
CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Jan 2024 — Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0. • https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425 • CWE-326: Inadequate Encryption Strength • CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

04 Jan 2024 — Improper access control vulnerability in Samsung DeX prior to SMR Jan-2024 Release 1 allows the owner to access other users' notifications in a multi-user environment. • https://security.samsungmobile.com/securityUpdate.smsb?year=2024&month=01

CVSS: 6.1 • EPSS: 0% • CPEs: 3 • EXPL: 0

09 Oct 2009 — Cross-site scripting (XSS) vulnerability in Dex 5.x-1.0 and earlier and 6.x-1.0-rc1 and earlier, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. • http://drupal.org/node/592394 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')