Search
Total
143 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-26925 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2023-12-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| Windows LSA Spoofing Vulnerability | |||||
| CVE-2023-6595 | 1 Progress | 1 Whatsup Gold | 2023-12-19 | N/A | 5.3 MEDIUM |
| In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate ancillary credential information stored within WhatsUp Gold. | |||||
| CVE-2023-6368 | 1 Progress | 1 Whatsup Gold | 2023-12-19 | N/A | 5.3 MEDIUM |
| In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate information related to a registered device being monitored by WhatsUp Gold. | |||||
| CVE-2023-50263 | 1 Networktocode | 1 Nautobot | 2023-12-18 | N/A | 5.3 MEDIUM |
| Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 1.x and 2.0.x prior to 1.6.7 and 2.0.6, the URLs `/files/get/?name=...` and `/files/download/?name=...` are used to provide admin access to files that have been uploaded as part of a run request for a Job that has FileVar inputs. Under normal operation these files are ephemeral and are deleted once the Job in question runs. In the default implementation used in Nautobot, as provided by `django-db-file-storage`, these URLs do not by default require any user authentication to access; they should instead be restricted to only users who have permissions to view Nautobot's `FileProxy` model instances. Note that no URL mechanism is provided for listing or traversal of the available file `name` values, so in practice an unauthenticated user would have to guess names to discover arbitrary files for download, but if a user knows the file name/path value, they can access it without authenticating, so we are considering this a vulnerability. Fixes are included in Nautobot 1.6.7 and Nautobot 2.0.6. No known workarounds are available other than applying the patches included in those versions. | |||||
| CVE-2023-29061 | 2 Bd, Hp | 3 Facschorus, Hp Z2 Tower G5, Hp Z2 Tower G9 | 2023-12-05 | N/A | 5.2 MEDIUM |
| There is no BIOS password on the FACSChorus workstation. A threat actor with physical access to the workstation can potentially exploit this vulnerability to access the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication. | |||||
| CVE-2023-29060 | 2 Bd, Hp | 3 Facschorus, Hp Z2 Tower G5, Hp Z2 Tower G9 | 2023-12-05 | N/A | 5.7 MEDIUM |
| The FACSChorus workstation operating system does not restrict what devices can interact with its USB ports. If exploited, a threat actor with physical access to the workstation could gain access to system information and potentially exfiltrate data. | |||||
| CVE-2022-36884 | 1 Jenkins | 1 Git | 2023-11-22 | N/A | 5.3 MEDIUM |
| The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository. | |||||
| CVE-2020-13920 | 3 Apache, Debian, Oracle | 4 Activemq, Debian Linux, Communications Diameter Signaling Router and 1 more | 2023-11-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12. | |||||
| CVE-2023-36847 | 2023-08-18 | N/A | 5.3 MEDIUM | ||
| A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on EX Series: * All versions prior to 20.4R3-S8; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S4; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S1; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3. | |||||
| CVE-2023-36846 | 2023-08-18 | N/A | 5.3 MEDIUM | ||
| A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series: * All versions prior to 20.4R3-S8; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3. | |||||
| CVE-2022-25245 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name. | |||||
| CVE-2021-37234 | 1 Modern Honey Network Project | 1 Modern Honey Network | 2023-08-08 | N/A | 6.5 MEDIUM |
| Incorrect Access Control vulnerability in Modern Honey Network commit 0abf0db9cd893c6d5c727d036e1f817c02de4c7b allows remote attackers to view sensitive information via crafted PUT request to Web API. | |||||
| CVE-2022-45424 | 1 Dahuasecurity | 8 Dhi-dss4004-s2, Dhi-dss4004-s2 Firmware, Dhi-dss7016d-s2 and 5 more | 2023-08-08 | N/A | 5.3 MEDIUM |
| Some Dahua software products have a vulnerability of unauthenticated request of AES crypto key. An attacker can obtain the AES crypto key by sending a specific crafted packet to the vulnerable interface. | |||||
| CVE-2022-29270 | 1 Nagios | 1 Nagios Xi | 2023-08-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Nagios XI through 5.8.5, it is possible for a user without password verification to change his e-mail address. | |||||
| CVE-2022-22652 | 1 Apple | 2 Ipados, Iphone Os | 2023-08-08 | 3.6 LOW | 6.1 MEDIUM |
| The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access may be able to view and modify the carrier account information and settings from the lock screen. | |||||
| CVE-2022-31701 | 2 Linux, Vmware | 4 Linux Kernel, Access, Cloud Foundation and 1 more | 2023-08-08 | N/A | 5.3 MEDIUM |
| VMware Workspace ONE Access and Identity Manager contain a broken authentication vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. | |||||
| CVE-2021-31814 | 1 Stormshield | 1 Stormshield Network Security | 2023-08-08 | 3.6 LOW | 6.1 MEDIUM |
| In Stormshield 1.1.0, and 2.1.0 through 2.9.0, an attacker can block a client from accessing the VPN and can obtain sensitive information through the SN VPN SSL Client. | |||||
| CVE-2022-20060 | 2 Google, Mediatek | 34 Android, Mt6761, Mt6762 and 31 more | 2023-08-08 | 4.4 MEDIUM | 6.6 MEDIUM |
| In preloader (usb), there is a possible permission bypass due to a missing proper image authentication. This could lead to local escalation of privilege, for an attacker who has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS06160806; Issue ID: ALPS06137462. | |||||
| CVE-2022-36780 | 1 Avdorcis | 1 Crystal Quality | 2023-08-08 | N/A | 5.3 MEDIUM |
| Avdor CIS - crystal quality Credentials Management Errors. The product is phone call recorder, you can hear all the recorded calls without authenticate to the system. Attacker sends crafted URL to the system: ip:port//V=2;ChannellD=number;Ext=number;Command=startLM;Client=number;Request=number;R=number number - id of the recorded number. | |||||
| CVE-2022-3312 | 1 Google | 1 Chrome | 2023-08-08 | N/A | 4.6 MEDIUM |
| Insufficient validation of untrusted input in VPN in Google Chrome on ChromeOS prior to 106.0.5249.62 allowed a local attacker to bypass managed device restrictions via physical access to the device. (Chromium security severity: Medium) | |||||
| CVE-2022-35136 | 1 Boodskap | 1 Iot Platform | 2023-08-08 | N/A | 6.5 MEDIUM |
| Boodskap IoT Platform v4.4.9-02 allows attackers to make unauthenticated API requests. | |||||
| CVE-2022-26971 | 1 Barco | 1 Control Room Management Suite | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a license file upload mechanism. This upload can be executed without authentication. | |||||
| CVE-2022-31461 | 1 Owllabs | 2 Meeting Owl Pro, Meeting Owl Pro Firmware | 2023-08-08 | 3.3 LOW | 6.5 MEDIUM |
| Owl Labs Meeting Owl 5.2.0.15 allows attackers to deactivate the passcode protection mechanism via a certain c 11 message. | |||||
| CVE-2022-45190 | 1 Microchip | 2 Rn4870, Rn4870 Firmware | 2023-08-08 | N/A | 5.3 MEDIUM |
| An issue was discovered on Microchip RN4870 1.43 devices. An attacker within BLE radio range can bypass passkey entry in the legacy pairing of the device. | |||||
| CVE-2022-0140 | 1 Vfbpro | 1 Visual Form Builder | 2023-08-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export it as a CSV File using the vfb-export endpoint. | |||||
| CVE-2023-38523 | 1 Samsung | 66 Fgn1115-wp-wh, Fgn1115-wp-wh Firmware, Fgn1122-cd and 63 more | 2023-08-01 | N/A | 5.3 MEDIUM |
| The web interface on multiple Samsung Harman AMX N-Series devices allows directory listing for the /tmp/ directory, without authentication, exposing sensitive information such as the command history and screenshot of the file being processed. This affects N-Series N1115 Wallplate Video Encoder before 1.15.61, N-Series N1x22A Video Encoder/Decoder before 1.15.61, N-Series N1x33A Video Encoder/Decoder before 1.15.61, N-Series N1x33 Video Encoder/Decoder before 1.15.61, N-Series N2x35 Video Encoder/Decoder before 1.15.61, N-Series N2x35A Video Encoder/Decoder before 1.15.61, N-Series N2xx2 Video Encoder/Decoder before 1.15.61, N-Series N2xx2A Video Encoder/Decoder before 1.15.61, N-Series N3000 Video Encoder/Decoder before 2.12.105, and N-Series N4321 Audio Transceiver before 1.00.06. | |||||
| CVE-2021-36200 | 1 Johnsoncontrols | 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server | 2022-07-29 | N/A | 5.3 MEDIUM |
| Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users. | |||||
| CVE-2021-24219 | 1 Thrivethemes | 20 Focusblog, Ignition, Luxe and 17 more | 2022-07-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before 2.3.9.4, Thrive Quiz Builder WordPress plugin before 2.3.9.4, Thrive Apprentice WordPress plugin before 2.3.9.4, Thrive Visual Editor WordPress plugin before 2.6.7.4, Thrive Dashboard WordPress plugin before 2.3.9.3, Thrive Ovation WordPress plugin before 2.4.5, Thrive Clever Widgets WordPress plugin before 1.57.1 and Rise by Thrive Themes WordPress theme before 2.0.0, Ignition by Thrive Themes WordPress theme before 2.0.0, Luxe by Thrive Themes WordPress theme before 2.0.0, FocusBlog by Thrive Themes WordPress theme before 2.0.0, Minus by Thrive Themes WordPress theme before 2.0.0, Squared by Thrive Themes WordPress theme before 2.0.0, Voice WordPress theme before 2.0.0, Performag by Thrive Themes WordPress theme before 2.0.0, Pressive by Thrive Themes WordPress theme before 2.0.0, Storied by Thrive Themes WordPress theme before 2.0.0, Thrive Themes Builder WordPress theme before 2.2.4 register a REST API endpoint associated with Zapier functionality. While this endpoint was intended to require an API key in order to access, it was possible to access it by supplying an empty api_key parameter in vulnerable versions if Zapier was not enabled. Attackers could use this endpoint to add arbitrary data to a predefined option in the wp_options table. | |||||
| CVE-2020-15799 | 1 Siemens | 132 Scalance X200-4pirt, Scalance X200-4pirt Firmware, Scalance X201-3pirt and 129 more | 2022-07-28 | 7.1 HIGH | 6.5 MEDIUM |
| A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < V5.2.5), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.5.0). The vulnerability could allow an unauthenticated attacker to reboot the device over the network by using special urls from integrated web server of the affected products. | |||||
| CVE-2021-43333 | 1 Datalogic | 1 Dxu | 2022-07-12 | 5.8 MEDIUM | 6.5 MEDIUM |
| The Datalogic DXU service on (for example) DL-Axist devices does not require authentication for configuration changes or disclosure of configuration settings. | |||||
| CVE-2021-33259 | 1 D-link | 2 Dir-868lw, Dir-868lw Firmware | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| Several web interfaces in D-Link DIR-868LW 1.12b have no authentication requirements for access, allowing for attackers to obtain users' DNS query history. | |||||
| CVE-2021-27668 | 1 Hashicorp | 1 Vault | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3. | |||||
| CVE-2021-20150 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. Authentication can be bypassed and a user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page. | |||||
| CVE-2021-20161 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2022-07-12 | 7.2 HIGH | 6.8 MEDIUM |
| Trendnet AC2600 TEW-827DRU version 2.08B01 does not have sufficient protections for the UART functionality. A malicious actor with physical access to the device is able to connect to the UART port via a serial connection. No username or password is required and the user is given a root shell with full control of the device. | |||||
| CVE-2021-27570 | 1 Remotemouse | 1 Emote Remote Mouse | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Emote Remote Mouse through 3.015. Attackers can close any running process by sending the process name in a specially crafted packet. This information is sent in cleartext and is not protected by any authentication logic. | |||||
| CVE-2021-27569 | 1 Remotemouse | 1 Emote Remote Mouse | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Emote Remote Mouse through 4.0.0.0. Attackers can maximize or minimize the window of a running process by sending the process name in a crafted packet. This information is sent in cleartext and is not protected by any authentication logic. | |||||
| CVE-2021-43974 | 1 Sysaid | 1 Itil | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in SysAid ITIL 20.4.74 b10. The /enduserreg endpoint is used to register end users anonymously, but does not respect the server-side setting that determines if anonymous users are allowed to register new accounts. Configuring the server-side setting to disable anonymous user registration only hides the client-side registration form. An attacker can still post registration data to create new accounts without prior authentication. | |||||
| CVE-2021-28124 | 1 Cohesity | 1 Cohesity Dataplatform | 2022-07-12 | 4.3 MEDIUM | 5.9 MEDIUM |
| A man-in-the-middle vulnerability in Cohesity DataPlatform support channel in version 6.3 up to 6.3.1g, 6.4 up to 6.4.1c and 6.5.1 through 6.5.1b. Missing server authentication in impacted versions can allow an attacker to Man-in-the-middle (MITM) support channel UI session to Cohesity DataPlatform cluster. | |||||
| CVE-2021-27571 | 1 Remotemouse | 1 Emote Remote Mouse | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Emote Remote Mouse through 4.0.0.0. Attackers can retrieve recently used and running applications, their icons, and their file paths. This information is sent in cleartext and is not protected by any authentication logic. | |||||
| CVE-2021-37420 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2022-07-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing. | |||||
| CVE-2022-0424 | 1 Supsystic | 1 Popup | 2022-07-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users | |||||
| CVE-2022-22309 | 1 Ibm | 2 Power System S922, Power System S922 Firmware | 2022-06-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| The POWER systems FSP is vulnerable to unauthenticated logins through the serial port/TTY interface. This vulnerability can be more critical if the serial port is connected to a serial-over-lan device. IBM X-Force ID: 217095. | |||||
| CVE-2019-5014 | 1 Wincofireworks | 2 Fw-1007, Fw-1007 Firmware | 2022-06-13 | 3.3 LOW | 6.5 MEDIUM |
| An exploitable improper access control vulnerability exists in the bluetooth low energy functionality of Winco Fireworks FireFly FW-1007 V2.0. An attacker can connect to the device to trigger this vulnerability. | |||||
| CVE-2022-31022 | 1 Couchbase | 1 Bleve | 2022-06-09 | 2.1 LOW | 5.5 MEDIUM |
| Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (bleve/http) handlers for exposing the access to the indexes. For instance, the CreateIndexHandler (`http/index_create.go`) and DeleteIndexHandler (`http/index_delete.go`) enable an attacker to create a bleve index (directory structure) anywhere where the user running the server has the write permissions and to delete recursively any directory owned by the same user account. Users who have used the bleve/http package for exposing access to bleve index without the explicit handling for the Role Based Access Controls(RBAC) of the index assets would be impacted by this issue. There is no patch for this issue because the http package is purely intended to be used for demonstration purposes. Bleve was never designed handle the RBACs, nor it was ever advertised to be used in that way. The collaborators of this project have decided to stay away from adding any authentication or authorization to bleve project at the moment. The bleve/http package is mainly for demonstration purposes and it lacks exhaustive validation of the user inputs as well as any authentication and authorization measures. It is recommended to not use bleve/http in production use cases. | |||||
| CVE-2022-29402 | 1 Tp-link | 2 Tl-wr840n, Tl-wr840n Firmware | 2022-06-07 | 7.2 HIGH | 6.8 MEDIUM |
| TP-Link TL-WR840N EU v6.20 was discovered to contain insecure protections for its UART console. This vulnerability allows attackers to connect to the UART port via a serial connection and execute commands as the root user without authentication. | |||||
| CVE-2022-29881 | 1 Siemens | 72 7kg8500-0aa00-0aa0, 7kg8500-0aa00-0aa0 Firmware, 7kg8500-0aa00-2aa0 and 69 more | 2022-06-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). The web based management interface of affected devices does not employ special access protection for certain internal developer views. This could allow unauthenticated users to extract internal configuration details. | |||||
| CVE-2022-29879 | 1 Siemens | 72 7kg8500-0aa00-0aa0, 7kg8500-0aa00-0aa0 Firmware, 7kg8500-0aa00-2aa0 and 69 more | 2022-06-02 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). The web based management interface of affected devices does not employ special access protection for certain internal developer views. This could allow authenticated users to access critical device information. | |||||
| CVE-2022-29877 | 1 Siemens | 72 7kg8500-0aa00-0aa0, 7kg8500-0aa00-0aa0 Firmware, 7kg8500-0aa00-2aa0 and 69 more | 2022-06-02 | 6.4 MEDIUM | 6.5 MEDIUM |
| A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). Affected devices allow unauthenticated access to the web interface configuration area. This could allow an attacker to extract internal configuration details or to reconfigure network settings. However, the reconfigured settings cannot be activated unless the role of an authenticated administrator user. | |||||
| CVE-2022-22809 | 1 Schneider-electric | 6 Fellerlynk, Fellerlynk Firmware, Spacelynk and 3 more | 2022-05-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow modifications of the touch configurations in an unauthorized manner when an attacker attempts to modify the touch configurations. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior) | |||||
| CVE-2022-27495 | 1 F5 | 1 Nginx Service Mesh | 2022-05-13 | 3.3 LOW | 6.5 MEDIUM |
| On all versions 1.3.x (fixed in 1.4.0) NGINX Service Mesh control plane endpoints are exposed to the cluster overlay network. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||