In the name of Allah, the Most Gracious, the Most Merciful.
CVE-2021-33593 – Whale Browser
Description: Whale Browser for iOS before 1.14.0 has an inconsistent user interface issue that allows an attacker to obfuscate the address bar, which may lead to address bar spoofing.
References:
• NAVER Security Advisory – CVE-2021-33593
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33593
• https://nvd.nist.gov/vuln/detail/CVE-2021-33593
CVE-2020-15816 – WD Discovery for macOS
Description: A malicious application running with standard user permissions could potentially execute code in the application’s process through library injection by using DYLD environment variables. Any sensitive resources that may be accessed via the application may be stolen.
References:
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15816
• https://nvd.nist.gov/vuln/detail/CVE-2020-15816
• https://www.westerndigital.com/support/productsecurity/wdc-20005-wd-discovery-remote-command-execution-vulnerability
CVE-2019-18654 – AVG AntiVirus (Desktop) for Windows
Description: A Cross Site Scripting (XSS) issue exists in AVG AntiVirus (Free, Internet Security, and Premiere Edition) 19.3.2369 build 19.3.4241.440 in the Network Notification Popup, allowing an attacker to execute JavaScript code via an SSID Name.
References:
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18654
• https://nvd.nist.gov/vuln/detail/CVE-2019-18654
• https://medium.com/@YoKoKho/5-000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop-1e99375f0968
• http://firstsight.me/2019/10/5000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop/
CVE-2019-18653 – Avast AntiVirus (Desktop) for Windows
Description: A Cross Site Scripting (XSS) issue exists in Avast AntiVirus (Free, Internet Security, and Premiere Edition) 19.3.2369 build 19.3.4241.440 in the Network Notification Popup, allowing an attacker to execute JavaScript code via an SSID Name.
References:
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18653
• https://nvd.nist.gov/vuln/detail/CVE-2019-18653
• https://medium.com/@YoKoKho/5-000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop-1e99375f0968
• http://firstsight.me/2019/10/5000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop/
CVE-2019-18624 – Opera Mini for Android
Description: An illegal rendering issue in the download feature of Opera Mini for Android version 44.1.2254.142553 could lead to extension manipulation.
References:
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18624
• https://nvd.nist.gov/vuln/detail/CVE-2019-18624
• https://medium.com/@YoKoKho/illegal-rendered-at-download-feature-in-opera-mini-that-lead-to-extension-manipulation-with-rtlo-685bf2d77d51
• http://firstsight.me/2019/10/illegal-rendered-at-download-feature-in-several-apps-including-opera-mini-that-lead-to-extension-manipulation-with-rtlo/
CVE-2019-9700 – Norton Password Manager for Android
Description: Norton Password Manager, prior to 6.3.0.2082, may be susceptible to an address spoofing issue. This type of issue may allow an attacker to disguise their origin IP address in order to obfuscate the source of network traffic.
References:
• https://support.symantec.com/us/en/article.SYMSA1483.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9700
• https://nvd.nist.gov/vuln/detail/CVE-2019-9700
• https://www.securityfocus.com/bid/108676
CVE-2018-18365 – Norton Password Manager for Android
Description: Norton Password Manager may be susceptible to an address spoofing issue. This type of issue may allow an attacker to disguise their origin IP address in order to obfuscate the source of network traffic.
References:
• https://support.symantec.com/us/en/article.symsa1475.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18365
• https://nvd.nist.gov/vuln/detail/CVE-2018-18365
• https://www.securityfocus.com/bid/106953
CVE-2018-18330 – Trend Micro Dr. Safety for Android (Consumer)
Description: An Address Bar Spoofing vulnerability in Trend Micro Dr. Safety for Android (Consumer) versions 3.0.1324 and below could allow an attacker to potentially trick a victim into visiting a malicious URL using address bar spoofing on the Private Browser of the app on vulnerable installations.
References:
• https://helpcenter.trendmicro.com/en-us/article/TMKA-20514
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18330
• https://nvd.nist.gov/vuln/detail/CVE-2018-18330
CVE-2018-6682 – McAfee True Key Android
Description: Address bar spoofing exposure in McAfee True Key (TK) 4.0.0.0 and earlier allows local users to expose confidential data via a crafted web site.
References:
• https://service.mcafee.com/webcenter/portal/cp/home/articleview?articleId=TS102825
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6682
• https://nvd.nist.gov/vuln/detail/CVE-2018-6682
CVE-2018-4188 – Apple (WebKit for Safari on OS X, iOS, tvOS, iCloud for Windows, and iTunes for Windows)
Description: An issue was discovered in certain Apple products:
• iOS before 11.4 is affected.
• Safari before 11.1.1 is affected.
• iCloud before 7.5 on Windows is affected.
• iTunes before 12.7.5 on Windows is affected.
• tvOS before 11.4 is affected.
The issue involves the “WebKit” component. It allows remote attackers to spoof the address bar via a crafted web site.
References:
• https://support.apple.com/HT208848
• https://support.apple.com/HT208850
• https://support.apple.com/HT208852
• https://support.apple.com/HT208853
• https://support.apple.com/HT208854
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4188
• https://nvd.nist.gov/vuln/detail/CVE-2018-4188
• http://www.securitytracker.com/id/1041029
CVE-2018-4870 – Samsung Internet Browser for Android
Description: An Address Bar Spoofing vulnerability in Samsung Internet Browser versions 6.2.00.31 and below could allow an attacker to potentially trick a victim into visiting a malicious URL using address bar spoofing on.
Reference: Not yet released; the CVE information is still private.
CVE-2018-4869 – Samsung Internet Browser for Android
Description: An Address Bar Spoofing vulnerability in Samsung Internet Browser versions 6.2.00.8 and below could allow an attacker to potentially trick a victim into visiting a malicious URL using address bar spoofing on.
Reference: Not yet released; the CVE information is still private.
A general description of this issue can be seen at: https://www.youtube.com/watch?v=02LoePAi9jk
CVE-2017-17945 – ASUS HiVivo for Android
Description: The ASUS HiVivo application before 5.6.27 for Android has Missing SSL Certificate Validation.
References:
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17945
• https://nvd.nist.gov/vuln/detail/CVE-2017-17945
CVE-2017-17944 – ASUS Vivobaby for Android
Description: The ASUS Vivobaby application before 1.1.09 for Android has Missing SSL Certificate Validation.
References:
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17944
• https://nvd.nist.gov/vuln/detail/CVE-2017-17944
CVE-2016-9468 – Nextcloud and ownCloud Server
Description: Nextcloud Server before 9.0.54 and 10.0.1, and ownCloud Server before 9.0.6 and 9.1.2, suffer from content spoofing in the dav app. The exception message displayed on the DAV endpoints contained partially user-controllable input, leading to a potential misrepresentation of information.
References:
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9468
• https://nvd.nist.gov/vuln/detail/CVE-2016-9468
• https://nextcloud.com/security/advisory/?id=nc-sa-2016-011
• https://owncloud.org/security/advisory/?id=oc-sa-2016-021
• https://github.com/nextcloud/server/commit/7350e13113c8ed484727a5c25331ec11d4d59f5f
• https://github.com/nextcloud/server/commit/a4cfb3ddc1f4cdb585e05c0e9b2f8e52a0e2ee3e
• https://github.com/owncloud/core/commit/96b8afe48570bc70088ccd8f897e9d71997d336e
• https://github.com/owncloud/core/commit/bcc6c39ad8c22a00323a114e9c1a0a834983fb35
CVE-2016-4157 – Adobe Creative Cloud Desktop Application for Windows
Description: Untrusted search path vulnerability in the installer in Adobe Creative Cloud Desktop Application before 3.7.0.272 on Windows allows local users to gain privileges via a Trojan horse resource in an unspecified directory.
References:
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4157
• https://nvd.nist.gov/vuln/detail/CVE-2016-4157
• https://helpx.adobe.com/security/products/creative-cloud/apsb16-21.html
CVE-2016-1742 – Apple iTunes Desktop Application for Windows
Description: Untrusted search path vulnerability in the installer in Apple iTunes before 12.4 allows local users to gain privileges via a Trojan horse DLL in the current working directory.
References:
• https://support.apple.com/HT206379
• http://lists.apple.com/archives/security-announce/2016/May/msg00006.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1742
• https://nvd.nist.gov/vuln/detail/CVE-2016-1742
• http://www.securitytracker.com/id/1035887