The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2022-32648 | In disp, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06535964; Issue ID: ALPS06535964. | -- | Jan 4, 2023 |
| CVE-2022-20465 | In dismiss and related functions of KeyguardHostViewController.java and related files, there is a possible lockscreen bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-218500036 | -- | Nov 9, 2022 |
| CVE-2023-40100 | In discovery_thread of Dns64Configuration.cpp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | -- | Feb 16, 2024 |
| CVE-2021-3138 | In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. | MEDIUM | Jan 14, 2021 |
| CVE-2022-22116 | In Directus, versions 9.0.0-alpha.4 through 9.4.1 are vulnerable to stored Cross-Site Scripting (XSS) vulnerability via SVG file upload in media upload functionality. A low privileged attacker can inject arbitrary javascript code which will be executed in a victim’s browser when they open the image URL. | LOW | Jan 14, 2022 |
| CVE-2022-22117 | In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted file upload of .html files in the media upload functionality, which leads to Cross-Site Scripting vulnerability. A low privileged attacker can upload a crafted HTML file as a profile avatar, and when an admin or another user opens it, the XSS payload gets triggered. | LOW | Jan 14, 2022 |
| CVE-2022-23080 | In directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality which allows a low privileged user to perform internal network port scans. | -- | Jun 23, 2022 |
| CVE-2022-26969 | In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. | -- | Dec 27, 2022 |
| CVE-2021-26594 | In Directus 8.x through 8.8.1, an attacker can switch to the administrator role (via the PATCH method) without any control by the back end. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | MEDIUM | Feb 23, 2021 |
| CVE-2021-26593 | In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/{id}. For each call, they get in response a lot of information about the user (such as email address, first name, and last name) but also the secret for 2FA if one exists. This secret can be regenerated. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | MEDIUM | Feb 23, 2021 |
| CVE-2021-26595 | In Directus 8.x through 8.8.1, an attacker can learn sensitive information such as the version of the CMS, the PHP version used by the site, and the name of the DBMS, simply by view the result of the api-aa, called automatically upon a connection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | MEDIUM | Feb 23, 2021 |
| CVE-2021-27583 | In Directus 8.x through 8.8.1, an attacker can discover whether a user is present in the database through the password reset feature. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | MEDIUM | Feb 23, 2021 |
| CVE-2019-13980 | In Directus 7 API through 2.3.0, uploading of PHP files is blocked only when the Apache HTTP Server is used, leading to uploads/_/originals remote code execution with nginx. | MEDIUM | Jul 22, 2019 |
| CVE-2019-13981 | In Directus 7 API through 2.3.0, remote attackers can read image files via a direct request for a filename under the uploads/_/originals/ directory. This is related to a configuration option in which the file collection can be non-public, but this option does not apply to the thumbnailer. | MEDIUM | Jul 22, 2019 |
| CVE-2019-13979 | In Directus 7 API before 2.2.1, uploading of PHP files is not blocked, leading to uploads/_/originals remote code execution. | MEDIUM | Jul 22, 2019 |
| CVE-2019-14767 | In DIMO YellowBox CRM before 6.3.4, Path Traversal in images/Apparence (dossier=../) and servletrecuperefichier (document=../) allows an unauthenticated user to download arbitrary files from the server. | MEDIUM | Jan 28, 2020 |
| CVE-2020-4051 | In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 and less than 1.12.9, and greater than or equal to 1.13.0 and less than 1.13.8, and greater than or equal to 1.14.0 and less than 1.14.7, and greater than or equal to 1.15.0 and less than 1.15.4, and greater than or equal to 1.16.0 and less than 1.16.3, there is a cross-site scripting vulnerability in the Editor\'s LinkDialog plugin. This has been fixed in 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3. | LOW | Jun 16, 2020 |
| CVE-2020-4081 | In Digital Experience 8.5, 9.0, and 9.5, WSRP consumer is vulnerable to cross-site scripting (XSS). | MEDIUM | Feb 2, 2021 |
| CVE-2021-36767 | In Digi RealPort through 4.10.490, authentication relies on a challenge-response mechanism that gives access to the server password, making the protection ineffective. An attacker may send an unauthenticated request to the server. The server will reply with a weakly-hashed version of the server\'s access password. The attacker may then crack this hash offline in order to successfully login to the server. | HIGH | Oct 8, 2021 |
| CVE-2019-9843 | In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn\'t respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file. | MEDIUM | Jul 5, 2019 |
| CVE-2023-42718 | In dialer, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed | -- | Dec 4, 2023 |
| CVE-2021-39790 | In Dialer, there is a possible way to manipulate visual voicemail settings due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-186405146 | MEDIUM | Apr 5, 2022 |
| CVE-2023-40631 | In Dialer, there is a possible missing permission check. This could lead to local information disclosure with System execution privileges needed | -- | Oct 8, 2023 |
| CVE-2022-48371 | In dialer service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges. | -- | May 11, 2023 |
| CVE-2022-48370 | In dialer service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges. | -- | May 11, 2023 |
| CVE-2022-48392 | In dialer service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges. | -- | Jun 6, 2023 |
| CVE-2022-48442 | In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | -- | Jun 6, 2023 |
| CVE-2022-48441 | In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | -- | Jun 6, 2023 |
| CVE-2022-48440 | In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | -- | Jun 6, 2023 |
| CVE-2022-48379 | In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | -- | May 9, 2023 |
| CVE-2022-48377 | In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | -- | May 9, 2023 |
| CVE-2022-48376 | In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges. | -- | May 9, 2023 |
| CVE-2023-30865 | In dialer service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | -- | Jun 6, 2023 |
| CVE-2023-21071 | In dhd_prot_ioctcmplt_process of dhd_msgbuf.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-254028518References: N/A | -- | Mar 24, 2023 |
| CVE-2023-48423 | In dhcp4_SetPDNAddress of dhcp4_Main.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | -- | Dec 8, 2023 |
| CVE-2021-0511 | In Dex2oat of dex2oat.cc, there is a possible way to inject bytecode into an app due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11Android ID: A-178055795 | MEDIUM | Jun 23, 2021 |
| CVE-2019-9578 | In devs.c in Yubico libu2f-host before 1.1.8, the response to init is misparsed, leaking uninitialized stack memory back to the device. | MEDIUM | Mar 20, 2019 |
| CVE-2023-21165 | In DevmemIntUnmapPMR of devicemem_server.c, there is a possible arbitrary code execution due to a use after free. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. | -- | Feb 16, 2024 |
| CVE-2023-21164 | In DevmemIntMapPMR of devicemem_server.c, there is a possible arbitrary code execution due to a use after free. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. | -- | Dec 5, 2023 |
| CVE-2021-0951 | In DevmemIntHeapAcquire of TBD, there is a possible arbitrary code execution due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-242345085 | -- | Oct 13, 2022 |
| CVE-2023-21401 | In DevmemIntChangeSparse of devicemem_server.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. | -- | Dec 5, 2023 |
| CVE-2023-21215 | In DevmemIntAcquireRemoteCtx of devicemem_server.c, there is a possible arbitrary code execution due to a race condition. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. | -- | Dec 5, 2023 |
| CVE-2019-2226 | In device_class_to_int of device_class.cc, there is a possible out of bounds read due to improper casting. This could lead to local information disclosure in the Bluetooth server with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-140152619 | MEDIUM | Dec 9, 2019 |
| CVE-2021-39755 | In DevicePolicyManager, there is a possible way to reveal the existence of an installed package without proper query permissions due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-204995407 | LOW | Apr 5, 2022 |
| CVE-2022-20275 | In DevicePolicyManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-205836975 | -- | Aug 12, 2022 |
| CVE-2022-20276 | In DevicePolicyManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-205706731 | -- | Aug 12, 2022 |
| CVE-2022-20277 | In DevicePolicyManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-205145497 | -- | Aug 12, 2022 |
| CVE-2022-20279 | In DevicePolicyManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-204877302 | -- | Aug 12, 2022 |
| CVE-2021-39745 | In DevicePolicyManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-206127671 | LOW | Apr 5, 2022 |
| CVE-2021-39744 | In DevicePolicyManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-192369136 | LOW | Apr 5, 2022 |
