| CVE-2023-26114 | 1 Coder | 1 Code-server | 2025-02-25 | 8.2 High |
| Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance. | ||||
| CVE-2025-1102 | 2025-02-17 | 5.5 Medium | ||
| A CWE-346 "Origin Validation Error" in the CORS configuration in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability via crafted URLs or HTTP requests. | ||||
| CVE-2023-5973 | 1 Broadcom | 1 Fabric Operating System | 2025-02-13 | 4.3 Medium |
| Brocade Web Interface in Brocade Fabric OS v9.x and before v9.2.0 does not properly represent the portName to the user if the portName contains reserved characters. This could allow an authenticated user to alter the UI of the Brocade Switch and change ports display. | ||||
| CVE-2023-5859 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2025-02-13 | 4.3 Medium |
| Incorrect security UI in Picture In Picture in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to perform domain spoofing via a crafted local HTML page. (Chromium security severity: Low) | ||||
| CVE-2023-5853 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2025-02-13 | 4.3 Medium |
| Incorrect security UI in Downloads in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2023-5851 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2025-02-13 | 4.3 Medium |
| Inappropriate implementation in Downloads in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2023-4045 | 3 Debian, Mozilla, Redhat | 7 Debian Linux, Firefox, Enterprise Linux and 4 more | 2025-02-13 | 5.3 Medium |
| Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. | ||||
| CVE-2023-37210 | 1 Mozilla | 1 Firefox | 2025-02-13 | 6.5 Medium |
| A website could prevent a user from exiting full-screen mode via alert and prompt calls. This could lead to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 115. | ||||
| CVE-2023-30996 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2025-02-13 | 5.3 Medium |
| IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 could be vulnerable to information leakage due to unverified sources in messages sent between Windows objects of different origins. IBM X-Force ID: 254290. | ||||
| CVE-2022-4917 | 2 Fedoraproject, Google | 3 Fedora, Android, Chrome | 2025-02-13 | 4.3 Medium |
| Incorrect security UI in Notifications in Google Chrome on Android prior to 103.0.5060.53 allowed a remote attacker to obscure the full screen notification via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2024-36472 | 1 Redhat | 2 Enterprise Linux, Rhel Eus | 2025-02-13 | 6.5 Medium |
| In GNOME Shell through 45.7, a portal helper can be launched automatically (without user confirmation) based on network responses provided by an adversary (e.g., an adversary who controls the local Wi-Fi network), and subsequently loads untrusted JavaScript code, which may lead to resource consumption or other impacts depending on the JavaScript code's behavior. | ||||
| CVE-2025-1083 | 2025-02-12 | 3.1 Low | ||
| A vulnerability classified as problematic was found in Mindskip xzs-mysql 学之思开源考试系统 3.9.0. Affected by this vulnerability is an unknown functionality of the component CORS Handler. The manipulation leads to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-23023 | 2025-02-12 | 8.2 High | ||
| Discourse is an open source platform for community discussion. In affected versions an attacker can carefully craft a request with the right request headers to poison the anonymous cache (for example, the cache may have a response with missing preloaded data). This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade may disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value. | ||||
| CVE-2024-25124 | 1 Gofiber | 1 Fiber | 2025-02-05 | 9.4 Critical |
| Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this. | ||||