Search
Total
644 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-8713 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-19 | 5.8 MEDIUM | 8.8 HIGH |
| Improper authentication for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | |||||
| CVE-2020-8709 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-19 | 5.8 MEDIUM | 8.8 HIGH |
| Improper authentication in socket services for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.45 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | |||||
| CVE-2020-8708 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-19 | 5.8 MEDIUM | 8.8 HIGH |
| Improper authentication for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | |||||
| CVE-2017-12160 | 1 Redhat | 1 Keycloak | 2020-08-19 | 6.5 MEDIUM | 7.2 HIGH |
| It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. | |||||
| CVE-2019-16201 | 2 Debian, Ruby-lang | 2 Debian Linux, Ruby | 2020-08-16 | 7.8 HIGH | 7.5 HIGH |
| WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network. | |||||
| CVE-2020-4662 | 1 Ibm | 1 Event Streams | 2020-08-14 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Event Streams 10.0.0 could allow an authenticated user to perform tasks to a schema due to improper authentication validation. IBM X-Force ID: 186233. | |||||
| CVE-2020-5384 | 1 Rsa | 1 Multifactor Authentication Agent | 2020-08-11 | 7.2 HIGH | 8.4 HIGH |
| Authentication Bypass Vulnerability RSA MFA Agent 2.0 for Microsoft Windows contains an Authentication Bypass vulnerability. A local unauthenticated attacker could potentially exploit this vulnerability by using an alternate path to bypass authentication in order to gain full access to the system. | |||||
| CVE-2020-15055 | 1 Tp-link | 2 Tl-ps310u, Tl-ps310u Firmware | 2020-08-09 | 8.3 HIGH | 8.8 HIGH |
| TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter. | |||||
| CVE-2020-15059 | 1 Lindy-international | 2 42633, 42633 Firmware | 2020-08-09 | 8.3 HIGH | 8.8 HIGH |
| Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter. | |||||
| CVE-2020-15063 | 1 Digitus | 2 Da-70254, Da-70254 Firmware | 2020-08-09 | 8.3 HIGH | 8.8 HIGH |
| DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter. | |||||
| CVE-2017-1000068 | 1 Betterment | 1 Testtrack | 2020-08-05 | 5.0 MEDIUM | 7.5 HIGH |
| TestTrack Server versions 1.0 and earlier are vulnerable to an authentication flaw in the split disablement feature resulting in the ability to disable arbitrary running splits and cause denial of service to clients in the field. | |||||
| CVE-2020-8108 | 1 Bitdefender | 1 Endpoint Security | 2020-08-04 | 4.6 MEDIUM | 8.8 HIGH |
| Improper Authentication vulnerability in Bitdefender Endpoint Security for Mac allows an unprivileged process to restart the main service and potentially inject third-party code into a trusted process. This issue affects: Bitdefender Endpoint Security for Mac versions prior to 4.12.80. | |||||
| CVE-2020-8207 | 1 Citrix | 1 Workspace | 2020-07-29 | 6.0 MEDIUM | 8.8 HIGH |
| Improper access control in Citrix Workspace app for Windows 1912 CU1 and 2006.1 causes privilege escalation and code execution when the automatic updater service is running. | |||||
| CVE-2020-10918 | 1 Automationdirect | 13 C-more Hmi Ea9 Firmware, Ea9-pgmsw, Ea9-rhmi and 10 more | 2020-07-28 | 5.0 MEDIUM | 7.5 HIGH |
| This vulnerability allows remote attackers to bypass authentication on affected installations of C-MORE HMI EA9 Firmware version 6.52 touch screen panels. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authentication mechanism. The issue is due to insufficient authentication on post-authentication requests. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from unauthenticated users. Was ZDI-CAN-10182. | |||||
| CVE-2020-15896 | 1 Dlink | 2 Dap-1522, Dap-1522 Firmware | 2020-07-27 | 5.0 MEDIUM | 7.5 HIGH |
| An authentication-bypass issue was discovered on D-Link DAP-1522 devices 1.4x before 1.10b04Beta02. There exist a few pages that are directly accessible by any unauthorized user, e.g., logout.php and login.php. This occurs because of checking the value of NO_NEED_AUTH. If the value of NO_NEED_AUTH is 1, the user has direct access to the webpage without any authentication. By appending a query string NO_NEED_AUTH with the value of 1 to any protected URL, any unauthorized user can access the application directly, as demonstrated by bsc_lan.php?NO_NEED_AUTH=1. | |||||
| CVE-2020-3388 | 1 Cisco | 5 Isr1100-4g, Isr1100-4gltegb, Isr1100-4gltena and 2 more | 2020-07-23 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the CLI of Cisco SD-WAN vManage Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI. The attacker must be authenticated to access the CLI. A successful exploit could allow the attacker to execute commands with root privileges. | |||||
| CVE-2017-6967 | 1 Neutrinolabs | 1 Xrdp | 2020-07-08 | 7.5 HIGH | 7.3 HIGH |
| xrdp 0.9.1 calls the PAM function auth_start_session() in an incorrect location, leading to PAM session modules not being properly initialized, with a potential consequence of incorrect configurations or elevation of privileges, aka a pam_limits.so bypass. | |||||
| CVE-2017-18906 | 1 Mattermost | 1 Mattermost Server | 2020-06-29 | 4.9 MEDIUM | 8.1 HIGH |
| An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account. | |||||
| CVE-2018-21263 | 1 Mattermost | 1 Mattermost Server | 2020-06-25 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user's account via a crafted SAML response. | |||||
| CVE-2018-21235 | 1 Foxitsoftware | 1 E-mail Advertising System | 2020-06-09 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Foxit E-mail advertising system before September 2018. It allows authentication bypass and information disclosure, related to Interspire Email Marketer. | |||||
| CVE-2020-1718 | 1 Redhat | 3 Jboss Fuse, Keycloak, Openshift Application Runtimes | 2020-05-14 | 6.5 MEDIUM | 8.8 HIGH |
| A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application. | |||||
| CVE-2020-10916 | 1 Tp-link | 2 Tl-wa855re, Tl-wa855re Firmware | 2020-05-14 | 5.2 MEDIUM | 8.0 HIGH |
| This vulnerability allows network-adjacent attackers to escalate privileges on affected installations of TP-Link TL-WA855RE Firmware Ver: 855rev4-up-ver1-0-1-P1[20191213-rel60361] Wi-Fi extenders. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the first-time setup process. The issue results from the lack of proper validation on first-time setup requests. An attacker can leverage this vulnerability to reset the password for the Admin account and execute code in the context of the device. Was ZDI-CAN-10003. | |||||
| CVE-2018-9105 | 1 Nordvpn | 1 Nordvpn | 2020-05-11 | 9.0 HIGH | 8.8 HIGH |
| NordVPN 3.3.10 for macOS suffers from a root privilege escalation vulnerability. The vulnerability stems from its privileged helper tool's implemented XPC service. This XPC service is responsible for receiving and processing new OpenVPN connection requests from the main application. Unfortunately this XPC service is not protected, which allows arbitrary applications to connect and send it XPC messages. An attacker can send a crafted XPC message to the privileged helper tool requesting it make a new OpenVPN connection. Because he or she controls the contents of the XPC message, the attacker can specify the location of the openvpn executable, which could point to something malicious they control located on disk. Without validation of the openvpn executable, this will give the attacker code execution in the context of the privileged helper tool. | |||||
| CVE-2016-11057 | 1 Netgear | 18 Jnr1010, Jnr1010 Firmware, Jwnr2000 and 15 more | 2020-05-06 | 5.0 MEDIUM | 7.5 HIGH |
| Certain NETGEAR devices are affected by mishandling of repeated URL calls. This affects JNR1010v2 before 2017-01-06, WNR614 before 2017-01-06, WNR618 before 2017-01-06, JWNR2000v5 before 2017-01-06, WNR2020 before 2017-01-06, JWNR2010v5 before 2017-01-06, WNR1000v4 before 2017-01-06, WNR2020v2 before 2017-01-06, R6220 before 2017-01-06, and WNDR3700v5 before 2017-01-06. | |||||
| CVE-2020-5268 | 1 Sustainsys | 1 Saml2 | 2020-05-06 | 4.9 MEDIUM | 7.3 HIGH |
| In Saml2 Authentication Services for ASP.NET versions before 1.0.2, and between 2.0.0 and 2.6.0, there is a vulnerability in how tokens are validated in some cases. Saml2 tokens are usually used as bearer tokens - a caller that presents a token is assumed to be the subject of the token. There is also support in the Saml2 protocol for issuing tokens that is tied to a subject through other means, e.g. holder-of-key where possession of a private key must be proved. The Sustainsys.Saml2 library incorrectly treats all incoming tokens as bearer tokens, even though they have another subject confirmation method specified. This could be used by an attacker that could get access to Saml2 tokens with another subject confirmation method than bearer. The attacker could then use such a token to create a log in session. This vulnerability is patched in versions 1.0.2 and 2.7.0. | |||||
| CVE-2020-5567 | 1 Cybozu | 1 Garoon | 2020-04-30 | 5.0 MEDIUM | 7.5 HIGH |
| Improper authentication vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 allows remote attackers to obtain data in Application Menu. | |||||
| CVE-2018-21125 | 1 Netgear | 2 Wac510, Wac510 Firmware | 2020-04-28 | 5.8 MEDIUM | 8.8 HIGH |
| NETGEAR WAC510 devices before 5.0.0.17 are affected by authentication bypass. | |||||
| CVE-2017-18720 | 1 Netgear | 8 D6200, D6200 Firmware, R6700 and 5 more | 2020-04-28 | 5.8 MEDIUM | 8.8 HIGH |
| Certain NETGEAR devices are affected by authentication bypass. This affects D6200 before 1.1.00.24, R6700v2 before 1.1.0.42, R6800 before 1.1.0.42, and R6900v2 before 1.1.0.42. | |||||
| CVE-2018-21128 | 1 Netgear | 4 Wac505, Wac505 Firmware, Wac510 and 1 more | 2020-04-27 | 5.8 MEDIUM | 8.8 HIGH |
| Certain NETGEAR devices are affected by authentication bypass. This affects WAC505 before 5.0.0.17 and WAC510 before 5.0.0.17. | |||||
| CVE-2017-18743 | 1 Netgear | 26 R6300, R6300 Firmware, R6400 and 23 more | 2020-04-27 | 5.8 MEDIUM | 8.8 HIGH |
| Certain NETGEAR devices are affected by authentication bypass. This affects R6300v2 before 1.0.4.8, R6400 before 1.0.1.20, R6700 before 1.0.1.20, R6900 before 1.0.1.20, R7000 before 1.0.7.10, R7100LG before V1.0.0.32, R7300DST before 1.0.0.52, R7900 before 1.0.1.16, R8000 before 1.0.3.36, R8300 before 1.0.2.94, R8500 before 1.0.2.94, WNDR3400v3 before 1.0.1.12, and WNR3500Lv2 before 1.2.0.40. | |||||
| CVE-2018-21121 | 1 Netgear | 6 Gs810emx, Gs810emx Firmware, Xs512em and 3 more | 2020-04-24 | 5.8 MEDIUM | 8.8 HIGH |
| Certain NETGEAR devices are affected by authentication bypass. This affects GS810EMX before 1.0.0.5, XS512EM before 1.0.0.6, and XS724EM before 1.0.0.6. | |||||
| CVE-2018-21118 | 1 Netgear | 2 Xr500, Xr500 Firmware | 2020-04-24 | 5.8 MEDIUM | 8.8 HIGH |
| NETGEAR XR500 devices before 2.3.2.32 are affected by authentication bypass. | |||||
| CVE-2017-18776 | 1 Netgear | 28 D6100, D6100 Firmware, D7000 and 25 more | 2020-04-24 | 4.6 MEDIUM | 8.4 HIGH |
| Certain NETGEAR devices are affected by authentication bypass. This affects D6100 before V1.0.0.55, D7000 before V1.0.1.50, D7800 before V1.0.1.24, JNR1010v2 before 1.1.0.40, JWNR2010v5 before 1.1.0.40, R6100 before 1.0.1.12, R6220 before 1.1.0.50, R7500 before 1.0.0.108, R7500v2 before 1.0.3.10, WNDR4300v1 before 1.0.2.88, WNDR4300v2 before 1.0.0.48, WNDR4500v3 before 1.0.0.48, WNR1000v4 before 1.1.0.40, WNR2000v5 before 1.0.0.42, WNR2020 before 1.1.0.40, and WNR2050 before 1.1.0.40. | |||||
| CVE-2017-18772 | 1 Netgear | 26 Ex3700, Ex3700 Firmware, Ex3800 and 23 more | 2020-04-24 | 5.8 MEDIUM | 8.8 HIGH |
| Certain NETGEAR devices are affected by authentication bypass. This affects EX3700 before 1.0.0.64, EX3800 before 1.0.0.64, EX6120 before 1.0.0.32, EX6130 before 1.0.0.16, R6300v2 before 1.0.4.12, R6700 before 1.0.1.26, R6900 before 1.0.1.22, R7000 before 1.0.9.6, R7300DST before 1.0.0.52, R7900 before 1.0.1.12, R8000 before 1.0.3.24, R8500 before 1.0.2.74, and WNR2000v2 before 1.2.0.8. | |||||
| CVE-2017-18733 | 1 Netgear | 18 D6220, D6220 Firmware, D6400 and 15 more | 2020-04-23 | 5.8 MEDIUM | 8.8 HIGH |
| Certain NETGEAR devices are affected by authentication bypass. This affects D6220 before 1.0.0.28, D6400 before 1.0.0.60, D8500 before 1.0.3.29, R6250 before 1.0.4.8, R6400 before 1.0.1.22, R6400v2 before 1.0.2.32, R7100LG before 1.0.0.32, R7300DST before 1.0.0.52, R8300 before 1.0.2.94, and R8500 before 1.0.2.100. | |||||
| CVE-2017-18732 | 1 Netgear | 6 Plw1000, Plw1000 Firmware, Plw1010 and 3 more | 2020-04-23 | 5.8 MEDIUM | 8.8 HIGH |
| Certain NETGEAR devices are affected by authentication bypass. This affects R6300v2 before 1.0.4.8, PLW1000v2 before 1.0.0.14, and PLW1010v2 before 1.0.0.14. | |||||
| CVE-2017-18850 | 1 Netgear | 32 D6220, D6220 Firmware, D6400 and 29 more | 2020-04-23 | 4.6 MEDIUM | 8.4 HIGH |
| Certain NETGEAR devices are affected by authentication bypass. This affects D6220 before 1.0.0.26, D6400 before 1.0.0.60, D8500 before 1.0.3.29, R6250 before 1.0.4.12, R6400 before 1.01.24, R6400v2 before 1.0.2.30, R6700 before 1.0.1.22, R6900 before 1.0.1.22, R6900P before 1.0.0.56, R7000 before 1.0.9.4, R7000P before 1.0.0.56, R7100LG before 1.0.0.32, R7300DST before 1.0.0.54, R7900 before 1.0.1.18, R8000 before 1.0.3.44, R8300 before 1.0.2.100_1.0.82, and R8500 before 1.0.2.100_1.0.82. | |||||
| CVE-2019-5890 | 1 Overit | 1 Geocall | 2020-04-23 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered in OverIT Geocall 6.3 before build 2:346977. Weak authentication and session management allows an authenticated user to obtain access to the Administrative control panel and execute administrative functions. | |||||
| CVE-2017-18654 | 1 Google | 1 Android | 2020-04-08 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Samsung mobile devices with M(6.0) and N(7.0, 7.1) software. An unauthenticated attacker can register a new security certificate. The Samsung ID is SVE-2017-9659 (September 2017). | |||||
| CVE-2016-11042 | 1 Google | 1 Android | 2020-04-07 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Samsung mobile devices with L(5.0/5.1) and M(6.0) software. There is a SIM Lock bypass. The Samsung ID is SVE-2016-5381 (June 2016). | |||||
| CVE-2020-9066 | 1 Huawei | 2 Oxfordp-an10b, Oxfordp-an10b Firmware | 2020-03-30 | 6.8 MEDIUM | 7.8 HIGH |
| Huawei smartphones OxfordP-AN10B with versions earlier than 10.0.1.169(C00E166R4P1) have an improper authentication vulnerability. The Application doesn't perform proper authentication when user performs certain operations. An attacker can trick user into installing a malicious plug-in to exploit this vulnerability. Successful exploit could allow the attacker to bypass the authentication to perform unauthorized operations. | |||||
| CVE-2019-20565 | 1 Google | 1 Android | 2020-03-27 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) software. Attackers can change the USB configuration without authentication. The Samsung ID is SVE-2018-13300 (September 2019). | |||||
| CVE-2019-20618 | 1 Google | 1 Android | 2020-03-26 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Samsung mobile devices with P(9.0) software. The Pin Window feature allows unauthenticated unpinning of an app. The Samsung ID is SVE-2018-13765 (March 2019). | |||||
| CVE-2019-20620 | 1 Google | 1 Android | 2020-03-26 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Samsung mobile devices with P(9.0) software. The Settings application allows unauthenticated changes. The Samsung IDs are SVE-2019-13814, SVE-2019-13815 (March 2019). | |||||
| CVE-2020-10669 | 1 Canon | 2 Oce Colorwave 500, Oce Colorwave 500 Firmware | 2020-03-24 | 5.0 MEDIUM | 7.5 HIGH |
| The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 printer is vulnerable to authentication bypass on the page /home.jsp. An unauthenticated attacker able to connect to the device's web interface can get a copy of the documents uploaded by any users. NOTE: this is fixed in the latest version. | |||||
| CVE-2020-1864 | 1 Huawei | 2 Secospace Antiddos8000, Secospace Antiddos8000 Firmware | 2020-03-23 | 6.8 MEDIUM | 8.1 HIGH |
| Some Huawei products have a security vulnerability due to improper authentication. A remote attacker needs to obtain some information and forge the peer device to send specific packets to the affected device. Due to the improper implementation of the authentication function, attackers can exploit the vulnerability to connect to affected devices and execute a series of commands.Affected product versions include:Secospace AntiDDoS8000 versions V500R001C00,V500R001C20,V500R001C60,V500R005C00. | |||||
| CVE-2020-6988 | 1 Rockwellautomation | 6 Micrologix 1100, Micrologix 1100 Firmware, Micrologix 1400 and 3 more | 2020-03-20 | 5.0 MEDIUM | 7.5 HIGH |
| Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, A remote, unauthenticated attacker can send a request from the RSLogix 500 software to the victim’s MicroLogix controller. The controller will then respond to the client with used password values to authenticate the user on the client-side. This method of authentication may allow an attacker to bypass authentication altogether, disclose sensitive information, or leak credentials. | |||||
| CVE-2020-5536 | 1 Plathome | 2 Openblocks Iot Vx2, Openblocks Iot Vx2 Firmware | 2020-03-05 | 5.8 MEDIUM | 8.8 HIGH |
| OpenBlocks IoT VX2 prior to Ver.4.0.0 (Ver.3 Series) allows an attacker on the same network segment to bypass authentication and to initialize the device via unspecified vectors. | |||||
| CVE-2018-15819 | 1 Easyio | 2 Easyio 30p, Easyio 30p Firmware | 2020-03-04 | 5.0 MEDIUM | 7.5 HIGH |
| EasyIO EasyIO-30P devices before 2.0.5.27 have Incorrect Access Control, related to webuser.js. | |||||
| CVE-2020-8861 | 1 Dlink | 2 Dap-1330, Dap-1330 Firmware | 2020-02-28 | 8.3 HIGH | 8.8 HIGH |
| This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue results from the lack of proper handling of cookies. An attacker can leverage this vulnerability to execute arbitrary code on the router. Was ZDI-CAN-9554. | |||||