Search
Total
256 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-16879 | 1 Mysyngeryss | 2 Husky Rtu 6049-e70, Husky Rtu 6049-e70 Firmware | 2020-04-14 | 7.5 HIGH | 9.8 CRITICAL |
| The Synergy Systems & Solutions (SSS) HUSKY RTU 6049-E70, with firmware Versions 5.0 and prior, has a Missing Authentication for Critical Function (CWE-306) vulnerability. The affected product does not require authentication for TELNET access, which may allow an attacker to change configuration or perform other malicious activities. | |||||
| CVE-2020-10625 | 1 Advantech | 1 Webaccess\/nms | 2020-04-10 | 7.5 HIGH | 9.8 CRITICAL |
| WebAccess/NMS (versions prior to 3.0.2) allows an unauthenticated remote user to create a new admin account. | |||||
| CVE-2020-10265 | 1 Universal-robots | 7 Ur10, Ur10e, Ur3 and 4 more | 2020-04-06 | 9.0 HIGH | 9.4 CRITICAL |
| Universal Robots Robot Controllers Version CB2 SW Version 1.4 upwards, CB3 SW Version 3.0 and upwards, e-series SW Version 5.0 and upwards expose a service called DashBoard server at port 29999 that allows for control over core robot functions like starting/stopping programs, shutdown, reset safety and more. The DashBoard server is not protected by any kind of authentication or authorization. | |||||
| CVE-2019-12125 | 1 Onap | 1 Open Network Automation Platform | 2020-03-20 | 7.5 HIGH | 9.8 CRITICAL |
| In ONAP Logging through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. All ONAP Operations Manager (OOM) setups are affected. | |||||
| CVE-2019-12126 | 1 Onap | 1 Open Network Automation Platform | 2020-03-20 | 7.5 HIGH | 9.8 CRITICAL |
| In ONAP DCAE through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. All ONAP Operations Manager (OOM) setups are affected. | |||||
| CVE-2019-12127 | 1 Onap | 1 Open Network Automation Platform | 2020-03-20 | 7.5 HIGH | 9.8 CRITICAL |
| In ONAP OOM through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. All ONAP Operations Manager (OOM) setups are affected. | |||||
| CVE-2020-5328 | 1 Dell | 1 Emc Isilon Onefs | 2020-03-09 | 10.0 HIGH | 9.8 CRITICAL |
| Dell EMC Isilon OneFS versions prior to 8.2.0 contain an unauthorized access vulnerability due to a lack of thorough authorization checks when SyncIQ is licensed, but encrypted syncs are not marked as required. When this happens, loss of control of the cluster can occur. | |||||
| CVE-2020-6769 | 1 Bosch | 8 Divar Ip 2000, Divar Ip 2000 Firmware, Divar Ip 3000 and 5 more | 2020-02-12 | 6.4 MEDIUM | 9.1 CRITICAL |
| Missing Authentication for Critical Function in the Bosch Video Streaming Gateway (VSG) allows an unauthenticated remote attacker to retrieve and set arbitrary configuration data of the Video Streaming Gateway. A successful attack can impact the confidentiality and availability of live and recorded video data of all cameras configured to be controlled by the VSG as well as the recording storage associated with the VSG. This affects Bosch Video Streaming Gateway versions 6.45 <= 6.45.08, 6.44 <= 6.44.022, 6.43 <= 6.43.0023 and 6.42.10 and older. This affects Bosch DIVAR IP 3000, DIVAR IP 7000 and DIVAR IP all-in-one 5000 if a vulnerable VSG version is installed with BVMS. This affects Bosch DIVAR IP 2000 <= 3.62.0019 and DIVAR IP 5000 <= 3.80.0039 if the corresponding port 8023 has been opened in the device's firewall. | |||||
| CVE-2020-8636 | 1 Opservices | 1 Opmon | 2020-02-12 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in OpServices OpMon 9.3.2 that allows Remote Code Execution . | |||||
| CVE-2019-5077 | 1 Wago | 4 Pfc 100, Pfc 100 Firmware, Pfc 200 and 1 more | 2020-02-10 | 8.5 HIGH | 9.1 CRITICAL |
| An exploitable denial-of-service vulnerability exists in the iocheckd service ‘’I/O-Chec’’ functionality of WAGO PFC 200 Firmware versions 03.01.07(13) and 03.00.39(12), and WAGO PFC 100 Firmware version 03.00.39(12). A specially crafted set of packets can cause a denial of service, resulting in the device entering an error state where it ceases all network communications. An attacker can send unauthenticated packets to trigger this vulnerability. | |||||
| CVE-2014-3449 | 1 Bss Continuity Cms Project | 1 Bss Continuty Cms | 2020-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| BSS Continuity CMS 4.2.22640.0 has an Authentication Bypass vulnerability | |||||
| CVE-2019-5078 | 1 Wago | 4 Pfc 100, Pfc 100 Firmware, Pfc 200 and 1 more | 2019-12-27 | 9.4 HIGH | 9.1 CRITICAL |
| An exploitable denial of service vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC200 Firmware versions 03.01.07(13) and 03.00.39(12), and WAGO PFC100 Firmware version 03.00.39(12). A specially crafted set of packets can cause a denial of service, resulting in the device entering an error state where it ceases all network communications. An attacker can send unauthenticated packets to trigger this vulnerability. | |||||
| CVE-2019-5080 | 1 Wago | 4 Pfc 100, Pfc 100 Firmware, Pfc 200 and 1 more | 2019-12-27 | 6.4 MEDIUM | 9.1 CRITICAL |
| An exploitable denial-of-service vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200 Firmware versions 03.01.07(13) and 03.00.39(12), and WAGO PFC100 Firmware version 03.00.39(12). A single packet can cause a denial of service and weaken credentials resulting in the default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability. | |||||
| CVE-2019-4244 | 1 Ibm | 1 Smartcloud Analytics Log Analysis | 2019-12-13 | 6.4 MEDIUM | 9.1 CRITICAL |
| IBM SmartCloud Analytics 1.3.1 through 1.3.5 could allow a remote attacker to gain unauthorized information and unrestricted control over Zookeeper installations due to missing authentication. IBM X-Force ID: 159518. | |||||
| CVE-2006-0061 | 1 Sillycycle | 1 Xlockmore | 2019-11-08 | 7.5 HIGH | 9.8 CRITICAL |
| xlockmore 5.13 and 5.22 segfaults when using libpam-opensc and returns the underlying xsession. This allows unauthorized users access to the X session. | |||||
| CVE-2006-0062 | 1 Sillycycle | 1 Xlockmore | 2019-11-06 | 7.5 HIGH | 9.8 CRITICAL |
| xlockmore 5.13 allows potential xlock bypass when FVWM switches to the same virtual desktop as a new Gaim window. | |||||
| CVE-2019-18465 | 1 Ipswitch | 1 Moveit Transfer | 2019-11-04 | 6.8 MEDIUM | 9.8 CRITICAL |
| In Progress MOVEit Transfer 11.1 before 11.1.3, a vulnerability has been found that could allow an attacker to sign in without full credentials via the SSH (SFTP) interface. The vulnerability affects only certain SSH (SFTP) configurations, and is applicable only if the MySQL database is being used. | |||||
| CVE-2019-6543 | 1 Aveva | 2 Indusoft Web Studio, Intouch Machine Edition 2014 | 2019-10-09 | 10.0 HIGH | 9.8 CRITICAL |
| AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. Code is executed under the program runtime privileges, which could lead to the compromise of the machine. | |||||
| CVE-2019-6533 | 1 Kunbus | 2 Pr100088 Modbus Gateway, Pr100088 Modbus Gateway Firmware | 2019-10-09 | 6.4 MEDIUM | 9.1 CRITICAL |
| Registers used to store Modbus values can be read and written from the web interface without authentication in the PR100088 Modbus gateway versions prior to Release R02 (or Software Version 1.1.13166). | |||||
| CVE-2019-1895 | 1 Cisco | 1 Enterprise Network Function Virtualization Infrastructure | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the Virtual Network Computing (VNC) console implementation of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to access the VNC console session of an administrative user on an affected device. The vulnerability is due to an insufficient authentication mechanism used to establish a VNC session. An attacker could exploit this vulnerability by intercepting an administrator VNC session request prior to login. A successful exploit could allow the attacker to watch the administrator console session or interact with it, allowing admin access to the affected device. | |||||
| CVE-2018-5393 | 1 Tp-link | 1 Eap Controller | 2019-10-09 | 10.0 HIGH | 9.8 CRITICAL |
| The TP-LINK EAP Controller is TP-LINK's software for remotely controlling wireless access point devices. It utilizes a Java remote method invocation (RMI) service for remote control. The RMI interface does not require any authentication before use, so it lacks user authentication for RMI service commands in EAP controller versions 2.5.3 and earlier. Remote attackers can implement deserialization attacks through the RMI protocol. Successful attacks may allow a remote attacker to remotely control the target server and execute Java functions or bytecode. | |||||
| CVE-2018-18995 | 1 Abb | 4 Gate-e1, Gate-e1 Firmware, Gate-e2 and 1 more | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| Pluto Safety PLC Gateway Ethernet devices ABB GATE-E1 and GATE-E2 all versions do not allow authentication to be configured on administrative telnet or web interfaces, which could enable various effects vectors, including conducting device resets, reading or modifying registers, and changing configuration settings such as IP addresses. | |||||
| CVE-2018-10635 | 1 Universal-robots | 2 Cb3.1, Cb3.1 Firmware | 2019-10-09 | 10.0 HIGH | 9.8 CRITICAL |
| In Universal Robots Robot Controllers Version CB 3.1, SW Version 3.4.5-100, ports 30001/TCP to 30003/TCP listen for arbitrary URScript code and execute the code. This enables a remote attacker who has access to the ports to remotely execute code that may allow root access to be obtained. | |||||
| CVE-2018-0376 | 1 Cisco | 2 Mobility Services Engine, Policy Suite | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the Policy Builder interface of Cisco Policy Suite before 18.2.0 could allow an unauthenticated, remote attacker to access the Policy Builder interface. The vulnerability is due to a lack of authentication. An attacker could exploit this vulnerability by accessing the Policy Builder interface. A successful exploit could allow the attacker to make changes to existing repositories and create new repositories. Cisco Bug IDs: CSCvi35109. | |||||
| CVE-2018-0374 | 1 Cisco | 1 Mobility Services Engine | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the Policy Builder database of Cisco Policy Suite before 18.2.0 could allow an unauthenticated, remote attacker to connect directly to the Policy Builder database. The vulnerability is due to a lack of authentication. An attacker could exploit this vulnerability by connecting directly to the Policy Builder database. A successful exploit could allow the attacker to access and change any data in the Policy Builder database. Cisco Bug IDs: CSCvh06134. | |||||
| CVE-2018-0181 | 1 Cisco | 2 Cisco Policy Suite Diameter Routing Agent, Cisco Policy Suite For Mobile | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the Redis implementation used by the Cisco Policy Suite for Mobile and Cisco Policy Suite Diameter Routing Agent software could allow an unauthenticated, remote attacker to modify key-value pairs for short-lived events stored by the Redis server. The vulnerability is due to improper authentication when accessing the Redis server. An unauthenticated attacker could exploit this vulnerability by modifying key-value pairs stored within the Redis server database. An exploit could allow the attacker to reduce the efficiency of the Cisco Policy Suite for Mobile and Cisco Policy Suite Diameter Routing Agent software. | |||||
| CVE-2018-0377 | 1 Cisco | 2 Mobility Services Engine, Policy Suite | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the Open Systems Gateway initiative (OSGi) interface of Cisco Policy Suite before 18.1.0 could allow an unauthenticated, remote attacker to directly connect to the OSGi interface. The vulnerability is due to a lack of authentication. An attacker could exploit this vulnerability by directly connecting to the OSGi interface. An exploit could allow the attacker to access or change any files that are accessible by the OSGi process. Cisco Bug IDs: CSCvh18017. | |||||
| CVE-2017-6044 | 1 Sierra Wireless | 4 Airlink Raven Xe, Airlink Raven Xe Firmware, Airlink Raven Xt and 1 more | 2019-10-09 | 10.0 HIGH | 9.8 CRITICAL |
| An Improper Authorization issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Several files and directories can be accessed without authentication, which may allow a remote attacker to perform sensitive functions including arbitrary file upload, file download, and device reboot. | |||||
| CVE-2017-3216 | 5 Greenpacket, Huawei, Mada and 2 more | 28 Ox350, Ox350 Firmware, Bm2022 and 25 more | 2019-10-09 | 10.0 HIGH | 9.8 CRITICAL |
| WiMAX routers based on the MediaTek SDK (libmtk) that use a custom httpd plugin are vulnerable to an authentication bypass allowing a remote, unauthenticated attacker to gain administrator access to the device by performing an administrator password change on the device via a crafted POST request. | |||||
| CVE-2017-12733 | 1 Opwglobal | 6 Sitesentinel Integra 100, Sitesentinel Integra 100 Firmware, Sitesentinel Integra 500 and 3 more | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| A Missing Authentication for Critical Function issue was discovered in OPW Fuel Management Systems SiteSentinel Integra 100, SiteSentinel Integra 500, and SiteSentinel iSite ATG consoles with the following software versions: older than V175, V175-V189, V191-V195, and V16Q3.1. An attacker may create an application user account to gain administrative privileges. | |||||
| CVE-2017-13997 | 1 Schneider-electric | 2 Wonderware Indusoft Web Studio, Wonderware Intouch | 2019-10-09 | 10.0 HIGH | 9.8 CRITICAL |
| A Missing Authentication for Critical Function issue was discovered in Schneider Electric InduSoft Web Studio v8.0 SP2 or prior, and InTouch Machine Edition v8.0 SP2 or prior. InduSoft Web Studio provides the capability for an HMI client to trigger script execution on the server for the purposes of performing customized calculations or actions. A remote malicious entity could bypass the server authentication and trigger the execution of an arbitrary command. The command is executed under high privileges and could lead to a complete compromise of the server. | |||||
| CVE-2019-15940 | 1 Govicture | 2 Pc530, Pc530 Firmware | 2019-10-04 | 10.0 HIGH | 9.8 CRITICAL |
| Victure PC530 devices allow unauthenticated TELNET access as root. | |||||
| CVE-2017-6409 | 1 Veritas | 2 Netbackup, Netbackup Appliance | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Veritas NetBackup 8.0 and earlier and NetBackup Appliance 3.0 and earlier. Unauthenticated CORBA interfaces permit inappropriate access. | |||||
| CVE-2018-5339 | 1 Zohocorp | 1 Manageengine Desktop Central | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: insufficient enforcement of database query type restrictions. | |||||
| CVE-2017-12822 | 1 Sentinel | 1 Sentinel Ldk Rte Firmware | 2019-10-03 | 7.5 HIGH | 9.9 CRITICAL |
| Remote enabling and disabling admin interface in Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55 leads to new attack vectors. | |||||
| CVE-2018-8016 | 1 Apache | 1 Cassandra | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| The default configuration in Apache Cassandra 3.8 through 3.11.1 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request. This issue is a regression of CVE-2015-0225. The regression was introduced in https://issues.apache.org/jira/browse/CASSANDRA-12109. The fix for the regression is implemented in https://issues.apache.org/jira/browse/CASSANDRA-14173. This fix is contained in the 3.11.2 release of Apache Cassandra. | |||||
| CVE-2017-14417 | 1 D-link | 2 Dir-850l, Dir-850l Firmware | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| register_send.php on D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices does not require authentication, which can result in unintended enrollment in mydlink Cloud Services. | |||||
| CVE-2017-4919 | 1 Vmware | 1 Vcenter Server | 2019-10-03 | 6.8 MEDIUM | 9.0 CRITICAL |
| VMware vCenter Server 5.5, 6.0, 6.5 allows vSphere users with certain, limited vSphere privileges to use the VIX API to access Guest Operating Systems without the need to authenticate. | |||||
| CVE-2017-18001 | 1 Trustwave | 1 Secure Web Gateway | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
| Trustwave Secure Web Gateway (SWG) through 11.8.0.27 allows remote attackers to append an arbitrary public key to the device's SSH Authorized Keys data, and consequently obtain remote root access, via the publicKey parameter to the /sendKey URI. | |||||
| CVE-2017-7315 | 1 Humaxdigital | 2 Hg100r, Hg100r Firmware | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on Humax Digital HG100R 2.0.6 devices. To download the backup file it's not necessary to use credentials, and the router credentials are stored in plaintext inside the backup, aka GatewaySettings.bin. | |||||
| CVE-2019-13983 | 1 Rangerstudio | 1 Directus 7 Api | 2019-07-22 | 5.0 MEDIUM | 9.8 CRITICAL |
| Directus 7 API before 2.2.2 has insufficient anti-automation, as demonstrated by lack of a CAPTCHA in core/Directus/Services/AuthService.php and endpoints/Auth.php. | |||||
| CVE-2016-2004 | 1 Hp | 1 Data Protector | 2019-07-12 | 9.3 HIGH | 9.8 CRITICAL |
| HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2623. | |||||
| CVE-2019-9879 | 1 Wpgraphql | 1 Wpgraphql | 2019-06-11 | 7.5 HIGH | 9.8 CRITICAL |
| The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation. | |||||
| CVE-2019-9880 | 1 Wpgraphql | 1 Wpgraphql | 2019-06-11 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username. | |||||
| CVE-2018-5338 | 1 Zohocorp | 1 Manageengine Desktop Central | 2019-03-05 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: missing authentication/authorization for a database query mechanism. | |||||
| CVE-2018-11247 | 1 Nasdaq | 1 Bwise | 2018-10-23 | 7.5 HIGH | 9.8 CRITICAL |
| The JMX/RMI interface in Nasdaq BWise 5.0 does not require authentication for an SAP BO Component, which allows remote attackers to execute arbitrary code via a session on port 81. | |||||
| CVE-2018-7778 | 1 Schneider-electric | 2 Evlink Charging Station, Evlink Charging Station Firmware | 2018-09-05 | 7.5 HIGH | 9.8 CRITICAL |
| In Schneider Electric Evlink Charging Station versions prior to v3.2.0-12_v1, the Web Interface has an issue that may allow a remote attacker to gain administrative privileges without properly authenticating remote users. | |||||
| CVE-2018-9162 | 1 Contec-touch | 2 Smart Home, Smart Home Firmware | 2018-05-15 | 7.5 HIGH | 9.8 CRITICAL |
| Contec Smart Home 4.15 devices do not require authentication for new_user.php, edit_user.php, delete_user.php, and user.php, as demonstrated by changing the admin password and then obtaining control over doors. | |||||
| CVE-2018-2368 | 1 Sap | 1 Netweaver System Landscape Directory | 2018-03-23 | 7.5 HIGH | 9.8 CRITICAL |
| SAP NetWeaver System Landscape Directory, LM-CORE 7.10, 7.20, 7.30, 7.31, 7.40, does not perform any authentication checks for functionalities that require user identity. | |||||
| CVE-2018-7301 | 1 Eq-3 | 2 Homematic Central Control Unit Ccu2, Homematic Central Control Unit Ccu2 Firmware | 2018-03-18 | 7.5 HIGH | 9.8 CRITICAL |
| eQ-3 AG HomeMatic CCU2 2.29.22 devices have an open XML-RPC port without authentication. This can be exploited by sending arbitrary XML-RPC requests to control the attached BidCos devices. | |||||