Total
515 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-1461 | 2024-11-21 | 4.9 Medium | ||
| A vulnerability in the Image Signature Verification feature of Cisco SD-WAN Software could allow an authenticated, remote attacker with Administrator-level credentials to install a malicious software patch on an affected device. The vulnerability is due to improper verification of digital signatures for patch images. An attacker could exploit this vulnerability by crafting an unsigned software patch to bypass signature checks and loading it on an affected device. A successful exploit could allow the attacker to boot a malicious software patch image.Cisco has released software updates that address the vulnerability described in this advisory. There are no workarounds that address this vulnerability. | ||||
| CVE-2021-1453 | 1 Cisco | 1 Ios Xe | 2024-11-21 | 6.8 Medium |
| A vulnerability in the software image verification functionality of Cisco IOS XE Software for the Cisco Catalyst 9000 Family of switches could allow an unauthenticated, physical attacker to execute unsigned code at system boot time. The vulnerability is due to an improper check in the code function that manages the verification of the digital signatures of system image files during the initial boot process. An attacker could exploit this vulnerability by loading unsigned software on an affected device. A successful exploit could allow the attacker to boot a malicious software image or execute unsigned code and bypass the image verification check part of the secure boot process of an affected device. To exploit this vulnerability, the attacker would need to have unauthenticated physical access to the device or obtain privileged access to the root shell on the device. | ||||
| CVE-2021-1376 | 1 Cisco | 1 Ios Xe | 2024-11-21 | 6.7 Medium |
| Multiple vulnerabilities in the fast reload feature of Cisco IOS XE Software running on Cisco Catalyst 3850, Cisco Catalyst 9300, and Cisco Catalyst 9300L Series Switches could allow an authenticated, local attacker to either execute arbitrary code on the underlying operating system, install and boot a malicious software image, or execute unsigned binaries on an affected device. These vulnerabilities are due to improper checks performed by system boot routines. To exploit these vulnerabilities, the attacker would need privileged access to the CLI of the device. A successful exploit could allow the attacker to either execute arbitrary code on the underlying operating system or execute unsigned code and bypass the image verification check part of the secure boot process. For more information about these vulnerabilities, see the Details section of this advisory. | ||||
| CVE-2021-1375 | 1 Cisco | 1 Ios Xe | 2024-11-21 | 6.7 Medium |
| Multiple vulnerabilities in the fast reload feature of Cisco IOS XE Software running on Cisco Catalyst 3850, Cisco Catalyst 9300, and Cisco Catalyst 9300L Series Switches could allow an authenticated, local attacker to either execute arbitrary code on the underlying operating system, install and boot a malicious software image, or execute unsigned binaries on an affected device. These vulnerabilities are due to improper checks performed by system boot routines. To exploit these vulnerabilities, the attacker would need privileged access to the CLI of the device. A successful exploit could allow the attacker to either execute arbitrary code on the underlying operating system or execute unsigned code and bypass the image verification check part of the secure boot process. For more information about these vulnerabilities, see the Details section of this advisory. | ||||
| CVE-2021-1366 | 1 Cisco | 1 Anyconnect Secure Mobility Client | 2024-11-21 | 7.8 High |
| A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device if the VPN Posture (HostScan) Module is installed on the AnyConnect client. This vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges. To exploit this vulnerability, the attacker needs valid credentials on the Windows system. | ||||
| CVE-2021-1244 | 1 Cisco | 7 8201, 8202, 8808 and 4 more | 2024-11-21 | 6.7 Medium |
| Multiple vulnerabilities in Cisco Network Convergence System (NCS) 540 Series Routers, only when running Cisco IOS XR NCS540L software images, and Cisco IOS XR Software for the Cisco 8000 Series Routers could allow an authenticated, local attacker to execute unsigned code during the boot process on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | ||||
| CVE-2021-1136 | 1 Cisco | 7 8201, 8202, 8808 and 4 more | 2024-11-21 | 6.7 Medium |
| Multiple vulnerabilities in Cisco Network Convergence System (NCS) 540 Series Routers, only when running Cisco IOS XR NCS540L software images, and Cisco IOS XR Software for the Cisco 8000 Series Routers could allow an authenticated, local attacker to execute unsigned code during the boot process on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | ||||
| CVE-2021-0152 | 1 Intel | 30 Ac1550, Ac1550 Firmware, Ac 3165 and 27 more | 2024-11-21 | 5.5 Medium |
| Improper verification of cryptographic signature in the installer for some Intel(R) Wireless Bluetooth(R) and Killer(TM) Bluetooth(R) products in Windows 10 may allow an authenticated user to potentially enable denial of service via local access. | ||||
| CVE-2020-9753 | 1 Naver | 1 Whale Browser Installer | 2024-11-21 | 9.1 Critical |
| Whale Browser Installer before 1.2.0.5 versions don't support signature verification for Flash installer. | ||||
| CVE-2020-9283 | 3 Debian, Golang, Redhat | 7 Debian Linux, Package Ssh, 3scale Amp and 4 more | 2024-11-21 | 7.5 High |
| golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client. | ||||
| CVE-2020-9226 | 1 Huawei | 2 P30, P30 Firmware | 2024-11-21 | 5.5 Medium |
| HUAWEI P30 with versions earlier than 10.1.0.135(C00E135R2P11) have an improper signature verification vulnerability. The system does not improper check signature of specific software package, an attacker may exploit this vulnerability to load a crafted software package to the device. | ||||
| CVE-2020-9047 | 1 Johnsoncontrols | 2 Exacqvision Enterprise Manager, Exacqvision Web Service | 2024-11-21 | 6.8 Medium |
| A vulnerability exists that could allow the execution of unauthorized code or operating system commands on systems running exacqVision Web Service versions 20.06.3.0 and prior and exacqVision Enterprise Manager versions 20.06.4.0 and prior. An attacker with administrative privileges could potentially download and run a malicious executable that could allow OS command injection on the system. | ||||
| CVE-2020-8324 | 1 Lenovo | 1 System Interface Foundation | 2024-11-21 | 5 Medium |
| A vulnerability was reported in LenovoAppScenarioPluginSystem for Lenovo System Interface Foundation prior to version 1.2.184.31 that could allow unsigned DLL files to be executed. | ||||
| CVE-2020-8133 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 5.3 Medium |
| A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file. | ||||
| CVE-2020-7906 | 1 Jetbrains | 1 Rider | 2024-11-21 | 7.5 High |
| In JetBrains Rider versions 2019.3 EAP2 through 2019.3 EAP7, there were unsigned binaries provided by the Windows installer. This issue was fixed in release version 2019.3. | ||||
| CVE-2020-6174 | 1 Linuxfoundation | 1 The Update Framework | 2024-11-21 | 9.8 Critical |
| TUF (aka The Update Framework) through 0.12.1 has Improper Verification of a Cryptographic Signature. | ||||
| CVE-2020-5407 | 1 Pivotal Software | 1 Spring Security | 2024-11-21 | 8.8 High |
| Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid. | ||||
| CVE-2020-5390 | 3 Canonical, Debian, Pysaml2 Project | 3 Ubuntu Linux, Debian Linux, Pysaml2 | 2024-11-21 | 7.5 High |
| PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of assertion that have been signed. | ||||
| CVE-2020-3209 | 1 Cisco | 1 Ios Xe | 2024-11-21 | 6.8 Medium |
| A vulnerability in software image verification in Cisco IOS XE Software could allow an unauthenticated, physical attacker to install and boot a malicious software image or execute unsigned binaries on an affected device. The vulnerability is due to an improper check on the area of code that manages the verification of the digital signatures of system image files during the initial boot process. An attacker could exploit this vulnerability by loading unsigned software on an affected device. A successful exploit could allow the attacker to install and boot a malicious software image or execute unsigned binaries on the targeted device. | ||||
| CVE-2020-3138 | 1 Cisco | 1 Enterprise Network Function Virtualization Infrastructure | 2024-11-21 | 6.7 Medium |
| A vulnerability in the upgrade component of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to install a malicious file when upgrading. The vulnerability is due to insufficient signature validation. An attacker could exploit this vulnerability by providing a crafted upgrade file. A successful exploit could allow the attacker to upload crafted code to the affected device. | ||||