App Security Vulnerabilities

CVE-2021-44209

OX App Suite through 7.10.5 allows XSS via an HTML 5 element such as...

CVE-2021-44210

OX App Suite through 7.10.5 allows XSS via NIFF (Notation Interchange File Format)...

CVE-2022-22951

VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x prior to 8.6.6, 8.7.x prior to 8.7.4 and 8.8.x prior to 8.8.2) contains an OS command injection vulnerability. An authenticated, high privileged malicious actor with network access to the VMware App Control administration interface may.....

CVE-2022-22952

VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x prior to 8.6.6, 8.7.x prior to 8.7.4 and 8.8.x prior to 8.8.2) contains a file upload vulnerability. A malicious actor with administrative access to the VMware App Control administration interface may be able to execute code on the...

CVE-2022-0017

An improper link resolution before file access ('link following') vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows that enables a local attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges under certain circumstances. This...

CVE-2022-0021

An information exposure through log file vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows that logs the cleartext credentials of the connecting GlobalProtect user when authenticating using Connect Before Logon feature. This issue impacts GlobalProtect App 5.2 versions...

CVE-2022-0019

An insufficiently protected credentials vulnerability exists in the Palo Alto Networks GlobalProtect app on Linux that exposes the hashed credentials of GlobalProtect users that saved their password during previous GlobalProtect app sessions to other local users on the system. The exposed...

CVE-2022-0016

An improper handling of exceptional conditions vulnerability exists within the Connect Before Logon feature of the Palo Alto Networks GlobalProtect app that enables a local attacker to escalate to SYSTEM or root privileges when authenticating with Connect Before Logon under certain circumstances......

CVE-2022-0018

An information exposure vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows and MacOS where the credentials of the local user account are sent to the GlobalProtect portal when the Single Sign-On feature is enabled in the GlobalProtect portal configuration. This product...

CVE-2022-21825

An Improper Access Control vulnerability exists in Citrix Workspace App for Linux 2012 - 2111 with App Protection installed that can allow an attacker to perform local privilege...

CVE-2021-44900

Micro-Star International (MSI) App Player <= 4.280.1.6309 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the NTIOLib_X64.sys and BstkDrv_msi2.sys drivers components. All the vulnerabilities are triggered by sending specific IOCTL...

CVE-2022-0131

Jimoty App for Android versions prior to 3.7.42 uses a hard-coded API key for an external service. By exploiting this vulnerability, API key for an external service may be obtained by analyzing data in the...

CVE-2021-43905

Microsoft Office app Remote Code Execution...

CVE-2021-43890

We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader. An attacker...

CVE-2021-44043

An issue was discovered in UiPath App Studio 21.4.4. There is a persistent XSS vulnerability in the file-upload functionality for uploading icons when attempting to create new Apps. An attacker with minimal privileges in the application can build their own App and upload a malicious file...

CVE-2020-16154

The App::cpanminus package 1.7044 for Perl allows Signature Verification...

CVE-2021-20835

Improper authorization in handler for custom URL scheme vulnerability in Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary...

CVE-2021-33491

OX App Suite through 7.10.5 allows Directory Traversal via ../ in an OOXML or ODF ZIP archive, because of the mishandling of relative paths in mail addresses in conjunction with auto-configuration DNS...

CVE-2021-33495

OX App Suite 7.10.5 allows XSS via an OX Chat system...

CVE-2021-33493

The middleware component in OX App Suite through 7.10.5 allows Code Injection via Java classes in a YAML...

CVE-2021-38378

OX App Suite 7.10.5 allows Information Exposure because a caching mechanism can caused a Modified By response to show a person's...

CVE-2021-38377

OX App Suite through 7.10.5 allows XSS via JavaScript code in an anchor HTML comment within truncated e-mail, because there is a predictable UUID with HTML transformation...

CVE-2021-33492

OX App Suite 7.10.5 allows XSS via an OX Chat room...

CVE-2021-33494

OX App Suite 7.10.5 allows XSS via an OX Chat room title during typing...

CVE-2021-38374

OX App Suite through through 7.10.5 allows XSS via a crafted snippet that has an app loader reference within an app loader...

CVE-2021-38375

OX App Suite through 7.10.5 allows XSS via the alt attribute of an IMG element in a truncated e-mail...

CVE-2021-38376

OX App Suite through 7.10.5 has Incorrect Access Control for retrieval of session information via the rampup action of the login API...

CVE-2021-33488

chat in OX App Suite 7.10.5 has Improper Input Validation. A user can be redirected to a rogue OX Chat server via a development-related...

CVE-2021-33490

OX App Suite through 7.10.5 allows XSS via a crafted snippet in a shared mail...

CVE-2021-33489

OX App Suite through 7.10.5 allows XSS via JavaScript code in a shared XCF...

CVE-2021-41278

Functions SDK for EdgeX is meant to provide all the plumbing necessary for developers to get started in processing/transforming/exporting data out of the EdgeX IoT platform. In affected versions broken encryption in app-functions-sdk “AES” transform in EdgeX Foundry releases prior to Jakarta...

CVE-2021-40520

Airangel HSMX Gateway devices through 5.2.04 have Weak SSH...

CVE-2021-40517

Airangel HSMX Gateway devices through 5.2.04 is vulnerable to stored Cross Site Scripting. XSS Payload is placed in the name column of the updates table using database...

CVE-2021-40521

Airangel HSMX Gateway devices through 5.2.04 allow Remote Code...

CVE-2021-40519

Airangel HSMX Gateway devices through 5.2.04 have Hard-coded Database...

CVE-2021-40518

Airangel HSMX Gateway devices through 5.2.04 allow...

CVE-2021-3440

HP Print and Scan Doctor, an application within the HP Smart App for Windows, is potentially vulnerable to local elevation of...

CVE-2021-41747

Cross-Site Scripting (XSS) vulnerability exists in Csdn APP 4.10.0, which can be exploited by attackers to obtain sensitive information such as user...

CVE-2021-22034

Releases prior to VMware vRealize Operations Tenant App 8.6 contain an Information Disclosure...

CVE-2021-3057

A stack-based buffer overflow vulnerability exists in the Palo Alto Networks GlobalProtect app that enables a man-in-the-middle attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges. This issue impacts: GlobalProtect app 5.1 versions earlier than...

CVE-2021-20834

Improper authorization in handler for custom URL scheme vulnerability in Nike App for Android versions prior to 2.177 and Nike App for iOS versions prior to 2.177.1 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable...

CVE-2021-20833

The SNKRDUNK Market Place App for iOS versions prior to 2.2.0 does not verify server certificate properly, which allows man-in-the-middle attackers to eavesdrop on and/or alter encrypted communication via a crafted...

CVE-2021-20832

InBody App for iOS versions prior to 2.3.30 and InBody App for Android versions prior to 2.2.90(510) contain a vulnerability which may lead to information disclosure only when it works with the body composition analyzer InBody Dial. This may allow an attacker who can connect to the InBody Dial...

CVE-2021-29906

IBM App Connect Enterprise Certified Container 1.0, 1.1, 1.2, 1.3, 1.4 and 1.5 could disclose sensitive information to a local user when it is configured to use an IBM Cloud API key to connect to cloud-based connectors. IBM X-Force ID:...

CVE-2021-41647

An un-authenticated error-based and time-based blind SQL injection vulnerability exists in Kaushik Jadhav Online Food Ordering Web App 1.0. An attacker can exploit the vulnerable "username" parameter in login.php and retrieve sensitive database information, as well as add an administrative...

CVE-2021-21742

There is an information leak vulnerability in the message service app of a ZTE mobile phone. Due to improper parameter settings, attackers could use this vulnerability to obtain some sensitive information of users by accessing specific...

CVE-2020-14130

Some js interfaces in the Xiaomi community were exposed, causing sensitive functions to be maliciously called on Xiaomi community app Affected Version...

CVE-2021-23050

On BIG-IP Advanced WAF and BIG-IP ASM version 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3 and NGINX App Protect on all versions before 3.5.0, when a cross-site request forgery (CSRF)-enabled policy is configured on a virtual server, an undisclosed HTML response may cause the bd process to...

CVE-2020-27940

This issue was addressed with improved file handling. This issue is fixed in Apple TV app for Fire OS 6.1.0.6A142:7.1.0. An attacker with file system access may modify scripts used by the...

CVE-2021-38753

An unrestricted file upload on Simple Image Gallery Web App can be exploited to upload a web shell and executed to gain unauthorized access to the server hosting the web...