Client Security Vulnerabilities

CVE-2021-26735

The Zscaler Client Connector Installer and Unsintallers for Windows prior to 3.6 had an unquoted search path vulnerability. A local adversary may be able to execute code with SYSTEM...

CVE-2021-26734

Zscaler Client Connector Installer on Windows before version 3.4.0.124 improperly handled directory junctions during uninstallation. A local adversary may be able to delete folders in an elevated...

CVE-2021-26737

The Zscaler Client Connector for macOS prior to 3.6 did not sufficiently validate RPC clients. A local adversary without sufficient privileges may be able to shutdown the Zscaler tunnel by exploiting a race...

CVE-2021-26736

Multiple vulnerabilities in the Zscaler Client Connector Installer and Uninstaller for Windows prior to 3.6 allowed execution of binaries from a low privileged path. A local adversary may be able to execute code with SYSTEM...

CVE-2023-5554

Lack of TLS certificate verification in log transmission of a financial module within LINE Client for iOS prior to...

CVE-2023-44689

e-Gov Client Application (Windows version) versions prior to 2.1.1.0 and e-Gov Client Application (macOS version) versions prior to 1.1.1.0 are vulnerable to improper authorization in handler for custom URL scheme. A crafted URL may direct the product to access an arbitrary website. As a result,...

CVE-2023-30801

All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and.....

CVE-2023-5450

An insufficient verification of data vulnerability exists in BIG-IP Edge Client Installer on macOS that may allow an attacker elevation of privileges during the installation process. Note: Software versions which have reached End of Technical Support (EoTS) are not...

CVE-2023-43611

The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process. This vulnerability is due to an incomplete fix for CVE-2023-38418. Note: Software versions which have reached End of Technical Support (EoTS) are not...

CVE-2023-40310

SAP PowerDesigner Client - version 16.7, does not sufficiently validate BPMN2 XML document imported from an untrusted source. As a result, URLs of external entities in BPMN2 file, although not used, would be accessed during import. A successful attack could impact availability of SAP...

CVE-2023-35897

IBM Spectrum Protect Client and IBM Storage Protect for Virtual Environments 8.1.0.0 through 8.1.19.0 could allow a local user to execute arbitrary code on the system using a specially crafted file, caused by a DLL hijacking flaw. IBM X-Force ID: ...

CVE-2023-45160

In the affected version of the 1E Client, an ordinary user could subvert downloaded instruction resource files, e.g., to substitute a harmful script. by replacing a resource script file created by an instruction at run time with a malicious script. The 1E Client's temporary directory is now locked....

CVE-2023-45159

1E Client installer can perform arbitrary file deletion on protected files. A non-privileged user could provide a symbolic link or Windows junction to point to a protected directory in the installer that the 1E Client would then clear on service startup. A hotfix is available from the 1E...

CVE-2023-43125

BIG-IP APM clients may send IP traffic outside of the VPN tunnel. Note: Software versions which have reached End of Technical Support (EoTS) are not...

CVE-2023-43124

BIG-IP APM clients may send IP traffic outside of the VPN tunnel. Note: Software versions which have reached End of Technical Support (EoTS) are not...

CVE-2023-40368

IBM Storage Protect 8.1.0.0 through 8.1.19.0 could allow a privileged user to obtain sensitive information from the administrative command line client. IBM X-Force ID: ...

CVE-2023-3892

Improper Restriction of XML External Entity Reference vulnerability in MIM Assistant and Client DICOM RTst Loading modules allows XML Entity Linking / XML External Entities Blowup. In order to take advantage of this vulnerability, an attacker must craft a malicious XML document, embed this...

CVE-2023-39208

Improper input validation in Zoom Desktop Client for Linux before version 5.15.10 may allow an unauthenticated user to conduct a denial of service via network...

CVE-2023-28831

The OPC UA implementations (ANSI C and C++) in affected products contain an integer overflow vulnerability that could cause the application to run into an infinite loop during certificate validation. This could allow an unauthenticated remote attacker to create a denial of service condition by...

CVE-2023-40621

SAP PowerDesigner Client - version 16.7, allows an unauthenticated attacker to inject VBScript code in a document and have it opened by an unsuspecting user, to have it executed by the application on behalf of the user. The application has a security option to disable or prompt users before...

CVE-2023-4104

An invalid Polkit Authentication check and missing authentication requirements for D-Bus methods allowed any local user to configure arbitrary VPN setups. This bug only affects Mozilla VPN on Linux. Other operating systems are unaffected. This vulnerability affects Mozilla VPN client for Linux <...

CVE-2022-27599

An insertion of sensitive information into Log file vulnerability has been reported to affect product. If exploited, the vulnerability possibly provides local authenticated administrators with an additional, less-protected path to acquiring the information via unspecified vectors. We have already.....

CVE-2023-3747

Zero Trust Administrators have the ability to disallow end users from disabling WARP on their devices. Override codes can also be created by the Administrators to allow a device to temporarily be disconnected from WARP, however, due to lack of server side validation, an attacker with local access.....

CVE-2023-39938

Reflected cross-site scripting vulnerability in VI Web Client prior to 7.9.6 allows a remote unauthenticated attacker to inject an arbitrary...

CVE-2023-40535

Stored cross-site scripting vulnerability in View setting page of VI Web Client prior to 7.9.6 allows a remote authenticated attacker to inject an arbitrary...

CVE-2023-40705

Stored cross-site scripting vulnerability in Map setting page of VI Web Client prior to 7.9.6 allows a remote authenticated attacker to inject an arbitrary...

CVE-2023-38574

Open redirect vulnerability in VI Web Client prior to 7.9.6 allows a remote unauthenticated attacker to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted...

CVE-2023-41049

@dcl/single-sign-on-client is an open source npm library which deals with single sign on authentication flows. Improper input validation in the init function allows arbitrary javascript to be executed using the javascript: prefix. This vulnerability has been patched on version 0.1.0. Users are...

CVE-2023-0654

Due to a misconfiguration, the WARP Mobile Client (< 6.29) for Android was susceptible to a tapjacking attack. In the event that an attacker built a malicious application and managed to install it on a victim's device, the attacker would be able to trick the user into believing that the app show...

CVE-2023-0238

Due to lack of a security policy, the WARP Mobile Client (<=6.29) for Android was susceptible to this vulnerability which allowed a malicious app installed on a victim's device to exploit a peculiarity in an Android function, wherein under certain conditions, the malicious app could dictate the....

CVE-2023-3078

An uncontrolled search path vulnerability was reported in the Lenovo Universal Device Client (UDC) that could allow an attacker with local access to execute code with elevated...

CVE-2023-39250

Dell Storage Integration Tools for VMware (DSITV) and Dell Storage vSphere Client Plugin (DSVCP) versions prior to 6.1.1 and Replay Manager for VMware (RMSV) versions prior to 3.1.2 contain an information disclosure vulnerability. A local low-privileged malicious user could potentially exploit...

CVE-2023-2916

The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration......

CVE-2022-44629

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Catalyst Connect Catalyst Connect Zoho CRM Client Portal plugin <= 2.0.0...

CVE-2023-39211

Improper privilege management in Zoom Desktop Client for Windows and Zoom Rooms for Windows before 5.15.5 may allow an authenticated user to enable an information disclosure via local...

CVE-2023-39210

Cleartext storage of sensitive information in Zoom Client SDK for Windows before 5.15.0 may allow an authenticated user to enable an information disclosure via local...

CVE-2023-39213

Improper neutralization of special elements in Zoom Desktop Client for Windows and Zoom VDI Client before 5.15.2 may allow an unauthenticated user to enable an escalation of privilege via network...

CVE-2023-39209

Improper input validation in Zoom Desktop Client for Windows before 5.15.5 may allow an authenticated user to enable an information disclosure via network...

CVE-2023-39216

Improper input validation in Zoom Desktop Client for Windows before 5.14.7 may allow an unauthenticated user to enable an escalation of privilege via network...

CVE-2023-36541

Insufficient verification of data authenticity in Zoom Desktop Client for Windows before 5.14.5 may allow an authenticated user to enable an escalation of privilege via network...

CVE-2023-36540

Untrusted search path in the installer for Zoom Desktop Client for Windows before 5.14.5 may allow an authenticated user to enable an escalation of privilege via local...

CVE-2023-36534

Path traversal in Zoom Desktop Client for Windows before 5.14.7 may allow an unauthenticated user to enable an escalation of privilege via network...

CVE-2023-3569

In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions prior to 2.07.2 as well as CLOUD CLIENT 1101T-TX/TX prior to 2.06.10 an authenticated remote attacker with admin privileges could upload a crafted XML file which causes a...

CVE-2023-3526

In PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT in versions prior to 2.07.2 as well as CLOUD CLIENT 1101T-TX/TX prior to 2.06.10 an unauthenticated remote attacker could use a reflective XSS within the license viewer page of the devices in order to execute code in the context of the user's...

CVE-2023-36480

The Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Prior to versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 some of the messages received from the server contain Java objects that the client deserializes when it encounters them...

CVE-2023-38418

The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process. Note: Software versions which have reached End of Technical Support (EoTS) are not...

CVE-2023-36858

An insufficient verification of data vulnerability exists in BIG-IP Edge Client for Windows and macOS that may allow an attacker to modify its configured server list. Note: Software versions which have reached End of Technical Support (EoTS) are not...

CVE-2023-32476

Dell Hybrid Client version 2.0 contains a Sensitive Data Exposure vulnerability. An unauthenticated malicious user on the device can access hard coded secrets in javascript...

CVE-2022-34155

Improper Authentication vulnerability in miniOrange OAuth Single Sign On – SSO (OAuth Client) plugin allows Authentication Bypass.This issue affects OAuth Single Sign On – SSO (OAuth Client): from n/a through...

CVE-2023-24492

A vulnerability has been discovered in the Citrix Secure Access client for Ubuntu which, if exploited, could allow an attacker to remotely execute code if a victim user opens an attacker-crafted link and accepts further...