CVE-IDs Achievements

In the name of Allah, the Most Gracious, the Most Merciful.


CVE-2020-15816 – WD Discovery for macOS

Description: A malicious application running with standard user permissions could potentially execute code in the application’s process through library injection by using DYLD environment variables. Any sensitive resources that may be accessed via the application may be stolen.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15816
https://nvd.nist.gov/vuln/detail/CVE-2020-15816
https://www.westerndigital.com/support/productsecurity/wdc-20005-wd-discovery-remote-command-execution-vulnerability


CVE-2019-18654 – AVG AntiVirus (Desktop) for Windows

Description: A Cross Site Scripting (XSS) issue exists in AVG AntiVirus (Free, Internet Security, and Premiere Edition) 19.3.2369 build 19.3.4241.440 in the Network Notification Popup, allowing an attacker to execute JavaScript code via an SSID Name.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18654
https://nvd.nist.gov/vuln/detail/CVE-2019-18654
https://medium.com/@YoKoKho/5-000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop-1e99375f0968
http://firstsight.me/2019/10/5000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop/


CVE-2019-18653 – Avast AntiVirus (Desktop) for Windows

Description: A Cross Site Scripting (XSS) issue exists in Avast AntiVirus (Free, Internet Security, and Premiere Edition) 19.3.2369 build 19.3.4241.440 in the Network Notification Popup, allowing an attacker to execute JavaScript code via an SSID Name.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18653
https://nvd.nist.gov/vuln/detail/CVE-2019-18653
https://medium.com/@YoKoKho/5-000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop-1e99375f0968
http://firstsight.me/2019/10/5000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop/


CVE-2019-18624 – Opera Mini for Android

Description: Illegal rendered at download feature in Opera Mini for Android version 44.1.2254.142553 that could lead to extension manipulation.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18624
https://nvd.nist.gov/vuln/detail/CVE-2019-18624
https://medium.com/@YoKoKho/illegal-rendered-at-download-feature-in-opera-mini-that-lead-to-extension-manipulation-with-rtlo-685bf2d77d51
http://firstsight.me/2019/10/illegal-rendered-at-download-feature-in-several-apps-including-opera-mini-that-lead-to-extension-manipulation-with-rtlo/


CVE-2019-9700 – Norton Password Manager for Android

Description: Norton Password Manager, prior to 6.3.0.2082, may be susceptible to an address spoofing issue. This type of issue may allow an attacker to disguise their origin IP address in order to obfuscate the source of network traffic.

References:
https://support.symantec.com/us/en/article.SYMSA1483.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9700
https://nvd.nist.gov/vuln/detail/CVE-2019-9700
https://www.securityfocus.com/bid/108676


CVE-2018-18365 – Norton Password Manager for Android

Description: Norton Password Manager may be susceptible to an address spoofing issue. This type of issue may allow an attacker to disguise their origin IP address in order to obfuscate the source of network traffic.

References:
https://support.symantec.com/us/en/article.symsa1475.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18365
https://nvd.nist.gov/vuln/detail/CVE-2018-18365
https://www.securityfocus.com/bid/106953


CVE-2018-18330 – Trend Micro Dr. Safety for Android (Consumer)

Description: An Address Bar Spoofing vulnerability in Trend Micro Dr. Safety for Android (Consumer) versions 3.0.1324 and below could allow an attacker to potentially trick a victim into visiting a malicious URL using address bar spoofing on the Private Browser of the app on vulnerable installations.

References:
https://helpcenter.trendmicro.com/en-us/article/TMKA-20514
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18330
https://nvd.nist.gov/vuln/detail/CVE-2018-18330


CVE-2018-6682 – McAfee True Key Android

Description: Address bar spoofing exposure in McAfee True Key (TK) 4.0.0.0 and earlier allows local users to expose confidential data via a crafted web site.

References:
https://service.mcafee.com/webcenter/portal/cp/home/articleview?articleId=TS102825
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6682
https://nvd.nist.gov/vuln/detail/CVE-2018-6682


CVE-2018-4188 – Apple (Webkit for Safari at OS X, iOS, tvOS, iCloud for Windows, and iTunes for Windows)

Description: An issue was discovered in certain Apple products:
• iOS before 11.4 is affected.
• Safari before 11.1.1 is affected.
• iCloud before 7.5 on Windows is affected.
• iTunes before 12.7.5 on Windows is affected.
• tvOS before 11.4 is affected.
The issue involves the “WebKit” component. It allows remote attackers to spoof the address bar via a crafted web site.

References:
https://support.apple.com/HT208848
https://support.apple.com/HT208850
https://support.apple.com/HT208852
https://support.apple.com/HT208853
https://support.apple.com/HT208854
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4188
https://nvd.nist.gov/vuln/detail/CVE-2018-4188
http://www.securitytracker.com/id/1041029


CVE-2018-4870 – Samsung Internet Browser for Android

Description: An Address Bar Spoofing vulnerability in Samsung Internet Browser versions 6.2.00.31 and below could allow an attacker to potentially trick a victim into visiting a malicious URL using address bar spoofing on.

Reference: Not yet released. Still a private CVE Information.


CVE-2018-4869 – Samsung Internet Browser for Android

Description: An Address Bar Spoofing vulnerability in Samsung Internet Browser versions 6.2.00.8 and below could allow an attacker to potentially trick a victim into visiting a malicious URL using address bar spoofing on.

Reference: Not yet released. Still a private CVE Information.
But the general description about this issue could be seen at: https://www.youtube.com/watch?v=02LoePAi9jk


CVE-2017-17945 – ASUS HiVivo for Android

Description: The ASUS HiVivo application before 5.6.27 for Android has Missing SSL Certificate Validation.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17945
https://nvd.nist.gov/vuln/detail/CVE-2017-17945


CVE-2017-17944 – ASUS Vivobaby for Android

Description: The ASUS Vivobaby application before 1.1.09 for Android has Missing SSL Certificate Validation.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17944
https://nvd.nist.gov/vuln/detail/CVE-2017-17944


CVE-2016-9468 – Nextcloud and ownCloud Server

Description: Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9468
https://nvd.nist.gov/vuln/detail/CVE-2016-9468
https://nextcloud.com/security/advisory/?id=nc-sa-2016-011
https://owncloud.org/security/advisory/?id=oc-sa-2016-021
https://github.com/nextcloud/server/commit/7350e13113c8ed484727a5c25331ec11d4d59f5f
https://github.com/nextcloud/server/commit/a4cfb3ddc1f4cdb585e05c0e9b2f8e52a0e2ee3e
https://github.com/owncloud/core/commit/96b8afe48570bc70088ccd8f897e9d71997d336e
https://github.com/owncloud/core/commit/bcc6c39ad8c22a00323a114e9c1a0a834983fb35


CVE-2016-4157 – Adobe Creative Cloud Desktop Application for Windows

Description: Untrusted search path vulnerability in the installer in Adobe Creative Cloud Desktop Application before 3.7.0.272 on Windows allows local users to gain privileges via a Trojan horse resource in an unspecified directory.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4157
https://nvd.nist.gov/vuln/detail/CVE-2016-4157
https://helpx.adobe.com/security/products/creative-cloud/apsb16-21.html


CVE-2016-1742 – Apple iTunes Desktop Application for Windows

Description: Untrusted search path vulnerability in the installer in Apple iTunes before 12.4 allows local users to gain privileges via a Trojan horse DLL in the current working directory.

References:
https://support.apple.com/HT206379
http://lists.apple.com/archives/security-announce/2016/May/msg00006.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1742
https://nvd.nist.gov/vuln/detail/CVE-2016-1742
http://www.securitytracker.com/id/1035887

Share

You may also like...