The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2023-29962 | S-CMS v5.0 was discovered to contain an arbitrary file read vulnerability. | -- | Jan 4, 2024 |
| CVE-2023-29963 | S-CMS v5.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /admin/ajax.php. | -- | May 11, 2023 |
| CVE-2023-45929 | S-Lang 2.3.2 was discovered to contain a segmentation fault via the function fixup_tgetstr(). | -- | Mar 27, 2024 |
| CVE-2023-45927 | S-Lang 2.3.2 was discovered to contain an arithmetic exception via the function tt_sprintf(). | -- | Mar 27, 2024 |
| CVE-2008-6702 | S.T.A.L.K.E.R.: Shadow of Chernobyl 1.0006 and earlier allows remote attackers to cause a denial of service (crash) via a long nickname, which triggers an exception. | Medium | Apr 13, 2009 |
| CVE-2023-42473 | S/4HANA Manage (Withholding Tax Items) - version 106, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges which has low impact on the confidentiality and integrity of the application. | -- | Oct 10, 2023 |
| CVE-2022-22542 | S/4HANA Supplier Factsheet exposes the private address and bank details of an Employee Business Partner with Supplier Role, AND Enterprise Search for Customer, Supplier and Business Partner objects exposes the private address fields of Employee Business Partners, to an actor that is not explicitly authorized to have access to that information, which could compromise Confidentiality. | MEDIUM | Feb 10, 2022 |
| CVE-2017-15327 | S12700 V200R005C00, V200R006C00, V200R006C01, V200R007C00, V200R007C01, V200R007C20, V200R008C00, V200R008C06, V200R009C00, V200R010C00, S7700 V200R001C00, V200R001C01, V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R006C01, V200R007C00, V200R007C01, V200R008C00, V200R008C06, V200R009C00, V200R010C00, S9700 V200R001C00, V200R001C01, V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R006C01, V200R007C00, V200R007C01, V200R008C00, V200R009C00, V200R010C00 have an improper authorization vulnerability on Huawei switch products. The system incorrectly performs an authorization check when a normal user attempts to access certain information which is supposed to be accessed only by authenticated user. Successful exploit could cause information disclosure. | MEDIUM | Apr 11, 2018 |
| CVE-2016-4750 | S2 Camera in Apple iOS before 10 and OS X before 10.12 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. | HIGH | Sep 27, 2016 |
| CVE-2015-8013 | s2k.js in OpenPGP.js will decrypt arbitrary messages regardless of passphrase for crafted PGP keys which allows remote attackers to bypass authentication if message decryption is used as an authentication mechanism via a crafted symmetrically encrypted PGP message. | MEDIUM | Jul 25, 2017 |
| CVE-2012-3525 | s2s/out.c in jabberd2 2.2.16 and earlier does not verify that a request was made for an XMPP Server Dialback response, which allows remote XMPP servers to spoof domains via a (1) Verify Response or (2) Authorization Response. | Medium | Aug 27, 2012 |
| CVE-2018-20298 | S3 Browser before 8.1.5 contains an XML external entity (XXE) vulnerability, allowing remote attackers to read arbitrary files and obtain NTLMv2 hash values by tricking a user into connecting to a malicious server via the S3 protocol. | MEDIUM | Dec 19, 2018 |
| CVE-2017-2712 | S3300 V100R006C05 have an Ethernet in the First Mile (EFM) flapping vulnerability due to the lack of type-length-value (TLV) consistency check. An attacker may craft malformed packets and send them to a device to cause EFM flapping. | MEDIUM | Nov 22, 2017 |
| CVE-2014-0485 | S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/. | High | Sep 3, 2014 |
| CVE-2018-12088 | S3QL before 2.27 mishandles checksumming, and consequently allows replay attacks in which an attacker who controls the backend can present old versions of the filesystem metadata database as up-to-date, temporarily inject zero-valued bytes into files, or temporarily hide parts of files. This is related to the checksum_basic_mapping function. | MEDIUM | Jun 10, 2018 |
| CVE-2021-32061 | S3Scanner before 2.0.2 allows Directory Traversal via a crafted bucket, as demonstrated by a <Key>../ substring in a ListBucketResult element. | MEDIUM | Nov 29, 2021 |
| CVE-2023-40625 | S4CORE (Manage Purchase Contracts App) - versions 102, 103, 104, 105, 106, 107, does not perform necessary authorization checks for an authenticated user. This could allow an attacker to perform unintended actions resulting in escalation of privileges which has low impact on confidentiality and integrity with no impact on availibility of the system. | -- | Sep 12, 2023 |
| CVE-2019-19920 | sa-exim 4.2.1 allows attackers to execute arbitrary code if they can write a .cf file or a rule. This occurs because Greylisting.pm relies on eval (rather than direct parsing and/or use of the taint feature). This issue is similar to CVE-2018-11805. | HIGH | Dec 23, 2019 |
| CVE-2023-23150 | SA-WR915ND router firmware v17.35.1 was discovered to be vulnerable to code execution. | -- | Mar 16, 2023 |
| CVE-2020-13756 | Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker. | HIGH | Jun 5, 2020 |
| CVE-2020-13124 | SABnzbd 2.3.9 and 3.0.0Alpha2 has a command injection vulnerability in the web configuration interface that permits an authenticated user to execute arbitrary Python commands on the underlying operating system. | MEDIUM | Aug 13, 2020 |
| CVE-2023-34237 | SABnzbd is an open source automated Usenet download tool. A design flaw was discovered in SABnzbd that could allow remote code execution. Manipulating the Parameters setting in the Notification Script functionality allows code execution with the privileges of the SABnzbd process. Exploiting the vulnerabilities requires access to the web interface. Remote exploitation is possible if users[exposed their setup to the internet or other untrusted networks without setting a username/password. By default SABnzbd is only accessible from `localhost`, with no authentication required for the web interface. This issue has been patched in commits `e3a722` and `422b4f` which have been included in the 4.0.2 release. Users are advised to upgrade. Users unable to upgrade should ensure that a username and password have been set if their instance is web accessible. | -- | Jun 7, 2023 |
| CVE-2021-29488 | SABnzbd is an open source binary newsreader. A vulnerability was discovered in SABnzbd that could trick the `filesystem.renamer()` function into writing downloaded files outside the configured Download Folder via malicious PAR2 files. A patch was released as part of SABnzbd 3.2.1RC1. As a workaround, limit downloads to NZBs without PAR2 files, deny write permissions to the SABnzbd process outside areas it must access to perform its job, or update to a fixed version. | MEDIUM | May 7, 2021 |
| CVE-2014-2055 | SabreDAV before 1.7.11, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.Per: http://cwe.mitre.org/data/definitions/611.html CWE-611: Improper Restriction of XML External Entity Reference ('XXE') | High | Jun 4, 2014 |
| CVE-2008-1358 | Sack-based buffer overflow in the IMAP server in Alt-N Technologies MDaemon 9.6.4 allows remote authenticated users to execute arbitrary code via a FETCH command with a long BODY. | Medium | Mar 18, 2008 |
| CVE-2019-12251 | sadmin/ceditpost.php in UCMS 1.4.7 allows SQL Injection via the index.php?do=sadmin_ceditpost cvalue parameter. | MEDIUM | May 21, 2019 |
| CVE-2018-20600 | sadmin\\cedit.php in UCMS 1.4.7 has XSS via an index.php sadmin_cedit action. | MEDIUM | Dec 30, 2018 |
| CVE-2020-10634 | SAE IT-systems FW-50 Remote Telemetry Unit (RTU). A specially crafted request could allow an attacker to view the file structure of the affected device and access files that should be inaccessible. | MEDIUM | May 5, 2020 |
| CVE-2020-10630 | SAE IT-systems FW-50 Remote Telemetry Unit (RTU). The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in the output used as a webpage that is served to other users. | MEDIUM | May 5, 2020 |
| CVE-2021-44232 | SAF-T Framework Transaction SAFTN_G allows an attacker to exploit insufficient validation of path information provided by normal user, leading to full server directory access. The attacker can see the whole filesystem structure but cannot overwrite, delete, or corrupt arbitrary files on the server. | MEDIUM | Dec 14, 2021 |
| CVE-2010-1755 | Safari in Apple iOS before 4 on the iPhone and iPod touch does not properly implement the Accept Cookies preference, which makes it easier for remote web servers to track users via a cookie. | Medium | Jun 26, 2010 |
| CVE-2012-0674 | Safari in Apple iOS before 5.1.1 allows remote attackers to spoof the location bar\'s URL via a crafted web site. | Medium | May 8, 2012 |
| CVE-2012-3742 | Safari in Apple iOS before 6 does not properly restrict use of an unspecified Unicode character that looks similar to the https lock indicator, which allows remote attackers to spoof https connections by placing this character in the TITLE element of a web page. | Medium | Sep 21, 2012 |
| CVE-2013-1036 | Safari in Apple iOS before 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. | Medium | Oct 10, 2013 |
| CVE-2014-4363 | Safari in Apple iOS before 8 does not properly restrict the autofilling of passwords in forms, which allows remote attackers to obtain sensitive information via (1) an http web site, (2) an https web site with an unacceptable X.509 certificate, or (3) an IFRAME element. | Medium | Sep 23, 2014 |
| CVE-2015-1111 | Safari in Apple iOS before 8.3 does not delete Recently Closed Tabs data in response to a history-clearing action, which allows attackers to obtain sensitive information by reading a history file. | Medium | Apr 14, 2015 |
| CVE-2015-3763 | Safari in Apple iOS before 8.4.1 does not limit the rate of JavaScript alert messages, which allows remote attackers to cause a denial of service (apparent browser locking) via a crafted web site. | Medium | Aug 19, 2015 |
| CVE-2015-5904 | Safari in Apple iOS before 9 allows remote attackers to spoof the relationship between URLs and web content via a crafted web site. | Medium | Sep 18, 2015 |
| CVE-2015-5905 | Safari in Apple iOS before 9 allows remote attackers to spoof the relationship between URLs and web content via a crafted window opener on a web site. | Medium | Sep 18, 2015 |
| CVE-2015-7093 | Safari in Apple iOS before 9.2 allows remote attackers to spoof a URL in the user interface via a crafted web site. | Medium | Dec 11, 2015 |
| CVE-2016-4604 | Safari in Apple iOS before 9.3.3 allows remote attackers to spoof the displayed URL via an HTTP response specifying redirection to an invalid TCP port number. | MEDIUM | Jul 26, 2016 |
| CVE-2007-3757 | Safari in Apple iPhone 1.1.1 allows remote user-assisted attackers to trick the iPhone user into making calls to arbitrary telephone numbers via a crafted "tel:" link that causes iPhone to display a different number than the number that will be dialed. | Medium | Oct 1, 2007 |
| CVE-2007-3758 | Safari in Apple iPhone 1.1.1, and Safari 3 before Beta Update 3.0.4 on Windows and in Mac OS X 10.4 through 10.4.10, allows remote attackers to set Javascript window properties for web pages that are in a different domain, which can be leveraged to conduct cross-site scripting (XSS) attacks. | Medium | Oct 1, 2007 |
| CVE-2007-3756 | Safari in Apple iPhone 1.1.1, and Safari 3 before Beta Update 3.0.4 on Windows and Mac OS X 10.4 through 10.4.10, allows remote attackers to obtain sensitive information via a crafted web page that identifies the URL of the parent window, even when the parent window is in a different domain. | Medium | Oct 15, 2007 |
| CVE-2007-3759 | Safari in Apple iPhone 1.1.1, when requested to disable Javascript, does not disable it until Safari is restarted, which might leave Safari open to attacks that the user does not expect. | Medium | Oct 1, 2007 |
| CVE-2008-4233 | Safari in Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod touch 1.1 through 2.1 does not isolate the call-approval dialog from the process of launching Unchanged applications, which allows remote attackers to make arbitrary phone calls via a crafted HTML document. | Low | Nov 26, 2008 |
| CVE-2008-4231 | Safari in Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod touch 1.1 through 2.1 does not properly handle HTML TABLE elements, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document. | High | Nov 26, 2008 |
| CVE-2009-1680 | Safari in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly clear the search history when it is cleared from the Settings application, which allows physically proximate attackers to obtain the search history. | Low | Jun 24, 2009 |
| CVE-2008-4232 | Safari in Apple iPhone OS 2.0 through 2.1 and iPhone OS for iPod touch 2.1 through 2.1 does not restrict an IFRAME\'s content display to the boundaries of the IFRAME, which allows remote attackers to spoof a user interface via a crafted HTML document. | Medium | Nov 26, 2008 |
| CVE-2007-4694 | Safari in Apple Mac OS X 10.4 through 10.4.10 allows remote attackers to access local content via file:// URLs. | Medium | Nov 15, 2007 |
