Search
Total
256 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-32930 | 1 Advantech | 1 Iview | 2021-06-23 | 7.5 HIGH | 9.8 CRITICAL |
| The affected product’s configuration is vulnerable due to missing authentication, which may allow an attacker to change configurations and execute arbitrary code on the iView (versions prior to v5.7.03.6182). | |||||
| CVE-2021-23847 | 1 Bosch | 6 Cpp6, Cpp6 Firmware, Cpp7 and 3 more | 2021-06-22 | 6.4 MEDIUM | 9.1 CRITICAL |
| A Missing Authentication in Critical Function in Bosch IP cameras allows an unauthenticated remote attacker to extract sensitive information or change settings of the camera by sending crafted requests to the device. Only devices of the CPP6, CPP7 and CPP7.3 family with firmware 7.70, 7.72, and 7.80 prior to B128 are affected by this vulnerability. Versions 7.62 or lower and INTEOX cameras are not affected. | |||||
| CVE-2020-6207 | 1 Sap | 1 Solution Manager | 2021-06-17 | 10.0 HIGH | 9.8 CRITICAL |
| SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager. | |||||
| CVE-2021-20998 | 1 Wago | 10 0852-0303, 0852-0303 Firmware, 0852-1305 and 7 more | 2021-05-20 | 7.5 HIGH | 9.8 CRITICAL |
| In multiple managed switches by WAGO in different versions without authorization and with specially crafted packets it is possible to create users. | |||||
| CVE-2019-13547 | 1 Advantech | 1 Wise-paas\/rmm | 2021-05-13 | 10.0 HIGH | 9.8 CRITICAL |
| Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. There is an unsecured function that allows anyone who can access the IP address to use the function without authentication. | |||||
| CVE-2020-36333 | 1 Themegrill | 1 Themegrill Demo Importer | 2021-05-11 | 6.4 MEDIUM | 9.1 CRITICAL |
| themegrill-demo-importer before 1.6.2 does not require authentication for wiping the database, because of a reset_wizard_actions hook. | |||||
| CVE-2021-20697 | 1 Dlink | 2 Dap-1880ac, Dap-1880ac Firmware | 2021-05-03 | 7.5 HIGH | 9.8 CRITICAL |
| Missing authentication for critical function in DAP-1880AC firmware version 1.21 and earlier allows a remote attacker to login to the device as an authenticated user without the access privilege via unspecified vectors. | |||||
| CVE-2019-13101 | 1 Dlink | 2 Dir-600m, Dir-600m Firmware | 2021-04-23 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on D-Link DIR-600M 3.02, 3.03, 3.04, and 3.06 devices. wan.htm can be accessed directly without authentication, which can lead to disclosure of information about the WAN, and can also be leveraged by an attacker to modify the data fields of the page. | |||||
| CVE-2021-22652 | 1 Advantech | 1 Iview | 2021-03-26 | 7.5 HIGH | 9.8 CRITICAL |
| Access to the Advantech iView versions prior to v5.7.03.6112 configuration are missing authentication, which may allow an unauthorized attacker to change the configuration and obtain code execution. | |||||
| CVE-2020-28899 | 1 Zyxel | 6 Lte4506-m606, Lte4506-m606 Firmware, Lte7460-m608 and 3 more | 2021-03-22 | 6.4 MEDIUM | 9.1 CRITICAL |
| The Web CGI Script on ZyXEL LTE4506-M606 V1.00(ABDO.2)C0 devices does not require authentication, which allows remote unauthenticated attackers (via crafted JSON action data to /cgi-bin/gui.cgi) to use all features provided by the router. Examples: change the router password, retrieve the Wi-Fi passphrase, send an SMS message, or modify the IP forwarding to access the internal network. | |||||
| CVE-2021-26705 | 1 Squarebox | 1 Catdv | 2021-03-13 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in SquareBox CatDV Server through 9.2. An attacker can invoke sensitive RMI methods such as getConnections without authentication, the results of which can be used to generate valid authentication tokens. These tokens can then be used to invoke administrative tasks within the application, such as disclosing password hashes. | |||||
| CVE-2021-1393 | 1 Cisco | 2 Application Policy Infrastructure Controller, Application Services Engine | 2021-03-02 | 10.0 HIGH | 9.8 CRITICAL |
| Multiple vulnerabilities in Cisco Application Services Engine could allow an unauthenticated, remote attacker to gain privileged access to host-level operations or to learn device-specific information, create diagnostic files, and make limited configuration changes. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2019-12524 | 3 Canonical, Debian, Squid-cache | 3 Ubuntu Linux, Debian Linux, Squid | 2021-02-09 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource. | |||||
| CVE-2020-4958 | 1 Ibm | 1 Security Identity Governance And Intelligence | 2021-01-28 | 7.5 HIGH | 9.8 CRITICAL |
| IBM Security Identity Governance and Intelligence 5.2.6 does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. IBM X-Force ID: 192209. | |||||
| CVE-2020-27285 | 1 Redlion | 1 Crimson | 2021-01-08 | 6.4 MEDIUM | 9.1 CRITICAL |
| The default configuration of Crimson 3.1 (Build versions prior to 3119.001) allows a user to be able to read and modify the database without authentication. | |||||
| CVE-2020-7589 | 1 Siemens | 2 Logo\! 8 Bm, Logo\! 8 Bm Firmware | 2020-12-23 | 6.4 MEDIUM | 9.1 CRITICAL |
| A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions). The vulnerability could lead to an attacker reading and modifying the device configuration and obtain project files from affected devices. The security vulnerability could be exploited by an unauthenticated attacker with network access to port 135/tcp. No user interaction is required to exploit this security vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the device. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2020-29389 | 1 Docker | 1 Crux Linux Docker Image | 2020-12-22 | 10.0 HIGH | 9.8 CRITICAL |
| The official Crux Linux Docker images 3.0 through 3.4 contain a blank password for a root user. System using the Crux Linux Docker container deployed by affected versions of the Docker image may allow an attacker to achieve root access with a blank password. | |||||
| CVE-2020-35197 | 1 Docker | 1 Memcached Docker Image | 2020-12-22 | 10.0 HIGH | 9.8 CRITICAL |
| The official memcached docker images before 1.5.11-alpine (Alpine specific) contain a blank password for a root user. System using the memcached docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35196 | 1 Docker | 1 Rabbitmq Docker Image | 2020-12-22 | 10.0 HIGH | 9.8 CRITICAL |
| The official rabbitmq docker images before 3.7.13-beta.1-management-alpine (Alpine specific) contain a blank password for a root user. System using the rabbitmq docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35193 | 1 Sonarsource | 1 Sonarqube Docker Image | 2020-12-21 | 10.0 HIGH | 9.8 CRITICAL |
| The official sonarqube docker images before alpine (Alpine specific) contain a blank password for a root user. System using the sonarqube docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35195 | 1 Docker | 1 Haproxy Docker Image | 2020-12-21 | 10.0 HIGH | 9.8 CRITICAL |
| The official haproxy docker images before 1.8.18-alpine (Alpine specific) contain a blank password for a root user. System using the haproxy docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35185 | 1 Docker | 1 Ghost Alpine Docker Image | 2020-12-18 | 10.0 HIGH | 9.8 CRITICAL |
| The official ghost docker images before 2.16.1-alpine (Alpine specific) contain a blank password for a root user. System using the ghost docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35189 | 1 Kong | 1 Kong Alpine Docker Image | 2020-12-18 | 10.0 HIGH | 9.8 CRITICAL |
| The official kong docker images before 1.0.2-alpine (Alpine specific) contain a blank password for a root user. System using the kong docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35190 | 1 Plone | 1 Plone | 2020-12-18 | 10.0 HIGH | 9.8 CRITICAL |
| The official plone Docker images before version of 4.3.18-alpine (Alpine specific) contain a blank password for a root user. System using the plone docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35191 | 1 Drupal | 1 Drupal Docker Images | 2020-12-18 | 10.0 HIGH | 9.8 CRITICAL |
| The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user. System using the drupal docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35192 | 1 Hashicorp | 1 Vault | 2020-12-18 | 10.0 HIGH | 9.8 CRITICAL |
| The official vault docker images before 0.11.6 contain a blank password for a root user. System using the vault docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35467 | 1 Docker | 1 Docs | 2020-12-18 | 10.0 HIGH | 9.8 CRITICAL |
| The Docker Docs Docker image through 2020-12-14 contains a blank password for the root user. Systems deployed using affected versions of the Docker Docs container may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35468 | 1 Appbase | 1 Streams | 2020-12-17 | 10.0 HIGH | 9.8 CRITICAL |
| The Appbase streams Docker image 2.1.2 contains a blank password for the root user. Systems deployed using affected versions of the streams container may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35469 | 1 Softwareag | 1 Terracotta Server Oss | 2020-12-17 | 10.0 HIGH | 9.8 CRITICAL |
| The Software AG Terracotta Server OSS Docker image 5.4.1 contains a blank password for the root user. Systems deployed using affected versions of the Terracotta Server OSS container may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35466 | 1 Blackfire | 1 Blackfire | 2020-12-17 | 10.0 HIGH | 9.8 CRITICAL |
| The Blackfire Docker image through 2020-12-14 contains a blank password for the root user. Systems deployed using affected versions of the Blackfire container may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35465 | 1 Fullarmor | 1 Hapi File Share Mount | 2020-12-17 | 10.0 HIGH | 9.8 CRITICAL |
| The FullArmor HAPI File Share Mount Docker image through 2020-12-14 contains a blank password for the root user. Systems deployed using affected versions of the FullArmor HAPI File Share Mount container may allow the remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35464 | 1 Weave | 1 Cloud Agent | 2020-12-17 | 10.0 HIGH | 9.8 CRITICAL |
| Version 1.3.0 of the Weave Cloud Agent Docker image contains a blank password for the root user. Systems deployed using affected versions of the Weave Cloud Agent container may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35462 | 1 Coscale Agent Project | 1 Coscale Agent | 2020-12-17 | 10.0 HIGH | 9.8 CRITICAL |
| Version 3.16.0 of the CoScale agent Docker image contains a blank password for the root user. Systems deployed using affected versions of the CoScale agent container may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35187 | 1 Influxdata | 1 Telegraf | 2020-12-17 | 10.0 HIGH | 9.8 CRITICAL |
| The official telegraf docker images before 1.9.4-alpine (Alpine specific) contain a blank password for a root user. System using the telegraf docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35186 | 1 Docker | 1 Adminer | 2020-12-17 | 10.0 HIGH | 9.8 CRITICAL |
| The official adminer docker images before 4.7.0-fastcgi contain a blank password for a root user. System using the adminer docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35463 | 1 Instana | 1 Dynamic Apm | 2020-12-17 | 10.0 HIGH | 9.8 CRITICAL |
| Version 1.0.0 of the Instana Dynamic APM Docker image contains a blank password for the root user. Systems deployed using affected versions of the Instana Dynamic APM container may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-25228 | 1 Siemens | 2 Logo\! 8 Bm, Logo\! 8 Bm Firmware | 2020-12-16 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). A service available on port 10005/tcp of the affected devices could allow complete access to all services without authorization. An attacker could gain full control over an affected device, if he has access to this service. The system manual recommends to protect access to this port. | |||||
| CVE-2020-7540 | 1 Schneider-electric | 46 140cpu65150, 140cpu65150 Firmware, 140cpu65160 and 43 more | 2020-12-14 | 7.5 HIGH | 9.8 CRITICAL |
| A CWE-306: Missing Authentication for Critical Function vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause unauthenticated command execution in the controller when sending special HTTP requests. | |||||
| CVE-2020-3531 | 1 Cisco | 1 Iot Field Network Director | 2020-12-02 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability in the REST API of Cisco IoT Field Network Director (FND) could allow an unauthenticated, remote attacker to access the back-end database of an affected system. The vulnerability exists because the affected software does not properly authenticate REST API calls. An attacker could exploit this vulnerability by obtaining a cross-site request forgery (CSRF) token and then using the token with REST API requests. A successful exploit could allow the attacker to access the back-end database of the affected device and read, alter, or drop information. | |||||
| CVE-2020-10282 | 1 Dronecode | 1 Micro Air Vehicle Link | 2020-10-23 | 7.5 HIGH | 9.8 CRITICAL |
| The Micro Air Vehicle Link (MAVLink) protocol presents no authentication mechanism on its version 1.0 (nor authorization) whichs leads to a variety of attacks including identity spoofing, unauthorized access, PITM attacks and more. According to literature, version 2.0 optionally allows for package signing which mitigates this flaw. Another source mentions that MAVLink 2.0 only provides a simple authentication system based on HMAC. This implies that the flying system overall should add the same symmetric key into all devices of network. If not the case, this may cause a security issue, that if one of the devices and its symmetric key are compromised, the whole authentication system is not reliable. | |||||
| CVE-2019-15068 | 1 Gigastone | 2 Smart Battery A4, Smart Battery A4 Firmware | 2020-10-16 | 10.0 HIGH | 9.8 CRITICAL |
| A broken access control vulnerability in Smart Battery A4, a multifunctional portable charger, firmware version ?<= r1.7.9 allows an attacker to get/reset administrator’s password without any authentication. | |||||
| CVE-2019-3899 | 2 Heketi Project, Redhat | 2 Heketi, Openshift Container Platform | 2020-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse. This isue only affects heketi as shipped with Openshift Container Platform 3.11. | |||||
| CVE-2019-10950 | 1 Fujifilm | 6 Cr-ir 357 Fcr Capsula X, Cr-ir 357 Fcr Capsula X Firmware, Cr-ir 357 Fcr Carbon X and 3 more | 2020-10-02 | 10.0 HIGH | 9.8 CRITICAL |
| Fujifilm FCR Capsula X/ Carbon X/ FCR XC-2, model versions CR-IR 357 FCR Carbon X, CR-IR 357 FCR XC-2, FCR-IR 357 FCR Capsula X provide insecure telnet services that lack authentication requirements. An attacker who successfully exploits this vulnerability may be able to access the underlying operating system. | |||||
| CVE-2018-0127 | 1 Cisco | 4 Rv132w, Rv132w Firmware, Rv134w and 1 more | 2020-09-04 | 5.0 MEDIUM | 9.8 CRITICAL |
| A vulnerability in the web interface of Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an unauthenticated, remote attacker to view configuration parameters for an affected device, which could lead to the disclosure of confidential information. The vulnerability is due to the absence of user authentication requirements for certain pages that are part of the web interface and contain confidential information for an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device and examining the HTTP response to the request. A successful exploit could allow the attacker to view configuration parameters, including the administrator password, for the affected device. Cisco Bug IDs: CSCvg92739, CSCvh60172. | |||||
| CVE-2020-6294 | 2 Opengroup, Sap | 2 Unix, Businessobjects Business Intelligence Platform | 2020-09-02 | 6.4 MEDIUM | 9.1 CRITICAL |
| Xvfb of SAP Business Objects Business Intelligence Platform, versions - 4.2, 4.3, platform on Unix does not perform any authentication checks for functionalities that require user identity. | |||||
| CVE-2020-16167 | 1 Robotemi | 1 Launcher Os | 2020-09-02 | 6.4 MEDIUM | 9.1 CRITICAL |
| Missing Authentication for Critical Function in temi Robox OS prior to 120, temi Android app up to 1.3.7931 allows remote attackers to receive and answer calls intended for another temi user. Answering the call this way grants motor control of the temi in addition to audio/video via unspecified vectors. | |||||
| CVE-2019-15819 | 1 Restaurant Reservations Project | 1 Restaurant Reservations | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| The nd-restaurant-reservations plugin before 1.5 for WordPress has no requirement for nd_rst_import_settings_php_function authentication. | |||||
| CVE-2018-13114 | 1 Keruigroup | 2 Ypc99, Ypc99 Firmware | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Missing authentication and improper input validation in KERUI Wifi Endoscope Camera (YPC99) allow an attacker to execute arbitrary commands (with a length limit of 19 characters) via the "ssid" value, as demonstrated by ssid:;ping 192.168.1.2 in the body of a SETSSID command. | |||||
| CVE-2018-19248 | 1 Epson | 2 Epson Workforce Wf-2861, Epson Workforce Wf-2861 Firmware | 2020-08-24 | 6.4 MEDIUM | 9.1 CRITICAL |
| The web service on Epson WorkForce WF-2861 10.48 LQ22I3(Recovery-mode), WF-2861 10.51.LQ20I6, and WF-2861 10.52.LQ17IA devices allows remote attackers to upload a firmware file and reset the printer without authentication by making a request to the /DOWN/FIRMWAREUPDATE/ROM1 URI and a POST request to the /FIRMWAREUPDATE URI. | |||||
| CVE-2018-6223 | 1 Trendmicro | 1 Email Encryption Gateway | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| A missing authentication for appliance registration vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to manipulate the registration process of the product to reset configuration parameters. | |||||