Vulnerabilities (CVE)

Filtered by CWE-345
Total 436 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-48865 1 Fabiolb 1 Fabio 2025-06-04 N/A 9.1 CRITICAL
Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP clients to remove or modify them creates potential security vulnerabilities. Some of these custom headers can be removed and, in certain cases, manipulated. The attack relies on the behavior that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been patched in version 1.6.6.
CVE-2023-52109 1 Huawei 2 Emui, Harmonyos 2025-06-02 N/A 7.5 HIGH
Vulnerability of trust relationships being inaccurate in distributed scenarios. Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2025-5320 2025-06-01 2.6 LOW 3.7 LOW
A vulnerability classified as problematic has been found in gradio-app gradio up to 5.29.1. This affects the function is_valid_origin of the component CORS Handler. The manipulation of the argument localhost_aliases leads to erweiterte Rechte. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2021-4226 1 Rsjoomla 1 Rsfirewall\! 2025-05-27 N/A 9.8 CRITICAL
RSFirewall tries to identify the original IP address by looking at different HTTP headers. A bypass is possible due to the way it is implemented.
CVE-2025-27558 2025-05-22 N/A 9.1 CRITICAL
IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against mesh networks. In mesh networks using Wi-Fi Protected Access (WPA, WPA2, or WPA3) or Wired Equivalent Privacy (WEP), an adversary can exploit this vulnerability to inject arbitrary frames towards devices that support receiving non-SSP A-MSDU frames. NOTE: this issue exists because of an incorrect fix for CVE-2020-24588. P802.11-REVme, as of early 2025, is a planned release of the 802.11 standard.
CVE-2018-10626 1 Medtronic 4 Mycarelink 24950 Patient Monitor, Mycarelink 24950 Patient Monitor Firmware, Mycarelink 24952 Patient Monitor and 1 more 2025-05-22 3.8 LOW 4.4 MEDIUM
Medtronic MyCareLink Patient Monitor’s update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data to the Medtronic CareLink network.
CVE-2025-29842 1 Microsoft 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more 2025-05-19 N/A 7.5 HIGH
Acceptance of extraneous untrusted data with trusted data in UrlMon allows an unauthorized attacker to bypass a security feature over a network.
CVE-2022-37928 1 Hpe 18 Hf20, Hf20 Firmware, Hf20c and 15 more 2025-05-02 N/A 8.0 HIGH
Insufficient Verification of Data Authenticity vulnerability in Hewlett Packard Enterprise HPE Nimble Storage Hybrid Flash Arrays and Nimble Storage Secondary Flash Arrays.
CVE-2024-43428 1 Moodle 1 Moodle 2025-05-01 N/A 7.7 HIGH
To address a cache poisoning risk in Moodle, additional validation for local storage was required.
CVE-2022-31813 3 Apache, Fedoraproject, Netapp 3 Http Server, Fedora, Clustered Data Ontap 2025-05-01 7.5 HIGH 9.8 CRITICAL
Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.
CVE-2023-5482 3 Debian, Fedoraproject, Google 3 Debian Linux, Fedora, Chrome 2025-04-30 N/A 8.8 HIGH
Insufficient data validation in USB in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
CVE-2025-43865 2025-04-29 N/A 8.2 HIGH
React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values ​​of the data object passed to the HTML. This issue has been patched in version 7.5.2.
CVE-2022-31877 1 Msi 1 Center 2025-04-25 N/A 8.8 HIGH
An issue in the component MSI.TerminalServer.exe of MSI Center v1.0.41.0 allows attackers to escalate privileges via a crafted TCP packet.
CVE-2023-28457 1 Technitium 1 Dnsserver 2025-04-22 N/A 7.5 HIGH
An issue was discovered in Technitium through 11.0.3. It enables attackers to conduct a DNS cache poisoning attack and inject fake responses within 1 second, which is impactful.
CVE-2022-46692 1 Apple 7 Icloud, Ipados, Iphone Os and 4 more 2025-04-21 N/A 5.5 MEDIUM
A logic issue was addressed with improved state management. This issue is fixed in Safari 16.2, tvOS 16.2, iCloud for Windows 14.1, iOS 15.7.2 and iPadOS 15.7.2, macOS Ventura 13.1, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may bypass Same Origin Policy.
CVE-2017-11379 1 Trendmicro 1 Deep Discovery Director 2025-04-20 5.0 MEDIUM 7.5 HIGH
Configuration and database backup archives are not signed or validated in Trend Micro Deep Discovery Director 1.1.
CVE-2015-9232 1 Good 1 Good For Enterprise 2025-04-20 2.6 LOW 5.3 MEDIUM
The Good for Enterprise application 3.0.0.415 for Android does not use signature protection for its Authentication Delegation API intent. Also, the Good Dynamic application activation process does not attempt to detect malicious activation attempts involving modified names beginning with a com.good.gdgma substring. Consequently, an attacker could obtain access to intranet data. This issue is only relevant in cases where the user has already downloaded a malicious Android application.
CVE-2017-10624 1 Juniper 1 Junos Space 2025-04-20 5.1 MEDIUM 7.5 HIGH
Insufficient verification of node certificates in Juniper Networks Junos Space may allow a man-in-the-middle type of attacker to make unauthorized modifications to Space database or add nodes. Affected releases are Juniper Networks Junos Space all versions prior to 17.1R1.
CVE-2017-9606 1 Infotecs 2 Vipnet Client, Vipnet Coordinator 2025-04-20 4.4 MEDIUM 7.3 HIGH
Infotecs ViPNet Client and Coordinator before 4.3.2-42442 allow local users to gain privileges by placing a Trojan horse ViPNet update file in the update folder. The attack succeeds because of incorrect folder permissions in conjunction with a lack of integrity and authenticity checks.
CVE-2017-12740 1 Siemens 1 Logo\! Soft Comfort 2025-04-20 4.3 MEDIUM 5.9 MEDIUM
Siemens LOGO! Soft Comfort (All versions before V8.2) lacks integrity verification of software packages downloaded via an unprotected communication channel. This could allow a remote attacker to manipulate the software package while performing a Man-in-the-Middle (MitM) attack.